Release Notes
New features and improvements in PingAccess. Updated October 7, 2024.
PingAccess 7.3.6 (October 2024)
Create custom log level categories
New PA-15743
Add a custom log level category and manage its verbosity in the admin console. Learn more in Creating custom log level categories.
PingAccess 7.3.5 (August 2024)
Fixed a security vulnerability with URL-encoded characters
Security PA-15776
Added the pa.uri.canonicalize parameter to the Configuration file reference to fix a security vulnerability. Learn more in an upcoming security advisory.
Opt out of automatic URL encoding
Improved PA-15697
By default, redirect rules and rejection handlers automatically URL encode the admin input redirect URL. This could cause unexpected behavior if an application targeted by a redirect requires the URL to follow a specific format.
You can now opt out of automatic URL encoding by deselecting the Encode URL check box on a specific application resource logout or redirect response generator, redirect rule, redirect authentication challenge response generator, or redirect rejection handler. Learn more in:
Set response headers for OAuth errors
Improved PA-15764
Added the oauth.error.headers and oauth.error.header.Content-Security-Policy parameters to the Configuration file reference.
Fixed issues with query parameter behavior due to automatic URL encoding
Fixed PA-15696
Fixed an issue with automatically URL encoding target redirect URLs that sometimes disrupted query parameter sort order or added a trailing = to the end of single value query parameters. This issue affected redirect rules, redirect rejection handlers, redirect virtual resources, logout virtual resources, and redirect authentication challenge policy response generators.
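The trailing-= defect above is what a parse-and-reserialize approach to query encoding produces. The following is an added illustration, not PingAccess code: naive_encode shows the defective pattern, and encode_redirect_url (a hypothetical name) percent-encodes the path and query in place so that parameter order, valueless parameters and existing %XX escapes are preserved. The URLs are constructed sample values.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

_PCT = re.compile(r"%[0-9A-Fa-f]{2}")
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
# Characters allowed to stay literal inside a query name or value (RFC 3986
# query = pchar / "/" / "?"), minus "&", "=" and "+", which a receiver would
# read as separators or as a form-encoded space.
QUERY_SAFE = UNRESERVED | set("!$'()*,;:@/?")
# Path segments may additionally keep "&", "=" and "+".
PATH_SAFE = UNRESERVED | set("!$&'()*+,;=:@/")


def _encode(text, safe):
    """Percent-encode only what is not already safe; keep existing escapes."""
    out = []
    i = 0
    while i < len(text):
        m = _PCT.match(text, i)
        if m:                                   # existing %XX: keep, do not double-encode
            out.append(m.group().upper())
            i = m.end()
            continue
        ch = text[i]
        if ch in safe:
            out.append(ch)
        else:                                   # encode each UTF-8 byte of the character
            out.append("".join("%%%02X" % b for b in ch.encode("utf-8")))
        i += 1
    return "".join(out)


def naive_encode(url):
    """The defective pattern: split the query into pairs and re-serialise it.
    A valueless parameter such as ``flag`` comes back as ``flag=``, and a
    dict-based variant would also lose duplicate names and their order."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def encode_redirect_url(url):
    """Encode path and query without re-serialising them: order, duplicate
    names and valueless parameters survive exactly as the admin typed them."""
    parts = urlsplit(url)
    path = _encode(parts.path, PATH_SAFE)
    encoded = []
    for param in (parts.query.split("&") if parts.query else []):
        if "=" in param:
            name, value = param.split("=", 1)
            encoded.append(_encode(name, QUERY_SAFE) + "=" + _encode(value, QUERY_SAFE))
        else:
            encoded.append(_encode(param, QUERY_SAFE))   # no trailing "=" is added
    return urlunsplit(parts._replace(path=path, query="&".join(encoded)))


if __name__ == "__main__":
    sample = "https://app.example.test/cb?flag&b=1"     # constructed sample URL
    print("naive:   ", naive_encode(sample))
    print("in-place:", encode_redirect_url(sample))
```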
Fixed admin JWKS endpoint returning a 401 or 500 response instead of the OAuth key set
Fixed PA-15723
Fixed an issue that caused PingAccess to override existing handling for the /pa/oauth/JWKS endpoint for the admin listener with the engine self-registration handler, causing requests made to the endpoint to result in 401 unauthorized responses or 500 internal server errors.
PingAccess 7.3.3 (March 2024)
Improved request header security
Security PA-15610
Fixed an issue with connection request header handling. Learn more in SECADV045.
Fixed replication configuration identifiers updating before configuration changes were applied
Fixed PA-15506
Fixed an issue that caused PingAccess engine or replica admin nodes to update their replication configuration identifier before they had finished integrating changes into their runtime configuration. This would result in nodes using stale configuration information until a new configuration change event happened.
Fixed import failure caused by multiple trusted certificates in configuration
Fixed PA-15568
Fixed an issue that could cause PingAccess configuration imports to fail if you had multiple trusted certificates configured in your environment.
Fixed NullPointerException with the rewrite content rule
Fixed PA-15612
Fixed an issue that caused a NullPointerException error when the rewrite content rule was used on a resource that returned an empty chunked response body.
PingAccess 7.3.2 (October 2023)
Configure Microsoft Azure AD as the token provider for administrative API OAuth
New PA-15518
Added support for OAuth tokens created by Microsoft Azure AD for administrative API OAuth. This improves account security for administrators with Microsoft Azure AD configured as the token provider and enables administrators to use their own accounts to configure PingAccess via admin API calls. Relaxed the following PingAccess requirements:
- If you’re using either a common token provider or administrative token provider configuration, you can now use a local access token validator to bypass the administrative API OAuth validation that checks whether the token provider supports the introspection endpoint. This is necessary because Microsoft Azure AD does not have an introspection endpoint.
- The administrative API OAuth no longer enforces whether an administrative token contains a scope claim with a configurable value, because Microsoft Azure AD uses the scp claim instead.
Map SAML tokens as HTTP request headers
New PA-15525
Added the ability to map the SAML token received from a SAML token mediator site authenticator to an HTTP request header that you specify instead of mapping the token as a request cookie. For more information, see the Logged In Header Name field.
Fixed object ID override for key pairs and certificates imported through the administrative API
Fixed PA-15386
Fixed an issue that caused PingAccess to replace object IDs defined on key pairs or certificates imported through the administrative API with an auto-generated object ID.
Additionally, the POST /keyPairs/import and POST /certificates API models have been updated to include more information on how to assign an ID for these object types.
PingAccess 7.3.1 (September 2023)
Configure Microsoft Azure AD as a common token provider when protecting an API application
New PA-15369
PingAccess has made common token provider configuration more flexible:
- When you’re configuring the OAuth authorization server for a common token provider, the Introspection Endpoint field is now required only if you configure a remote access token validator on your PingAccess application.
- When you’re configuring an application, before you can select a remote access token validator from the Access Validation list, you must configure an Introspection Endpoint on the OAuth Authorization Server tab.
This increased flexibility enables you to configure Azure AD as the common token provider for protected API applications.
Because Azure AD doesn’t have an
Fixed UI rendering issue when optional field is missing from plugin
Fixed PA-15273
Fixed an issue that caused the PingAccess administrative console UI to fail to render if a newly added configuration field was missing from the plugin data that was saved previously.
For more information, see create your own plugins.
Fixed SniHandlerConfigBuilder parameter keystore type declaration
Fixed PA-15270
Fixed an issue that caused the SniHandlerConfigBuilder to fail to declare a specific keystore type for the PingAccess SslContext server, which could result in PingAccess taking longer to start up if the target JVM’s default keystore type was PKCS#12.
The SniHandlerConfigBuilder now specifically declares JKS as the keystore type to prevent unexpected performance losses.
Fixed UI rendering breakage when using Groovy script fields in composite plugin fields
Fixed PA-15381
Fixed an issue that caused the PingAccess administrative console UI to display a blank page if you attempted to configure a Groovy script field within a plugin entity in a composite field.
For more information, see create your own plugins.
Fixed form data registration of list fields in composite plugin fields
Fixed PA-15382
Fixed an issue that caused list fields embedded in composite plugin fields to register improperly in the form data for the PingAccess administrative console UI.
For more information, see create your own plugins.
Fixed log category preferences not sticking on restart
Fixed PA-15390
Fixed an issue that caused PingAccess to reset an environment’s configured log setting categories on startup.
Fixed early expiration of cached PingOne Protect risk evaluation results
Fixed PA-15396
Fixed an issue with the PingOne Protect integration that caused PingAccess to calculate expiration values for cached risk evaluation results in milliseconds instead of seconds. This unexpected input value was disabling token caching after making a risk evaluation because PingAccess was receiving a false positive result that the risk evaluation cache data had expired.
Fixed an issue caused by sending an API request with an invalid or blank risk policy
Fixed PA-15399
Fixed an issue that caused sending an API request with an invalid or blank risk policy to result in a NullPointerException error.
Fixed Azure AD access token validation issue
Fixed PA-15496
Azure AD creates an Application (Client) ID value that exceeds 36 characters and automatically assigns that value as the Audience value in the access token. This prevented PingAccess from validating Azure AD access tokens because PingAccess previously accepted a maximum of 32 characters for an Audience value.
PingAccess can now accept a longer Audience value.
PingAccess 7.3 (June 2023)
Upgrading from PingAccess 6.2 or below to the latest version will require two steps as of PingAccess 8.0
Info
Beginning with the PingAccess 8.0 release in December 2023, upgrades to the latest release directly from PingAccess 6.2 and below won’t be possible. You’ll need to upgrade to a version of PingAccess between 6.3 and 7.3 first, and then upgrade to the latest version of PingAccess.
Added support for IBM HTTP Server running on RHEL 8 or 9
New
Added support for IBM HTTP Server 9.0 running on RHEL 8 or 9 to the PingAccess agent for Apache (RHEL). For more information, see:
Added UI controls for risk policy configuration
New PA-15152
Added two new pages in the administrative console, PingOne Connections and Risk Policies, as well as new configuration options on the Application and Application Resource tabs. These UI controls simplify the process of setting up a PingOne Protect integration. For more information, see the following topics:
- For more information on how to establish a connection between PingOne Protect and PingAccess, see PingOne connections.
- For more information on how to create a risk policy, see Risk policies.
- For more information on how to assign a risk policy to a specific application or application resource, see the Application Type table entry in Application field descriptions or step 11 of Adding application resources.
Adjust log levels through the administrative console or API
New PA-15160
Added a log4j-categories.xml file which defines and allows references to PingAccess-specific logging categories. This enables you to adjust log levels through the administrative console or API as opposed to directly within the log4j2.xml file.
If you have customized your
To adjust log levels in the administrative console, use the new Log Settings page to enable Verbose logging on a per category basis. In the administrative API, enable verbose logging through the new /logSettings endpoint. For more information on log levels and how to adjust them, see Log settings.
Apply PingAuthorize rules on web applications
New PA-15161
Previously, two PingAccess rule types, the PingAuthorize access control rule and the PingAuthorize response filtering rule, could only be applied on API applications.
You can now apply either rule type on a web application, Web + API application, or a specific web application resource through the PingAccess administrative console or administrative API. This enables you to apply rules configured in PingAuthorize to inbound web requests and outbound web responses in PingAccess.
- For more information on applying PingAuthorize rules to inbound web requests, see Adding PingAuthorize access control rules.
- For more information on applying PingAuthorize rules to outbound web responses, see Adding PingAuthorize response filtering rules.
- For more information on how to add rules to applications or specific application resources, see Applying rules to applications and resources.
Upgraded AWS CloudHSM Client SDK 3.x to 5.x
New PA-15182
Removed support for AWS CloudHSM Client SDK 3, which was limited to usage with Java 8 and Linux. Added support for AWS CloudHSM Client SDK 5, which is usable with Java 8 or Java 11, and can be deployed on Linux or Windows.
However, Client SDK 5 also introduces an issue with elliptic curve key pairs which prevents them from being assigned to PingAccess listeners. For more information on Client SDK 5, see Adding an AWS CloudHSM provider and Upgrade considerations.
Track id_token or include the id_token_hint parameter in SLO calls
New PA-15207
Added a new configuration option for common token providers and a new configuration option for administrative console UI SSO authentication:
- Select the Track id_token check box to track the id_token that the authorization server provides after authentication. For more information, see Configuring OpenID Connect token providers. You must select Track id_token to use the id_token attribute when Creating header identity mappings.
- The Include id_token_hint in SLO check box lets administrators choose whether to send an id_token_hint in PingAccess’s single logout (SLO) request to the token provider. This extends PingAccess’s compatibility with token providers that require this parameter for SLO, such as Okta. For more information, see Configuring admin UI SSO authentication.
Selecting either of these options increases the size of the PingAccess cookie. For more information on other settings you can adjust to balance this out, see Minimizing the PingAccess cookie size.
Use a SAML Token Mediator to perform token mediation
New PA-15222
Added a new type of authentication to the Site Authenticator list in the administrative console, SAML Token Mediator. This authentication type enables PingAccess to perform token mediation with PingFederate to get a SAML 1.1 or SAML 2.0 assertion, providing greater flexibility in the types of security tokens that you can use.
For more information, see Adding site authenticators and SAML token mediator site authenticators.
Use environment variables to simplify container management
New PA-15223
Simplify container management by using environment variables to override the values of PingAccess configuration properties instead of directly editing each property in its respective .properties file.
For more information, see Use environment variables to override configuration settings.
Connect engine nodes to a more recently upgraded administrative node
New PA-15226
Engine nodes and the replica administrative node running PingAccess 7.3 or later can now connect with an administrative node that’s running a later version of PingAccess. This change:
- Reduces the possibility for outages caused by outdated information.
- Improves stability for containerized deployments.
- Reduces log error messages.
- Improves the process of upgrading to future versions of PingAccess.
Currently, only nodes from PingAccess 7.3 or later can replicate data that’s relevant to the version they’re running. The ability to replicate version-relevant data does not remove any steps from the upgrade or zero-downtime upgrade process. You should still finish upgrading all of an environment’s nodes before making configuration changes.
For more information, see Upgrade considerations.
Self-register a replacement engine if an existing engine isn’t running
New PA-15252
Added a new cluster configuration setting to the run.properties file, engine.polling.test.delay. This property provides more handling flexibility if an engine can’t connect to the administrative node.
If a previously existing engine isn’t running, a replacement PingAccess engine that’s created with the same name can now self-register. The replacement engine also updates its configuration to match the configuration from the most recent registration JWT.
Control whether a replacement engine will self-register when this condition is met with the engine.polling.test.delay property. Set this value below zero if you don’t want engines to self-register, and set it equal to or higher than the engine.polling.delay value to increase flexibility in determining whether a previously existing engine is running. For more information, see Configuration file reference.
Use additional matching strategies on web session attribute rules
New PA-15253
Added a new selector to web session attribute rules, Matching Strategy. To change how PingAccess evaluates attributes, select an option from this list. By default, PingAccess uses a Case-Sensitive matching strategy.
Evaluate attributes with a Case-Insensitive or DN Matching strategy to make changes at the attribute source that are semantically equivalent for the source context without having to modify your PingAccess configuration. This reduces the possibility of outages caused by case-sensitivity differences in policy evaluation.
For more information, see Web session attribute rule.
Upgraded admin API documentation to use OAS 2.0
Improved PA-14633
In PingAccess 7.3, the Swagger-UI component that displays the PingAccess admin API documentation was upgraded to remove outdated dependencies. The Swagger-UI component now uses OpenAPI specification (OAS) 2.0. For more information, see Administrative API endpoints.
The specification that the PingAccess admin API docs used previously, Swagger 1.2, has been deprecated. The Swagger 1.2 specification is still available at https://<PA_HOME>:<PORT>/pa-admin-api/v3/api-docs/pa/api-docs.json, but might be removed from future versions of PingAccess.
Expanded verbose logging categories
Improved PA-15195
Added two new log categories to the Log Settings page in the administrative console, Core and Cluster Replication. For more information on these categories, see Log level category descriptions.
Updated PingAccess client authentication logic
Improved PA-15229
Updated the PingAccess logic that determines which authentication method to use at runtime. This update prevents errors when Private Key JWT and Mutual TLS are the only client authentication methods that a token provider can support.
Added an option for access token validators to skip audience validation
Improved PA-15249
Added a Skip Audience Validation check box to the Access Token Validator page in the administrative console. If this option is selected, an access token validator doesn’t attempt to validate access tokens for audience claims.
You must select this option if you don’t plan to configure an audience value. For more information, see Adding access token validators.
Improved Windows request processing speed
Fixed PA-14729
A JVM setting in the upgrade utility and PingAccess Service/conf directory, -Djava.security.egd=file:/dev/./urandom, was slowing request processing. This setting is specific to Unix environments, so it was removed from the Windows script/conf files in PingAccess.
PingOne risk policy integration maps user-agent header manually
Fixed PA-15153
PingAccess wasn’t sending the browser.userAgent parameter to PingOne Protect because PingAccess doesn’t currently support device profiling (which would normally collect this parameter). In the absence of device profiling, PingAccess now attempts to map this parameter manually and send it to PingOne Protect.
Redirect and templated authentication challenges now set PingAccess cookies
Fixed PA-15154
PingAccess now proactively sets web session cookies for Redirect and Templated authentication challenges when you select the Append Redirect Parameters check box on one of those two challenge generators. Adding web session cookies helps the frontend application to interpret redirect or templated challenge responses and begin the appropriate authentication procedure.
Improved vague error response message when PingOne Credential is blank or null
Fixed PA-15165
The response message PingAccess returns for errors generated when an administrator adds or updates a PingOne connection has been improved to specify that the credential must not be null, empty, or blank.
Adjusted agent token cache TTLs to reflect risk policy evaluation intervals
Fixed PA-15166
Corrected an issue with token cache time to lives (TTLs) on agent applications that use the PingOne Protect integration. The agent token cache TTLs no longer prioritize an application’s web session Idle Timeout over the Risk Check Interval or Authentication Validity Period defined in the application’s risk policy.
Fixed default removal of active session state cookies from requests
Fixed PA-15167
Corrected an issue where PingAccess would remove active session state cookies from requests by default. If a component relies on the session state cookie, its absence can cause unexpected behavior, so PingAccess now removes session state cookies conditionally.
Corrected CPU load return message when load is 0
Fixed PA-15185
Previously, PingAccess would return a response of N/A when CPU load was unavailable or detected to have a value of zero. PingAccess now provides a response of 0 instead.
Fixed upgrade utility issue when default system encoding isn’t UTF-8
Fixed PA-15240
Formerly, running the upgrade utility on a system that uses non-UTF character encoding by default could result in the upgrade utility modifying non-ASCII content. This is because there are certain code flows that don’t define a character set to use when transferring data between the source and target version of PingAccess.
The upgrade utility now checks if the character set on the content type header is set to null. If it is, the upgrade utility changes the character set to UTF-8.
Fixed an issue that intermittently slowed API response time
Fixed PA-15271
Reconfiguring PingAccess’s log context caused an API response time delay. PingAccess is now optimized to prevent the log context from reloading during a configuration reload unless changes have been made to the enabled log settings API categories or to the underlying categories in the log4j-categories.xml file.
Fixed a potential security vulnerability
Security PA-15059
Upgraded a component of PingAccess to the latest security standard.
Console Log Settings page doesn’t immediately reflect changes made in the API
Issue PA-15351
If you have the administrative console and API open at the same time and you’re on a console page that isn’t Log Settings, the Log Settings page won’t immediately populate any log changes that you make in the API.
To work around this issue, go to the Log Settings page. Perform a hard refresh, or go to another page and then return to Log Settings.
PingAccess 7.2.4 (August 2024)
Fixed a security vulnerability with URL-encoded characters
Security PA-15776
Added the pa.uri.canonicalize parameter to the Configuration file reference to fix a security vulnerability. Learn more in an upcoming security advisory.
Opt out of automatic URL encoding
Improved PA-15697
By default, redirect rules and rejection handlers automatically URL encode the admin input redirect URL. This could cause unexpected behavior if an application targeted by a redirect requires the URL to follow a specific format.
You can now opt out of automatic URL encoding by deselecting the Encode URL check box on a specific application resource logout or redirect response generator, redirect rule, redirect authentication challenge response generator, or redirect rejection handler. Learn more in:
Set response headers for OAuth errors
Improved PA-15764
Added the oauth.error.headers and oauth.error.header.Content-Security-Policy parameters to the Configuration file reference.
Fixed issues with query parameter behavior due to automatic URL encoding
Fixed PA-15696
Fixed an issue with automatically URL encoding target redirect URLs that sometimes disrupted query parameter sort order or added a trailing = to the end of single value query parameters. This issue affected redirect rules, redirect rejection handlers, redirect virtual resources, logout virtual resources, and redirect authentication challenge policy response generators.
Fixed admin JWKS endpoint returning a 401 or 500 response instead of the OAuth key set
Fixed PA-15723
Fixed an issue that caused PingAccess to override existing handling for the /pa/oauth/JWKS endpoint for the admin listener with the engine self-registration handler, causing requests made to the endpoint to result in 401 unauthorized responses or 500 internal server errors.
PingAccess 7.2.3 (March 2024)
Improved request header security
Security PA-15610
Fixed an issue with connection request header handling. Learn more in SECADV045.
Fixed NullPointerException with the rewrite content rule
Fixed PA-15612
Fixed an issue that caused a NullPointerException error when the rewrite content rule was used on a resource that returned an empty chunked response body.
PingAccess 7.2.2 (July 2023)
Connect engine nodes to a more recently upgraded administrative node
New PA-15359
Engine nodes and the replica administrative node running PingAccess 7.2.2 or later can now connect with an administrative node that’s running a later version of PingAccess.
This ability was backported from PingAccess 7.3. For more information on how to use this ability, see Connect engine nodes to a more recently upgraded administrative node in the 7.3 release notes.
Updated PingAccess client authentication logic
Improved PA-15229
Updated the PingAccess logic that determines which authentication method to use at runtime. This update prevents errors when Private Key JWT and Mutual TLS are the only client authentication methods that a token provider can support.
Fixed upgrade utility issue when default system encoding isn’t UTF-8
Fixed PA-15240
Formerly, running the upgrade utility on a system that uses non-UTF character encoding by default could result in the upgrade utility modifying non-ASCII content. This is because there are certain code flows that don’t define a character set to use when transferring data between the source and target version of PingAccess.
The upgrade utility now checks if the character set on the content type header is set to null. If it is, the upgrade utility changes the character set to UTF-8.
PingAccess 7.2.1 (April 2023)
Added RHEL 9 support to PingAccess
New PA-15174
Added support for RHEL 9 to version 7.2 of PingAccess, and the most recent versions of the PingAccess agent for NGINX and the PingAccess agent for Apache (RHEL). For more information, see the following topics:
Added UI controls for risk policy configuration
New PA-15152
Added two new pages in the administrative console, PingOne Connections and Risk Policies, as well as new configuration options on the Application and Application Resource tabs. These UI controls simplify the process of setting up a PingOne Protect integration for web applications. For more information, see the following topics:
- For more information on how to establish a connection between PingOne Protect and PingAccess, see PingOne connections.
- For more information on how to create a risk policy, see Risk policies.
- For more information on how to assign a risk policy to a specific application or application resource, see the Application Type table entry in Application field descriptions or step 11 of Adding application resources.
PingOne risk policy integration maps user-agent header manually
Fixed PA-15153
PingAccess wasn’t sending the browser.userAgent parameter to PingOne Protect because PingAccess doesn’t currently support device profiling (which would normally collect this parameter). In the absence of device profiling, PingAccess now attempts to map this parameter manually and send it to PingOne Protect.
Redirect and templated authentication challenges now set PingAccess cookies
Fixed PA-15154
PingAccess now proactively sets web session cookies for Redirect and Templated authentication challenges when you select the Append Redirect Parameters check box on one of those two challenge generators. Adding web session cookies helps the frontend application to interpret redirect or templated challenge responses and begin the appropriate authentication procedure.
Improved vague error response message when PingOne Credential is blank or null
Fixed PA-15165
The response message PingAccess returns for errors generated when an administrator adds or updates a PingOne connection has been improved to specify that the credential must not be null, empty, or blank.
Adjusted agent token cache TTLs to reflect risk policy evaluation intervals
Fixed PA-15166
Corrected an issue with token cache time to lives (TTLs) on agent applications that use the PingOne Protect integration. The agent token cache TTLs no longer prioritize an application’s web session Idle Timeout over the Risk Check Interval or Authentication Validity Period defined in the application’s risk policy.
Fixed default removal of active session state cookies from requests
Fixed PA-15167
Corrected an issue where PingAccess would remove active session state cookies from requests by default. If a component relies on the session state cookie, its absence can cause unexpected behavior, so PingAccess now removes session state cookies conditionally.
PingAccess 7.2 (December 2022)
Adjust web session timeouts based on specific user attributes
New PA-14884
Added a new advanced setting, the Timeout Groovy Script field, to the Web Sessions page. With this feature, you can attach a Groovy script to a web session to overwrite its default Max Timeout and Idle Timeout values based on specific user attributes returned by the token provider. For more information and an example script, see Creating web sessions.
Access reserved resources from an application’s context root
New PA-14876
Added a new advanced setting, Use context root as reserved resource base path, to the Applications page. Selecting this check box prepends the specified application’s <context root> before the globally-defined <reserved application context root> in the file path to reserved resources and runtime API endpoints, making accessibility to these resources more flexible. For more information and examples, see Application field descriptions.
Establish web sessions in Microsoft Office products
New PA-14900
Added a new out-of-the-box authentication challenge policy which enables you to open Microsoft Office applications in an in-app browser that redirects to the OpenID Provider (OP) for authentication. See Authentication for more information on system-provided policies and Configuring authentication challenge policies for more information on how to use the MS-OFBA challenge response mapping and the MS-OFBA Authentication Request Redirect challenge response generator to address edge-case scenarios regarding MS-OFBA support.
Include requested resource URL in additional authentication challenge responses
New PA-14988
Added additional parameters to the Redirect Challenge and Templated Challenge response generators. They can now store the URL of the resource a user was trying to access before they were redirected to authenticate, as well as the authentication API parameters necessary for the user to access that resource. This feature aids in the creation of your own user sign-on experience, but some additional coding is required. For more information, see Authentication challenge response generator descriptions and Configuring authentication challenge policies.
Provide user feedback on authentication challenge reason for expired sessions
New PA-15010
Added feedback keys to the OIDC Authentication Request Redirect, Redirect Challenge, and Templated Challenge response generators. When a user is redirected to an authentication source by one of these authentication challenge response generators, PingAccess sends the feedback key to the authentication source to let it know that the user was directed there because their session expired. The authentication source can then configure and display a user-facing message to let the user know why they were redirected.
To enable PingAccess to send feedback to the authentication source, you must select the Provide Authentication Feedback check box on the web session you intend to use. For more information, see Configuring authentication challenge policies and Creating web sessions.
Configure prompt parameter in OIDC authentication requests
New PA-14999
Added a prompt parameter to the following authentication challenge response generators:
- Browser-handled OIDC Authentication Request
- HTML OIDC Authentication Request
- MS_OFBA Authentication Request Redirect
- OIDC Authentication Request Redirect
- PingFederate Authentication API Challenge
The prompt parameter can be used to confirm that the end-user is still present for the current session, or to draw attention to the authentication request. For more information, see Configuring authentication challenge policies. You can also configure the prompt parameter on a web session, but a prompt parameter specified on a challenge response generator takes precedence. For more information, see Creating web sessions.
Additionally, PingAccess can now send pushed authorization requests (PAR) to provide an additional layer of security to requests if PingFederate is configured as the token provider. For more information, see Enable Push Authorization in Creating web sessions.
Create PingOne Protect policies through the PingAccess administrative API
New PA-14987
Added two new admin API endpoints, /pingone/connections and /risk/policies. Administrators can integrate PingOne Protect evaluations into PingAccess through the /pingone/connections endpoint. With the /risk/policies endpoint, administrators can create risk policies to dynamically monitor end-user requests and invoke specific access control or authentication challenge policies set by the administrator based on the PingOne Protect score that the user’s activity generates. For more information, see PingOne Protect integration.
Stale engine node deletion
New PA-14867
You can configure administrative nodes to automatically remove stale engine node entities. For more information, see Configuring administrative nodes.
Removed extraneous algorithm to improve replication times
Improved PA-15032
Consolidated an algorithm that assisted in calculating invalidation timestamps for agent resources to improve performance speed.
Improved Apache Derby replication times regarding slow database queries
Improved PA-15027
Resource database queries were performing slowly in Apache Derby when run at scale. The query used with the resource table has been changed to improve the speed of policy data collection.
Fixed replication of rules and rulesets configured on a proxied version of PingFederate
Fixed PA-15136
Because of a misclassification by an optimization that tries to prevent rules and rulesets from being replicated to the engine if they are not in use, PingAccess wasn’t replicating rules and rulesets assigned to a proxied PingFederate configuration unless they were also assigned to other applications or resources. Rules and rulesets assigned to a proxied PingFederate configuration are now classified correctly.
Fixed sample plugins failing to build with Maven 3.8.1+
Fixed PA-114997 PingAccess
Maven 3.8.1 and up are configured to block HTTP repositories by default. The PingAccess Add-on SDK for Java shipped with sample plugins that were failing to build because they contained references to an HTTP repository. PingAccess now ships with pom files in its sample plugins that reference HTTPS repositories instead.
Fixed population of original resource IDs in upgrade audit logs
Fixed PA-14998
The upgrade audit log is used to review entity migration after you’ve upgraded PingAccess to a new version. Original resource IDs within the upgrade audit log were incorrectly displaying a value of zero instead of their real values. This issue has been fixed.
Fixed PingAccess nonce “set-cookie” interaction with Blackberry SDK
Fixed PA-14891
Case-sensitivity was causing the Blackberry SDK to remove the cookie set by the PingAccess nonce, which was formerly “set-cookie.” Set-Cookie now uses title-case capitalization to ensure that the cookie is set properly.
Fixed identity mapping exclusion list issue
Fixed PA-14908
Fixed an issue that prevented an identity mapping from being saved through the API if the exclusion list attributes were null.
Fixed identity mapping for unprotected API applications
Fixed PA-14899
Fixed an issue that prevented identity mappings from being assigned to unprotected API applications.
Fixed sign on failure issue
Fixed PA-14897
Fixed an issue that sometimes caused UI lockout after multiple failed sign on attempts.
PingAccess 7.1.5 (August 2024)
Fixed a security vulnerability with URL-encoded characters
Security PA-15776
Added the pa.uri.canonicalize parameter to the Configuration file reference to fix a security vulnerability. Learn more in an upcoming security advisory.
Opt out of automatic URL encoding
Improved PA-15697
By default, redirect rules and rejection handlers automatically URL encode the admin input redirect URL. This could cause unexpected behavior if an application targeted by a redirect requires the URL to follow a specific format.
You can now opt out of automatic URL encoding by deselecting the Encode URL check box on a specific application resource logout or redirect response generator, redirect rule, redirect authentication challenge response generator, or redirect rejection handler. Learn more in:
Set response headers for OAuth errors
Improved PA-15764
Added the oauth.error.headers and oauth.error.header.Content-Security-Policy parameters to the Configuration file reference.
Fixed issues with query parameter behavior due to automatic URL encoding
Fixed PA-15696
Fixed an issue with automatically URL encoding target redirect URLs that sometimes disrupted query parameter sort order or added a trailing = to the end of single value query parameters. This issue affected redirect rules, redirect rejection handlers, redirect virtual resources, logout virtual resources, and redirect authentication challenge policy response generators.
Fixed admin JWKS endpoint returning a 401 or 500 response instead of the OAuth key set
Fixed PA-15723
Fixed an issue that caused PingAccess to override existing handling for the /pa/oauth/JWKS endpoint for the admin listener with the engine self-registration handler, prompting requests made to the endpoint to result in 401 unauthorized responses or 500 internal server errors.
PingAccess 7.1.4 (March 2024)
Improved request header security
Security PA-15610
Fixed an issue with connection request header handling. Learn more in SECADV045.
Updated PingAccess client authentication logic
Improved PA-15229
Updated the PingAccess logic that determines which authentication method to use at runtime. This update prevents errors when Private Key JWT and Mutual TLS are the only client authentication methods that a token provider can support.
Fixed replication of rules and rulesets configured on a proxied version of PingFederate
Fixed PA-15136
Because of a misclassification by an optimization that tries to prevent rules and rulesets from being replicated to the engine if they are not in use, PingAccess wasn’t replicating rules and rulesets assigned to a proxied PingFederate configuration unless they were also assigned to other applications or resources. Rules and rulesets assigned to a proxied PingFederate configuration are now classified correctly.
Fixed NullPointerException with the rewrite content rule
Fixed PA-15612
Fixed an issue that caused a NullPointerException error when the rewrite content rule was used on a resource that returned an empty chunked response body.
PingAccess 7.1.3 (October 2022)
Fixed PingAccess Nonce “Set-Cookie” Interaction with Blackberry SDK
Fixed PA-14891
Case-sensitivity was causing the Blackberry SDK to remove the cookie set by the PingAccess nonce, which was formerly “set-cookie.” Set-Cookie now uses title-case capitalization to ensure that the cookie is set properly.
PingAccess 7.1 (June 2022)
Automatic Engine Registration
New PA-14730
A new capability lets you configure and download an engine node registration file from the PingAccess UI. You can put this file on an engine node when it is first started to automatically register the engine node. For more information, see Configuring engine nodes using an auto-registration file.
Added capability for forced reauthorization
New PA-14737
Authentication requirements rules now include an option for maximum age. If the user has not authenticated within the specified timeframe, they are prompted to reauthenticate. For more information, see Adding an authentication requirements rule.
Kong API Gateway Integration
New PA-14418
Ping Identity provides a plugin for Kong Gateway that enables PingAccess (and other Ping Identity products) to be used for policy decisions. For more information, see Kong API Gateway Integration.
IWA Integration
New PA-14588
PingAccess, when protecting applications as a gateway, adds support for protecting applications that rely on Integrated Windows Authentication (IWA). This gives IAM teams consistent, centralized access control and visibility for IWA-based applications, similar to their WAM-based applications (PingAccess does not mediate authentication methods for IWA-based applications. Authentication is negotiated between the browser and the IWA-based application, passing through PingAccess). For more information, see IWA Integration.
Added SPA Support Disabled Authentication Challenge Policy
New PA-14567
A new SPA Support Disabled Authentication Challenge Policy (ACP) has been added that behaves the same as previously seen when Applications were set with SPA Support disabled. Additionally, added an ability to define a default ACP to be set when creating new applications in the PingAccess administrative UI. For more information, see changes to Application field descriptions and System defaults, and Configuring authentication challenge policies.
Added Content-Security-Policy headers
New PA-14597
The PingAccess Runtime Authentication Challenge Policy behavior is modified to incorporate a default CSP header in the response. Additionally, default content-security-policy headers have been added for various error responses generated by PingAccess. For more information, see changes to Configuration file reference.
Added support for PingFederate administrative APIs using OAuth authentication
New PA-14562
PingAccess can authenticate to PingFederate administrative APIs using OAuth2 by sending a bearer token in the requests PingAccess makes to the PingFederate administrative API. For more information, see Configuring PingFederate administration.
Fixed certificate ID issue
Fixed PA-14775
Fixed an issue that restricted the available certificate IDs for agents, engines, and replica administrative nodes.
Fixed authentication requirements issue
Fixed PA-14771
Fixed an issue that prevented an authentication requirements list from correctly displaying the related authentication requirements rule after an attempt to edit it.
Fixed non-FIPS HSM key pair issue
Fixed PA-14414
Fixed an issue where PingAccess could not use non-FIPS HSM key pairs at runtime.
Fixed DB password issue
Fixed PA-14570
Resolved an issue by disabling the DB password check in Derby.
Fixed nonce cookie persistence issue
Fixed PA-12652
Fixed an issue where nonce cookies were not removed when SLO is not enabled.
Fixed API swagger issue
Fixed PA-14634
Fixed an issue with API swagger where the GET Response Class Models and Operational Models did not reflect the actual response.
Fixed custom load balancing issue
Fixed PA-14645
Fixed an issue where custom load balancing strategies that returned custom TargetHosts would result in runtime exceptions.
PingAccess 7.0.8 (August 2024)
Fixed a security vulnerability with URL-encoded characters
Security PA-15776
Added the pa.uri.canonicalize parameter to the Configuration file reference to fix a security vulnerability. Learn more in an upcoming security advisory.
Opt out of automatic URL encoding
Improved PA-15697
By default, redirect rules and rejection handlers automatically URL encode the admin input redirect URL. This could cause unexpected behavior if an application targeted by a redirect requires the URL to follow a specific format.
You can now opt out of automatic URL encoding by deselecting the Encode URL check box on a specific application resource logout or redirect response generator, redirect rule, redirect authentication challenge response generator, or redirect rejection handler. Learn more in:
Set response headers for OAuth errors
Improved PA-15764
Added the oauth.error.headers and oauth.error.header.Content-Security-Policy parameters to the Configuration file reference.
Fixed issues with query parameter behavior due to automatic URL encoding
Fixed PA-15696
Fixed an issue with automatically URL encoding target redirect URLs that sometimes disrupted query parameter sort order or added a trailing = to the end of single value query parameters. This issue affected redirect rules, redirect rejection handlers, redirect virtual resources, logout virtual resources, and redirect authentication challenge policy response generators.
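The encoding behaviour described in this PA-15696 entry (for 7.0.8 and the identical 7.1.5 entry above) is easy to get wrong in your own redirect handling. The following is an added example, not PingAccess code: it re-encodes only the query of a redirect target, keeps parameters in their original order, leaves a value-less parameter without a trailing =, and is idempotent on already-encoded input. The URLs are constructed sample values.

```python
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, quote, unquote_plus, urlencode, urlsplit, urlunsplit

# Constructed example, not PingAccess code: percent-encode a redirect target's
# query string without reordering parameters and without turning "?flag"
# into "?flag=". Scheme, host, path and fragment are passed through untouched.


def split_query(query: str) -> List[Tuple[str, Optional[str]]]:
    """Parse a query string into (name, value) pairs in their original order.

    A parameter written without "=" is kept as (name, None) so the encoder
    can reproduce it exactly; "name=" becomes (name, "").
    """
    pairs: List[Tuple[str, Optional[str]]] = []
    for item in query.split("&"):
        if not item:
            continue
        name, sep, value = item.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value) if sep else None))
    return pairs


def join_query(pairs: List[Tuple[str, Optional[str]]]) -> str:
    """Percent-encode the pairs back into a query string, preserving order."""
    encoded_parts = []
    for name, value in pairs:
        encoded = quote(name, safe="")
        if value is not None:
            encoded += "=" + quote(value, safe="")
        encoded_parts.append(encoded)
    return "&".join(encoded_parts)


def encode_redirect_url(url: str) -> str:
    """Return url with its query re-encoded; everything else is left as-is.

    Decoding before encoding makes the function idempotent, so a URL that an
    administrator already entered in encoded form is not double-encoded.
    """
    parts = urlsplit(url)
    return urlunsplit(parts._replace(query=join_query(split_query(parts.query))))


def naive_encode(url: str) -> str:
    """Contrast case (constructed): dict-based re-encoding gives every
    parameter a trailing "=", which is the symptom the fix above removed."""
    parts = urlsplit(url)
    flattened = dict(parse_qsl(parts.query, keep_blank_values=True))
    return urlunsplit(parts._replace(query=urlencode(flattened)))
```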
PingAccess 7.0.7 (March 2024)
Improved request header security
Security PA-15610
Fixed an issue with connection request header handling. Learn more in SECADV045.
Updated PingAccess client authentication logic
Improved PA-15229
Updated the PingAccess logic that determines which authentication method to use at runtime. This update prevents errors when Private Key JWT and Mutual TLS are the only client authentication methods that a token provider can support.
Fixed NullPointerException with the rewrite content rule
Fixed PA-15612
Fixed an issue that caused a NullPointerException error when the rewrite content rule was used on a resource that returned an empty chunked response body.
PingAccess 7.0.4 (May 2022)
Fixed behavior of Body.toString() in the add-on SDK
Fixed PA-14751 PingAccess
Fixed handling of PingAccess add-on SDK function com.pingidentity.pa.sdk.http.Body#toString to maintain the same behavior as seen prior to 6.3.
Fixed runtime exception with custom load balancing strategies
Fixed PA-14645
Fixed an issue where custom load balancing strategies that returned custom TargetHosts would result in runtime exceptions.
PingAccess 7.0 (December 2021)
Added Logout virtual resource
New PA-14281
Added a new Logout response generator for virtual resources, enabling you to customize logout behavior for each application. See Adding application resources for more information.
CRL processing improvements
New PA-14227, PA-14410
PingAccess now supports trace-level logging to help troubleshoot certification revocation issues and provides an option to bypass trust anchor validation. This helps improve interoperability with certificate authority (CA) infrastructure. See Creating trusted certificate groups for more information.
Added support for web session access token identity mappings
New PA-14412
PingAccess now supports creating web session access token identity mappings. This helps ease integration with existing APIs, in particular in the context of Single Page Applications (SPAs). See Creating web session access token identity mappings for more information.
Added support for reversed trust chain certificate validation
New PA-14422
PingAccess now supports validation for client certificate chains that are not in the standard order, such as a reversed certificate chain of [root, intermediate, leaf]. See Creating trusted certificate groups for more information.
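To show what accepting an out-of-order chain involves, here is an added example (not PingAccess code) that orders a client certificate chain leaf-first whether it arrives as [leaf, intermediate, root], reversed, or shuffled, and rejects sets that do not form one linear chain. Certificates are reduced to constructed subject and issuer names, which is all the ordering step needs.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Constructed example, not PingAccess code. Real code would take the names
# from parsed X.509 certificates; the ordering logic is the same.


@dataclass(frozen=True)
class CertInfo:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def order_chain(certs: Iterable[CertInfo]) -> List[CertInfo]:
    """Return the certificates ordered from leaf up to the highest supplied CA.

    Raises ValueError when the input is not one linear chain (duplicate
    subject, branch, cycle or an unrelated certificate), so the caller never
    validates a chain it silently mis-assembled. A chain sent without its
    root is accepted; locating the root is the trust store's job.
    """
    certs = list(certs)
    by_subject = {c.subject: c for c in certs}
    if len(by_subject) != len(certs):
        raise ValueError("duplicate subject in chain")
    # The leaf is the one certificate that issued nothing else in the set.
    issuer_names = {c.issuer for c in certs if not c.self_signed}
    leaves = [c for c in certs if c.subject not in issuer_names]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf, found {len(leaves)}")
    chain = [leaves[0]]
    seen = {leaves[0].subject}
    while not chain[-1].self_signed:
        parent = by_subject.get(chain[-1].issuer)
        if parent is None:
            break  # issuer not supplied; the trust anchor must come from the store
        if parent.subject in seen:
            raise ValueError("cycle in chain")
        chain.append(parent)
        seen.add(parent.subject)
    if len(chain) != len(certs):
        raise ValueError("certificates present that are not part of the chain")
    return chain


# Constructed sample chain used by the demonstration below.
ROOT = CertInfo("CN=Example Root CA", "CN=Example Root CA")
INTERMEDIATE = CertInfo("CN=Example Issuing CA", "CN=Example Root CA")
LEAF = CertInfo("CN=client.example.com", "CN=Example Issuing CA")

if __name__ == "__main__":
    for supplied in ([LEAF, INTERMEDIATE, ROOT], [ROOT, INTERMEDIATE, LEAF]):
        print([c.subject for c in order_chain(supplied)])
```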
Runtime state clustering no longer supported
Info PA-14435
PingAccess no longer supports runtime state clustering. Clustered environments that do not use runtime state clustering are not affected.
Fixed a typo affecting the upload of external scripts
Fixed PA-14542
Fixed a typo in the Content-Security-Policy header that prevented PingAccess from loading external scripts from HTML responses.
Fixed an issue that returned a 500 error code
Fixed PA-14541
Fixed an issue in the CRL client certificate authentication flow that returned a 500 error code when PingAccess is in FIPS mode.
UI displays alias of selected certificates
Fixed PA-14421
Updated the PingAccess UI to display the alias of the selected certificates in the Trusted Certificate Group List.
Expanded character limit on the primary administrative node host field
Fixed PA-14433
Fixed an issue that limited the host field for the Primary Administrative Node to 64 characters, instead of the standard 255 characters.
Added URL encoding for special characters
Fixed PA-14083
Added handling to URL encode client secrets with special characters per RFC 6749.
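RFC 6749 section 2.3.1 requires client_id and client_secret to be form-urlencoded before they are joined with a colon and base64-encoded for HTTP Basic authentication; skipping that step is what breaks secrets containing characters such as : or @. The following added example (not PingAccess code, with constructed credentials) builds and parses such a header the way the RFC describes.

```python
import base64
from typing import Tuple
from urllib.parse import quote_plus, unquote_plus

# Constructed example, not PingAccess code: client_secret_basic credentials
# per RFC 6749 section 2.3.1. Each value is form-urlencoded first, so the
# only ':' left in the decoded credential is the separator.


def basic_client_auth_header(client_id: str, client_secret: str) -> str:
    """Return the Authorization header value for client_secret_basic."""
    credential = f"{quote_plus(client_id, safe='')}:{quote_plus(client_secret, safe='')}"
    return "Basic " + base64.b64encode(credential.encode("ascii")).decode("ascii")


def decoded_credential(header: str) -> str:
    """Return the base64-decoded credential string (still form-encoded)."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic credential")
    return base64.b64decode(token, validate=True).decode("ascii")


def parse_basic_client_auth_header(header: str) -> Tuple[str, str]:
    """Inverse of basic_client_auth_header; rejects ambiguous credentials.

    A credential produced without form-encoding a secret that contains ':'
    has more than one separator and is refused rather than guessed at.
    """
    credential = decoded_credential(header)
    if credential.count(":") != 1:
        raise ValueError("malformed credential: expected exactly one ':'")
    client_id, _, client_secret = credential.partition(":")
    return unquote_plus(client_id), unquote_plus(client_secret)
```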
Fixed incorrect assumption that a revoked certificate is the first in the chain
Fixed PA-14445
Fixed an issue where upon detecting a revoked certificate in a chain, PingAccess incorrectly assumes it is always the first cert in the chain.
Fixed 500 error issue related to key pair endpoints
Fixed PA-14304
Fixed an issue that returned a 500 error when requesting key pairs endpoints with special characters in the chain certs field.
Fixed an issue that switched the admin and system token providers
Fixed PA-14467
Fixed an issue that caused key rolling to result in Admin Token Provider and System Token Provider being switched.
Fixed a typo causing warnings when running PingAccess as a Windows Service
Fixed PA-14477
Fixed a typo that could cause warnings when running PingAccess as a Windows Service.
Fixed non-ASCII character encoding issue
Fixed PA-14402
Fixed an issue that prevented PingAccess from encoding non-ASCII characters when they are in the domain only.
Fixed an error caused by omission of the response.body parameter
Fixed PA-14468
Fixed an issue that caused PingAccess to trigger an error when using the PingAuthorize Access Control rule and the target Sideband provider returns a response that omits the response.body parameter.
Fixed an issue with application initialization in the Admin UI
Fixed PA-14392
Fixed an issue that caused PingAccess Admin UI to incorrectly initialize an application with the state of another application leading to scenarios where an administrator could mistakenly update an application with the data of another application.
Fixed an issue preventing PEM key pair header warnings from being sent
Fixed PA-14314
Fixed an issue that prevented header warnings from being sent for PEM key pairs with a single duplicate chain certificate.
Added INFO level logging
Fixed PA-14258
Added INFO level logging at the start of configuration import.
Fixed invalid ACME request display issue
Fixed PA-14280
Fixed an issue that prevented an ACME request with an INVALID state and an empty problem description from displaying correctly.
Fixed sideband transport issue with fixed ports
Fixed PA-14290
Fixed an issue that caused the PingAccess Sideband transport to only use fixed ports when performing resource matching against incoming sideband API requests.
Fixed display issue with the Signing Algorithm drop-down list
Fixed PA-14238
Fixed an issue that caused disabled algorithms to appear on the Signing Algorithm drop-down list on the Auth Token Management page.
Fixed an issue with JWT SSO Admin Authentication
Fixed PA-14265
Fixed an issue that prevented the SSO Admin Authentication method in the PingAccess admin console from functioning in clustered PingAccess deployments when Private Key JSON Web Token (JWT) client authentication is used.
Fixed no scope claim issue with the PingAccess sideband API
Fixed PA-14029
Fixed an issue that caused PingAccess Sideband API to return an error when no scope claim is configured in the access token.
Fixed Sideband API 'Transfer-Encoding' issue
Fixed PA-14305
Fixed an issue where the 'Transfer-Encoding' request header is dropped from inbound PingAccess Sideband API request results.
Improved empty string error message
Fixed PA-14472
Improved error message when supplying an empty string to fields that expect a charset.
Hibernate deadlock errors
Issue PA-14985
There are a few potential scenarios in which the PingAccess data layer might encounter deadlocks. PingAccess should be able to recover from these deadlocks, so Hibernate error logs can be ignored when followed by the log message "Recovered from database deadlock with transaction retry."
Cloud HSM limited in Java8u261
Issue PA-14414
Cloud HSM functionality works in FIPS mode but not in regular mode for Java8u261 and later. RSASSA-PSS signing algorithms fail with Java8u261 or later, and HSM vendors and core Java use different naming conventions for the RSASSA-PSS algorithm. There is a documented workaround in Adding an AWS CloudHSM provider.
Kong API limitation
Issue PA-14466
Due to an outstanding defect in the Kong API Gateway, the ping-auth plugin currently does not support requests that utilize the Transfer-Encoding header. If PingAccess is used as the external authorization server, the Rewrite Content rule can prevent the page from displaying.
Zero downtime upgrade limitation
Issue PAPQ-1034
PingAccess 6.3 deployments that use the Sideband API feature cannot be upgraded using the zero downtime upgrade procedure. You must use a planned outage to upgrade such an environment.
SameSite cookie upgrade issue
Issue
Depending on the source version, the upgrade process may change the default settings for the SameSite cookie attribute to make PingAccess cookies work on all browsers. Review the settings for each web session in Access → Web Sessions to verify that your SameSite cookie attribute values are set to None or Lax, depending on the third-party context needs for PingAccess cookies.
TLS 1.3 limitation
Issue STAGING-8707
PingAccess may have difficulty maintaining TLS 1.3 connections when using JDK 11.0.0, 11.0.1, or 11.0.2 because of a defect in those versions. This might cause upgrades to fail on systems using these versions.
Engine and Admin Replica connection issue
Issue PA-4888
Engines and admin replicas do not connect to admin console if a combination of IP addresses and DNS names are used.
Token processor issue
Issue PA-6262
The token processor can’t connect to a JWKS endpoint via Secure Sockets Layer (SSL) when an IP is used rather than a hostname. To work around this issue, add the hostname as the subject alt name on the key pair.
Virtual hosts with shared hostnames retention issue
Issue PA-11390
If you create multiple virtual hosts with a shared hostname and associate the hostname with a server key pair, the virtual hosts retain the connection with the server key pair even if they are subsequently renamed. The virtual host must be deleted and recreated to remove the association.
Risk-based authorization rule issue during upgrade
Issue PA-10505
Upgrades will fail with a risk-based authorization rule if a third-party service is not used in the rule.
Excessive log file warnings during startup
Issue
Log files may contain excessive warnings issued by Hibernate during startup.
Asynchronous front-channel logout issue
Issue PA-12647
Asynchronous front-channel logout might fail in some browsers depending on end-user settings. See https://support.pingidentity.com/s/article/Managing-Single-Log-Out-in-different-browsers for browser-specific workarounds.
UI failure when assigning new key pair
Issue PA-13500
Assigning a new key pair to the Admin HTTPS listener if the browser does not trust the new key pair can prevent the UI from functioning. The workaround is to close the browser and re-open it so that all connections to the admin node use the new certificate.
Invalid special characters permitted in identity mappings
Issue PA-13214
Invalid special characters ((),/;<=>?@[\]\{}") can be added to the Certificate to Header Mapping field in an identity mapping. Adding this identity mapping to an application will cause 400 errors when the application is accessed.
Slow restarts in FIPS mode
Issue PA-14239
If PingAccess is repeatedly stopped and restarted in FIPS mode, subsequent restarts can take up to 5 minutes to complete. The workaround is to use a tool such as rng-tools to refresh /dev/random and make more entropy available faster. For example:
sudo yum install rng-tools
sudo rngd -b
Firefox limitation for time range rules
Issue
Firefox does not correctly support the HTML5 time tag. When using the Time Range rule, enter time in 24-hour format.
Spurious errors when installing PingAccess as a Windows service
Issue
When installing PingAccess as a Windows service using Windows PowerShell and Java 8, the error message "Could not find or load main class" can be safely ignored.
Request preservation not supported with Safari private browsing
Issue PA-2896
Request Preservation is not supported with Safari Private Browsing.