PingAccess 8.3 (June 2025)
Add custom claims to JWT identity mappings
New PA-15886
Map custom plain text values and return custom claims for anonymous users to give backend applications more context.
In the PingAccess admin console, a new section and checkbox are available in the JWT identity mapping advanced settings: Custom JWT Claims and Create JWT for Anonymous Users. Learn more in Creating JWT identity mappings.
Retry OIDC sign-on after an authorization code exchange failure
New PA-15920
Configure PingAccess web sessions and admin UI SSO authentication to allow OIDC sign-on reattempts if PingAccess can’t exchange the authorization code for the ID and access tokens. When PingFederate authentication sessions are enabled, this can result in retries without requiring user interaction.
This provides a more seamless sign-on experience for autoscaling token provider environments and replaces vague error messaging about what to do next if an authorization code expires before the exchange.
The PingAccess log generates both an error message that the authorization code was invalid and a debug message that it’s retrying the sign-on attempt.
You can configure how many times PingAccess should retry a sign-on attempt and how long it should wait between attempts. Learn more in the descriptions for the Max Login Retries and Login Retry Delay (Sec.) fields in advanced web session settings and configuring admin UI SSO authentication.
You can also configure the name of the temporary cookie created to track the current sign-on state. Learn more in the Login State Cookie Name in configuring web session management settings.
Enable PingAccess agents to authenticate with signed JWTs
New PA-15925, PA-15926, & PA-16050
Authenticate PingAccess agents to the engine nodes with a stronger authentication method.
To use this feature, you must upgrade to PingAccess 8.2 or later and version 3.0 of the PingAccess agent for Apache (RHEL or SLES), IIS, or NGINX. Compatibility for the Apache (Windows) agent will be added in a future release.
After you configure a compatible PingAccess agent with the updated agent.properties file and select Require Token Authentication in the agent’s configuration, the agent creates, signs, and sends a unique JWT for every authentication request.
The JWT expires after 2 minutes, so you must ensure you synchronize the agent and the PingAccess server’s clocks.
Learn more in the PingAccess 8.2 release notes. You can find setup instructions in Configuring PingAccess agents to use bearer token authentication and Agent SDK for C 3.0 (April 2025).
Use the PingAccess agent for NGINX with NGINX R33 or R34
New PA-16051 & PA-16052
Added support for NGINX R33 and R34. Learn more in NGINX agent system requirements.
Sign device profiles captured by PingAccess for the PingOne Protect integration
New PA-16054
Use the Sign Device Profile checkbox to sign and increase the security of device profiles captured by PingAccess and sent to PingOne Protect as part of the PingOne Protect integration. You can find configuration information in Risk policy field descriptions.
Device profile signing can only be enabled when the Device Profiling Method is Captured by PingAccess.
Configure PingAccess to include the typ header in JWTs it creates
New PA-16059
You can now specify a value to use as the typ header for web sessions and JWT identity mappings with the Type Header Value field. PingAccess adds the configured header to the JWTs it generates unless you leave the field blank.
For example, when using a JWT access token, use the Type Header Value field to comply with IETF RFC 9068 - JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens.
This enables resource servers to verify that the typ header value matches the recommended value of at+jwt (or application/at+jwt, if this value is required) for any configured JWTs.
You can find specific configuration guidance in the Type Header Value field description in Configuring advanced web session settings and Creating JWT identity mappings.
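As an added example (not PingAccess or Ping Identity code), this is the resource-server side of the check described above: a Python function that inspects a JWT's protected header and accepts only the RFC 9068 typ values, rejecting a token whose typ is missing or different. The make_sample_token helper and the sample headers are constructed for illustration.

```python
import base64
import json

# RFC 9068 section 4: a resource server must accept only these "typ" values
# for JWT access tokens and reject tokens carrying any other value.
ACCEPTED_TYP = {"at+jwt", "application/at+jwt"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def check_access_token_typ(token: str) -> tuple[bool, str]:
    """Return (accepted, reason) after inspecting only the protected header.

    This is the typ check from RFC 9068 section 4. It does not replace
    signature, issuer, audience or expiry validation, which the JWT library
    must still perform before the token is trusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "not a compact JWS (expected three segments)"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:
        return False, "header segment is not base64url-encoded JSON"
    typ = header.get("typ") if isinstance(header, dict) else None
    if typ is None:
        return False, "missing typ header; cannot confirm this is an access token"
    # Media type names are case-insensitive (RFC 7515 section 4.1.9).
    if not isinstance(typ, str) or typ.lower() not in ACCEPTED_TYP:
        return False, f"typ {typ!r} is not at+jwt; rejected to prevent token confusion"
    return True, f"typ {typ!r} accepted"


def make_sample_token(header: dict) -> str:
    """Build a constructed compact token for the samples below (hypothetical helper).

    The payload and signature are placeholders; only the header is inspected.
    """
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc({'sub': 'alice'})}.placeholder-signature"


if __name__ == "__main__":
    samples = {
        "access token": {"alg": "RS256", "typ": "at+jwt"},
        "full media type": {"alg": "RS256", "typ": "application/at+jwt"},
        "id token reused as access token": {"alg": "RS256", "typ": "JWT"},
        "no typ": {"alg": "RS256"},
    }
    for label, hdr in samples.items():
        print(label, check_access_token_typ(make_sample_token(hdr)))
```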
Write PingAccess logs in JSON format or to the console
New PA-16092
You can now write PingAccess logs in JSON format and can configure the logs to output to the console instead of a file. Learn more in Writing logs in JSON format.
Made PingAccess scripts POSIX compliant
Improved PA-15575
The run.sh and obfuscate.sh scripts are now POSIX compliant.
Reduce device profiling data collection for PingOne Protect integration
Improved PA-15921
PingAccess no longer collects user behavioral data by default when the Device Profiling Method is Captured by PingAccess because this subset of data wasn’t rendered interactively in PingAccess. Streamlining data collection can reduce limitations caused by header size.
Upgraded BCFIPS library to version 2.0
Improved PA-15938
Upgraded to BCFIPS 2.0 for FIPS 140-3 compliance, resulting in the following changes:
- Two new properties are available in the run.properties file, pa.trust.keystore.type and pa.trust.keystore.path. Learn more about these properties in the Configuration database and key store settings section of the Configuration file reference.
- PingAccess no longer supports SHA-1 while running in FIPS mode.
Learn more about PingAccess features that operate differently or are unavailable in FIPS mode in Managing Federal Information Processing Standards (FIPS) mode. For example, PKCS#12 isn’t a supported keystore type in FIPS mode.
Authenticate PingAccess agents without a shared secret
Improved PA-15967
PingAccess engine nodes can now authenticate bearer tokens sent by a PingAccess agent without requiring the shared secret to be sent as well.
By default, agents continue to send both the shared secret and the bearer token when the Require Token Authentication checkbox is selected. To prevent an agent from sending a shared secret, remove the agent.engine.configuration.shared.secret property from the agent.properties file you download.
Learn more about bearer token authentication in Configuring PingAccess agents to use bearer token authentication and Agent field descriptions.
You can configure the agents with the new
Added configuration warning about conflicting cookie names
Improved PA-16081
Added a warning that configuring the Cookie Name and Session State Cookie Name web session management settings with the same value can lead to unexpected runtime behavior. For example, PingAccess might require you to reauthenticate for every request, or it might unset the cookie and remove the PingAccess session. Learn more in configuring web session management settings.
Fixed issues starting PingAccess in FIPS mode when using AWS CloudHSM
Fixed PA-15924
Fixed an issue that caused a Null Pointer Exception error when starting PingAccess in Federal Information Processing Standards (FIPS) mode if you had any AWS CloudHSM key pairs configured.
This issue was also applicable if you tried to configure a new CloudHSM key pair while in FIPS mode.
- Learn more about FIPS mode in Managing Federal Information Processing Standards (FIPS) mode.
- Learn more about AWS CloudHSM in Adding an AWS CloudHSM provider.
Fixed JSONPointer mapping to first header only when mapping statement responses
Fixed PA-15965
Fixed an issue that prevented referencing any statement after the first when mapping statement responses to headers for a PingAuthorize policy decision access control rule.
Additionally, the rule now automatically adds the leading
Fixed inability to send a response body to PingAuthorize
Fixed PA-15966
Fixed inability to send an optional response body to PingAuthorize with the PingAuthorize policy decision access control rule.
Fixed upgrade blocker when upgrading from PingAccess 8.2.1 to 8.3
Fixed PA-16102
Fixed an issue that prevented PingOne Advanced Identity Cloud token provider configurations from migrating to PingAccess 8.3 when upgrading from PingAccess 8.2.1.
Fixed inability to change default CSP
Fixed PA-16035
Fixed an issue that prevented changing the default content security policy when using the HTML OIDC Authentication Request authentication challenge response generator.
Added the pf.redirect.use.default.csp property to the run.properties file. Learn more in the Security headers properties section of the Configuration file reference.
Fixed encryption validation for the pa.keystore.pw property
Fixed PA-16036
PingAccess now enforces encryption of the pa.keystore.pw property in the run.properties file.
Learn more in Upgrade considerations.
Fixed inability to access Java trust store for CRL and OCSP trust anchor validation
Fixed PA-16037
Fixed an issue that prevented PingAccess from using certificate authorities (CAs) in the Java trust store for client certificate trust anchor validation when CRL Checking or OCSP is enabled and CAs haven’t been configured within the trusted certificate group.
Fixed pf.redirect.headers CSP behavior
Fixed PA-16039
Fixed an issue that caused inconsistent behavior with default and custom content security policy (CSP) headers set by the pf.redirect.headers in the run.properties file.
Fixed PKCS#12 key pair imports and exports
Fixed PA-16055
Fixed an issue that caused a Null Pointer Exception when importing or exporting PKCS#12 key pairs.
Fixed infinite looping with PingOne Protect device profiling
Fixed PA-16080
Added a new advanced setting to the PingOne Protect policy configuration, Max Device Profile Retries. This configuration fixes an issue causing PingOne Protect device profiling to get stuck in an infinite loop. Learn more in Risk policy field descriptions.
This issue isn’t fixed for those using Chrome DevTools. Learn more in the following release note.
Device profiling causes infinite loop when using Chrome DevTools
Issue PA-16094
Performing PingOne Protect device profiling with Chrome DevTools open causes an infinite loop. To proceed with device profiling, close Chrome DevTools.
Key pairs cause SSL exception when using Luna HSM Client 10.8
Issue PA-16103
Key pairs stored in a Safenet Luna HSM cause SSL exceptions if using Luna HSM Client 10.8.
A potential workaround for this issue is to disable TLS 1.3 and RSASSA-PSS in the run.properties file. You can find more information in the TLS/SSL section of the PingAccess Configuration file reference.
PingAccess can’t shut down when using Luna HSM Client 10.8
Issue PA-16104
PingAccess fails to shut down when the Safenet Luna HSM libCryptoki2.so directory is in the deploy directory, which is a deployment requirement for Adding a Safenet Luna provider on a Linux system.
This is an issue specific to Luna HSM Client 10.8.