PingAccess

PingAccess 7.1 (June 2022)

Automatic Engine Registration

New PA-14730

A new capability lets you configure and download an engine node registration file from the PingAccess UI. You can put this file on an engine node when it is first started to automatically register the engine node. For more information, see Configuring engine nodes using an auto-registration file.

Added capability for forced reauthorization

New PA-14737

Authentication requirements rules now include an option for maximum age. If the user has not authenticated within the specified timeframe, they are prompted to reauthenticate. For more information, see Adding an authentication requirements rule.

Kong API Gateway Integration

New PA-14418

Ping Identity provides a plugin for Kong Gateway that enables PingAccess (and other Ping Identity products) to be used for policy decisions. For more information, see Kong API Gateway Integration.

IWA Integration

New PA-14588

PingAccess, when protecting applications as a gateway, adds support for protecting applications that rely on Integrated Windows Authentication (IWA). This gives IAM teams consistent, centralized access control and visibility for IWA-based applications, similar to their WAM-based applications (PingAccess does not mediate authentication methods for IWA-based applications. Authentication is negotiated between the browser and the IWA-based application, passing through PingAccess). For more information, see IWA Integration.

Added SPA Support Disabled Authentication Challenge Policy

New PA-14567

A new SPA Support Disabled Authentication Challenge Policy (ACP) has been added that behaves the same as previously seen when Applications were set with SPA Support disabled. Additionally, added an ability to define a default ACP to be set when creating new applications in the PingAccess administrative UI. For more information, see changes to Application field descriptions and System defaults, and Configuring authentication challenge policies.

Added Content-Security-Policy headers

New PA-14597

The PingAccess Runtime Authentication Challenge Policy behavior is modified to incorporate a default CSP header in the response. Additionally, default content-security-policy headers have been added for various error responses generated by PingAccess. For more information, see changes to Configuration file reference.

Added support for PingFederate administrative APIs using OAuth authentication

New PA-14562

PingAccess can authenticate to PingFederate administrative APIs using OAuth2 by sending a bearer token in the requests PingAccess makes to the PingFederate administrative API. For more information, see Configuring PingFederate administration.

Fixed security issue

Security PA-14772

Fixed a potential security issue with basic authentication.

Fixed potential security issue

Security PA-14579

Fixed a potential security issue.

Fixed potential security issue

Security PA-14310

Fixed a potential security issue.

Fixed potential security issue

Security PA-14573

Fixed a potential security issue.

Fixed potential security issue

Security PA-14772

Fixed a potential security issue.

Updated Log4j to 2.17.1

Improved PA-14557

PingAccess upgraded to Log4j version 2.17.1.

Improved CSD tool

Improved PA-14580

Added a default memory limit on the CSD tool.

Fixed certificate ID issue

Fixed PA-14775

Fixed an issue that restricted the available certificate IDs for agents, engines, and replica administrative nodes.

Fixed authentication requirements issue

Fixed PA-14771

Fixed an issue that prevented an authentication requirements list from correctly displaying the related authentication requirements rule after an attempt to edit it.

Fixed non-FIPS HSM key pair issue

Fixed PA-14414

Fixed an issue where PingAccess could not use non-FIPS HSM key pairs at runtime.

Fixed DB password issue

Fixed PA-14570

Resolved an issue by disabling the DB password check in Derby.

Fixed PA-12652

Fixed an issue where nonce cookies were not removed when SLO is not enabled.

Fixed API swagger issue

Fixed PA-14634

Fixed an issue with API swagger where the GET Response Class Models and Operational Models did not reflect the actual response.

Fixed custom load balancing issue

Fixed PA-14645

Fixed an issue where custom load balancing strategies that returned custom TargetHosts would result in runtime exceptions.

Fixed error header issue

Fixed PA-14606

Fixed an issue where the rule.error.headers additional headers did not display from policy rule results.

Java 17 limitation

Issue PA-14863

BC-FIPS and HSMs are not supported when using Java 17.

Certificate revocation list memory issue

Issue PA-14621

If a client certificate has a certificate revocation list (CRL) DistributionPoint that points to an extremely large CRL, PingAccess might suffer from high memory usage leading to Out of memory (OOM) exceptions.