PingAccess 7.0 (December 2021) - PingAccess - 7.3

PingAccess

bundle
pingaccess-73
ft:publication_title
PingAccess
Product_Version_ce
PingAccess 7.3
category
Product
pa-73
pingaccess
ContentType_ce

Added Logout virtual resource

New PA-14281
Added a new Logout response generator for virtual resources, enabling you to customize logout behavior for each application. See Adding application resources for more information.

CRL processing improvements

New PA-14227 & PA-14410
PingAccess now supports trace-level logging to help troubleshoot certification revocation issues and provides an option to bypass trust anchor validation. This helps improve interoperability with certificate authority (CA)certificate authority (CA)CA An entity that issues digital certificates. infrastructure. See Creating trusted certificate groups for more information.

Added support for web session access token identity mappings

New PA-14412
PingAccess now supports creating web session access token identity mappings. This helps ease integration with existing APIs, in particular in the context of Single Page Applications (SPAs). See Creating web session access token identity mappings for more information.

Added support for reversed trust chain certificate validation

New PA-14422
PingAccess now supports validation for client certificate chains that are not in the standard order, such as a reversed certificate chain of [root, intermediate, leaf]. See Creating trusted certificate groups for more information.

Runtime state clustering no longer supported

Info PA-14435
PingAccess no longer supports runtime state clustering. Clustered environments that do not use runtime state clustering are not affected.

Fixed security issue

Security PA-14403
Fixed a potential security issue.

Fixed security issue

Security PA-14296
Fixed a potential security issue.

Fixed security issue

Security PA-14284
Fixed a potential security issue.

Fixed security issue

Security PA-14279
Fixed a potential security issue.

Fixed security issue

Security PA-14287
Fixed a potential security issue.

Fixed security issue

Security PA-14331
Fixed a potential security issue.

Fixed security issue

Security PA-14302
Fixed a potential security issue.

Fixed security issue

Security PA-14134
Fixed a potential security issue.

Fixed security issue

Security PA-14135
Fixed a potential security issue.

Fixed security issue

Security PA-14143
Fixed a potential security issue.

Fixed a typo affecting the upload of external scripts

Fixed PA-14542
Fixed a typo in the Content-Security-Policy header that prevented PingAccess from loading external scripts from HTML responses.

Fixed an issue that returned a 500 error code

Fixed PA-14541
Fixed an issue in the CRL client certificate authentication flow that returned a 500 error code when PingAccess is in FIPS mode.

UI displays alias of selected certificates

Fixed PA-14421
Updated the PingAccess UI to display the alias of the selected certificates in the Trusted Certificate Group List.

Expanded character limit on the primary administrative node host field

Fixed PA-14433
Fixed an issue that limited the host field for the Primary Administrative Node to 64 characters, instead of the standard 255 characters.

Added URL encoding for special characters

Fixed PA-14083
Added handling to URL encode client secrets with special characters per RFC 6749.

Fixed incorrect assumption that a revoked certificate is the first in the chain

Fixed PA-14445
Fixed an issue where upon detecting a revoked certificate in a chain, PingAccess incorrectly assumes it is always the first cert in the chain.

Fixed 500 error issue related to key pair endpoints

Fixed PA-14304
Fixed an issue that returned a 500 error when requesting key pairs endpoints with special characters in the chain certs field.

Fixed an issue that switched the admin and system token providers

Fixed PA-14467
Fixed an issue that caused key rolling to result in Admin Token Provider and System Token Provider being switched.

Fixed a typo causing warnings when running PingAccess as a Windows Service

Fixed PA-14477
Fixed a typo that could cause warnings when running PingAccess as a Windows Service.

Fixed non-ASCII character encoding issue

Fixed PA-14402
Fixed an issue that prevented PingAccess from encoding non-ASCII characters when they are in the domain only.

Fixed an error caused by omission of the response.body parameter

Fixed PA-14468
Fixed an issue that caused PingAccess to trigger an error when using the PingAuthorize Access Control rule and the target Sideband provider returns a response that omits the response.body parameter.

Fixed an issue with application initialization in the Admin UI

Fixed PA-14392
Fixed an issue that caused PingAccess Admin UI to incorrectly initialize an application with the state of another application leading to scenarios where an administrator could mistakenly update an application with the data of another application.

Fixed an issue preventing PEM key pair header warnings from being sent

Fixed PA-14314
Fixed an issue that prevented header warnings from being sent for PEM key pairs with a single duplicate chain certificate.

Added INFO level logging

Fixed PA-14258
Added INFO level logging at the start of configuration import.

Fixed invalid ACME request display issue

Fixed PA-14280
Fixed an issue that prevented an ACME request with an INVALID state and an empty problem description from displaying correctly.

Fixed sideband transport issue with fixed ports

Fixed PA-14290
Fixed an issue that caused the PingAccess Sideband transport to only use fixed ports when performing resource matching against incoming sideband API requests.

Fixed display issue with the Signing Algorithm drop-down list

Fixed PA-14238
Fixed an issue that caused disabled algorithms to appear on the Signing Algorithm drop-down list on the Auth Token Management page.

Fixed an issue with JWT SSO Admin Authentication

Fixed PA-14265
Fixed an issue that prevented the SSO Admin Authentication method in the PingAccess admin console from functioning in clustered PingAccess deployments when Private Key JSON Web Token (JWT)JSON Web Token (JWT)JWT An IETF standard container format for a JSON object used for the secure exchange of content, such as identity or entitlement information. To read the industry standard, see RFC 7519 client authentication is used.

Fixed no scope claim issue with the PingAccess sideband API

Fixed PA-14029
Fixed an issue that caused PingAccess Sideband API to return an error when no scope claim is configured in the access token.

Fixed Sideband API 'Transfer-Encoding' issue

Fixed PA-14305
Fixed an issue where the 'Transfer-Encoding' request header is dropped from inbound PingAccess Sideband API request results.

Improved empty string error message

Fixed PA-14472
Improved error message when supplying an empty string to fields that expect a charset.

Hibernate deadlock errors

Issue PA-14985
There are a few potential scenarios when the PingAccess data layer might encounter deadlocks. PingAccess should be able to recover from these deadlocks, so hibernate error logs can be ignored when followed by the log message "Recovered from database deadlock with transaction retry."

Cloud HSM limited in Java8u261

Issue PA-14414
Cloud HSM functionality works in FIPS mode but not in regular mode for Java8u261 and later. RSASSA-PSS signing algorithms fail with Java8u261 or later, and HSM vendors and core Java use different naming conventions for the RSASSA-PSS algorithm. There is a documented workaround in Adding an AWS CloudHSM provider.

Kong API limitation

Issue PA-14466
Due to an outstanding defect in the Kong API Gateway, the ping-auth plugin currently does not support requests that utilize the Transfer-Encoding header. If PingAccess is used as the external authorization server, the Rewrite Content rule can prevent the page from displaying.

Zero downtime upgrade limitation

Issue PAPQ-1034
PingAccess 6.3 deployments that use the Sideband API feature cannot be upgraded using the zero downtime upgrade procedure. You must use a planned outage to upgrade such an environment.

SameSite cookie upgrade issue

Issue
Depending on the source version, the upgrade process may change the default settings for the SameSite cookie attribute to make PingAccess cookies work on all browsers. Review the settings for each web session in Access > Web Sessions to verify that your SameSite cookie attribute values are set to None or Lax, depending on the third-party context needs for PingAccess cookies.

TLS 1.3 limitation

Issue STAGING-8707
PingAccess may have difficulty maintaining TLS 1.3 connections when using JDK 11.0.0, 11.0.1, or 11.0.2 because of a defect in those versions. This might cause upgrades to fail on systems using these versions.

Engine and Admin Replica connection issue

Issue PA-4888
Engines and admin replicas do not connect to admin console if a combination of IP addresses and DNS names are used.

Token processor issue

Issue PA-6262
The token processor can't connect to a JWKS endpoint via SSLSSL (Secure Sockets Layer) A protocol for authenticated and encrypted links between networked machines, typically over HTTPS. SSL was deprecated in 1999 in favor of Transport Layer Security (TLS). when an IP is used rather than a hostname. To workaround this issue, add the hostname as the subject alt name on the key pairkey pair The private key and public key represented by a certificate. .

Virtual hosts with shared hostnames retention issue

Issue PA-11390
If you create multiple virtual hosts with a shared hostname and associate the hostname with a server key pair, the virtual hosts retain the connection with the server key pair even if they are subsequently renamed. The virtual host must be deleted and recreated to remove the association.

Risk-based authorization rule issue during upgrade

Issue PA-10505
Upgrades will fail with a risk-based authorization rule if a third-party service is not used in the rule.

Excessive log file warnings during startup

Issue
Log files may contain excessive warnings issued by Hibernate during startup.

Asynchronous front-channel logout issue

Issue PA-12647
Asynchronous front-channel logout might fail in some browsers depending on end-user settings. See https://support.pingidentity.com/s/article/Managing-Single-Log-Out-in-different-browsers for browser-specific workarounds.

UI failure when assigning new key pair

Issue PA-13500
Assigning a new key pair to the Admin HTTPS listener if the browser does not trust the new key pair can prevent the UI from functioning. The workaround is to close the browser and re-open it so that all connections to the admin node use the new certificate.

Invalid special characters permitted in identity mappings

Issue PA-13214
Invalid special characters ((),/;<=>?@[\]{}") can be added to the Certificate to Header Mapping field in an identity mapping. Adding this identity mapping to an application will cause 400 errors when the application is accessed.

Slow restarts in FIPS mode

Issue PA-14239
If PingAccess is repeatedly stopped and restarted in FIPS mode, subsequent restarts can take up to 5 minutes to complete. The workaround is to use a tool such as rng-tools to refresh /dev/random and make more entropy available faster. For example:
sudo yum install rng-tools
sudo rngb -b 

Firefox limitation for time range rules

Issue
Firefox does not correctly support the HTML5 time tag. When using the Time Range rule, enter time in 24-hour format.

Spurious errors when installing PingAccess as a Windows service

Issue
When installing PingAccess as a Windows service using Windows PowerShell and Java 8, the error message "Could not find or load main class" can be safely ignored.

Request preservation not supported with Safari private browsing

Issue PA-2896
Request Preservation is not supported with Safari Private Browsing.

IPv6 limitation

Issue PA-1894
Incorrect handling for IPv6 literals in Host header. Note that IPv6 is not currently supported.

Spurious warning after upgrade or startup on Windows

Issue PA-14907
After starting PingAccess for the first time on a Windows system or upgrading PingAccess on a Windows system, a warning message is logged reporting that the pa.jwk file was not made non-executable. This message can be ignored.