Automatic Engine Registration
A new capability lets you configure and download an engine node
registration file from the PingAccess UI. You can put this file on an engine node when it is
first started to automatically register the engine node. For more information,
see Configuring engine nodes using an auto-registration file.
Added capability for forced reauthorization
Authentication requirements rules now include an option for
maximum age. If the user has not authenticated within the specified timeframe,
they are prompted to reauthenticate. For more information, see Adding an authentication requirements rule.
Kong API Gateway Integration
Ping Identity provides a plugin for Kong Gateway that enables
PingAccess (and other Ping Identity products) to be used for policy
decisions. For more information, see Kong API Gateway Integration.
IWA Integration
PingAccess, when protecting applications as a gateway, adds support
for protecting applications that rely on Integrated Windows Authentication
(IWA). This gives IAM teams consistent, centralized access control and
visibility for IWA-based applications, similar to their WAM-based applications.
PingAccess does not mediate authentication methods for IWA-based applications.
Authentication is negotiated between the browser and the IWA-based application,
passing through PingAccess. For more information, see IWA Integration.
Added SPA Support Disabled Authentication Challenge Policy
A new SPA Support Disabled Authentication Challenge Policy (ACP) has been
added. It behaves the same way applications previously behaved when they were
set with SPA Support disabled. Additionally, added the ability to define a
default ACP to be set when creating new applications in the PingAccess
administrative UI.
For more information, see changes to Application field descriptions and System defaults, and Configuring authentication challenge policies.
Added Content-Security-Policy headers
The PingAccess Runtime Authentication Challenge Policy behavior is modified
to incorporate a default CSP header in the response. Additionally, default
content-security-policy headers have been added for various error responses
generated by PingAccess. For more information, see changes to Configuration file reference.
Added support for PingFederate administrative APIs using OAuth authentication
PingAccess can authenticate to PingFederate administrative APIs using OAuth2
by sending a bearer token in the requests PingAccess makes to the PingFederate
administrative API.
For more information, see Configuring PingFederate administration.
Fixed security issue
Fixed a potential security issue with basic
authentication.
Fixed potential security issue
Fixed a potential security issue.
Fixed potential security issue
Fixed a potential security issue.
Fixed potential security issue
Fixed a potential security issue.
Fixed potential security issue
Fixed a potential security issue.
Updated Log4j to 2.17.1
PingAccess upgraded to Log4j
version 2.17.1.
Improved CSD tool
Added a default memory limit on the CSD tool.
Fixed certificate ID issue
Fixed an issue that restricted the available certificate IDs for
agents, engines, and replica administrative nodes.
Fixed authentication requirements issue
Fixed an issue that prevented an authentication requirements list
from correctly displaying the related authentication requirements rule after an
attempt to edit it.
Fixed non-FIPS HSM key pair issue
Fixed an issue where PingAccess could not use non-FIPS HSM key pairs at runtime.
Fixed DB password issue
Resolved an issue by disabling the DB password check in
Derby.
Fixed nonce cookie persistence issue
Fixed an issue where nonce cookies were not removed when SLO was
not enabled.
Fixed API swagger issue
Fixed an issue with API swagger where the GET Response Class
Models and Operational Models did not reflect the actual
response.
Fixed custom load balancing issue
Fixed an issue where custom load balancing strategies that
returned custom TargetHosts would result in runtime
exceptions.
Fixed error header issue
Fixed an issue where the rule.error.headers additional headers did not
display from policy rule results.
Java 17 limitation
BC-FIPS and HSMs are not supported when using Java
17.
Certificate revocation list memory issue
If a client certificate has a certificate revocation list (CRL)
DistributionPoint that points to an extremely large CRL, PingAccess might suffer
from high memory usage, leading to out-of-memory (OOM) exceptions.