PingAccess

PingAccess 8.1 (June 2024)

Improved request header security

Security PA-15610

Fixed an issue with connection request header handling. Learn more in SECADV045.

PingAccess 9.0 will remove Java 11 support in December 2025

Info

Ping Identity intends to remove Java 11 support from PingAccess in December 2025. For more information, including Java 17 support, see Installation requirements.

Cache multiple token-types for Web + API applications

New PA-15516

If you use a Web + API application, the vnd-pi-resource-cache PingAccess agent protocol (PAAP) header now contains an additional path so Web + API applications can cache both cookie and authorization header token-types. A new PAAP header, vnd-pi-token-cache-oauth-ttl, helps the agent distinguish between cookie and authorization header cache TTLs.

When the application type is Web + API, PingAccess only returns the TTL header corresponding with the token-type that it used to make the access decision, vnd-pi-token-cache-ttl or vnd-pi-token-cache-oauth-ttl. For more information, see PAAP agent response, and, after upcoming agent releases, the agent.cache.defaultTokenType property in one of the following agent configuration pages:

Previously, cache definitions were only maintained for the cookie token-type. Accordingly, the ability to cache cookie and authorization header token-types simultaneously improves system performance because an agent doesn’t have to call the PingAccess server every time it receives a request with an authorization header.

Existing agent environments ignore the new vnd-pi-token-cache-oauth-ttl header and additional paths in the vnd-pi-resource-cache header.

To see the performance boost, upgrade to PingAccess 8.1 and, after upcoming agent releases, upgrade to the latest version of the desired Apache or IIS agent. Otherwise, continue to use an earlier agent version.

CEF logging

New PA-15579

Enable PingAccess to write any of its five audit logs in Common Event Format (CEF). Learn more in Writing audit logs in Common Event Format.

Skip the request or response payload in a PingAuthorize call

New PA-15585

You can now control whether to include the request body in a call to PingAuthorize or a response body in the modified response. Excluding request and response bodies improves performance if the request or response body isn’t required to make an access decision or to modify the response.

Map static header values to a PingAuthorize call

New PA-15586

Declare headers that should be added to the PingAuthorize request or to the modified response. PingAuthorize uses the additional headers to determine the policy set that’s most relevant to the request or response context.

Use PingAuthorize access control rules on agent applications and resources

New PA-15587

You can now use PingAuthorize access control rules in PingAccess agent deployments. Learn more in Adding PingAuthorize access control rules.

Set PingAccess cookies with the partitioned attribute

New PA-15588 and PA-15690

Added the ability to set PingAccess cookies with the Partitioned attribute to align with the Cookies Having Independent Partitioned State (CHIPS) specification. This helps maintain support for applications that use an iframe or other third-party embedded context to interact with web resources that PingAccess protects as browsers phase out third-party cookies that don’t support CHIPS.

CHIPS enables third-party sites to continue to set cross-site cookies as long as they have the Partitioned attribute. To limit cross-site tracking, partitioned cookies can only be read within the same context of the top-level site where they were initially set. Learn more about CHIPS in https://developer.mozilla.org/en-US/docs/Web/Privacy/Privacy_sandbox/Partitioned_cookies and https://developers.google.com/privacy-sandbox/3pcd/chips.

In the PingAccess administrative console or API, use the Partitioned Cookie setting to control whether to add the Partitioned attribute to all cookies that PingAccess sets for a specific web session or the admin web session.

In the run.properties file, use the pa.default.cookie.attributes.partitioned.excludedUserAgentPatterns property to exclude the Partitioned attribute only when using a browser that doesn’t support it. Learn more in the Engine properties section of the Configuration file reference.

The pa.default.session.cookie.attributes.partitioned property is also new in PingAccess 8.1, but this property is moreso intended for potential future backports. In PingAccess 8.1 and later, the Partitioned Cookie setting is the preferred way to set the Partitioned attribute. The Partitioned Cookie value overrides the value of the pa.default.session.cookie.attributes.partitioned property.

Encrypt PingAccess cookies using AES-GCM encryption algorithms

New PA-15605

Added support for Advanced Encryption Standard Galois/Counter Mode (AES-GCM) encryption algorithms. Three AES-GCM encryption algorithms are now available in the Encryption Algorithm list on the Web Session Management page:

  1. AES 128 with GCM

  2. AES 192 with GCM

  3. AES 256 with GCM

Learn more about configuring encryption algorithms in Configuring web session management settings.

Configure the SameSite=Strict attribute on web session cookies

New PA-15706

Added a new level of restriction to the SameSite Cookie list in advanced web session settings, SameSite=Strict. The SameSite=Strict attribute provides the strongest level of cross-site request forgery (CSRF) protection, but should not be configured as the sole means of defense against CSRF.

Temporarily promote a replica admin node to the primary admin node

New PA-15707

Added two new endpoints to the replica admin console server:

  • GET /adminConfig/replicaAdmin/status

  • POST /adminConfig/replicaAdmin/promote

Made the following endpoints available from the replica admin console server:

  • GET /adminConfig/replicaAdmins/

  • GET /adminConfig/replicaAdmins/{id}

In DevOps environments, you can now temporarily promote the replica admin node through the replica admin API if the primary node is unavailable, but you must complete the Manually promoting the replica administrative node procedure to make this change permanent. This change provides greater availability for the PingAccess admin console by decreasing the amount of time it takes to promote the replica admin node. Learn more in Using the admin API to temporarily promote the replica administrative node.

Opt out of automatic URL encoding

Improved PA-15697

By default, redirect rules and rejection handlers automatically URL encode the admin input redirect URL. This could cause unexpected behavior if an application targeted by a redirect requires the URL to follow a specific format.

You can now opt out of automatic URL encoding by deselecting the Encode URL check box on a specific application resource logout or redirect response generator, redirect rule, redirect authentication challenge response generator, or redirect rejection handler. Learn more in:

Fixed NullPointerException with the rewrite content rule

Fixed PA-15612

Fixed an issue that caused a NullPointerException error when the rewrite content rule was used on a resource that returned an empty chunked response body.

Fixed an issue with the agent response returning a non-default token TTL for unprotected API resources

Fixed PA-15622

Fixed an issue that caused unprotected agent API resources to have unexpected OAuth TTL values.

Fixed an issue with accessing global unprotected resources

Fixed PA-15692

Fixed a regression issue that caused a 500 error response when accessing a global unprotected resource on a Web + API application.

Fixed issues with query parameter behavior due to automatic URL encoding

Fixed PA-15696

Fixed an issue with automatically URL encoding target redirect URLs that sometimes disrupted query parameter sort order or added a trailing = to the end of single value query parameters. This issue affected redirect rules, redirect rejection handlers, redirect virtual resources, logout virtual resources, and redirect authentication challenge policy response generators.

Fixed admin JWKS endpoint returning a 401 or 500 response instead of the OAuth key set

Fixed PA-15723

Fixed an issue that caused PingAccess to override existing handling for the /pa/oauth/JWKS endpoint for the admin listener with the engine self-registration handler, prompting requests made to the endpoint to result in 401 unauthorized responses or 500 internal server errors.

Fixed engine self-registration failure

Fixed PA-15725

Fixed an engine self-registration failure issue caused by inability to determine if the engine self-registration token should be a Bearer or DPoP-bound token.