Added Federal Information Processing Standards (FIPS) Mode
PingAccess can now be placed in FIPS mode, ensuring that all encryption algorithms used are FIPS-compliant. See Federal Information Processing Standards (FIPS) Mode for more information.
Added support for PEM-encoded key pairs
You can import or export PEM-encoded key pairs. See Importing existing key pairs for more information.
Updated PingAccess database to Apache Derby
The PingAccess database now uses Apache Derby for additional security.
Replaced MD5 with SHA256
The MD5 algorithm has been replaced with the SHA256 algorithm.
Added sideband API
You can configure PingAccess sideband API clients to request access decisions from PingAccess. See Sideband Clients for more information.
Added capability for redirectless authentication using PingFederate
When configuring an authentication challenge policy, you can enable redirectless authentication using PingFederate. See Configuring authentication challenge policies for more information.
Enhanced redirect rules and rejection handlers to allow relative URLs
You can use relative URLs in redirect rules and rejection handlers. See Adding redirect rules and Creating rejection handlers for more information.
Added additional JWT signing algorithms
You can now use RS384, RS512, PS256, PS384, and PS512 with a 2048-bit key size as signing algorithms for JSON web tokens. RSASSA-PSS signing algorithms are only available if the version of Java used on the PingAccess system supports them.
Improved PingFederate host name support
When configuring PingFederate as a token provider, you can provide a separate host name for the certificate or skip hostname verification. See Configuring PingFederate administration for more information.
Added single-page application developer's guide
This guide and its associated code samples explain how to prepare a single-page application to work with PingAccess. See the PingAccess developer resources on Github for more information.

Resolved issues

Ticket ID Description
N/A Fixed potential security issues.
PA-13830 Fixed an issue that caused the user interface to crash after viewing some rule summaries.
PA-14151 Fixed an issue that returned an empty response when a request to the /keyPairs endpoint contained invalid JSON.
PA-14071 Fixed an issue that prevented key rolling for keys retrieved using the JWKS endpoints through Agent port 3030.
PA-13913 Fixed an issue that caused the applicationId and applicationName attributes to be empty on error pages when values should have been available.
PA-14004 Fixed an issue that caused a null pointer exception when the trusted certificate supplied for a newly created agent, engine, or replica administrative node was about to expire.
PA-14141 Fixed an issue that prevented a proxied PingFederate token provider from using the context root during OIDC metadata collection.
PA-14248 Fixed an issue that caused the user interface to crash when viewing some rule set groups.
PA-14082 Fixed an issue that prevented some invalid requests received by PingAccess from generating log entries.
PA-13498 Fixed an issue that incorrectly displayed the access token validator for an application if PingOne was configured as the token provider.
PA-14026 Fixed an issue that hid fields in Availability Profile summaries if their value was 0.
PA-14011 Fixed an issue that caused the destination field of a sideband client to revert to a previous value when saved.
PA-14009 Fixed an issue that validated new token provider configurations against disabled existing configurations, preventing migration to new configurations.
PA-13844 Fixed an issue that prevented PingFederate configuration and prevented PingAccess from starting if the OAuth signing algorithm was set to an empty string.
PA-13823 Fixed an issue that prevented object-valued arrays in JWT identity mappings with inclusion lists from being processed correctly.
PA-13757 Fixed an issue that caused JSON objects to be incorrectly excluded from JWT identity mappings with exclusion lists.
PA-13753 Fixed an issue that caused the Skip Hostname Verification option in the PingFederate runtime configuration to be ignored in some environments.
PA-13760 Fixed an issue that caused the API to incorrectly use the system token provider instead of the admin token provider when enabling Admin SSO.
PA-13841 Fixed an issue that caused a 500 response if a signing algorithm was set to a blank value through the /websessionManagement or /authTokenManagement endpoints.
PA-13842 Fixed an issue that caused the non-default P-256 signing algorithm to be used if the signing algorithm was removed using the /authTokenManagement endpoint.
PA-13867 Fixed an issue that caused spurious log entries after configuring a global unprotected resource.
PA-13851 Fixed an issue that caused the /webSession endpoint to allow a POST or PUT without a specified credentialsType value.
PA-13678 Fixed an issue that prevented a configuration import if PingAccess was installed in a directory that included /data/ in its filepath.
PA-13744 Fixed an issue that displayed the Change Token Provider Type option for auditors.
PA-13758 Fixed an issue that sometimes prevented configuration import or upgrade after a change in token provider and UI authentication method.
PA-13815 Fixed an issue that caused stale signing algorithm data to persistently display in the /websessionManagement or /authTokenManagement endpoints.
PA-14006 Fixed an issue that prevented rules from being saved or displaying an error if it shared a name with an existing rule.
PA-13820 Fixed an issue that prevented agent token caching for API requests if the Cache tokens option was disabled.