PingGateway

Release notes

These release notes cover multiple versions of PingGateway software. They are designed to make it easier to upgrade, especially when you are skipping releases.

Some older versions have reached the end of support (EOS) or end of life (EOL). Find out more from Product Support Lifecycle Policy | PingGateway and Agents. If you are still running an EOL version, upgrade as soon as possible to an actively maintained version.

PingGateway integrates web applications, APIs, and microservices with the Ping Identity Platform. Based on reverse proxy architecture, PingGateway enforces security and access control.

What's New

Discover new features.
Requirements

Check prerequisites.
Compatibility

Review incompatible changes.
Fixes

Review bug fixes, limitations, known issues.
Support

Get support and training.

Name changes for ForgeRock products

Product names changed when ForgeRock became part of Ping Identity.

The following name changes have been in effect since early 2024:

Old name New name

ForgeRock Identity Cloud

PingOne Advanced Identity Cloud

ForgeRock Access Management

PingAM

ForgeRock Directory Services

PingDS

ForgeRock Identity Management

PingIDM

ForgeRock Identity Gateway

PingGateway

Learn more about the name changes in New names for ForgeRock products in the Knowledge Base.

Requirements

Ping Identity supports customers using the versions specified here. Other versions and alternative environments might work as well. When opening a support ticket for an issue, however, make sure you can also reproduce the problem on a combination covered here.

Downloads

Download product software from the BackStage download site:

File Description

PingGateway-2024.11.0.zip

Cross-platform distribution including all software components.

PingGateway-sample-application-2024.11.0.jar

Web application for testing PingGateway configurations

For information about using the Docker image provided with the product software, refer to PingGateway’s Deploy with Docker.

Operating systems

Supported operating systems
PingGateway version

Vendor

7.2

2023.11

2024.3

2024.6

2024.9

2024.11

Amazon Linux

(Not supported)

2, 2023

Red Hat Enterprise Linux

7, 8

7, 8, 9

Centos OS

7

Ubuntu LTS

20.04

22.04, 20.04

Windows Server

2016, 2019

2016, 2019, 2022

SUSE Linux Enterprise

12, 15

Rocky Linux

(Not supported)

9.x

Java

PingGateway supports OpenJDK, including OpenJDK-based distributions:

  • AdoptOpenJDK/Eclipse Adoptium

  • Amazon Corretto

  • Azul Zulu

  • Red Hat OpenJDK

Eclipse Adoptium is tested most extensively.

Supported Java versions

PingGateway version

7.2

2023.11

2024.3

2024.6

2024.9

2024.11

Java version

11

17, 11

21, 17

Recommendations:

  • Use the HotSpot JVM.

  • Keep your Java installation updated with the latest security fixes.

  • Java 11 is the earliest long-term supported (LTS) Java version for IG 2023.11 and earlier versions. Earlier versions of Java don’t contain required cryptography fixes. If you are using an earlier version of Java, secure your installation.

HTTP protocol

HTTP/1.1 and HTTP/2.0 are supported. HTTP/1.0 is not supported.

FQDNs

PingGateway replication requires use of fully qualified domain names (FQDNs), such as ig.example.com.

Hostnames like example.com are acceptable for evaluation. In production, and when using replication across systems, you must either ensure DNS is set up correctly to provide FQDNs, or update the hosts file (/etc/hosts or C:\Windows\System32\drivers\etc\hosts) to supply unique, FQDNs.

Certificates

For secure network communications with client applications that you do not control, install a properly signed digital certificate that your client applications recognize, such as one that works with your organization’s PKI, or one signed by a recognized CA.

To use the certificate during installation, the certificate must be located in a file-based keystore supported by the JVM (JKS, JCEKS, PKCS#12), or on a PKCS#11 token. To import a signed certificate into the server keystore, use the Java keytool command.

Third-party software for encryption

Bouncy Castle is required for signature encryption with RSASSA-PSS or Deterministic ECDSA. For information, refer to The Legion of the Bouncy Castle.

Third-party software

Ping Identity provides support for using the following third-party software when logging common audit events:

Software Version

Java Message Service (JMS)

2.0 API

MySQL JDBC Driver Connector/J

8 (at least 8.0.19)

Splunk

8.0 (at least 8.0.2)

Elasticsearch and Splunk have native or third-party tools to collect, transform, and route logs. Examples include Logstash and Fluentd.

Use these alternatives if possible. These tools have advanced, specialized features focused on getting log data into the target system. They decouple the solution from the Ping Identity Platform systems and version, and provide inherent persistence and reliability. You can configure the tools to avoid losing audit messages if a Ping Identity Platform service goes offline, or delivery issues occur.

These tools can work with common audit logging:

  • Configure the server to log messages to standard output, and route from there.

  • Configure the server to log to files, and use log collection and routing for the log files.

Ping Identity provides support for using the following third-party software when monitoring servers:

Software Version

Grafana

5 (at least 5.0.2)

Graphite

1

Prometheus

2.0

For hardware security module (HSM) support, Ping Identity Platform software requires a client library that conforms to the PKCS#11 standard v2.20 or later.

Studio browser

Many browsers are tested with Studio, including the latest stable version of Chrome.

Features requiring later versions of AM

Feature Minimum version of AM

Session cache eviction.

AM 7.3, available after the IG 2023.2 release

OAuth2TokenExchangeFilter.

AM 7.1

Support for refresh of idle sessions when the SingleSignOnFilter is used for authentication with AM. For more information, refer to the sessionIdleRefresh property of AmService.

AM 6.5.3

Eviction of revoked OAuth 2.0 access tokens from the cache. Learn more from CacheAccessTokenResolver, and the cache property of OAuth2ResourceServerFilter.

AM 6.5.3

Support for OAuth 2.0 Mutual TLS (mTLS). Learn more from ConfirmationKeyVerifierAccessTokenResolver and Validate certificate-bound access tokens.

AM 6.5.1

What’s new

What’s new in PingGateway 2024.11

Device profile support for risk evaluation

PingGateway now supports gathering device profile data from the user-agent and including the profile data in PingOne Protect risk evaluation requests.

Learn more in PingOne Protect integration.

PKCE support for OAuth 2.0 clients

The AuthorizationCodeOAuth2ClientFilter and ClientRegistration configurations now support RFC 7636: Proof Key for Code Exchange by OAuth Public Clients (PKCE).

PKCE is enabled by default and recommended. To disable it, set "pkce_method": "none" or "pkceMethod": "none" as described in the reference documentation.

Graceful shutdown

The stop.sh and stop.bat scripts now accept additional arguments to change how long the script waits before forcing the PingGateway process to terminate.

Learn more in Graceful shutdown.

Lifetime for CDSSO sessions

The CrossDomainSingleSignOnFilter now has a "lifetime" setting to configure the duration after which PingGateway removes the initial CDSSO authentication session state.

Propagate disconnections

PingGateway now supports a ClientHandler and ReverseProxyHandler "propagateDisconnection" setting to reset the connection to the protected application when the user-agent disconnects and PingGateway is in streaming mode.

Support for DER certificates

PingGateway now supports a derCertificate(string) function to convert a base64-encoded DER-format string into a certificate.

More flexible AmSessionIdleTimeoutFilter settings

A new "idleTimeoutUpdate": "INCREASE_ONLY_THEN_ALWAYS" setting for AmSessionIdleTimeoutFilters lets you enforce the longest timeout of either the idle timeout from the current filter or the tracking token, and then set the tracking token timeout to the idle timeout of the filter.

PingGateway uses the updated tracking token on the next interaction with an AmSessionIdleTimeoutFilter. The next AmSessionIdleTimeoutFilter filter can use a different "idleTimeoutUpdate" setting, for example, to enforce a shorter idle timeout.

Support for AuthenticateToTreeConditionAdvice

PingGateway now supports AM policy decision AuthenticateToTreeConditionAdvice responses.

What’s new in PingGateway 2024.9

OpenTelemetry capabilities

This release adds the ability to push traces to an OpenTelemetry service.

These capabilities are available in Technology preview. They aren’t yet supported, may be functionally incomplete, and are subject to change without notice.

Learn more in the following documentation:

Multiple versions of a secret with FileSystemSecretStore

With the new FileSystemSecretStore versionSuffix setting you can have multiple versions of a secret with the same ID.

For details, refer to FileSystemSecretStore.

Replace setting for HeaderFilter

Use the new HeaderFilter replace setting to replace headers instead of removing then adding them.

For details, refer to HeaderFilter.

Runtime exception condition for retries

The new runtimeExceptionCondition setting lets you restrict which runtime exceptions lead to retries.

Learn more in ClientHandler and ReverseProxyHandler.

Security provider setting for keystores

The new securityProvider setting lets you choose the Java security provider to use when loading a keystore.

Learn more in KeyStoreSecretStore.

Delayed route metrics creation

The new delayRouteMetrics setting lets you defer creation of route metrics until a request passes through the route. This can improve startup times for deployments with many routes.

Learn more in Router.

Separate endpoint for administration

PingGateway now lets you configure a separate endpoint for administrative connections. PingGateway is expected to require a separate administrative endpoint in a future release.

For details, refer to AdminHttpApplication (admin.json).

New PingOne Authorize example

The documentation now includes an example showing how to protect a web application with help from PingOne Authorize.

Learn more in PingOne Authorize integration.

What’s new in PingGateway 2024.6

IG becomes PingGateway

Product names changed when ForgeRock became part of Ping Identity. PingGateway was formerly known as ForgeRock Identity Gateway, for example. Learn more about the name changes from New names for ForgeRock products in the Knowledge Base.

PingOne Protect integration

You can now use PingOne Protect risk evaluations to help protect web applications. Configure PingGateway routes to react dynamically to risk scores from PingOne Protect.

PingOne Protect integration is available in Technology preview. It isn’t yet supported, may be functionally incomplete, and is subject to change without notice.

Learn more from PingOne Protect integration.

Changes to the Prometheus Scrape Endpoint

To facilitate consumption of Prometheus metrics, the format of some metrics has been updated and the new format is available on the new endpoint …​/openig/metrics/prometheus/0.0.4.

The old format and endpoint are deprecated, but for backward compatibility, they remain enabled and available by default.

The new property serveDeprecatedPrometheusEndpoint in AdminHttpApplication is available to deliver Prometheus metrics in the deprecated format. It is enabled by default.

Learn more from Metrics at the Prometheus Scrape Endpoint.

New metrics at the Prometheus Scrape Endpoint

Startup and Websocket metrics are now available at the Prometheus Scrape Endpoint. Learn more from Startup metrics at the Prometheus Scrape Endpoint and WebSocket metrics at the Prometheus Scrape Endpoint.

PingOneApiAccessManagementFilter now supported

The PingOneApiAccessManagementFilter is now supported for general use.

Hardened security for OpenID Connect ID tokens

PingGateway now supports OpenID Connect ID token validation according to the OpenID Connect specifications.

For this release, signature validation is optional. The next major release is expected to make ID token signature validation required.

The following new properties enable validation of the ID token signatures and the iss, aud, exp, iat, and nonce claims:

  • ClientRegistration:

    • skipSignatureVerification

    • clientSecretUsage

    In addition, use the clientSecretId and secretsProvider properties for HMAC-based signature validation.

  • Issuer:

    • issuer

    • secretsProvider

    • idTokenVerificationSecretId

    • idTokenSkewAllowance

Learn more from ClientRegistration configurations and Issuer configurations in Incompatible changes.

What’s new in IG 2024.3

Local authentication on behalf of PingOne Advanced Identity Cloud and Kerberos validation

The following new objects are available for local processing on behalf of PingOne Advanced Identity Cloud as part of an PingOne Advanced Identity Cloud journey:

These objects exist alongside the Technical Preview objects IdentityAssertionHandlerTechPreview, ScriptableIdentityAssertionPluginTechPreview, and IdentityAssertionPluginTechPreview introduced in the last release.

Monitoring of caches

Monitoring metrics are now available at the Prometheus Scrape Endpoint and Common REST Monitoring Endpoint for the caches described in Caches.

Learn more from Cache metrics at the Prometheus Scrape Endpoint.

Use of secrets in Studio

IG now uses secrets instead of deprecated passwords. Learn about how IG manages migration in Upgrade from an earlier version of Studio.

Use of Splunk or ElasticSearch audit event handlers in Studio

IG Studio no longer uses the deprecated Splunk or ElasticSearch audit event handlers. Learn about how IG manages migration in Upgrade from an earlier version of Studio.

Hardened security for secrets

With PingOne Advanced Identity Cloud and from AM 7.5, passwords hardcoded in the identity provider configuration can optionally be managed by the identity provider’s secret service. These passwords include the IG agent passwords and OAuth 2.0 client passwords.

IssuerRepository

An IssuerRepository is provided as a default object. Learn more from Default objects.

Dedicated filter for PingOne’s API Access Management (Technology preview)

PingOneApiAccessManagementFilter is a new filter dedicated to PingOne’s API Access Management. Use this filter with API Access Management to evaluate HTTP requests and responses.

The PingOneApiAccessManagementFilter is available in Technology preview. It isn’t yet supported, may be functionally incomplete, and is subject to change without notice.

What’s new in IG 2023.11.1

IG 2023.11.1 is a maintenance version to fix issues listed in Fixed in 2023.11.1. It contains no new features.

What’s new in IG 2023.11

Harden OAuth 2.0 access token requests

GrantSwapJwtAssertionOAuth2ClientFilter is a new filter to transform requests for OAuth 2.0 access tokens into secure JWT bearer grant type requests.

Use this filter with PingOne Advanced Identity Cloud or AM to increase the security of less-secure grant-type requests such as Client credentials grant or Resource owner password credentials grant.

For more information, refer to Secure the OAuth 2.0 access token endpoint.

Include key ID in JWT header

The new property includeKeyId is available in JwtBuilderFilter to include the ID of the signature key in the header of a built JWT.

Local processing on behalf of PingOne Advanced Identity Cloud (Technology preview)

The following new objects are available for local processing on behalf of PingOne Advanced Identity Cloud as part of an PingOne Advanced Identity Cloud journey:

The IdentityAssertionHandlerTechPreview, ScriptableIdentityAssertionPluginTechPreview, and IdentityAssertionPluginTechPreview are available in Technology preview. They aren’t yet supported, may be functionally incomplete, and are subject to change without notice.
Secret format JwkPropertyFormat

JwkPropertyFormat is a new secret format. Use it with FileSystemSecretStore to decode JSON Web Key (JWK) formatted keys into secrets.

More flexible use of CA-certificates in mutual TLS

The new property certificateVerificationSecretId is available in SecretsTrustManager to facilitate the use of CA-certificates in mutual TLS. In previous releases, the use of CA-signed certificates was more restricted.

Safeguard against accidental exposure of private keys with JwkSetHandler

The new property exposePrivateSecrets is available in JwkSetHandler to safeguard against the accidental exposure of private keys in a JWK set.

The property is false by default to prevent exposure of private keys. To expose private keys, you must now explicitly set the property to true.

SAML

Prevention of redirect loops when session cookies are not present in the SAML flow

In SamlFederationFilter, the new property redirectionMarker is enabled by default to prevent redirect loops when a session cookie isn’t present in the SAML flow.

When the marker is present in the request query parameters, the request isn’t redirected for authentication.

What’s new in IG 2023.9

Revocation of access tokens initiated by OAuth 2.0 Resource Servers

The following new properties have been added in AuthorizationCodeOAuth2ClientFilter and Issuer:

  • AuthorizationCodeOAuth2ClientFilter:revokeOauth2TokenOnLogout

  • Issuer:revocationEndpoint

In OpenID Connect, use these properties to revoke access and refresh tokens issued by Authorization Servers during login.

Logout initiated by OpenID Connect relying parties

The following new properties have been added in AuthorizationCodeOAuth2ClientFilter and Issuer:

  • AuthorizationCodeOAuth2ClientFilter:openIdEndSessionOnLogout

  • Issuer:endSessionEndpoint

In OpenID Connect, use these properties to initiate logout from Authorization Servers.

Option to require the Authorization Server to prompt the end-user to reauthenticate and consent

A new property prompt is available in AuthorizationCodeOAuth2ClientFilter.

Use the property in OIDC flows to require the Authorization Server to prompt the end user to reauthenticate and consent.

Improved error handling for AuthorizationCodeOAuth2ClientFilter

When an OAuth 2.0 authorization operation fails, the AuthorizationCodeOAuth2ClientFilter injects the error and error description into the OAuth2FailureContext. In previous releases, OAuth2FailureContext was used only for the OAuth2TokenExchangeFilter.

New context for use with AuthorizationCodeOAuth2ClientFilter to retrieve the original target URI for a request

In AuthorizationCodeOAuth2ClientFilter, retrieve the original target URI for a request from the new context IdpSelectionLoginContext.

Improved security for CrossDomainSingleSignOnFilter

When verificationSecretId in CrossDomainSingleSignOnFilter isn’t configured, IG discovers and uses the AM JWK set to verify the signature of AM session tokens. If the JWK set isn’t available, IG doesn’t verify the tokens.

In earlier releases, IG did not verify the tokens when verificationSecretId in CrossDomainSingleSignOnFilter wasn’t configured.

To minimize the risk of CDSSO token tampering, always configure verificationSecretId in CrossDomainSingleSignOnFilter.

What’s new in IG 2023.6

Large JWT session cookies are automatically split

In stateless sessions, if the JWT session cookie exceeds 4 KBytes, IG automatically splits it into multiple cookies.

If your JWT session size is too close to the value of connectors:maxTotalHeadersSize in AdminHttpApplication, IG might block your next request containing split JWT session cookies. Consider increasing the value of connectors:maxTotalHeadersSize.

For more information, refer to Stateless sessions.

JWT session cookies not compressed by default

To improve security, JWT session cookies are no longer compressed by default. For more information, refer to the useCompression property of JwtSession.

Startup allowed if there is an existing PID file

Startup can now be allowed when there is an existing PID file. When activated, IG removes the existing PID file and creates a new one during startup. In previous releases, if there was an existing PID file during startup, the startup failed.

Activate the feature in the following ways:

  • By the new property pidFileMode in AdminHttpApplication.

  • With the new configuration token ig.pid.file.mode.

For more information, refer to Allow startup when there is an existing PID file in the Installation guide and ig.pid.file.mode in the Deployment guide.

Prevention of redirect loops when session cookies are not present in the CDSSO flow

In CrossDomainSingleSignOnFilter, the new property redirectionMarker is enabled by default to prevent redirect loops when the session cookie is not present in the CDSSO flow.

When the marker is present in the request query parameters, the request is not redirected for authentication.

Regex-based alias selection in KeyStoreSecretStore and HsmSecretStore

The new property mappings:aliasesMatching in KeyStoreSecretStore and HsmSecretStore is available to map all aliases that match a regular expression to a secret ID.

Some KeyStores, such as a global Java TrustStore, can contain hundreds of valid certificates. Use this property to map multiple aliases to a secret ID without listing them all in the mapping.

Entity of StaticResponseHandler can be an array of strings

To improve readability, the entity property of a StaticResponseHandler can now be defined as an array of strings or as a string.

Maximum size for the sum of all request headers

The new property connectors:maxTotalHeadersSize in AdminHttpApplication defines the maximum size in bytes of the sum of all headers in a request. This property replaces the deprecated Vert.x properties maxHeaderSize and initialSettings:maxHeaderListSize.

Support for unencoded policy advices

To support SDK in legacy installations, a new property useLegacyAdviceEncoding in the PolicyEnforcementFilter is available to provide unencoded advices. By default, advices are encoded with the encoder used by the AM version.

The use of this property is deprecated and should be used only to support SDK in legacy installations.

Configure forward proxies for WebSocket connections

websocket:proxyOptions is a new property in ReverseProxyHandler to provide a dedicated WebSocket reverse proxy.

Improved control of WebSocket connections to AM

The following properties are now available in AmService to improve control of WebSocket connections to AM:

  • notifications:connectionTimeout

  • notifications:idleTimeout

  • notifications:vertx

What’s new in IG 2023.4

Authentication of IG agent to PingOne Advanced Identity Cloud and AM

IG agents are automatically authenticated to PingOne Advanced Identity Cloud and AM by a non-configurable authentication module. Authentication chains and modules are deprecated in PingOne Advanced Identity Cloud and AM. They are replaced by trees and journeys.

You can now authenticate IG agents to PingOne Advanced Identity Cloud and AM 7.3 with a journey. The procedure is currently optional, but will be required when authentication chains and modules are removed in a future release.

For more information, refer to Authenticate an IG agent to PingOne Advanced Identity Cloud and Authenticate an IG agent to AM.

Policy advices from PingOne Advanced Identity Cloud and AM available in a header

By default, when PingOne Advanced Identity Cloud or AM denies a request with advices, IG returns a redirect response with advices as parameters.

From this release, when the request includes the x-authenticate-response header with the value header, IG returns the response with the advices in a WWW-authentication header.

Use this method for SDKs and single page applications. Placing advices in a header gives these applications more options for handling the advices.

For information about how the header is used in policy enforcement, refer to Deny requests with advices in a header.

The x-authenticate-response header name can be configured by the new property authenticateResponseRequestHeader in PolicyEnforcementFilter.

SAML

The SamlFederationHandler is deprecated and replaced by the SamlFederationFilter.

The SamlFederationFilter can be used in a route protect a downstream application in the same way as other authentication triggering filters, such as the SingleSignOnFilter or CrossDomainSingleSignOnFilter.

When triggered, the SamlFederationFilter can initiate the login or logout of a SAML service provider with a SAML identity provider.

WebSocket connection renewal

IG can now automatically renew WebSocket connections to AM after a defined delay. For more information, refer to the notifications.renewalDelay property of AmService.

Limit side effects when backend applications are slow

ClientHandler and ReverseProxyHandler have a new property waitQueueSize to set the maximum number of outbound requests allowed to queue when no downstream connections are available. Use this property to limit memory use when there is a backlog of outbound requests, for example, when the protected application or third-party service is slow.

In previous releases, the queue size was unlimited. In this release, by default it is limited to the square of the value of the connections property.

Route ID included access audit events

The name and ID of a route is now included by default in access audit events. For more information about auditing, refer to Auditing your deployment.

What’s new in IG 2023.2

Session eviction

AM 7.3 can be configured to invalidate sessions based on user ID, and send a notification with the topic /agent/session.v2 to IG. IG can now use the notification to evict all sessions bound to the user.

This feature requires AM 7.3, which will be available after the IG 2023.2 release.
Preserve POST data during authentication

The DataPreservationFilter triggers POST data preservation when an unauthenticated client posts HTML form data to a protected resource.

For more information, refer to DataPreservationFilter and POST data preservation.

Prevent unnecessary session expiry

When the AmService property sessionIdleRefresh is enabled, IG now requests session refresh:

  • The first time IG gets an SSO token from AM, irrespective of the age of the token

  • When sessionIdleRefresh.interval has elapsed

In previous releases, IG requested session refresh only after sessionIdleRefresh.interval elapsed. If IG got an SSO token that was close to its maximum idle time, the token could expire before sessionIdleRefresh.interval elapsed and IG triggered a refresh.

CapturedUserPasswordFilter supports secret rotation

When relying on a SecretsProvider to retrieve the shared key required by the CapturedUserPasswordFilter, you can now rotate a secret without reloading the filter if the underlying secret store supports secret rotation.

KeyStoreSecretStore allows unprotected KeyStores

KeyStoreSecretStore can now use KeyStores that are not password-protected. In previous releases, KeyStores had to be password-protected.

Delay destroying HttpClientHandlerHeaplets during shutdown

When IG is cleanly shut down, the destruction of HttpClientHandlerHeaplets is now delayed until after all other IG heaplets are destroyed. This change allows the other IG heaplets to use HttpClientHandlerHeaplets during shut down. For example, AmService can now call logout on any agent tokens it has allocated, which can help to reduce the build up of tokens in AM.

ClientHandlers and ReverseProxyHandlers are examples of HttpClientHandlerHeaplets.

Automatic reload of FileSystemSecretStore and KeystoreSecretStore

A new property autoRefresh is available in FileSystemSecretStore and KeyStoreSecretStore to configure automatic reloaded of the secret store when a file in the filesystem is edited or deleted, or a keystore is edited or deleted.

Groovy 4

IG now uses Groovy 4 for scripting. For more information, refer to Release notes for Groovy 4.0

Expression binding now

The expression binding now gives the time since epoch at the instant the expression is evaluated. For more information, refer to Dynamic bindings.

What’s new in IG 7.2

Token exchange

Token exchange filter

OAuth2TokenExchangeFilter is a new filter to exchange a client’s access token or ID token for a new token with increased or reduced scopes, while preserving the original token subject

Connectivity with OAuth 2.0-protected third-party services

OAuth2ClientFilter renamed as AuthorizationCodeOAuth2ClientFilter.

IG provides several client authentication filters, which protect resources by using different types of information and credentials. To make it easier to differentiate between these filters, the OAuth2ClientFilter has been renamed as AuthorizationCodeOAuth2ClientFilter. For backward compatibility, the name OAuth2ClientFilter can still be used in routes.

The following client authentication filters are available to authenticate clients:

ClientCredentialsOAuth2ClientFilter uses client_secret_basic or client_secret_post

The ClientCredentialsOAuth2ClientFilter can now obtain a client’s access token, using the token endpoint authentication method client_secret_post. In previous releases, it could use only client_secret_basic.

Client authentication is now provided by the endpointHandler property of ClientCredentialsOAuth2ClientFilter, which uses ClientSecretBasicAuthenticationFilter or ClientSecretPostAuthenticationFilter. In previous releases, it was provided by the now deprecated properties clientId and clientSecretId.

ResourceOwnerOAuth2ClientFilter for services to access resources protected by OAuth 2.0.

A new filter ResourceOwnerOAuth2ClientFilter is available for services to access resources protected by OAuth 2.0, using the Resource Owner Password Credentials grant type.

Filters to support OAuth 2.0 client authentication

When processing requests or responses, IG can require access to systems such as the PingOne Advanced Identity Cloud to query user information. The following filters have been added to faciliate OAuth 2.0 client authentication to these systems, where IG is the client:

Use these filters with the following objects:

OAuth 2.0 session sharing across routes

The property oAuth2SessionKey has been added to AuthorizationCodeOAuth2ClientFilter to allow multiple applications to share the same OAuth 2.0 session.

After a resource owner gives one application protected by IG consent to use its data, they don’t need to give consent for another application protected by IG.

In previous releases, the OAuth 2.0 session was bound to the full URI of the client callback, containing the IG hostname. So it was not possible to use the same OAuth 2.0 session to access different applications.

Circuit breaking

CircuitBreakerFilter

CircuitBreakerFilter is a new filter to monitor for failures. When the failures reach a specified threshold, the CircuitBreakerFilter prevents further calls to downstream filters and returns a runtime exception.

Circuit breaker in ClientHandler and ReverseProxyHandler

A new property circuitBreaker has been added to ClientHandler and ReverseProxyHandler to provide a circuit breaker service when the number of failures reaches a configured threshold.

Stability

JwtBuilderFilter produces encrypted JWT

The JwtBuilderFilter now produces encrypted JWTs, in addition to unsigned JWTs, signed JWTs, and signed then encrypted JWTs.

JwtSession cookie compression

The property useCompression has been added to JwtSession. When a session stores large items, such as tokens, use the default value true to reduce size of the cookie that stores the JWT.

Other

Windows start script for IG in standalone mode

A script is now provided to start IG in standalone mode on Windows.

Stop scripts for IG in standalone mode

Scripts are now provided to stop IG in standalone mode, on Unix/OS X and Windows.

IG_OPTS environment variables for startup

IG_OPTS is a new environment variable to separate Java runtime options for IG startup and stop scripts with IG in standalone mode. Use IG_OPTS instead of JAVA_OPTS for all options that are not shared with the stop script.

SNI to serve different certificates for TLS Connections to different server names

In ServerTlsOptions, sni is a new property to serve different secret key and certificate pairs for TLS connections to different server names in the deployment. In previous releases, only the keyManager property was available to serve the same secret key and certificate pair for TLS connections to all server names.

Use this property when IG is acting server-side, to front multiple services or websites on the same port of a machine.

IG proxies all WebSocket subprotocols by default

In previous releases, for IG in standalone mode it was necessary to list the WebSocket subprotocols that were proxied by IG, with the vertx property of admin.json.

From this release, IG proxies all WebSocket subprotocols by default; it is not neccessary to specify protocols. If you do specify protocols, IG supports only those protocols and no others.

Configurable conditions for retries in ClientHandler and ReverseProxyHandler

condition is a new property in the retries configuration of ClientHandler and ReverseProxyHandler. Use this property to configure a condition on which to trigger a retry. In previous releases, a retry could be triggered only for runtime exceptions.

User ID in audit logs

Audit logs can now include a user ID. Example scripts and setup information is provided in Recording user ID in audit events.

Tracking ID logged in access audit events

In routes containing an OAuth2ResourceServerFilter, OAuth 2.0 token tracking IDs are now logged in access audit events.

Transformation from string to placeholder string

The $string transformation has been added to facilitate the transformation from a string to a placeholder string, which is not encoded. Use this transformation for placeholder strings that that must not be encrypted, for example, when they reference a secret value.

For more information, see string in Token Transformation.

Use expressions to configure paths in UriPathRewriteFilter

The mapping object in UriPathRewriteFilter now uses configuration expressions to define the fromPath and toPath. In previous releases, the mapping object was a static JSON map.

For more information, see UriPathRewriteFilter.

PolicyDecisionContext includes actions from the policy decision response

Actions from the AM policy decision response are now available in the PolicyDecisionContext, and available for use.

The resource value that was used when making the policy request is now available in PolicyDecisionContext.

AmService detects AM version

AmService now reads the AM version from the AM endpoint, and uses the discovered version instead of the value configured in the AmService property version.

The property version is used only if AmService cannot discover the AM version.

Certificate issued by a trusted CA for any hostname or domain is accepted for a connection to any domain

When IG is acting as a WebSocket proxy, and the downstream application is on HTTPS, the WebSocket configuration host can now allow a certificate issued by a trusted CA for any hostname or domain to be accepted for a connection to any domain. For information, see the hostnameVerifier property of ClientTlsOptions.

Product information in startup logs

Key product information, such as the product version and build number, is now included in the startup logs.

Improved error handling in ScriptableFilter and ScriptableHandler

The ScriptableFilter and ScriptableHandler now propagate script exceptions as runtime exceptions in the promise flow. In previous releases, they replaced the exception with a response, with HTTP status 500. Users didn’t know if the response was from the requested endpoint or caused by an exception in the chain.

AmService Websocket connections protected from timeout

A heartbeat can be configured on the AmService WebSocket notification service to prevent Websocket connections from being closed for timeout.

Timeout of idle AM sessions

A new filter AmSessionIdleTimeoutFilter is available to force the revocation of AM sessions that have been idle for a specified timeout.

Use this filter in front of a SingleSignOnFilter or CrossDomainSingleSignOnFilter, to manage idle timeout for client sessions in AM.

Proxy configuration can be created in the heap and used for AM notifications

A new ProxyOptions heaplet is available to define a proxy to which a ClientHandler or ReverseProxyHandler can submit requests, and an AmService can submit Websocket notifications.

A new global ProxyOption heap object is provided.

Fixes

The following pages list important fixes in major or minor versions.

Fixed in PingGateway 2024.11

  • OPENIG-8853: Welcome page does not display current year in copyright section

Fixed in PingGateway 2024.9

  • OPENIG-8544: PingOneApiAccessManagementFilter "includeBody": false is not a possible value

  • OPENIG-8489: Attempting to create the default router directory can fail when filesystem is read-only even when the directory exists

  • OPENIG-8325: Fix undelivered connection closures found in performance test

  • OPENIG-8259: ig_http_server_active_requests metric shows negative values

  • OPENIG-7296: In Studio, switching deployment status of a route makes it out of sync

Fixed in PingGateway 2024.6

  • OPENIG-8432: Config expression doesn’t work in audit service’s event handler configuration

  • OPENIG-8370: IG standalone 2023.11 and above throws NPE and return response 500

  • OPENIG-8340: RouterHandler should validate the directory being set in the config

  • OPENIG-8295: When a trailing header is used in a StaticResponseHandler the HTTP response doesn’t conform to the HTTP spec

Fixed in IG 2024.3

  • OPENIG-7557: Inline named object declarations in IG config interactions with heap objects are misleading

  • OPENIG-7633: Http endRequest metrics should check if handler is null

  • OPENIG-7674: Misleading deprecation notice in ClientRegistration without secretsProvider

  • OPENIG-7680: GzipFlowableTransformer fails when there is empty bytebuffer after actual gzip content

  • OPENIG-7736: IG drops some bytes during POST and PUT of large data/images

  • OPENIG-7738: readWithCharset method doesn’t return the content of the file as a plain string.

  • OPENIG-7790: HTTP Client Active Request Gauge can display negative values

  • OPENIG-7859: org.forgerock.openig.filter.oauth2.client.ClientRegistration#revokeToken logs incorrect endpoint when revocation fails

  • OPENIG-7978: PEF should return 401 when no subjects can be found instead of 500

  • OPENIG-8069: Vertx threads are getting locked on org.forgerock.http.vertx.monitoring.meters.Gauges.get(Tags)

  • OPENIG-8070: vert.x threads are getting locked on SessionInfoCache$IndexTable

Fixed in IG 2023.11.1

  • OPENIG-7633: Http endRequest metrics should check if handler is null

  • OPENIG-7736: IG drops some bytes during POST and PUT of large data/images

Fixed in IG 2023.11

  • OPENIG-7453: SecretsTrustManager fails to load CA-signed certificates due to restrictive KeyUsage

  • OPENIG-7768: Declaring JwtSession named 'Session' in config.json fails

  • OPENIG-7774: CorsFilter should handle invalid policies better instead of throwing NPE

Fixed in IG 2023.9

  • OPENIG-5294: Clear Issuer cache on exception

Fixed in IG 2023.6

  • OPENIG-7429: IG cannot handle requests with IPv6 URL

  • OPENIG-7474: SwitchFilter’s handler fails to send original POST request entity

Fixed in IG 2023.4

  • OPENIG-5913: (UI) Route configuration lost sometime after un-deploy from route list

Fixed in IG 2023.2

  • OPENIG-6911: Failed agent authentication is not clear from the IG logs

Fixed in IG 7.2

  • OPENIG-6911: Failed agent authentication is not clear from the IG logs

  • OPENIG-6394: Stack traces are printed twice in the log files

  • OPENIG-6206: When checking for peer certificates in a request, validate that the SSLSession is available

  • OPENIG-5872: Stop Tyrus WebSocket connection retry when Websocket Client is closed

  • OPENIG-5868: WebSocketClientHandshakeException: Invalid subprotocol seen when using IG standalone to proxy WebSocket requests

  • OPENIG-5805: The notification service should attempt to refresh the caller token when receiving a 401 on WebSocket connections

  • OPENIG-5793: Unexpected behaviour of EL function matches

  • OPENIG-5778: sessionInfo requests can lead to a build up of agent tokens being created

  • OPENIG-5743: Standalone: Possible OOME for large requests

  • OPENIG-5725: Add SNI configuration

  • OPENIG-5683: HTTP/2 : set max connections

  • OPENIG-5610: Null Pointer Exception when using ForwardedRequestFilter with ResourceHandler

  • OPENIG-5540: PEM secret format fails to decode some EC private keys

  • OPENIG-5539: The ForwardedRequestFilter should not change original URI parameter values when rebasing

  • OPENIG-5425: JwkSetHandler: No error displayed when using an invalid configuration such as a public key exported -as jwk- for decryption usage

  • OPENIG-4956: Inbound WebSocket connection is not closed when outbound connection is closed abruptly

Security advisories

Ping Identity issues security advisories in collaboration with our customers to address any security vulnerabilities transparently and rapidly.

Ping Identity’s security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.

You can find security advisories in the Knowledge Base.

Deprecated

Features and properties are deprecated and removed as defined in Product stability labels.

Unless otherwise stated, when a deprecated setting and its replacement setting are both provided, the replacement setting is used.

Deprecated in Feature or property Setting Replacement setting Removed in

2024.11

AdminHttpApplication (admin.json)

Provided objects you can override by defining objects with the same name:

"ApiProtectionFilter"
"MetricsProtectionFilter"
"StudioProtectionFilter"

Override defaults by defining filters for the new settings:

"apiProtectionFilter"
"metricsProtectionFilter"
"studioProtectionFilter"

Not yet removed

The "Session" key.

Define a "session" property instead.

Not yet removed

Define a "session" property without using a session manager.

The "session" value is an InMemorySessionManager or JwtSessionManager.

Not yet removed

AuthorizationCodeOAuth2ClientFilter

The "issuerRepository" and "useDeprecatedIssuerRepository" properties.

Each AuthorizationCodeOAuth2ClientFilter will have its own private list of issuers.

Not yet removed

GatewayHttpApplication (config.json)

The "Session" key.

Define a "session" property instead.

Not yet removed

Define a "session" property without using a session manager.

The "session" value is an InMemorySessionManager or JwtSessionManager.

Not yet removed

The session settings will no longer default to those defined in admin.json.

If no "session" is defined, PingGateway will use an InMemorySessionManager with default values.

Not yet removed

Issuer

The "issuerRepository" and "useDeprecatedIssuerRepository" properties.

Each AuthorizationCodeOAuth2ClientFilter will have its own private list of issuers.

Not yet removed

IssuerRepository

The entire object and the default "IssuerRepository" defined in the AdminHttpApplication or GatewayHttpApplication heap.

For issuers known in advance, add their settings to the ClientRegistration.

For discovery, if the IssuerRepository had an "issueHandler", configure an AuthorizationCodeOAuth2ClientFilter "discoveryHandler" instead.

Not yet removed

JwtSession

The entire object.

Use a JwtSessionManager for the "session" in admin.json, config.json, or individual Route configuration.

Not yet removed

Prometheus metrics

The parentId and parentKind metric dimensions are deprecated.

Use the parent_id and parent_kind dimensions instead.

Not yet removed

Router

The default path for the "directory" setting.

Set the "directory" explicitly.

Not yet removed

2024.9

AdminHttpApplication (admin.json)

Allow administrative connections on gateway endpoints (current default)

Configure a separate "adminConnector" endpoint

Not yet removed

"prefix" setting

-

Not yet removed

"vertx" > "host" setting

"host"

Not yet removed

Lazy loading in FileAttributesFilter and SqlAttributesFilter

target field

FileAttributesContext and SqlAttributesContext

Not yet removed

RouterHandler alias

RouterHandler

Router

Not yet removed

2024.6

Prometheus endpoint

…​/openig/metrics/prometheus

…​/openig/metrics/prometheus/0.0.4

Not yet removed

Prometheus metrics:

  • org.forgerock.monitoring.api.instrument.DistributionSummary

  • org.forgerock.monitoring.api.instrument.Timer

…​_count{…​} …​
…​_seconds_count{…​} …​
…​_total{…​} …​

…​_seconds_count{…​} …​
…​_seconds_sum{…​} …​
…​_sum{…​} …​

Not yet removed

Prometheus metrics:

  • ig_route_response_time

  • ig_route_response_time_seconds

  • ig_cache_loads

  • ig_cache_loads_seconds

  • ig_cache_evictions

…​_count{…​} …​
…​_seconds_total{…​} …​

…​_seconds_count{…​} …​
…​_seconds_sum{…​} …​

Not yet removed

TokenResolver class used as follows:

  • _token('property','default'}

  • _t('property','default'}

Whole class

Not replaced. Use the following expression format instead: &{…​}

Not yet removed

2024.3

Vert.x

Options described in 4.5.0 Deprecations and breaking changes

Options described in VertxOptions

Not yet removed

Common REST Monitoring Endpoint

Whole feature

Prometheus Scrape Endpoint

Not yet removed

2023.11

Java support

Java 11

Java 17

2024.3

2023.9

Retrieval of the target URI in AuthorizationCodeOAuth2ClientFilter

request.uri
or
originalUri in UriRouterContext

IdpSelectionLoginContext

Not yet removed

2023.6

Vert.x

maxHeaderSize

initialSettings.maxHeaderListSize

connectors:maxTotalHeadersSize in AdminHttpApplication

Not yet removed

PolicyEnforcementFilter

useLegacyAdviceEncoding

Advice encoding with the encoder used by the AM version.

Not yet removed

2023.4

CookieFilter

Use of the Set-Cookie2 HTTP header, obsoleted by RFC 6265: Set-Cookie2

Not replaced

Not yet removed

SamlFederationHandler

Whole object

SamlFederationFilter

Not yet removed

2023.2

Studio

Structured Editor

Not replaced

Not yet removed

KeyStoreSecretStore

Required property storePassword
Optional property keyEntryPassword

Optional property storePasswordSecretId
Optional property entryPasswordSecretId

Not yet removed

HsmSecretStore

property storePassword

property storePasswordSecretId

Not yet removed

Names of Prometheus counter metrics

request
response.error
response.null
response.status.client_error
response.status.informational
response.status.redirection
response.status.server_error
response.status.successful
response.status.unknown

In a future release, the deprecated names are expected to be replaced with names ending in _total.

Only the metric name is deprecated; the information provided by the metric is not deprecated. Other Prometheus metrics aren’t affected.

Not yet removed

Names of Vert.x counter metrics

vertx_net_client_bytes_read
vertx_net_client_bytes_written
vertx_net_client_errors
vertx_http_client_bytes_read
vertx_http_client_bytes_written
vertx_http_client_errors
vertx_net_server_bytes_read
vertx_net_server_bytes_written
vertx_net_server_errors
vertx_http_server_bytes_read
vertx_http_server_bytes_written
vertx_http_server_errors
vertx_datagram_errors
vertx_eventbus_processed
vertx_eventbus_published
vertx_eventbus_discarded
vertx_eventbus_sent
vertx_eventbus_received
vertx_eventbus_delivered
vertx_eventbus_reply_failures
vertx_pool_completed

In a future release, the deprecated names are expected to be replaced with names ending in _total.

Only the metric name is deprecated; the information provided by the metric is not deprecated. Other Vert.x metrics are not affected.

Not yet removed

KeyStore

Whole object

KeyStoreSecretsStore

There will be no replacement for keystore loading from a URL.

Not yet removed

KeyManager

Whole object

SecretsKeyManager

Not yet removed

TrustManager

Whole object

SecretsTrustManager

Not yet removed

CapturedUserPasswordFilter

A GenericSecret shared key

A CryptoKey shared key.

After removal, it will no longer be possible to store the shared key in a Base64SecretStore.

Not yet removed

7.2

CapturedUserPasswordFilter

keyType value DES

AES

Not yet removed

ClientCredentialsOAuth2ClientFilter

clientId, clientSecretId, handler

endpointHandler, which uses ClientSecretBasicAuthenticationFilter or ClientSecretPostAuthenticationFilter

Not yet removed

ClientHandler

proxy, systemProxy

proxyOptions

Not yet removed

hostnameVerifier

ClientTlsOptions property hostnameVerifier

Not yet removed

ClientRegistration

tokenEndpointAuthMethod
tokenEndpointAuthSigningAlg
privateKeyJwtSecretId
jwtExpirationTimeout

authenticatedRegistrationHandler

Not yet removed

OAuth2ClientFilter

Filter name

AuthorizationCodeOAuth2ClientFilter

Not yet removed

ReverseProxyHandler

proxy, systemProxy

proxyOptions

Not yet removed

hostnameVerifier

ClientTlsOptions property hostnameVerifier
If a ReverseProxyHandler includes the deprecated "hostnameVerifier": "ALLOW_ALL" configuration, it takes precedence, and deprecation warnings are written to the logs.

Not yet removed

Removed

The listed features and properties have been removed, as defined in Product stability labels.

Removed in Feature or property Setting Replacement setting Deprecated in

2024.11

-

-

-

-

2024.9

-

-

-

-

2024.6

-

-

-

-

2024.3

IG product

Creation of a .war file

.zip file

6

SingleSignOnFilter

logoutEndpoint

logoutExpression

7

Java support

Java 11

Java 17

2023.11

JwtSession

encryptionSecretId, signatureSecretId,cookieName, cookieDomain,password, alias, keystore, sharedSecret

authenticatedEncryptionSecretId, encryptionMethod, cookie

7, 6.5

OpenAmAccessTokenResolver

Whole object

None

7

JwtBuilderFilter

Use of unsigned or unencrypted JWTs

Use of signed or encrypted JWTs

7

GrantSwapJwtAssertionOAuth2ClientFilter

Use of unsigned or unencrypted JWTs

Use of signed or encrypted JWTs

Not deprecated

CryptoHeaderFilter

Whole object

JwtBuilderFilter

7

Ldap

LdapClient class and the ldap script binding

None

7.1

KeyManager

password

passwordSecretId

6.5

CapturedUserPasswordFilter

key

keySecretId

7

PasswordReplayFilter

headerDecryption

PasswordReplayFilter’s credentials property configured with a CapturedUserPasswordFilter

7

KeyStore

password

passwordSecretId

7

DesKeyGenHandler

Whole object

None

7

SqlAttributesFilter

dataSource as a JNDI lookup name

dataSource as a JdbcDataSource configuration object

7

AmService

agent subproperty password

agent subproperty passwordSecretId

6.5

TlsOptions

Whole object

ClientTlsOptions

7

ClientHandler and ReverseProxyHandler

proxy subproperty password

proxy subproperty passwordSecretId

7

JwtBuilderFilter

signature subproperties:

  • keystore

  • alias

  • password

signature subproperty secretId

6.5

AuditService

event-handlers

eventHandlers

7

ClientRegistration

keystore
privateKeyJwtAlias
privateKeyJwtPassword

privateKeyJwtSecretId

7

clientSecret

clientSecretId

7

The name of the ClientRegistration heaplet to identify a client registration when a user initiates a login

The clientId property of ClientRegistration

7

Route

secrets

A secretsProvider configuration in each affected object

7

2023.11

-

-

-

-

2023.9

-

-

-

-

2023.6

-

-

-

-

2023.4

-

-

-

-

2023.2

IG product

Delivery of a .war file

.zip file

6

Environment variable and system property

OPENIG_BASE
openig.base

IG_INSTANCE_DIR
ig.instance.dir

6

PolicyEnforcementFilter

executor

cache subproperty executor

6

ClientHandler and ReverseProxyHandler

keyManager
sslCipherSuites
sslContextAlgorithm
sslEnabledProtocols
trustManager

tls property to define a ClientTlsOptions object

6.5

UserProfileFilter

ssoToken

username

6.5

profileAttributes

userProfileService subproperty profileAttributes

6.5

amService

userProfileService subproperty amService

6.5

StatelessAccessTokenResolver

signatureSecretId

verificationSecretId

6.5.1

encryptionSecretId

decryptionSecretId

6.5.1

7.2

StaticResponseHandler

version

Not replaced

Not deprecated

Incompatible changes

Incompatible changes refer to changes that affect existing functionality and migration from a previous release. Before you upgrade, make appropriate changes to your scripts and plugins.

Version Description

2024.11

None

2024.9
Zero-valued Prometheus metrics

Following a performance improvement, the Prometheus output shows many new WebSocket proxy metrics with 0.0 values.

This could affect existing dashboards and reports.

2024.6
Router now checks for directory

The Router handler now checks the directory you specify in its configuration is an existing directory PingGateway can read. If not, PingGateway throws an exception.
ClientRegistration configurations

To enable OpenID Connect ID token signature validation and the provider uses HMAC-based signatures, ClientRegistration configurations now require settings to access the client secret used for signature validation:

  • "skipSignatureVerification": must be false to enable ID token signature validation

  • "clientSecretUsage": must be ID_TOKEN_VALIDATION_AND_CLIENT_AUTHENTICATION or ID_TOKEN_VALIDATION_ONLY

  • "clientSecretId": must identify the client secret

  • "secretsProvider": must provide for the client secret for signature validation

For details, refer to ClientRegistration.

The Issuer for AuthorizationCodeOAuth2ClientFilter now uses asymmetric signature validation by default.
Issuer configurations

When you enable OpenID Connect ID token signature validation, update these properties of your Issuer configurations:

  • "issuer": must match the iss claim value in the ID token (required unless it’s obtained from the provider’s well-known configuration URL)

  • "idTokenVerificationSecretId": (optional) identifies the provider’s public key for signature validation

  • "secretsProvider": (optional) provides the public key for signature validation

  • "idTokenSkewAllowance": (optional) permits clock skew during signature validation

For details, refer to Issuer.

The Issuer for AuthorizationCodeOAuth2ClientFilter now uses asymmetric signature validation by default.

2024.3
IG .war file

The IG .war file is no longer created. It was deprecated in IG 6 and stopped being delivered in IG 2023.2. For information about migration, refer to Migrate from web container mode to standalone mode.
secretsProvider property changes from optional to required

Because the default secret service has been removed, configuration of secretsProvider has changed from optional to required for the following properties:
Scripts

Groovy scripts used in the IG configuration must now use the UTF-8 character set. In previous releases, Groovy files referenced from the IG configuration could rely on default encoding or system properties.
IG Java 17

IG no longer supports Java 11. You must upgrade to Java 17.
Vert.x

Upgrade to Vert.x 4.5 renames and removes Vert.x options used by WebSocket connections to AM and accessed through the vertx attribute of AmService.

Learn more about Vert.x changes in 4.5.0 Deprecations and breaking changes.

Use the Vert.x options described in VertxOptions.
Handling of failed HTTP responses

IG now fails an HTTP response promise when:

  • Streaming is disabled by the streamingEnabled property of admin.json. This is the default setting.

  • The response provides response headers but not the entire response body.

In previous releases, IG completed the response promise but the response was unreadable.
JWT must be signed or encrypted

The following filters must now be configured with a SecretsProvider and signature or encryption:
Improved security for CrossDomainSingleSignOnFilter

When verificationSecretId in CrossDomainSingleSignOnFilter is configured, IG uses it to verify the signature of AM session tokens. When verificationSecretId isn’t configured, IG discovers and uses the AM JWK set to verify the signature of AM session tokens.

From this release, if verificationSecretId isn’t configured and IG can’t use the AM JWK set, the CrossDomainSingleSignOnFilter fails to start.

In previous releases, the CrossDomainSingleSignOnFilter accepted unsigned tokens.
IG .zip file

To prevent confusion during upgrade, PingGateway-2024.11.0.zip now unpacks to a directory containing the IG version number. For example, this release unpacks to /path/to/identity-gateway-2024.3.0.

In previous releases, PingGateway-2024.11.0.zip unpacked to /path/to/identity-gateway.
Treatment of HTTP 500 errors

HTTP 500 errors are no longer computed in Handlers or Filters. Instead, they fail the response promise with the Runtime exception that caused the failure.
Inline objects can’t be referenced from the configuration

In previous releases, other objects in a configuration could refer to an inline object through its name property. Inline objects can no longer be referenced by other objects; only named heap objects can be referenced by other objects.

2023.11
Change to host header capitalization for HTTP/2

For HTTP/2, PingGateway pseudo-headers and host response headers are now lowercase.

This isn’t a breaking change. RFC 2616, 4.2 Message Headers explains, "Field names are case-insensitive."

Some applications expect case-sensitive header names, such as Host, however. Update these applications to accept case-insensitive headers.
Safeguard against accidental exposure of private keys with JwkSetHandler

The new property exposePrivateSecrets is available in JwkSetHandler to safeguard against the accidental exposure of private keys in a JWK set.

The property is false by default to prevent exposure of private keys. To expose private keys, you must now explicitly set the property to true.

2023.9

None

2023.6
Improved security for scripts

To improve security, IG now runs scripts only from an absolute path, or from a path relative to the base script directory. Routes that refer to scripts otherwise, such as through a URL, fail to deploy.

For more information, refer to the file property of scripts.

2023.4

None

2023.2

The IG .war file is no longer delivered. Learn more in Migrate from web container mode to standalone mode.

7.2
ScriptableResourceUriProvider accepts returned values only as a String

ScriptableResourceUriProvider accepts returned values only as a String. In previous releases, it accepted returned values as a String or Promise<String>. For more information, see ScriptableResourceUriProvider in PolicyEnforcementFilter.
AM 5.x.x EOL

AM 5.x.x has reached product end of life and is no longer supported. The default value of the AmService property version has changed to 6. For more information, refer to Product Support Lifecycle Policy | PingGateway and Agents.
keyType for CapturedUserPasswordFilter is required

For better security, the keyType for CapturedUserPasswordFilter is now required, and the use of DES is deprecated.
JWT classes relocated to new packages

Classes related to JWT stateless sessions have moved from the package org.forgerock.openig.jwt to org.forgerock.openig.session.jwt.

Classes and functions used to validate a JWT, used with a JwtValidatorCustomizer in a JwtValidationFilter, have moved from the package org.forgerock.openig.tools.jwt to org.forgerock.openig.tools.jwt.validation.

The IG scripting engine has been updated to incorporate the changes automatically.
CDSSO requires session cookies with SameSite=None, Secure=True

To improve privacy, browsers have recently changed third-party cookie policies to require the following settings for session cookies: SameSite=None, Secure=True.

Depending on your deployment and route configuration, configure session cookies as follows:

Known issues

The following important issues remained open at the time of the latest release for each version:

PingGateway 2024.11

No known issues at the time of release.

PingGateway 2024.9

No known issues at the time of release.

PingGateway 2024.6

Issue Comment

OPENIG-8259: ig_http_server_active_requests metric shows negative values

Fixed in 2024.9

OPENIG-7296: In Studio, switching deployment status of a route makes it out of sync

Fixed in 2024.9

IG 2024.3

Issue Comment

OPENIG-7296: In Studio, switching deployment status of a route makes it out of sync

Fixed in 2024.9

IG 2023.11

Issue Comment

OPENIG-7736: IG drops some bytes during POST and PUT of large data/images

Fixed in 2024.3, 2023.11.1

OPENIG-7680: GzipFlowableTransformer fails when there is empty bytebuffer after actual gzip content

Fixed in 2024.3

OPENIG-7296: In Studio, switching deployment status of a route makes it out of sync

Fixed in 2024.9

OPENIG-4817: Can’t specify any host information for HTTP/2 request

Unresolved

IG 2023.9

Issue Comment

OPENIG-7736: IG drops some bytes during POST and PUT of large data/images

Fixed in 2024.3

OPENIG-7680: GzipFlowableTransformer fails when there is empty bytebuffer after actual gzip content

Fixed in 2024.3

OPENIG-7296: In Studio, switching deployment status of a route makes it out of sync

Fixed in 2024.9

OPENIG-4817: Can’t specify any host information for HTTP/2 request

Unresolved

IG 2023.6

Issue Comment

OPENIG-7736: IG drops some bytes during POST and PUT of large data/images

Fixed in 2024.3

OPENIG-7680: GzipFlowableTransformer fails when there is empty bytebuffer after actual gzip content

Fixed in 2024.3

OPENIG-7296: In Studio, switching deployment status of a route makes it out of sync

Fixed in 2024.9

OPENIG-5294: Clear Issuer cache on exception

Fixed in 2023.9

OPENIG-4817: Can’t specify any host information for HTTP/2 request

Unresolved

IG 2023.4

Issue Comment

OPENIG-7429: IG cannot handle requests with IPv6 URL

Fixed in 2023.6

OPENIG-7296: In Studio, switching deployment status of a route makes it out of sync

Fixed in 2024.9

OPENIG-5294: Clear Issuer cache on exception

Fixed in 2023.9

OPENIG-4817: Can’t specify any host information for HTTP/2 request

Unresolved

IG 2023.2

Issue Comment

OPENIG-5913 (UI) Route configuration lost sometime after un-deploy from route list

Fixed in 2023.4

OPENIG-5294: Clear Issuer cache on exception

Fixed in 2023.9

OPENIG-4817: Can’t specify any host information for HTTP/2 request

Unresolved

IG 7.2.0

Issue Comment

OPENIG-5913 (UI) Route configuration lost sometime after un-deploy from route list

Fixed in 2023.4

OPENIG-5294: Clear Issuer cache on exception

Fixed in 2023.9

OPENIG-4817 Can’t specify any host information for HTTP/2 request

Unresolved

Limitations

Limitations are inherent to the design, not bugs to be fixed.

Audit events

  • The log file of audit events can be overwritten when the log file is rotated.

    When a CsvAuditEventHandler is used to log audit events, PingGateway overwrites the log file if it is rotated before the rotationFileSuffix changes. By default, rotationFileSuffix is defined as a date in _yyyy-MM-dd format.

    PingGateway rotates log files when a maxFileSize, rotationInterval, or rotationTimes limit is reached.

    Set the log rotation parameters so the log isn’t likely to rotate before rotationFileSuffix changes.

Filters

  • The CookieFilter is not JwtSession compatible.

  • The JWT created by JwtBuilderFilter is not encrypted.

    Carefully consider the security of your configuration when using this filter.

  • Filters can’t use the value of System.currentTimeMillis().

    This applies to JwtBuilderFilter for claims such as exp and iat.

  • When a user has a pre-existing fragment cookie during authentication—​for example, from a previous, incomplete authentication attempt—​the pre-existing fragment overwrites the current fragment.

    To minimize the effect of this limitation, the FragmentFilter cookie has a maxAge property you can use to configure the maximum duration it can remain valid.

Handlers

  • ClientHandler blocks with asynchronous HTTP clients.

    PingGateway processes responses from asynchronous HTTP clients with two thread pools of the same size:

    • The first thread pool receives the response headers.

    • The second thread pool completes the promise by executing the callback and writing the response content to the stream. Reading and writing to the stream are synchronous, blocking operations.

    Synchronous operation can cause routes to declare a blocked ClientHandler. To recover from blocking, restart the route or, if the route is config.json, restart the server. To prevent blocking, increase the number of worker threads.

  • The ClientHandler and ReverseProxyHandler property systemProxy can’t be used with a proxy that requires a username and password. Use the handler’s proxy property instead.

HTTP

  • PingGateway doesn’t forward host information for HTTP/2 requests. * When acting as a reverse proxy and receiving HTTP/2 requests, PingGateway doesn’t forward the host information in the HTTP/2 :authority: pseudo-header to the protected application.

    If the protected application uses the HTTP/1.1 Host header or HTTP/2 :authority: pseudo-header to route requests, an error occurs.

  • When acting as a client for HTTPS mutual authentication, the PingGateway client certificate isn’t configurable.

    The client certificate must be the first in the ClientHandler or ReverseProxyHandler keystore.

SAML

  • When SAML is used with an AM policy agent, class cast exceptions occur.

  • The SamlFederationHandler doesn’t support filtering.

    This limitation is mitigated by the SAML 2.0 requests processed with original URI value feature.

    Do not use a SamlFederationHandler as the handler for a Chain.

    More generally, do not use a SamlFederationHandler when its use depends on something in the response. The response can be handled independently of PingGateway and can be null when control returns to PingGateway. For example, do not use this handler in a SequenceHandler where the post-condition depends on the response.

  • When the user defined mapping is incorrectly set, missing SAML assertions produce an infinite loop during authentication attempts.

Scripts

  • PingGateway scripts are not sandboxed. They can access anything in their environment.

    Make sure all scripts PingGateway loads are safe.

Streaming

  • PingGateway requires you set the admin.json property streamingEnabled set to true to process files bigger than 2 GB and Server Sent Events.

Studio

  • Studio deploys and undeploys routes through a main router named _router, the name of the main router in the default configuration.

    If you use a custom config.json, make sure that it contains a main router named _router.

  • To avoid undesirable side effects, Studio only lets you deploy or undeploy routes created and modified using Studio.

UMA

  • Shared resources do not persist across PingGateway restarts. They must be shared each time PingGateway restarts.

Appendix A: Release levels and interface stability

For information about release levels, refer to Product Support Lifecycle Policy | PingGateway and Agents.

Product stability labels

Ping Identity Platform software supports many features, protocols, APIs, GUIs, and command-line interfaces. Some of these are standard and very stable. Others offer new functionality that is continuing to evolve.

Ping Identity acknowledges that you invest in these features and interfaces, and therefore must know when and how Ping Identity expects them to change. For that reason, Ping Identity defines stability labels and uses these definitions in Ping Identity Platform products.

Stability label definitions
Stability Label Definition

Stable

This documented feature or interface is expected to undergo backwards-compatible changes only for major releases.

Changes may be announced at least one minor release before they take effect.

Evolving

This documented feature or interface is continuing to evolve and so is expected to change, potentially in backwards-incompatible ways even in a minor release. Changes are documented at the time of product release.

While new protocols and APIs are still in the process of standardization, they are Evolving. This applies for example to recent Internet-Draft implementations, and also to newly developed functionality.

Legacy

This feature or interface has been replaced with an improved version, and is no longer receiving development effort from Ping Identity.

You should migrate to the newer version, however the existing functionality will remain.

Legacy features or interfaces will be marked as Deprecated if they are scheduled to be removed from the product.

Deprecated

This feature or interface is deprecated, and likely to be removed in a future release.

For previously stable features or interfaces, the change was likely announced in a previous release.

Deprecated features or interfaces will be removed from Ping Identity products.

Removed

This feature or interface was deprecated in a previous release, and has now been removed from the product.

Technology Preview

Technology previews provide access to new features that are considered as new technology that is not yet supported. Technology preview features may be functionally incomplete, and the function as implemented is subject to change without notice.

DO NOT DEPLOY A TECHNOLOGY PREVIEW INTO A PRODUCTION ENVIRONMENT.

Customers are encouraged to test drive the technology preview features in a non-production environment, and are welcome to make comments and suggestions about the features in the associated forums.

Ping Identity does not guarantee that a technology preview feature will be present in future releases, the final complete version of the feature is liable to change between preview and the final version. Once a technology preview moves into the completed version, said feature will become part of Ping Identity Platform.

Technology previews are provided on an “AS-IS” basis for evaluation purposes only, and Ping Identity accepts no liability or obligations for the use thereof.

Internal/Undocumented

Internal and undocumented features or interfaces can change without notice.

If you depend on one of these features or interfaces, contact support to discuss your needs.

Getting support

Ping Identity provides support services, professional services, training, and partner services to assist you in setting up and maintaining your deployments. For a general overview of these services, see https://www.pingidentity.com.

Ping Identity has staff members around the globe who support our international customers and partners. For details on Ping Identity’s support offering, visit https://www.pingidentity.com/support.

Ping Identity publishes comprehensive documentation online:

  • The Ping Identity Knowledge Base offers a large and increasing number of up-to-date, practical articles that help you deploy and manage Ping Identity Platform software.

    While many articles are visible to everyone, Ping Identity customers have access to much more, including advanced information for customers using Ping Identity Platform software in a mission-critical capacity.

  • Ping Identity product documentation, such as this document, aims to be technically accurate and complete with respect to the software documented. It is visible to everyone and covers all product features and examples of how to use them.

Release timeline

Release date Version Release type(1)

2024-11

PingGateway 2024.11.0

Minor

2024-09

PingGateway 2024.9.0

Minor

2024-06

PingGateway 2024.6.0

Minor

2024-04

IG 2023.11.1

Maintenance

2024-03

IG 2024.3.0

Major

2023-11

IG 2023.11.0

Minor

2023-09

IG 2023.9.0

Minor

2023-06

IG 2023.6.0

Minor

2023-04-25

IG 2023.4.0

Minor

2023-02-21

IG 2023.2.0

Major

2022-06-28

IG 7.2.0

Minor

2022-04-06

IG 7.1.2

Maintenance

2021-09-24

IG 7.1.1

Maintenance

2022-05-11

IG 7.1.0

Minor

2021-03-16

IG 7.0.2

Maintenance

2021-03-12

IG 6.5.4

Maintenance

2020-10-27

IG 7.0.1

Maintenance

2020-09-24

IG 6.5.3

Maintenance

2020-08-07

IG 7.0.0

Major

2019-11-27

IG 6.5.2

Maintenance

2019-11-18

IG 5.5.2

Maintenance

2019-04-07

IG 6.5.1

Maintenance

2018-12-18

IG 5.5.1

Maintenance

2018-11-28

IG 6.5.0

Minor

2018-06-15

IG 6.1.0

Minor

2018-05-08

IG 6.0.0

Major

2017-10-19

IG 5.5.0

Minor

2017-04-03

OpenIG 5

Major

2016-01-27

OpenIG 4

Major

2014-08-11

OpenIG 3

Major

2012-05-15

OpenIG 2.1

Minor

(1) For information about the scope of expected changes for different release types, refer to Release levels and interface stability.