PingAccess 8.2.1 (April 2025)
Configure PingAccess to retry failed target site connections immediately
New PA-15943
The minimum value for the Failed Retry Timeout (S) field in PingAccess availability profile configurations is now 0 instead of 1. This enables you to remove the delay before PingAccess retries establishing a connection to a failed target site.
Learn more in Creating availability profiles.
BCFIPS library upgraded to version 2.0
Improved PA-15938
Upgraded to BCFIPS 2.0 for FIPS 140-3 compliance, resulting in the following changes:
- Two new properties are available in the run.properties file, pa.trust.keystore.type and pa.trust.keystore.path. Learn more about these properties in the Configuration database and key store settings section of the Configuration file reference.
- PingAccess no longer supports SHA-1 while running in FIPS mode.
Learn more about PingAccess features that operate differently or are unavailable in FIPS mode in Managing Federal Information Processing Standards (FIPS) mode. For example, PKCS#12 isn’t a supported keystore type in FIPS mode.
Authenticate PingAccess agents with bearer tokens only
Improved PA-15967
PingAccess engine nodes can now authenticate bearer tokens sent by a PingAccess agent without requiring the shared secret to be sent as well.
By default, agents continue to send both the shared secret and the bearer token when the Require Token Authentication checkbox is selected. To prevent an agent from sending a shared secret, remove the agent.engine.configuration.shared.secret property from the agent.properties file you download.
Learn more about bearer token authentication in Configuring PingAccess agents to use bearer token authentication and Agent field descriptions.
The PingAccess agent for Apache (Windows) hasn’t yet been updated to support bearer token authentication.
You can configure the agents with the new
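One way to script the removal of agent.engine.configuration.shared.secret described above, so a wrapped secret value leaves no fragment behind. This is an added example, not Ping Identity code; it assumes agent.properties uses Java-style .properties syntax, and the example.* keys and values in the sample are constructed placeholders.

```python
import re

# Property named in the release note above.
SECRET_KEY = "agent.engine.configuration.shared.secret"

# Assumption: Java-style .properties syntax (key, then '=', ':' or whitespace).
_KEY_RE = re.compile(r"^\s*([^\s=:#!][^\s=:]*)")


def _continues(line):
    """True if the line ends in an odd number of backslashes (continuation)."""
    body = line.rstrip("\r\n")
    return (len(body) - len(body.rstrip("\\"))) % 2 == 1


def strip_shared_secret(text):
    """Return (cleaned_text, removed); all other lines are kept unchanged."""
    lines = text.splitlines(keepends=True)
    out, removed, i = [], False, 0
    while i < len(lines):
        is_comment = lines[i].lstrip().startswith(("#", "!"))
        j = i
        # Gather one logical line; comment lines never continue.
        while not is_comment and _continues(lines[j]) and j + 1 < len(lines):
            j += 1
        m = None if is_comment else _KEY_RE.match(lines[i])
        if m and m.group(1) == SECRET_KEY:
            removed = True  # drop the key and its whole (possibly wrapped) value
        else:
            out.extend(lines[i:j + 1])
        i = j + 1
    return "".join(out), removed


# Constructed sample; the example.* keys and the value are placeholders.
SAMPLE = (
    "# constructed sample, not a real agent.properties\n"
    "example.host=pa-engine.example.internal\n"
    "agent.engine.configuration.shared.secret = CONSTRUCTED-\\\n"
    "    PLACEHOLDER\n"
    "example.port=3030\n"
)

if __name__ == "__main__":
    cleaned, removed = strip_shared_secret(SAMPLE)
    print("shared secret removed:", removed)
    print(cleaned, end="")
```

A commented-out copy of the property is left in place and reported as not removed, so review comments separately if they may hold an old secret.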
Fixed an issue with post-authentication method type expectations
Fixed PA-15762
Fixed an issue that caused requests to fail because of resource method enforcement.
PingAccess disables request preservation for the templated, redirect, and PF Authentication API challenge response generators, expecting the frontend SPA to maintain any data that requires preservation.
As a result, PingAccess was expecting a GET request after authentication instead of a POST request, because PingAccess only maintains post-authentication requests as a POST if request preservation is enabled.
Fixed inability to change a default CSP
Fixed PA-16035
Fixed an issue that prevented changing the default content security policy when using the HTML OIDC Authentication Request authentication challenge response generator.
Added the pf.redirect.use.default.csp property to the run.properties file. Learn more in the Security headers properties section of the Configuration file reference.
Fixed issues starting PingAccess in FIPS mode when using AWS CloudHSM
Fixed PA-15924
Fixed an issue that caused a Null Pointer Exception error when starting PingAccess in Federal Information Processing Standards (FIPS) mode if you had any AWS CloudHSM key pairs configured.
This issue was also applicable if you tried to configure a new CloudHSM key pair while in FIPS mode.
- Learn more about FIPS mode in Managing Federal Information Processing Standards (FIPS) mode.
- Learn more about AWS CloudHSM in Adding an AWS CloudHSM provider.