Enhancements

Added Federal Information Processing Standards (FIPS) Mode
PingAccess can now be placed in FIPS mode, ensuring that all encryption algorithms used are FIPS-compliant. See Federal Information Processing Standards (FIPS) Mode for more information.
Added support for PEM-encoded key pairs
You can import or export PEM-encoded key pairs. See Importing existing key pairs for more information.
Updated PingAccess database to Apache Derby
The PingAccess database now uses Apache Derby for additional security.
Replaced MD5 with SHA256
The MD5 algorithm has been replaced with the SHA256 algorithm.
Added sideband API
You can configure PingAccess sideband API clients to request access decisions from PingAccess. See Sideband Clients for more information.
Added capability for redirectless authentication using PingFederate
When configuring an authentication challenge policy, you can enable redirectless authentication using PingFederate. See Configuring authentication challenge policies for more information.
Enhanced redirect rules and rejection handlers to allow relative URLs
You can use relative URLs in redirect rules and rejection handlers. See Adding redirect rules and Creating rejection handlers for more information.
Added additional JWT signing algorithms
You can now use RS384, RS512, PS256, PS384, and PS512 with a 2048-bit key size as signing algorithms for JSON web tokens. RSASSA-PSS signing algorithms are only available if the version of Java used on the PingAccess system supports them.
Improved PingFederate host name support
When configuring PingFederate as a token provider, you can provide a separate host name for the certificate or skip hostname verification. See Configuring PingFederate administration for more information.
Added single-page application developer's guide
This guide and its associated code samples explain how to prepare a single-page application to work with PingAccess. See the PingAccess developer resources on GitHub for more information.

Resolved issues

Ticket ID Description
N/A Fixed potential security issues.
PA-13830 Fixed an issue that caused the user interface to crash after viewing some rule summaries.
PA-14151 Fixed an issue that returned an empty response when a request to the /keyPairs endpoint contained invalid JSON.
PA-14071 Fixed an issue that prevented key rolling for keys retrieved using the JWKS endpoints through Agent port 3030.
PA-13913 Fixed an issue that caused the applicationId and applicationName attributes to be empty on error pages when values should have been available.
PA-14004 Fixed an issue that caused a null pointer exception when the trusted certificate supplied for a newly created agent, engine, or replica administrative node was about to expire.
PA-14141 Fixed an issue that prevented a proxied PingFederate token provider from using the context root during OIDC metadata collection.
PA-14248 Fixed an issue that caused the user interface to crash when viewing some rule set groups.
PA-14082 Fixed an issue that prevented some invalid requests received by PingAccess from generating log entries.
PA-13498 Fixed an issue that incorrectly displayed the access token validator for an application if PingOne was configured as the token provider.
PA-14026 Fixed an issue that hid fields in Availability Profile summaries if their value was 0.
PA-14011 Fixed an issue that caused the destination field of a sideband client to revert to a previous value when saved.
PA-14009 Fixed an issue that validated new token provider configurations against disabled existing configurations, preventing migration to new configurations.
PA-13844 Fixed an issue that prevented PingFederate configuration and prevented PingAccess from starting if the OAuth signing algorithm was set to an empty string.
PA-13823 Fixed an issue that prevented object-valued arrays in JWT identity mappings with inclusion lists from being processed correctly.
PA-13757 Fixed an issue that caused JSON objects to be incorrectly excluded from JWT identity mappings with exclusion lists.
PA-13753 Fixed an issue that caused the Skip Hostname Verification option in the PingFederate runtime configuration to be ignored in some environments.
PA-13760 Fixed an issue that caused the API to incorrectly use the system token provider instead of the admin token provider when enabling Admin SSO.
PA-13841 Fixed an issue that caused a 500 response if a signing algorithm was set to a blank value through the /websessionManagement or /authTokenManagement endpoints.
PA-13842 Fixed an issue that caused the non-default P-256 signing algorithm to be used if the signing algorithm was removed using the /authTokenManagement endpoint.
PA-13867 Fixed an issue that caused spurious log entries after configuring a global unprotected resource.
PA-13851 Fixed an issue that caused the /webSession endpoint to allow a POST or PUT without a specified credentialsType value.
PA-13678 Fixed an issue that prevented a configuration import if PingAccess was installed in a directory that included /data/ in its filepath.
PA-13744 Fixed an issue that displayed the Change Token Provider Type option for auditors.
PA-13758 Fixed an issue that sometimes prevented configuration import or upgrade after a change in token provider and UI authentication method.
PA-13815 Fixed an issue that caused stale signing algorithm data to persistently display in the /websessionManagement or /authTokenManagement endpoints.
PA-14006 Fixed an issue that prevented a rule from being saved or displaying an error if it shared a name with an existing rule.
PA-13820 Fixed an issue that prevented agent token caching for API requests if the Cache tokens option was disabled.