Release Notes

New PA-15743

Add a custom log level category and manage its verbosity in the admin console. Learn more in Creating custom log level categories.

Fixed PA-15805

Fixed an issue with the log4j-categories.xml file path that caused logging to break when running PingAccess as a Windows service.

Fixed PA-15801

Fixed a processing behavior conflict that prevented WebSocket connections from being established when using Integrated Windows Authentication (IWA).

Security PA-15776

Added the pa.uri.canonicalize parameter to the Configuration file reference to fix a security vulnerability. Learn more in an upcoming security advisory.

Improved PA-15697

By default, redirect rules and rejection handlers automatically URL encode the admin input redirect URL. This could cause unexpected behavior if an application targeted by a redirect requires the URL to follow a specific format.

You can now opt out of automatic URL encoding by deselecting the Encode URL check box on a specific application resource logout or redirect response generator, redirect rule, redirect authentication challenge response generator, or redirect rejection handler. Learn more in:

Improved PA-15764

Added the oauth.error.headers and oauth.error.header.Content-Security-Policy parameters to the Configuration file reference.

Fixed PA-15696

Fixed an issue with automatically URL encoding target redirect URLs that sometimes disrupted query parameter sort order or added a trailing = to the end of single value query parameters. This issue affected redirect rules, redirect rejection handlers, redirect virtual resources, logout virtual resources, and redirect authentication challenge policy response generators.

Fixed PA-15723

Fixed an issue that caused PingAccess to override existing handling for the /pa/oauth/JWKS endpoint for the admin listener with the engine self-registration handler, prompting requests made to the endpoint to result in 401 unauthorized responses or 500 internal server errors.

Fixed PA-15725

Fixed an engine self-registration failure issue caused by inability to determine if the engine self-registration token should be a Bearer or DPoP-bound token.

Fixed PA-15741

Fixed a potential infinite loop issue that could prevent an engine node or replica administrative node from applying configuration changes.

New PA-15703

Enable PingAccess to write any of its five audit logs in Common Event Format (CEF). Learn more in Writing audit logs in Common Event Format.

Security PA-15610

Fixed an issue with connection request header handling. Learn more in SECADV045.

Fixed PA-15612

Fixed an issue that caused a NullPointerException error when the rewrite content rule was used on a resource that returned an empty chunked response body.

Fixed PA-15622

Fixed an issue that caused unprotected agent API resources to have unexpected OAuth TTL values.

Fixed PA-15692

Fixed a regression issue that caused a 500 error response when accessing a global unprotected resource on a Web + API application.

Info PA-15358

If you have PingAccess 6.2 or below, you cannot upgrade directly to PingAccess 8.0. You must upgrade to a version above 6.2 first, and then upgrade to 8.0.

This is because in PingAccess 8.0, an outdated H2 JAR file was removed, and PingAccess 6.2 and below use an H2 embedded database.

New PA-15374

If you’re using the PingOne Protect integration, you can now enable device profiling to implement attribute-based access control (ABAC) and enforce a complete zero trust strategy with PingAccess and PingOne Protect. You can:

For more information on enabling device profiling in PingAccess, see Risk policy field descriptions. For more information on PingOne predictor types, see Risk policies.

New PA-15517

Added the ability to use OAuth 2.0 Demonstrating Proof of Possession (DPoP) capabilities in a resource server role. This enables you to meet potential FAPI 2.0 Advanced Profile authorization server requirements in the future and prevent fraudulent access token usage.

Enable DPoP-bound access tokens in your token provider or admin token provider configuration. You can also override the global DPoP settings in your API authentication settings, or at the application or resource level for an API or Web + API application. For more information, see:

New PA-15369

PingAccess has made common token provider configuration more flexible:

This increased flexibility enables you to configure Azure AD as the common token provider for protected API applications.

New PA-15375

New PA-15376

By default, private key JWT OIDC code flow uses dynamic keys managed automatically by PingAccess. You can now opt to use static keys instead if you want to control key rotation yourself. For more information, see Configuring static signing keys.

You can:

New PA-15510

Added support for Microsoft SQL Server 2022 to enable migration to SQL server versions included in Microsoft’s mainstream support policy.

New PA-15511

Qualified support for server-sent events (SSE) in PingAccess. You can use WebSockets or SSE to facilitate communication between the requesting client and a protected site. SSE pushes real-time updates in one direction, from server to client, whereas WebSockets uses bidirectional communication.

New PA-15518

Added support for OAuth tokens created by Microsoft Azure AD for administrative API OAuth. This improves account security for administrators with Microsoft Azure AD configured as the token provider and enables administrators to use their own accounts to make PingAccess API changes. Relaxed the following PingAccess requirements:

New PA-15525

Added the ability to map the SAML token received from a SAML token mediator site authenticator to an HTTP request header that you specify instead of mapping the token as a request cookie. For more information, see the Logged In Header Name field.

New PA-15527

You can now choose a case-matching strategy for administrative single sign-on and OAuth roles, not just web session attribute rules. Selection options are:

For more information, see Configuring API authentication and Configuring admin UI SSO authentication.

Improved PA-15378

Updated the Help icon link in the administrative console that takes you to the PingAccess documentation. In PingAccess 8.0 forward, this link will now take you to the version of the documentation that matches the version of PingAccess that you’re using.

Improved PA-15399

Improved an error message caused by sending an admin API request to create or update a risk policy with invalid or missing data. The error message no longer returns a NullPointerException error.

Improved PA-15529

Removed old fonts from the PingAccess administrative console to improve user experience.

Fixed PA-15241

Fixed inaccurate reference to the OAuth authorization server as the OpenID Connect provider in the DELETE method of the oauth/authServer endpoint.

Fixed PA-15270

Fixed an issue that caused the SniHandlerConfigBuilder to fail to declare a specific keystore type for the PingAccess SslContext server, which could result in PingAccess taking longer to start up if the target JVM’s default keystore type was PKCS#12.

The SniHandlerConfigBuilder now specifically declares JKS as the keystore type to prevent unexpected performance losses.

Fixed PA-15273

Fixed an issue that caused the PingAccess administrative console UI to fail to render if a newly added configuration field was missing from the plugin data that was saved previously.

For more information, see create your own plugins.

Fixed PA-15380

Fixed an issue that caused unexpected behavior in PingAccess if you deleted an entity while a clustered console node was preparing a replication payload to share with other nodes in the cluster. Some examples of this unexpected behavior included:

Fixed PA-15381

Fixed an issue that caused the PingAccess administrative console UI to display a blank page if you attempted to configure a Groovy script field within a plugin entity in a composite field.

For more information, see create your own plugins.

Fixed PA-15382

Fixed an issue that caused list fields embedded in composite plugin fields to register improperly in the form data for the PingAccess administrative console UI.

For more information, see create your own plugins.

Fixed PA-15386

Fixed an issue that caused PingAccess to replace object IDs defined on key pairs or certificates imported through the administrative API with an auto-generated object ID.

Additionally, the POST /keyPairs/import and POST /certificates API models have been updated to include more information on how to assign an ID for these object types.

Fixed PA-15390

Fixed an issue that caused PingAccess to reset an environment’s configured log setting categories on startup.

Fixed PA-15396

Fixed an issue with the PingOne Protect integration that caused PingAccess to calculate expiration values for cached risk evaluation results in milliseconds instead of seconds. This unexpected input value was disabling token caching after making a risk evaluation because PingAccess was receiving a false positive result that the risk evaluation cache data had expired.

Fixed PA-15496

Azure AD creates a Application (Client) ID value that exceeds 36 characters and automatically assigns that value as the Audience value in the access token. This prevented PingAccess from validating Azure AD access tokens because PingAccess previously accepted a maximum of 32 characters for an Audience value.

PingAccess can now accept a longer Audience value.

Fixed PA-15506

Fixed an issue that caused PingAccess engine or replica admin nodes to update their replication configuration identifier before they had finished integrating changes into their runtime configuration. This would result in nodes using stale configuration information until a new configuration change event happened.

Fixed PA-15537

Fixed an issue that caused admin API OAuth settings to be excluded from bulk export operations if you configure admin API OAuth with an access token validator but haven’t set client credentials.

Fixed PA-15568

Fixed an issue that could cause PingAccess configuration imports to fail if you had multiple trusted certificates configured in your environment.

Issue

When installing PingAccess as a Windows service using Windows PowerShell and Java 8, the error message Could not find or load main class can be safely ignored.

Issue PAPQ-1034

PingAccess 6.3 deployments that use the Sideband API feature cannot be upgraded using the zero downtime upgrade procedure. You must use a planned outage to upgrade such an environment.

Issue STAGING-8707

PingAccess may have difficulty maintaining TLS 1.3 connections when using JDK 11.0.0, 11.0.1, or 11.0.2 because of a defect in those versions. This might cause upgrades to fail on systems using these versions.

Issue PA-1894

Incorrect handling for IPv6 literals in host header. Note that IPv6 is not currently supported.

Issue PA-2896

Request Preservation is not supported with Safari Private Browsing.

Issue PA-4888

Engines and admin replicas do not connect to admin console if a combination of IP addresses and DNS names are used.

Issue PA-6262

The token processor can’t connect to a JWKS endpoint via SSL when an IP is used rather than a hostname. To workaround this issue, add the hostname as the subject alt name on the key pair.

Issue PA-7068

In custom PingAccess plugins, using com.pingidentity.pa.sdk.http.Message#setBody or com.pingidentity.pa.sdk.http.Message#setBodyContent directly on an exchange’s Response object to modify content from the backend can put PingAccess connections into indeterminate states. The workaround is to:

Issue PA-8651

Firefox does not correctly support the HTML5 time tag. When using the time range rule, enter time in 24-hour format.

Issue PA-10505

Upgrades will fail with a risk-based authorization rule if a third-party service is not used in the rule.

Issue PA-11390

If you create multiple virtual hosts with a shared hostname and associate the hostname with a server key pair, the virtual hosts retain the connection with the server key pair even if they are subsequently renamed. The virtual host must be deleted and recreated to remove the association.

Issue PA-12647

Asynchronous front-channel logout might fail in some browsers depending on end-user settings. See https://support.pingidentity.com/s/article/Managing-Single-Log-Out-in-different-browsers for browser-specific workarounds.

Issue PA-13214

Invalid special characters ((),/;<⇒?@[\]\{}") can be added to the certificate to Header Mapping field in an identity mapping. Adding this identity mapping to an application will cause 400 errors when the application is accessed.

Issue PA-13500

Assigning a new key pair to the Admin HTTPS listener if the browser does not trust the new key pair can prevent the UI from functioning. The workaround is to close the browser and re-open it so that all connections to the admin node use the new certificate.

Issue PA-14239

If PingAccess is repeatedly stopped and restarted in FIPS mode, subsequent restarts can take up to 5 minutes to complete. The workaround is to use a tool such as rng-tools to refresh /dev/random and make more entropy available faster. For example:

Issue PA-14414

Cloud HSM functionality works in FIPS mode but not in regular mode for Java8u261 and later. RSASSA-PSS signing algorithms fail with Java8u261 or later, and HSM vendors and core Java use different naming conventions for the RSASSA-PSS algorithm. There is a documented workaround in Adding an AWS CloudHSM provider.

Issue PA-14466

Due to an outstanding defect in the Kong API Gateway, the ping-auth plugin currently does not support requests that utilize the Transfer-Encoding header. If PingAccess is used as the external authorization server, the rewrite content rule can prevent the page from displaying.

Issue PA-14621

If a client certificate has a certificate revocation list (CRL) DistributionPoint that points to an extremely large CRL, PingAccess might suffer from high memory usage leading to Out of memory (OOM) exceptions.

Issue PA-14863

BC-FIPS and HSMs are not supported when using Java 17.

Issue PA-14907

After starting PingAccess for the first time on a Windows system or upgrading PingAccess on a Windows system, a warning message is logged reporting that the pa.jwk file was not made non-executable. This message can be ignored.

Issue PA-14985

There are a few potential scenarios when the PingAccess data layer might encounter deadlocks. PingAccess should be able to recover from these deadlocks, so hibernate error logs can be ignored when followed by the log message Recovered from database deadlock with transaction retry.

Issue PA-14978

A race condition caused by importing applications with significant reuse of virtual hosts or context roots can deadlock the Apache Derby DB.

PA-14974 added systematic deadlock handling to reattempt operations that lead to a deadlock condition in Apache Derby, but a specific fix for this deadlock scenario will be added in a future release to reduce wasted cycles and warning or error log messages.

Issue PA-15351

If you have the administrative console and API open at the same time and you’re on a console page that isn’t Log Settings, the Log Settings page won’t immediately populate any log changes that you make in the API.

To work around this issue, go to the Log Settings page. Perform a hard refresh, or go to another page and then return to Log Settings.

Issue PA-15449

Mutual TLS with a backend site that requires post-handshake authentication is not supported when using TLS 1.3. Current workaround options are to remove the requirement for post-handshake authentication from the backend site or to disable TLS 1.3.

Issue PA-15559

Currently, SNI is only set up for virtual hosts that are actively configured in an application. This can prevent PingAccess from presenting an expected certificate for a given redirect host.

The workaround is to configure the source host in a redirect as the virtual host for a disabled PingAccess application.