Release Notes

New PA-15743

Add a custom log level category and manage its verbosity in the admin console. Learn more in Creating custom log level categories.

Fixed PA-15805

Fixed an issue with the log4j-categories.xml file path that caused logging to break when running PingAccess as a Windows service.

Fixed PA-15801

Fixed a processing behavior conflict that prevented WebSocket connections from being established when using Integrated Windows Authentication (IWA).

Security PA-15776

Added the pa.uri.canonicalize parameter to the Configuration file reference to fix a security vulnerability. Learn more in an upcoming security advisory.

Improved PA-15697

By default, redirect rules and rejection handlers automatically URL encode the admin input redirect URL. This could cause unexpected behavior if an application targeted by a redirect requires the URL to follow a specific format.

You can now opt out of automatic URL encoding by deselecting the Encode URL check box on a specific application resource logout or redirect response generator, redirect rule, redirect authentication challenge response generator, or redirect rejection handler. Learn more in:

Improved PA-15764

Added the oauth.error.headers and oauth.error.header.Content-Security-Policy parameters to the Configuration file reference.

Fixed PA-15696

Fixed an issue with automatically URL encoding target redirect URLs that sometimes disrupted query parameter sort order or added a trailing = to the end of single value query parameters. This issue affected redirect rules, redirect rejection handlers, redirect virtual resources, logout virtual resources, and redirect authentication challenge policy response generators.

Fixed PA-15723

Fixed an issue that caused PingAccess to override existing handling for the /pa/oauth/JWKS endpoint for the admin listener with the engine self-registration handler, prompting requests made to the endpoint to result in 401 unauthorized responses or 500 internal server errors.

Fixed PA-15759

Fixed an issue that prevented PingAccess 7.3.3 and 7.3.4 from starting in FIPS mode.

Fixed PA-15741

Fixed a potential infinite loop issue that could prevent an engine node or replica administrative node from applying configuration changes.

Security PA-15610

Fixed an issue with connection request header handling. Learn more in SECADV045.

Fixed PA-15506

Fixed an issue that caused PingAccess engine or replica admin nodes to update their replication configuration identifier before they had finished integrating changes into their runtime configuration. This would result in nodes using stale configuration information until a new configuration change event happened.

Fixed PA-15568

Fixed an issue that could cause PingAccess configuration imports to fail if you had multiple trusted certificates configured in your environment.

Fixed PA-15612

Fixed an issue that caused a NullPointerException error when the rewrite content rule was used on a resource that returned an empty chunked response body.

Fixed PA-15620

Fixed an issue that caused PingAccess to stop reading chunked request and responses early if the chunk length lines had any leading or trailing white spaces.

New PA-15518

Added support for OAuth tokens created by Microsoft Azure AD for administrative API OAuth. This improves account security for administrators with Microsoft Azure AD configured as the token provider and enables administrators to use their own accounts to configure PingAccess via admin API calls. Relaxed the following PingAccess requirements:

New PA-15525

Added the ability to map the SAML token received from a SAML token mediator site authenticator to an HTTP request header that you specify instead of mapping the token as a request cookie. For more information, see the Logged In Header Name field.

Fixed PA-15386

Fixed an issue that caused PingAccess to replace object IDs defined on key pairs or certificates imported through the administrative API with an auto-generated object ID.

Additionally, the POST /keyPairs/import and POST /certificates API models have been updated to include more information on how to assign an ID for these object types.

Fixed PA-15537

Fixed an issue that caused admin API OAuth settings to be excluded from bulk export operations if you configure admin API OAuth with an access token validator but haven’t set client credentials.

New PA-15369

PingAccess has made common token provider configuration more flexible:

This increased flexibility enables you to configure Azure AD as the common token provider for protected API applications.

Fixed PA-15273

Fixed an issue that caused the PingAccess administrative console UI to fail to render if a newly added configuration field was missing from the plugin data that was saved previously.

For more information, see create your own plugins.

Fixed PA-15270

Fixed an issue that caused the SniHandlerConfigBuilder to fail to declare a specific keystore type for the PingAccess SslContext server, which could result in PingAccess taking longer to start up if the target JVM’s default keystore type was PKCS#12.

The SniHandlerConfigBuilder now specifically declares JKS as the keystore type to prevent unexpected performance losses.

Fixed PA-15381

Fixed an issue that caused the PingAccess administrative console UI to display a blank page if you attempted to configure a Groovy script field within a plugin entity in a composite field.

For more information, see create your own plugins.

Fixed PA-15382

Fixed an issue that caused list fields embedded in composite plugin fields to register improperly in the form data for the PingAccess administrative console UI.

For more information, see create your own plugins.

Fixed PA-15390

Fixed an issue that caused PingAccess to reset an environment’s configured log setting categories on startup.

Fixed PA-15396

Fixed an issue with the PingOne Protect integration that caused PingAccess to calculate expiration values for cached risk evaluation results in milliseconds instead of seconds. This unexpected input value was disabling token caching after making a risk evaluation because PingAccess was receiving a false positive result that the risk evaluation cache data had expired.

Fixed PA-15399

Fixed an issue that caused sending an API request with an invalid or blank risk policy to result in a NullPointerException error.

Fixed PA-15496

Azure AD creates a Application (Client) ID value that exceeds 36 characters and automatically assigns that value as the Audience value in the access token. This prevented PingAccess from validating Azure AD access tokens because PingAccess previously accepted a maximum of 32 characters for an Audience value.

PingAccess can now accept a longer Audience value.

Info

Beginning with the PingAccess 8.0 release in December 2023, upgrades to the latest release directly from PingAccess 6.2 and below won’t be possible. You’ll need to upgrade to a version of PingAccess between 6.3 and 7.3 first, and then upgrade to the latest version of PingAccess.

New

Added support for IBM HTTP Server 9.0 running on RHEL 8 or 9 to the PingAccess agent for Apache (RHEL). For more information, see:

New PA-15152

Added two new pages in the administrative console, PingOne Connections and Risk Policies, as well as new configuration options on the Application and Application Resource tabs. These UI controls simplify the process of setting up a PingOne Protect integration. For more information, see the following topics:

New PA-15160

Added a log4j-categories.xml file which defines and allows references to PingAccess-specific logging categories. This enables you to adjust log levels through the administrative console or API as opposed to directly within the log4j2.xml file.

To adjust log levels in the administrative console, use the new Log Settings page to enable Verbose logging on a per category basis. In the administrative API, enable verbose logging through the new /logSettings endpoint. For more information on log levels and how to adjust them, see Log settings.

New PA-15161

Previously, two PingAccess rule types, the PingAuthorize access control rule and the PingAuthorize response filtering rule, could only be applied on API applications.

You can now apply either rule type on a web application, Web + API application, or a specific web application resource through the PingAccess administrative console or administrative API. This enables you to apply rules configured in PingAuthorize to inbound web requests and outbound web responses in PingAccess.

New PA-15182

Removed support for AWS CloudHSM Client SDK 3, which was limited to usage with Java 8 and Linux. Added support for AWS CloudHSM Client SDK 5, which is usable with Java 8 or Java 11, and can be deployed on Linux or Windows.

However, Client SDK 5 also introduces an issue with elliptic curve key pairs which prevents them from being assigned to PingAccess listeners. For more information on Client SDK 5, see Adding an AWS CloudHSM provider and Upgrade considerations.

New PA-15207

Added a new configuration option for common token providers and a new configuration option for administrative console UI SSO authentication:

New PA-15222

Added a new type of authentication to the Site Authenticator list in the administrative console, SAML Token Mediator. This authentication type enables PingAccess to perform token mediation with PingFederate to get a SAML 1.1 or SAML 2.0 assertion, providing greater flexibility in the types of security tokens that you can use.

For more information, see Adding site authenticators and SAML token mediator site authenticators.

New PA-15223

Simplify container management by using environment variables to override the values of PingAccess configuration properties instead of directly editing each property in its respective .properties file.

For more information, see Use environment variables to override configuration settings.

New PA-15226

Engine nodes and the replica administrative node running PingAccess 7.3 or later can now connect with an administrative node that’s running a later version of PingAccess. This change:

For more information, see Upgrade considerations.

New PA-15252

Added a new cluster configuration setting to the run.properties file, engine.polling.test.delay. This property provides more handling flexibility if an engine can’t connect to the administrative node.

If a previously existing engine isn’t running, a replacement PingAccess engine that’s created with the same name can now self-register. The replacement engine also updates its configuration to match the configuration from the most recent registration JWT.

Control whether a replacement engine will self-register when this condition is met with the engine.polling.test.delay property. Set this value below zero if you don’t want engines to self-register, and set it equal to or higher than the engine.polling.delay value to increase flexibility in determining whether an previously existing engine is running. For more information, see Configuration file reference.

New PA-15253

Added a new selector to web session attribute rules, Matching Strategy. To change how PingAccess evaluates attributes, select an option from this list. By default, PingAccess uses a Case-Sensitive matching strategy.

Evaluate attributes with a Case-Insensitive or DN Matching strategy to make changes at the attribute source that are semantically equivalent for the source context without having to modify your PingAccess configuration. This reduces the possibility of outages caused by case-sensitivity differences in policy evaluation.

For more information, see Web session attribute rule.

Improved PA-14633

In PingAccess 7.3, the Swagger-UI component that displays the PingAccess admin API documentation was upgraded to remove outdated dependencies. The Swagger-UI component now uses OpenAPI specification (OAS) 2.0. For more information, see Administrative API endpoints.

Improved PA-15195

Added two new log categories to the Log Settings page in the administrative console, Core and Cluster Replication. For more information on these categories, see Log level category descriptions.

Improved PA-15229

Updated the PingAccess logic that determines which authentication method to use at runtime. This update prevents errors when Private Key JWT and Mutual TLS are the only client authentication methods that a token provider can support.

Improved PA-15249

Added a Skip Audience Validation check box to the Access Token Validator page in the administrative console. If this option is selected, an access token validator doesn’t attempt to validate access tokens for audience claims.

Fixed PA-14729

A setting in the upgrade utility and PingAccess Service/conf directory, Djava.security.egd=file:/dev/./urandom, was slowing request processing. This setting is specific to Unix environments, so it was removed from Windows script/conf files in PingAccess.

Fixed PA-15153

PingAccess wasn’t sending the browser.userAgent parameter to PingOne Protect because PingAccess doesn’t currently support device profiling (which would normally collect this parameter). In the absence of device profiling, PingAccess now attempts to map this parameter manually and send it to PingOne Protect.

Fixed PA-15154

PingAccess now proactively sets web session cookies for Redirect and Templated authentication challenges when you select the Append Redirect Parameters check box on one of those two challenge generators. Adding web session cookies helps the frontend application to interpret redirect or templated challenge responses and begin the appropriate authentication procedure.

Fixed PA-15165

The response message PingAccess returns for errors generated when an administrator adds or updates a PingOne connection has been improved to specify that the credential must not be null, empty, or blank.

Fixed PA-15166

Corrected an issue with token cache time to lives (TTLs) on agent applications that use the PingOne Protect integration. The agent token cache TTLs no longer prioritize an application’s web session Idle Timeout over the Risk Check Interval or Authentication Validity Period defined in the application’s risk policy.

Fixed PA-15167

Corrected an issue where PingAccess would remove active session state cookies from requests by default. If a component relies on the session state cookie, its absence can cause unexpected behavior, so PingAccess now removes session state cookies conditionally.

Fixed PA-15185

Previously, PingAccess would return a response of N/A when CPU load is unavailable or detected to have a value of zero. PingAccess now provides a response of 0 instead.

Fixed PA-15240

Formerly, running the upgrade utility on a system that uses non-UTF character encoding by default could result in the upgrade utility modifying non-ASCII content. This is because there are certain code flows that don’t define a character set to use when transferring data between the source and target version of PingAccess.

The upgrade utility now checks if the character set on the content type header is set to null. If it is, the upgrade utility changes the character set to UTF-8.

Fixed PA-15271

Reconfiguring PingAccess’s log context results in an API response time delay. PingAccess is now optimized to prevent log context from reloading during configuration reload unless changes have been made to the enabled log settings API categories or to the underlying categories in the log4j-categories.xml file.

Security PA-15059

Upgraded a component of PingAccess to the latest security standard.

Issue PA-15351

If you have the administrative console and API open at the same time and you’re on a console page that isn’t Log Settings, the Log Settings page won’t immediately populate any log changes that you make in the API.

To work around this issue, go to the Log Settings page. Perform a hard refresh, or go to another page and then return to Log Settings.

Security PA-15776

Added the pa.uri.canonicalize parameter to the Configuration file reference to fix a security vulnerability. Learn more in an upcoming security advisory.

Improved PA-15697

By default, redirect rules and rejection handlers automatically URL encode the admin input redirect URL. This could cause unexpected behavior if an application targeted by a redirect requires the URL to follow a specific format.

You can now opt out of automatic URL encoding by deselecting the Encode URL check box on a specific application resource logout or redirect response generator, redirect rule, redirect authentication challenge response generator, or redirect rejection handler. Learn more in:

Improved PA-15764

Added the oauth.error.headers and oauth.error.header.Content-Security-Policy parameters to the Configuration file reference.

Fixed PA-15696

Fixed an issue with automatically URL encoding target redirect URLs that sometimes disrupted query parameter sort order or added a trailing = to the end of single value query parameters. This issue affected redirect rules, redirect rejection handlers, redirect virtual resources, logout virtual resources, and redirect authentication challenge policy response generators.

Fixed PA-15723

Fixed an issue that caused PingAccess to override existing handling for the /pa/oauth/JWKS endpoint for the admin listener with the engine self-registration handler, prompting requests made to the endpoint to result in 401 unauthorized responses or 500 internal server errors.

Fixed PA-15741

Fixed a potential infinite loop issue that could prevent an engine node or replica administrative node from applying configuration changes.

Security PA-15610

Fixed an issue with connection request header handling. Learn more in SECADV045.

Fixed PA-15612

Fixed an issue that caused a NullPointerException error when the rewrite content rule was used on a resource that returned an empty chunked response body.

New PA-15359

Engine nodes and the replica administrative node running PingAccess 7.2.2 or later can now connect with an administrative node that’s running a later version of PingAccess.

Improved PA-15229

Updated the PingAccess logic that determines which authentication method to use at runtime. This update prevents errors when Private Key JWT and Mutual TLS are the only client authentication methods that a token provider can support.

Fixed PA-15240

Formerly, running the upgrade utility on a system that uses non-UTF character encoding by default could result in the upgrade utility modifying non-ASCII content. This is because there are certain code flows that don’t define a character set to use when transferring data between the source and target version of PingAccess.

The upgrade utility now checks if the character set on the content type header is set to null. If it is, the upgrade utility changes the character set to UTF-8.

New PA-15174

Added support for RHEL 9 to version 7.2 of PingAccess, and the most recent versions of the PingAccess agent for NGINX and the PingAccess agent for Apache (RHEL). For more information, see the following topics:

New PA-15152

Added two new pages in the administrative console, PingOne Connections and Risk Policies, as well as new configuration options on the Application and Application Resource tabs. These UI controls simplify the process of setting up a PingOne Protect integration for web applications. For more information, see the following topics:

Fixed PA-15153

PingAccess wasn’t sending the browser.userAgent parameter to PingOne Protect because PingAccess doesn’t currently support device profiling (which would normally collect this parameter). In the absence of device profiling, PingAccess now attempts to map this parameter manually and send it to PingOne Protect.

Fixed PA-15154

PingAccess now proactively sets web session cookies for Redirect and Templated authentication challenges when you select the Append Redirect Parameters check box on one of those two challenge generators. Adding web session cookies helps the frontend application to interpret redirect or templated challenge responses and begin the appropriate authentication procedure.

Fixed PA-15165

The response message PingAccess returns for errors generated when an administrator adds or updates a PingOne connection has been improved to specify that the credential must not be null, empty, or blank.

Fixed PA-15166

Corrected an issue with token cache time to lives (TTLs) on agent applications that use the PingOne Protect integration. The agent token cache TTLs no longer prioritize an application’s web session Idle Timeout over the Risk Check Interval or Authentication Validity Period defined in the application’s risk policy.

Fixed PA-15167

Corrected an issue where PingAccess would remove active session state cookies from requests by default. If a component relies on the session state cookie, its absence can cause unexpected behavior, so PingAccess now removes session state cookies conditionally.

New PA-14884

Added a new advanced setting, the Timeout Groovy Script field, to the Web Sessions page. With this feature, you can attach a groovy script to a web session to overwrite its default Max Timeout and Idle Timeout values based on specific user attributes returned by the token provider. For more information and an example script, see Creating web sessions.

New PA-14876

Added a new advanced setting, Use context root as reserved resource base path, to the Applications page. Selecting this check box prepends the specified application’s <context root> before the globally-defined <reserved application context root> in the file path to reserved resources and runtime API endpoints, making accessibility to these resources more flexible. For more information and examples, see Application field descriptions.

New PA-14900

Added a new out-of-the-box authentication challenge policy which enables you to open Microsoft Office applications in an in-app browser that redirects to the OpenID Provider (OP) for authentication. See Authentication for more information on system-provided policies and Configuring authentication challenge policies for more information on how to use the MS-OFBA challenge response mapping and the MS-OFBA Authentication Request Redirect challenge response generator to address edge-case scenarios regarding MS-OFBA support.

New PA-14988

Added additional parameters to the Redirect Challenge and Templated Challenge response generators. They can now store the URL of the resource a user was trying to access before they were redirected to authenticate, as well as the authentication API parameters necessary for the user to access that resource. This features aids in the creation of your own user sign-on experience, but some additional coding is required. For more information, see Authentication challenge response generator descriptions and Configuring authentication challenge policies.

New PA-15010

Added feedback keys to the OIDC Authentication Request Redirect, Redirect Challenge, and Templated Challenge response generators. When a user is redirected to an authentication source by one of these authentication challenge response generators, PingAccess sends the feedback key to the authentication source to let it know that the user was directed there because their session expired. The authentication source can then configure and display a user-facing message to let the user know why they were redirected.

To enable PingAccess to send feedback to the authentication source, you must select the Provide Authentication Feedback check box on the web session you intend to use. For more information, see Configuring authentication challenge policies and Creating web sessions.

New PA-14999

Added a prompt parameter to the following authentication challenge response generators:

The prompt parameter can be used to confirm that the end-user is still present for the current session, or to draw attention to the authentication request. For more information, see Configuring authentication challenge policies. You can also configure the prompt parameter on a web session, but a prompt parameter specified on a challenge response generator takes precedence. For more information, see Creating web sessions.

Additionally, PingAccess can now send pushed authorization requests (PAR) to provide an additional layer of security to requests if PingFederate is configured as the token provider. For more information, see Enable Push Authorization in Creating web sessions.

New PA-14987

Added two new admin API endpoints, /pingone/connections and /risk/policies. Administrators can integrate PingOne Protect evaluations into PingAccess through the /pingone/connections endpoint. With the risk/policies endpoint, administrators can create risk policies to dynamically monitor end-user requests and invoke specific access control or authentication challenge policies set by the administrator based on the PingOne Protect score that the user’s activity generates. For more information, see PingOne Protect integration.

New PA-14867

You can configure administrative nodes to automatically remove stale engine node entities. For more information, see Configuring administrative nodes.

Improved PA-15032

Consolidated an algorithm that assisted in calculating invalidation timestamps for agent resources to improve performance speed.

Improved PA-15027

Resource database queries were performing slowly in Apache Derby when run at scale. The query used with the resource table has been changed to improve the speed of policy data collection.

Fixed PA-15136

Because of a misclassification by an optimization that tries to prevent rules and rulesets from being replicated to the engine if they are not in use, PingAccess wasn’t replicating rules and rulesets assigned to a proxied PingFederate configuration unless they were also assigned to other applications or resources. Rules and rulesets assigned to a proxied PingFederate configuration are now classified correctly.

Fixed PA-114997 PingAccess

Maven 3.8.1 and up are configured to block HTTP repositories by default. The PingAccess Add-on SDK for Java shipped with sample plugins that were failing to build because they contained references to a HTTP repository. PingAccess now ships with pom files in its sample plugins that reference HTTPS repositories instead.

Fixed PA-14998

The upgrade audit log is used to review entity migration after you’ve upgraded PingAccess to a new version. Original resource IDs within the upgrade audit log were incorrectly displaying a value of zero instead of their real values. This issue has been fixed.

Fixed PA-14891

Case-sensitivity was causing the Blackberry SDK to remove the cookie set by the PingAccess nonce, which was formerly “set-cookie.” Set-Cookie now uses title-case capitalization to ensure that the cookie is set properly.

Fixed PA-14908

Fixed an issue that prevented an identity mapping from being saved through the API if the exclusion list attributes were null.

Fixed PA-14899

Fixed an issue that prevented identity mappings from being assigned to unprotected API applications.

Fixed PA-14897

Fixed an issue that sometimes caused UI lockout after multiple failed sign on attempts.

Fixed PA-14885

Added descriptions of the fields for the GET /engines/status endpoint.

Fixed PA-14974

Added handling to recover from deadlocks encountered during configuration import and other asynchronous Admin API actions.

Security PA-15776

Added the pa.uri.canonicalize parameter to the Configuration file reference to fix a security vulnerability. Learn more in an upcoming security advisory.

Improved PA-15697

By default, redirect rules and rejection handlers automatically URL encode the admin input redirect URL. This could cause unexpected behavior if an application targeted by a redirect requires the URL to follow a specific format.

You can now opt out of automatic URL encoding by deselecting the Encode URL check box on a specific application resource logout or redirect response generator, redirect rule, redirect authentication challenge response generator, or redirect rejection handler. Learn more in:

Improved PA-15764

Added the oauth.error.headers and oauth.error.header.Content-Security-Policy parameters to the Configuration file reference.

Fixed PA-15696

Fixed an issue with automatically URL encoding target redirect URLs that sometimes disrupted query parameter sort order or added a trailing = to the end of single value query parameters. This issue affected redirect rules, redirect rejection handlers, redirect virtual resources, logout virtual resources, and redirect authentication challenge policy response generators.

Fixed PA-15723

Fixed an issue that caused PingAccess to override existing handling for the /pa/oauth/JWKS endpoint for the admin listener with the engine self-registration handler, prompting requests made to the endpoint to result in 401 unauthorized responses or 500 internal server errors.

Fixed PA-15741

Fixed a potential infinite loop issue that could prevent an engine node or replica administrative node from applying configuration changes.

Security PA-15610

Fixed an issue with connection request header handling. Learn more in SECADV045.

Improved PA-15229

Updated the PingAccess logic that determines which authentication method to use at runtime. This update prevents errors when Private Key JWT and Mutual TLS are the only client authentication methods that a token provider can support.

Fixed PA-15136

Because of a misclassification by an optimization that tries to prevent rules and rulesets from being replicated to the engine if they are not in use, PingAccess wasn’t replicating rules and rulesets assigned to a proxied PingFederate configuration unless they were also assigned to other applications or resources. Rules and rulesets assigned to a proxied PingFederate configuration are now classified correctly.

Fixed PA-15612

Fixed an issue that caused a NullPointerException error when the rewrite content rule was used on a resource that returned an empty chunked response body.

Fixed PA-14891

Case-sensitivity was causing the Blackberry SDK to remove the cookie set by the PingAccess nonce, which was formerly “set-cookie.” Set-Cookie now uses title-case capitalization to ensure that the cookie is set properly.

Improved PA-15027

Resource database queries were performing slowly in Apache Derby when run at scale. The query used with the resource table has been changed to improve the speed of policy data collection.

Improved PA-15032

Consolidated an algorithm that assisted in calculating invalidation timestamps for agent resources to improve performance speed.

Fixed PA-14974

Added handling to recover from deadlocks encountered during configuration import and other asynchronous Admin API actions.

Fixed PA-14875

Fixed an exchange processing issue that could cause a memory leak.

Security PA-14772

Fixed a potential security issue with basic authentication.

New PA-14730

A new capability lets you configure and download an engine node registration file from the PingAccess UI. You can put this file on an engine node when it is first started to automatically register the engine node. For more information, see Configuring engine nodes using an auto-registration file.

New PA-14737

Authentication requirements rules now include an option for maximum age. If the user has not authenticated within the specified timeframe, they are prompted to reauthenticate. For more information, see Adding an authentication requirements rule.

New PA-14418

Ping Identity provides a plugin for Kong Gateway that enables PingAccess (and other Ping Identity products) to be used for policy decisions. For more information, see Kong API Gateway Integration.

New PA-14588

PingAccess, when protecting applications as a gateway, adds support for protecting applications that rely on Integrated Windows Authentication (IWA). This gives IAM teams consistent, centralized access control and visibility for IWA-based applications, similar to their WAM-based applications (PingAccess does not mediate authentication methods for IWA-based applications. Authentication is negotiated between the browser and the IWA-based application, passing through PingAccess). For more information, see IWA Integration.

New PA-14567

A new SPA Support Disabled Authentication Challenge Policy (ACP) has been added that behaves the same as previously seen when Applications were set with SPA Support disabled. Additionally, added an ability to define a default ACP to be set when creating new applications in the PingAccess administrative UI. For more information, see changes to Application field descriptions and System defaults, and Configuring authentication challenge policies.

New PA-14597

The PingAccess Runtime Authentication Challenge Policy behavior is modified to incorporate a default CSP header in the response. Additionally, default content-security-policy headers have been added for various error responses generated by PingAccess. For more information, see changes to Configuration file reference.

New PA-14562

PingAccess can authenticate to PingFederate administrative APIs using OAuth2 by sending a bearer token in the requests PingAccess makes to the PingFederate administrative API. For more information, see Configuring PingFederate administration.

Security PA-14772

Fixed a potential security issue with basic authentication.

Security PA-14579

Fixed a potential security issue.

Security PA-14310

Fixed a potential security issue.

Security PA-14573

Fixed a potential security issue.

Security PA-14772

Fixed a potential security issue.

Improved PA-14557

PingAccess upgraded to Log4j version 2.17.1.

Improved PA-14580

Added a default memory limit on the CSD tool.

Fixed PA-14775

Fixed an issue that restricted the available certificate IDs for agents, engines, and replica administrative nodes.

Fixed PA-14771

Fixed an issue that prevented an authentication requirements list from correctly displaying the related authentication requirements rule after an attempt to edit it.

Fixed PA-14414

Fixed an issue where PingAccess could not use non-FIPS HSM key pairs at runtime.

Fixed PA-14570

Resolved an issue by disabling the DB password check in Derby.

Fixed PA-12652

Fixed an issue where nonce cookies were not removed when SLO is not enabled.

Fixed PA-14634

Fixed an issue with API swagger where the GET Response Class Models and Operational Models did not reflect the actual response.

Fixed PA-14645

Fixed an issue where custom load balancing strategies that returned custom TargetHosts would result in runtime exceptions.

Fixed PA-14606

Fixed an issue where the rule.error.headers additional headers did not display from policy rule results.

Issue PA-14863

BC-FIPS and HSMs are not supported when using Java 17.

Issue PA-14621

If a client certificate has a certificate revocation list (CRL) DistributionPoint that points to an extremely large CRL, PingAccess might suffer from high memory usage leading to Out of memory (OOM) exceptions.

Security PA-15776

Added the pa.uri.canonicalize parameter to the Configuration file reference to fix a security vulnerability. Learn more in an upcoming security advisory.

Improved PA-15697

By default, redirect rules and rejection handlers automatically URL encode the admin input redirect URL. This could cause unexpected behavior if an application targeted by a redirect requires the URL to follow a specific format.

You can now opt out of automatic URL encoding by deselecting the Encode URL check box on a specific application resource logout or redirect response generator, redirect rule, redirect authentication challenge response generator, or redirect rejection handler. Learn more in:

Improved PA-15764

Added the oauth.error.headers and oauth.error.header.Content-Security-Policy parameters to the Configuration file reference.

Fixed PA-15696

Fixed an issue with automatically URL encoding target redirect URLs that sometimes disrupted query parameter sort order or added a trailing = to the end of single value query parameters. This issue affected redirect rules, redirect rejection handlers, redirect virtual resources, logout virtual resources, and redirect authentication challenge policy response generators.

Fixed PA-15741

Fixed a potential infinite loop issue that could prevent an engine node or replica administrative node from applying configuration changes.

Security PA-15610

Fixed an issue with connection request header handling. Learn more in SECADV045.

Improved PA-15229

Updated the PingAccess logic that determines which authentication method to use at runtime. This update prevents errors when Private Key JWT and Mutual TLS are the only client authentication methods that a token provider can support.

Fixed PA-15612

Fixed an issue that caused a NullPointerException error when the rewrite content rule was used on a resource that returned an empty chunked response body.

Fixed PA-14974

Added handling to recover from deadlocks encountered during configuration import and other asynchronous Admin API actions.

Fixed PA-14875

Fixed an exchange processing issue that could cause a memory leak.

Security PA-14772

Fixed a potential security issue with basic authentication.

Improved PA-14580

Added a default memory limit on the CSD tool.

Fixed PA-14751 PingAccess

Fixed handling of PingAccess add-on SDK function com.pingidentity.pa.sdk.http.Body#toString to maintain the same behavior as seen prior to 6.3.

Fixed PA-14645

Fixed an issue where custom load balancing strategies that returned custom TargetHosts would result in runtime exceptions.

Fixed PA-14638

Fixed handling of non-ASCII characters in the request body of PingAuthorize rules.

Fixed PA-14640

Fixed handling of non-ASCII characters in sideband API request bodies.

Improved PA-14557

PingAccess upgraded to Log4j version 2.17.1

Fixed PA-14414

Fixed an issue where PingAccess could not use non-FIPS HSM key pairs at runtime.

Improved PA-14555

PingAccess upgraded to Log4j version 2.17.

Security PA-14549

PingAccess upgraded to Log4j version 2.16.

New PA-14281

Added a new Logout response generator for virtual resources, enabling you to customize logout behavior for each application. See Adding application resources for more information.

New PA-14227, PA-14410

PingAccess now supports trace-level logging to help troubleshoot certification revocation issues and provides an option to bypass trust anchor validation. This helps improve interoperability with certificate authority (CA) infrastructure. See Creating trusted certificate groups for more information.

New PA-14412

PingAccess now supports creating web session access token identity mappings. This helps ease integration with existing APIs, in particular in the context of Single Page Applications (SPAs). See Creating web session access token identity mappings for more information.

New PA-14422

PingAccess now supports validation for client certificate chains that are not in the standard order, such as a reversed certificate chain of [root, intermediate, leaf]. See Creating trusted certificate groups for more information.

Info PA-14435

PingAccess no longer supports runtime state clustering. Clustered environments that do not use runtime state clustering are not affected.

Security PA-14403

Fixed a potential security issue.

Security PA-14296

Fixed a potential security issue.

Security PA-14284

Fixed a potential security issue.

Security PA-14279

Fixed a potential security issue.

Security PA-14287

Fixed a potential security issue.

Security PA-14331

Fixed a potential security issue.

Security PA-14302

Fixed a potential security issue.

Security PA-14134

Fixed a potential security issue.

Security PA-14135

Fixed a potential security issue.

Security PA-14143

Fixed a potential security issue.

Fixed PA-14542

Fixed a typo in the Content-Security-Policy header that prevented PingAccess from loading external scripts from HTML responses.

Fixed PA-14541

Fixed an issue in the CRL client certificate authentication flow that returned a 500 error code when PingAccess is in FIPS mode.

Fixed PA-14421

Updated the PingAccess UI to display the alias of the selected certificates in the Trusted Certificate Group List.

Fixed PA-14433

Fixed an issue that limited the host field for the Primary Administrative Node to 64 characters, instead of the standard 255 characters.

Fixed PA-14083

Added handling to URL encode client secrets with special characters per RFC 6749.

Fixed PA-14445

Fixed an issue where upon detecting a revoked certificate in a chain, PingAccess incorrectly assumes it is always the first cert in the chain.

Fixed PA-14304

Fixed an issue that returned a 500 error when requesting key pairs endpoints with special characters in the chain certs field.

Fixed PA-14467

Fixed an issue that caused key rolling to result in Admin Token Provider and System Token Provider being switched.

Fixed PA-14477

Fixed a typo that could cause warnings when running PingAccess as a Windows Service.

Fixed PA-14402

Fixed an issue that prevented PingAccess from encoding non-ASCII characters when they are in the domain only.

Fixed PA-14468

Fixed an issue that caused PingAccess to trigger an error when using the PingAuthorize Access Control rule and the target Sideband provider returns a response that omits the response.body parameter.

Fixed PA-14392

Fixed an issue that caused PingAccess Admin UI to incorrectly initialize an application with the state of another application leading to scenarios where an administrator could mistakenly update an application with the data of another application.

Fixed PA-14314

Fixed an issue that prevented header warnings from being sent for PEM key pairs with a single duplicate chain certificate.

Fixed PA-14258

Added INFO level logging at the start of configuration import.

Fixed PA-14280

Fixed an issue that prevented an ACME request with an INVALID state and an empty problem description from displaying correctly.

Fixed PA-14290

Fixed an issue that caused the PingAccess Sideband transport to only use fixed ports when performing resource matching against incoming sideband API requests.

Fixed PA-14238

Fixed an issue that caused disabled algorithms to appear on the Signing Algorithm drop-down list on the Auth Token Management page.

Fixed PA-14265

Fixed an issue that prevented the SSO Admin Authentication method in the PingAccess admin console from functioning in clustered PingAccess deployments when Private Key JSON Web Token (JWT) client authentication is used.

Fixed PA-14029

Fixed an issue that caused PingAccess Sideband API to return an error when no scope claim is configured in the access token.

Fixed PA-14305

Fixed an issue where the 'Transfer-Encoding' request header is dropped from inbound PingAccess Sideband API request results.

Fixed PA-14472

Improved error message when supplying an empty string to fields that expect a charset.

Issue PA-14985

There are a few potential scenarios when the PingAccess data layer might encounter deadlocks. PingAccess should be able to recover from these deadlocks, so hibernate error logs can be ignored when followed by the log message "Recovered from database deadlock with transaction retry."

Issue PA-14414

Cloud HSM functionality works in FIPS mode but not in regular mode for Java8u261 and later. RSASSA-PSS signing algorithms fail with Java8u261 or later, and HSM vendors and core Java use different naming conventions for the RSASSA-PSS algorithm. There is a documented workaround in Adding an AWS CloudHSM provider.

Issue PA-14466

Due to an outstanding defect in the Kong API Gateway, the ping-auth plugin currently does not support requests that utilize the Transfer-Encoding header. If PingAccess is used as the external authorization server, the Rewrite Content rule can prevent the page from displaying.

Issue PAPQ-1034

PingAccess 6.3 deployments that use the Sideband API feature cannot be upgraded using the zero downtime upgrade procedure. You must use a planned outage to upgrade such an environment.

Issue

Depending on the source version, the upgrade process may change the default settings for the SameSite cookie attribute to make PingAccess cookies work on all browsers. Review the settings for each web session in Access → Web Sessions to verify that your SameSite cookie attribute values are set to None or Lax, depending on the third-party context needs for PingAccess cookies.

Issue STAGING-8707

PingAccess may have difficulty maintaining TLS 1.3 connections when using JDK 11.0.0, 11.0.1, or 11.0.2 because of a defect in those versions. This might cause upgrades to fail on systems using these versions.

Issue PA-4888

Engines and admin replicas do not connect to admin console if a combination of IP addresses and DNS names are used.

Issue PA-6262

The token processor can’t connect to a JWKS endpoint via Secure Sockets Layer (SSL) when an IP is used rather than a hostname. To workaround this issue, add the hostname as the subject alt name on the key pair.

Issue PA-11390

If you create multiple virtual hosts with a shared hostname and associate the hostname with a server key pair, the virtual hosts retain the connection with the server key pair even if they are subsequently renamed. The virtual host must be deleted and recreated to remove the association.

Issue PA-10505

Upgrades will fail with a risk-based authorization rule if a third-party service is not used in the rule.

Issue

Log files may contain excessive warnings issued by Hibernate during startup.

Issue PA-12647

Asynchronous front-channel logout might fail in some browsers depending on end-user settings. See https://support.pingidentity.com/s/article/Managing-Single-Log-Out-in-different-browsers for browser-specific workarounds.

Issue PA-13500

Assigning a new key pair to the Admin HTTPS listener if the browser does not trust the new key pair can prevent the UI from functioning. The workaround is to close the browser and re-open it so that all connections to the admin node use the new certificate.

Issue PA-13214

Invalid special characters ((),/;<⇒?@[\]\{}") can be added to the Certificate to Header Mapping field in an identity mapping. Adding this identity mapping to an application will cause 400 errors when the application is accessed.

Issue PA-14239

If PingAccess is repeatedly stopped and restarted in FIPS mode, subsequent restarts can take up to 5 minutes to complete. The workaround is to use a tool such as rng-tools to refresh /dev/random and make more entropy available faster. For example:

Issue

Firefox does not correctly support the HTML5 time tag. When using the Time Range rule, enter time in 24-hour format.

Issue

When installing PingAccess as a Windows service using Windows PowerShell and Java 8, the error message "Could not find or load main class" can be safely ignored.

Issue PA-2896

Request Preservation is not supported with Safari Private Browsing.

Issue PA-1894

Incorrect handling for IPv6 literals in Host header. Note that IPv6 is not currently supported.

Issue PA-14907

After starting PingAccess for the first time on a Windows system or upgrading PingAccess on a Windows system, a warning message is logged reporting that the pa.jwk file was not made non-executable. This message can be ignored.