--- title: PingAccess 7.3 (June 2023) description: Info component: pingaccess version: 7.3 page_id: pingaccess:release_notes:pa_73_rn_2023 canonical_url: https://docs.pingidentity.com/pingaccess/7.3/release_notes/pa_73_rn_2023.html llms_txt: https://docs.pingidentity.com/pingaccess/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: May 8, 2024 section_ids: upgrading-from-pingaccess-6-2-or-below-to-the-latest-version-will-require-two-steps-as-of-pingaccess-8-0: Upgrading from PingAccess 6.2 or below to the latest version will require two steps as of PingAccess 8.0 added-support-for-ibm-http-server-running-on-rhel-8-or-9: Added support for IBM HTTP Server running on RHEL 8 or 9 added-ui-controls-for-risk-policy-configuration: Added UI controls for risk policy configuration adjust-log-levels-through-the-administrative-console-or-api: Adjust log levels through the administrative console or API apply-pingauthorize-rules-on-web-applications: Apply PingAuthorize rules on web applications upgraded-aws-cloudhsm-client-sdk-3-x-to-5-x: Upgraded AWS CloudHSM Client SDK 3.x to 5.x track-id_token-or-include-the-id_token_hint-parameter-in-slo-calls: Track id_token or include the id_token_hint parameter in SLO calls use-a-saml-token-mediator-to-perform-token-mediation: Use a SAML Token Mediator to perform token mediation use-environment-variables-to-simplify-container-management: Use environment variables to simplify container management connect-engine-nodes-to-a-more-recently-upgraded-administrative-node: Connect engine nodes to a more recently upgraded administrative node self-register-a-replacement-engine-if-an-existing-engine-isnt-running: Self-register a replacement engine if an existing engine isn't running use-additional-matching-strategies-on-web-session-attribute-rules: Use additional matching strategies on web session attribute rules upgraded-admin-api-documentation-to-use-oas-2-0: Upgraded admin API documentation to use OAS 2.0 expanded-verbose-logging-categories: Expanded verbose logging categories updated-pingaccess-client-authentication-logic: Updated PingAccess client authentication logic added-an-option-for-access-token-validators-to-skip-audience-validation: Added an option for access token validators to skip audience validation improved-windows-request-processing-speed: Improved Windows request processing speed pingone-risk-policy-integration-maps-user-agent-header-manually: PingOne risk policy integration maps user-agent header manually redirect-and-templated-authentication-challenges-now-set-pingaccess-cookies: Redirect and templated authentication challenges now set PingAccess cookies improved-vague-error-response-message-when-pingone-credential-is-blank-or-null: Improved vague error response message when PingOne Credential is blank or null adjusted-agent-token-cache-ttls-to-reflect-risk-policy-evaluation-intervals: Adjusted agent token cache TTLs to reflect risk policy evaluation intervals fixed-default-removal-of-active-session-state-cookies-from-requests: Fixed default removal of active session state cookies from requests corrected-cpu-load-return-message-when-load-is-0: Corrected CPU load return message when load is 0 fixed-upgrade-utility-issue-when-default-system-encoding-isnt-utf-8: Fixed upgrade utility issue when default system encoding isn't UTF-8 fixed-an-issue-that-intermittently-slowed-api-response-time: Fixed an issue that intermittently slowed API response time fixed-a-potential-security-vulnerability: Fixed a potential security vulnerability console-log-settings-page-doesnt-immediately-reflect-changes-made-in-the-api: Console Log Settings page doesn't immediately reflect changes made in the API --- # PingAccess 7.3 (June 2023) ## Upgrading from PingAccess 6.2 or below to the latest version will require two steps as of PingAccess 8.0 Info Beginning with the PingAccess 8.0 release in December 2023, upgrades to the latest release directly from PingAccess 6.2 and below won't be possible. You'll need to upgrade to a version of PingAccess between 6.3 and 7.3 first, and then upgrade to the latest version of PingAccess. ## Added support for IBM HTTP Server running on RHEL 8 or 9 New Added support for IBM HTTP Server 9.0 running on RHEL 8 or 9 to the PingAccess agent for Apache (RHEL). For more information, see: * [RHEL agent system requirements](../agents_and_integrations/pa_agent_for_apache_rhel_system_reqs.html) * [Installing on an IBM HTTP Server using Apache 2.4](../agents_and_integrations/pa_manually_installing_on_an_ibm_http_server.html) ## Added UI controls for risk policy configuration New PA-15152 Added two new pages in the administrative console, **PingOne Connections** and **Risk Policies**, as well as new configuration options on the **Application** and **Application Resource** tabs. These UI controls simplify the process of setting up a [PingOne Protect integration](../agents_and_integrations/pa_p1risk_policy_eval_integration.html). For more information, see the following topics: * For more information on how to establish a connection between PingOne Protect and PingAccess, see [PingOne connections](../pingaccess_user_interface_reference_guide/pa_p1_connection_overview.html). * For more information on how to create a risk policy, see [Risk policies](../pingaccess_user_interface_reference_guide/pa_risk_policies_overview.html). * For more information on how to assign a risk policy to a specific application or application resource, see the **Application Type** table entry in [Application field descriptions](../pingaccess_user_interface_reference_guide/pa_application_field_descriptions.html) or step 11 of [Adding application resources](../pingaccess_user_interface_reference_guide/pa_adding_application_resources.html). ## Adjust log levels through the administrative console or API New PA-15160 Added a `log4j-categories.xml` file which defines and allows references to PingAccess-specific logging categories. This enables you to adjust log levels through the administrative console or API as opposed to directly within the `log4j2.xml` file. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------- | | | If you have customized your `log4j2.xml` file, you must merge it with the `log4j-categories.xml` file to be able to reference the new categories. | To adjust log levels in the administrative console, use the new **Log Settings** page to enable **Verbose** logging on a per category basis. In the administrative API, enable verbose logging through the new `/logSettings` endpoint. For more information on log levels and how to adjust them, see [Log settings](../pingaccess_user_interface_reference_guide/pa_log_settings.html). ## Apply PingAuthorize rules on web applications New PA-15161 Previously, two PingAccess rule types, the PingAuthorize access control rule and the PingAuthorize response filtering rule, could only be applied on API applications. You can now apply either rule type on a web application, Web + API application, or a specific web application resource through the PingAccess administrative console or administrative API. This enables you to apply rules configured in PingAuthorize to inbound web requests and outbound web responses in PingAccess. * For more information on applying PingAuthorize rules to inbound web requests, see [Adding PingAuthorize access control rules](../pingaccess_user_interface_reference_guide/pa_adding_pingauth_access_control_rules.html). * For more information on applying PingAuthorize rules to outbound web responses, see [Adding PingAuthorize response filtering rules](../pingaccess_user_interface_reference_guide/pa_adding_pingauthz_response_filtering_rules.html). * For more information on how to add rules to applications or specific application resources, see [Applying rules to applications and resources](../pingaccess_user_interface_reference_guide/pa_applying_rules_to_apps_and_resources.html). ## Upgraded AWS CloudHSM Client SDK 3.x to 5.x New PA-15182 Removed support for AWS CloudHSM Client SDK 3, which was limited to usage with Java 8 and Linux. Added support for AWS CloudHSM Client SDK 5, which is usable with Java 8 or Java 11, and can be deployed on Linux or Windows. However, Client SDK 5 also introduces an issue with elliptic curve key pairs which prevents them from being assigned to PingAccess listeners. For more information on Client SDK 5, see [Adding an AWS CloudHSM provider](../pingaccess_user_interface_reference_guide/pa_adding_an_aws_cloudhsm_provider.html) and [Upgrade considerations](../upgrading_pingaccess/pa_upgrade_considerations.html). ## Track id\_token or include the id\_token\_hint parameter in SLO calls New PA-15207 Added a new configuration option for common token providers and a new configuration option for administrative console UI SSO authentication: * Select the **Track id\_token** check box to track the `id_token` that the authorization server provides after authentication. For more information, see [Configuring OpenID Connect token providers](../pingaccess_user_interface_reference_guide/pa_configuring_oidc.html). | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You must select **Track id\_token** to use the `id_token` attribute when [Creating header identity mappings](../pingaccess_user_interface_reference_guide/pa_creating_header_identity_mappings.html). | * The **Include id\_token\_hint in SLO** check box lets administrators choose whether to send an `id_token_hint` in PingAccess's single logout (SLO) request to the token provider. This extends PingAccess's compatibility with token providers that require this parameter for SLO, such as Okta. For more information, see [Configuring admin UI SSO authentication](../pingaccess_user_interface_reference_guide/pa_configuring_admin_ui_sso_authn_task.html). | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Selecting either of these options increases the size of the PingAccess cookie. For more information on other settings you can adjust to balance this out, see [Minimizing the PingAccess cookie size](../troubleshooting/pa_minimizing_the_pa_cookie_size.html). | ## Use a SAML Token Mediator to perform token mediation New PA-15222 Added a new type of authentication to the **Site Authenticator** list in the administrative console, **SAML Token Mediator**. This authentication type enables PingAccess to perform token mediation with PingFederate to get a SAML 1.1 or SAML 2.0 assertion, providing greater flexibility in the types of security tokens that you can use. For more information, see [Adding site authenticators](../pingaccess_user_interface_reference_guide/pa_adding_site_authenticators.html) and [SAML token mediator site authenticators](../pingaccess_user_interface_reference_guide/pa_saml_token_mediator_site_authn.html). ## Use environment variables to simplify container management New PA-15223 Simplify container management by using environment variables to override the values of PingAccess configuration properties instead of directly editing each property in its respective `.properties` file. | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | * You can only override the value of a property defined in one of the property files from the `/conf` directory. * If you're running PingAccess in a clustered deployment, you must apply environment variable changes to each cluster node individually. | For more information, see [Use environment variables to override configuration settings](../configuring_and_customizing_pingaccess/pa_environment_variables_config_override.html). ## Connect engine nodes to a more recently upgraded administrative node New PA-15226 Engine nodes and the replica administrative node running PingAccess 7.3 or later can now connect with an administrative node that's running a later version of PingAccess. This change: * Reduces the possibility for outages caused by outdated information. * Improves stability for containerized deployments. * Reduces log error messages. * Improves the process of upgrading to future versions of PingAccess. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Currently, only nodes from PingAccess 7.3 or later can replicate data that's relevant to the version they're running.The ability to replicate version-relevant data does not remove any steps from the upgrade or zero-downtime upgrade process. You should still finish upgrading all of an environment's nodes before making configuration changes. | Learn more in [Upgrade considerations](../upgrading_pingaccess/pa_upgrade_considerations.html). ## Self-register a replacement engine if an existing engine isn't running New PA-15252 Added a new cluster configuration setting to the `run.properties` file, `engine.polling.test.delay`. This property provides more handling flexibility if an engine can't connect to the administrative node. If a previously existing engine isn't running, a replacement PingAccess engine that's created with the same name can now self-register. The replacement engine also updates its configuration to match the configuration from the most recent registration JWT. Control whether a replacement engine will self-register when this condition is met with the `engine.polling.test.delay` property. Set this value below zero if you don't want engines to self-register, and set it equal to or higher than the `engine.polling.delay` value to increase flexibility in determining whether an previously existing engine is running. You can find more information in [Configuration file reference](../reference_guides/pa_config_file_ref.html). ## Use additional matching strategies on web session attribute rules New PA-15253 Added a new selector to web session attribute rules, **Matching Strategy**. To change how PingAccess evaluates attributes, select an option from this list. By default, PingAccess uses a **Case-Sensitive** matching strategy. Evaluate attributes with a **Case-Insensitive** or **DN Matching** strategy to make changes at the attribute source that are semantically equivalent for the source context without having to modify your PingAccess configuration. This reduces the possibility of outages caused by case-sensitivity differences in policy evaluation. You can find more information in [Web session attribute rule](../pingaccess_user_interface_reference_guide/pa_adding_web_session_attribute_rules.html). ## Upgraded admin API documentation to use OAS 2.0 Improved PA-14633 In PingAccess 7.3, the Swagger-UI component that displays the PingAccess admin API documentation was upgraded to remove outdated dependencies. The Swagger-UI component now uses OpenAPI specification (OAS) 2.0. For more information, see [Administrative API endpoints](../reference_guides/pa_admin_api_endpoints.html). | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | The specification that the PingAccess admin API docs used previously, Swagger 1.2, has been deprecated. The Swagger 1.2 specification is still available at https\://*\*:*\*/pa-admin-api/v3/api-docs/pa/api-docs.json, but might be removed from future versions of PingAccess. | ## Expanded verbose logging categories Improved PA-15195 Added two new log categories to the **Log Settings** page in the administrative console, **Core** and **Cluster Replication**. For more information on these categories, see [Log level category descriptions](../pingaccess_user_interface_reference_guide/pa_log_level_category_descriptions.html). ## Updated PingAccess client authentication logic Improved PA-15229 Updated the PingAccess logic that determines which authentication method to use at runtime. This update prevents errors when Private Key JWT and Mutual TLS are the only client authentication methods that a token provider can support. ## Added an option for access token validators to skip audience validation Improved PA-15249 Added a **Skip Audience Validation** check box to the **Access Token Validator** page in the administrative console. If this option is selected, an access token validator doesn't attempt to validate access tokens for audience claims. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | You must select this option if you don't plan to configure an audience value. For more information, see [Adding access token validators](../pingaccess_user_interface_reference_guide/pa_adding_access_token_validators.html). | ## Improved Windows request processing speed Fixed PA-14729 A setting in the upgrade utility and `PingAccess Service/conf` directory, `Djava.security.egd=file:/dev/./urandom`, was slowing request processing. This setting is specific to Unix environments, so it was removed from `Windows script/conf` files in PingAccess. ## PingOne risk policy integration maps user-agent header manually Fixed PA-15153 PingAccess wasn't sending the `browser.userAgent` parameter to PingOne Protect because PingAccess doesn't currently support device profiling (which would normally collect this parameter). In the absence of device profiling, PingAccess now attempts to map this parameter manually and send it to PingOne Protect. ## Redirect and templated authentication challenges now set PingAccess cookies Fixed PA-15154 PingAccess now proactively sets web session cookies for **Redirect** and **Templated** authentication challenges when you select the **[Append Redirect Parameters](../pingaccess_user_interface_reference_guide/pa_acr_generator_descriptions.html)** check box on one of those two challenge generators. Adding web session cookies helps the frontend application to interpret redirect or templated challenge responses and begin the appropriate authentication procedure. ## Improved vague error response message when PingOne Credential is blank or null Fixed PA-15165 The response message PingAccess returns for errors generated when an administrator adds or updates a PingOne connection has been improved to specify that the credential must not be null, empty, or blank. ## Adjusted agent token cache TTLs to reflect risk policy evaluation intervals Fixed PA-15166 Corrected an issue with token cache time to lives (TTLs) on agent applications that use the [PingOne Protect integration](../agents_and_integrations/pa_p1risk_policy_eval_integration.html). The agent token cache TTLs no longer prioritize an application's [web session](../pingaccess_user_interface_reference_guide/pa_creating_web_sessions.html) **Idle Timeout** over the **Risk Check Interval** or **Authentication Validity Period** defined in the application's [risk policy](../pingaccess_user_interface_reference_guide/pa_risk_policies_overview.html). ## Fixed default removal of active session state cookies from requests Fixed PA-15167 Corrected an issue where PingAccess would remove active session state cookies from requests by default. If a component relies on the session state cookie, its absence can cause unexpected behavior, so PingAccess now removes session state cookies conditionally. ## Corrected CPU load return message when load is 0 Fixed PA-15185 Previously, PingAccess would return a response of `N/A` when CPU load is unavailable or detected to have a value of zero. PingAccess now provides a response of `0` instead. ## Fixed upgrade utility issue when default system encoding isn't UTF-8 Fixed PA-15240 Formerly, running the upgrade utility on a system that uses non-UTF character encoding by default could result in the upgrade utility modifying non-ASCII content. This is because there are certain code flows that don't define a character set to use when transferring data between the source and target version of PingAccess. The upgrade utility now checks if the character set on the content type header is set to `null`. If it is, the upgrade utility changes the character set to UTF-8. ## Fixed an issue that intermittently slowed API response time Fixed PA-15271 Reconfiguring PingAccess's log context results in an API response time delay. PingAccess is now optimized to prevent log context from reloading during configuration reload unless changes have been made to the enabled log settings API categories or to the underlying categories in the `log4j-categories.xml` file. ## Fixed a potential security vulnerability Security PA-15059 Upgraded a component of PingAccess to the latest security standard. ## Console **Log Settings** page doesn't immediately reflect changes made in the API Issue PA-15351 If you have the administrative console and API open at the same time and you're on a console page that isn't **Log Settings**, the **Log Settings** page won't immediately populate any log changes that you make in the API. To work around this issue, go to the **Log Settings** page. Perform a hard refresh, or go to another page and then return to **Log Settings**.