---
title: PingAccess 7.2 (December 2022)
description: New PA-14884
component: pingaccess
version: 7.3
page_id: pingaccess:release_notes:pa_72_december_2022
canonical_url: https://docs.pingidentity.com/pingaccess/7.3/release_notes/pa_72_december_2022.html
revdate: June 14, 2023
section_ids:
  adjust-web-session-timeouts-based-on-specific-user-attributes: Adjust web session timeouts based on specific user attributes
  access-reserved-resources-from-an-applications-context-root: Access reserved resources from an application's context root
  establish-web-sessions-in-microsoft-office-products: Establish web sessions in Microsoft Office products
  include-requested-resource-url-in-additional-authentication-challenge-responses: Include requested resource URL in additional authentication challenge responses
  provide-user-feedback-on-authentication-challenge-reason-for-expired-sessions: Provide user feedback on authentication challenge reason for expired sessions
  configure-prompt-parameter-in-oidc-authentication-requests: Configure prompt parameter in OIDC authentication requests
  create-pingone-protect-policies-through-the-pingaccess-administrative-api: Create PingOne Protect policies through the PingAccess administrative API
  stale-engine-node-deletion: Stale engine node deletion
  removed-extraneous-algorithm-to-improve-replication-times: Removed extraneous algorithm to improve replication times
  improved-apache-derby-replication-times-regarding-slow-database-queries: Improved Apache Derby replication times regarding slow database queries
  fixed-replication-of-rules-and-rulesets-configured-on-a-proxied-version-of-pingfederate: Fixed replication of rules and rulesets configured on a proxied version of PingFederate
  fixed-sample-plugins-failing-to-build-with-maven-3-8-1: Fixed sample plugins failing to build with Maven 3.8.1+
  fixed-population-of-original-resource-ids-in-upgrade-audit-logs: Fixed population of original resource IDs in upgrade audit logs
  fixed-pingaccess-nonce-set-cookie-interaction-with-blackberry-sdk: Fixed PingAccess nonce "set-cookie" interaction with Blackberry SDK
  fixed-identity-mapping-exclusion-list-issue: Fixed identity mapping exclusion list issue
  fixed-identity-mapping-for-unprotected-api-applications: Fixed identity mapping for unprotected API applications
  fixed-sign-on-failure-issue: Fixed sign on failure issue
  fixed-engine-status-field-descriptions: Fixed engine status field descriptions
  fixed-potential-deadlock-issue: Fixed potential deadlock issue
---

# PingAccess 7.2 (December 2022)

## Adjust web session timeouts based on specific user attributes

New PA-14884

Added a new advanced setting, the **Timeout Groovy Script** field, to the **Web Sessions** page. With this feature, you can attach a Groovy script to a web session to overwrite its default **Max Timeout** and **Idle Timeout** values based on specific user attributes returned by the token provider. For more information and an example script, see [Creating web sessions](../pingaccess_user_interface_reference_guide/pa_creating_web_sessions.html).

## Access reserved resources from an application's context root

New PA-14876

Added a new advanced setting, **Use context root as reserved resource base path**, to the **Applications** page. Selecting this check box prepends the specified application's *\<context root>* before the globally-defined *\<reserved application context root>* in the file path to reserved resources and runtime API endpoints, making access to these resources more flexible. For more information and examples, see [Application field descriptions](../pingaccess_user_interface_reference_guide/pa_application_field_descriptions.html).

## Establish web sessions in Microsoft Office products

New PA-14900

Added a new out-of-the-box authentication challenge policy which enables you to open Microsoft Office applications in an in-app browser that redirects to the OpenID Provider (OP) for authentication. See [Authentication](../pingaccess_user_interface_reference_guide/pa_authentication.html) for more information on system-provided policies and [Configuring authentication challenge policies](../pingaccess_user_interface_reference_guide/pa_configuring_authn_challenge_policies.html) for more information on how to use the **MS-OFBA** challenge response mapping and the **MS-OFBA Authentication Request Redirect** challenge response generator to address edge-case scenarios regarding MS-OFBA support.

## Include requested resource URL in additional authentication challenge responses

New PA-14988

Added additional parameters to the **Redirect Challenge** and **Templated Challenge** response generators. They can now store the URL of the resource a user was trying to access before they were redirected to authenticate, as well as the authentication API parameters necessary for the user to access that resource. This feature aids in the creation of your own user sign-on experience, but some additional coding is required. For more information, see [Authentication challenge response generator descriptions](../pingaccess_user_interface_reference_guide/pa_acr_generator_descriptions.html) and [Configuring authentication challenge policies](../pingaccess_user_interface_reference_guide/pa_configuring_authn_challenge_policies.html).

## Provide user feedback on authentication challenge reason for expired sessions

New PA-15010

Added feedback keys to the **OIDC Authentication Request Redirect**, **Redirect Challenge**, and **Templated Challenge** response generators. When a user is redirected to an authentication source by one of these authentication challenge response generators, PingAccess sends the feedback key to the authentication source to let it know that the user was directed there because their session expired. The authentication source can then configure and display a user-facing message to let the user know why they were redirected.

To enable PingAccess to send feedback to the authentication source, you must select the **Provide Authentication Feedback** check box on the web session you intend to use. For more information, see [Configuring authentication challenge policies](../pingaccess_user_interface_reference_guide/pa_configuring_authn_challenge_policies.html) and [Creating web sessions](../pingaccess_user_interface_reference_guide/pa_creating_web_sessions.html).

## Configure prompt parameter in OIDC authentication requests

New PA-14999

Added a prompt parameter to the following authentication challenge response generators:

* Browser-handled OIDC Authentication Request

* HTML OIDC Authentication Request

* MS\_OFBA Authentication Request Redirect

* OIDC Authentication Request Redirect

* PingFederate Authentication API Challenge

The prompt parameter can be used to confirm that the end-user is still present for the current session, or to draw attention to the authentication request. For more information, see [Configuring authentication challenge policies](../pingaccess_user_interface_reference_guide/pa_configuring_authn_challenge_policies.html). You can also configure the prompt parameter on a web session, but a prompt parameter specified on a challenge response generator takes precedence. For more information, see [Creating web sessions](../pingaccess_user_interface_reference_guide/pa_creating_web_sessions.html).

Additionally, PingAccess can now send pushed authorization requests (PAR) to provide an additional layer of security to requests if PingFederate is configured as the token provider. For more information, see **Enable Push Authorization** in [Creating web sessions](../pingaccess_user_interface_reference_guide/pa_creating_web_sessions.html).

## Create PingOne Protect policies through the PingAccess administrative API

New PA-14987

Added two new admin API endpoints, `/pingone/connections` and `/risk/policies`. Administrators can integrate PingOne Protect evaluations into PingAccess through the `/pingone/connections` endpoint. With the `/risk/policies` endpoint, administrators can create risk policies to dynamically monitor end-user requests and invoke specific access control or authentication challenge policies set by the administrator based on the PingOne Protect score that the user's activity generates. For more information, see [PingOne Protect integration](../agents_and_integrations/pa_p1risk_policy_eval_integration.html).

## Stale engine node deletion

New PA-14867

You can configure administrative nodes to automatically remove stale engine node entities. For more information, see [Configuring administrative nodes](../pingaccess_user_interface_reference_guide/pa_configuring_admin_nodes.html).

## Removed extraneous algorithm to improve replication times

Improved PA-15032

Consolidated an algorithm that assisted in calculating invalidation timestamps for agent resources to improve performance speed.

## Improved Apache Derby replication times regarding slow database queries

Improved PA-15027

Resource database queries were performing slowly in Apache Derby when run at scale. The query used with the resource table has been changed to improve the speed of policy data collection.

## Fixed replication of rules and rulesets configured on a proxied version of PingFederate

Fixed PA-15136

Because of a misclassification by an optimization that tries to prevent rules and rulesets from being replicated to the engine if they are not in use, PingAccess wasn't replicating rules and rulesets assigned to a proxied PingFederate configuration unless they were also assigned to other applications or resources. Rules and rulesets assigned to a proxied PingFederate configuration are now classified correctly.

## Fixed sample plugins failing to build with Maven 3.8.1+

Fixed PA-114997 PingAccess

Maven 3.8.1 and later are configured to block HTTP repositories by default. The PingAccess Add-on SDK for Java shipped with sample plugins that were failing to build because they contained references to an HTTP repository. PingAccess now ships with pom files in its sample plugins that reference HTTPS repositories instead.
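To find the same problem in your own plugin projects before a build fails, the following added example (not code from PingAccess or its SDK) scans a POM for repository declarations that still use `http://`. The sample POM is constructed, and the function names are illustrative. Skipping localhost URLs is based on the assumption that Maven's default blocker only targets external HTTP repositories.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Element names whose <url> child names a repository Maven will contact.
REPO_TAGS = {"repository", "pluginRepository", "snapshotRepository"}
# Assumption: Maven's default HTTP blocker exempts repositories on the local host.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on POM element names."""
    return tag.rsplit("}", 1)[-1]


def find_http_repositories(pom_text):
    """Return (id, url) for each repository declared with a non-local http:// URL."""
    findings = []
    for elem in ET.fromstring(pom_text).iter():
        if local_name(elem.tag) not in REPO_TAGS:
            continue
        fields = {local_name(c.tag): (c.text or "").strip() for c in elem}
        parts = urlsplit(fields.get("url", ""))
        if parts.scheme.lower() == "http" and parts.hostname not in LOCAL_HOSTS:
            findings.append((fields.get("id", "<no id>"), fields["url"]))
    return findings


# Constructed sample POM (not taken from the PingAccess Add-on SDK).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>sample-plugin</artifactId>
  <version>1.0</version>
  <repositories>
    <repository><id>legacy</id><url>http://repo.example.com/maven2</url></repository>
    <repository><id>secure</id><url>https://repo.example.com/maven2</url></repository>
    <repository><id>dev</id><url>http://localhost:8081/repo</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>plugins</id><url>HTTP://plugins.example.com/</url></pluginRepository>
  </pluginRepositories>
</project>"""

if __name__ == "__main__":
    for repo_id, url in find_http_repositories(SAMPLE_POM):
        print(f"{repo_id}: {url} (plain HTTP; switch to https)")
```
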

## Fixed population of original resource IDs in upgrade audit logs

Fixed PA-14998

The upgrade audit log is used to review entity migration after you've upgraded PingAccess to a new version. Original resource IDs within the upgrade audit log were incorrectly displaying a value of zero instead of their real values. This issue has been fixed.

## Fixed PingAccess nonce "set-cookie" interaction with Blackberry SDK

Fixed PA-14891

Case sensitivity was causing the Blackberry SDK to remove the cookie set by the PingAccess nonce, because the header was formerly written as "set-cookie". `Set-Cookie` now uses title-case capitalization to ensure that the cookie is set properly.

## Fixed identity mapping exclusion list issue

Fixed PA-14908

Fixed an issue that prevented an identity mapping from being saved through the API if the exclusion list attributes were null.

## Fixed identity mapping for unprotected API applications

Fixed PA-14899

Fixed an issue that prevented identity mappings from being assigned to unprotected API applications.

## Fixed sign on failure issue

Fixed PA-14897

Fixed an issue that sometimes caused UI lockout after multiple failed sign on attempts.

## Fixed engine status field descriptions

Fixed PA-14885

Added descriptions of the fields for the `GET /engines/status` endpoint.

## Fixed potential deadlock issue

Fixed PA-14974

Added handling to recover from deadlocks encountered during configuration import and other asynchronous Admin API actions.
