PingAccess 7.2 (December 2022)
Adjust web session timeouts based on specific user attributes
New PA-14884
Added a new advanced setting, the Timeout Groovy Script field, to the Web Sessions page. With this feature, you can attach a groovy script to a web session to overwrite its default Max Timeout and Idle Timeout values based on specific user attributes returned by the token provider. For more information and an example script, see Creating web sessions.
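As an added illustration of the kind of decision a timeout script makes (this is not PingAccess code and not the Groovy script contract; the claim names, group values and the session_timeouts function are hypothetical), the following Python models attribute-driven timeouts. The defensive choice it demonstrates is clamping: attributes can shorten a session below the web session's configured Max Timeout and Idle Timeout, but never lengthen it, and the idle timeout never exceeds the max timeout.

```python
"""Attribute-driven web session timeouts (added illustration, not PingAccess code).

Models the decision logic a timeout script might apply to attributes returned
by the token provider. Attribute names, group names and the default values are
constructed for this example; none of this is the PingAccess Groovy script API.
"""

DEFAULT_MAX_TIMEOUT = 8 * 60 * 60   # seconds; constructed default Max Timeout
DEFAULT_IDLE_TIMEOUT = 60 * 60      # seconds; constructed default Idle Timeout

# Hypothetical policy: tighter (max, idle) budgets for higher-privilege groups.
GROUP_TIMEOUTS = {
    "admins":      (60 * 60, 15 * 60),
    "contractors": (4 * 60 * 60, 30 * 60),
}


def session_timeouts(attributes, default_max=DEFAULT_MAX_TIMEOUT,
                     default_idle=DEFAULT_IDLE_TIMEOUT):
    """Return (max_timeout, idle_timeout) in seconds for the given claim set.

    `attributes` is a dict of claims from the token provider. The result is
    clamped so the policy can only shorten the session relative to the web
    session's defaults, and the idle timeout never exceeds the max timeout.
    """
    max_t, idle_t = default_max, default_idle

    # "groups" may arrive as a single string or a list; normalise to a list.
    groups = attributes.get("groups") or []
    if isinstance(groups, str):
        groups = [groups]
    for group in groups:
        if group in GROUP_TIMEOUTS:
            g_max, g_idle = GROUP_TIMEOUTS[group]
            max_t, idle_t = min(max_t, g_max), min(idle_t, g_idle)

    # Hypothetical per-user claim; honoured only if it is a positive integer
    # and only ever in the shortening direction.
    override = attributes.get("session_idle_seconds")
    if isinstance(override, int) and not isinstance(override, bool) and override > 0:
        idle_t = min(idle_t, override)

    # An idle window longer than the absolute lifetime is meaningless.
    idle_t = min(idle_t, max_t)
    return max_t, idle_t


if __name__ == "__main__":
    for claims in ({}, {"groups": ["admins"]}, {"groups": "contractors", "session_idle_seconds": 600}):
        print(claims, "->", session_timeouts(claims))
```

The clamp matters because the script runs with whatever the token provider returns; a malformed or unexpectedly generous attribute should not be able to turn a one-hour idle timeout into a day.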
Access reserved resources from an application’s context root
New PA-14876
Added a new advanced setting, Use context root as reserved resource base path, to the Applications page. Selecting this check box prepends the specified application’s <context root> before the globally-defined <reserved application context root> in the file path to reserved resources and runtime API endpoints, making accessibility to these resources more flexible. For more information and examples, see Application field descriptions.
Establish web sessions in Microsoft Office products
New PA-14900
Added a new out-of-the-box authentication challenge policy which enables you to open Microsoft Office applications in an in-app browser that redirects to the OpenID Provider (OP) for authentication. See Authentication for more information on system-provided policies and Configuring authentication challenge policies for more information on how to use the MS-OFBA challenge response mapping and the MS-OFBA Authentication Request Redirect challenge response generator to address edge-case scenarios regarding MS-OFBA support.
Include requested resource URL in additional authentication challenge responses
New PA-14988
Added additional parameters to the Redirect Challenge and Templated Challenge response generators. They can now store the URL of the resource a user was trying to access before they were redirected to authenticate, as well as the authentication API parameters necessary for the user to access that resource. This feature aids in the creation of your own user sign-on experience, but some additional coding is required. For more information, see Authentication challenge response generator descriptions and Configuring authentication challenge policies.
Provide user feedback on authentication challenge reason for expired sessions
New PA-15010
Added feedback keys to the OIDC Authentication Request Redirect, Redirect Challenge, and Templated Challenge response generators. When a user is redirected to an authentication source by one of these authentication challenge response generators, PingAccess sends the feedback key to the authentication source to let it know that the user was directed there because their session expired. The authentication source can then configure and display a user-facing message to let the user know why they were redirected.
To enable PingAccess to send feedback to the authentication source, you must select the Provide Authentication Feedback check box on the web session you intend to use. For more information, see Configuring authentication challenge policies and Creating web sessions.
Configure prompt parameter in OIDC authentication requests
New PA-14999
Added a prompt parameter to the following authentication challenge response generators:
- Browser-handled OIDC Authentication Request
- HTML OIDC Authentication Request
- MS_OFBA Authentication Request Redirect
- OIDC Authentication Request Redirect
- PingFederate Authentication API Challenge
The prompt parameter can be used to confirm that the end-user is still present for the current session, or to draw attention to the authentication request. For more information, see Configuring authentication challenge policies. You can also configure the prompt parameter on a web session, but a prompt parameter specified on a challenge response generator takes precedence. For more information, see Creating web sessions.
Additionally, PingAccess can now send pushed authorization requests (PAR) to provide an additional layer of security to requests if PingFederate is configured as the token provider. For more information, see Enable Push Authorization in Creating web sessions.
Create PingOne Protect policies through the PingAccess administrative API
New PA-14987
Added two new admin API endpoints, /pingone/connections and /risk/policies. Administrators can integrate PingOne Protect evaluations into PingAccess through the /pingone/connections endpoint. With the /risk/policies endpoint, administrators can create risk policies to dynamically monitor end-user requests and invoke specific access control or authentication challenge policies set by the administrator based on the PingOne Protect score that the user’s activity generates. For more information, see PingOne Protect integration.
Stale engine node deletion
New PA-14867
You can configure administrative nodes to automatically remove stale engine node entities. For more information, see Configuring administrative nodes.
Removed extraneous algorithm to improve replication times
Improved PA-15032
Consolidated an algorithm that assisted in calculating invalidation timestamps for agent resources to improve performance.
Improved Apache Derby replication times regarding slow database queries
Improved PA-15027
Resource database queries were performing slowly in Apache Derby when run at scale. The query used with the resource table has been changed to improve the speed of policy data collection.
Fixed replication of rules and rulesets configured on a proxied version of PingFederate
Fixed PA-15136
Because of a misclassification by an optimization that tries to prevent rules and rulesets from being replicated to the engine if they are not in use, PingAccess wasn’t replicating rules and rulesets assigned to a proxied PingFederate configuration unless they were also assigned to other applications or resources. Rules and rulesets assigned to a proxied PingFederate configuration are now classified correctly.
Fixed sample plugins failing to build with Maven 3.8.1+
Fixed PA-114997
Maven 3.8.1 and up are configured to block HTTP repositories by default. The PingAccess Add-on SDK for Java shipped with sample plugins that were failing to build because they contained references to an HTTP repository. PingAccess now ships with pom files in its sample plugins that reference HTTPS repositories instead.
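To make the failure mode concrete, here is an added pom fragment (not the SDK's actual sample pom; the groupId, artifactId, repository id and host are placeholders) showing the plain-HTTP repository declaration that Maven 3.8.1+ blocks beside the HTTPS form that builds. Since 3.8.1 the default settings.xml ships a mirror with id maven-default-http-blocker, mirrorOf external:http:* and blocked set to true, so any external http:// repository URL is rejected before a download is attempted.

```xml
<!-- Added illustration, not the SDK's pom. Coordinates and host are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example.sample</groupId>
  <artifactId>sample-plugin</artifactId>
  <version>1.0.0</version>

  <repositories>
    <!-- BEFORE: with Maven 3.8.1+ this URL matches the built-in
         maven-default-http-blocker mirror (mirrorOf external:http:*, blocked=true)
         and dependency resolution fails. -->
    <!--
    <repository>
      <id>sdk-repo</id>
      <url>http://repo.example.test/maven2</url>
    </repository>
    -->

    <!-- AFTER: the same repository over TLS; the blocker matches only http URLs,
         and artifacts are now fetched over an authenticated, integrity-protected
         channel rather than one open to tampering in transit. -->
    <repository>
      <id>sdk-repo</id>
      <url>https://repo.example.test/maven2</url>
    </repository>
  </repositories>
</project>
```

Re-enabling HTTP by overriding the blocker mirror in settings.xml would also make the build pass, but it reintroduces the supply-chain exposure the blocker exists to remove; switching the repository URL is the right fix.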
Fixed population of original resource IDs in upgrade audit logs
Fixed PA-14998
The upgrade audit log is used to review entity migration after you’ve upgraded PingAccess to a new version. Original resource IDs within the upgrade audit log were incorrectly displaying a value of zero instead of their real values. This issue has been fixed.
Fixed PingAccess nonce “set-cookie” interaction with Blackberry SDK
Fixed PA-14891
The PingAccess nonce cookie was formerly set with a lower-case “set-cookie” header, and the Blackberry SDK, which matches header names case-sensitively, was removing it. The header now uses title-case Set-Cookie capitalization to ensure that the cookie is set properly.
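The interoperability problem here is worth seeing in code. HTTP field names are case-insensitive (RFC 9110, Section 5.1), so a server may legitimately emit set-cookie, Set-Cookie or SET-COOKIE; a client that compares names byte-for-byte silently drops whichever spelling it did not expect. The following added Python example (not PingAccess or Blackberry code; the raw response, cookie names and values are constructed) parses a response with one lower-case and one title-case header and contrasts a strict lookup with an RFC-conformant one.

```python
"""Header-name case handling for Set-Cookie (added illustration, not product code).

The raw response below is constructed for this example: the first cookie is
emitted with a lower-case header name, the second with the title-case name.
"""

RAW_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://idp.example.test/authorize\r\n"
    "set-cookie: PA_NONCE=abc123; Path=/; Secure; HttpOnly; SameSite=None\r\n"
    "Set-Cookie: PA.session=xyz789; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return the header block as an ordered list of (name, value) pairs."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")[1:]          # drop the status line
    pairs = []
    for line in lines:
        name, _, value = line.partition(":")  # split on the first colon only
        pairs.append((name.strip(), value.strip()))
    return pairs


def cookies_strict(headers):
    """Byte-for-byte name comparison: the behaviour that dropped the nonce cookie."""
    return [value for name, value in headers if name == "Set-Cookie"]


def cookies_rfc(headers):
    """Case-insensitive comparison, as RFC 9110 requires for field names."""
    return [value for name, value in headers if name.casefold() == "set-cookie"]


def cookie_names(values):
    """Extract the cookie name from each Set-Cookie value ("NAME=value; attrs")."""
    return [value.split(";", 1)[0].split("=", 1)[0] for value in values]


if __name__ == "__main__":
    headers = parse_headers(RAW_RESPONSE)
    print("strict client sees:", cookie_names(cookies_strict(headers)))
    print("RFC client sees:   ", cookie_names(cookies_rfc(headers)))
```

Changing the emitted capitalization, as the fix does, works around the strict client, but the general lesson for anyone writing a client or SDK is to compare header names case-insensitively; a dropped nonce cookie turns into a failed or looping sign-on rather than an obvious error.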
Fixed identity mapping exclusion list issue
Fixed PA-14908
Fixed an issue that prevented an identity mapping from being saved through the API if the exclusion list attributes were null.
Fixed identity mapping for unprotected API applications
Fixed PA-14899
Fixed an issue that prevented identity mappings from being assigned to unprotected API applications.
Fixed sign-on failure issue
Fixed PA-14897
Fixed an issue that sometimes caused UI lockout after multiple failed sign-on attempts.