Release Notes
New features and improvements in PingAccess. Updated December 13, 2024.
PingAccess 8.2 (December 2024)
PingAccess for Azure AD program ends in December 2025
Info PA-15870
The PingAccess for Azure AD program ends on December 31, 2025. To continue using PingAccess, you must upgrade to a commercial PingAccess license. Learn more in:
Create custom log level categories
New PA-15743
Add a custom log level category and manage its verbosity in the admin console. Learn more in Creating custom log level categories.
Added support for Java 21
New PA-15765
- Added support for Java 21. Learn more in System requirements.
- Updated Managing Federal Information Processing Standards (FIPS) mode to include more information about default TLS cipher suites and running PingAccess as a Windows service.
Configure PingOne Advanced Identity Cloud or PingAM as a token provider
New PA-15768
Configure PingOne Advanced Identity Cloud or PingAM as a token provider and OAuth authorization server in PingAccess. Learn more in Configuring PingOne Advanced Identity Cloud or PingAM as the token provider.
Configure an expected response header for CORS preflight requests
New PA-15766
Google Chrome cross-origin resource sharing (CORS) preflight requests will soon include a new request header, Access-Control-Request-Private-Network: true. If a preflight request that contains this header doesn’t receive an Access-Control-Allow-Private-Network: true header in response, the browser denies the actual request.
To respond to CORS preflight requests with the expected response header, select the new checkbox in the PingAccess cross-origin request rule: Allow Private Access Network.
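The preflight exchange described above, as an added example (not PingAccess code): a minimal cross-origin rule that answers a preflight, and a model of the browser's decision afterwards. The `allow_private_network` flag stands in for the Allow Private Access Network checkbox; the rule class and header handling are assumptions for this illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Header names as seen on the wire; matched case-insensitively below.
PNA_REQUEST = "access-control-request-private-network"
PNA_ALLOW = "Access-Control-Allow-Private-Network"


@dataclass
class CorsRule:
    """Stand-in for a cross-origin request rule (constructed for this example)."""
    allowed_origins: set[str]
    allowed_methods: set[str] = field(default_factory=lambda: {"GET", "POST"})
    allow_private_network: bool = False   # models the Allow Private Access Network checkbox


def preflight_response(rule: CorsRule, request_headers: dict[str, str]) -> tuple[int, dict[str, str]]:
    """Answer an OPTIONS preflight. Returns (status, response headers)."""
    h = {k.lower(): v for k, v in request_headers.items()}
    origin = h.get("origin")
    method = h.get("access-control-request-method", "").upper()
    if origin not in rule.allowed_origins or method not in rule.allowed_methods:
        return 403, {}
    resp = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(sorted(rule.allowed_methods)),
        "Vary": "Origin",
    }
    # Grant private-network access only when the preflight asked for it and the rule allows it.
    if h.get(PNA_REQUEST, "").lower() == "true" and rule.allow_private_network:
        resp[PNA_ALLOW] = "true"
    return 200, resp


def browser_will_send_request(request_headers: dict[str, str], status: int,
                              response_headers: dict[str, str]) -> bool:
    """Model the browser's decision after the preflight: if it sent the PNA request
    header, the response must grant it explicitly or the real request is blocked."""
    if status != 200:
        return False
    h = {k.lower(): v for k, v in request_headers.items()}
    if h.get(PNA_REQUEST, "").lower() == "true":
        return response_headers.get(PNA_ALLOW, "").lower() == "true"
    return True
```

With the flag off, the preflight still returns 200 and the usual CORS headers, but the browser drops the actual request because the grant header is missing; that is the failure mode the new checkbox addresses. Leave the flag off for rules that only serve public-to-public traffic, since the grant widens what a web page on the public internet may reach inside the private address space.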
Configure SameSite settings on PingAccess nonce cookies
New PA-15803
Use the Nonce SameSite Cookie list to select a level of restriction for when nonce cookies can be sent in a cross-site request. Learn more in Configuring web session management settings.
Configure a PingAuthorize policy decision access control rule for fine-grained access control
New PA-15770
Added a new rule that makes use of the Policy Decision Endpoint in PingAuthorize. This enables more control over fine-grained authorization decisions sent to PingAuthorize than the PingAuthorize access control rule.
Learn more in Adding PingAuthorize policy decision access control rules.
The PingAuthorize policy decision access control rule isn’t compatible with PingOne Authorize.
Configure multiple JWKS endpoints for access token validation
New PA-15871
Added a new access token validator type, Multiple JSON Web Key Set (JWKS) Endpoint. This access token validator enables you to validate incoming access tokens from multiple authorization servers.
Learn more in Adding access token validators.
Configure PingAccess to allow agents to authenticate with a bearer token
New PA-15872
Authenticate PingAccess agents to the engine nodes with a stronger authentication method. Learn more in Configuring PingAccess agents to use bearer token authentication.
Added a new checkbox to the agent configuration page in the PingAccess administrative console: Require Token Authentication. This checkbox configures the PingAccess engine nodes for bearer token authentication. Learn more in Agent field descriptions.
The PingAccess agents haven’t been updated to support bearer token authentication yet.
You can configure the agents with the new
Added support for Amazon Linux 2023
New PA-15783
Added support for Amazon Linux 2023. Learn more in System requirements.
Configure PingAuthorize access control and response filtering rules with PingOne Authorize
Improved PA-15790
The PingAuthorize access control and response filtering rules are now compatible with PingOne Authorize, with the following limitations:
- PingAuthorize access control rule: Make sure that the Include Identity Attributes checkbox is selected in step 7 of Adding PingAuthorize access control rules.
- PingAuthorize response filtering rule: Detailed request context isn’t available during response processing, so response filtering can’t be performed with the PingOne.API Access Management.Identity.Access Token attribute.
Fixed agent page behavior after downloading agent.properties in Firefox
Fixed PA-13704
Fixed an issue that caused the agent configuration page in the PingAccess administrative console to stop responding after a user downloaded the agent.properties file in Mozilla Firefox.
Fixed an issue with post-authentication method type expectations
Fixed PA-15762
Fixed an issue that caused requests to fail because of resource method enforcement.
By default, PingAccess disables request preservation for the templated, redirect, and PF Authentication API challenge response generators, expecting the frontend SPA to maintain any data that requires preservation.
As a result, PingAccess was expecting a GET request after authentication instead of a POST request, because PingAccess only maintains post-authentication requests as a POST if request preservation is enabled.
Fixed default value rendering
Fixed PA-15763
Fixed an issue that caused some authentication challenge policy (ACP) configuration fields to render their default value only after they were saved.
Fixed OIDC login failure when port 443 is used in the id_token issuer
Fixed PA-15772
Fixed an issue that caused id_token validation to fail because PingAccess didn’t accept the well-known HTTPS port 443 in id_token issuers and wouldn’t register the issuer as a match.
Fixed an issue with bearer token case-sensitivity
Fixed PA-15890
Fixed an issue that caused false 401 errors because PingAccess was matching the Bearer authentication scheme case-sensitively.
PingAccess has been updated to meet RFC 9110, which defines the scheme name in the Authorization header as case-insensitive, so Bearer, bearer, and BEARER are all the same scheme.
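An added example (not PingAccess code) that ties together three items from this release: case-insensitive matching of the Bearer scheme, issuer comparison that treats an explicit :443 as equivalent to the default HTTPS port, and validating tokens from more than one authorization server by mapping each issuer to its own JWKS and selecting the key by kid. The two JWKS documents are constructed inline and hold symmetric (kty: oct) keys with HS256 purely so the block runs offline with the standard library; a real JWKS published by an authorization server holds public RSA or EC keys, and the signature check would go through an asymmetric JOSE library.

```python
from __future__ import annotations
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlsplit, urlunsplit


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def parse_bearer(authorization: str | None) -> str | None:
    """Return the credentials if the header uses the Bearer scheme in any case, else None (RFC 9110 s11.1)."""
    if not authorization:
        return None
    scheme, _, credentials = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not credentials.strip():
        return None
    return credentials.strip()


def normalize_issuer(iss: str) -> str:
    """Drop an explicit default port and a trailing slash so equivalent issuers compare equal."""
    p = urlsplit(iss)
    port = p.port
    if (p.scheme.lower() == "https" and port == 443) or (p.scheme.lower() == "http" and port == 80):
        port = None
    host = (p.hostname or "").lower()
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((p.scheme.lower(), netloc, p.path.rstrip("/"), "", ""))


class MultiJwksValidator:
    """One validator holding a JWKS per configured issuer; the token's iss picks the key set."""

    def __init__(self, issuers: dict[str, dict]):
        self.jwks = {normalize_issuer(iss): {k["kid"]: k for k in doc["keys"]}
                     for iss, doc in issuers.items()}

    def validate(self, token: str, now: float | None = None) -> dict:
        now = time.time() if now is None else now
        try:
            h_b64, p_b64, s_b64 = token.split(".")
        except ValueError:
            raise ValueError("malformed JWT")
        header = json.loads(b64url_decode(h_b64))
        payload = json.loads(b64url_decode(p_b64))
        keys = self.jwks.get(normalize_issuer(payload.get("iss", "")))
        if keys is None:
            raise ValueError("unknown issuer")
        key = keys.get(header.get("kid"))
        # Pin the algorithm to what the key supports; never trust alg from the header alone.
        if key is None or header.get("alg") != "HS256" or key.get("kty") != "oct":
            raise ValueError("no usable key for kid")
        expected = hmac.new(b64url_decode(key["k"]), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s_b64)):
            raise ValueError("bad signature")
        if payload.get("exp", 0) <= now:
            raise ValueError("expired")
        return payload


def mint_hs256(key: dict, claims: dict) -> str:
    """Constructed helper that plays the authorization server and issues a token."""
    h = b64url_encode(json.dumps({"alg": "HS256", "kid": key["kid"]}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(b64url_decode(key["k"]), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


# Constructed JWKS documents for two authorization servers (assumed hostnames).
JWKS_A = {"keys": [{"kty": "oct", "kid": "a1", "k": b64url_encode(b"secret-for-as-a-0123456789")}]}
JWKS_B = {"keys": [{"kty": "oct", "kid": "b1", "k": b64url_encode(b"secret-for-as-b-0123456789")}]}
VALIDATOR = MultiJwksValidator({"https://as-a.example.com": JWKS_A, "https://as-b.example.com/": JWKS_B})
```

The point a practitioner should take from the structure is that the key set is chosen from the issuer claim and the key from kid within that set only; a kid that exists in one server's JWKS cannot be satisfied by a key from another server's JWKS, which is what keeps a multi-issuer validator from becoming a key-confusion bug.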
Fixed shared secret timestamps in agent summaries
Fixed PA-15896
Fixed an issue that caused the PingAccess administrative console to fail to display agent shared secret timestamps in the agent configuration summary.
Cannot assign rule sets containing a singular CORS rule
Issue PA-15785
Rule sets or rule set groups containing a singular CORS rule cannot be assigned to applications or resources. Attempts result in the following validation error:
Invalid rule assignment for Application '<app_name>': assigning multiple Cross-Origin Request Policies to a Resource or RuleSet is not allowed.
Saving overwrites the sslCiphers and sslProtocol fields in the administrative API
Issue PA-15863
Saving a configuration in the PingAccess administrative console overwrites the values of the API-only fields sslCiphers and sslProtocols.
This issue is only relevant for the following pages in the administrative console:
-
System > Token Provider (with PingOne Advanced Identity Cloud / PingAM selected)
-
System > Admin Authentication > Admin Token Provider
It affects the following administrative API endpoints:
-
/pingone/advancedIdentityCloud
-
/auth/tokenProvider
Cannot use FIPS mode with an AWS Cloud HSM or Safenet Luna HSM
Issue PA-15924 PA-15928
Federal Information Processing Standards (FIPS) mode doesn’t work with AWS Cloud HSM or Safenet Luna HSM.
Trying to configure a key pair or enter FIPS mode with a key pair already configured causes a Null Pointer Exception error.
ACME account creation fails while PingAccess is in FIPS mode
Issue PA-15929
Federal Information Processing Standards (FIPS) mode cannot be used with ACME certificate management if you need to create an ACME account.
Cannot use FIPS mode with Oracle JDK 17 and 21
Issue PA-15935
PingAccess fails to start in Federal Information Processing Standards (FIPS) mode when using Oracle JDK 17 and 21. Currently, FIPS mode can only be used with OpenJDK or Amazon Corretto.
PingAccess 8.1.2 (October 2024)
Create custom log level categories
New PA-15743
Add a custom log level category and manage its verbosity in the admin console. Learn more in Creating custom log level categories.
PingAccess 8.1.1 (August 2024)
Fixed a security vulnerability with URL-encoded characters
Security PA-15776
Added the pa.uri.canonicalize parameter to the Configuration file reference to fix a security vulnerability. Learn more in an upcoming security advisory.
Set response headers for OAuth errors
Improved PA-15764
Added the oauth.error.headers and oauth.error.header.Content-Security-Policy parameters to the Configuration file reference.
PingAccess 8.1 (June 2024)
Improved request header security
Security PA-15610
Fixed an issue with connection request header handling. Learn more in SECADV045.
PingAccess 9.0 will remove Java 11 support in December 2025
Info
Ping Identity intends to remove Java 11 support from PingAccess in December 2025. For more information, including Java 17 support, see Installation requirements.
Cache multiple token-types for Web + API applications
New PA-15516
If you use a Web + API application, the vnd-pi-resource-cache PingAccess agent protocol (PAAP) header now contains an additional path so Web + API applications can cache both cookie and authorization header token-types. A new PAAP header, vnd-pi-token-cache-oauth-ttl, helps the agent distinguish between cookie and authorization header cache TTLs.
When the application type is Web + API, PingAccess only returns the TTL header corresponding with the token-type that it used to make the access decision, vnd-pi-token-cache-ttl or vnd-pi-token-cache-oauth-ttl. For more information, see PAAP agent response, and, after upcoming agent releases, the agent.cache.defaultTokenType property in one of the following agent configuration pages:
Previously, cache definitions were only maintained for the cookie token-type. Accordingly, the ability to cache cookie and authorization header token-types simultaneously improves system performance because an agent doesn’t have to call the PingAccess server every time it receives a request with an authorization header.
Existing agent environments ignore the new
To see the performance boost, upgrade to PingAccess 8.1 and, after upcoming agent releases, upgrade to the latest version of the desired Apache or IIS agent. Otherwise, continue to use an earlier agent version.
CEF logging
New PA-15579
Enable PingAccess to write any of its five audit logs in Common Event Format (CEF). Learn more in Writing audit logs in Common Event Format.
Skip the request or response payload in a PingAuthorize call
New PA-15585
You can now control whether to include the request body in a call to PingAuthorize or a response body in the modified response. Excluding request and response bodies improves performance if the request or response body isn’t required to make an access decision or to modify the response.
Map static header values to a PingAuthorize call
New PA-15586
Declare headers that should be added to the PingAuthorize request or to the modified response. PingAuthorize uses the additional headers to determine the policy set that’s most relevant to the request or response context.
Use PingAuthorize access control rules on agent applications and resources
New PA-15587
You can now use PingAuthorize access control rules in PingAccess agent deployments. Learn more in Adding PingAuthorize access control rules.
Set PingAccess cookies with the Partitioned attribute
New PA-15588 and PA-15690
Added the ability to set PingAccess cookies with the Partitioned attribute to align with the Cookies Having Independent Partitioned State (CHIPS) specification. This helps maintain support for applications that use an iframe or other third-party embedded context to interact with web resources that PingAccess protects as browsers phase out third-party cookies that don’t support CHIPS.
CHIPS enables third-party sites to continue to set cross-site cookies as long as they have the Partitioned attribute. To limit cross-site tracking, partitioned cookies can only be read within the same context of the top-level site where they were initially set. Learn more about CHIPS in https://developer.mozilla.org/en-US/docs/Web/Privacy/Privacy_sandbox/Partitioned_cookies and https://developers.google.com/privacy-sandbox/3pcd/chips.
In the PingAccess administrative console or API, use the Partitioned Cookie setting to control whether to add the Partitioned attribute to all cookies that PingAccess sets for a specific web session or the admin web session.
In the run.properties file, use the pa.default.cookie.attributes.partitioned.excludedUserAgentPatterns property to exclude the Partitioned attribute only when using a browser that doesn’t support it. Learn more in the Engine properties section of the Configuration file reference.
Encrypt PingAccess cookies using AES-GCM encryption algorithms
New PA-15605
Added support for Advanced Encryption Standard Galois/Counter Mode (AES-GCM) encryption algorithms. Three AES-GCM encryption algorithms are now available in the Encryption Algorithm list on the Web Session Management page:
-
AES 128 with GCM
-
AES 192 with GCM
-
AES 256 with GCM
Learn more about configuring encryption algorithms in Configuring web session management settings.
Configure the SameSite=Strict attribute on web session cookies
New PA-15706
Added a new level of restriction to the SameSite Cookie list in advanced web session settings, SameSite=Strict. The SameSite=Strict attribute provides the strongest level of cross-site request forgery (CSRF) protection, but should not be configured as the sole means of defense against CSRF.
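An added example (not PingAccess code) covering the cookie attributes introduced in this release and in 8.2: the SameSite level (None, Lax, Strict), the Partitioned attribute, and a user-agent exclusion list modelled on pa.default.cookie.attributes.partitioned.excludedUserAgentPatterns. The policy class, the regex list and the browser model are assumptions for illustration; the two constraints it enforces (SameSite=None and Partitioned both require Secure) are browser rules.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field


@dataclass
class CookiePolicy:
    """Constructed stand-in for a web session's cookie settings."""
    same_site: str = "Lax"             # "None", "Lax" or "Strict"
    partitioned: bool = False
    http_only: bool = True
    secure: bool = True
    path: str = "/"
    # Constructed regexes for user agents that mishandle Partitioned (assumption for the example).
    partitioned_excluded_ua: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.same_site not in ("None", "Lax", "Strict"):
            raise ValueError("SameSite must be None, Lax or Strict")
        if self.same_site == "None" and not self.secure:
            raise ValueError("SameSite=None requires Secure")
        if self.partitioned and not self.secure:
            raise ValueError("Partitioned requires Secure")
        self._excluded = [re.compile(p) for p in self.partitioned_excluded_ua]

    def set_cookie(self, name: str, value: str, user_agent: str = "") -> str:
        """Build the Set-Cookie header value for this policy and requesting user agent."""
        attrs = [f"{name}={value}", f"Path={self.path}"]
        if self.secure:
            attrs.append("Secure")
        if self.http_only:
            attrs.append("HttpOnly")
        attrs.append(f"SameSite={self.same_site}")
        # Withhold Partitioned only for user agents matching an exclusion pattern.
        if self.partitioned and not any(r.search(user_agent) for r in self._excluded):
            attrs.append("Partitioned")
        return "; ".join(attrs)


def sent_on_request(set_cookie: str, cross_site: bool, top_level_navigation: bool) -> bool:
    """Model whether a browser attaches the cookie: Lax allows same-site requests plus
    cross-site top-level navigations; Strict allows same-site only; None allows all."""
    m = re.search(r"SameSite=(None|Lax|Strict)", set_cookie)
    level = m.group(1) if m else "Lax"       # modern browsers default an absent attribute to Lax
    if level == "None" or not cross_site:
        return True
    return level == "Lax" and top_level_navigation
```

One practical consequence of the Strict level worth testing before rolling it out: the redirect back from the token provider after login is a cross-site top-level navigation, and a Strict cookie is not attached to it, so check the full authentication flow, not just steady-state requests, when changing the level on session or nonce cookies.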
Temporarily promote a replica admin node to the primary admin node
New PA-15707
Added two new endpoints to the replica admin console server:
- GET /adminConfig/replicaAdmin/status
- POST /adminConfig/replicaAdmin/promote
Made the following endpoints available from the replica admin console server:
- GET /adminConfig/replicaAdmins/
- GET /adminConfig/replicaAdmins/{id}
In DevOps environments, you can now temporarily promote the replica admin node through the replica admin API if the primary node is unavailable, but you must complete the Manually promoting the replica administrative node procedure to make this change permanent. This change provides greater availability for the PingAccess admin console by decreasing the amount of time it takes to promote the replica admin node. Learn more in Using the admin API to temporarily promote the replica administrative node.
Opt out of automatic URL encoding
Improved PA-15697
By default, redirect rules and rejection handlers automatically URL encode the admin input redirect URL. This could cause unexpected behavior if an application targeted by a redirect requires the URL to follow a specific format.
You can now opt out of automatic URL encoding by deselecting the Encode URL check box on a specific application resource logout or redirect response generator, redirect rule, redirect authentication challenge response generator, or redirect rejection handler. Learn more in:
Fixed NullPointerException with the rewrite content rule
Fixed PA-15612
Fixed an issue that caused a NullPointerException error when the rewrite content rule was used on a resource that returned an empty chunked response body.
Fixed an issue with the agent response returning a non-default token TTL for unprotected API resources
Fixed PA-15622
Fixed an issue that caused unprotected agent API resources to have unexpected OAuth TTL values.
Fixed an issue with accessing global unprotected resources
Fixed PA-15692
Fixed a regression issue that caused a 500 error response when accessing a global unprotected resource on a Web + API application.
Fixed issues with query parameter behavior due to automatic URL encoding
Fixed PA-15696
Fixed an issue with automatically URL encoding target redirect URLs that sometimes disrupted query parameter sort order or added a trailing = to the end of single value query parameters. This issue affected redirect rules, redirect rejection handlers, redirect virtual resources, logout virtual resources, and redirect authentication challenge policy response generators.
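An added example (not PingAccess code) of the two encoding symptoms described in this fix and in the Opt out of automatic URL encoding item above. The naive round trip (parse the query into a dictionary, re-serialise it) reorders parameters and turns a value-less parameter such as ?debug into debug=; the second function encodes the administrator's URL while keeping order and value-less keys, and its encode flag models the Encode URL check box. Function names are assumptions for this illustration.

```python
from __future__ import annotations
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode, quote, unquote


def naive_encode(url: str) -> str:
    """The kind of round trip that causes the problems: parse to a dict, then re-serialise."""
    p = urlsplit(url)
    params = dict(sorted(parse_qsl(p.query, keep_blank_values=True)))
    # urlencode also turns spaces into '+', which a target application may not expect.
    return urlunsplit((p.scheme, p.netloc, quote(p.path), urlencode(params), p.fragment))


def encode_redirect_url(url: str, encode: bool = True) -> str:
    """Percent-encode path and query while preserving parameter order and value-less keys.
    With encode=False the administrator's string is passed through untouched (the opt-out)."""
    if not encode:
        return url
    p = urlsplit(url)
    parts = []
    for raw in (p.query.split("&") if p.query else []):
        key, has_value, value = raw.partition("=")
        # unquote first so already-encoded input is not double-encoded (idempotent).
        k = quote(unquote(key), safe="")
        if has_value:
            parts.append(f"{k}={quote(unquote(value), safe='')}")
        else:
            parts.append(k)            # no '=' appended to a value-less parameter
    path = quote(unquote(p.path), safe="/")
    return urlunsplit((p.scheme, p.netloc, path, "&".join(parts), p.fragment))
```

When a target application is sensitive to the exact redirect string (signed return URLs, parameter order used as input to a hash), the opt-out is the safer choice, but it also means the URL is emitted exactly as typed, so review the value for characters that the browser would otherwise not accept.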
Fixed admin JWKS endpoint returning a 401 or 500 response instead of the OAuth key set
Fixed PA-15723
Fixed an issue that caused PingAccess to override existing handling for the /pa/oauth/JWKS endpoint for the admin listener with the engine self-registration handler, prompting requests made to the endpoint to result in 401 unauthorized responses or 500 internal server errors.
PingAccess 8.0.5 (October 2024)
Create custom log level categories
New PA-15743
Add a custom log level category and manage its verbosity in the admin console. Learn more in Creating custom log level categories.
PingAccess 8.0.4 (August 2024)
Fixed a security vulnerability with URL-encoded characters
Security PA-15776
Added the pa.uri.canonicalize parameter to the Configuration file reference to fix a security vulnerability. Learn more in an upcoming security advisory.
Opt out of automatic URL encoding
Improved PA-15697
By default, redirect rules and rejection handlers automatically URL encode the admin input redirect URL. This could cause unexpected behavior if an application targeted by a redirect requires the URL to follow a specific format.
You can now opt out of automatic URL encoding by deselecting the Encode URL check box on a specific application resource logout or redirect response generator, redirect rule, redirect authentication challenge response generator, or redirect rejection handler. Learn more in:
Set response headers for OAuth errors
Improved PA-15764
Added the oauth.error.headers and oauth.error.header.Content-Security-Policy parameters to the Configuration file reference.
Fixed issues with query parameter behavior due to automatic URL encoding
Fixed PA-15696
Fixed an issue with automatically URL encoding target redirect URLs that sometimes disrupted query parameter sort order or added a trailing = to the end of single value query parameters. This issue affected redirect rules, redirect rejection handlers, redirect virtual resources, logout virtual resources, and redirect authentication challenge policy response generators.
Fixed admin JWKS endpoint returning a 401 or 500 response instead of the OAuth key set
Fixed PA-15723
Fixed an issue that caused PingAccess to override existing handling for the /pa/oauth/JWKS endpoint for the admin listener with the engine self-registration handler, prompting requests made to the endpoint to result in 401 unauthorized responses or 500 internal server errors.
PingAccess 8.0.2 (April 2024)
Configure CEF logging
New PA-15703
Enable PingAccess to write any of its five audit logs in Common Event Format (CEF). Learn more in Writing audit logs in Common Event Format.
PingAccess 8.0.1 (March 2024)
Improved request header security
Security PA-15610
Fixed an issue with connection request header handling. Learn more in SECADV045.
Fixed NullPointerException with the rewrite content rule
Fixed PA-15612
Fixed an issue that caused a NullPointerException error when the rewrite content rule was used on a resource that returned an empty chunked response body.
PingAccess 8.0 (December 2023)
PingAccess 8.0 upgrade notice - removed H2 dependency
Info PA-15358
If you have PingAccess 6.2 or below, you cannot upgrade directly to PingAccess 8.0. You must upgrade to a version above 6.2 first, and then upgrade to 8.0.
This is because in PingAccess 8.0, an outdated H2 JAR file was removed, and PingAccess 6.2 and below use an H2 embedded database.
Implement device profiling for PingOne Protect
New PA-15374
If you’re using the PingOne Protect integration, you can now enable device profiling to implement attribute-based access control (ABAC) and enforce a complete zero trust strategy with PingAccess and PingOne Protect. You can:
- Set stricter constraints around when to perform a new risk evaluation.
- Automatically perform a new device profile collection and risk evaluation when an end user’s IP address changes.
- Include device-related predictor types in the PingOne risk policy that you use for risk evaluation, including user and event behavior analytics and bot detection risk predictors. This enables you to use the default PingOne risk policy without needing to make any modifications and to trigger enforcement strategies like step-up authentication if abnormal device settings are detected.
Learn more about enabling device profiling in PingAccess in Risk policy field descriptions. Learn more about PingOne predictor types in Risk policies.
Device profile collection adds the device profile to the user’s browser as cookies, which are sent to PingAccess during subsequent requests. These cookies are usually 8192 bytes in size. Before enabling device profiling, you should increase the
Use and validate OAuth 2.0 DPoP-bound access tokens
New PA-15517
Added the ability to use OAuth 2.0 Demonstrating Proof of Possession (DPoP) capabilities in a resource server role. This enables you to meet potential FAPI 2.0 Advanced Profile authorization server requirements in the future and prevent fraudulent access token usage.
You won’t be able to use DPoP with PingAccess unless both the OAuth API client and the token provider support DPoP as well. As a security best practice, keep the value of the DPoP Proof Lifetime (SEC.) field low and consistent with the DPoP implementation of your API client anywhere that you configure DPoP settings in PingAccess.
Enable DPoP-bound access tokens in your token provider or admin token provider configuration. You can also override the global DPoP settings in your API authentication settings, or at the application or resource level for an API or Web + API application. For more information, see:
- If you’re using PingFederate as the token provider, see Configuring OAuth resource servers. You must use PingFederate 11.3 or later.
- If you’re using PingOne as the token provider, see Configuring PingOne.
- If you’re using a common token provider, see Configuring OAuth authorization servers.
- To configure DPoP in your admin token provider settings, see Configuring an admin token provider.
- To override the global DPoP settings for API authentication, see Configuring API authentication.
- To override the global DPoP settings at the application level, see Application field descriptions.
- To override the global DPoP settings at the resource level, see Adding application resources.
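The resource-server side of DPoP described above, as an added example (not PingAccess code). Given an access token whose cnf.jkt names the client key's thumbprint and the DPoP proof presented with it, the verifier checks that the proof is a dpop+jwt signed with an asymmetric algorithm, that the embedded JWK matches cnf.jkt (RFC 7638 thumbprint), that htm and htu match this request, that iat is within the proof lifetime (the setting the DPoP Proof Lifetime (SEC.) field controls), that ath hashes the presented token, and that jti has not been replayed. Assumptions: the access token's claims arrive already validated, and the proof's asymmetric signature is checked by a caller-supplied verify_signature callable, since an EC/RSA JOSE implementation is outside the standard library; the key and proof used in the test are constructed.

```python
from __future__ import annotations
import base64
import hashlib
import json
import time
from typing import Callable
from urllib.parse import urlsplit, urlunsplit

ASYMMETRIC_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES384", "ES512", "EdDSA"}


def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, lexically ordered, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    members = required.get(jwk.get("kty"))
    if members is None or "d" in jwk or any(m not in jwk for m in members):
        raise ValueError("unsupported, incomplete or private JWK")
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def normalize_htu(uri: str) -> str:
    """htu is compared without query or fragment; scheme and host are case-insensitive."""
    p = urlsplit(uri)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, "", ""))


class DpopVerifier:
    def __init__(self, verify_signature: Callable[[dict, bytes, bytes], bool], lifetime_sec: int = 60):
        self.verify_signature = verify_signature   # (jwk, signing_input, signature) -> bool
        self.lifetime = lifetime_sec
        self.seen_jti: dict[str, float] = {}       # replay cache, pruned to the lifetime window

    def verify(self, proof: str, access_token: str, token_claims: dict,
               method: str, uri: str, now: float | None = None) -> dict:
        now = time.time() if now is None else now
        h_b64, p_b64, s_b64 = proof.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
        if header.get("typ") != "dpop+jwt" or header.get("alg") not in ASYMMETRIC_ALGS:
            raise ValueError("not a DPoP proof or non-asymmetric alg")
        jwk = header.get("jwk")
        if not jwk or jwk_thumbprint(jwk) != token_claims.get("cnf", {}).get("jkt"):
            raise ValueError("proof key does not match the token's cnf.jkt binding")
        if not self.verify_signature(jwk, f"{h_b64}.{p_b64}".encode(), b64url_decode(s_b64)):
            raise ValueError("bad proof signature")
        if claims.get("htm") != method.upper() or normalize_htu(claims.get("htu", "")) != normalize_htu(uri):
            raise ValueError("proof is for a different request")
        iat = claims.get("iat")
        if not isinstance(iat, (int, float)) or not (now - self.lifetime <= iat <= now + self.lifetime):
            raise ValueError("proof outside the lifetime window")
        if claims.get("ath") != b64url(hashlib.sha256(access_token.encode()).digest()):
            raise ValueError("ath does not match the presented token")
        jti = claims.get("jti")
        self.seen_jti = {j: t for j, t in self.seen_jti.items() if t > now - self.lifetime}
        if not jti or jti in self.seen_jti:
            raise ValueError("replayed or missing jti")
        self.seen_jti[jti] = now
        return claims
```

The lifetime window is what bounds the replay cache: a jti only needs to be remembered for as long as a proof carrying it would still be accepted, which is why a short, client-consistent lifetime keeps both the replay surface and the cache small. In a cluster the cache must be shared between engine nodes, or a proof can be replayed against a node that has not seen it.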
Configure Microsoft Azure AD as a common token provider when protecting an API application
New PA-15369
PingAccess has made common token provider configuration more flexible:
- When you’re configuring the OAuth authorization server for a common token provider, the Introspection Endpoint field is now required only if you configure a remote access token validator on your PingAccess application.
- When you’re configuring an application, before you can select a remote access token validator from the Access Validation list, you must configure an Introspection Endpoint on the OAuth Authorization Server tab.
This increased flexibility enables you to configure Azure AD as the common token provider for protected API applications.
Because Azure AD doesn’t have an
Filter applications by SPA support status
New PA-15375
- Added the ability to filter your applications by their SPA support status. For more information, see Editing an application.
- Added the SPA Support property to the Properties tab on PingAccess applications. You can now check whether an application has SPA support enabled by expanding the application instead of having to expand and open it.
Configure static signing keys for Private Key JWT
New PA-15376
By default, private key JWT OIDC code flow uses dynamic keys managed automatically by PingAccess. You can now opt to use static keys instead if you want to control key rotation yourself. For more information, see Configuring static signing keys.
PingAccess currently only supports JWT signing with static keys, but might support encryption in the future.
You can:
- Enable static keys and select a signing key from your list of configured key pairs on a new page in the administrative console, Static OAuth/OIDC Keys. Then select a Signing Algorithm on the associated web session.
- Complete your static key configuration at the token provider. Click View Metadata on the Static OAuth/OIDC Keys page to retrieve your JWKS information and submit this information to your token provider. Alternately, use the PingAccess admin API endpoint GET /staticKeys/JWKS to retrieve your JWKS information. You must update your JWKS information at the token provider because static and dynamic keys use different JWKS endpoints in PingAccess.
For example, if you’re using PingFederate as the token provider, you must update the JWKS URL field in your configured OAuth client.
Use Microsoft SQL Server 2022 for audit event storage
New PA-15510
Added support for Microsoft SQL Server 2022 to enable migration to SQL server versions included in Microsoft’s mainstream support policy.
Use Server-Sent Events (SSE) to push information from protected resource servers to web clients
New PA-15511
Qualified support for server-sent events (SSE) in PingAccess. You can use WebSockets or SSE to facilitate communication between the requesting client and a protected site. SSE pushes real-time updates in one direction, from server to client, whereas WebSockets uses bidirectional communication.
Follow the defined standards to signal PingAccess to establish an SSE connection to the backend server and listen for real-time events, such as:
After it receives the appropriate header from either the backend server or the client request, PingAccess establishes an SSE connection to the backend server when it grants a user access to a protected resource. PingAccess processes and acts on each event it receives from the backend server, then pushes an update to the client through a separate SSE connection.
Configure Microsoft Azure AD as the token provider for administrative API OAuth
New PA-15518
Added support for OAuth tokens created by Microsoft Azure AD for administrative API OAuth. This improves account security for administrators with Microsoft Azure AD configured as the token provider and enables administrators to use their own accounts to make PingAccess API changes. Relaxed the following PingAccess requirements:
- If you’re using either a common token provider or administrative token provider configuration, you can now use a local access token validator to bypass administrative API OAuth validation that checks whether the token provider supports the introspection endpoint. This is necessary because Microsoft Azure AD does not have an introspection endpoint.
- If the administrative token is validated by a local access validator, the administrative API OAuth no longer enforces whether an administrative token contains a scope claim with a configurable value, because Microsoft Azure AD uses the scp claim instead.
Map SAML tokens as HTTP request headers
New PA-15525
Added the ability to map the SAML token received from a SAML token mediator site authenticator to an HTTP request header that you specify instead of mapping the token as a request cookie. For more information, see the Logged In Header Name field.
Choose a case-matching strategy for Admin SSO and OAuth roles
New PA-15527
You can now choose a case-matching strategy for administrative single sign-on and OAuth roles, not just web session attribute rules. Selection options are:
- Case-sensitive
- Case-insensitive
- DN matching
For more information, see Configuring API authentication and Configuring admin UI SSO authentication.
Updated PingAccess documentation link to be version-specific
Improved PA-15378
Updated the Help icon link in the administrative console that takes you to the PingAccess documentation. In PingAccess 8.0 forward, this link will now take you to the version of the documentation that matches the version of PingAccess that you’re using.
Improved error message for configuring a risk policy with invalid data
Improved PA-15399
Improved an error message caused by sending an admin API request to create or update a risk policy with invalid or missing data. The error message no longer returns a NullPointerException error.
Removed non-system fonts
Improved PA-15529
Removed old fonts from the PingAccess administrative console to improve user experience.
Fixed inaccurate OAuth endpoint description in the PingAccess administrative API documentation
Fixed PA-15241
Fixed inaccurate reference to the OAuth authorization server as the OpenID Connect provider in the DELETE method of the oauth/authServer endpoint.
Fixed SniHandlerConfigBuilder parameter keystore type declaration
Fixed PA-15270
Fixed an issue that caused the SniHandlerConfigBuilder to fail to declare a specific keystore type for the PingAccess SslContext server, which could result in PingAccess taking longer to start up if the target JVM’s default keystore type was PKCS#12.
The SniHandlerConfigBuilder now specifically declares JKS as the keystore type to prevent unexpected performance losses.
Fixed UI rendering issue when optional field is missing from plugin
Fixed PA-15273
Fixed an issue that caused the PingAccess administrative console UI to fail to render if a newly added configuration field was missing from the plugin data that was saved previously.
For more information, see create your own plugins.
Fixed a race condition resulting in null values for replication data
Fixed PA-15380
Fixed an issue that caused unexpected behavior in PingAccess if you deleted an entity while a clustered console node was preparing a replication payload to share with other nodes in the cluster. Some examples of this unexpected behavior included:
- Hibernate throwing EntityNotFoundException errors.
- PingAccess adding null objects to the replication payload. This behavior didn’t always register as an error in the administrative console, but could still cause the replication data readers to throw exception errors.
Fixed UI rendering breakage when using Groovy script fields in composite plugin fields
Fixed PA-15381
Fixed an issue that caused the PingAccess administrative console UI to display a blank page if you attempted to configure a Groovy script field within a plugin entity in a composite field.
For more information, see create your own plugins.
Fixed form data registration of list fields in composite plugin fields
Fixed PA-15382
Fixed an issue that caused list fields embedded in composite plugin fields to register improperly in the form data for the PingAccess administrative console UI.
For more information, see create your own plugins.
Fixed object ID override of key pairs and certificates imported through the administrative API
Fixed PA-15386
Fixed an issue that caused PingAccess to replace object IDs defined on key pairs or certificates imported through the administrative API with an auto-generated object ID.
Additionally, the POST /keyPairs/import and POST /certificates API models have been updated to include more information on how to assign an ID for these object types.
Fixed log category preferences not sticking on restart
Fixed PA-15390
Fixed an issue that caused PingAccess to reset an environment’s configured log setting categories on startup.
Fixed early expiration of cached PingOne Protect risk evaluation results
Fixed PA-15396
Fixed an issue with the PingOne Protect integration that caused PingAccess to calculate expiration values for cached risk evaluation results in milliseconds instead of seconds. This unexpected input value was disabling token caching after making a risk evaluation because PingAccess was receiving a false positive result that the risk evaluation cache data had expired.
Fixed Azure AD access token validation issue
Fixed PA-15496
Azure AD creates an Application (Client) ID value that exceeds 36 characters and automatically assigns that value as the Audience value in the access token. This prevented PingAccess from validating Azure AD access tokens because PingAccess previously accepted a maximum of 32 characters for an Audience value.
PingAccess can now accept a longer Audience value.
Fixed replication configuration identifiers updating before configuration changes were applied
Fixed PA-15506
Fixed an issue that caused PingAccess engine or replica admin nodes to update their replication configuration identifier before they had finished integrating changes into their runtime configuration. This would result in nodes using stale configuration information until a new configuration change event happened.
Fixed exclusion of admin API OAuth configuration from bulk export
Fixed PA-15537
Fixed an issue that caused admin API OAuth settings to be excluded from bulk export operations if you configure admin API OAuth with an access token validator but haven’t set client credentials.
Fixed import failure caused by multiple trusted certificates in configuration
Fixed PA-15568
Fixed an issue that could cause PingAccess configuration imports to fail if you had multiple trusted certificates configured in your environment.
Spurious errors when installing PingAccess as a Windows service
Issue
When installing PingAccess as a Windows service using Windows PowerShell and Java 8, the error message Could not find or load main class can be safely ignored.
Zero downtime upgrade limitation
Issue PAPQ-1034
PingAccess 6.3 deployments that use the Sideband API feature cannot be upgraded using the zero downtime upgrade procedure. You must use a planned outage to upgrade such an environment.
TLS 1.3 limitation
Issue STAGING-8707
PingAccess may have difficulty maintaining TLS 1.3 connections when using JDK 11.0.0, 11.0.1, or 11.0.2 because of a defect in those versions. This might cause upgrades to fail on systems using these versions.
IPv6 limitation
Issue PA-1894
IPv6 literals in the Host header are handled incorrectly. Note that IPv6 is not currently supported.
Request preservation not supported with Safari private browsing
Issue PA-2896
Request Preservation is not supported with Safari Private Browsing.
Engine and Admin Replica connection issue
Issue PA-4888
Engines and admin replicas do not connect to admin console if a combination of IP addresses and DNS names are used.
Token processor issue
Issue PA-6262
The token processor can’t connect to a JWKS endpoint via SSL when an IP address is used rather than a hostname. To work around this issue, add the hostname as a subject alternative name on the key pair.
Unread message body handling
Issue PA-7068
In custom PingAccess plugins, using com.pingidentity.pa.sdk.http.Message#setBody or com.pingidentity.pa.sdk.http.Message#setBodyContent directly on an exchange’s Response object to modify content from the backend can put PingAccess connections into indeterminate states. The workaround is to:
- Either make a new instance or a copy of the Response object and modify the body content in the copy.
- Call com.pingidentity.pa.sdk.http.Exchange#setResponse with the new or copied request and response objects.
com.pingidentity.pa.sdk.http.Exchange#setResponse discards the pending response body from the backend immediately. In a future release, a fix will be added to discard the response body only when PingAccess writes the response to the frontend.
Firefox limitation for time range rules
Issue PA-8651
Firefox does not correctly support the HTML5 time tag. When using the time range rule, enter time in 24-hour format.
Risk-based authorization rule issue during upgrade
Issue PA-10505
Upgrades will fail with a risk-based authorization rule if a third-party service is not used in the rule.
Virtual hosts with shared hostnames retention issue
Issue PA-11390
If you create multiple virtual hosts with a shared hostname and associate the hostname with a server key pair, the virtual hosts retain the connection with the server key pair even if they are subsequently renamed. The virtual host must be deleted and recreated to remove the association.
Asynchronous front-channel logout issue
Issue PA-12647
Asynchronous front-channel logout might fail in some browsers depending on end-user settings. See https://support.pingidentity.com/s/article/Managing-Single-Log-Out-in-different-browsers for browser-specific workarounds.
Invalid special characters permitted in identity mappings
Issue PA-13214
Invalid special characters ((),/;<=>?@[\]{}") can be added to the certificate to Header Mapping field in an identity mapping. Adding this identity mapping to an application will cause 400 errors when the application is accessed.
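As an added example (not from the release notes or the product), a small Python pre-check that flags header names containing those separators before an identity mapping is attached to an application. The export structure it reads is an assumed shape, not PingAccess’s real export schema.

```python
import json
import re
from typing import Dict, List

# Characters the release note lists as accepted by the admin UI but
# rejected at request time (HTTP 400) once the mapping is in use.
REJECTED = set('(),/;<=>?@[\\]{}"')

# RFC 7230 "token" characters: the only characters legal in a header name.
TOKEN_RE = re.compile(r"^[-!#$%&'*+.^_`|~0-9A-Za-z]+$")


def offending_chars(header_name: str) -> List[str]:
    """Return each distinct character that makes header_name an invalid
    HTTP field name, in order of first appearance ([] means valid)."""
    if not header_name:
        return ["<empty>"]
    if TOKEN_RE.match(header_name):
        return []
    seen: List[str] = []
    for ch in header_name:
        if (ch in REJECTED or not TOKEN_RE.match(ch)) and ch not in seen:
            seen.append(ch)
    return seen


def check_identity_mappings(export_json: str) -> Dict[str, List[str]]:
    """Scan an identity-mapping export (assumed shape, see SAMPLE_EXPORT) and
    report every header name that would cause 400 errors at runtime."""
    doc = json.loads(export_json)
    problems: Dict[str, List[str]] = {}
    for mapping in doc.get("items", []):
        config = mapping.get("configuration", {})
        for entry in config.get("attributeHeaderMappings", []):
            name = entry.get("headerName", "")
            bad = offending_chars(name)
            if bad:
                problems[f"{mapping.get('name', '?')}:{name}"] = bad
    return problems


# Constructed sample input; field names are an assumption, not the real schema.
SAMPLE_EXPORT = json.dumps({
    "items": [{
        "name": "cert-mapping",
        "configuration": {"attributeHeaderMappings": [
            {"headerName": "X-Subject-DN"},
            {"headerName": "X-Cert(CN)"},
            {"headerName": "X-Cert@Issuer"},
        ]},
    }]
})
```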
UI failure when assigning new key pair
Issue PA-13500
Assigning a new key pair to the Admin HTTPS listener if the browser does not trust the new key pair can prevent the UI from functioning. The workaround is to close the browser and re-open it so that all connections to the admin node use the new certificate.
Slow restarts in FIPS mode
Issue PA-14239
If PingAccess is repeatedly stopped and restarted in FIPS mode, subsequent restarts can take up to 5 minutes to complete. The workaround is to use a tool such as rng-tools to refresh /dev/random and make more entropy available faster. For example:
sudo yum install rng-tools
sudo rngd -b
Cloud HSM limited in Java8u261
Issue PA-14414
Cloud HSM functionality works in FIPS mode but not in regular mode for Java8u261 and later. RSASSA-PSS signing algorithms fail with Java8u261 or later, and HSM vendors and core Java use different naming conventions for the RSASSA-PSS algorithm. There is a documented workaround in Adding an AWS CloudHSM provider.
Kong API limitation
Issue PA-14466
Due to an outstanding defect in the Kong API Gateway, the ping-auth plugin currently does not support requests that use the Transfer-Encoding header. If PingAccess is used as the external authorization server, the rewrite content rule can prevent the page from displaying.
Certificate revocation list memory issue
Issue PA-14621
If a client certificate has a certificate revocation list (CRL) DistributionPoint that points to an extremely large CRL, PingAccess might suffer from high memory usage leading to Out of memory (OOM) exceptions.
Spurious warning after upgrade or startup on Windows
Issue PA-14907
After starting PingAccess for the first time on a Windows system or upgrading PingAccess on a Windows system, a warning message is logged reporting that the pa.jwk file was not made non-executable. This message can be ignored.
Hibernate deadlock errors
Issue PA-14985
There are a few potential scenarios in which the PingAccess data layer might encounter deadlocks. PingAccess should be able to recover from these deadlocks, so Hibernate error logs can be ignored when followed by the log message Recovered from database deadlock with transaction retry.
Deadlock when importing applications with significant reuse
Issue PA-14978
A race condition caused by importing applications with significant reuse of virtual hosts or context roots can deadlock the Apache Derby DB.
PA-14974 added systematic deadlock handling to reattempt operations that lead to a deadlock condition in Apache Derby, but a specific fix for this deadlock scenario will be added in a future release to reduce wasted cycles and warning or error log messages.
Console Log Settings page doesn’t immediately reflect changes made in the API
Issue PA-15351
If you have the administrative console and API open at the same time and you’re on a console page that isn’t Log Settings, the Log Settings page won’t immediately populate any log changes that you make in the API.
To work around this issue, go to the Log Settings page. Perform a hard refresh, or go to another page and then return to Log Settings.
Mutual TLS with TLS 1.3 might not work with some target servers
Issue PA-15449
Mutual TLS with a backend site that requires post-handshake authentication is not supported when using TLS 1.3. Current workaround options are to remove the requirement for post-handshake authentication from the backend site or to disable TLS 1.3.
SNI isn’t set up for virtual hosts only used in redirects
Issue PA-15559
Currently, SNI is only set up for virtual hosts that are actively configured in an application. This can prevent PingAccess from presenting an expected certificate for a given redirect host.
The workaround is to configure the source host in a redirect as the virtual host for a disabled PingAccess application.