Adjust web session timeouts based on specific user attributes
Added a new advanced setting, the Timeout Groovy Script field, to the Web Sessions page. With this feature, you can attach a Groovy script to a web session to override its default Max Timeout and Idle Timeout values based on specific user attributes returned by the token provider. For more information and an example script, see Creating web sessions.
Access reserved resources from an application's context root
Added a new advanced setting, Use context root as reserved resource base path, to the Applications page. Selecting this check box prepends the specified application's <context root> before the globally-defined <reserved application context root> in the file path to reserved resources and runtime API endpoints, giving you more flexibility in how these resources are accessed. For more information and examples, see Application field descriptions.
Establish web sessions in Microsoft Office products
Added a new out-of-the-box authentication challenge policy which enables you to open Microsoft Office applications in an in-app browser that redirects to the OpenID Provider (OP) for authentication. See Authentication for more information on system-provided policies and Configuring authentication challenge policies for more information on how to use the MS-OFBA challenge response mapping and the MS-OFBA Authentication Request Redirect challenge response generator to address edge-case scenarios regarding MS-OFBA support.
Include requested resource URL in additional authentication challenge responses
Added additional parameters to the Redirect Challenge and Templated Challenge response generators. They can now store the URL of the resource a user was trying to access before they were redirected to authenticate, as well as the authentication API parameters necessary for the user to access that resource. This feature aids in creating your own user sign-on experience, but some additional coding is required. For more information, see Authentication challenge response generator descriptions and Configuring authentication challenge policies.
Provide user feedback on authentication challenge reason for expired sessions
Added feedback keys to the OIDC Authentication Request Redirect, Redirect Challenge, and Templated Challenge response generators. When a user is redirected to an authentication source by one of these authentication challenge response generators, PingAccess sends the feedback key to the authentication source to let it know that the user was directed there because their session expired. The authentication source can then configure and display a user-facing message to let the user know why they were redirected.
To enable PingAccess to send feedback to the authentication source, you must select the Provide Authentication Feedback check box on the web session you intend to use. For more information, see Configuring authentication challenge policies and Creating web sessions.
Configure prompt parameter in OIDC authentication requests
Added a prompt parameter to the following authentication challenge response generators:
- Browser-handled OIDC Authentication Request
- HTML OIDC Authentication Request
- MS-OFBA Authentication Request Redirect
- OIDC Authentication Request Redirect
- PingFederate Authentication API Challenge
The prompt parameter can be used to confirm that the end-user is still present for the current session, or to draw attention to the authentication request. For more information, see Configuring authentication challenge policies. You can also configure the prompt parameter on a web session, but a prompt parameter specified on a challenge response generator takes precedence. For more information, see Creating web sessions.
Additionally, PingAccess can now send pushed authorization requests (PAR) to provide an additional layer of security to requests if PingFederate is configured as the token provider. For more information, see Enable Push Authorization in Creating web sessions.
Create PingOne Protect policies through the PingAccess administrative API
Added two new admin API endpoints, /pingone/connections and /risk/policies. Administrators can integrate PingOne Protect evaluations into PingAccess through the /pingone/connections endpoint. With the /risk/policies endpoint, administrators can create risk policies to dynamically monitor end-user requests and invoke specific access control or authentication challenge policies set by the administrator based on the PingOne Protect score that the user's activity generates. For more information, see PingOne Protect integration.
Stale engine node deletion
You can configure administrative nodes to automatically remove stale engine node entities. For more information, see Configuring administrative nodes.
Removed extraneous algorithm to improve replication times
Consolidated an algorithm used to calculate invalidation timestamps for agent resources, improving replication performance.
Improved Apache Derby replication times regarding slow database queries
Resource database queries were performing slowly in Apache Derby when run at scale. The query used with the resource table has been changed to improve the speed of policy data collection.
Fixed replication of rules and rulesets configured on a proxied version of PingFederate
Fixed sample plugins failing to build with Maven 3.8.1+
Fixed population of original resource IDs in upgrade audit logs
The upgrade audit log is used to review entity migration after you've upgraded PingAccess to a new version. Original resource IDs within the upgrade audit log were incorrectly displaying a value of zero instead of their real values. This issue has been fixed.
Fixed PingAccess nonce “set-cookie” interaction with Blackberry SDK
Case sensitivity was causing the Blackberry SDK to remove the cookie set by the PingAccess nonce, which was formerly “set-cookie.” Set-Cookie now uses title-case capitalization to ensure that the cookie is set properly.
Fixed identity mapping exclusion list issue
Fixed an issue that prevented an identity mapping from being saved through the API if the exclusion list attributes were null.
Fixed identity mapping for unprotected API applications
Fixed an issue that prevented identity mappings from being assigned to unprotected API applications.
Fixed sign-on failure issue
Fixed an issue that sometimes caused UI lockout after multiple failed sign-on attempts.
Fixed engine status field descriptions
Added descriptions of the fields for the GET /engines/status endpoint.
Fixed potential deadlock issue
Added handling to recover from deadlocks encountered during configuration import and other asynchronous Admin API actions.