--- title: PingAccess 8.2 (December 2024) description: Info PA-15870 component: pingaccess version: 8.2 page_id: pingaccess:release_notes:pa_82_december_2024 canonical_url: https://docs.pingidentity.com/pingaccess/8.2/release_notes/pa_82_december_2024.html revdate: March 13, 2025 section_ids: pingaccess-for-azure-ad-program-ends-in-december-2025: PingAccess for Azure AD program ends in December 2025 create-custom-log-level-categories: Create custom log level categories added-support-for-java-21: Added support for Java 21 configure-pingone-advanced-identity-cloud-or-pingam-as-a-token-provider: Configure PingOne Advanced Identity Cloud or PingAM as a token provider configure-an-expected-response-header-for-cors-preflight-requests: Configure an expected response header for CORS preflight requests configure-samesite-settings-on-pingaccess-nonce-cookies: Configure SameSite settings on PingAccess nonce cookies configure-a-pingauthorize-policy-decision-access-control-rule-for-fine-grained-access-control: Configure a PingAuthorize policy decision access control rule for fine-grained access control configure-multiple-jwks-endpoints-for-access-token-validation: Configure multiple JWKS endpoints for access token validation configure-pingaccess-to-allow-agents-to-authenticate-with-a-bearer-token: Configure PingAccess to allow agents to authenticate with a bearer token added-support-for-amazon-linux-2023: Added support for Amazon Linux 2023 configure-pingauthorize-access-control-and-response-filtering-rules-with-pingone-authorize: Configure PingAuthorize access control and response filtering rules with PingOne Authorize fixed-agent-page-behavior-after-downloading-agent-properties-in-firefox: Fixed agent page behavior after downloading agent.properties in Firefox fixed-default-value-rendering: Fixed default value rendering fixed-oidc-login-failure-when-port-443-is-used-in-the-id_token-issuer: Fixed OIDC login failure when port 443 is used in the id_token issuer fixed-an-issue-with-bearer-token-case-sensitivity: Fixed an issue with bearer token case-sensitivity fixed-shared-secret-timestamps-in-agent-summaries: Fixed shared secret timestamps in agent summaries cannot-assign-rule-sets-containing-a-singular-cors-rule: Cannot assign rule sets containing a singular CORS rule saving-overwrites-the-sslciphers-and-sslprotocol-fields-in-the-administrative-api: Saving overwrites the sslCiphers and sslProtocol fields in the administrative API cannot-use-fips-mode-with-a-aws-cloudhsm-or-safenet-luna-hsm: Cannot use FIPS mode with a AWS CloudHSM or Safenet Luna HSM acme-account-creation-fails-while-pingaccess-is-in-fips-mode: ACME account creation fails while PingAccess is in FIPS mode cannot-use-fips-mode-with-oracle-jdk-17-and-21: Cannot use FIPS mode with Oracle JDK 17 and 21 --- # PingAccess 8.2 (December 2024) ## PingAccess for Azure AD program ends in December 2025 Info PA-15870 | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The PingAccess for Azure AD program ends on December 31, 2025. To continue using PingAccess, you must upgrade to a commercial PingAccess license. Learn more in:- [PingAccess for Azure AD Overview](../introduction_to_pingaccess/pa_for_azure_ad_intro.html) for an overview of license differences - [Manage license keys](https://support.pingidentity.com/s/manage-license-keys) - [View or upload a new license](../pingaccess_user_interface_reference_guide/pa_license.html) | ## Create custom log level categories New PA-15743 Add a custom log level category and manage its verbosity in the admin console. Learn more in [Creating custom log level categories](../pingaccess_user_interface_reference_guide/pa_creating_custom_log_level_categories.html). ## Added support for Java 21 New PA-15765 * Added support for Java 21. Learn more in [System requirements](../installing_and_uninstalling_pingaccess/pa_system_requirements.html). * Updated [Managing Federal Information Processing Standards (FIPS) mode](../configuring_and_customizing_pingaccess/pa_fips_mode.html) to include more information about default TLS cipher suites and [running PingAccess as a Windows service](../installing_and_uninstalling_pingaccess/pa_managing_pa_as_a_windows_service.html). ## Configure PingOne Advanced Identity Cloud or PingAM as a token provider New PA-15768 Configure PingOne Advanced Identity Cloud or PingAM as a token provider and OAuth authorization server in PingAccess. Learn more in [Configuring PingOne Advanced Identity Cloud or PingAM as the token provider](../pingaccess_user_interface_reference_guide/pa_configuring_p1aic_or_pingam_as_the_token_provider.html). ## Configure an expected response header for CORS preflight requests New PA-15766 Google Chrome cross-origin resource sharing (CORS) preflight requests will soon include a new request header, `Access-Control-Request-Private-Network: true`. If a preflight request that contains this header doesn't receive a `Access-Control-Allow-Private-Network: true` header in response, access requests will be denied. To respond to CORS preflight requests with the expected response header, select the new checkbox in the [PingAccess cross-origin request rule](../pingaccess_user_interface_reference_guide/pa_adding_a_cross_origin_request_rule.html): **Allow Private Access Network**. ## Configure `SameSite` settings on PingAccess nonce cookies New PA-15803 Use the **Nonce SameSite Cookie** list to select a level of restriction for when nonce cookies can be sent in a cross-site request. Learn more in [Configuring web session management settings](../pingaccess_user_interface_reference_guide/pa_configuring_web_session_management_settings.html). ## Configure a PingAuthorize policy decision access control rule for fine-grained access control New PA-15770 Added a new rule that makes use of the Policy Decision Endpoint in PingAuthorize. This enables more control over fine-grain authorization decisions sent to PingAuthorize than the [PingAuthorize access control rule](../pingaccess_user_interface_reference_guide/pa_adding_pingauth_access_control_rules.html). Learn more in [Adding PingAuthorize policy decision access control rules](../pingaccess_user_interface_reference_guide/pa_adding_pingauth_policy_decision_access_control_rules.html). | | | | - | ---------------------------------------------------------------------------------------------- | | | The PingAuthorize policy decision access control rule isn't compatible with PingOne Authorize. | ## Configure multiple JWKS endpoints for access token validation New PA-15871 Added a new access token validator type, **Multiple JSON Web Key Set (JWKS) Endpoint**. This access token validator enables you to validate incoming access tokens from multiple authorization servers. Learn more in [Adding access token validators](../pingaccess_user_interface_reference_guide/pa_adding_access_token_validators.html). ## Configure PingAccess to allow agents to authenticate with a bearer token New PA-15872 Authenticate PingAccess agents to the engine nodes with a stronger authentication method. Learn more in [Configuring PingAccess agents to use bearer token authentication](../pingaccess_user_interface_reference_guide/pa_configuring_pa_agents_to_use_bearer_token_authn.html). Added a new checkbox to the agent configuration page in the PingAccess administrative console: **Require Token Authentication**. This checkbox configures the PingAccess engine nodes for bearer token authentication. Learn more in [Agent field descriptions](../pingaccess_user_interface_reference_guide/pa_agent_field_descriptions.html). | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The PingAccess agent for Apache (Windows) hasn't yet been updated to support bearer token authentication. You can configure the Apache (Windows) agent with the new `agent.properties` file with no performance impact, but leave the **Require Token Authentication** checkbox cleared until both:- Agent compatibility is added - You've upgraded all agents to the supported version | ## Added support for Amazon Linux 2023 New PA-15783 Added support for Amazon Linux 2023. Learn more in [System requirements](../installing_and_uninstalling_pingaccess/pa_system_requirements.html). ## Configure PingAuthorize access control and response filtering rules with PingOne Authorize Improved PA-15790 The PingAuthorize access control and response filtering rules are now compatible with PingOne Authorize, with the following limitations: * PingAuthorize access control rule: Make sure that the **Include Identity Attributes** checkbox is selected in step 7 of [Adding PingAuthorize access control rules](../pingaccess_user_interface_reference_guide/pa_adding_pingauth_access_control_rules.html). * [PingAuthorize response filtering rule](../pingaccess_user_interface_reference_guide/pa_adding_pingauthz_response_filtering_rules.html): Detailed request context isn't available during response processing, so response filtering can't be performed with the `PingOne.API Access Management.Identity.Access Token` attribute. ## Fixed agent page behavior after downloading `agent.properties` in Firefox Fixed PA-13704 Fixed an issue that caused the agent configuration page in the PingAccess administrative console to stop responding after a user downloaded the `agent.properties` file in Mozilla Firefox. ## Fixed default value rendering Fixed PA-15763 Fixed an issue that caused some authentication challenge policy (ACP) configuration fields to render their default value only after they were saved. ## Fixed OIDC login failure when port 443 is used in the `id_token` issuer Fixed PA-15772 Fixed an issue that caused `id_token` validation to fail because PingAccess didn't accept the well-known HTTPS port 443 in `id_token` issuers and wouldn't register the issuer as a match. ## Fixed an issue with bearer token case-sensitivity Fixed PA-15890 Fixed an issue that caused false `401` errors because PingAccess was processing bearer tokens case-sensitively. PingAccess has been updated to meet [RFC 9110](https://www.rfc-editor.org/rfc/rfc9110#name-authentication-scheme). ## Fixed shared secret timestamps in agent summaries Fixed PA-15896 Fixed an issue that caused the PingAccess administrative console to fail to display agent shared secret timestamps in the agent configuration summary. ## Cannot assign rule sets containing a singular CORS rule Issue PA-15785 Rule sets or rule set groups containing a singular CORS rule cannot be assigned to applications or resources. Attempts result in the following validation error: ``` Invalid rule assignment for Application '': assigning multiple Cross-Origin Request Policies to a Resource or RuleSet is not allowed. ``` ## Saving overwrites the **sslCiphers** and **sslProtocol** fields in the administrative API Issue PA-15863 Saving a configuration in the PingAccess administrative console overwrites the values of the API-only fields **sslCiphers** and **sslProtocols**. This issue is only relevant for the following pages in the administrative console: * **System > Token Provider** (with **PingOne Advanced Identity Cloud / PingAM** selected) * **System > Admin Authentication > Admin Token Provider** It affects the following administrative API endpoints: * `/pingone/advancedIdentityCloud` * `/auth/tokenProvider` ## Cannot use FIPS mode with a AWS CloudHSM or Safenet Luna HSM Issue PA-15924 PA-15928 [Federal Information Processing Standards (FIPS) mode](../configuring_and_customizing_pingaccess/pa_fips_mode.html) doesn't work with [AWS CloudHSM](../pingaccess_user_interface_reference_guide/pa_adding_an_aws_cloudhsm_provider.html) or [Safenet Luna HSM](../pingaccess_user_interface_reference_guide/pa_adding_a_safenet_luna_provider.html). Trying to configure a key pair or enter FIPS mode with a key pair already configured causes a `Null Pointer Exception` error. ## ACME account creation fails while PingAccess is in FIPS mode Issue PA-15929 [Federal Information Processing Standards (FIPS) mode](../configuring_and_customizing_pingaccess/pa_fips_mode.html) cannot be used with [ACME certificate management](../pingaccess_user_interface_reference_guide/pa_managing_certificates_for_key_pairs_with_acme.html) if you need to create an ACME account. ## Cannot use FIPS mode with Oracle JDK 17 and 21 Issue PA-15935 PingAccess fails to start in [Federal Information Processing Standards (FIPS) mode](../configuring_and_customizing_pingaccess/pa_fips_mode.html) when using Oracle JDK 17 and 21. Currently, FIPS mode can only be used with OpenJDK or Amazon Corretto.