PingAccess 8.2 (December 2024)
PingAccess for Azure AD program ends in December 2025
Info PA-15870
The PingAccess for Azure AD program ends on December 31, 2025. To continue using PingAccess, you must upgrade to a commercial PingAccess license. Learn more in:
Create custom log level categories
New PA-15743
Add a custom log level category and manage its verbosity in the admin console. Learn more in Creating custom log level categories.
Added support for Java 21
New PA-15765
- Added support for Java 21. Learn more in System requirements.
- Updated Managing Federal Information Processing Standards (FIPS) mode to include more information about default TLS cipher suites and running PingAccess as a Windows service.
Configure PingOne Advanced Identity Cloud or PingAM as a token provider
New PA-15768
Configure PingOne Advanced Identity Cloud or PingAM as a token provider and OAuth authorization server in PingAccess. Learn more in Configuring PingOne Advanced Identity Cloud or PingAM as the token provider.
Configure an expected response header for CORS preflight requests
New PA-15766
Google Chrome cross-origin resource sharing (CORS) preflight requests will soon include a new request header, Access-Control-Request-Private-Network: true. If a preflight request that contains this header doesn’t receive an Access-Control-Allow-Private-Network: true header in response, access requests will be denied.
To respond to CORS preflight requests with the expected response header, select the new checkbox in the PingAccess cross-origin request rule: Allow Private Access Network.
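The preflight exchange described above, modeled as an added JavaScript example that is not PingAccess code or configuration. The rule object and its field names (allowedOrigins, allowedMethods, allowPrivateNetwork) are hypothetical stand-ins for the cross-origin request rule and its new checkbox, and the sample headers are constructed.

```javascript
// Added example, not PingAccess code; the rule object and its field names are hypothetical.

// HTTP header names are case-insensitive, so look them up that way.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

function asksForPrivateNetwork(requestHeaders) {
  return getHeader(requestHeaders, "Access-Control-Request-Private-Network") === "true";
}

// Server side: build the response headers for a CORS preflight (OPTIONS) request.
function preflightResponse(requestHeaders, rule) {
  const origin = getHeader(requestHeaders, "Origin");
  if (!origin || !rule.allowedOrigins.includes(origin)) {
    return {}; // origin not allowed: send no CORS headers at all
  }
  const response = {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": rule.allowedMethods.join(", "),
    "Vary": "Origin",
  };
  // Answer the private-network question only when it was asked and the rule opts in.
  if (asksForPrivateNetwork(requestHeaders) && rule.allowPrivateNetwork) {
    response["Access-Control-Allow-Private-Network"] = "true";
  }
  return response;
}

// Client side: the check the release note describes, reduced to origin + private network.
function preflightPasses(requestHeaders, responseHeaders) {
  const origin = getHeader(requestHeaders, "Origin");
  if (!origin || getHeader(responseHeaders, "Access-Control-Allow-Origin") !== origin) {
    return false;
  }
  if (!asksForPrivateNetwork(requestHeaders)) return true;
  return getHeader(responseHeaders, "Access-Control-Allow-Private-Network") === "true";
}

// Constructed sample preflight headers and rule settings.
const samplePreflight = {
  "Origin": "https://app.example.com",
  "Access-Control-Request-Method": "GET",
  "Access-Control-Request-Private-Network": "true",
};
const ruleOff = { allowedOrigins: ["https://app.example.com"], allowedMethods: ["GET", "POST"], allowPrivateNetwork: false };
const ruleOn = { ...ruleOff, allowPrivateNetwork: true };
const outcome = (rule) => preflightPasses(samplePreflight, preflightResponse(samplePreflight, rule));
console.log(outcome(ruleOff), outcome(ruleOn)); // false true
```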
Configure SameSite settings on PingAccess nonce cookies
New PA-15803
Use the Nonce SameSite Cookie list to select a level of restriction for when nonce cookies can be sent in a cross-site request. Learn more in Configuring web session management settings.
Configure a PingAuthorize policy decision access control rule for fine-grained access control
New PA-15770
Added a new rule that uses the Policy Decision Endpoint in PingAuthorize. This enables more control over fine-grained authorization decisions sent to PingAuthorize than the PingAuthorize access control rule.
Learn more in Adding PingAuthorize policy decision access control rules.
The PingAuthorize policy decision access control rule isn’t compatible with PingOne Authorize.
Configure multiple JWKS endpoints for access token validation
New PA-15871
Added a new access token validator type, Multiple JSON Web Key Set (JWKS) Endpoint. This access token validator enables you to validate incoming access tokens from multiple authorization servers.
Learn more in Adding access token validators.
Configure PingAccess to allow agents to authenticate with a bearer token
New PA-15872
Authenticate PingAccess agents to the engine nodes with a stronger authentication method. Learn more in Configuring PingAccess agents to use bearer token authentication.
Added a new checkbox to the agent configuration page in the PingAccess administrative console: Require Token Authentication. This checkbox configures the PingAccess engine nodes for bearer token authentication. Learn more in Agent field descriptions.
The PingAccess agent for Apache (Windows) hasn’t yet been updated to support bearer token authentication. You can configure the Apache (Windows) agent with the new
Added support for Amazon Linux 2023
New PA-15783
Added support for Amazon Linux 2023. Learn more in System requirements.
Configure PingAuthorize access control and response filtering rules with PingOne Authorize
Improved PA-15790
The PingAuthorize access control and response filtering rules are now compatible with PingOne Authorize, with the following limitations:
- PingAuthorize access control rule: Make sure that the Include Identity Attributes checkbox is selected in step 7 of Adding PingAuthorize access control rules.
- PingAuthorize response filtering rule: Detailed request context isn’t available during response processing, so response filtering can’t be performed with the PingOne.API Access Management.Identity.Access Token attribute.
Fixed agent page behavior after downloading agent.properties in Firefox
Fixed PA-13704
Fixed an issue that caused the agent configuration page in the PingAccess administrative console to stop responding after a user downloaded the agent.properties file in Mozilla Firefox.
Fixed default value rendering
Fixed PA-15763
Fixed an issue that caused some authentication challenge policy (ACP) configuration fields to render their default value only after they were saved.
Fixed OIDC login failure when port 443 is used in the id_token issuer
Fixed PA-15772
Fixed an issue that caused id_token validation to fail because PingAccess didn’t accept the well-known HTTPS port 443 in id_token issuers and wouldn’t register the issuer as a match.
Fixed an issue with bearer token case-sensitivity
Fixed PA-15890
Fixed an issue that caused false 401 errors because PingAccess was processing bearer tokens case-sensitively.
PingAccess has been updated to meet RFC 9110.
Fixed shared secret timestamps in agent summaries
Fixed PA-15896
Fixed an issue that caused the PingAccess administrative console to fail to display agent shared secret timestamps in the agent configuration summary.
Cannot assign rule sets containing a singular CORS rule
Issue PA-15785
Rule sets or rule set groups containing a singular CORS rule cannot be assigned to applications or resources. Attempts result in the following validation error:
Invalid rule assignment for Application '<app_name>': assigning multiple Cross-Origin Request Policies to a Resource or RuleSet is not allowed.
Saving overwrites the sslCiphers and sslProtocol fields in the administrative API
Issue PA-15863
Saving a configuration in the PingAccess administrative console overwrites the values of the API-only fields sslCiphers and sslProtocols.
This issue is only relevant for the following pages in the administrative console:
- System > Token Provider (with PingOne Advanced Identity Cloud / PingAM selected)
- System > Admin Authentication > Admin Token Provider
It affects the following administrative API endpoints:
- /pingone/advancedIdentityCloud
- /auth/tokenProvider
Cannot use FIPS mode with an AWS CloudHSM or Safenet Luna HSM
Issue PA-15924 PA-15928
Federal Information Processing Standards (FIPS) mode doesn’t work with AWS CloudHSM or Safenet Luna HSM.
Trying to configure a key pair or enter FIPS mode with a key pair already configured causes a Null Pointer Exception error.
ACME account creation fails while PingAccess is in FIPS mode
Issue PA-15929
Federal Information Processing Standards (FIPS) mode cannot be used with ACME certificate management if you need to create an ACME account.
Cannot use FIPS mode with Oracle JDK 17 and 21
Issue PA-15935
PingAccess fails to start in Federal Information Processing Standards (FIPS) mode when using Oracle JDK 17 and 21. Currently, FIPS mode can only be used with OpenJDK or Amazon Corretto.