PingAccess

PingAccess 7.0 (December 2021)

Added Logout virtual resource

New PA-14281

Added a new Logout response generator for virtual resources, enabling you to customize logout behavior for each application. See Adding application resources for more information.

CRL processing improvements

New PA-14227, PA-14410

PingAccess now supports trace-level logging to help troubleshoot certificate revocation issues and provides an option to bypass trust anchor validation, which improves interoperability with some certificate authority (CA) infrastructure. Because the bypass removes a check from CRL processing, enable it only for the CA infrastructure that requires it. See Creating trusted certificate groups for more information.

Added support for web session access token identity mappings

New PA-14412

PingAccess now supports creating web session access token identity mappings. This helps ease integration with existing APIs, in particular in the context of Single Page Applications (SPAs). See Creating web session access token identity mappings for more information.

Added support for reversed trust chain certificate validation

New PA-14422

PingAccess now validates client certificate chains that are not presented in the standard [leaf, intermediate, root] order, such as a reversed chain of [root, intermediate, leaf]. See Creating trusted certificate groups for more information.

Runtime state clustering no longer supported

Info PA-14435

PingAccess no longer supports runtime state clustering. Clustered environments that do not use runtime state clustering are not affected.

Fixed security issue

Security PA-14403

Fixed a potential security issue.

Fixed security issue

Security PA-14296

Fixed a potential security issue.

Fixed security issue

Security PA-14284

Fixed a potential security issue.

Fixed security issue

Security PA-14279

Fixed a potential security issue.

Fixed security issue

Security PA-14287

Fixed a potential security issue.

Fixed security issue

Security PA-14331

Fixed a potential security issue.

Fixed security issue

Security PA-14302

Fixed a potential security issue.

Fixed security issue

Security PA-14134

Fixed a potential security issue.

Fixed security issue

Security PA-14135

Fixed a potential security issue.

Fixed security issue

Security PA-14143

Fixed a potential security issue.

Fixed a typo affecting the loading of external scripts

Fixed PA-14542

Fixed a typo in the Content-Security-Policy header that prevented external scripts referenced in HTML responses from being loaded.
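A browser ignores any Content-Security-Policy directive whose name it does not recognise, so a mistyped script-src silently falls back to default-src and external scripts are blocked. The following lint, added here as an illustration and not part of PingAccess, parses a policy, flags unknown directive names, and computes the source list a browser would actually apply to script loads. The policies, origins and the KNOWN_DIRECTIVES list are constructed for the example.

```python
"""Lint a Content-Security-Policy header value.

Added example (not PingAccess code).  It shows why a mistyped directive name
silently breaks script loading: browsers ignore directives they do not
recognise, so script-src falls back to default-src.  The header values and
origins below are constructed for illustration.
"""

# Directive names from CSP Level 2/3.  Assumption: this list is complete
# enough for linting; extend it if your browsers support more directives.
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "script-src-elem", "script-src-attr",
    "style-src", "style-src-elem", "style-src-attr", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "frame-src", "child-src",
    "worker-src", "manifest-src", "base-uri", "form-action", "frame-ancestors",
    "sandbox", "report-uri", "report-to", "upgrade-insecure-requests",
    "block-all-mixed-content", "require-trusted-types-for", "trusted-types",
}

# Constructed policies: the first has a typo in "script-src".
TYPO_CSP = "default-src 'self'; scirpt-src 'self' https://cdn.example.com; object-src 'none'"
FIXED_CSP = ("default-src 'self'; "
             "script-src 'self' https://cdn.example.com https://*.static.example.com; "
             "object-src 'none'")


def parse_csp(header):
    """Split a policy into {directive_name: [source expressions]}.
    Directives are ';'-separated; the first occurrence of a name wins, as in browsers."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def unknown_directives(policy):
    """Directive names a browser would ignore (typos, vendor inventions)."""
    return sorted(name for name in policy if name not in KNOWN_DIRECTIVES)


def effective_sources(policy, directive):
    """Source list a browser actually applies for a fetch directive such as
    script-src: the directive itself if present, otherwise default-src."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def _source_matches(src, origin, self_origin):
    """Minimal source-expression matching: 'self', 'none', '*', scheme-only
    sources (https:) and hosts with an optional leading wildcard label.
    Assumption: origins are 'scheme://host' with no explicit port; nonces and
    hashes are treated as not matching a host."""
    src = src.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return origin == self_origin
    if src.startswith("'"):
        return False
    if src == "*":
        return True
    o_scheme, _, o_host = origin.lower().partition("://")
    if src.endswith(":") and "/" not in src:     # scheme source, e.g. https:
        return o_scheme + ":" == src
    s_scheme, sep, s_host = src.partition("://")
    if not sep:                                  # host source without a scheme
        s_scheme, s_host = "", src
    s_host = s_host.split("/", 1)[0]             # ignore any path component
    if s_scheme and s_scheme != o_scheme:
        return False
    if s_host.startswith("*."):
        return o_host.endswith(s_host[1:])
    return o_host == s_host


def script_allowed(policy, script_origin, self_origin):
    """Would a browser fetch a script from script_origin under this policy?
    No script-src and no default-src means no restriction."""
    sources = effective_sources(policy, "script-src")
    if not sources:
        return True
    return any(_source_matches(s, script_origin, self_origin) for s in sources)


if __name__ == "__main__":
    for label, header in (("typo", TYPO_CSP), ("fixed", FIXED_CSP)):
        policy = parse_csp(header)
        print(label, "unknown directives:", unknown_directives(policy),
              "cdn allowed:", script_allowed(policy, "https://cdn.example.com",
                                             "https://app.example.com"))
```

Run against a policy captured from a real response, the unknown-directive list is the quickest way to catch this class of typo before it reaches production; the matcher is deliberately minimal and does not evaluate nonces, hashes or ports.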

Fixed an issue that returned a 500 error code

Fixed PA-14541

Fixed an issue in the CRL client certificate authentication flow that returned a 500 error code when PingAccess is running in FIPS mode.

UI displays alias of selected certificates

Fixed PA-14421

Updated the PingAccess UI to display the alias of the selected certificates in the Trusted Certificate Group List.

Expanded character limit on the primary administrative node host field

Fixed PA-14433

Fixed an issue that limited the host field for the Primary Administrative Node to 64 characters, instead of the standard 255 characters.

Added URL encoding for special characters

Fixed PA-14083

Added handling to URL encode client secrets containing special characters, as required by RFC 6749 (section 2.3.1, client password in the HTTP Basic Authorization header).
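RFC 6749 section 2.3.1 requires the client identifier and client secret each to be form-urlencoded before they are joined with ':' and base64-encoded for HTTP Basic. The example below, added here and not PingAccess's own code, builds the header both ways and decodes it as a conforming token endpoint would, so the effect of skipping the encoding is visible. The credentials are constructed for illustration.

```python
"""Client credentials in the HTTP Basic Authorization header, encoded as
RFC 6749 section 2.3.1 requires.

Added example, not PingAccess code.  Each of client_id and client_secret is
application/x-www-form-urlencoded *before* the two are joined with ':' and
base64-encoded; otherwise a ':' in the client identifier or a '+' or '%' in
the secret changes what the token endpoint decodes.  The credentials below
are constructed for illustration.
"""
import base64
from urllib.parse import quote_plus, unquote_plus

# Constructed credentials with characters that break a naive Basic header.
CLIENT_ID = "svc:orders"
CLIENT_SECRET = "p+ss%word"


def basic_client_auth_header(client_id, client_secret):
    """RFC 6749 section 2.3.1: form-urlencode id and secret, then base64('id:secret')."""
    user = quote_plus(client_id, safe="")
    password = quote_plus(client_secret, safe="")
    token = base64.b64encode(f"{user}:{password}".encode("ascii")).decode("ascii")
    return "Basic " + token


def naive_basic_client_auth_header(client_id, client_secret):
    """The 'before' behaviour: plain RFC 7617 Basic with no form-urlencoding."""
    token = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_client_auth(header):
    """What a conforming token endpoint does: base64-decode, split at the first
    ':', then form-urldecode each half."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token).decode("utf-8")
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("credential has no ':' separator")
    return unquote_plus(user), unquote_plus(password)


if __name__ == "__main__":
    good = basic_client_auth_header(CLIENT_ID, CLIENT_SECRET)
    bad = naive_basic_client_auth_header(CLIENT_ID, CLIENT_SECRET)
    print("encoded  :", good, "->", parse_basic_client_auth(good))
    print("unencoded:", bad, "->", parse_basic_client_auth(bad))
```

With the unencoded header the token endpoint recovers the client identifier "svc" and a secret that begins with "orders:", so authentication fails even though both sides hold the same secret; only the encoded form round-trips.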

Fixed incorrect assumption that a revoked certificate is the first in the chain

Fixed PA-14445

Fixed an issue where, upon detecting a revoked certificate in a chain, PingAccess incorrectly assumed it was always the first certificate in the chain.
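Two of the items above concern chain handling: accepting a client certificate chain presented out of order (PA-14422) and reporting the revoked certificate wherever it sits in the chain rather than assuming position zero (PA-14445). The example below, added here and not PingAccess's own code, rebuilds leaf-to-root order from subject/issuer links for any input permutation and then checks every certificate against a set of (issuer, serial) revocations. Certificates are modelled as simple tuples; the names and serials are constructed.

```python
"""Order a client certificate chain and locate a revoked certificate in it.

Added example, not PingAccess code.  It accepts a chain presented in any
order (for example [root, intermediate, leaf]) by rebuilding leaf-to-root
order from subject/issuer links, and reports *which* certificate in the
ordered chain is revoked instead of assuming it is the first one.
Certificates are modelled as (subject, issuer, serial) tuples; the names
and serials below are constructed.
"""
from collections import namedtuple

Cert = namedtuple("Cert", "subject issuer serial")

# Constructed three-level chain.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", 1)          # self-signed
INTERMEDIATE = Cert("CN=Example Issuing CA", "CN=Example Root CA", 42)
LEAF = Cert("CN=client.example.com", "CN=Example Issuing CA", 1001)


def order_chain(certs):
    """Return the certificates as [leaf, ..., root] regardless of input order."""
    by_subject = {c.subject: c for c in certs}
    # Subjects that issued some *other* certificate in the set cannot be the leaf.
    issuing_subjects = {c.issuer for c in certs if c.issuer != c.subject}
    leaves = [c for c in certs if c.subject not in issuing_subjects]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf certificate, found {len(leaves)}")
    chain, seen, current = [], set(), leaves[0]
    while True:
        if current.subject in seen:
            raise ValueError("issuer loop in certificate chain")
        seen.add(current.subject)
        chain.append(current)
        if current.issuer == current.subject:      # reached a self-signed root
            break
        parent = by_subject.get(current.issuer)
        if parent is None:                         # issuer not supplied; trust store must hold it
            break
        current = parent
    return chain


def first_revoked(chain, revoked):
    """Index in leaf-to-root order of the first revoked certificate, or None.
    `revoked` holds (issuer, serial) pairs, which is how a CRL identifies
    certificates.  Every certificate is checked, not only chain[0]."""
    for index, cert in enumerate(chain):
        if (cert.issuer, cert.serial) in revoked:
            return index
    return None


def check_chain(certs, revoked):
    """Order the chain, then report the revoked certificate's position and subject."""
    chain = order_chain(certs)
    index = first_revoked(chain, revoked)
    if index is None:
        return "no revoked certificate in chain"
    return f"revoked at position {index} (leaf=0): {chain[index].subject}"


if __name__ == "__main__":
    crl = {("CN=Example Root CA", 42)}       # the intermediate is revoked
    print(check_chain([ROOT, INTERMEDIATE, LEAF], crl))   # reversed input order
    print(check_chain([LEAF, INTERMEDIATE, ROOT], set()))
```

Keying revocations by (issuer, serial) matters because serial numbers are only unique per issuing CA; matching on serial alone would produce false positives across CAs.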

Fixed a 500 error on key pairs endpoints

Fixed PA-14304

Fixed an issue that returned a 500 error when requesting key pairs endpoints with special characters in the chain certs field.

Fixed an issue that switched the admin and system token providers

Fixed PA-14467

Fixed an issue where key rolling caused the Admin Token Provider and System Token Provider to be switched.

Fixed a typo causing warnings when running PingAccess as a Windows Service

Fixed PA-14477

Fixed a typo that could cause warnings when running PingAccess as a Windows Service.

Fixed non-ASCII character encoding issue

Fixed PA-14402

Fixed an issue that prevented PingAccess from encoding non-ASCII characters when they appear only in the domain.

Fixed an error caused by omission of the response.body parameter

Fixed PA-14468

Fixed an issue that caused PingAccess to trigger an error when using the PingAuthorize Access Control rule and the target Sideband provider returns a response that omits the response.body parameter.

Fixed an issue with application initialization in the Admin UI

Fixed PA-14392

Fixed an issue that caused the PingAccess Admin UI to initialize an application with the state of another application, which could lead an administrator to unintentionally update an application with another application's data.

Fixed an issue preventing PEM key pair header warnings from being sent

Fixed PA-14314

Fixed an issue that prevented header warnings from being sent for PEM key pairs with a single duplicate chain certificate.

Added INFO level logging

Fixed PA-14258

Added INFO level logging at the start of configuration import.

Fixed invalid ACME request display issue

Fixed PA-14280

Fixed an issue that prevented an ACME request with an INVALID state and an empty problem description from displaying correctly.

Fixed sideband transport issue with fixed ports

Fixed PA-14290

Fixed an issue that caused the PingAccess Sideband transport to only use fixed ports when performing resource matching against incoming sideband API requests.

Fixed display issue with the Signing Algorithm drop-down list

Fixed PA-14238

Fixed an issue that caused disabled algorithms to appear on the Signing Algorithm drop-down list on the Auth Token Management page.

Fixed an issue with JWT SSO Admin Authentication

Fixed PA-14265

Fixed an issue that prevented the SSO Admin Authentication method in the PingAccess admin console from functioning in clustered PingAccess deployments when Private Key JSON Web Token (JWT) client authentication is used.

Fixed no scope claim issue with the PingAccess sideband API

Fixed PA-14029

Fixed an issue that caused PingAccess Sideband API to return an error when no scope claim is configured in the access token.

Fixed Sideband API 'Transfer-Encoding' issue

Fixed PA-14305

Fixed an issue where the 'Transfer-Encoding' request header is dropped from inbound PingAccess Sideband API request results.

Improved empty string error message

Fixed PA-14472

Improved error message when supplying an empty string to fields that expect a charset.

Hibernate deadlock errors

Issue PA-14985

There are a few scenarios in which the PingAccess data layer might encounter database deadlocks. PingAccess recovers from these deadlocks by retrying the transaction, so Hibernate error logs can be ignored when they are followed by the log message "Recovered from database deadlock with transaction retry."

Cloud HSM limited in Java8u261

Issue PA-14414

Cloud HSM functionality works in FIPS mode but not in regular mode with Java 8u261 and later. RSASSA-PSS signing algorithms fail with Java 8u261 or later because HSM vendors and core Java use different names for the RSASSA-PSS algorithm. A workaround is documented in Adding an AWS CloudHSM provider.

Kong API limitation

Issue PA-14466

Due to an outstanding defect in the Kong API Gateway, the ping-auth plugin currently does not support requests that utilize the Transfer-Encoding header. If PingAccess is used as the external authorization server, the Rewrite Content rule can prevent the page from displaying.

Zero downtime upgrade limitation

Issue PAPQ-1034

PingAccess 6.3 deployments that use the Sideband API feature cannot be upgraded using the zero downtime upgrade procedure. You must use a planned outage to upgrade such an environment.

SameSite cookie attribute defaults might change during upgrade

Issue

Depending on the source version, the upgrade process may change the default settings for the SameSite cookie attribute to make PingAccess cookies work on all browsers. Review the settings for each web session in Access → Web Sessions to verify that your SameSite cookie attribute values are set to None or Lax, depending on the third-party context needs for PingAccess cookies.
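The configuration review above can be cross-checked against what the upgraded system actually sends. The following audit, added here and not part of PingAccess, parses Set-Cookie headers captured from a response and flags the combinations that fail in browsers or do not fit the deployment: SameSite=None without Secure (rejected by browsers), a missing SameSite attribute (Chromium-based browsers then apply Lax), Lax or Strict where cookies must travel cross-site, and None where they need not. The header values and cookie names are constructed.

```python
"""Audit the SameSite and Secure attributes of Set-Cookie headers.

Added example, not PingAccess code.  After an upgrade that may have changed
SameSite defaults, the check that matters is what the running system actually
sends, so this inspects Set-Cookie headers captured from a response.  The
header values below are constructed.  Browser rules assumed: a cookie with
SameSite=None is rejected unless it is also Secure; Lax/Strict cookies are
not sent on cross-site (third-party) requests; Chromium-based browsers treat
a missing SameSite attribute as Lax.
"""

# Constructed Set-Cookie headers as they might appear in a captured response.
SAMPLE_HEADERS = [
    "session_a=abc; Path=/; Secure; HttpOnly; SameSite=None",
    "session_b=def; Path=/; HttpOnly; SameSite=None",        # None without Secure
    "session_c=ghi; Path=/; Secure; HttpOnly",                # no SameSite at all
    "session_d=jkl; Path=/; Secure; HttpOnly; SameSite=Lax",
]


def parse_set_cookie(header):
    """Return (name, value, {attribute_lowercase: value}) for one Set-Cookie header.
    Flag attributes such as Secure and HttpOnly get an empty string as value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_samesite(headers, third_party_context):
    """Return [(cookie_name, finding)] for cookies whose SameSite/Secure settings
    do not fit the deployment.  third_party_context=True means the cookies must
    be sent on cross-site requests (for example an application embedded in a
    page served from another site)."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        samesite = attrs.get("samesite", "").lower()
        secure = "secure" in attrs
        if "samesite" not in attrs:
            findings.append((name, "missing SameSite; browser default (Lax in Chromium) applies"))
        elif samesite == "none" and not secure:
            findings.append((name, "SameSite=None without Secure; browsers reject the cookie"))
        elif samesite == "none" and not third_party_context:
            findings.append((name, "SameSite=None but no third-party use; Lax is sufficient"))
        elif samesite in ("lax", "strict") and third_party_context:
            findings.append((name, f"SameSite={samesite} will not be sent cross-site"))
    return findings


if __name__ == "__main__":
    for ctx in (True, False):
        print(f"third-party context = {ctx}")
        for cookie, finding in audit_samesite(SAMPLE_HEADERS, third_party_context=ctx):
            print(f"  {cookie}: {finding}")
```

Feed it the Set-Cookie headers from a real response (for example from a browser's network panel) once per web session, with third_party_context set according to how that application is embedded.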

TLS 1.3 limitation

Issue STAGING-8707

PingAccess may have difficulty maintaining TLS 1.3 connections when using JDK 11.0.0, 11.0.1, or 11.0.2 because of a defect in those versions. This might cause upgrades to fail on systems using these versions.

Engine and Admin Replica connection issue

Issue PA-4888

Engines and admin replicas do not connect to admin console if a combination of IP addresses and DNS names are used.

Token processor issue

Issue PA-6262

The token processor can't connect to a JWKS endpoint over Secure Sockets Layer (SSL) when an IP address is used rather than a hostname. To work around this issue, add the hostname as a subject alternative name on the key pair.

Virtual hosts with shared hostnames retention issue

Issue PA-11390

If you create multiple virtual hosts with a shared hostname and associate the hostname with a server key pair, the virtual hosts retain the connection with the server key pair even if they are subsequently renamed. The virtual host must be deleted and recreated to remove the association.

Risk-based authorization rule issue during upgrade

Issue PA-10505

Upgrades will fail with a risk-based authorization rule if a third-party service is not used in the rule.

Excessive log file warnings during startup

Issue

Log files may contain excessive warnings issued by Hibernate during startup.

Asynchronous front-channel logout issue

Issue PA-12647

Asynchronous front-channel logout might fail in some browsers depending on end-user settings. See https://support.pingidentity.com/s/article/Managing-Single-Log-Out-in-different-browsers for browser-specific workarounds.

UI failure when assigning new key pair

Issue PA-13500

Assigning a new key pair to the Admin HTTPS listener if the browser does not trust the new key pair can prevent the UI from functioning. The workaround is to close the browser and re-open it so that all connections to the admin node use the new certificate.

Invalid special characters permitted in identity mappings

Issue PA-13214

Invalid special characters, namely ( ) , / ; < = > ? @ [ \ ] { } and ", can be added to the Certificate to Header Mapping field in an identity mapping. Adding this identity mapping to an application will cause 400 errors when the application is accessed.

Slow restarts in FIPS mode

Issue PA-14239

If PingAccess is repeatedly stopped and restarted in FIPS mode, subsequent restarts can take up to 5 minutes to complete. The workaround is to use a tool such as rng-tools to feed /dev/random so that entropy becomes available faster. For example, on a yum-based system, install rng-tools and start its daemon (rngd) in the background:

sudo yum install rng-tools
sudo rngd -b

Firefox limitation for time range rules

Issue

Firefox does not correctly support the HTML5 time tag. When using the Time Range rule, enter time in 24-hour format.

Spurious errors when installing PingAccess as a Windows service

Issue

When installing PingAccess as a Windows service using Windows PowerShell and Java 8, the error message "Could not find or load main class" can be safely ignored.

Request preservation not supported with Safari private browsing

Issue PA-2896

Request Preservation is not supported with Safari Private Browsing.

IPv6 limitation

Issue PA-1894

IPv6 literals in the Host header are handled incorrectly. Note that IPv6 is not currently supported.

Spurious warning after upgrade or startup on Windows

Issue PA-14907

After starting PingAccess for the first time on a Windows system or upgrading PingAccess on a Windows system, a warning message is logged reporting that the pa.jwk file was not made non-executable. This message can be ignored.