PingAccess 7.0 (December 2021) - PingAccess - 7.2


PingAccess 7.2

Added Logout virtual resource

Added a new Logout response generator for virtual resources, enabling you to customize logout behavior for each application. See Adding application resources for more information.

CRL processing improvements

New: PA-14227, PA-14410

PingAccess now supports trace-level logging to help troubleshoot certificate revocation issues and provides an option to bypass trust anchor validation during CRL processing. This helps improve interoperability with certificate authority (CA) infrastructure. See Creating trusted certificate groups for more information.

Added support for web session access token identity mappings

PingAccess now supports creating web session access token identity mappings. This helps ease integration with existing APIs, in particular in the context of Single Page Applications (SPAs). See Creating web session access token identity mappings for more information.

Added support for reversed trust chain certificate validation

PingAccess now supports validation for client certificate chains that are not in the standard order, such as a reversed certificate chain of [root, intermediate, leaf]. See Creating trusted certificate groups for more information.

Runtime state clustering no longer supported

PingAccess no longer supports runtime state clustering. Clustered environments that do not use runtime state clustering are not affected.

Fixed security issues

Fixed ten potential security issues. No further details are given for these fixes.

Fixed a typo affecting the loading of external scripts

Fixed a typo in the Content-Security-Policy header that prevented browsers from loading external scripts referenced by HTML responses served through PingAccess.

Fixed an issue that returned a 500 error code

Fixed an issue in the CRL client certificate authentication flow that returned a 500 error code when PingAccess is in FIPS mode.

UI displays alias of selected certificates

Updated the PingAccess UI to display the alias of the selected certificates in the Trusted Certificate Group List.

Expanded character limit on the primary administrative node host field

Fixed an issue that limited the host field for the Primary Administrative Node to 64 characters, instead of the standard 255 characters.

Added URL encoding for special characters

Added handling to URL encode client secrets with special characters per RFC 6749.
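The encoding rule the fix above refers to is RFC 6749 section 2.3.1: when a client authenticates with HTTP Basic, the client_id and client_secret are each application/x-www-form-urlencoded before they are joined with ":" and base64-encoded. The following is an added example (not PingAccess code) that builds the header on the client side, parses it on the server side, and contrasts it with the naive encoding that breaks for secrets containing ":" or "@"; the client_id and secret values are constructed for illustration.

```python
"""RFC 6749 section 2.3.1 client credential encoding for HTTP Basic.

Added example, not PingAccess code. The credentials used below are
constructed values chosen to contain characters that break naive encoding.
"""
import base64
from urllib.parse import quote_plus, unquote_plus


def form_encode_credentials(client_id: str, client_secret: str) -> str:
    """Return 'client_id:client_secret' with each part form-urlencoded.

    quote_plus() with its default safe='' percent-encodes everything except
    unreserved characters and turns spaces into '+', which is the
    application/x-www-form-urlencoded algorithm RFC 6749 Appendix B names.
    Because ':' becomes %3A, the first ':' in the result is always the
    separator between id and secret.
    """
    return f"{quote_plus(client_id)}:{quote_plus(client_secret)}"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Client side: the value to send in the Authorization request header."""
    creds = form_encode_credentials(client_id, client_secret).encode("ascii")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def naive_basic_auth_header(client_id: str, client_secret: str) -> str:
    """What a non-compliant client sends: raw secret, no form-encoding.

    A secret containing ':' is then ambiguous to the server, and '@' or '/'
    round-trip differently than the spec-compliant form.
    """
    creds = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def parse_basic_auth_header(header: str) -> tuple[str, str]:
    """Server side: recover (client_id, client_secret) or raise ValueError."""
    scheme, _, b64 = header.partition(" ")
    if scheme != "Basic" or not b64:
        raise ValueError("not a Basic credential")
    try:
        # validate=True rejects non-alphabet characters instead of ignoring them
        raw = base64.b64decode(b64, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("malformed base64 credential") from exc
    encoded_id, sep, encoded_secret = raw.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return unquote_plus(encoded_id), unquote_plus(encoded_secret)


if __name__ == "__main__":
    # Constructed credentials: a space in the id, ':' '@' '/' in the secret.
    cid, secret = "my client", "p@ss:w/rd"
    hdr = basic_auth_header(cid, secret)
    print(hdr)
    print(parse_basic_auth_header(hdr))
    print("naive differs:", hdr != naive_basic_auth_header(cid, secret))
```

The server-side parser is the half that integrators most often get wrong: if the token endpoint splits on the first ":" without first expecting the form-encoded form, a compliant client with a secret containing ":" is rejected, and a non-compliant client with the same secret is ambiguous.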

Fixed incorrect assumption that a revoked certificate is the first in the chain

Fixed an issue where, upon detecting a revoked certificate in a chain, PingAccess incorrectly assumed that it was always the first certificate in the chain.
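Two entries on this page, the reversed trust chain support and the revoked-certificate position fix, share one underlying requirement: a validator must not assume a fixed position for either the leaf or the revoked certificate. The following added example (not PingAccess code) orders a chain presented in any order into leaf-to-root order by following issuer links, then checks every certificate in the ordered chain against a revocation set. Certificates are modelled as (subject, issuer, serial) records and the chain and revocation data are constructed, so it runs offline; with real X.509 input these fields would come from the parsed certificates.

```python
"""Order a certificate chain and check every element for revocation.

Added example, not PingAccess code. Certificates are modelled as simple
records so the example runs offline; subject/issuer/serial values below
are constructed.
"""
from typing import NamedTuple


class Cert(NamedTuple):
    subject: str
    issuer: str
    serial: int


def order_chain(certs: list[Cert]) -> list[Cert]:
    """Return the chain as [leaf, ..., root] regardless of input order.

    The leaf is the one certificate whose subject issues nothing else in the
    set. From it we follow issuer links until we reach a self-signed root or
    run out of supplied certificates (a partial chain is returned as far as
    it goes; the caller decides whether a missing root is acceptable).
    """
    by_subject = {c.subject: c for c in certs}
    if len(by_subject) != len(certs):
        raise ValueError("duplicate subject names in chain")
    issuer_names = {c.issuer for c in certs if c.issuer != c.subject}
    leaves = [c for c in certs if c.subject not in issuer_names]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf, found {len(leaves)}")
    ordered = [leaves[0]]
    seen = {leaves[0].subject}
    while True:
        current = ordered[-1]
        if current.issuer == current.subject:      # self-signed root reached
            break
        parent = by_subject.get(current.issuer)
        if parent is None:                          # issuer not supplied
            break
        if parent.subject in seen:
            raise ValueError("issuer loop in chain")
        seen.add(parent.subject)
        ordered.append(parent)
    return ordered


def find_revoked(ordered: list[Cert], revoked: set[tuple[str, int]]) -> list[tuple[int, Cert]]:
    """Return (position, cert) for each revoked certificate anywhere in the chain.

    CRL entries are keyed by (issuer name, serial) because serial numbers are
    only unique per issuer.
    """
    return [(i, c) for i, c in enumerate(ordered) if (c.issuer, c.serial) in revoked]


# Constructed sample data: chain supplied in reversed [root, intermediate, leaf]
# order, with the intermediate (not the leaf) present in the issuer's CRL.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", 1)
INTERMEDIATE = Cert("CN=Example Issuing CA", "CN=Example Root CA", 1001)
LEAF = Cert("CN=client-42", "CN=Example Issuing CA", 90210)
REVERSED_CHAIN = [ROOT, INTERMEDIATE, LEAF]
REVOKED_ENTRIES = {("CN=Example Root CA", 1001)}


if __name__ == "__main__":
    chain = order_chain(REVERSED_CHAIN)
    print([c.subject for c in chain])
    for position, cert in find_revoked(chain, REVOKED_ENTRIES):
        print(f"revoked at position {position}: {cert.subject}")
```

Note that the revoked certificate is reported at position 1 of the leaf-first chain. Code that assumed the revoked certificate was at index 0 would either miss it or misreport the leaf as revoked, which is the defect the entry above describes.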

Fixed 500 error issue related to key pair endpoints

Fixed an issue that returned a 500 error when requesting key pairs endpoints with special characters in the chain certs field.

Fixed an issue that switched the admin and system token providers

Fixed an issue that caused key rolling to result in Admin Token Provider and System Token Provider being switched.

Fixed a typo causing warnings when running PingAccess as a Windows Service

Fixed a typo that could cause warnings when running PingAccess as a Windows Service.

Fixed non-ASCII character encoding issue

Fixed an issue that prevented PingAccess from encoding non-ASCII characters when they appeared only in the domain part of a URL.

Fixed an error caused by omission of the response.body parameter

Fixed an issue that caused PingAccess to trigger an error when using the PingAuthorize Access Control rule and the target Sideband provider returns a response that omits the response.body parameter.

Fixed an issue with application initialization in the Admin UI

Fixed an issue that caused the PingAccess Admin UI to incorrectly initialize an application with the state of another application, which could lead an administrator to mistakenly update an application with another application's data.

Fixed an issue preventing PEM key pair header warnings from being sent

Fixed an issue that prevented header warnings from being sent for PEM key pairs with a single duplicate chain certificate.

Added INFO level logging

Added INFO level logging at the start of configuration import.

Fixed invalid ACME request display issue

Fixed an issue that prevented an ACME request with an INVALID state and an empty problem description from displaying correctly.

Fixed sideband transport issue with fixed ports

Fixed an issue that caused the PingAccess Sideband transport to only use fixed ports when performing resource matching against incoming sideband API requests.

Fixed display issue with the Signing Algorithm drop-down list

Fixed an issue that caused disabled algorithms to appear on the Signing Algorithm drop-down list on the Auth Token Management page.

Fixed an issue with JWT SSO Admin Authentication

Fixed an issue that prevented the SSO Admin Authentication method in the PingAccess admin console from functioning in clustered PingAccess deployments when Private Key JSON Web Token (JWT) client authentication is used.

Fixed no scope claim issue with the PingAccess sideband API

Fixed an issue that caused the PingAccess Sideband API to return an error when the access token contained no scope claim.

Fixed Sideband API 'Transfer-Encoding' issue

Fixed an issue where the 'Transfer-Encoding' request header is dropped from inbound PingAccess Sideband API request results.

Improved empty string error message

Improved error message when supplying an empty string to fields that expect a charset.

Hibernate deadlock errors

There are a few potential scenarios in which the PingAccess data layer might encounter deadlocks. PingAccess should be able to recover from these deadlocks, so Hibernate error logs can be ignored when they are followed by the log message "Recovered from database deadlock with transaction retry."

Cloud HSM limited in Java8u261

Cloud HSM functionality works in FIPS mode but not in regular mode for Java 8u261 and later. RSASSA-PSS signing algorithms fail with Java 8u261 or later because HSM vendors and core Java use different naming conventions for the RSASSA-PSS algorithm. There is a documented workaround in Adding an AWS CloudHSM provider.

Kong API limitation

Due to an outstanding defect in the Kong API Gateway, the ping-auth plugin currently does not support requests that utilize the Transfer-Encoding header. If PingAccess is used as the external authorization server, the Rewrite Content rule can prevent the page from displaying.

Zero downtime upgrade limitation

PingAccess 6.3 deployments that use the Sideband API feature cannot be upgraded using the zero downtime upgrade procedure. You must use a planned outage to upgrade such an environment.

SameSite cookie upgrade issue

Depending on the source version, the upgrade process may change the default settings for the SameSite cookie attribute to make PingAccess cookies work on all browsers. Review the settings for each web session in Access > Web Sessions to verify that your SameSite cookie attribute values are set to None or Lax, depending on the third-party context needs for PingAccess cookies.

TLS 1.3 limitation

PingAccess may have difficulty maintaining TLS 1.3 connections when using JDK 11.0.0, 11.0.1, or 11.0.2 because of a defect in those versions. This might cause upgrades to fail on systems using these versions.

Engine and Admin Replica connection issue

Engines and admin replicas do not connect to admin console if a combination of IP addresses and DNS names are used.

Token processor issue

The token processor can't connect to a JWKS endpoint over SSL when an IP address is used rather than a hostname. To work around this issue, add the hostname as a subject alternative name on the key pair.

Virtual hosts with shared hostnames retention issue

If you create multiple virtual hosts with a shared hostname and associate the hostname with a server key pair, the virtual hosts retain the connection with the server key pair even if they are subsequently renamed. The virtual host must be deleted and recreated to remove the association.

Risk-based authorization rule issue during upgrade

Upgrades will fail with a risk-based authorization rule if a third-party service is not used in the rule.

Excessive log file warnings during startup

Log files may contain excessive warnings issued by Hibernate during startup.

Asynchronous front-channel logout issue

Asynchronous front-channel logout might fail in some browsers depending on end-user settings. Browser-specific workarounds are documented separately.

UI failure when assigning new key pair

Assigning a new key pair to the Admin HTTPS listener if the browser does not trust the new key pair can prevent the UI from functioning. The workaround is to close the browser and re-open it so that all connections to the admin node use the new certificate.

Invalid special characters permitted in identity mappings

Invalid special characters ((),/;<=>?@[\]{}") can be entered in the Certificate to Header Mapping field of an identity mapping. Assigning such an identity mapping to an application causes 400 errors when the application is accessed, because the resulting header name is not a valid HTTP token.
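Until the UI rejects these characters, the practical check is to validate each mapped header name against the RFC 7230 token grammar before applying the identity mapping. The following is an added example (not PingAccess code) that does so; the sample mapping is constructed, and the characters listed in the known issue above are all outside the token character set.

```python
"""Validate header names used in a certificate-to-header identity mapping.

Added example, not PingAccess code. HTTP header field names must be RFC 7230
'token's; any other character (the separators listed in the known issue, as
well as ':' and whitespace) produces a request that is rejected with a 400.
"""
import string

# tchar from RFC 7230 section 3.2.6:
#   "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / "^" / "_"
#   / "`" / "|" / "~" / DIGIT / ALPHA
TCHAR = frozenset("!#$%&'*+-.^_`|~" + string.ascii_letters + string.digits)


def invalid_header_name_chars(name: str) -> list[str]:
    """Return the distinct characters in `name` that may not appear in a header name."""
    return sorted({ch for ch in name if ch not in TCHAR})


def validate_header_mapping(mapping: dict[str, str]) -> list[str]:
    """Check a {certificate attribute: header name} mapping.

    Returns a list of human-readable problems; an empty list means every
    header name is a valid token and the mapping is safe to apply.
    """
    problems = []
    for attribute, header in mapping.items():
        if not header:
            problems.append(f"{attribute}: empty header name")
            continue
        bad = invalid_header_name_chars(header)
        if bad:
            problems.append(
                f"{attribute}: header {header!r} contains disallowed {''.join(bad)!r}"
            )
    return problems


# Constructed sample mapping: one valid entry, one carrying separators.
SAMPLE_MAPPING = {
    "subjectDN": "X-Client-DN",
    "serialNumber": "X-Client(Serial)",
}

if __name__ == "__main__":
    for problem in validate_header_mapping(SAMPLE_MAPPING):
        print(problem)
```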

Slow restarts in FIPS mode

If PingAccess is repeatedly stopped and restarted in FIPS mode, subsequent restarts can take up to 5 minutes to complete. The workaround is to use a tool such as rng-tools to refresh /dev/random and make more entropy available faster. For example:
sudo yum install rng-tools
sudo rngd -b

Firefox limitation for time range rules

Firefox does not correctly support the HTML5 time input. When using the Time Range rule, enter times in 24-hour format.

Spurious errors when installing PingAccess as a Windows service

When installing PingAccess as a Windows service using Windows PowerShell and Java 8, the error message "Could not find or load main class" can be safely ignored.

Request preservation not supported with Safari private browsing

Request Preservation is not supported with Safari Private Browsing.

IPv6 limitation

IPv6 literals in the Host header are handled incorrectly. Note that IPv6 is not currently supported.

Spurious warning after upgrade or startup on Windows

After starting PingAccess for the first time on a Windows system or upgrading PingAccess on a Windows system, a warning message is logged reporting that the pa.jwk file was not made non-executable. This message can be ignored.