Release Notes

Fixed PAZ-13013

We fixed an issue where, when using PingAuthorize Server’s API security gateway in embedded PDP mode, policy decision logging could cause memory leaks and negatively impact the performance of long-running server instances.

Fixed DS-49071

We fixed an issue where config-diff would result in an Unknown property error when comparing configuration objects of different types.

Fixed DS-49119

We fixed an issue where alert types that were disabled would still produce suppression messages.

Fixed PAZ-12145

We fixed an issue where, when making HTTP service calls, the policy decision point would incorrectly assign default values to the request body and the content-type header.

Fixed PAZ-12245

We fixed an issue where, when sending a Policy Query API request with an unbounded attribute in the query array, the system would return a 500 error status code if the unbounded attribute’s value was resolved to an empty collection.

Fixed PAZ-12752

We fixed an issue where the same request to the Policy Query API could produce inconsistent responses.

Fixed PAZ-12454

We fixed an issue where the status field of an HTTP service log message would include a status message, such as OK, rather than a status code.

Fixed PAZ-12014

We fixed an issue where, when making a service call with a PIP key store for MTLS configured and the Server (TLS) option set to None or Default, the service would incorrectly return a Client TLS certificate is required error.

Fixed STAGING-22303

We fixed an issue with the exclusion of certain headers from the cache key of cached HTTP service responses. Now, each change to these header values no longer invalidates the service response cache, and the decision engine isn’t forced to invoke the service again on subsequent requests.

Fixed PAZ-11726

We fixed an issue with the display of headers excluded from cached HTTP service responses in the Trust Framework. Now, you can navigate away from an HTTP service with caching enabled, navigate back to that service, and still see the excluded headers you originally defined.

Info

The PingAuthorize version number was incremented due to changes released for PingDirectory. There are no release notes for this version of PingAuthorize.

New

With the new Policy Query API, you can now issue decision requests containing valueless and multivalued attributes to receive decisions more complex than Permit or Deny, enabling you to dynamically drive user interfaces. For more information, see Policy queries.

New

To improve decision evaluation performance and reduce latency, you can cache dynamic service response values for faster retrieval on subsequent requests. When enabling caching for HTTP services, you can exclude certain headers from the service response. This prevents invalidation of the cache when values of those headers change. For more information, see Service caching.

New

To build your authorization logic more efficiently, you can make editable copies of attribute resolvers. For more information, see Copying elements.

New

To control the granularity of policy evaluation, you can disable rules in policies. This causes the decision engine to skip disabled rules during policy evaluation and allows you more flexibility in testing and deployment of policy logic. For more information, see Creating policies and policy sets.

Info

Although Camel services have been removed from the default PingAuthorize configuration, you can now enable Camel version 3.21.2 if your policies depend on such services. For more information, see Apache Camel availability

Info

We have added support for Java 17 and removed support for Java 8. For more information, see System requirements. For information on upgrading from a PingAuthorize instance installed with Java 8, see Upgrade considerations introduced in PingAuthorize 10.0.

Info PAZ-10754

To avoid HTTP 400 responses when SNI hostname checks fail, these checks are now disabled by default for the PingAuthorize server and Policy Editor. We added a new setup option, --disableSniHostnameChecks, to control whether PingAuthorize performs this check. For important considerations when upgrading from a previous version and attempting to reuse your configuration, see Upgrade considerations introduced in PingAuthorize 10.0.

Info PAZ-1795

We have disabled the OIDC Implicit flow implementation in the Policy Editor because the OAuth Working Group no longer recommends its use. In its place, you should use the Authorization Code with PKCE flow. For more information, see Configuring an OIDC provider for single sign-on requests from PingAuthorize.

Improved

We added two database indexes to the db-cli module to improve performance when querying the CurrentEntityVersion and EnetityRelationship tables.

Fixed PAZ-8473

We fixed an issue where requests to create SCIM entries were not always observing the case-exact=false property, leading to incorrect case-sensitivity errors.

Fixed PAZ-10643

We fixed an issue where the decision engine only checked if an attribute cache entry had expired when accessing that entry, leading to Out of Memory errors. Now, attribute caching uses the Redis library directly, allowing a unique Time to Live (TTL) for each cache entry. Redis instances invalidate cache entries once the TTL has elapsed, rather than when the entries are accessed. For more information, see Attribute caching.

Fixed PAZ-6335

We fixed an issue, where, in the Response tab of policy testing, the root-level statements array was not appearing if left empty in the testing scenario.

Fixed PAZ-10350

We fixed an issue where the HTTP Service Executor was not properly capturing error messages in the APP WARN logs from the policy information provider (PIP) endpoint.

Fixed DS-47655

We fixed the check-replication-domains tool so that the --serverRoot argument is no longer required. This argument now defaults to the server’s root directory.

Fixed DS-45206

We fixed an issue where running dsjavaproperties --initialize would append duplicate arguments to the common.java-args in the java.properties file.

Fixed DS-47455

We fixed an issue where a NullPointerException error occurred when an alert or alarm was raised, and one more of the alert handlers was not configured. An alert notification is now recorded in logs/errors instead.

Fixed DS-46312

We fixed an issue where TLS timeouts prevented LDAP Request Handlers from responding to client requests. The request-handler-per-connection configuration property is now available for LDAP and LDAPS Connection Handlers.