PingAccess

Release Notes

New features and improvements in PingAccess. Updated August 16, 2024.

PingAccess 7.2.4 (August 2024)

Fixed a security vulnerability with URL-encoded characters

Security PA-15776

Added the pa.uri.canonicalize parameter to the Configuration file reference to fix a security vulnerability. Learn more in an upcoming security advisory.

Opt out of automatic URL encoding

Improved PA-15697

By default, redirect rules and rejection handlers automatically URL encode the redirect URL entered by the administrator. This could cause unexpected behavior if an application targeted by a redirect requires the URL to follow a specific format.

You can now opt out of automatic URL encoding by deselecting the Encode URL check box on a specific application resource logout or redirect response generator, redirect rule, redirect authentication challenge response generator, or redirect rejection handler. Learn more in:

Set response headers for OAuth errors

Improved PA-15764

Added the oauth.error.headers and oauth.error.header.Content-Security-Policy parameters to the Configuration file reference.

Fixed issues with query parameter behavior due to automatic URL encoding

Fixed PA-15696

Fixed an issue with automatically URL encoding target redirect URLs that sometimes disrupted query parameter sort order or added a trailing = to the end of single value query parameters. This issue affected redirect rules, redirect rejection handlers, redirect virtual resources, logout virtual resources, and redirect authentication challenge policy response generators.

Fixed admin JWKS endpoint returning a 401 or 500 response instead of the OAuth key set

Fixed PA-15723

Fixed an issue that caused PingAccess to override the existing handling for the /pa/oauth/JWKS endpoint on the admin listener with the engine self-registration handler, so that requests to the endpoint returned 401 Unauthorized or 500 Internal Server Error responses instead of the key set.

Fixed potential infinite loop issue with PingAccess clusters

Fixed PA-15741

Fixed a potential infinite loop issue that could prevent an engine node or replica administrative node from applying configuration changes.

PingAccess 7.2.3 (March 2024)

Improved request header security

Security PA-15610

Fixed an issue with connection request header handling. Learn more in SECADV045.

Fixed NullPointerException with the rewrite content rule

Fixed PA-15612

Fixed an issue that caused a NullPointerException error when the rewrite content rule was used on a resource that returned an empty chunked response body.

PingAccess 7.2.2 (July 2023)

Connect engine nodes to a more recently upgraded administrative node

New PA-15359

Engine nodes and the replica administrative node running PingAccess 7.2.2 or later can now connect with an administrative node that’s running a later version of PingAccess.

This ability was backported from PingAccess 7.3. For more information on how to use this ability, see Connect engine nodes to a more recently upgraded administrative node in the 7.3 release notes.

Updated PingAccess client authentication logic

Improved PA-15229

Updated the PingAccess logic that determines which authentication method to use at runtime. This update prevents errors when Private Key JWT and Mutual TLS are the only client authentication methods that a token provider can support.

Fixed upgrade utility issue when default system encoding isn’t UTF-8

Fixed PA-15240

Formerly, running the upgrade utility on a system whose default character encoding is not UTF-8 could result in the upgrade utility modifying non-ASCII content. This is because certain code flows don’t define a character set to use when transferring data between the source and target versions of PingAccess.

The upgrade utility now checks if the character set on the content type header is set to null. If it is, the upgrade utility changes the character set to UTF-8.

PingAccess 7.2.1 (April 2023)

Added RHEL 9 support to PingAccess

New PA-15174

Added support for RHEL 9 to version 7.2 of PingAccess, and the most recent versions of the PingAccess agent for NGINX and the PingAccess agent for Apache (RHEL). For more information, see the following topics:

Added UI controls for risk policy configuration

New PA-15152

Added two new pages in the administrative console, PingOne Connections and Risk Policies, as well as new configuration options on the Application and Application Resource tabs. These UI controls simplify the process of setting up a PingOne Protect integration for web applications. For more information, see the following topics:

PingOne risk policy integration maps user-agent header manually

Fixed PA-15153

PingAccess wasn’t sending the browser.userAgent parameter to PingOne Protect because PingAccess doesn’t currently support device profiling (which would normally collect this parameter). In the absence of device profiling, PingAccess now attempts to map this parameter manually and send it to PingOne Protect.

Redirect and templated authentication challenges now set PingAccess cookies

Fixed PA-15154

PingAccess now proactively sets web session cookies for Redirect and Templated authentication challenges when you select the Append Redirect Parameters check box on one of those two challenge generators. Adding web session cookies helps the frontend application to interpret redirect or templated challenge responses and begin the appropriate authentication procedure.

Improved vague error response message when PingOne Credential is blank or null

Fixed PA-15165

The response message PingAccess returns for errors generated when an administrator adds or updates a PingOne connection has been improved to specify that the credential must not be null, empty, or blank.

Adjusted agent token cache TTLs to reflect risk policy evaluation intervals

Fixed PA-15166

Corrected an issue with token cache time-to-live (TTL) values on agent applications that use the PingOne Protect integration. The agent token cache TTLs no longer prioritize an application’s web session Idle Timeout over the Risk Check Interval or Authentication Validity Period defined in the application’s risk policy.

Fixed default removal of active session state cookies from requests

Fixed PA-15167

Corrected an issue where PingAccess would remove active session state cookies from requests by default. If a component relies on the session state cookie, its absence can cause unexpected behavior, so PingAccess now removes session state cookies conditionally.

PingAccess 7.2 (December 2022)

Adjust web session timeouts based on specific user attributes

New PA-14884

Added a new advanced setting, the Timeout Groovy Script field, to the Web Sessions page. With this feature, you can attach a groovy script to a web session to overwrite its default Max Timeout and Idle Timeout values based on specific user attributes returned by the token provider. For more information and an example script, see Creating web sessions.

Access reserved resources from an application’s context root

New PA-14876

Added a new advanced setting, Use context root as reserved resource base path, to the Applications page. Selecting this check box prepends the specified application’s <context root> before the globally-defined <reserved application context root> in the file path to reserved resources and runtime API endpoints, making accessibility to these resources more flexible. For more information and examples, see Application field descriptions.

Establish web sessions in Microsoft Office products

New PA-14900

Added a new out-of-the-box authentication challenge policy that enables you to open Microsoft Office applications in an in-app browser that redirects to the OpenID Provider (OP) for authentication. See Authentication for more information on system-provided policies, and Configuring authentication challenge policies for more information on how to use the MS-OFBA challenge response mapping and the MS-OFBA Authentication Request Redirect challenge response generator to address edge-case scenarios regarding MS-OFBA support.

Include requested resource URL in additional authentication challenge responses

New PA-14988

Added additional parameters to the Redirect Challenge and Templated Challenge response generators. They can now store the URL of the resource a user was trying to access before they were redirected to authenticate, as well as the authentication API parameters necessary for the user to access that resource. This feature aids in the creation of your own user sign-on experience, but some additional coding is required. For more information, see Authentication challenge response generator descriptions and Configuring authentication challenge policies.

Provide user feedback on authentication challenge reason for expired sessions

New PA-15010

Added feedback keys to the OIDC Authentication Request Redirect, Redirect Challenge, and Templated Challenge response generators. When a user is redirected to an authentication source by one of these authentication challenge response generators, PingAccess sends the feedback key to the authentication source to let it know that the user was directed there because their session expired. The authentication source can then configure and display a user-facing message to let the user know why they were redirected.

To enable PingAccess to send feedback to the authentication source, you must select the Provide Authentication Feedback check box on the web session you intend to use. For more information, see Configuring authentication challenge policies and Creating web sessions.

Configure prompt parameter in OIDC authentication requests

New PA-14999

Added a prompt parameter to the following authentication challenge response generators:

  • Browser-handled OIDC Authentication Request

  • HTML OIDC Authentication Request

  • MS-OFBA Authentication Request Redirect

  • OIDC Authentication Request Redirect

  • PingFederate Authentication API Challenge

The prompt parameter can be used to confirm that the end-user is still present for the current session, or to draw attention to the authentication request. For more information, see Configuring authentication challenge policies. You can also configure the prompt parameter on a web session, but a prompt parameter specified on a challenge response generator takes precedence. For more information, see Creating web sessions.

Additionally, PingAccess can now send pushed authorization requests (PAR) to provide an additional layer of security to requests if PingFederate is configured as the token provider. For more information, see Enable Push Authorization in Creating web sessions.

Create PingOne Protect policies through the PingAccess administrative API

New PA-14987

Added two new admin API endpoints, /pingone/connections and /risk/policies. Administrators can integrate PingOne Protect evaluations into PingAccess through the /pingone/connections endpoint. With the /risk/policies endpoint, administrators can create risk policies that dynamically monitor end-user requests and invoke specific access control or authentication challenge policies, set by the administrator, based on the PingOne Protect score that the user’s activity generates. For more information, see PingOne Protect integration.

Stale engine node deletion

New PA-14867

You can configure administrative nodes to automatically remove stale engine node entities. For more information, see Configuring administrative nodes.

Removed extraneous algorithm to improve replication times

Improved PA-15032

Consolidated an algorithm that assisted in calculating invalidation timestamps for agent resources, improving replication performance.

Improved Apache Derby replication times regarding slow database queries

Improved PA-15027

Resource database queries were performing slowly in Apache Derby when run at scale. The query used with the resource table has been changed to improve the speed of policy data collection.

Fixed replication of rules and rulesets configured on a proxied version of PingFederate

Fixed PA-15136

Because of a misclassification by an optimization that tries to prevent rules and rulesets from being replicated to the engine if they are not in use, PingAccess wasn’t replicating rules and rulesets assigned to a proxied PingFederate configuration unless they were also assigned to other applications or resources. Rules and rulesets assigned to a proxied PingFederate configuration are now classified correctly.

Fixed sample plugins failing to build with Maven 3.8.1+

Fixed PA-114997 PingAccess

Maven 3.8.1 and later are configured to block HTTP repositories by default. The PingAccess Add-on SDK for Java shipped with sample plugins that failed to build because they referenced an HTTP repository. PingAccess now ships with pom files in its sample plugins that reference HTTPS repositories instead.

Fixed population of original resource IDs in upgrade audit logs

Fixed PA-14998

The upgrade audit log is used to review entity migration after you’ve upgraded PingAccess to a new version. Original resource IDs within the upgrade audit log were incorrectly displaying a value of zero instead of their real values. This issue has been fixed.

Fixed PA-14891

Case sensitivity caused the Blackberry SDK to remove the PingAccess nonce cookie because the header name was formerly sent as “set-cookie.” The header now uses title-case capitalization, Set-Cookie, to ensure that the cookie is set properly.

Fixed identity mapping exclusion list issue

Fixed PA-14908

Fixed an issue that prevented an identity mapping from being saved through the API if the exclusion list attributes were null.

Fixed identity mapping for unprotected API applications

Fixed PA-14899

Fixed an issue that prevented identity mappings from being assigned to unprotected API applications.

Fixed sign on failure issue

Fixed PA-14897

Fixed an issue that sometimes caused UI lockout after multiple failed sign-on attempts.

Fixed engine status field descriptions

Fixed PA-14885

Added descriptions of the fields for the GET /engines/status endpoint.

Fixed potential deadlock issue

Fixed PA-14974

Added handling to recover from deadlocks encountered during configuration import and other asynchronous Admin API actions.

PingAccess 7.1.5 (August 2024)

Fixed a security vulnerability with URL-encoded characters

Security PA-15776

Added the pa.uri.canonicalize parameter to the Configuration file reference to fix a security vulnerability. Learn more in an upcoming security advisory.

Opt out of automatic URL encoding

Improved PA-15697

By default, redirect rules and rejection handlers automatically URL encode the redirect URL entered by the administrator. This could cause unexpected behavior if an application targeted by a redirect requires the URL to follow a specific format.

You can now opt out of automatic URL encoding by deselecting the Encode URL check box on a specific application resource logout or redirect response generator, redirect rule, redirect authentication challenge response generator, or redirect rejection handler. Learn more in:

Set response headers for OAuth errors

Improved PA-15764

Added the oauth.error.headers and oauth.error.header.Content-Security-Policy parameters to the Configuration file reference.

Fixed issues with query parameter behavior due to automatic URL encoding

Fixed PA-15696

Fixed an issue with automatically URL encoding target redirect URLs that sometimes disrupted query parameter sort order or added a trailing = to the end of single value query parameters. This issue affected redirect rules, redirect rejection handlers, redirect virtual resources, logout virtual resources, and redirect authentication challenge policy response generators.

Fixed admin JWKS endpoint returning a 401 or 500 response instead of the OAuth key set

Fixed PA-15723

Fixed an issue that caused PingAccess to override the existing handling for the /pa/oauth/JWKS endpoint on the admin listener with the engine self-registration handler, so that requests to the endpoint returned 401 Unauthorized or 500 Internal Server Error responses instead of the key set.

Fixed potential infinite loop issue with PingAccess clusters

Fixed PA-15741

Fixed a potential infinite loop issue that could prevent an engine node or replica administrative node from applying configuration changes.

PingAccess 7.1.4 (March 2024)

Improved request header security

Security PA-15610

Fixed an issue with connection request header handling. Learn more in SECADV045.

Updated PingAccess client authentication logic

Improved PA-15229

Updated the PingAccess logic that determines which authentication method to use at runtime. This update prevents errors when Private Key JWT and Mutual TLS are the only client authentication methods that a token provider can support.

Fixed replication of rules and rulesets configured on a proxied version of PingFederate

Fixed PA-15136

Because of a misclassification by an optimization that tries to prevent rules and rulesets from being replicated to the engine if they are not in use, PingAccess wasn’t replicating rules and rulesets assigned to a proxied PingFederate configuration unless they were also assigned to other applications or resources. Rules and rulesets assigned to a proxied PingFederate configuration are now classified correctly.

Fixed NullPointerException with the rewrite content rule

Fixed PA-15612

Fixed an issue that caused a NullPointerException error when the rewrite content rule was used on a resource that returned an empty chunked response body.

PingAccess 7.1.3 (October 2022)

Fixed PA-14891

Case sensitivity caused the Blackberry SDK to remove the PingAccess nonce cookie because the header name was formerly sent as “set-cookie.” The header now uses title-case capitalization, Set-Cookie, to ensure that the cookie is set properly.

Improved Apache Derby replication times regarding slow database queries

Improved PA-15027

Resource database queries were performing slowly in Apache Derby when run at scale. The query used with the resource table has been changed to improve the speed of policy data collection.

Removed extraneous algorithm to improve replication times

Improved PA-15032

Consolidated an algorithm that assisted in calculating invalidation timestamps for agent resources, improving replication performance.

PingAccess 7.1.2 (September 2022)

Fixed potential deadlock issue

Fixed PA-14974

Added handling to recover from deadlocks encountered during configuration import and other asynchronous Admin API actions.

PingAccess 7.1.1 (August 2022)

Fixed potential memory leak

Fixed PA-14875

Fixed an exchange processing issue that could cause a memory leak.

Fixed security issue

Security PA-14772

Fixed a potential security issue with basic authentication.

PingAccess 7.1 (June 2022)

Automatic Engine Registration

New PA-14730

A new capability lets you configure and download an engine node registration file from the PingAccess UI. You can put this file on an engine node when it is first started to automatically register the engine node. For more information, see Configuring engine nodes using an auto-registration file.

Added capability for forced reauthorization

New PA-14737

Authentication requirements rules now include an option for maximum age. If the user has not authenticated within the specified timeframe, they are prompted to reauthenticate. For more information, see Adding an authentication requirements rule.

Kong API Gateway Integration

New PA-14418

Ping Identity provides a plugin for Kong Gateway that enables PingAccess (and other Ping Identity products) to be used for policy decisions. For more information, see Kong API Gateway Integration.

IWA Integration

New PA-14588

PingAccess, when protecting applications as a gateway, now supports protecting applications that rely on Integrated Windows Authentication (IWA). This gives IAM teams consistent, centralized access control and visibility for IWA-based applications, similar to their WAM-based applications. PingAccess does not mediate authentication methods for IWA-based applications; authentication is negotiated between the browser and the IWA-based application, passing through PingAccess. For more information, see IWA Integration.

Added SPA Support Disabled Authentication Challenge Policy

New PA-14567

A new SPA Support Disabled Authentication Challenge Policy (ACP) has been added that behaves the same way applications previously did when SPA Support was disabled. Additionally, you can now define a default ACP to be applied when creating new applications in the PingAccess administrative UI. For more information, see the changes to Application field descriptions and System defaults, and Configuring authentication challenge policies.

Added Content-Security-Policy headers

New PA-14597

The PingAccess Runtime Authentication Challenge Policy behavior is modified to incorporate a default CSP header in the response. Additionally, default content-security-policy headers have been added for various error responses generated by PingAccess. For more information, see changes to Configuration file reference.

Added support for PingFederate administrative APIs using OAuth authentication

New PA-14562

PingAccess can authenticate to PingFederate administrative APIs using OAuth2 by sending a bearer token in the requests PingAccess makes to the PingFederate administrative API. For more information, see Configuring PingFederate administration.

Fixed security issue

Security PA-14772

Fixed a potential security issue with basic authentication.

Fixed potential security issue

Security PA-14579

Fixed a potential security issue.

Fixed potential security issue

Security PA-14310

Fixed a potential security issue.

Fixed potential security issue

Security PA-14573

Fixed a potential security issue.

Fixed potential security issue

Security PA-14772

Fixed a potential security issue.

Updated Log4j to 2.17.1

Improved PA-14557

PingAccess upgraded to Log4j version 2.17.1.

Improved CSD tool

Improved PA-14580

Added a default memory limit on the CSD tool.

Fixed certificate ID issue

Fixed PA-14775

Fixed an issue that restricted the available certificate IDs for agents, engines, and replica administrative nodes.

Fixed authentication requirements issue

Fixed PA-14771

Fixed an issue that prevented an authentication requirements list from correctly displaying the related authentication requirements rule after an attempt to edit it.

Fixed non-FIPS HSM key pair issue

Fixed PA-14414

Fixed an issue where PingAccess could not use non-FIPS HSM key pairs at runtime.

Fixed DB password issue

Fixed PA-14570

Resolved an issue by disabling the DB password check in Derby.

Fixed PA-12652

Fixed an issue where nonce cookies were not removed when SLO is not enabled.

Fixed API swagger issue

Fixed PA-14634

Fixed an issue with API swagger where the GET Response Class Models and Operational Models did not reflect the actual response.

Fixed custom load balancing issue

Fixed PA-14645

Fixed an issue where custom load balancing strategies that returned custom TargetHosts would result in runtime exceptions.

Fixed error header issue

Fixed PA-14606

Fixed an issue where the rule.error.headers additional headers did not display from policy rule results.

Java 17 limitation

Issue PA-14863

BC-FIPS and HSMs are not supported when using Java 17.

Certificate revocation list memory issue

Issue PA-14621

If a client certificate has a certificate revocation list (CRL) DistributionPoint that points to an extremely large CRL, PingAccess might suffer from high memory usage, leading to out-of-memory (OOM) exceptions.

PingAccess 7.0.8 (August 2024)

Fixed a security vulnerability with URL-encoded characters

Security PA-15776

Added the pa.uri.canonicalize parameter to the Configuration file reference to fix a security vulnerability. Learn more in an upcoming security advisory.

Opt out of automatic URL encoding

Improved PA-15697

By default, redirect rules and rejection handlers automatically URL encode the redirect URL entered by the administrator. This could cause unexpected behavior if an application targeted by a redirect requires the URL to follow a specific format.

You can now opt out of automatic URL encoding by deselecting the Encode URL check box on a specific application resource logout or redirect response generator, redirect rule, redirect authentication challenge response generator, or redirect rejection handler. Learn more in:

Set response headers for OAuth errors

Improved PA-15764

Added the oauth.error.headers and oauth.error.header.Content-Security-Policy parameters to the Configuration file reference.

Fixed issues with query parameter behavior due to automatic URL encoding

Fixed PA-15696

Fixed an issue with automatically URL encoding target redirect URLs that sometimes disrupted query parameter sort order or added a trailing = to the end of single value query parameters. This issue affected redirect rules, redirect rejection handlers, redirect virtual resources, logout virtual resources, and redirect authentication challenge policy response generators.

Fixed potential infinite loop issue with PingAccess clusters

Fixed PA-15741

Fixed a potential infinite loop issue that could prevent an engine node or replica administrative node from applying configuration changes.

PingAccess 7.0.7 (March 2024)

Improved request header security

Security PA-15610

Fixed an issue with connection request header handling. Learn more in SECADV045.

Updated PingAccess client authentication logic

Improved PA-15229

Updated the PingAccess logic that determines which authentication method to use at runtime. This update prevents errors when Private Key JWT and Mutual TLS are the only client authentication methods that a token provider can support.

Fixed NullPointerException with the rewrite content rule

Fixed PA-15612

Fixed an issue that caused a NullPointerException error when the rewrite content rule was used on a resource that returned an empty chunked response body.

PingAccess 7.0.6 (September 2022)

Fixed potential deadlock issue

Fixed PA-14974

Added handling to recover from deadlocks encountered during configuration import and other asynchronous Admin API actions.

PingAccess 7.0.5 (August 2022)

Fixed potential memory leak

Fixed PA-14875

Fixed an exchange processing issue that could cause a memory leak.

Fixed security issue

Security PA-14772

Fixed a potential security issue with basic authentication.

PingAccess 7.0.4 (May 2022)

Improved CSD JVM memory usage

Improved PA-14580

Added a default memory limit on the CSD tool.

Fixed behavior of Body.toString() in the add-on SDK

Fixed PA-14751 PingAccess

Fixed handling of PingAccess add-on SDK function com.pingidentity.pa.sdk.http.Body#toString to maintain the same behavior as seen prior to 6.3.

Fixed runtime exception with custom load balancing strategies

Fixed PA-14645

Fixed an issue where custom load balancing strategies that returned custom TargetHosts would result in runtime exceptions.

Fixed handling of PingAuthorize non-ASCII characters

Fixed PA-14638

Fixed handling of non-ASCII characters in the request body of PingAuthorize rules.

Fixed handling of sideband API non-ASCII characters

Fixed PA-14640

Fixed handling of non-ASCII characters in sideband API request bodies.

PingAccess 7.0.3 (January 2022)

Log4j upgrade

Improved PA-14557

PingAccess upgraded to Log4j version 2.17.1.

Fixed runtime issue with non-FIPS HSM key pairs

Fixed PA-14414

Fixed an issue where PingAccess could not use non-FIPS HSM key pairs at runtime.

PingAccess 7.0.2 (December 2021)

Log4j Upgrade

Improved PA-14555

PingAccess upgraded to Log4j version 2.17.

PingAccess 7.0.1 (December 2021)

Log4j update

Security PA-14549

PingAccess upgraded to Log4j version 2.16.

PingAccess 7.0 (December 2021)

Added Logout virtual resource

New PA-14281

Added a new Logout response generator for virtual resources, enabling you to customize logout behavior for each application. See Adding application resources for more information.

CRL processing improvements

New PA-14227, PA-14410

PingAccess now supports trace-level logging to help troubleshoot certificate revocation issues and provides an option to bypass trust anchor validation. This helps improve interoperability with certificate authority (CA) infrastructure. See Creating trusted certificate groups for more information.

Added support for web session access token identity mappings

New PA-14412

PingAccess now supports creating web session access token identity mappings. This helps ease integration with existing APIs, in particular in the context of Single Page Applications (SPAs). See Creating web session access token identity mappings for more information.

Added support for reversed trust chain certificate validation

New PA-14422

PingAccess now supports validation for client certificate chains that are not in the standard order, such as a reversed certificate chain of [root, intermediate, leaf]. See Creating trusted certificate groups for more information.

Runtime state clustering no longer supported

Info PA-14435

PingAccess no longer supports runtime state clustering. Clustered environments that do not use runtime state clustering are not affected.

Fixed security issue

Security PA-14403

Fixed a potential security issue.

Fixed security issue

Security PA-14296

Fixed a potential security issue.

Fixed security issue

Security PA-14284

Fixed a potential security issue.

Fixed security issue

Security PA-14279

Fixed a potential security issue.

Fixed security issue

Security PA-14287

Fixed a potential security issue.

Fixed security issue

Security PA-14331

Fixed a potential security issue.

Fixed security issue

Security PA-14302

Fixed a potential security issue.

Fixed security issue

Security PA-14134

Fixed a potential security issue.

Fixed security issue

Security PA-14135

Fixed a potential security issue.

Fixed security issue

Security PA-14143

Fixed a potential security issue.

Fixed a typo affecting the upload of external scripts

Fixed PA-14542

Fixed a typo in the Content-Security-Policy header that prevented PingAccess from loading external scripts from HTML responses.

Fixed an issue that returned a 500 error code

Fixed PA-14541

Fixed an issue in the CRL client certificate authentication flow that returned a 500 error code when PingAccess is in FIPS mode.

UI displays alias of selected certificates

Fixed PA-14421

Updated the PingAccess UI to display the alias of the selected certificates in the Trusted Certificate Group List.

Expanded character limit on the primary administrative node host field

Fixed PA-14433

Fixed an issue that limited the host field for the Primary Administrative Node to 64 characters, instead of the standard 255 characters.

Added URL encoding for special characters

Fixed PA-14083

Added handling to URL encode client secrets with special characters per RFC 6749.

Fixed incorrect assumption that a revoked certificate is the first in the chain

Fixed PA-14445

Fixed an issue where, upon detecting a revoked certificate in a chain, PingAccess incorrectly assumed it was always the first certificate in the chain.

Fixed PA-14304

Fixed an issue that returned a 500 error when requesting key pairs endpoints with special characters in the chain certs field.

Fixed an issue that switched the admin and system token providers

Fixed PA-14467

Fixed an issue that caused key rolling to result in Admin Token Provider and System Token Provider being switched.

Fixed a typo causing warnings when running PingAccess as a Windows Service

Fixed PA-14477

Fixed a typo that could cause warnings when running PingAccess as a Windows Service.

Fixed non-ASCII character encoding issue

Fixed PA-14402

Fixed an issue that prevented PingAccess from encoding non-ASCII characters when they are in the domain only.

Fixed an error caused by omission of the response.body parameter

Fixed PA-14468

Fixed an issue that caused PingAccess to trigger an error when using the PingAuthorize Access Control rule and the target Sideband provider returns a response that omits the response.body parameter.

Fixed an issue with application initialization in the Admin UI

Fixed PA-14392

Fixed an issue that caused the PingAccess Admin UI to incorrectly initialize an application with the state of another application, leading to scenarios in which an administrator could mistakenly update one application with another application's data.

Fixed an issue preventing PEM key pair header warnings from being sent

Fixed PA-14314

Fixed an issue that prevented header warnings from being sent for PEM key pairs with a single duplicate chain certificate.

Added INFO level logging

Fixed PA-14258

Added INFO level logging at the start of configuration import.

Fixed invalid ACME request display issue

Fixed PA-14280

Fixed an issue that prevented an ACME request with an INVALID state and an empty problem description from displaying correctly.

Fixed sideband transport issue with fixed ports

Fixed PA-14290

Fixed an issue that caused the PingAccess Sideband transport to only use fixed ports when performing resource matching against incoming sideband API requests.

Fixed display issue with the Signing Algorithm drop-down list

Fixed PA-14238

Fixed an issue that caused disabled algorithms to appear on the Signing Algorithm drop-down list on the Auth Token Management page.

Fixed an issue with JWT SSO Admin Authentication

Fixed PA-14265

Fixed an issue that prevented the SSO Admin Authentication method in the PingAccess admin console from functioning in clustered PingAccess deployments when Private Key JSON Web Token (JWT) client authentication is used.

Fixed no scope claim issue with the PingAccess sideband API

Fixed PA-14029

Fixed an issue that caused PingAccess Sideband API to return an error when no scope claim is configured in the access token.

Fixed Sideband API 'Transfer-Encoding' issue

Fixed PA-14305

Fixed an issue where the 'Transfer-Encoding' request header was dropped from inbound PingAccess Sideband API request results.

Improved empty string error message

Fixed PA-14472

Improved error message when supplying an empty string to fields that expect a charset.

Hibernate deadlock errors

Issue PA-14985

There are a few potential scenarios in which the PingAccess data layer might encounter deadlocks. PingAccess should recover from these deadlocks, so Hibernate error logs can be ignored when they are followed by the log message "Recovered from database deadlock with transaction retry."

Cloud HSM limited in Java8u261

Issue PA-14414

Cloud HSM functionality works in FIPS mode but not in regular mode with Java 8u261 and later. RSASSA-PSS signing algorithms fail with Java 8u261 or later; HSM vendors and core Java use different naming conventions for the RSASSA-PSS algorithm. There is a documented workaround in Adding an AWS CloudHSM provider.

Kong API limitation

Issue PA-14466

Due to an outstanding defect in the Kong API Gateway, the ping-auth plugin currently does not support requests that utilize the Transfer-Encoding header. If PingAccess is used as the external authorization server, the Rewrite Content rule can prevent the page from displaying.

Zero downtime upgrade limitation

Issue PAPQ-1034

PingAccess 6.3 deployments that use the Sideband API feature cannot be upgraded using the zero downtime upgrade procedure. You must use a planned outage to upgrade such an environment.

SameSite cookie attribute defaults can change during upgrade

Issue

Depending on the source version, the upgrade process may change the default settings for the SameSite cookie attribute to make PingAccess cookies work on all browsers. Review the settings for each web session in Access → Web Sessions to verify that your SameSite cookie attribute values are set to None or Lax, depending on the third-party context needs for PingAccess cookies.

TLS 1.3 limitation

Issue STAGING-8707

PingAccess may have difficulty maintaining TLS 1.3 connections when using JDK 11.0.0, 11.0.1, or 11.0.2 because of a defect in those versions. This might cause upgrades to fail on systems using these versions.

Engine and Admin Replica connection issue

Issue PA-4888

Engines and admin replicas do not connect to the admin console if a combination of IP addresses and DNS names is used.

Token processor issue

Issue PA-6262

The token processor can't connect to a JWKS endpoint via Secure Sockets Layer (SSL) when an IP address is used rather than a hostname. To work around this issue, add the hostname as a subject alternative name on the key pair.

Virtual hosts with shared hostnames retention issue

Issue PA-11390

If you create multiple virtual hosts with a shared hostname and associate the hostname with a server key pair, the virtual hosts retain the connection with the server key pair even if they are subsequently renamed. The virtual host must be deleted and recreated to remove the association.

Risk-based authorization rule issue during upgrade

Issue PA-10505

Upgrades will fail with a risk-based authorization rule if a third-party service is not used in the rule.

Excessive log file warnings during startup

Issue

Log files may contain excessive warnings issued by Hibernate during startup.

Asynchronous front-channel logout issue

Issue PA-12647

Asynchronous front-channel logout might fail in some browsers depending on end-user settings. See https://support.pingidentity.com/s/article/Managing-Single-Log-Out-in-different-browsers for browser-specific workarounds.

UI failure when assigning new key pair

Issue PA-13500

If you assign a new key pair to the Admin HTTPS listener and the browser does not trust the new key pair, the UI can stop functioning. The workaround is to close the browser and re-open it so that all connections to the admin node use the new certificate.

Invalid special characters permitted in identity mappings

Issue PA-13214

Invalid special characters ( ) , / ; < = > ? @ [ \ ] { } " which are not permitted in an HTTP header field name, can be added to the Certificate to Header Mapping field in an identity mapping. Adding this identity mapping to an application causes 400 errors when the application is accessed.
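Until the field is validated in the product, the check below is an added example (not PingAccess code) of what an administrator or an automation script can run over a planned identity mapping before applying it. HTTP header field names are RFC 7230 tokens, which exclude the delimiters listed above and whitespace; the mapping and header names are constructed for the example.

```python
"""Added example, not PingAccess code: validate HTTP header field names before
accepting them in a certificate-to-header mapping. RFC 7230 section 3.2.6
defines a field name as a token and excludes the delimiters "(),/:;<=>?@[\\]{}
and whitespace from it."""
import re

# tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / "^" / "_"
#       / "`" / "|" / "~" / DIGIT / ALPHA
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
HEADER_NAME_DELIMITERS = '"(),/:;<=>?@[\\]{}'


def is_valid_header_name(name: str) -> bool:
    """True when ``name`` is a non-empty RFC 7230 token."""
    return _TOKEN_RE.fullmatch(name) is not None


def invalid_header_name_chars(name: str) -> list:
    """Return the distinct offending characters, in order of first appearance."""
    seen = []
    for ch in name:
        if _TOKEN_RE.fullmatch(ch) is None and ch not in seen:
            seen.append(ch)
    return seen


def validate_header_mapping(mapping: dict) -> list:
    """Check every target header name in an {attribute: header_name} mapping.

    Returns a list of error strings; an empty list means the mapping is safe to
    apply. Rejecting at configuration time avoids a backend that answers 400 to
    the malformed field line later.
    """
    errors = []
    for attribute, header in mapping.items():
        if not header:
            errors.append(f"{attribute!r}: header name is empty")
            continue
        bad = invalid_header_name_chars(header)
        if bad:
            errors.append(f"{attribute!r}: header name {header!r} contains {''.join(bad)!r}")
    return errors


if __name__ == "__main__":
    # Constructed mapping of certificate attributes to the headers that carry them.
    planned = {"subjectDN": "X-Client-DN", "issuerDN": "X-Issuer:DN", "serial": "X-Serial(hex)"}
    for problem in validate_header_mapping(planned):
        print("reject:", problem)
```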

Slow restarts in FIPS mode

Issue PA-14239

If PingAccess is repeatedly stopped and restarted in FIPS mode, subsequent restarts can take up to 5 minutes to complete. The workaround is to use a tool such as rng-tools to refresh /dev/random and make more entropy available faster. For example:

sudo yum install rng-tools
sudo rngd -b

Firefox limitation for time range rules

Issue

Firefox does not correctly support the HTML5 time tag. When using the Time Range rule, enter time in 24-hour format.

Spurious errors when installing PingAccess as a Windows service

Issue

When installing PingAccess as a Windows service using Windows PowerShell and Java 8, the error message "Could not find or load main class" can be safely ignored.

Request preservation not supported with Safari private browsing

Issue PA-2896

Request Preservation is not supported with Safari Private Browsing.

IPv6 limitation

Issue PA-1894

PingAccess handles IPv6 literals in the Host header incorrectly. Note that IPv6 is not currently supported.
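As an added example (not PingAccess code) of the parsing this limitation concerns: a Host header carrying an IPv6 address is only unambiguous when the address is bracketed as an IP-literal per RFC 3986 section 3.2.2, because a parser that splits host from port on a colon will otherwise take part of the address as the port. The function below accepts bracketed literals, rejects bare ones, and validates the port; the sample header values are constructed.

```python
"""Added example, not PingAccess code: parse an HTTP Host header value
(RFC 7230 section 5.4), where an IPv6 address must appear as a bracketed
IP-literal such as "[2001:db8::1]:8443"."""
from __future__ import annotations

import ipaddress
import re
from typing import Optional, Tuple

# reg-name / IPv4address characters permitted outside brackets (RFC 3986):
# unreserved / pct-encoded / sub-delims
_REG_NAME_RE = re.compile(r"(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})+")


def parse_host_header(value: str) -> Tuple[str, Optional[int]]:
    """Return (host, port). IPv6 hosts keep their brackets so the result can be
    compared verbatim against a virtual-host definition or re-emitted."""
    value = value.strip()
    if not value:
        raise ValueError("empty Host header")
    if value.startswith("["):
        end = value.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        literal = value[1:end]
        try:
            ipaddress.IPv6Address(literal)  # rejects e.g. "[example.com]"
        except ValueError as exc:
            raise ValueError(f"invalid IPv6 literal {literal!r}") from exc
        host, rest = f"[{literal}]", value[end + 1:]
    else:
        if value.count(":") > 1:
            raise ValueError("IPv6 address must be enclosed in brackets")
        host, sep, port_text = value.partition(":")
        if not _REG_NAME_RE.fullmatch(host):
            raise ValueError(f"invalid host {host!r}")
        rest = sep + port_text
    port: Optional[int] = None
    if rest:
        if not rest.startswith(":"):
            raise ValueError("unexpected characters after host")
        port_text = rest[1:]
        if port_text:  # RFC 7230 allows an empty port after the colon
            if not (port_text.isascii() and port_text.isdigit()) or int(port_text) > 65535:
                raise ValueError(f"invalid port {port_text!r}")
            port = int(port_text)
    return host, port


def host_header_error(value: str) -> Optional[str]:
    """The error message for a malformed Host header, or None when it parses."""
    try:
        parse_host_header(value)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed samples: valid reg-name, IPv4, bracketed IPv6, and the ambiguous bare form.
    for sample in ("www.example.com:8443", "192.0.2.10", "[2001:db8::1]:8443", "2001:db8::1:8443"):
        print(repr(sample), "->", host_header_error(sample) or parse_host_header(sample))
```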

Spurious warning after upgrade or startup on Windows

Issue PA-14907

After starting PingAccess for the first time on a Windows system or upgrading PingAccess on a Windows system, a warning message is logged reporting that the pa.jwk file was not made non-executable. This message can be ignored.