Exercise fine-grained control over changes using self-governance
Build self-governance policies to manage access to your Policy Editor entities and operations. This
allows you to protect against unauthorized or accidental application policy
changes. For more information, see Self-governance.
Simpler OAuth token handling for PIPs using HTTP services
To reduce configuration complexity and time to production when connecting to HTTP services that require OAuth authentication, configure the Client Credentials flow to handle tokens directly from a token endpoint. For more information, see HTTP services.
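The client credentials exchange that such a PIP connection performs, as an added example that is not PingAuthorize's own code: the client authenticates to the token endpoint with HTTP Basic (client_secret_basic), posts grant_type=client_credentials, and caches the returned bearer token until shortly before it expires. The token URL, client ID, secret and the injected transport function are assumptions for the example; the transport stands in for an HTTPS POST so the block runs offline.

```python
import base64
import time
from urllib.parse import quote, urlencode


def basic_auth_header(client_id, client_secret):
    """client_secret_basic per RFC 6749 section 2.3.1: form-urlencode each part,
    join with ':', then base64 the result."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


class ClientCredentialsTokenSource:
    """Obtains and caches a bearer token with the client credentials grant.

    transport(url, headers, body) -> (status, json_dict) is a hypothetical interface
    injected so the example runs offline; in production it would be an HTTPS POST.
    """

    def __init__(self, token_url, client_id, client_secret, transport,
                 scope=None, refresh_margin=60, clock=time.time):
        self.token_url = token_url
        self.client_id = client_id
        self.client_secret = client_secret
        self.transport = transport
        self.scope = scope
        self.refresh_margin = refresh_margin   # refresh this many seconds before expiry
        self.clock = clock
        self._token = None
        self._expires_at = 0.0

    def build_request(self):
        """Return (url, headers, body) for the token request. Credentials travel in the
        Authorization header, never in the form body or the query string."""
        headers = {
            "Authorization": basic_auth_header(self.client_id, self.client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        }
        form = {"grant_type": "client_credentials"}
        if self.scope:
            form["scope"] = self.scope
        return self.token_url, headers, urlencode(form)

    def get_token(self):
        """Return the cached token while it is comfortably valid, otherwise fetch a new one."""
        if self._token is not None and self.clock() < self._expires_at - self.refresh_margin:
            return self._token
        status, resp = self.transport(*self.build_request())
        if status != 200 or not isinstance(resp, dict):
            raise RuntimeError(f"token endpoint returned HTTP {status}: {resp!r}")
        if str(resp.get("token_type", "")).lower() != "bearer" or not resp.get("access_token"):
            raise RuntimeError("token response is not a usable bearer token")
        self._token = resp["access_token"]
        # No expires_in: treat the token as already due for refresh rather than caching it forever.
        self._expires_at = self.clock() + float(resp.get("expires_in", 0))
        return self._token


def fake_token_endpoint_factory(lifetime=300):
    """Constructed stand-in for an authorization server; returns (transport, call_log)."""
    calls = []

    def transport(url, headers, body):
        calls.append((url, headers, body))
        return 200, {"access_token": f"tok-{len(calls)}", "token_type": "Bearer", "expires_in": lifetime}

    return transport, calls


if __name__ == "__main__":
    transport, calls = fake_token_endpoint_factory()
    src = ClientCredentialsTokenSource("https://as.example/token", "pip-client", "s3cret",
                                       transport, scope="read:users")
    print(src.get_token(), src.get_token(), "requests made:", len(calls))
```

The refresh margin matters in practice: a token that is valid when the PIP sends it can expire in flight, so refreshing a little early avoids spurious 401s on the policy's data lookups.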
Copy entities for faster configuration
To build your authorization logic more quickly and accurately, you
can make editable copies of many of your Policy Editor entities, including items
in the Trust Framework, Policy Manager, and Library. For more information, see
Copying entities.
New authorization comparators for IP subnet ranges
With the new In CIDR Block and
Not In CIDR Block comparators, you can check whether
a user’s IP address is in, or not in, a defined subnet range. These comparators
make it easier to add network information checks to your zero trust policies.
IPv4 and IPv6 addresses are supported. For more information, see Conditions.
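What the two comparators evaluate, as an added example written here and not taken from PingAuthorize's implementation: each CIDR block is parsed once, the candidate address is parsed and matched only against blocks of the same IP version, IPv4-mapped IPv6 addresses are folded to their IPv4 form, and unparseable input satisfies neither comparator. The sample blocks and addresses are constructed for the example, and the fail-closed handling of bad input is an assumption of this code rather than documented product behaviour.

```python
import ipaddress


def parse_cidr_blocks(blocks):
    """Parse CIDR strings into network objects. strict=False tolerates host bits set
    in the notation (10.1.2.3/24 -> 10.1.2.0/24) instead of raising."""
    return [ipaddress.ip_network(block, strict=False) for block in blocks]


def normalise_address(address):
    """Return an ip_address object, or None for unparseable input. IPv4-mapped IPv6
    (::ffff:a.b.c.d) is folded to its IPv4 form so an IPv4 block still matches it."""
    try:
        ip = ipaddress.ip_address(address.strip())
    except (ValueError, AttributeError):
        return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def in_cidr_block(address, blocks):
    """In CIDR Block: True if the address lies inside any listed subnet.
    Unparseable input evaluates to False (fail closed, an assumption of this example)."""
    ip = normalise_address(address)
    if ip is None:
        return False
    return any(ip.version == net.version and ip in net for net in parse_cidr_blocks(blocks))


def not_in_cidr_block(address, blocks):
    """Not In CIDR Block. Also False for unparseable input, so neither comparator can be
    satisfied by garbage; pair it with a separate validity check in policy."""
    if normalise_address(address) is None:
        return False
    return not in_cidr_block(address, blocks)


if __name__ == "__main__":
    corporate = ["10.0.0.0/8", "2001:db8:1::/48"]          # constructed sample blocks
    for addr in ["10.23.4.5", "::ffff:10.23.4.5", "2001:db8:1::9", "203.0.113.7", "bogus"]:
        print(f"{addr:>20}  in={in_cidr_block(addr, corporate)}  not_in={not_in_cidr_block(addr, corporate)}")
```

When the address comes from an X-Forwarded-For header rather than the transport layer, the policy should only trust the hop appended by your own proxy; a comparator on a client-supplied value is trivially bypassed.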
Added a property that lets you control servlet information
Added the include-servlet-information-in-error-pages configuration property to give you control over whether servlet information is printed on HTTP error pages or remains hidden (the default).
Apache Camel services have been removed
To enhance overall security for PingAuthorize, Camel
services have been removed from the default configuration. If your policies
depend upon Camel, see Apache Camel availability for more
information.
Validate token signatures and claims in policy
You can now validate JWT signatures and claims in the authorization layer, adding defense in depth and allowing you to build policy and rule logic around genuine tokens. This also improves support for PDP API use cases. For more information, see Conditions.
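The checks that "validating signatures and claims" entails, as an added example that is not PingAuthorize's own validation code: the algorithm is pinned instead of trusted from the header, the HMAC is verified in constant time before any claim is read, and exp, nbf, iss and aud are all required to match. The shared key, issuer, audience and token are constructed for the example, and HS256 is used only because it needs no library beyond the standard library; a deployment verifying tokens from an external issuer would use the issuer's public key (RS256/ES256) in the same shape of check.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(text):
    data = text.encode("ascii")
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_hs256_jwt(claims, key):
    """Mint a token for the example; in a real deployment the issuer does this."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_jwt(token, key, issuer, audience, now=None, leeway=30):
    """Return (ok, reason, claims). The signature is checked before any claim is trusted,
    the algorithm is pinned rather than read from the header, and exp/nbf/iss/aud must match."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token", None
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        sig = b64url_decode(parts[2])
    except ValueError:                      # covers binascii.Error, JSON and Unicode errors
        return False, "undecodable token", None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed header or payload", None
    # Pin the algorithm: a header claiming alg=none or any other algorithm is rejected outright.
    if header.get("alg") != "HS256":
        return False, "algorithm not allowed", None
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature", None
    # Only now are the claims worth reading.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        return False, "expired or missing exp", None
    nbf = claims.get("nbf")
    if nbf is not None and now + leeway < nbf:
        return False, "not yet valid", None
    if claims.get("iss") != issuer:
        return False, "wrong issuer", None
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:
        return False, "wrong audience", None
    return True, "ok", claims


if __name__ == "__main__":
    key = b"example-shared-secret"          # constructed for the example
    now = 1_700_000_000
    token = make_hs256_jwt({"iss": "https://issuer.example", "aud": "pdp", "sub": "alice",
                            "nbf": now - 100, "exp": now + 600}, key)
    print(validate_jwt(token, key, "https://issuer.example", "pdp", now=now))
    print(validate_jwt(token, b"wrong-key", "https://issuer.example", "pdp", now=now))
```

Ordering is the point: a policy that reads sub or scope before the signature check builds decisions on attacker-controlled input, and an audience check that is skipped lets a token minted for one service be replayed against the PDP.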
Better control over statements in decision outcomes
You now have more control over whether statements are included in decision outcomes and the way statements propagate through decision evaluations. This makes it easier to provide information in decision responses, such as reasons for both permit and deny decisions and risk evaluation feedback. For more information, see Statements.
Add parent resolvers to attributes more quickly
To reduce the number of clicks needed to add a parent resolver to
a Trust Framework attribute, we added the + Add Parent
Resolver button.
Better targeting for regex-replace-attributes
We added the ability to target individual attributes using the regex-replace-attributes statement for a more precise modification of the payload. For more information, see Regex Replace Attributes.
Clarified WARN logs by moving slow-method messages to DEBUG
We made WARN logging easier to interpret by changing the logging level for slow methods from WARN to DEBUG.
More resilient audit logging in the
We updated the default configuration for the
decision-audit log to make audit logging more
resilient.
Timeouts improved for replication enable and remove defunct server operations
Improved various timeouts for the replication enable and remove defunct server operations so that they scale with the size of the topology. Smaller topologies should not be affected by these changes.
Improved how a backup of the config backend is handled
If a file is deleted from the config/archived-configs directory while the config backend is being backed up, the deleted file is now ignored instead of causing the backup to fail.
Added a missing field value in audit logging
We fixed an audit logging issue where ADMIN_POINT_AUDIT was not logging the operation field.
Fixed the Add Statement list display
We fixed a display issue where the Add
Statement drop-down list was running off of the page and
couldn't be fully accessed.
Corrected the linking behavior for Identity Properties
We fixed an issue where clicking the linked Identity
Properties in Identity Classes or
Identity Providers didn’t open the
Identity Properties editor.
Fixed a NullPointerException for URIs without hosts
We fixed an issue where JSON response bodies containing URIs
without hosts would produce a
NullPointerException
when
PingAuthorize was configured in gateway
mode.