Release Notes
New features and improvements in PingAccess. Updated August 16, 2024.
PingAccess 7.2.4 (August 2024)
Fixed a security vulnerability with URL-encoded characters
Security PA-15776
Added the pa.uri.canonicalize parameter to the Configuration file reference to fix a security vulnerability. Learn more in an upcoming security advisory.
Opt out of automatic URL encoding
Improved PA-15697
By default, redirect rules and rejection handlers automatically URL encode the admin input redirect URL. This could cause unexpected behavior if an application targeted by a redirect requires the URL to follow a specific format.
You can now opt out of automatic URL encoding by deselecting the Encode URL check box on a specific application resource logout or redirect response generator, redirect rule, redirect authentication challenge response generator, or redirect rejection handler. Learn more in:
Set response headers for OAuth errors
Improved PA-15764
Added the oauth.error.headers and oauth.error.header.Content-Security-Policy parameters to the Configuration file reference.
Fixed issues with query parameter behavior due to automatic URL encoding
Fixed PA-15696
Fixed an issue with automatically URL encoding target redirect URLs that sometimes disrupted query parameter sort order or added a trailing = to the end of single value query parameters. This issue affected redirect rules, redirect rejection handlers, redirect virtual resources, logout virtual resources, and redirect authentication challenge policy response generators.
Fixed admin JWKS endpoint returning a 401 or 500 response instead of the OAuth key set
Fixed PA-15723
Fixed an issue that caused PingAccess to override existing handling for the /pa/oauth/JWKS endpoint for the admin listener with the engine self-registration handler, prompting requests made to the endpoint to result in 401 unauthorized responses or 500 internal server errors.
PingAccess 7.2.3 (March 2024)
Improved request header security
Security PA-15610
Fixed an issue with connection request header handling. Learn more in SECADV045.
Fixed NullPointerException with the rewrite content rule
Fixed PA-15612
Fixed an issue that caused a NullPointerException error when the rewrite content rule was used on a resource that returned an empty chunked response body.
PingAccess 7.2.2 (July 2023)
Connect engine nodes to a more recently upgraded administrative node
New PA-15359
Engine nodes and the replica administrative node running PingAccess 7.2.2 or later can now connect with an administrative node that’s running a later version of PingAccess.
This ability was backported from PingAccess 7.3. For more information on how to use this ability, see Connect engine nodes to a more recently upgraded administrative node in the 7.3 release notes.
Updated PingAccess client authentication logic
Improved PA-15229
Updated the PingAccess logic that determines which authentication method to use at runtime. This update prevents errors when Private Key JWT and Mutual TLS are the only client authentication methods that a token provider can support.
Fixed upgrade utility issue when default system encoding isn’t UTF-8
Fixed PA-15240
Formerly, running the upgrade utility on a system that uses non-UTF character encoding by default could result in the upgrade utility modifying non-ASCII content. This is because there are certain code flows that don’t define a character set to use when transferring data between the source and target version of PingAccess.
The upgrade utility now checks if the character set on the content type header is set to null. If it is, the upgrade utility changes the character set to UTF-8.
PingAccess 7.2.1 (April 2023)
Added RHEL 9 support to PingAccess
New PA-15174
Added support for RHEL 9 to version 7.2 of PingAccess, and the most recent versions of the PingAccess agent for NGINX and the PingAccess agent for Apache (RHEL). For more information, see the following topics:
Added UI controls for risk policy configuration
New PA-15152
Added two new pages in the administrative console, PingOne Connections and Risk Policies, as well as new configuration options on the Application and Application Resource tabs. These UI controls simplify the process of setting up a PingOne Protect integration for web applications. For more information, see the following topics:
- For more information on how to establish a connection between PingOne Protect and PingAccess, see PingOne connections.
- For more information on how to create a risk policy, see Risk policies.
- For more information on how to assign a risk policy to a specific application or application resource, see the Application Type table entry in Application field descriptions or step 11 of Adding application resources.
PingOne risk policy integration maps user-agent header manually
Fixed PA-15153
PingAccess wasn’t sending the browser.userAgent
parameter to PingOne Protect because PingAccess doesn’t currently support device profiling (which would normally collect this parameter). In the absence of device profiling, PingAccess now attempts to map this parameter manually and send it to PingOne Protect.
Redirect and templated authentication challenges now set PingAccess cookies
Fixed PA-15154
PingAccess now proactively sets web session cookies for Redirect and Templated authentication challenges when you select the Append Redirect Parameters check box on one of those two challenge generators. Adding web session cookies helps the frontend application to interpret redirect or templated challenge responses and begin the appropriate authentication procedure.
Improved vague error response message when PingOne Credential is blank or null
Fixed PA-15165
The response message PingAccess returns for errors generated when an administrator adds or updates a PingOne connection has been improved to specify that the credential must not be null, empty, or blank.
Adjusted agent token cache TTLs to reflect risk policy evaluation intervals
Fixed PA-15166
Corrected an issue with token cache time to lives (TTLs) on agent applications that use the PingOne Protect integration. The agent token cache TTLs no longer prioritize an application’s web session Idle Timeout over the Risk Check Interval or Authentication Validity Period defined in the application’s risk policy.
Fixed default removal of active session state cookies from requests
Fixed PA-15167
Corrected an issue where PingAccess would remove active session state cookies from requests by default. If a component relies on the session state cookie, its absence can cause unexpected behavior, so PingAccess now removes session state cookies conditionally.
PingAccess 7.2 (December 2022)
Adjust web session timeouts based on specific user attributes
New PA-14884
Added a new advanced setting, the Timeout Groovy Script field, to the Web Sessions page. With this feature, you can attach a groovy script to a web session to overwrite its default Max Timeout and Idle Timeout values based on specific user attributes returned by the token provider. For more information and an example script, see Creating web sessions.
Access reserved resources from an application’s context root
New PA-14876
Added a new advanced setting, Use context root as reserved resource base path, to the Applications page. Selecting this check box prepends the specified application’s <context root> before the globally-defined <reserved application context root> in the file path to reserved resources and runtime API endpoints, making accessibility to these resources more flexible. For more information and examples, see Application field descriptions.
Establish web sessions in Microsoft Office products
New PA-14900
Added a new out-of-the-box authentication challenge policy which enables you to open Microsoft Office applications in an in-app browser that redirects to the OpenID Provider (OP) for authentication. See Authentication for more information on system-provided policies and Configuring authentication challenge policies for more information on how to use the MS-OFBA challenge response mapping and the MS-OFBA Authentication Request Redirect challenge response generator to address edge-case scenarios regarding MS-OFBA support.
Include requested resource URL in additional authentication challenge responses
New PA-14988
Added additional parameters to the Redirect Challenge and Templated Challenge response generators. They can now store the URL of the resource a user was trying to access before they were redirected to authenticate, as well as the authentication API parameters necessary for the user to access that resource. This feature aids in the creation of your own user sign-on experience, but some additional coding is required. For more information, see Authentication challenge response generator descriptions and Configuring authentication challenge policies.
Provide user feedback on authentication challenge reason for expired sessions
New PA-15010
Added feedback keys to the OIDC Authentication Request Redirect, Redirect Challenge, and Templated Challenge response generators. When a user is redirected to an authentication source by one of these authentication challenge response generators, PingAccess sends the feedback key to the authentication source to let it know that the user was directed there because their session expired. The authentication source can then configure and display a user-facing message to let the user know why they were redirected.
To enable PingAccess to send feedback to the authentication source, you must select the Provide Authentication Feedback check box on the web session you intend to use. For more information, see Configuring authentication challenge policies and Creating web sessions.
Configure prompt parameter in OIDC authentication requests
New PA-14999
Added a prompt parameter to the following authentication challenge response generators:
- Browser-handled OIDC Authentication Request
- HTML OIDC Authentication Request
- MS_OFBA Authentication Request Redirect
- OIDC Authentication Request Redirect
- PingFederate Authentication API Challenge
The prompt parameter can be used to confirm that the end-user is still present for the current session, or to draw attention to the authentication request. For more information, see Configuring authentication challenge policies. You can also configure the prompt parameter on a web session, but a prompt parameter specified on a challenge response generator takes precedence. For more information, see Creating web sessions.
Additionally, PingAccess can now send pushed authorization requests (PAR) to provide an additional layer of security to requests if PingFederate is configured as the token provider. For more information, see Enable Push Authorization in Creating web sessions.
Create PingOne Protect policies through the PingAccess administrative API
New PA-14987
Added two new admin API endpoints, /pingone/connections and /risk/policies. Administrators can integrate PingOne Protect evaluations into PingAccess through the /pingone/connections endpoint. With the /risk/policies endpoint, administrators can create risk policies to dynamically monitor end-user requests and invoke specific access control or authentication challenge policies set by the administrator based on the PingOne Protect score that the user’s activity generates. For more information, see PingOne Protect integration.
Stale engine node deletion
New PA-14867
You can configure administrative nodes to automatically remove stale engine node entities. For more information, see Configuring administrative nodes.
Removed extraneous algorithm to improve replication times
Improved PA-15032
Consolidated an algorithm that assisted in calculating invalidation timestamps for agent resources to improve performance speed.
Improved Apache Derby replication times regarding slow database queries
Improved PA-15027
Resource database queries were performing slowly in Apache Derby when run at scale. The query used with the resource table has been changed to improve the speed of policy data collection.
Fixed replication of rules and rulesets configured on a proxied version of PingFederate
Fixed PA-15136
Because of a misclassification by an optimization that tries to prevent rules and rulesets from being replicated to the engine if they are not in use, PingAccess wasn’t replicating rules and rulesets assigned to a proxied PingFederate configuration unless they were also assigned to other applications or resources. Rules and rulesets assigned to a proxied PingFederate configuration are now classified correctly.
Fixed sample plugins failing to build with Maven 3.8.1+
Fixed PA-114997 PingAccess
Maven 3.8.1 and up are configured to block HTTP repositories by default. The PingAccess Add-on SDK for Java shipped with sample plugins that were failing to build because they contained references to an HTTP repository. PingAccess now ships with pom files in its sample plugins that reference HTTPS repositories instead.
Fixed population of original resource IDs in upgrade audit logs
Fixed PA-14998
The upgrade audit log is used to review entity migration after you’ve upgraded PingAccess to a new version. Original resource IDs within the upgrade audit log were incorrectly displaying a value of zero instead of their real values. This issue has been fixed.
Fixed PingAccess nonce “set-cookie” interaction with Blackberry SDK
Fixed PA-14891
Case-sensitivity was causing the Blackberry SDK to remove the cookie set by the PingAccess nonce, which was formerly “set-cookie.” Set-Cookie now uses title-case capitalization to ensure that the cookie is set properly.
Fixed identity mapping exclusion list issue
Fixed PA-14908
Fixed an issue that prevented an identity mapping from being saved through the API if the exclusion list attributes were null.
Fixed identity mapping for unprotected API applications
Fixed PA-14899
Fixed an issue that prevented identity mappings from being assigned to unprotected API applications.
Fixed sign on failure issue
Fixed PA-14897
Fixed an issue that sometimes caused UI lockout after multiple failed sign on attempts.
PingAccess 7.1.5 (August 2024)
Fixed a security vulnerability with URL-encoded characters
Security PA-15776
Added the pa.uri.canonicalize parameter to the Configuration file reference to fix a security vulnerability. Learn more in an upcoming security advisory.
Opt out of automatic URL encoding
Improved PA-15697
By default, redirect rules and rejection handlers automatically URL encode the admin input redirect URL. This could cause unexpected behavior if an application targeted by a redirect requires the URL to follow a specific format.
You can now opt out of automatic URL encoding by deselecting the Encode URL check box on a specific application resource logout or redirect response generator, redirect rule, redirect authentication challenge response generator, or redirect rejection handler. Learn more in:
Set response headers for OAuth errors
Improved PA-15764
Added the oauth.error.headers and oauth.error.header.Content-Security-Policy parameters to the Configuration file reference.
Fixed issues with query parameter behavior due to automatic URL encoding
Fixed PA-15696
Fixed an issue with automatically URL encoding target redirect URLs that sometimes disrupted query parameter sort order or added a trailing = to the end of single value query parameters. This issue affected redirect rules, redirect rejection handlers, redirect virtual resources, logout virtual resources, and redirect authentication challenge policy response generators.
Fixed admin JWKS endpoint returning a 401 or 500 response instead of the OAuth key set
Fixed PA-15723
Fixed an issue that caused PingAccess to override existing handling for the /pa/oauth/JWKS endpoint for the admin listener with the engine self-registration handler, prompting requests made to the endpoint to result in 401 unauthorized responses or 500 internal server errors.
PingAccess 7.1.4 (March 2024)
Improved request header security
Security PA-15610
Fixed an issue with connection request header handling. Learn more in SECADV045.
Updated PingAccess client authentication logic
Improved PA-15229
Updated the PingAccess logic that determines which authentication method to use at runtime. This update prevents errors when Private Key JWT and Mutual TLS are the only client authentication methods that a token provider can support.
Fixed replication of rules and rulesets configured on a proxied version of PingFederate
Fixed PA-15136
Because of a misclassification by an optimization that tries to prevent rules and rulesets from being replicated to the engine if they are not in use, PingAccess wasn’t replicating rules and rulesets assigned to a proxied PingFederate configuration unless they were also assigned to other applications or resources. Rules and rulesets assigned to a proxied PingFederate configuration are now classified correctly.
Fixed NullPointerException with the rewrite content rule
Fixed PA-15612
Fixed an issue that caused a NullPointerException error when the rewrite content rule was used on a resource that returned an empty chunked response body.
PingAccess 7.1.3 (October 2022)
Fixed PingAccess Nonce “Set-Cookie” Interaction with Blackberry SDK
Fixed PA-14891
Case-sensitivity was causing the Blackberry SDK to remove the cookie set by the PingAccess nonce, which was formerly “set-cookie.” Set-Cookie now uses title-case capitalization to ensure that the cookie is set properly.
PingAccess 7.1 (June 2022)
Automatic Engine Registration
New PA-14730
A new capability lets you configure and download an engine node registration file from the PingAccess UI. You can put this file on an engine node when it is first started to automatically register the engine node. For more information, see Configuring engine nodes using an auto-registration file.
Added capability for forced reauthorization
New PA-14737
Authentication requirements rules now include an option for maximum age. If the user has not authenticated within the specified timeframe, they are prompted to reauthenticate. For more information, see Adding an authentication requirements rule.
Kong API Gateway Integration
New PA-14418
Ping Identity provides a plugin for Kong Gateway that enables PingAccess (and other Ping Identity products) to be used for policy decisions. For more information, see Kong API Gateway Integration.
IWA Integration
New PA-14588
PingAccess, when protecting applications as a gateway, adds support for protecting applications that rely on Integrated Windows Authentication (IWA). This gives IAM teams consistent, centralized access control and visibility for IWA-based applications, similar to their WAM-based applications (PingAccess does not mediate authentication methods for IWA-based applications. Authentication is negotiated between the browser and the IWA-based application, passing through PingAccess). For more information, see IWA Integration.
Added SPA Support Disabled Authentication Challenge Policy
New PA-14567
A new SPA Support Disabled Authentication Challenge Policy (ACP) has been added that behaves the same as previously seen when Applications were set with SPA Support disabled. Additionally, added an ability to define a default ACP to be set when creating new applications in the PingAccess administrative UI. For more information, see changes to Application field descriptions and System defaults, and Configuring authentication challenge policies.
Added Content-Security-Policy headers
New PA-14597
The PingAccess Runtime Authentication Challenge Policy behavior is modified to incorporate a default CSP header in the response. Additionally, default content-security-policy headers have been added for various error responses generated by PingAccess. For more information, see changes to Configuration file reference.
Added support for PingFederate administrative APIs using OAuth authentication
New PA-14562
PingAccess can authenticate to PingFederate administrative APIs using OAuth2 by sending a bearer token in the requests PingAccess makes to the PingFederate administrative API. For more information, see Configuring PingFederate administration.
Fixed certificate ID issue
Fixed PA-14775
Fixed an issue that restricted the available certificate IDs for agents, engines, and replica administrative nodes.
Fixed authentication requirements issue
Fixed PA-14771
Fixed an issue that prevented an authentication requirements list from correctly displaying the related authentication requirements rule after an attempt to edit it.
Fixed non-FIPS HSM key pair issue
Fixed PA-14414
Fixed an issue where PingAccess could not use non-FIPS HSM key pairs at runtime.
Fixed DB password issue
Fixed PA-14570
Resolved an issue by disabling the DB password check in Derby.
Fixed nonce cookie persistence issue
Fixed PA-12652
Fixed an issue where nonce cookies were not removed when SLO is not enabled.
Fixed API swagger issue
Fixed PA-14634
Fixed an issue with API swagger where the GET Response Class Models and Operational Models did not reflect the actual response.
Fixed custom load balancing issue
Fixed PA-14645
Fixed an issue where custom load balancing strategies that returned custom TargetHosts would result in runtime exceptions.
PingAccess 7.0.8 (August 2024)
Fixed a security vulnerability with URL-encoded characters
Security PA-15776
Added the pa.uri.canonicalize parameter to the Configuration file reference to fix a security vulnerability. Learn more in an upcoming security advisory.
Opt out of automatic URL encoding
Improved PA-15697
By default, redirect rules and rejection handlers automatically URL encode the admin input redirect URL. This could cause unexpected behavior if an application targeted by a redirect requires the URL to follow a specific format.
You can now opt out of automatic URL encoding by deselecting the Encode URL check box on a specific application resource logout or redirect response generator, redirect rule, redirect authentication challenge response generator, or redirect rejection handler. Learn more in:
Set response headers for OAuth errors
Improved PA-15764
Added the oauth.error.headers and oauth.error.header.Content-Security-Policy parameters to the Configuration file reference.
Fixed issues with query parameter behavior due to automatic URL encoding
Fixed PA-15696
Fixed an issue with automatically URL encoding target redirect URLs that sometimes disrupted query parameter sort order or added a trailing = to the end of single value query parameters. This issue affected redirect rules, redirect rejection handlers, redirect virtual resources, logout virtual resources, and redirect authentication challenge policy response generators.
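The two symptoms of PA-15696 (listed under 7.2.4, 7.1.5 and 7.0.8) come from rebuilding a redirect URL's query string from parsed pairs: a parser that treats a bare key as an empty value emits a trailing "=", and a rebuild that sorts the pairs changes their order. The following is an added illustration, not PingAccess code: naive_reencode reproduces that failure class, and preserving_reencode re-encodes each component in place so that order and bare keys survive. The URL and parameter names are constructed.

```python
from urllib.parse import parse_qsl, quote, unquote, urlencode, urlsplit, urlunsplit

# Constructed sample: one bare flag, one value with a space, one already-encoded value.
SAMPLE_URL = "https://app.example.test/cb?z=1&flag&a=hello world&b=x%26y"


def naive_reencode(url: str) -> str:
    """Illustrates the failure class behind PA-15696 (not PingAccess's code).

    parse_qsl(keep_blank_values=True) turns the bare key 'flag' into
    ('flag', ''), which urlencode renders as 'flag=' (trailing '='), and
    sorting the pairs before rebuilding changes the parameter order.
    """
    parts = urlsplit(url)
    pairs = sorted(parse_qsl(parts.query, keep_blank_values=True))
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def _reencode_component(component: str) -> str:
    # Decode first so an already-encoded input is not double-encoded,
    # then percent-encode everything outside the unreserved set.
    return quote(unquote(component), safe="")


def preserving_reencode(url: str) -> str:
    """Re-encode a URL's path and query without changing parameter order
    and without inventing '=' for keys that had no value."""
    parts = urlsplit(url)
    if not parts.query:
        return urlunsplit(parts._replace(path=quote(unquote(parts.path), safe="/")))
    rebuilt = []
    for piece in parts.query.split("&"):
        if piece == "":
            continue  # tolerate '&&' or a trailing '&'
        key, sep, value = piece.partition("=")
        encoded_key = _reencode_component(key)
        if sep:  # 'k=' keeps its '=', 'k' stays bare
            rebuilt.append(f"{encoded_key}={_reencode_component(value)}")
        else:
            rebuilt.append(encoded_key)
    return urlunsplit(
        parts._replace(path=quote(unquote(parts.path), safe="/"), query="&".join(rebuilt))
    )


def has_bare_keys(url: str) -> bool:
    """True if any query parameter appears without '=' (used to check a rebuild)."""
    query = urlsplit(url).query
    return any(piece and "=" not in piece for piece in query.split("&"))


if __name__ == "__main__":
    print("naive     :", naive_reencode(SAMPLE_URL))
    print("preserving:", preserving_reencode(SAMPLE_URL))
```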
PingAccess 7.0.7 (March 2024)
Improved request header security
Security PA-15610
Fixed an issue with connection request header handling. Learn more in SECADV045.
Updated PingAccess client authentication logic
Improved PA-15229
Updated the PingAccess logic that determines which authentication method to use at runtime. This update prevents errors when Private Key JWT and Mutual TLS are the only client authentication methods that a token provider can support.
Fixed NullPointerException with the rewrite content rule
Fixed PA-15612
Fixed an issue that caused a NullPointerException error when the rewrite content rule was used on a resource that returned an empty chunked response body.
PingAccess 7.0.4 (May 2022)
Fixed behavior of Body.toString() in the add-on SDK
Fixed PA-14751 PingAccess
Fixed handling of PingAccess add-on SDK function com.pingidentity.pa.sdk.http.Body#toString to maintain the same behavior as seen prior to 6.3.
Fixed runtime exception with custom load balancing strategies
Fixed PA-14645
Fixed an issue where custom load balancing strategies that returned custom TargetHosts would result in runtime exceptions.
PingAccess 7.0 (December 2021)
Added Logout virtual resource
New PA-14281
Added a new Logout response generator for virtual resources, enabling you to customize logout behavior for each application. See Adding application resources for more information.
CRL processing improvements
New PA-14227, PA-14410
PingAccess now supports trace-level logging to help troubleshoot certification revocation issues and provides an option to bypass trust anchor validation. This helps improve interoperability with certificate authority (CA) infrastructure. See Creating trusted certificate groups for more information.
Added support for web session access token identity mappings
New PA-14412
PingAccess now supports creating web session access token identity mappings. This helps ease integration with existing APIs, in particular in the context of Single Page Applications (SPAs). See Creating web session access token identity mappings for more information.
Added support for reversed trust chain certificate validation
New PA-14422
PingAccess now supports validation for client certificate chains that are not in the standard order, such as a reversed certificate chain of [root, intermediate, leaf]. See Creating trusted certificate groups for more information.
Runtime state clustering no longer supported
Info PA-14435
PingAccess no longer supports runtime state clustering. Clustered environments that do not use runtime state clustering are not affected.
Fixed a typo affecting the upload of external scripts
Fixed PA-14542
Fixed a typo in the Content-Security-Policy header that prevented PingAccess from loading external scripts from HTML responses.
Fixed an issue that returned a 500 error code
Fixed PA-14541
Fixed an issue in the CRL client certificate authentication flow that returned a 500 error code when PingAccess is in FIPS mode.
UI displays alias of selected certificates
Fixed PA-14421
Updated the PingAccess UI to display the alias of the selected certificates in the Trusted Certificate Group List.
Expanded character limit on the primary administrative node host field
Fixed PA-14433
Fixed an issue that limited the host field for the Primary Administrative Node to 64 characters, instead of the standard 255 characters.
Added URL encoding for special characters
Fixed PA-14083
Added handling to URL encode client secrets with special characters per RFC 6749.
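RFC 6749 section 2.3.1 requires the client_id and client_secret to be form-urlencoded before they are joined with ":" and Base64-encoded for the HTTP Basic Authorization header; without that step a secret containing ":", "+" or "%" is mis-parsed by a server that decodes per the RFC. The following is an added example, not PingAccess code, showing the encoded form beside the unencoded one and a parser that follows the RFC. The client ID and secret are constructed.

```python
import base64
from typing import Tuple
from urllib.parse import quote_plus, unquote_plus

# Constructed credentials; the secret deliberately contains '+', '%' and ':'.
CLIENT_ID = "app-client"
CLIENT_SECRET = "s3cr+t%2F:x"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """client_secret_basic per RFC 6749 section 2.3.1 / appendix B:
    form-urlencode each value, join with ':', then Base64-encode."""
    credentials = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    token = base64.b64encode(credentials.encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def naive_basic_auth_header(client_id: str, client_secret: str) -> str:
    """Behaviour class addressed by PA-14083: Base64 of the raw values,
    skipping the form-urlencoding step the RFC requires."""
    credentials = f"{client_id}:{client_secret}"
    token = base64.b64encode(credentials.encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth_header(header: str) -> Tuple[str, str]:
    """Server-side decoding as the RFC describes: Base64-decode, split on the
    first ':', then form-urldecode each part."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not an HTTP Basic credential")
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    encoded_id, sep, encoded_secret = raw.partition(":")
    if not sep:
        raise ValueError("credential lacks ':' separator")
    return unquote_plus(encoded_id), unquote_plus(encoded_secret)


def round_trips(client_id: str, client_secret: str, encode=basic_auth_header) -> bool:
    """True if a server decoding per the RFC recovers exactly what the client sent."""
    return parse_basic_auth_header(encode(client_id, client_secret)) == (client_id, client_secret)


if __name__ == "__main__":
    print("encoded :", basic_auth_header(CLIENT_ID, CLIENT_SECRET))
    print("decoded :", parse_basic_auth_header(basic_auth_header(CLIENT_ID, CLIENT_SECRET)))
    print("naive decodes to:", parse_basic_auth_header(naive_basic_auth_header(CLIENT_ID, CLIENT_SECRET)))
```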
Fixed incorrect assumption that a revoked certificate is the first in the chain
Fixed PA-14445
Fixed an issue where upon detecting a revoked certificate in a chain, PingAccess incorrectly assumes it is always the first cert in the chain.
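Two of the 7.0 fixes concern chain handling: validating a chain supplied in reversed order (PA-14422) and not assuming a revoked certificate sits first in the chain (PA-14445). The following added example, which is not PingAccess code, orders an arbitrarily ordered chain leaf-first by following issuer to subject links, rejects disconnected or cyclic input, and reports the position of every revoked certificate wherever it sits. Cert is a constructed stand-in carrying only the fields the logic needs; the names and serials are made up.

```python
from dataclasses import dataclass
from typing import List, Sequence, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (subject, issuer, serial only)."""
    subject: str
    issuer: str
    serial: int

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed three-certificate chain.
ROOT = Cert(subject="CN=Example Root", issuer="CN=Example Root", serial=1)
INTERMEDIATE = Cert(subject="CN=Example Issuing CA", issuer="CN=Example Root", serial=2)
LEAF = Cert(subject="CN=client.example.test", issuer="CN=Example Issuing CA", serial=3)


def order_chain(certs: Sequence[Cert]) -> List[Cert]:
    """Return the chain leaf-first regardless of the order it was presented in."""
    if not certs:
        raise ValueError("empty chain")
    by_subject = {c.subject: c for c in certs}
    if len(by_subject) != len(certs):
        raise ValueError("duplicate subject in chain")
    # A leaf is a certificate that issues nothing else in the chain.
    issuer_names = {c.issuer for c in certs if not c.is_self_signed()}
    leaves = [c for c in certs if c.subject not in issuer_names]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf, found {len(leaves)}")
    ordered = [leaves[0]]
    seen = {leaves[0].subject}
    while not ordered[-1].is_self_signed():
        parent = by_subject.get(ordered[-1].issuer)
        if parent is None:
            break  # issuer not supplied; a trust anchor elsewhere would complete the path
        if parent.subject in seen:
            raise ValueError("cycle in chain")
        ordered.append(parent)
        seen.add(parent.subject)
    if len(ordered) != len(certs):
        raise ValueError("chain contains certificates not linked to the leaf")
    return ordered


def revoked_positions(chain: Sequence[Cert], revoked: Set[Tuple[str, int]]) -> List[int]:
    """Indexes (leaf-first) of every certificate whose (issuer, serial) is revoked.
    Checks the whole chain instead of assuming index 0 (the PA-14445 assumption)."""
    return [i for i, c in enumerate(chain) if (c.issuer, c.serial) in revoked]


if __name__ == "__main__":
    reversed_chain = [ROOT, INTERMEDIATE, LEAF]
    ordered = order_chain(reversed_chain)
    print([c.subject for c in ordered])
    print(revoked_positions(ordered, {("CN=Example Root", 2)}))
```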
Fixed 500 error issue related to key pair endpoints
Fixed PA-14304
Fixed an issue that returned a 500 error when requesting key pairs endpoints with special characters in the chain certs field.
Fixed an issue that switched the admin and system token providers
Fixed PA-14467
Fixed an issue that caused key rolling to result in Admin Token Provider and System Token Provider being switched.
Fixed a typo causing warnings when running PingAccess as a Windows Service
Fixed PA-14477
Fixed a typo that could cause warnings when running PingAccess as a Windows Service.
Fixed non-ASCII character encoding issue
Fixed PA-14402
Fixed an issue that prevented PingAccess from encoding non-ASCII characters when they are in the domain only.
Fixed an error caused by omission of the response.body parameter
Fixed PA-14468
Fixed an issue that caused PingAccess to trigger an error when using the PingAuthorize Access Control rule and the target Sideband provider returns a response that omits the response.body
parameter.
Fixed an issue with application initialization in the Admin UI
Fixed PA-14392
Fixed an issue that caused PingAccess Admin UI to incorrectly initialize an application with the state of another application leading to scenarios where an administrator could mistakenly update an application with the data of another application.
Fixed an issue preventing PEM key pair header warnings from being sent
Fixed PA-14314
Fixed an issue that prevented header warnings from being sent for PEM key pairs with a single duplicate chain certificate.
Added INFO level logging
Fixed PA-14258
Added INFO level logging at the start of configuration import.
Fixed invalid ACME request display issue
Fixed PA-14280
Fixed an issue that prevented an ACME request with an INVALID state and an empty problem description from displaying correctly.
Fixed sideband transport issue with fixed ports
Fixed PA-14290
Fixed an issue that caused the PingAccess Sideband transport to only use fixed ports when performing resource matching against incoming sideband API requests.
Fixed display issue with the Signing Algorithm drop-down list
Fixed PA-14238
Fixed an issue that caused disabled algorithms to appear on the Signing Algorithm drop-down list on the Auth Token Management page.
Fixed an issue with JWT SSO Admin Authentication
Fixed PA-14265
Fixed an issue that prevented the SSO Admin Authentication method in the PingAccess admin console from functioning in clustered PingAccess deployments when Private Key JSON Web Token (JWT) client authentication is used.
Fixed no scope claim issue with the PingAccess sideband API
Fixed PA-14029
Fixed an issue that caused PingAccess Sideband API to return an error when no scope claim is configured in the access token.
Fixed Sideband API 'Transfer-Encoding' issue
Fixed PA-14305
Fixed an issue where the 'Transfer-Encoding' request header is dropped from inbound PingAccess Sideband API request results.
Improved empty string error message
Fixed PA-14472
Improved error message when supplying an empty string to fields that expect a charset.
Hibernate deadlock errors
Issue PA-14985
There are a few potential scenarios when the PingAccess data layer might encounter deadlocks. PingAccess should be able to recover from these deadlocks, so hibernate error logs can be ignored when followed by the log message "Recovered from database deadlock with transaction retry."
Cloud HSM limited in Java8u261
Issue PA-14414
Cloud HSM functionality works in FIPS mode but not in regular mode for Java8u261 and later. RSASSA-PSS signing algorithms fail with Java8u261 or later, and HSM vendors and core Java use different naming conventions for the RSASSA-PSS algorithm. There is a documented workaround in Adding an AWS CloudHSM provider.
Kong API limitation
Issue PA-14466
Due to an outstanding defect in the Kong API Gateway, the ping-auth plugin currently does not support requests that utilize the Transfer-Encoding header. If PingAccess is used as the external authorization server, the Rewrite Content rule can prevent the page from displaying.
Zero downtime upgrade limitation
Issue PAPQ-1034
PingAccess 6.3 deployments that use the Sideband API feature cannot be upgraded using the zero downtime upgrade procedure. You must use a planned outage to upgrade such an environment.
SameSite cookie upgrade issue
Issue
Depending on the source version, the upgrade process may change the default settings for the SameSite cookie attribute to make PingAccess cookies work on all browsers. Review the settings for each web session in Access → Web Sessions to verify that your SameSite cookie attribute values are set to None or Lax, depending on the third-party context needs for PingAccess cookies.
TLS 1.3 limitation
Issue STAGING-8707
PingAccess may have difficulty maintaining TLS 1.3 connections when using JDK 11.0.0, 11.0.1, or 11.0.2 because of a defect in those versions. This might cause upgrades to fail on systems using these versions.
Engine and Admin Replica connection issue
Issue PA-4888
Engines and admin replicas do not connect to admin console if a combination of IP addresses and DNS names are used.
Token processor issue
Issue PA-6262
The token processor can’t connect to a JWKS endpoint via Secure Sockets Layer (SSL) when an IP is used rather than a hostname. To work around this issue, add the hostname as the subject alt name on the key pair.
Virtual hosts with shared hostnames retention issue
Issue PA-11390
If you create multiple virtual hosts with a shared hostname and associate the hostname with a server key pair, the virtual hosts retain the connection with the server key pair even if they are subsequently renamed. The virtual host must be deleted and recreated to remove the association.
Risk-based authorization rule issue during upgrade
Issue PA-10505
Upgrades will fail with a risk-based authorization rule if a third-party service is not used in the rule.
Excessive log file warnings during startup
Issue
Log files may contain excessive warnings issued by Hibernate during startup.
Asynchronous front-channel logout issue
Issue PA-12647
Asynchronous front-channel logout might fail in some browsers depending on end-user settings. See https://support.pingidentity.com/s/article/Managing-Single-Log-Out-in-different-browsers for browser-specific workarounds.
UI failure when assigning new key pair
Issue PA-13500
Assigning a new key pair to the Admin HTTPS listener if the browser does not trust the new key pair can prevent the UI from functioning. The workaround is to close the browser and re-open it so that all connections to the admin node use the new certificate.
Invalid special characters permitted in identity mappings
Issue PA-13214
Invalid special characters ((),/;<=>?@[\]\{}") can be added to the Certificate to Header Mapping field in an identity mapping. Adding this identity mapping to an application will cause 400 errors when the application is accessed.
Slow restarts in FIPS mode
Issue PA-14239
If PingAccess is repeatedly stopped and restarted in FIPS mode, subsequent restarts can take up to 5 minutes to complete. The workaround is to use a tool such as rng-tools to refresh /dev/random and make more entropy available faster. For example, install the package and then start the rngd daemon in the background:
sudo yum install rng-tools
sudo rngd -b
Firefox limitation for time range rules
Issue
Firefox does not correctly support the HTML5 time tag. When using the Time Range rule, enter time in 24-hour format.
Spurious errors when installing PingAccess as a Windows service
Issue
When installing PingAccess as a Windows service using Windows PowerShell and Java 8, the error message "Could not find or load main class" can be safely ignored.
Request preservation not supported with Safari private browsing
Issue PA-2896
Request Preservation is not supported with Safari Private Browsing.