New PA-11502

We’ve made the following changes to all Content-Security-Policy (CSP) response headers that PingAccess sends:

Inline JavaScript script elements and CSS style tags are still allowed after the deprecation of unsafe-inline, but they now require valid nonce attributes. Use the new velocity template variable <cspNonce> to add a nonce attribute to any inline JavaScript. Learn more in:

New PA-16117

PingAccess now supports the device authorization grant flow, which allows users to sign on by entering a code after visiting a verification URI on a secondary device. This change makes it easier to authenticate when using a device without a keyboard, reducing friction and potential typos.

Configure the new Device Authorization Challenge challenge response generator (CRG) to present a QR code to an unauthenticated user attempting to access a protected resource. Scanning the QR code or entering the verification URI into a browser redirects the user to a pre-filled code submission page. After authenticating, all the user needs to do is verify the code and click Submit.

Use the new system-generated Device Authorization Grant authentication challenge policy (ACP) as an example.

New PA-16090

We added the ability to perform distributed tracing for inbound and outbound requests to the PingAccess server. This change simplifies troubleshooting by giving you better observability of server processing across request workflows. For example, you could troubleshoot a bottleneck to identify which components might be contributing to latency issues.

To enable support for distributed tracing, we added a new property to the run.properties file and created the <PA_HOME>/conf/opentelemetry.properties file to provide control over the OpenTelemetry configuration.

Learn more in Distributed tracing.

New PA-16295, PA-16468

New PA-16306

RFC 7523 now requires stricter handling of the audience claim in private key JWT OAuth client authentication. You must set the audience claim to the issuer identifier of the target Authorization Server.

To address these RFC updates, we added the Private Key JWT Audience list to all token providers configurable in the admin console. Learn more in the following sections of the PingAccess documentation:

By default, Private Key JWT Audience is set to Audience Endpoint to support backwards compatibility. You should change this selection to Issuer or Both in your authorization server configuration at your earliest convenience to ensure compliance with RFC 7523.

New PA-16316

To rotate certificates previously, you needed to update the bootstrap.properties file manually and restart each PingAccess engine node. Delaying certificate rotation on the engine nodes could leave engine nodes unable to connect to the admin node after updating the config query listener, leading to service outages.

PingAccess now uses a two-port certificate rotation approach. Engine nodes poll the /engines/rest/config-query-certificate endpoint to retrieve new certificates and add them to the engine node’s truststore.

Make sure to review the PingAccess 9.1 upgrade considerations and check the Port requirements, then assign a new key pair to the config query HTTPS listener to kick the changes off. Learn more in Automatic engine node key rotation for config query listeners.

New PA-16317

We’ve added a new advanced web session setting, the UI Locales field. This change makes it possible to set IETF BCP 47 language tags using the ui_locales OIDC request parameter, enabling you to provide the sign-on page in a wider variety of languages for end users.

Learn more in Configuring advanced web session settings.

New PA-16346

We’ve added a new availability profile setting, Retry on Unknown Host. Select this checkbox to retry a failed POST request against other configured backchannel hosts if the original request failed because of an UnknownHostException. This setting can improve service reliability during potential DNS changes.

You can find more information in Creating availability profiles.

Improved PA-16261

PingAccess now prevents application resource IDs from changing when you upgrade to PingAccess 9.1 or later from any version. This change enables you to reference application resource IDs in custom scripts stably and makes post-upgrade cleanup more efficient.

You can review the audit log output after upgrading PingAccess to confirm that a resource’s original id and new id match. Look for an entry that reads like the following example:

Security PA-16291

Updated third-party dependencies to address a potential security vulnerability.

Security PA-16298, PA-16214

Addressed potential security vulnerabilities relating to Bouncy Castle.

Security PA-16321

Upgraded the Apache Log4j library to address a potential security vulnerability.

Security PA-16459

Updated Netty’s parsing behavior to address a potential security vulnerability.

Security PA-16477

Updated dependency versions to address potential security vulnerabilities.

Security PA-16521

Addressed a potential security vulnerability related to request smuggling.

Security PA-16522

Addressed a potential security vulnerability related to resource allocation for multi-part headers.

Fixed PA-16320

Fixed an issue that caused the JWKS access token validators (ATVs) to generate unnecessary warning logs if you had configured a Path but not a Third-Party Service. This issue could occur when using API OAuth authentication with either JWKS ATV.

Fixed PA-16328

Fixed an issue that prevented PingAccess from assigning an availability handler when creating a new Third-Party Service with the default Availability Profile. This issue could occur when running PingAccess in a cluster.

Fixed PA-16348

Fixed an issue that caused 500 errors after a key roll was triggered because the key roll period had elapsed. This issue could occur when using local access token validation.

Fixed PA-16367

Fixed a performance degradation issue that occurred when upgrading to PingAccess 9.0. This issue could occur for configurations that have one or more applications with a large number of resources and rule sets.

Fixed PA-16449

Fixed an issue that prevented modified files in the conf/log4j/json-templates directory from carrying over to the target version when upgrading a PingAccess server. Additionally, PingAccess no longer logs warning messages about not migrating the json-templates during the upgrade.

Fixed PA-16458

Fixed an issue that caused PingAccess to log the following warning on startup or during an upgrade when using Java 17 or later:

Fixed PA-16463

Fixed an issue that caused PingAccess not to evaluate rules applied at the application level.

Fixed PA-16475, PA-16532

Fixed an issue that caused slow responses from the /engines/certificates PingAccess admin API endpoint.

Fixed PA-16495

Fixed an issue that caused automatic resource ordering to leave out root resources if another resource had been configured with the /* path pattern.

Fixed PA-16508

Fixed an issue that caused the PingAccess admin console to show a blank page when trying to view the References tab on a key pair, after configuring a JWT identity mapping without giving the Custom Claims field a value.

Fixed PA-16530

Fixed an issue that prevented PingAccess from importing key pairs that contain otherName attributes configured in the Subject Alternative Name field.

Fixed PA-16531

Fixed an issue that sometimes caused PingAccess to end POST parameter processing early if it encountered non-UTF-8 bytes that could be interpreted as valid UTF-8 bytes.

Issue PA-16292

The PingAccess Add-on SDK class com.pingidentity.pa.sdk.http.ResponseBuilder isn’t compatible in Groovy script rules with Java 17 and later.

Issue PA-16346, PA-16488

FIPS mode validation doesn’t prevent administrators from importing key pairs that contain chained certificates with a SHA1 signature algorithm. SHA1 isn’t FIPS-compliant.

As a workaround, set jdk.sha1.restriction.enabled=true to enforce exclusion of key pairs that use SHA1 in key pair and certificate imports.

Security PA-16321

Upgraded the Apache Log4j library to address a potential security vulnerability.

Security PA-16459

Updated Netty’s parsing behavior to address a potential security vulnerability.

Fixed PA-16458

Fixed an issue that caused PingAccess to log the following warning on startup or during an upgrade when using Java 17 or later:

Fixed PA-16463

Fixed an issue that caused PingAccess not to evaluate rules applied at the application level.

Fixed PA-16320

Fixed an issue that caused the JWKS access token validators (ATVs) to generate unnecessary warning logs if you had configured a Path but not a Third-Party Service. This issue could occur when using API OAuth authentication with either JWKS ATV.

Fixed PA-16328

Fixed an issue that prevented PingAccess from assigning an availability handler when creating a new Third-Party Service with the default Availability Profile. This issue could occur when running PingAccess in a cluster.

Fixed PA-16348

Fixed an issue that caused 500 errors after a key roll was triggered because the key roll period had elapsed. This issue could occur when using local access token validation.

Fixed PA-16367

Fixed a performance degradation issue that occurred when upgrading to PingAccess 9.0. This issue could occur for configurations that have one or more applications with a large amount of resources and rule sets.

Fixed PA-16283

By default, PingAccess removes extra backslashes and quotation marks when processing PingAuthorize access control rules. This can cause issues downstream when parsing request bodies attempting to use escape characters.

Added a new checkbox to the PingAuthorize access control rule configuration, Unescape Request Body. Select this checkbox to prevent PingAccess from removing extra backslashes or quotation marks used as escape characters.

Info PA-16062

Ping Identity removed Java 11 support from PingAccess in December 2025. You must upgrade to a supported Java version before installing PingAccess 9.0 or later. Learn more about supported Java versions in PingAccess system requirements.

New PA-16064

Create an SMTP notification publisher to have PingAccess send email reminders about expiring certificates. This makes it easier to manage multiple certificates and prevent service interruptions.

Learn more in Notifications.

New PA-16065

Added a new checkbox on logout virtual resources and admin SSO settings, Revoke Access Token.

Use this setting to revoke access tokens maintained in the associated PingAccess web session per RFC 7009 when someone accesses a logout virtual resource or when the PingAccess admin signs off.

This provides additional security and helps prevent session replay in cases where session validation and single logout aren’t available with the token provider. For example, you could use Revoke Access Token to sign off individual applications without disrupting the token provider session.

Learn more in Adding application resources and Configuring admin UI SSO authentication.

New PA-16066

Define custom properties globally and set specific values for them at the application level to provide additional information about your applications. Use these extended properties to provide meaningful details to admins and sort through configured applications more efficiently.

Learn more in Managing extended properties.

New PA-16087

Added a new advanced web session setting, Passthrough Request Parameters. Use this table to select parameters from the requested resource and map them to OIDC parameters the token provider uses during the access request.

This enables you to pass information to the token provider to customize user sign-on experience and make it more consistent with your brand. For example:

Learn more in Configuring advanced web session settings.

New PA-16223

Added support for NGINX R35 and dropped support for NGINX R31. Learn more in NGINX agent system requirements.

New PA-16225

PingAccess now allows you to validate access tokens against JWKS endpoints that aren’t hosted by the token provider, enabling you to validate access tokens against multiple issuers.

Add your JWKS endpoint as a third-party service by specifying the host and port. Then use the new Third-Party Service list in the access token validator configuration to select the third-party service you created.

Learn more in Adding access token validators.

Security PA-14023

Added a new property to the run.sh script to enhance security.

Security PA-14094

Removed support for RSA 1.5 with PKCS#1 to enhance security.

Security PA-16107, PA-16108, & PA-16109

Security PA-16113

Removed unused dependencies on the Apache Commons Validator and BeanUtils components.

Security PA-16211

Upgraded the Netty component to fix issues with chunk parsing and overlarge buffers.

Fixed PA-7068

Fixed an issue that caused com.pingidentity.pa.sdk.http.Exchange#setResponse to immediately discard the body of an existing response, which could have put a backend connection into an unknown state if the connection was going to be reused.

com.pingidentity.pa.sdk.http.Exchange#setRequest behaved similarly with existing requests. Now, the body of a request or response that’s going to be replaced isn’t discarded until the replacement message has been written successfully.

Also fixed an issue that caused com.pingidentity.pa.sdk.http.Message#setBody and com.pingidentity.pa.sdk.http.Message#setBodyContent to put backend connections into an unknown state because they weren’t discarding the message body.

Fixed PA-16114

Fixed an issue that sometimes caused a 500 error when using the PingAuthorize access control rule with a PingAccess API application. This issue could occur with PUT and POST requests made when there was already a high volume of requests.

Fixed PA-16122

Fixed an issue that sometimes caused conflicts during asynchronous backend connection handling when PingAccess modified response headers.

Fixed PA-16227

Fixed an issue that swapped the contents of the <PA_HOME>/conf/log4j/json-templates/sideband-client-audit-log.json file and the <PA_HOME>/conf/log4j/json-templates/sideband-audit-log.json file.

Also added the exchangeId to the pingaccess-log.json file.

Fixed PA-16237

Fixed an issue that caused configuration imports to fail if prompted by an administrator. This issue was applicable if both the administrator and platform administrator roles were enabled in an environment using admin SSO without a configured admin token provider.

Fixed PA-16240

Fixed an issue that caused the OIDC Authentication Request Redirect authentication challenge response generator to ignore the Prompt Request Parameter configured in the authentication challenge policy.

Fixed PA-16244

Fixed an issue that caused PUT API operations to fail when trying to modify a virtual host containing a wildcard. This issue was applicable to environments using a proxied PingFederate token provider.

Fixed PA-16266

Improved vague error messaging for invalid input formats in resource response generators. This error message now identifies the invalid value and the corresponding field.

Issue PAPQ-1034

PingAccess 6.3 deployments that use the Sideband API feature can’t be upgraded using the zero downtime upgrade procedure. You must use a planned outage to upgrade such an environment.

Issue PA-1894

Incorrect handling for IPv6 literals in host header. Note that IPv6 isn’t currently supported.

Issue PA-2896

Request preservation isn’t supported with Safari Private Browsing.

Issue PA-4888

Engines and admin replicas don’t connect to the admin console if a combination of IP addresses and DNS names are used.

Issue PA-6262

The token processor can’t connect to a JWKS endpoint using SSL when using an IP instead of a host name. To workaround this issue, add the host name as the subject alt name on the key pair.

Issue PA-8651

Firefox doesn’t correctly support the HTML5 time tag. When using the time range rule, enter time in 24-hour format.

Issue PA-10505

Upgrades will fail with a risk-based authorization rule if a third-party service isn’t used in the rule.

Issue PA-11390

If you create multiple virtual hosts with a shared host name and associate the host name with a server key pair, the virtual hosts retain the connection with the server key pair even if they are subsequently renamed. The virtual host must be deleted and recreated to remove the association.

Issue PA-12647

Asynchronous front-channel logout might fail in some browsers depending on end-user settings. You can find browser-specific workarounds in Managing single logout in different browsers in the Ping Identity Knowledge Base.

Issue PA-13214

Invalid special characters ((),/;<⇒?@[\]\{}") can be added to the certificate to Header Mapping field in an identity mapping. Adding this identity mapping to an application will cause 400 errors when the application is accessed.

Issue PA-13500

Assigning a new key pair to the Admin HTTPS listener if the browser doesn’t trust the new key pair can prevent the UI from functioning. The workaround is to close the browser and reopen it so that all connections to the admin node use the new certificate.

Issue PA-14239

If PingAccess is repeatedly stopped and restarted in FIPS mode, subsequent restarts can take up to 5 minutes to complete. The workaround is to use a tool such as rng-tools to refresh /dev/random and make more entropy available faster. For example:

Issue PA-14414

CloudHSM functionality works in FIPS mode but not in regular mode for Java8u261 and later. RSASSA-PSS signing algorithms fail with Java8u261 or later, and HSM vendors and core Java use different naming conventions for the RSASSA-PSS algorithm. There is a documented workaround in Adding an AWS CloudHSM provider.

Issue PA-14466

Due to an outstanding defect in the Kong API Gateway, the ping-auth plugin currently doesn’t support requests that utilize the Transfer-Encoding header. If PingAccess is used as the external authorization server, the rewrite content rule can prevent the page from displaying.

Issue PA-14621

If a client certificate has a certificate revocation list (CRL) DistributionPoint that points to an extremely large CRL, PingAccess might suffer from high memory usage leading to Out of memory (OOM) exceptions.

Issue PA-14907

After starting PingAccess for the first time on a Windows system or upgrading PingAccess on a Windows system, a warning message is logged reporting that the pa.jwk file was not made non-executable. This message can be ignored.

Issue PA-14978

A race condition caused by importing applications with significant reuse of virtual hosts or context roots can deadlock the Apache Derby DB.

PingAccess 7.3 added systematic deadlock handling to reattempt operations that lead to a deadlock condition in Apache Derby. Learn more about this original fix in PA-14974 in the PingAccess 7.3 release notes.

However, a specific fix for this deadlock scenario will be added in a future release to reduce wasted cycles and warning or error log messages.

Issue PA-14985

There are a few potential scenarios when the PingAccess data layer might encounter deadlocks. PingAccess should be able to recover from these deadlocks, so hibernate error logs can be ignored when followed by the log message Recovered from database deadlock with transaction retry.

Issue PA-15351

If you have the administrative console and API open at the same time and you’re on a console page that isn’t Log Settings, the Log Settings page won’t immediately populate any log changes that you make in the API.

To work around this issue, go to the Log Settings page. Perform a hard refresh, or go to another page and then return to Log Settings.

Issue PA-15499

Mutual TLS with a backend site that requires post-handshake authentication isn’t supported when using TLS 1.3. Current workaround options are to remove the requirement for post-handshake authentication from the backend site or to disable TLS 1.3.

Issue PA-15559

Currently, SNI is only set up for virtual hosts that are actively configured in an application. This can prevent PingAccess from presenting an expected certificate for a given redirect host.

The workaround is to configure the source host in a redirect as the virtual host for a disabled PingAccess application.

Issue PA-15785

Rule sets or rule set groups containing a singular CORS rule can’t be assigned to applications or resources. Attempts result in the following validation error:

Issue PA-15863

Saving a configuration in the PingAccess administrative console overwrites the values of the API-only fields sslCiphers and sslProtocols.

This issue is only relevant for the following pages in the administrative console:

It affects the following administrative API endpoints:

Issue PA-15928

Federal Information Processing Standards (FIPS) mode doesn’t work with Safenet Luna HSM. Trying to configure a key pair or enter FIPS mode with a key pair already configured causes a Null Pointer Exception error.

Issue PA-15929

Federal Information Processing Standards (FIPS) mode can’t be used with ACME certificate management if you need to create an ACME account.

Issue PA-16094

Performing PingOne Protect device profiling with Chrome Devtools open causes an infinite loop. To proceed with device profiling, close Chrome Devtools.

Issue PA-16103

Key pairs stored in a Safenet Luna HSM cause SSL exceptions if using Luna HSM Client 10.8.

A potential workaround for this issue is to disable TLS 1.3 and RSASSA-PSS in the run.properties file. You can find more information in the TLS/SSL section of the PingAccess Configuration file reference.

Issue PA-16104

PingAccess fails to shut down when the Safenet Luna HSM libCryptoki2.so directory is in the deploy directory, which is a deployment requirement for Adding a Safenet Luna provider on a Linux system. This is an issue specific to Luna HSM Client 10.8.

Issue PA-16230

Trying to access the Swagger 1.2 specification information for specific individual endpoints (such as /pa-admin-api/v3/api-docs/pa/accessTokenValidators) currently results in a 404 Not Found error.

This happens because Swagger 1.2 isn’t fully compatible with JDK 17. Ping Identity recommends using the OAS 2.0 specifications instead, which you can find at https://<pa_admin_host>:<pa_admin_port>/pa-admin-api/v3/api-docs/pa/api-docs-v2.json. Learn more in Administrative API endpoints.

Issue PA-16236

Trying to use CloudHSM key pairs in Managing Federal Information Processing Standards (FIPS) mode prompts an ERR_SSL_PROTOCOL_ERROR message.

Issue PA-16449

When upgrading a PingAccess server, modified files in the conf/log4j/json-templates directory don’t carry over to the target version. Additionally, PingAccess logs warning messages about not migrating the json-templates during the upgrade, even if you made no edits to the template files.