---
title: What&#8217;s new
description: New features and enhancements in PingGateway, listed by version from 7.2 onwards.
component: pinggateway
version: release-notes
page_id: pinggateway::whats-new
canonical_url: https://docs.pingidentity.com/pinggateway/release-notes/whats-new.html
revdate: 2026-04-21T12:00:00Z
section_ids:
  whats-new-2026.3: PingGateway 2026.3
  pingauthorize_support: PingAuthorize support
  auditing_for_administrative_endpoints: Auditing for administrative endpoints
  opentelemetry_logging: OpenTelemetry logging
  custom_login_pages: Custom login pages
  fapi_and_custom_data_audit_logging: FAPI and custom data audit logging
  file_permissions_in_jsonauditeventhandler: File permissions in JsonAuditEventHandler
  whats-new-2025.11: PingGateway 2025.11.x
  2025_11_2: 2025.11.2
  file_permissions_in_jsonauditeventhandler_2: File permissions in JsonAuditEventHandler
  additional_filter_support_for_well_known_endpoints_with_mcp: Additional filter support for well-known endpoints with MCP
  2025_11_1: 2025.11.1
  mcp_support: MCP support
  2025_11_0: 2025.11.0
  improvements_to_fapi_support: Improvements to FAPI support
  help_switching_to_pingone_advanced_identity_cloud: Help switching to PingOne Advanced Identity Cloud
  reloadable_route_properties: Reloadable route properties
  ensure_all_routes_load_successfully: Ensure all routes load successfully
  configurable_maximum_for_websocket_connections: Configurable maximum for WebSocket connections
  whats-new-2025.9: PingGateway 2025.9
  fapi_support: FAPI support
  graceful_shutdown: Graceful shutdown
  custom_algorithm_setting_for_jwksethandler: Custom algorithm setting for JwkSetHandler
  configuration_conditions: Configuration conditions
  whats-new-2025.6: PingGateway 2025.6.x
  pinggateway_2025_6_2: PingGateway 2025.6.2
  pinggateway_2025_6_1: PingGateway 2025.6.1
  pinggateway_2025_6: PingGateway 2025.6
  new_startup_readiness_endpoint: New startup readiness endpoint
  specify_the_journey_to_authenticate_to_am: Specify the journey to authenticate to AM
  audit_session_cache_clearing_events: Audit session cache clearing events
  limit_http_request_body_size: Limit HTTP request body size
  whats-new-2025.3: PingGateway 2025.3
  use_bouncy_castle_fips: Use Bouncy Castle FIPS
  offload_tls_handshakes: Offload TLS handshakes
  close_connections_gracefully: Close connections gracefully
  custom_unauthorized_responses_for_kerberos: Custom unauthorized responses for Kerberos
  opentelemetry_now_supported: OpenTelemetry now supported
  whats-new-2024.11: PingGateway 2024.11.x
  pinggateway_2024_11_2: PingGateway 2024.11.2
  pinggateway_2024_11_1: PingGateway 2024.11.1
  pinggateway_2024_11_0: PingGateway 2024.11.0
  device_profile_support_for_risk_evaluation: Device profile support for risk evaluation
  pkce_support_for_oauth_2_0_clients: PKCE support for OAuth 2.0 clients
  graceful_shutdown_2: Graceful shutdown
  lifetime_for_cdsso_sessions: Lifetime for CDSSO sessions
  propagate_disconnections: Propagate disconnections
  support_for_der_certificates: Support for DER certificates
  more_flexible_amsessionidletimeoutfilter_settings: More flexible AmSessionIdleTimeoutFilter settings
  whats-new-2024.9: PingGateway 2024.9
  opentelemetry_capabilities: OpenTelemetry capabilities
  multiple_versions_of_a_secret_with_filesystemsecretstore: Multiple versions of a secret with FileSystemSecretStore
  replace_setting_for_headerfilter: Replace setting for HeaderFilter
  runtime_exception_condition_for_retries: Runtime exception condition for retries
  security_provider_setting_for_keystores: Security provider setting for keystores
  delayed_route_metrics_creation: Delayed route metrics creation
  separate_endpoint_for_administration: Separate endpoint for administration
  new_pingone_authorize_example: New PingOne Authorize example
  asynchronous_reads_in_fileattributesfilter_and_sqlattributesfilter: Asynchronous reads in FileAttributesFilter and SqlAttributesFilter
  whats-new-2024.6: PingGateway 2024.6
  ig_becomes_pinggateway: IG becomes PingGateway
  pingone_protect_integration: PingOne Protect integration
  changes_to_the_prometheus_scrape_endpoint: Changes to the Prometheus Scrape Endpoint
  new_metrics_at_the_prometheus_scrape_endpoint: New metrics at the Prometheus Scrape Endpoint
  pingoneapiaccessmanagementfilter_now_supported: PingOneApiAccessManagementFilter now supported
  hardened_security_for_openid_connect_id_tokens: Hardened security for OpenID Connect ID tokens
  whats-new-2024.3: IG 2024.3
  local_authentication_on_behalf_of_pingone_advanced_identity_cloud_and_kerberos_validation: Local authentication on behalf of PingOne Advanced Identity Cloud and Kerberos validation
  monitoring_of_caches: Monitoring of caches
  use_of_secrets_in_studio: Use of secrets in Studio
  use_of_splunk_or_elasticsearch_audit_event_handlers_in_studio: Use of Splunk or ElasticSearch audit event handlers in Studio
  hardened_security_for_secrets: Hardened security for secrets
  issuerrepository: IssuerRepository
  dedicated_filter_for_pingones_api_access_management_technology_preview: Dedicated filter for PingOne's API Access Management (Technology preview)
  whats-new-2023.111: IG 2023.11.x
  ig_2023_11_2: IG 2023.11.2
  ig_2023_11_1: IG 2023.11.1
  ig_2023_11_0: IG 2023.11.0
  general_features: General features
  harden_oauth_2_0_access_token_requests: Harden OAuth 2.0 access token requests
  include_key_id_in_jwt_header: Include key ID in JWT header
  local_processing_on_behalf_of_pingone_advanced_identity_cloud_technology_preview: Local processing on behalf of PingOne Advanced Identity Cloud (Technology preview)
  secret_format_jwkpropertyformat: Secret format JwkPropertyFormat
  more_flexible_use_of_ca_certificates_in_mutual_tls: More flexible use of CA-certificates in mutual TLS
  safeguard_against_accidental_exposure_of_private_keys_with_jwksethandler: Safeguard against accidental exposure of private keys with JwkSetHandler
  saml: SAML
  prevention_of_redirect_loops_when_session_cookies_arent_present_in_the_saml_flow: Prevention of redirect loops when session cookies aren't present in the SAML flow
  whats-new-2023.9: IG 2023.9
  revocation_of_access_tokens_initiated_by_oauth_2_0_resource_servers: Revocation of access tokens initiated by OAuth 2.0 Resource Servers
  logout_initiated_by_openid_connect_relying_parties: Logout initiated by OpenID Connect relying parties
  option_to_require_the_authorization_server_to_prompt_the_end_user_to_reauthenticate_and_consent: Option to require the Authorization Server to prompt the end-user to reauthenticate and consent
  improved_error_handling_for_authorizationcodeoauth2clientfilter: Improved error handling for AuthorizationCodeOAuth2ClientFilter
  new_context_for_use_with_authorizationcodeoauth2clientfilter: New context for use with AuthorizationCodeOAuth2ClientFilter
  improved_security_for_crossdomainsinglesignonfilter: Improved security for CrossDomainSingleSignOnFilter
  whats-new-2023.6: IG 2023.6
  large_jwt_session_cookies_are_automatically_split: Large JWT session cookies are automatically split
  jwt_session_cookies_not_compressed_by_default: JWT session cookies not compressed by default
  startup_allowed_if_there_is_an_existing_pid_file: Startup allowed if there is an existing PID file
  prevention_of_redirect_loops_when_session_cookies_arent_present_in_the_cdsso_flow: Prevention of redirect loops when session cookies aren't present in the CDSSO flow
  regex_based_alias_selection_in_keystoresecretstore_and_hsmsecretstore: Regex-based alias selection in KeyStoreSecretStore and HsmSecretStore
  entity_of_staticresponsehandler_can_be_an_array_of_strings: Entity of StaticResponseHandler can be an array of strings
  maximum_size_for_the_sum_of_all_request_headers: Maximum size for the sum of all request headers
  support_for_unencoded_policy_advices: Support for unencoded policy advices
  configure_forward_proxies_for_websocket_connections: Configure forward proxies for WebSocket connections
  improved_control_of_websocket_connections_to_am: Improved control of WebSocket connections to AM
  whats-new-2023.4: IG 2023.4
  authentication_of_ig_agent_to_pingone_advanced_identity_cloud_and_am: Authentication of IG agent to PingOne Advanced Identity Cloud and AM
  policy_advices_from_pingone_advanced_identity_cloud_and_am_available_in_a_header: Policy advices from PingOne Advanced Identity Cloud and AM available in a header
  saml_2: SAML
  websocket_connection_renewal: WebSocket connection renewal
  limit_side_effects_when_backend_applications_are_slow: Limit side effects when backend applications are slow
  route_id_included_access_audit_events: Route ID included access audit events
  whats-new-2023.2: IG 2023.2
  session_eviction: Session eviction
  preserve_post_data_during_authentication: Preserve POST data during authentication
  prevent_unnecessary_session_expiry: Prevent unnecessary session expiry
  captureduserpasswordfilter_supports_secret_rotation: CapturedUserPasswordFilter supports secret rotation
  keystoresecretstore_allows_unprotected_keystores: KeyStoreSecretStore allows unprotected KeyStores
  delay_destroying_httpclienthandlerheaplets_during_shutdown: Delay destroying HttpClientHandlerHeaplets during shutdown
  automatic_reload_of_filesystemsecretstore_and_keystoresecretstore: Automatic reload of FileSystemSecretStore and KeystoreSecretStore
  groovy_4: Groovy 4
  expression_binding_now: Expression binding now
  whats-new-7.2: IG 7.2
  Token-exchange: Token exchange
  Authentication: Connectivity with OAuth 2.0-protected third-party services
  oauth2clientfilter_renamed_as_authorizationcodeoauth2clientfilter: OAuth2ClientFilter renamed as AuthorizationCodeOAuth2ClientFilter
  clientcredentialsoauth2clientfilter_uses_client_secret_basic_or_client_secret_post: ClientCredentialsOAuth2ClientFilter uses client_secret_basic or client_secret_post
  resourceowneroauth2clientfilter_for_services_to_access_resources_protected_by_oauth_2_0: ResourceOwnerOAuth2ClientFilter for services to access resources protected by OAuth 2.0
  filters_to_support_oauth_2_0_client_authentication: Filters to support OAuth 2.0 client authentication
  oauth_2_0_session_sharing_across_routes: OAuth 2.0 session sharing across routes
  Circuit-breaking: Circuit breaking
  circuitbreakerfilter: CircuitBreakerFilter
  circuit_breaker_in_clienthandler_and_reverseproxyhandler: Circuit breaker in ClientHandler and ReverseProxyHandler
  stability: Stability
  jwtbuilderfilter_produces_encrypted_jwt: JwtBuilderFilter produces encrypted JWT
  jwtsession_cookie_compression: JwtSession cookie compression
  other: Other
  windows_start_script_for_ig_in_standalone_mode: Windows start script for IG in standalone mode
  stop_scripts_for_ig_in_standalone_mode: Stop scripts for IG in standalone mode
  ig_opts_environment_variables_for_startup: IG_OPTS environment variables for startup
  sni_to_serve_different_certificates_for_tls_connections_to_different_server_names: SNI to serve different certificates for TLS Connections to different server names
  ig_proxies_all_websocket_subprotocols_by_default: IG proxies all WebSocket subprotocols by default
  configurable_conditions_for_retries_in_clienthandler_and_reverseproxyhandler: Configurable conditions for retries in ClientHandler and ReverseProxyHandler
  user_id_in_audit_logs: User ID in audit logs
  tracking_id_logged_in_access_audit_events: Tracking ID logged in access audit events
  transformation_from_string_to_placeholder_string: Transformation from string to placeholder string
  use_expressions_to_configure_paths_in_uripathrewritefilter: Use expressions to configure paths in UriPathRewriteFilter
  policydecisioncontext_includes_actions_from_the_policy_decision_response: PolicyDecisionContext includes actions from the policy decision response
  amservice_detects_am_version: AmService detects AM version
  certificate_issued_by_a_trusted_ca_for_any_hostname_or_domain_is_accepted_for_a_connection_to_any_domain: Certificate issued by a trusted CA for any hostname or domain is accepted for a connection to any domain
  product_information_in_startup_logs: Product information in startup logs
  improved_error_handling_in_scriptablefilter_and_scriptablehandler: Improved error handling in ScriptableFilter and ScriptableHandler
  amservice_websocket_connections_protected_from_timeout: AmService Websocket connections protected from timeout
  timeout_of_idle_am_sessions: Timeout of idle AM sessions
  proxy_configuration_can_be_created_in_the_heap_and_used_for_am_notifications: Proxy configuration can be created in the heap and used for AM notifications
---

# What's new

## PingGateway 2026.3

### PingAuthorize support

PingGateway now supports integration with PingAuthorize software for self-managed and on-premise deployments. Use the same filter as for PingOne Authorize with settings applicable to your PingAuthorize deployment.

Learn more in the [PingAuthorizeFilter](https://docs.pingidentity.com/pinggateway/2026/reference/PingAuthorizeFilter.html) reference.

### Auditing for administrative endpoints

PingGateway now supports auditing for administrative endpoints such as `/api/info` or `/metrics/prometheus/0.0.4`.

Learn more in the `admin.json` reference about the new configuration property, [auditService](https://docs.pingidentity.com/pinggateway/2026/reference/AdminHttpApplication.html#AdminHttpApplication-auditService).

### OpenTelemetry logging

PingGateway now supports logging events to an OpenTelemetry service.

Learn more in [Log to an OpenTelemetry service](https://docs.pingidentity.com/pinggateway/2026/maintenance-guide/monitoring.html#monitoring-otlp-logging).

### Custom login pages

If you use a custom login page instead of the PingOne Advanced Identity Cloud or AM default pages for authentication journeys, you have already configured a Login URL Template for CDSSO in the PingGateway agent profile.

In PingOne Advanced Identity Cloud and AM 8.1 and later, the URL template now supports a `${gotoOnFail}` parameter.

If you have a custom login page:

* Add the `${gotoOnFail}` parameter to the existing URL template in the PingGateway agent profile.

  For example, `&gotoOnFail=${gotoOnFail}` or `&failureUrl=${gotoOnFail}`.

* Update the custom login page to read the new parameter, validate its value before using it (for example, by checking that it points to a URL you expect) to protect against open redirect attacks, and redirect the user-agent to it when authentication fails.

By adding the `${gotoOnFail}` parameter, you ensure PingOne Advanced Identity Cloud or AM notifies PingGateway on failure, too. PingGateway uses the notification to remove stale session data. This parameter also allows PingGateway to redirect the user-agent on failure to an appropriate page. It is particularly helpful in headless authentication use cases like Windows Desktop SSO, where the user must decide how to authenticate on failure but isn't notified unless you provide a failure URL.
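The validation step above is where a careless custom login page turns into an open redirect. The following is an added example, not code from PingGateway, AM or PingOne Advanced Identity Cloud, showing one way a custom login page can validate the `gotoOnFail` value it receives before redirecting. The allowlist of origins (`ALLOWED_ORIGINS`), the fallback path, and the function names are assumptions to replace with your own values; `URL` and `URLSearchParams` are globals in both browsers and Node.

```javascript
// Added example (not PingGateway, AM or PingOne Advanced Identity Cloud code):
// validate the gotoOnFail value a custom login page receives before redirecting
// the user-agent on authentication failure.

// Return rawValue as an absolute https URL only if its origin is on the allowlist;
// otherwise return the fallback, so a crafted link cannot turn the page into an
// open redirect.
function safeGotoOnFail(rawValue, allowedOrigins, fallback) {
  if (typeof rawValue !== "string" || rawValue.length === 0 || rawValue.length > 2048) {
    return fallback;
  }
  let url;
  try {
    // No base URL: relative ("/x") and scheme-relative ("//evil.example") values throw here.
    url = new URL(rawValue);
  } catch (e) {
    return fallback;
  }
  if (url.protocol !== "https:") return fallback;                   // rejects javascript:, data:, http:
  if (url.username !== "" || url.password !== "") return fallback;  // rejects https://app.example.com@evil.example/
  if (!allowedOrigins.includes(url.origin)) return fallback;        // exact origin match: app.example.com.evil.example fails
  return url.href;
}

// Read gotoOnFail from the login page's query string (what a URL template ending
// in &gotoOnFail=${gotoOnFail} appends) and validate it.
function failureRedirectTarget(queryString, allowedOrigins, fallback) {
  const params = new URLSearchParams(queryString);
  return safeGotoOnFail(params.get("gotoOnFail"), allowedOrigins, fallback);
}

// Assumed allowlist: the origins of the PingGateway hosts this login page serves.
const ALLOWED_ORIGINS = ["https://app.example.com"];

// In the page's authentication-failure handler (browser only):
//   window.location.assign(
//     failureRedirectTarget(window.location.search, ALLOWED_ORIGINS, "/login-failed"));
```

Matching the whole origin rather than a hostname suffix, and refusing anything that is not an absolute `https` URL, closes the usual bypasses (scheme-relative URLs, `user@host` confusion, lookalike subdomains, `javascript:` URLs) without needing a blocklist.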

Find out where to configure the URL template in:

* [Register PingGateway with PingOne Advanced Identity Cloud](https://docs.pingidentity.com/pinggateway/2026/aic/preface.html#register-agent-idc)

* [Register PingGateway with PingAM](https://docs.pingidentity.com/pinggateway/2026/gateway-guide/preface.html#register-agent-am)

### FAPI and custom data audit logging

PingGateway now provides an `accessAuditExtension` context, which lets you log custom data in access audit logs using filters or Groovy. When this context is present, PingGateway logs `key:value` pairs with custom data in an extension object (`ext`) under the `ig` section of the event in access audit logs.

The existing FAPI audit log has been migrated to use this new `accessAuditExtension` context. FAPI-specific audit attributes are now logged in the `ext` object for FAPI requests.

Learn more in [Extend audit events with custom data](https://docs.pingidentity.com/pinggateway/2026/maintenance-guide/auditing.html#extend-audit-events-custom-data).

### File permissions in JsonAuditEventHandler

PingGateway now supports configuring file permissions for log files generated by the [JsonAuditEventHandler](https://docs.pingidentity.com/pinggateway/2026/reference/JsonAuditEventHandler.html).

The default file permission is `644`. This allows the owner to read and write the file, while group members and all other users can only read it.

## PingGateway 2025.11.x

### 2025.11.2

#### File permissions in JsonAuditEventHandler

PingGateway now supports configuring file permissions for log files generated by the [JsonAuditEventHandler](https://docs.pingidentity.com/pinggateway/2025.11/reference/JsonAuditEventHandler.html).

The default file permission is `644`. This allows the owner to read and write the file, while group members and all other users can only read it.

#### Additional filter support for well-known endpoints with MCP

PingGateway now supports specifying a filter for requests targeting the well-known endpoint. For example, use a `CorsFilter` to allow preflight requests in the browser.

Learn more about the `"wellKnownFilter"` setting in the [McpProtectionFilter](https://docs.pingidentity.com/pinggateway/2025.11/reference/McpProtectionFilter.html) reference.

### 2025.11.1

#### MCP support

PingGateway now helps you protect [Model Context Protocol (MCP)](https://modelcontextprotocol.io/docs/getting-started/intro) services.

This feature has [Evolving](stability.html#interface-stability) interface stability. It's subject to change without notice, even in a minor or maintenance release.

Find a tutorial you can try in [MCP security gateway](https://docs.pingidentity.com/pinggateway/2025.11/mcp/index.html).

Learn more in these reference pages:

* [McpAuditFilter](https://docs.pingidentity.com/pinggateway/2025.11/reference/McpAuditFilter.html)

* [McpProtectionFilter](https://docs.pingidentity.com/pinggateway/2025.11/reference/McpProtectionFilter.html)

* [McpValidationFilter](https://docs.pingidentity.com/pinggateway/2025.11/reference/McpValidationFilter.html)

### 2025.11.0

#### Improvements to FAPI support

PingGateway includes a number of improvements related to [FAPI support](https://docs.pingidentity.com/pinggateway/2025.11/fapi/).

If you're configuring a self-managed PingAM deployment, FAPI functionality requires AM version 8.0.2 or later.

#### Help switching to PingOne Advanced Identity Cloud

PingGateway can help you switch from a self-managed or on-premise AM deployment to PingOne Advanced Identity Cloud. Use it to redirect requests for OAuth 2.0 and OpenID Connect (OIDC) clients and for Security Assertion Markup Language (SAML) V2.0 service providers.

Learn more in [Move to PingOne Advanced Identity Cloud](https://docs.pingidentity.com/pinggateway/2025.11/aic/switch-to-saas.html).

#### Reloadable route properties

PingGateway now supports reloading local properties files and the routes that depend on them. This allows you to update route configurations without changing the route files.

Use this when you deploy PingGateway in an environment with locked-down route configurations, for example, with a read-only file system or a PingGateway `Router` setting of `"scanInterval": "disabled"`. This is common in Docker deployments that nevertheless need to support some updates.

Learn more in the [Properties](https://docs.pingidentity.com/pinggateway/2025.11/reference/Properties.html) reference sections about `"$location:<_id>"` settings.

#### Ensure all routes load successfully

PingGateway now lets you configure a router to add its routes only when *all* routes load successfully.

To do so, set `"failOnRouteError": true` in the [Router](https://docs.pingidentity.com/pinggateway/2025.11/reference/Router.html) configuration.

#### Configurable maximum for WebSocket connections

PingGateway `ReverseProxyHandler` configurations now support a setting to change the maximum number of pooled WebSocket connections through the handler.

Learn more in the [ReverseProxyHandler](https://docs.pingidentity.com/pinggateway/2025.11/reference/ReverseProxyHandler.html#ReverseProxyHandler-websocket-maxConnections) reference.

## PingGateway 2025.9

### FAPI support

PingGateway now provides full support for the Financial-grade API (FAPI) standards, simplifying implementation of FAPI-compliant client registration, authorization services, and resource servers.

Learn more in the tutorial for [evaluating FAPI support](https://docs.pingidentity.com/pinggateway/2025.9/fapi/) and in the [FAPI reference documentation](https://docs.pingidentity.com/pinggateway/2025.9/reference/Fapi.html).

### Graceful shutdown

PingGateway now supports graceful shutdown, refusing new connections and waiting a configurable grace period before forcing existing connections to close.

In `admin.json`, you can configure separate `"gracePeriod"` settings for [administrative connections](https://docs.pingidentity.com/pinggateway/2025.9/reference/AdminHttpApplication.html#AdminHttpApplication-adminConnector-gracePeriod) and [client application connections](https://docs.pingidentity.com/pinggateway/2025.9/reference/AdminHttpApplication.html#AdminHttpApplication-connectors-gracePeriod).

### Custom algorithm setting for JwkSetHandler

The `JwkSetHandler` now supports a `"jwkAlgorithm"` setting to specify the algorithm to include in the generated JWK `alg` parameter.

Learn more in [JwkSetHandler](https://docs.pingidentity.com/pinggateway/2025.9/reference/JwkSetHandler.html).

### Configuration conditions

PingGateway now supports runtime conditions. Conditions extend PingGateway expressions, taking an optional label.

Learn more in the reference page on [Conditions](https://docs.pingidentity.com/pinggateway/2025.9/reference/Conditions.html) and in the reference documentation for configuration elements that support conditions.

## PingGateway 2025.6.x

### PingGateway 2025.6.2

PingGateway 2025.6.2 is a maintenance release with no externally visible features or fixes.

### PingGateway 2025.6.1

PingGateway 2025.6.1 is a maintenance release to fix a third-party dependency issue. It includes no new features or other fixes.

### PingGateway 2025.6

#### New startup readiness endpoint

PingGateway now exposes these health check administrative endpoints:

* `health/liveness` (Interface stability: [Evolving](stability.html#interface-stability))

* `health/readiness` (Interface stability: [Evolving](stability.html#interface-stability))

* `health/startup`

The `health/startup` endpoint replaces the deprecated `ping` endpoint.

Learn more about the endpoints in [Health check endpoints](https://docs.pingidentity.com/pinggateway/2025.6/maintenance-guide/monitoring.html#health-check).

Find the full path to the endpoint in the reference for the `admin.json` property, [adminConnector](https://docs.pingidentity.com/pinggateway/2025.6/reference/AdminHttpApplication.html#AdminHttpApplication-adminConnector).

#### Specify the journey to authenticate to AM

PingGateway now lets you specify the authentication journey (tree) the `AmService` uses when authenticating to AM.

Learn more in the reference for the `AmService` [agent > journey](https://docs.pingidentity.com/pinggateway/2025.6/reference/AmService.html#AmService-agent-journey).

#### Audit session cache clearing events

The PingGateway `AmService` now lets you reference an `AuditService` to capture notifications from AM, such as cache clearing events, in an audit log.

Learn more in the reference for the `AmService` [notifications > audit](https://docs.pingidentity.com/pinggateway/2025.6/reference/AmService.html#AmService-notifications-enabled) settings.

#### Limit HTTP request body size

PingGateway now lets you set the maximum acceptable body size for incoming HTTP requests.

In [`admin.json`](https://docs.pingidentity.com/pinggateway/2025.6/reference/AdminHttpApplication.html), you can set:

* [`adminMaxBodyLength`](https://docs.pingidentity.com/pinggateway/2025.6/reference/AdminHttpApplication.html#AdminHttpApplication-adminMaxBodyLength): Maximum body size in bytes for HTTP requests to the administration port.

* [`maxBodyLength`](https://docs.pingidentity.com/pinggateway/2025.6/reference/AdminHttpApplication.html#AdminHttpApplication-maxBodyLength): Maximum body size in bytes for HTTP requests from client applications.

This takes effect only when [`"streamingEnabled": false`](https://docs.pingidentity.com/pinggateway/2025.6/reference/AdminHttpApplication.html#AdminHttpApplication-streamingEnabled) in the `admin.json` file.

## PingGateway 2025.3

### Use Bouncy Castle FIPS

PingGateway now describes how to use Bouncy Castle FIPS to help with FIPS 140-3 compliance without requiring an HSM using a PKCS#11 interface.

Learn more in [FIPS 140-3 compliance](https://docs.pingidentity.com/pinggateway/2025.3/installation-guide/fips.html).

### Offload TLS handshakes

[ClientTlsOptions](https://docs.pingidentity.com/pinggateway/2025.3/reference/ClientTlsOptions.html) and [ServerTlsOptions](https://docs.pingidentity.com/pinggateway/2025.3/reference/ServerTlsOptions.html) now support an optional `offloadHandshake` setting (default: `false`).

When revocation checks are enabled, a TLS handshake can take a long time, blocking the event thread from processing other requests. When this option is `true`, PingGateway processes the TLS handshake in a separate worker thread, and the event thread continues to process other requests.

### Close connections gracefully

PingGateway now supports options to help close connections more gracefully.

Use the new `"connectionTimeToLive"` and `"connectionShutdownGracePeriod"` settings for connections [to servers](https://docs.pingidentity.com/pinggateway/2025.3/reference/ClientHandler.html#ClientHandler-graceful-close) and [from client applications](https://docs.pingidentity.com/pinggateway/2025.3/reference/ReverseProxyHandler.html#ReverseProxyHandler-graceful-close).

### Custom unauthorized responses for Kerberos

The [KerberosIdentityAssertionPlugin](https://docs.pingidentity.com/pinggateway/2025.3/reference/KerberosIdentityAssertionPlugin.html) now supports customizing the HTTP 401 Unauthorized responses with an optional `unauthorizedResponseHandler`.

When a browser can't supply a Kerberos token and isn't configured to deal appropriately with HTTP 401 Unauthorized, the default response can leave the user stuck on an unauthorized page. Use the `unauthorizedResponseHandler` to provide an appropriate response to resolve this issue.

### OpenTelemetry now supported

OpenTelemetry support is no longer a technology preview. It is now a supported feature.

The feature has [Evolving](stability.html#interface-stability) interface stability. It is subject to change without notice, even in a minor or maintenance release.

## PingGateway 2024.11.x

### PingGateway 2024.11.2

PingGateway 2024.11.2 is a maintenance release with no externally visible features or fixes.

### PingGateway 2024.11.1

PingGateway 2024.11.1 is a maintenance release to fix third-party dependency issues and the issue listed in [Fixed in PingGateway 2024.11.1](fixes.html#fix-in-2024.11.1).

It includes no new features.

### PingGateway 2024.11.0

#### Device profile support for risk evaluation

PingGateway now supports gathering device profile data from the user-agent and including the profile data in PingOne Protect risk evaluation requests.

Learn more in [PingOne Protect integration](https://docs.pingidentity.com/pinggateway/2024.11/pingone/risk.html).

#### PKCE support for OAuth 2.0 clients

The [AuthorizationCodeOAuth2ClientFilter](https://docs.pingidentity.com/pinggateway/2024.11/reference/AuthorizationCodeOAuth2ClientFilter.html) and [ClientRegistration](https://docs.pingidentity.com/pinggateway/2024.11/reference/ClientRegistration.html) configurations now support [RFC 7636: Proof Key for Code Exchange by OAuth Public Clients](https://www.rfc-editor.org/rfc/rfc7636.html) (PKCE).

PKCE is enabled by default and recommended. To disable it, set `"pkce_method": "none"` or `"pkceMethod": "none"` as described in the reference documentation.

#### Graceful shutdown

The `stop.sh` and `stop.bat` scripts now accept additional arguments to change how long the script waits before forcing the PingGateway process to terminate.

Learn more in [Graceful shutdown](https://docs.pingidentity.com/pinggateway/2024.11/installation-guide/start-stop.html#graceful-shutdown).

#### Lifetime for CDSSO sessions

The [CrossDomainSingleSignOnFilter](https://docs.pingidentity.com/pinggateway/2024.11/reference/CrossDomainSingleSignOnFilter.html) now has a `"lifetime"` setting to configure the duration after which PingGateway removes the initial CDSSO authentication session state.

#### Propagate disconnections

PingGateway now supports a [ClientHandler](https://docs.pingidentity.com/pinggateway/2024.11/reference/ClientHandler.html) and [ReverseProxyHandler](https://docs.pingidentity.com/pinggateway/2024.11/reference/ReverseProxyHandler.html) `"propagateDisconnection"` setting to reset the connection to the protected application when the user-agent disconnects and PingGateway is in streaming mode.

#### Support for DER certificates

PingGateway now supports a [`derCertificate(string)` function](https://docs.pingidentity.com/pinggateway/2024.11/reference/Functions.html#functions-derCertificate) to convert a base64-encoded DER-format string into a certificate.

#### More flexible `AmSessionIdleTimeoutFilter` settings

A new `"idleTimeoutUpdate": "INCREASE_ONLY_THEN_ALWAYS"` setting for [AmSessionIdleTimeoutFilter](https://docs.pingidentity.com/pinggateway/2024.11/reference/AmSessionIdleTimeoutFilter.html) lets you enforce whichever is longer, the idle timeout of the current filter or the idle timeout carried in the tracking token, and then set the tracking token's timeout to the idle timeout of the filter.

PingGateway uses the updated tracking token on the next interaction with an `AmSessionIdleTimeoutFilter`. That next filter can use a different `"idleTimeoutUpdate"` setting, for example, to enforce a shorter idle timeout.

## PingGateway 2024.9

### OpenTelemetry capabilities

This release adds the ability to push traces to an [OpenTelemetry](https://opentelemetry.io/) service.

These capabilities are available in [Technology preview](stability.html#interface-stability). They aren't yet supported, may be functionally incomplete, and are subject to change without notice.

Learn more in the following documentation:

* [Push to an OpenTelemetry service](https://docs.pingidentity.com/pinggateway/2024.11/maintenance-guide/monitoring.html#monitoring-tracing)

* [AdminHttpApplication (`admin.json`)](https://docs.pingidentity.com/pinggateway/2024.11/reference/AdminHttpApplication.html)

* [Start the sample application](https://docs.pingidentity.com/pinggateway/2024.11/getting-started/start-sampleapp.html#start-sampleapp-start)

### Multiple versions of a secret with FileSystemSecretStore

With the new FileSystemSecretStore `versionSuffix` setting you can have multiple versions of a secret with the same ID.

Learn more in [FileSystemSecretStore](https://docs.pingidentity.com/pinggateway/2024.11/reference/FileSystemSecretStore.html).

### Replace setting for HeaderFilter

Use the new HeaderFilter `replace` setting to replace headers instead of removing then adding them.

Learn more in [HeaderFilter](https://docs.pingidentity.com/pinggateway/2024.11/reference/HeaderFilter.html).

### Runtime exception condition for retries

The new `runtimeExceptionCondition` setting lets you restrict which runtime exceptions lead to retries.

Learn more in [ClientHandler](https://docs.pingidentity.com/pinggateway/2024.11/reference/ClientHandler.html) and [ReverseProxyHandler](https://docs.pingidentity.com/pinggateway/2024.11/reference/ReverseProxyHandler.html).

### Security provider setting for keystores

The new `securityProvider` setting lets you choose the Java security provider to use when loading a keystore.

Learn more in [KeyStoreSecretStore](https://docs.pingidentity.com/pinggateway/2024.11/reference/KeyStoreSecretStore.html).

### Delayed route metrics creation

The new `delayRouteMetrics` setting lets you defer creation of route metrics until a request passes through the route. This can improve startup times for deployments with many routes.

Learn more in [Router](https://docs.pingidentity.com/pinggateway/2024.11/reference/Router.html).

### Separate endpoint for administration

PingGateway now lets you configure a separate endpoint for administrative connections. PingGateway is expected to require a separate administrative endpoint in a future release.

Learn more in [AdminHttpApplication (`admin.json`)](https://docs.pingidentity.com/pinggateway/2024.11/reference/AdminHttpApplication.html).

### New PingOne Authorize example

The documentation now includes an example showing how to protect a web application with help from PingOne Authorize.

Learn more in [PingOne Authorize integration](https://docs.pingidentity.com/pinggateway/2024.11/pingone/aam.html).

### Asynchronous reads in `FileAttributesFilter` and `SqlAttributesFilter`

When you omit the deprecated `target` setting from a [FileAttributesFilter](https://docs.pingidentity.com/pinggateway/2024.11/reference/FileAttributesFilter.html) or an [SqlAttributesFilter](https://docs.pingidentity.com/pinggateway/2024.11/reference/SqlAttributesFilter.html), PingGateway reads the file or performs the SQL query asynchronously when calling the filter. Place the filter immediately before the entity reading the data from the context.

## PingGateway 2024.6

### IG becomes PingGateway

Product names changed when ForgeRock became part of Ping Identity. PingGateway was formerly known as ForgeRock Identity Gateway. Learn more about the name changes in [New names for ForgeRock products](https://support.pingidentity.com/s/article/New-names-for-ForgeRock-products).

### PingOne Protect integration

You can now use PingOne Protect risk evaluations to help protect web applications. Configure PingGateway routes to react dynamically to risk scores from PingOne Protect.

|   |                                                                                                                                                                                                        |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|   | PingOne Protect integration is available in [Technology preview](stability.html#interface-stability). It isn't yet supported, may be functionally incomplete, and is subject to change without notice. |

Learn more in [PingOne Protect integration](https://docs.pingidentity.com/pinggateway/2024.11/identity-cloud-guide/risk.html).

### Changes to the Prometheus Scrape Endpoint

To facilitate consumption of Prometheus metrics, the format of some metrics has been updated and the new format is available on the new endpoint `…/openig/metrics/prometheus/0.0.4`.

The old format and endpoint are deprecated, but for backward compatibility, they are enabled and available by default.

The new property `serveDeprecatedPrometheusEndpoint` in [AdminHttpApplication](https://docs.pingidentity.com/pinggateway/2024.11/reference/RequiredConfiguration.html) is available to deliver Prometheus metrics in the deprecated format. It is enabled by default.

Learn more in [Metrics at the Prometheus Scrape Endpoint](https://docs.pingidentity.com/pinggateway/2024.11/reference/Monitoring.html#monitoring-metrics).

### New metrics at the Prometheus Scrape Endpoint

Startup and WebSocket metrics are now available at the Prometheus Scrape Endpoint. Learn more in [Startup metrics at the Prometheus Scrape Endpoint](https://docs.pingidentity.com/pinggateway/2024.11/reference/Monitoring.html#prom-startup-metrics) and [WebSocket metrics at the Prometheus Scrape Endpoint](https://docs.pingidentity.com/pinggateway/2024.11/reference/Monitoring.html#websocket-metrics-prom).

### PingOneApiAccessManagementFilter now supported

The [PingOneApiAccessManagementFilter](https://docs.pingidentity.com/pinggateway/2024.11/reference/PingOneApiAccessManagementFilter.html) is now supported for general use.

### Hardened security for OpenID Connect ID tokens

PingGateway now supports OpenID Connect ID token validation according to the OpenID Connect specifications.

For this release, signature validation is optional. The next major release is expected to make ID token signature validation required.

The following new properties enable validation of the ID token signatures and the `iss`, `aud`, `exp`, `iat`, and `nonce` claims:

* [ClientRegistration](https://docs.pingidentity.com/pinggateway/2024.11/reference/MiscellaneousConfigurationObjects.html#ClientRegistration):

  * `skipSignatureVerification`

  * `clientSecretUsage`

  In addition, use the `clientSecretId` and `secretsProvider` properties for HMAC-based signature validation.

* [Issuer](https://docs.pingidentity.com/pinggateway/2024.11/reference/MiscellaneousConfigurationObjects.html#Issuer):

  * `issuer`

  * `secretsProvider`

  * `idTokenVerificationSecretId`

  * `idTokenSkewAllowance`

Learn more about *ClientRegistration configurations* and *Issuer configurations* in [Incompatible changes](changes.html).
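
The checks those properties turn on, as an added example that is not PingGateway's ClientRegistration or Issuer code: it verifies the signature and then the `iss`, `aud`, `exp`, `iat`, and `nonce` claims, with a skew allowance in the role of `idTokenSkewAllowance` and a `skip_signature_verification` switch in the role of `skipSignatureVerification`. It signs with HS256 (HMAC over the client secret, the case `clientSecretUsage` covers) so it runs with the standard library alone; the issuer, client ID, secret and claim values are constructed for the example.

```python
"""Validate an OpenID Connect ID token: signature plus iss, aud, exp, iat and nonce.

Added illustration, not PingGateway code. HS256 is used so the example runs
with the standard library only; the claim checks are the same for RSA or EC
signed tokens, only the signature check differs.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_hs256_id_token(claims: dict, secret: bytes) -> str:
    """Constructed helper that mints an HS256-signed JWT for the checks below."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_id_token(token: str, secret: bytes, expected_issuer: str, client_id: str,
                      expected_nonce: Optional[str], skew_allowance: int = 0,
                      now: Optional[int] = None,
                      skip_signature_verification: bool = False) -> dict:
    """Return the claims when every check passes; raise ValueError otherwise.

    skew_allowance is in seconds and is applied on both exp and iat.
    skip_signature_verification exists only to show the unsafe setting; keep it False.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))

    if not skip_signature_verification:
        # Pin the algorithm: the token header must never choose 'none' or another alg.
        if header.get("alg") != "HS256":
            raise ValueError(f"unexpected alg {header.get('alg')!r}")
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("signature mismatch")

    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("client_id not in aud")
    # exp and iat are NumericDate seconds; the allowance is applied on each side.
    if "exp" not in claims or now > int(claims["exp"]) + skew_allowance:
        raise ValueError("token expired")
    if "iat" not in claims or int(claims["iat"]) > now + skew_allowance:
        raise ValueError("token issued in the future")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def id_token_is_valid(*args, **kwargs) -> bool:
    """Boolean wrapper around validate_id_token for quick checks."""
    try:
        validate_id_token(*args, **kwargs)
        return True
    except ValueError:
        return False
```

The order matters: the signature is checked before any claim is trusted, and the algorithm is pinned by the verifier rather than read from the token, so a token that declares `alg: none` or a different algorithm is rejected outright.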

## IG 2024.3

### Local authentication on behalf of PingOne Advanced Identity Cloud and Kerberos validation

The following new objects are available for local processing on behalf of PingOne Advanced Identity Cloud as part of a PingOne Advanced Identity Cloud journey:

* [IdentityAssertionHandler](https://docs.pingidentity.com/pinggateway/2024.11/reference/IdentityAssertionHandler.html)

* [IdentityRequestJwtContext](https://docs.pingidentity.com/pinggateway/2024.11/reference/IdentityRequestJwtContext.html)

* [ScriptableIdentityAssertionPlugin](https://docs.pingidentity.com/pinggateway/2024.11/reference/ScriptableIdentityAssertionPlugin.html)

* [KerberosIdentityAssertionPlugin](https://docs.pingidentity.com/pinggateway/2024.11/reference/KerberosIdentityAssertionPlugin.html) and the service objects UsernamePasswordServiceLogin and KeytabServiceLogin.

These objects exist alongside the Technical Preview objects, IdentityAssertionHandlerTechPreview, ScriptableIdentityAssertionPluginTechPreview, and IdentityAssertionPluginTechPreview, introduced in the last release.

### Monitoring of caches

Monitoring metrics are now available at the Prometheus Scrape Endpoint and Common REST Monitoring Endpoint for the caches described in [Caches](https://docs.pingidentity.com/pinggateway/2024.11/reference/Caches.html).

Learn more in [Cache metrics at the Prometheus Scrape Endpoint](https://docs.pingidentity.com/pinggateway/2024.11/reference/Caches.html#prom-cache-metrics).

### Use of secrets in Studio

IG now uses secrets instead of deprecated passwords. Learn how IG manages migration in [Upgrade from an earlier version of Studio](https://docs.pingidentity.com/pinggateway/2024.11/studio-guide/upgrade.html).

### Use of Splunk or ElasticSearch audit event handlers in Studio

IG Studio no longer uses the deprecated Splunk or ElasticSearch audit event handlers. Learn how IG manages migration in [Upgrade from an earlier version of Studio](https://docs.pingidentity.com/pinggateway/2024.11/studio-guide/upgrade.html).

### Hardened security for secrets

With PingOne Advanced Identity Cloud and from AM 7.5, passwords hardcoded in the identity provider configuration can optionally be managed by the identity provider's secret service. These passwords include the IG agent passwords and OAuth 2.0 client passwords.

### IssuerRepository

An IssuerRepository is provided as a default object. Learn more in [Default objects](https://docs.pingidentity.com/pinggateway/2024.11/reference/RequiredConfiguration.html#admin-default-objects).

### Dedicated filter for PingOne's API Access Management ([Technology preview](stability.html#interface-stability))

[PingOneApiAccessManagementFilter](https://docs.pingidentity.com/pinggateway/2024.11/reference/PingOneApiAccessManagementFilter.html) is a new filter dedicated to PingOne's API Access Management. Use this filter with API Access Management to evaluate HTTP requests and responses.

|   |                                                                                                                                                                                                                 |
| - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | The PingOneApiAccessManagementFilter is available in [Technology preview](stability.html#interface-stability). It isn't yet supported, may be functionally incomplete, and is subject to change without notice. |

## IG 2023.11.x

### IG 2023.11.2

IG 2023.11.2 is a maintenance version to fix third-party dependency issues and the issue listed in [Fixed in 2023.11.2](fixes.html#fix-in-2023.11.2).

It contains no new features.

### IG 2023.11.1

IG 2023.11.1 is a maintenance version to fix issues listed in [Fixed in 2023.11.1](fixes.html#fix-in-2023.11.1).

It contains no new features.

### IG 2023.11.0

#### General features

##### Harden OAuth 2.0 access token requests

[GrantSwapJwtAssertionOAuth2ClientFilter](https://docs.pingidentity.com/pinggateway/2023.11/reference/GrantSwapJwtAssertionOAuth2ClientFilter.html) is a new filter to transform requests for OAuth 2.0 access tokens into secure [JWT bearer grant type](https://docs.pingidentity.com/pingam/8.1/oauth2-guide/oauth2-jwt-bearer-grant.html) requests.

Use this filter with PingOne Advanced Identity Cloud or AM to increase the security of less-secure grant-type requests like [Client credentials grant](https://docs.pingidentity.com/pingam/8.1/oauth2-guide/oauth2-client-cred-grant.html) or [Resource owner password credentials grant](https://docs.pingidentity.com/pingam/8.1/oauth2-guide/oauth2-ropc-grant.html).

Learn more in [Secure the OAuth 2.0 access token endpoint](https://docs.pingidentity.com/pinggateway/2023.11/identity-cloud-guide/grant-swap.html#oauth2-GrantSwapJwtAssertionOAuth2ClientFilter).

##### Include key ID in JWT header

The new `includeKeyId` property is available in [JwtBuilderFilter](https://docs.pingidentity.com/pinggateway/2023.11/reference/JwtBuilderFilter.html) to include the ID of the signature key in the header of a built JWT.

##### Local processing on behalf of PingOne Advanced Identity Cloud ([Technology preview](stability.html#interface-stability))

The following new objects are available for local processing on behalf of PingOne Advanced Identity Cloud as part of a PingOne Advanced Identity Cloud journey:

* [IdentityAssertionHandlerTechPreview](https://docs.pingidentity.com/pinggateway/2023.11/reference/IdentityAssertionHandlerTechPreview.html)

* [ScriptableIdentityAssertionPluginTechPreview](https://docs.pingidentity.com/pinggateway/2023.11/reference/ScriptableIdentityAssertionPluginTechPreview.html)

|   |                                                                                                                                                                                                                                                                                                               |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | The IdentityAssertionHandlerTechPreview, ScriptableIdentityAssertionPluginTechPreview, and IdentityAssertionPluginTechPreview are available in [Technology preview](stability.html#interface-stability). They aren't yet supported, may be functionally incomplete, and are subject to change without notice. |

##### Secret format JwkPropertyFormat

[JwkPropertyFormat](https://docs.pingidentity.com/pinggateway/2023.11/reference/JwkPropertyFormat.html) is a new secret format. Use it with [FileSystemSecretStore](https://docs.pingidentity.com/pinggateway/2023.11/reference/FileSystemSecretStore.html) to decode JSON Web Key (JWK) formatted keys into secrets.

##### More flexible use of CA-certificates in mutual TLS

The new property `certificateVerificationSecretId` is available in [SecretsTrustManager](https://docs.pingidentity.com/pinggateway/2023.11/reference/SecretsTrustManager.html) to use CA certificates in mutual TLS. In previous releases, the use of CA-signed certificates was more restricted.

##### Safeguard against accidental exposure of private keys with JwkSetHandler

The new `exposePrivateSecrets` property is available in [JwkSetHandler](https://docs.pingidentity.com/pinggateway/2023.11/reference/JwkSetHandler.html) to safeguard against the accidental exposure of private keys in a JWK set.

The property is `false` by default to prevent exposure of private keys. To expose private keys, explicitly set the property to `true`.
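
What that safeguard has to do, as an added example that is not PingGateway's JwkSetHandler code: before a JWK set is published, strip the members that hold private material (listed per key type in RFC 7518 section 6) unless an `expose_private_secrets`-style switch is explicitly set, and run a last check that nothing private is left in the document. The key values are constructed placeholders, not real keys.

```python
"""Publish a JWK set without leaking private key material.

Added illustration, not PingGateway's JwkSetHandler code. The default
(expose_private_secrets=False) is the safe one, matching the release note.
"""
import json
from typing import Dict, List, Optional

# Members that hold private material, per key type (RFC 7518 section 6).
PRIVATE_MEMBERS = {
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "EC": {"d"},
    "OKP": {"d"},
    "oct": {"k"},  # a symmetric key has no public half at all
}


def has_private_material(jwk: Dict) -> bool:
    return any(m in jwk for m in PRIVATE_MEMBERS.get(jwk.get("kty"), set()))


def public_projection(jwk: Dict) -> Optional[Dict]:
    """Drop private members; return None when nothing publishable remains."""
    kty = jwk.get("kty")
    if kty == "oct":
        return None
    return {k: v for k, v in jwk.items() if k not in PRIVATE_MEMBERS.get(kty, set())}


def build_jwk_set(keys: List[Dict], expose_private_secrets: bool = False) -> Dict:
    """Build the document a JWKS endpoint would serve.

    False (default): private members are stripped and symmetric keys omitted.
    True: keys are published exactly as given, private members included.
    """
    if expose_private_secrets:
        return {"keys": [dict(k) for k in keys]}
    projected = (public_projection(k) for k in keys)
    return {"keys": [k for k in projected if k]}


def check_no_private_material(jwks: Dict) -> List[str]:
    """Return the kids of any keys that still carry private members.

    Run this on the document before it leaves the server; a non-empty
    result means the endpoint is about to publish a private key.
    """
    return [k.get("kid", "<no kid>") for k in jwks.get("keys", []) if has_private_material(k)]


# Constructed sample keys: placeholder values, not usable key material.
SAMPLE_KEYS = [
    {"kty": "RSA", "kid": "rsa-1", "use": "sig", "alg": "RS256",
     "n": "PLACEHOLDER_MODULUS", "e": "AQAB",
     "d": "PLACEHOLDER_PRIVATE_EXPONENT", "p": "P", "q": "Q",
     "dp": "DP", "dq": "DQ", "qi": "QI"},
    {"kty": "EC", "kid": "ec-1", "crv": "P-256", "x": "X", "y": "Y", "d": "PLACEHOLDER_D"},
    {"kty": "oct", "kid": "hmac-1", "k": "PLACEHOLDER_SYMMETRIC_KEY"},
]

if __name__ == "__main__":
    print(json.dumps(build_jwk_set(SAMPLE_KEYS), indent=2))
```

The final `check_no_private_material` pass is the part worth keeping even when the projection logic is trusted: it catches a key that was added with an unexpected `kty` or a member name the projection does not know about.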

#### SAML

##### Prevention of redirect loops when session cookies aren't present in the SAML flow

In [SamlFederationFilter](https://docs.pingidentity.com/pinggateway/2023.11/reference/SamlFederationFilter.html), the new `redirectionMarker` property is enabled by default to prevent redirect loops when a session cookie isn't present in the SAML flow.

When the marker is present in the request query parameters, the request isn't redirected for authentication.

## IG 2023.9

### Revocation of access tokens initiated by OAuth 2.0 Resource Servers

The following new properties have been added in AuthorizationCodeOAuth2ClientFilter and Issuer:

* `AuthorizationCodeOAuth2ClientFilter:revokeOauth2TokenOnLogout`

* `Issuer:revocationEndpoint`

In OpenID Connect, use these properties to revoke, at logout, the access and refresh tokens that authorization servers issued during login.

### Logout initiated by OpenID Connect relying parties

The following new properties have been added in AuthorizationCodeOAuth2ClientFilter and Issuer:

* `AuthorizationCodeOAuth2ClientFilter:openIdEndSessionOnLogout`

* `Issuer:endSessionEndpoint`

In OpenID Connect, use these properties to initiate logout from authorization servers.

### Option to require the Authorization Server to prompt the end-user to reauthenticate and consent

A new property `prompt` is available in AuthorizationCodeOAuth2ClientFilter.

Use the property in [OIDC flows](https://openid.net/specs/openid-connect-core-1_0.html) to require the authorization server to prompt the end user to reauthenticate and consent.

### Improved error handling for AuthorizationCodeOAuth2ClientFilter

When an OAuth 2.0 authorization operation fails, the AuthorizationCodeOAuth2ClientFilter injects the error and error description into the OAuth2FailureContext. In previous releases, OAuth2FailureContext was used only for the OAuth2TokenExchangeFilter.

### New context for use with AuthorizationCodeOAuth2ClientFilter

In AuthorizationCodeOAuth2ClientFilter, retrieve the original target URI for a request from the new IdpSelectionLoginContext.

### Improved security for CrossDomainSingleSignOnFilter

When `verificationSecretId` in CrossDomainSingleSignOnFilter isn't configured, IG discovers and uses the AM JWK set to verify the signature of AM session tokens. If the JWK set isn't available, IG doesn't verify the tokens.

In earlier releases, IG didn't verify the tokens when `verificationSecretId` in CrossDomainSingleSignOnFilter wasn't configured.

To minimize the risk of CDSSO token tampering, always configure `verificationSecretId` in CrossDomainSingleSignOnFilter.

## IG 2023.6

### Large JWT session cookies are automatically split

When a JWT-based session cookie exceeds 4 KBytes, IG automatically splits it into multiple cookies.

If your JWT session size is too close to the value of `connectors:maxTotalHeadersSize` in AdminHttpApplication, IG can block your next request containing split JWT session cookies. Consider increasing the value of `connectors:maxTotalHeadersSize`.
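
Why splitting does not buy back header budget, as an added example that is not PingGateway's JwtSession code: the 4 KB threshold is from the note above, but the chunk naming scheme (`name-0`, `name-1`, ...) and the byte accounting are assumptions made for the example. It splits an oversized cookie value, reassembles it, and shows that the resulting `Cookie` header is slightly larger than the unsplit one, so a session already close to `connectors:maxTotalHeadersSize` can be rejected after the split.

```python
"""Split an oversized JWT session cookie and account for the header budget.

Added illustration, not PingGateway code. Chunk naming and size accounting
are assumptions; the 4 KB threshold comes from the release note.
"""
from typing import Dict, List, Tuple

SPLIT_THRESHOLD = 4096  # bytes, from the release note


def split_cookie(name: str, value: str, threshold: int = SPLIT_THRESHOLD) -> List[Tuple[str, str]]:
    """Return one cookie when it fits, else a numbered series of chunks."""
    if len(value) <= threshold:
        return [(name, value)]
    chunks = [value[i:i + threshold] for i in range(0, len(value), threshold)]
    return [(f"{name}-{i}", chunk) for i, chunk in enumerate(chunks)]  # assumed naming


def join_cookie(name: str, cookies: Dict[str, str]) -> str:
    """Reassemble a value that split_cookie produced (or return an unsplit one)."""
    if name in cookies:
        return cookies[name]
    parts: List[str] = []
    while f"{name}-{len(parts)}" in cookies:
        parts.append(cookies[f"{name}-{len(parts)}"])
    return "".join(parts)


def cookie_header_bytes(cookies: List[Tuple[str, str]]) -> int:
    """Size of the 'Cookie: a=1; b=2' request header the browser will send."""
    return len("Cookie: ") + len("; ".join(f"{n}={v}" for n, v in cookies))


def headers_fit(other_headers_bytes: int, cookies: List[Tuple[str, str]],
                max_total_headers_size: int) -> bool:
    """Apply a whole-header-block limit, the role connectors:maxTotalHeadersSize plays."""
    return other_headers_bytes + cookie_header_bytes(cookies) <= max_total_headers_size
```

Each chunk adds its own name, `=` and `; ` separator, so the total grows by a few bytes per chunk; the split protects the per-cookie limit, not the total header limit.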

### JWT session cookies not compressed by default

To improve security, JWT session cookies are no longer compressed by default.

### Startup allowed if there is an existing PID file

IG can now start up when there is an existing PID file. When activated, IG removes the existing PID file and creates a new one during startup. In previous releases, if there was an existing PID file during startup, the startup failed.

Activate the feature in the following ways:

* By the new property `pidFileMode` in AdminHttpApplication.

* With the new configuration token `ig.pid.file.mode`.

### Prevention of redirect loops when session cookies aren't present in the CDSSO flow

In CrossDomainSingleSignOnFilter, the new `redirectionMarker` property is enabled by default to prevent redirect loops when the session cookie isn't present in the CDSSO flow.

When the marker is present in the request query parameters, the request isn't redirected for authentication.
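
The loop-prevention logic described here and for the SamlFederationFilter `redirectionMarker` above, as an added example that is not PingGateway's filter code: a request without a session cookie is sent to login with a marker added to its return URL; if the request comes back still without a cookie but carrying the marker, it is answered with an error instead of being redirected again. The marker parameter name, the login URL, the cookie name and the 401 fallback are assumptions made for the example.

```python
"""Prevent a redirect loop when the session cookie never comes back.

Added illustration of the redirectionMarker behaviour, not PingGateway code.
Marker name, URLs and the 401 fallback are assumptions for the example.
"""
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

MARKER = "_redirected"  # assumed marker query-parameter name


def handle(request_url: str, cookies: Dict[str, str], login_url: str) -> Tuple[int, Dict[str, str]]:
    """Decide what a gateway filter does with one request to a protected resource.

    session cookie present        -> 200, pass the request on
    no cookie, no marker          -> 302 to login; the return URL carries the marker
    no cookie but marker present  -> 401; this client was already sent to login once,
                                     so redirecting again would only loop
    """
    if "session" in cookies:
        return 200, {}
    parsed = urlparse(request_url)
    query = parse_qs(parsed.query)
    if MARKER in query:
        return 401, {"Content-Type": "text/plain"}
    query[MARKER] = ["1"]
    return_to = urlunparse(parsed._replace(query=urlencode(query, doseq=True)))
    return 302, {"Location": login_url + "?" + urlencode({"goto": return_to})}


def simulate(client_sets_cookie: bool, max_hops: int = 5) -> List[int]:
    """Replay the browser/gateway exchange and return the status codes seen.

    client_sets_cookie=False models a browser that drops the session cookie
    (for example under a third-party cookie policy); without the marker it
    would bounce between login and the application until max_hops.
    """
    url = "https://app.example/protected/page"  # constructed
    cookies: Dict[str, str] = {}
    statuses: List[int] = []
    for _ in range(max_hops):
        status, headers = handle(url, cookies, "https://idp.example/login")
        statuses.append(status)
        if status != 302:
            break
        # The login step succeeds and sends the browser back to 'goto'.
        url = parse_qs(urlparse(headers["Location"]).query)["goto"][0]
        if client_sets_cookie:
            cookies = {"session": "constructed-session-token"}
    return statuses
```

A practitioner watching access logs for this condition would see the 302 followed by a 401 on the marked URL rather than an unbounded run of 302s; the 401 is the signal that the client cannot hold the session cookie at all.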

### Regex-based alias selection in KeyStoreSecretStore and HsmSecretStore

The new `mappings:aliasesMatching` property in KeyStoreSecretStore and HsmSecretStore is available to map all aliases that match a regular expression to a secret ID.

Some KeyStores, such as a global Java TrustStore, can contain hundreds of valid certificates. Use this property to map multiple aliases to a secret ID without listing them all in the mapping.

### Entity of StaticResponseHandler can be an array of strings

To improve readability, you can now define the `entity` property of a StaticResponseHandler as an array of strings or as a string.

### Maximum size for the sum of all request headers

The new `connectors:maxTotalHeadersSize` property in AdminHttpApplication defines the maximum size in bytes for the sum of all headers in a request. This property replaces the deprecated Vert.x properties `maxHeaderSize` and `initialSettings:maxHeaderListSize`.

### Support for unencoded policy advices

To support SDKs in legacy installations, a new `useLegacyAdviceEncoding` property in the PolicyEnforcementFilter is available to provide unencoded advices. By default, advices are encoded with the encoder used by the AM version.

This property is deprecated; use it only to support SDKs in legacy installations.

### Configure forward proxies for WebSocket connections

`websocket:proxyOptions` is a new property in ReverseProxyHandler to provide a dedicated WebSocket reverse proxy.

### Improved control of WebSocket connections to AM

The following properties are now available in AmService to improve control of WebSocket connections to AM:

* `notifications:connectionTimeout`

* `notifications:idleTimeout`

* `notifications:vertx`

## IG 2023.4

### Authentication of IG agent to PingOne Advanced Identity Cloud and AM

IG agents automatically authenticate to PingOne Advanced Identity Cloud and AM with a non-configurable authentication module. Authentication chains and modules are deprecated and replaced by nodes, trees, and journeys.

You can now authenticate IG agents to PingOne Advanced Identity Cloud and AM 7.3 with a journey. The procedure is currently optional, but will be required when authentication chains and modules are removed.

### Policy advices from PingOne Advanced Identity Cloud and AM available in a header

By default, when PingOne Advanced Identity Cloud or AM denies a request with advices, IG returns a redirect response with advices as parameters.

When the request includes the `x-authenticate-response` header with the value `header`, IG now returns the response with the advices in a `WWW-authentication` header.

Use this method for SDKs and single page applications. Placing advices in a header gives these applications more options for handling the advices.

Use the new `authenticateResponseRequestHeader` property in PolicyEnforcementFilter to configure the `x-authenticate-response` header name.

### SAML

The SamlFederationHandler is deprecated and replaced by the SamlFederationFilter.

The SamlFederationFilter can be used in a route to protect a downstream application in the same way as other authentication-triggering filters like a SingleSignOnFilter or CrossDomainSingleSignOnFilter.

When triggered, the SamlFederationFilter can initiate the login or logout of a SAML service provider with a SAML identity provider.

### WebSocket connection renewal

IG can now automatically renew WebSocket connections to AM after a defined delay.

### Limit side effects when backend applications are slow

ClientHandler and ReverseProxyHandler have a new `waitQueueSize` property to set the maximum number of outbound requests allowed to queue when no downstream connections are available. Use this property to limit memory use when there is a backlog of outbound requests, for example, when the protected application or third-party service is slow.

In previous releases, the queue size was unlimited. It is now limited to the square of the value of the `connections` property by default.

### Route ID included in access audit events

The name and ID of a route is now included by default in access audit events.

## IG 2023.2

### Session eviction

AM 7.3 can be configured to invalidate sessions based on user ID and send a notification with the topic `/agent/session.v2` to IG. IG can now use the notification to evict all sessions bound to the user.

|   |                               |
| - | ----------------------------- |
|   | This feature requires AM 7.3. |

### Preserve POST data during authentication

The DataPreservationFilter triggers POST data preservation when an unauthenticated client posts HTML form data to a protected resource.

### Prevent unnecessary session expiry

When the AmService property `sessionIdleRefresh` is enabled, IG now requests session refresh:

* The first time IG gets an SSO token from AM, irrespective of the age of the token.

* When `sessionIdleRefresh.interval` has elapsed.

In previous releases, IG requested session refresh only after `sessionIdleRefresh.interval` elapsed. If IG got an SSO token close to its maximum idle time, the token could expire before `sessionIdleRefresh.interval` elapsed and IG triggered a refresh.

### CapturedUserPasswordFilter supports secret rotation

When relying on a SecretsProvider to retrieve the shared key required by the CapturedUserPasswordFilter, you can now rotate a secret without reloading the filter if the underlying secret store supports secret rotation.

### KeyStoreSecretStore allows unprotected KeyStores

KeyStoreSecretStore can now use KeyStores that aren't password-protected. In previous releases, KeyStores had to be password-protected.

### Delay destroying HttpClientHandlerHeaplets during shutdown

When IG is cleanly shut down, the destruction of HttpClientHandlerHeaplets is now delayed until all other IG heaplets are destroyed. This change allows the other IG heaplets to use HttpClientHandlerHeaplets during shutdown. For example, AmService can now call logout on any agent tokens it has allocated, which can help to reduce the build up of tokens in AM.

ClientHandlers and ReverseProxyHandlers are examples of HttpClientHandlerHeaplets.

### Automatic reload of FileSystemSecretStore and KeystoreSecretStore

A new `autoRefresh` property is available in FileSystemSecretStore and KeyStoreSecretStore settings to configure automatic reloading of the secret store when a file or a keystore is edited or deleted.

### Groovy 4

IG now uses Groovy 4 for scripting. Learn more in the [Release notes for Groovy 4.0](https://groovy-lang.org/releasenotes/groovy-4.0.html).

### Expression binding `now`

The expression binding `now` gives the time since epoch at the instant the expression is evaluated.

## IG 7.2

### Token exchange

[OAuth2TokenExchangeFilter](https://docs.pingidentity.com/pinggateway/7.2/reference/OAuth2TokenExchangeFilter.html) is a new filter to exchange a client's access token or ID token for a new token with increased or reduced scopes, while preserving the original token subject.

### Connectivity with OAuth 2.0-protected third-party services

#### OAuth2ClientFilter renamed as AuthorizationCodeOAuth2ClientFilter

IG provides several client authentication filters to protect resources using different types of information and credentials. To make it easier to differentiate between these filters, the OAuth2ClientFilter is now named AuthorizationCodeOAuth2ClientFilter. For backward compatibility, you can still use the name OAuth2ClientFilter in routes.

The following client authentication filters are available to authenticate clients:

* [AuthorizationCodeOAuth2ClientFilter](https://docs.pingidentity.com/pinggateway/7.2/reference/AuthorizationCodeOAuth2ClientFilter.html), using OAuth 2.0 delegated authorization.

* [ClientCredentialsOAuth2ClientFilter](https://docs.pingidentity.com/pinggateway/7.2/reference/ClientCredentialsOAuth2ClientFilter.html), using the client's OAuth 2.0 credentials.

* [ResourceOwnerOAuth2ClientFilter](https://docs.pingidentity.com/pinggateway/7.2/reference/ResourceOwnerOAuth2ClientFilter.html), using the resource owner's password credentials.

#### ClientCredentialsOAuth2ClientFilter uses `client_secret_basic` or `client_secret_post`

The [ClientCredentialsOAuth2ClientFilter](https://docs.pingidentity.com/pinggateway/7.2/reference/ClientCredentialsOAuth2ClientFilter.html) can now get a client's access token using the token endpoint authentication method `client_secret_post`. In previous releases, it could use only `client_secret_basic`.

Client authentication is now provided by the `endpointHandler` property of ClientCredentialsOAuth2ClientFilter, which uses ClientSecretBasicAuthenticationFilter or ClientSecretPostAuthenticationFilter. In previous releases, it was provided by the now deprecated properties `clientId` and `clientSecretId`.

#### ResourceOwnerOAuth2ClientFilter for services to access resources protected by OAuth 2.0

A new filter [ResourceOwnerOAuth2ClientFilter](https://docs.pingidentity.com/pinggateway/7.2/reference/ResourceOwnerOAuth2ClientFilter.html) is available for services to access resources protected by OAuth 2.0 using the *Resource Owner Password Credentials* grant type.

#### Filters to support OAuth 2.0 client authentication

When processing requests or responses, IG can require access to systems such as the PingOne Advanced Identity Cloud to query user information. The following filters enable OAuth 2.0 client authentication to these systems, where IG is the client:

* [ClientSecretBasicAuthenticationFilter](https://docs.pingidentity.com/pinggateway/7.2/reference/ClientSecretBasicAuthenticationFilter.html)

* [ClientSecretPostAuthenticationFilter](https://docs.pingidentity.com/pinggateway/7.2/reference/ClientSecretPostAuthenticationFilter.html)

* [EncryptedPrivateKeyJwtClientAuthenticationFilter](https://docs.pingidentity.com/pinggateway/7.2/reference/EncryptedPrivateKeyJwtClientAuthenticationFilter.html)

* [PrivateKeyJwtClientAuthenticationFilter](https://docs.pingidentity.com/pinggateway/7.2/reference/PrivateKeyJwtClientAuthenticationFilter.html)

Use these filters with the following objects:

* [ClientRegistration](https://docs.pingidentity.com/pinggateway/7.2/reference/ClientRegistration.html)

* [AuthorizationCodeOAuth2ClientFilter](https://docs.pingidentity.com/pinggateway/7.2/reference/AuthorizationCodeOAuth2ClientFilter.html)

* [OAuth2TokenExchangeFilter](https://docs.pingidentity.com/pinggateway/7.2/reference/OAuth2TokenExchangeFilter.html)

* [ClientCredentialsOAuth2ClientFilter](https://docs.pingidentity.com/pinggateway/7.2/reference/ClientCredentialsOAuth2ClientFilter.html)

* [ResourceOwnerOAuth2ClientFilter](https://docs.pingidentity.com/pinggateway/7.2/reference/ResourceOwnerOAuth2ClientFilter.html)

#### OAuth 2.0 session sharing across routes

The `oAuth2SessionKey` property has been added to [AuthorizationCodeOAuth2ClientFilter](https://docs.pingidentity.com/pinggateway/7.2/reference/AuthorizationCodeOAuth2ClientFilter.html) to allow multiple applications to share the same OAuth 2.0 session.

After a resource owner gives one application protected by IG consent to use its data, they don't need to give consent for another application protected by IG.

In previous releases, the OAuth 2.0 session was bound to the full URI of the client callback containing the IG hostname. It wasn't possible to use the same OAuth 2.0 session to access different applications.

### Circuit breaking

#### CircuitBreakerFilter

[CircuitBreakerFilter](https://docs.pingidentity.com/pinggateway/7.2/reference/CircuitBreakerFilter.html) is a new filter to monitor for failures. When the failures reach a specified threshold, the CircuitBreakerFilter prevents further calls to downstream filters and returns a runtime exception.

#### Circuit breaker in ClientHandler and ReverseProxyHandler

A new property `circuitBreaker` has been added to [ClientHandler](https://docs.pingidentity.com/pinggateway/7.2/reference/ClientHandler.html) and [ReverseProxyHandler](https://docs.pingidentity.com/pinggateway/7.2/reference/ReverseProxyHandler.html) to provide a circuit breaker service when the number of failures reaches a configured threshold.

### Stability

#### JwtBuilderFilter produces encrypted JWT

The JwtBuilderFilter now produces encrypted JWTs, as well as unsigned JWTs, signed JWTs, and signed then encrypted JWTs.

#### JwtSession cookie compression

The property `useCompression` has been added to [JwtSession](https://docs.pingidentity.com/pinggateway/7.2/reference/JwtSession.html). When a session stores large items like tokens, use the default value `true` to reduce the size of the cookie that stores the JWT.

### Other

#### Windows start script for IG in standalone mode

A script is now provided to start IG in standalone mode on Windows.

#### Stop scripts for IG in standalone mode

Scripts are now provided to stop IG in standalone mode on Unix/OS X and Windows.

#### `IG_OPTS` environment variable for startup

`IG_OPTS` is a new environment variable to separate Java runtime options for IG startup and stop scripts with IG in standalone mode. Use `IG_OPTS` instead of `JAVA_OPTS` for all options that aren't shared with the stop script.

#### SNI to serve different certificates for TLS Connections to different server names

In [ServerTlsOptions](https://docs.pingidentity.com/pinggateway/7.2/reference/ServerTlsOptions.html), `sni` is a new property to serve different secret key and certificate pairs for TLS connections to different server names in the deployment. In previous releases, only the `keyManager` property was available to serve the same secret key and certificate pair for TLS connections to all server names.

Use this property when IG is acting server-side, or to front multiple services or websites on the same port of a machine.

#### IG proxies all WebSocket subprotocols by default

In previous releases, with IG in standalone mode, it was necessary to list the WebSocket subprotocols that IG proxied, using the `vertx` property of [admin.json](https://docs.pingidentity.com/pinggateway/7.2/reference/RequiredConfiguration.html#AdminHttpApplication).

IG now proxies all WebSocket subprotocols by default; it isn't necessary to specify protocols. If you do specify protocols, IG supports only those protocols and no others.

#### Configurable conditions for retries in ClientHandler and ReverseProxyHandler

`condition` is a new property in the `retries` configuration of ClientHandler and ReverseProxyHandler. Use this property to configure a condition on which to trigger a retry. In previous releases, a retry could be triggered only for runtime exceptions.

#### User ID in audit logs

Audit logs can now include a user ID. Example scripts and setup information are provided in [Recording user ID in audit events](https://docs.pingidentity.com/pinggateway/7.2/maintenance-guide/auditing.html#audit-userid).

#### Tracking ID logged in access audit events

In routes containing an [OAuth2ResourceServerFilter](https://docs.pingidentity.com/pinggateway/7.2/reference/OAuth2ResourceServerFilter.html), OAuth 2.0 token tracking IDs are now logged in access audit events.

#### Transformation from string to placeholder string

The `$string` transformation has been added to transform a string into a placeholder string that isn't encoded. Use it for placeholder strings that mustn't be encrypted when they reference a secret value.

Learn more in [string](https://docs.pingidentity.com/pinggateway/7.2/reference/PropertyValueSubstitution.html#token-functions-string) in *Token Transformation*.

#### Use expressions to configure paths in UriPathRewriteFilter

The `mapping` object in UriPathRewriteFilter now uses configuration expressions to define the `fromPath` and `toPath`. In previous releases, the `mapping` object was a static JSON map.

Learn more in [UriPathRewriteFilter](https://docs.pingidentity.com/pinggateway/7.2/reference/UriPathRewriteFilter.html).

#### PolicyDecisionContext includes actions from the policy decision response

Actions from the AM policy decision response are now available for use in the PolicyDecisionContext.

The resource value used when making the policy request is now available in the [PolicyDecisionContext](https://docs.pingidentity.com/pinggateway/7.2/reference/PolicyDecisionContext.html).

#### AmService detects AM version

[AmService](https://docs.pingidentity.com/pinggateway/7.2/reference/AmService.html) now reads the AM version from the AM endpoint and uses the discovered version instead of the value configured in the AmService property `version`.

The property `version` is used only if the AmService can't discover the AM version.

#### Certificate issued by a trusted CA for any hostname or domain is accepted for a connection to any domain

When IG is acting as a WebSocket proxy and the downstream application is on HTTPS, the WebSocket configuration can now be set to accept a certificate issued by a trusted CA for any hostname or domain on a connection to any domain; in other words, hostname verification is relaxed for those connections. Learn more in the documentation for the `hostnameVerifier` property of [ClientTlsOptions](https://docs.pingidentity.com/pinggateway/7.2/reference/ClientTlsOptions.html).

#### Product information in startup logs

Key product information, such as the product version and build number, is now included in the startup logs.

#### Improved error handling in ScriptableFilter and ScriptableHandler

The ScriptableFilter and ScriptableHandler now propagate script exceptions as runtime exceptions in the promise flow. In previous releases, they replaced the exception with a response with HTTP status 500, so users couldn't tell whether the response came from the requested endpoint or was caused by an exception in the chain.

#### AmService WebSocket connections protected from timeout

A heartbeat can be configured for the [AmService](https://docs.pingidentity.com/pinggateway/7.2/reference/AmService.html) WebSocket notification service to prevent WebSocket connections from being closed for timeout.

#### Timeout of idle AM sessions

A new filter, [AmSessionIdleTimeoutFilter](https://docs.pingidentity.com/pinggateway/7.2/reference/AmSessionIdleTimeoutFilter.html), is available to force the revocation of AM sessions that have been idle for longer than a specified timeout.

Use this filter in front of a SingleSignOnFilter or CrossDomainSingleSignOnFilter to manage idle timeout for client sessions in AM.

#### Proxy configuration can be created in the heap and used for AM notifications

A new [ProxyOptions](https://docs.pingidentity.com/pinggateway/7.2/reference/MiscellaneousConfigurationObjects.html#ProxyOptions) heaplet is available to define a proxy to which a [ClientHandler](https://docs.pingidentity.com/pinggateway/7.2/reference/Handlers.html#ClientHandler) or [ReverseProxyHandler](https://docs.pingidentity.com/pinggateway/7.2/reference/Handlers.html#ReverseProxyHandler) can submit requests. An [AmService](https://docs.pingidentity.com/pinggateway/7.2/reference/MiscellaneousConfigurationObjects.html#AmService) can use it to submit WebSocket notifications.

A new global ProxyOptions heap object is provided.
