Enhancements

Added Logout virtual resource
Added a new Logout response generator for virtual resources, enabling you to customize logout behavior for each application. See Adding application resources for more information.
CRL processing improvements
PingAccess now supports trace-level logging to help troubleshoot certificate revocation issues and provides an option to bypass trust anchor validation. This helps improve interoperability with CA infrastructure. See Creating trusted certificate groups for more information.
Added support for web session access token identity mappings
PingAccess now supports creating web session access token identity mappings. This helps ease integration with existing APIs, in particular in the context of Single Page Applications (SPAs). See Creating web session access token identity mappings for more information.
Added support for reversed trust chain certificate validation
PingAccess now supports validation for client certificate chains that are not in the standard order, such as a reversed certificate chain of [root, intermediate, leaf]. See Creating trusted certificate groups for more information.

Removed features

Runtime state clustering
PingAccess no longer supports runtime state clustering. Clustered environments that do not use runtime state clustering are not affected.

Resolved issues

Ticket ID Description
PA-14403 Fixed a potential security issue.
PA-14296 Fixed a potential security issue.
PA-14284 Fixed a potential security issue.
PA-14279 Fixed a potential security issue.
PA-14287 Fixed a potential security issue.
PA-14331 Fixed a potential security issue.
PA-14302 Fixed a potential security issue.
PA-14134 Fixed a potential security issue.
PA-14135 Fixed a potential security issue.
PA-14143 Fixed a potential security issue.
PA-14542 Fixed a typo in the Content-Security-Policy header that prevented PingAccess from loading external scripts from HTML responses.
PA-14541 Fixed an issue in the CRL client certificate authentication flow that returned a 500 error code when PingAccess is in FIPS mode.
PA-14421 Updated the PingAccess UI to display the alias of the selected certificates in the Trusted Certificate Group List.
PA-14433 Fixed an issue that limited the host field for the Primary Administrative Node to 64 characters, instead of the standard 255 characters.
PA-14083 Added handling to URL-encode client secrets with special characters per RFC 6749.
PA-14445 Fixed an issue where, upon detecting a revoked certificate in a chain, PingAccess incorrectly assumed it was always the first certificate in the chain.
PA-14304 Fixed an issue that returned a 500 error when requesting keypairs endpoints with special characters in the chain certs field.
PA-14467 Fixed an issue that caused key rolling to result in Admin Token Provider and System Token Provider being switched.
PA-14477 Fixed a typo that could cause warnings when running PingAccess as a Windows Service.
PA-14402 Fixed an issue that prevented PingAccess from encoding non-ASCII characters when they are in the domain only.
PA-14468 Fixed an issue that caused PingAccess to trigger an error when using the PingAuthorize Access Control rule and the target Sideband provider returns a response that omits the response.body parameter.
PA-14392 Fixed an issue that caused the PingAccess Admin UI to incorrectly initialize an application with the state of another application, leading to scenarios where an administrator could mistakenly update an application with the data of another application.
PA-14314 Fixed an issue that prevented header warnings from being sent for PEM key pairs with a single duplicate chain certificate.
PA-14258 Added INFO level logging at the start of configuration import.
PA-14280 Fixed an issue that prevented an ACME request with an INVALID state and an empty problem description from displaying correctly.
PA-14290 Fixed an issue that caused the PingAccess Sideband transport to only use fixed ports when performing resource matching against incoming sideband API requests.
PA-14238 Fixed an issue that caused disabled algorithms to appear on the Signing Algorithm drop-down menu on the Auth Token Management page.
PA-14265 Fixed an issue that prevented the SSO Admin Authentication method in the PingAccess admin console from functioning in clustered PingAccess deployments when Private Key JWT client authentication is used.
PA-14029 Fixed an issue that caused PingAccess Sideband API to return an error when no scope claim is configured in the access token.
PA-14305 Fixed an issue where the 'Transfer-Encoding' request header was dropped from inbound PingAccess Sideband API request results.
PA-14472 Improved error message when supplying an empty string to fields that expect a charset.