PingAccess 7.0 (December 2021) - PingAccess - 7.2

Added Logout virtual resource

New: PA-14281
Added a new Logout response generator for virtual resources, enabling you to customize logout behavior for each application. See Adding application resources for more information.

CRL processing improvements

New: PA-14227, PA-14410
PingAccess now supports trace-level logging to help troubleshoot certificate revocation issues and provides an option to bypass trust anchor validation. This improves interoperability with certificate authority (CA) infrastructure. See Creating trusted certificate groups for more information.

Added support for web session access token identity mappings

New: PA-14412
PingAccess now supports creating web session access token identity mappings. This helps ease integration with existing APIs, in particular in the context of Single Page Applications (SPAs). See Creating web session access token identity mappings for more information.

Added support for reversed trust chain certificate validation

New: PA-14422
PingAccess now supports validation for client certificate chains that are not in the standard order, such as a reversed certificate chain of [root, intermediate, leaf]. See Creating trusted certificate groups for more information.

Runtime state clustering no longer supported

Info: PA-14435
PingAccess no longer supports runtime state clustering. Clustered environments that do not use runtime state clustering are not affected.

Fixed security issue

Security: PA-14403
Fixed a potential security issue.

Fixed security issue

Security: PA-14296
Fixed a potential security issue.

Fixed security issue

Security: PA-14284
Fixed a potential security issue.

Fixed security issue

Security: PA-14279
Fixed a potential security issue.

Fixed security issue

Security: PA-14287
Fixed a potential security issue.

Fixed security issue

Security: PA-14331
Fixed a potential security issue.

Fixed security issue

Security: PA-14302
Fixed a potential security issue.

Fixed security issue

Security: PA-14134
Fixed a potential security issue.

Fixed security issue

Security: PA-14135
Fixed a potential security issue.

Fixed security issue

Security: PA-14143
Fixed a potential security issue.

Fixed a typo affecting the upload of external scripts

Fixed: PA-14542
Fixed a typo in the Content-Security-Policy header that prevented PingAccess from loading external scripts from HTML responses.

Fixed an issue that returned a 500 error code

Fixed: PA-14541
Fixed an issue in the CRL client certificate authentication flow that returned a 500 error code when PingAccess is running in FIPS mode.

UI displays alias of selected certificates

Fixed: PA-14421
Updated the PingAccess UI to display the alias of the selected certificates in the Trusted Certificate Group List.

Expanded character limit on the primary administrative node host field

Fixed: PA-14433
Fixed an issue that limited the host field for the Primary Administrative Node to 64 characters, instead of the standard 255 characters.

Added URL encoding for special characters

Fixed: PA-14083
Added handling to URL encode client secrets with special characters per RFC 6749.
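The encoding step that RFC 6749 requires is easy to get wrong, so here is an added illustration (not PingAccess code). It assumes the fix concerns RFC 6749 section 2.3.1, which requires client_id and client_secret to be application/x-www-form-urlencoded before they are joined with ':' and base64-encoded into the HTTP Basic Authorization header; the secret values are constructed for the example.

```python
import base64
from urllib.parse import quote_plus, unquote_plus


def encode_basic_client_credentials(client_id: str, client_secret: str) -> str:
    """Build the Authorization header value per RFC 6749 section 2.3.1.

    Each credential is form-urlencoded first, so a ':' '/' '+' '@' or a
    non-ASCII character in the secret can never be confused with the
    id/secret separator or mangled by the transport.
    """
    encoded_id = quote_plus(client_id, safe="")
    encoded_secret = quote_plus(client_secret, safe="")
    pair = f"{encoded_id}:{encoded_secret}".encode("ascii")
    return "Basic " + base64.b64encode(pair).decode("ascii")


def decode_basic_client_credentials(header: str) -> tuple[str, str]:
    """Server side: reverse the encoding. Split on the first ':' only,
    then form-decode each half."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token, validate=True).decode("ascii")
    encoded_id, sep, encoded_secret = raw.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return unquote_plus(encoded_id), unquote_plus(encoded_secret)


def encode_without_form_encoding(client_id: str, client_secret: str) -> str:
    """Constructed 'before' behaviour: raw id:secret, no form-encoding.
    A secret containing ':' or '+' is silently corrupted on decode."""
    pair = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(pair).decode("ascii")


def roundtrips(client_id: str, client_secret: str, encoder) -> bool:
    """True if a compliant server recovers exactly the credentials sent."""
    header = encoder(client_id, client_secret)
    return decode_basic_client_credentials(header) == (client_id, client_secret)
```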

Fixed incorrect assumption that a revoked certificate is the first in the chain

Fixed: PA-14445
Fixed an issue where, upon detecting a revoked certificate in a chain, PingAccess incorrectly assumed it was always the first certificate in the chain.

Fixed 500 error issue related to key pair endpoints

Fixed: PA-14304
Fixed an issue that returned a 500 error when requesting key pair endpoints with special characters in the chain certs field.

Fixed an issue that switched the admin and system token providers

Fixed: PA-14467
Fixed an issue that caused key rolling to result in Admin Token Provider and System Token Provider being switched.

Fixed a typo causing warnings when running PingAccess as a Windows Service

Fixed: PA-14477
Fixed a typo that could cause warnings when running PingAccess as a Windows Service.

Fixed non-ASCII character encoding issue

Fixed: PA-14402
Fixed an issue that prevented PingAccess from encoding non-ASCII characters when they are in the domain only.

Fixed an error caused by omission of the response.body parameter

Fixed: PA-14468
Fixed an issue that caused PingAccess to trigger an error when using the PingAuthorize Access Control rule and the target Sideband provider returns a response that omits the response.body parameter.

Fixed an issue with application initialization in the Admin UI

Fixed: PA-14392
Fixed an issue that caused the PingAccess Admin UI to incorrectly initialize an application with the state of another application, leading to scenarios where an administrator could mistakenly update an application with the data of another application.

Fixed an issue preventing PEM key pair header warnings from being sent

Fixed: PA-14314
Fixed an issue that prevented header warnings from being sent for PEM key pairs with a single duplicate chain certificate.

Added INFO level logging

Fixed: PA-14258
Added INFO level logging at the start of configuration import.

Fixed invalid ACME request display issue

Fixed: PA-14280
Fixed an issue that prevented an ACME request with an INVALID state and an empty problem description from displaying correctly.

Fixed sideband transport issue with fixed ports

Fixed: PA-14290
Fixed an issue that caused the PingAccess Sideband transport to only use fixed ports when performing resource matching against incoming sideband API requests.

Fixed display issue with the Signing Algorithm drop-down list

Fixed: PA-14238
Fixed an issue that caused disabled algorithms to appear on the Signing Algorithm drop-down list on the Auth Token Management page.

Fixed an issue with JWT SSO Admin Authentication

Fixed: PA-14265
Fixed an issue that prevented the SSO Admin Authentication method in the PingAccess admin console from functioning in clustered PingAccess deployments when Private Key JSON Web Token (JWT) client authentication is used.

Fixed no scope claim issue with the PingAccess sideband API

Fixed: PA-14029
Fixed an issue that caused the PingAccess Sideband API to return an error when no scope claim is present in the access token.

Fixed Sideband API 'Transfer-Encoding' issue

Fixed: PA-14305
Fixed an issue where the 'Transfer-Encoding' request header is dropped from inbound PingAccess Sideband API request results.

Improved empty string error message

Fixed: PA-14472
Improved the error message shown when an empty string is supplied to a field that expects a charset.

Hibernate deadlock errors

Issue: PA-14985
There are a few scenarios in which the PingAccess data layer might encounter database deadlocks. PingAccess should recover from these deadlocks on its own, so Hibernate error logs can be ignored when they are followed by the log message "Recovered from database deadlock with transaction retry."

Cloud HSM limited in Java8u261

Issue: PA-14414
Cloud HSM functionality works in FIPS mode but not in regular mode for Java8u261 and later. RSASSA-PSS signing algorithms fail with Java8u261 or later, and HSM vendors and core Java use different naming conventions for the RSASSA-PSS algorithm. There is a documented workaround in Adding an AWS CloudHSM provider.

Kong API limitation

Issue: PA-14466
Due to an outstanding defect in the Kong API Gateway, the ping-auth plugin currently does not support requests that utilize the Transfer-Encoding header. If PingAccess is used as the external authorization server, the Rewrite Content rule can prevent the page from displaying.

Zero downtime upgrade limitation

Issue: PAPQ-1034
PingAccess 6.3 deployments that use the Sideband API feature cannot be upgraded using the zero downtime upgrade procedure. You must use a planned outage to upgrade such an environment.

SameSite cookie upgrade issue

Issue
Depending on the source version, the upgrade process may change the default settings for the SameSite cookie attribute to make PingAccess cookies work on all browsers. Review the settings for each web session in Access > Web Sessions to verify that your SameSite cookie attribute values are set to None or Lax, depending on the third-party context needs for PingAccess cookies.

TLS 1.3 limitation

Issue: STAGING-8707
PingAccess may have difficulty maintaining TLS 1.3 connections when using JDK 11.0.0, 11.0.1, or 11.0.2 because of a defect in those versions. This might cause upgrades to fail on systems using these versions.

Engine and Admin Replica connection issue

Issue: PA-4888
Engines and admin replicas do not connect to the admin console if a combination of IP addresses and DNS names is used.

Token processor issue

Issue: PA-6262
The token processor can't connect to a JWKS endpoint over SSL when an IP address is used rather than a hostname. To work around this issue, add the hostname as a subject alternative name on the key pair.

Virtual hosts with shared hostnames retention issue

Issue: PA-11390
If you create multiple virtual hosts with a shared hostname and associate the hostname with a server key pair, the virtual hosts retain the connection with the server key pair even if they are subsequently renamed. The virtual host must be deleted and recreated to remove the association.

Risk-based authorization rule issue during upgrade

Issue: PA-10505
Upgrades will fail with a risk-based authorization rule if a third-party service is not used in the rule.

Excessive log file warnings during startup

Issue
Log files may contain excessive warnings issued by Hibernate during startup.

Asynchronous front-channel logout issue

Issue: PA-12647
Asynchronous front-channel logout might fail in some browsers depending on end-user settings. See https://support.pingidentity.com/s/article/Managing-Single-Log-Out-in-different-browsers for browser-specific workarounds.

UI failure when assigning new key pair

Issue: PA-13500
If you assign a new key pair to the Admin HTTPS listener and the browser does not trust the new key pair, the UI can stop functioning. The workaround is to close the browser and re-open it so that all connections to the admin node use the new certificate.

Invalid special characters permitted in identity mappings

Issue: PA-13214
Invalid special characters ((),/;<=>?@[\]{}") can be added to the Certificate to Header Mapping field in an identity mapping. Adding this identity mapping to an application will cause 400 errors when the application is accessed.

Slow restarts in FIPS mode

Issue: PA-14239
If PingAccess is repeatedly stopped and restarted in FIPS mode, subsequent restarts can take up to 5 minutes to complete. The workaround is to use a tool such as rng-tools to refresh /dev/random and make more entropy available faster. For example (rngd is the rng-tools daemon; -b runs it in the background):
sudo yum install rng-tools
sudo rngd -b

Firefox limitation for time range rules

Issue
Firefox does not correctly support the HTML5 time tag. When using the Time Range rule, enter time in 24-hour format.

Spurious errors when installing PingAccess as a Windows service

Issue
When installing PingAccess as a Windows service using Windows PowerShell and Java 8, the error message "Could not find or load main class" can be safely ignored.

Request preservation not supported with Safari private browsing

Issue: PA-2896
Request Preservation is not supported with Safari Private Browsing.

IPv6 limitation

Issue: PA-1894
IPv6 literals in the Host header are handled incorrectly. Note that IPv6 is not currently supported.

Spurious warning after upgrade or startup on Windows

Issue: PA-14907
After starting PingAccess for the first time on a Windows system or upgrading PingAccess on a Windows system, a warning message is logged reporting that the pa.jwk file was not made non-executable. This message can be ignored.