Federal Information Processing Standard (FIPS) 140-2 compliance requires that software use only a strict set of approved cryptographic algorithms and practices. With the new FIPS mode, PingAccess restricts itself to that set with a single switch, so it can be deployed in environments that must meet FedRAMP requirements. In addition, PingAccess 6.3 adds support for API gateways and new features for modern web developers. These features make it easier to support modern apps and give IAM teams centralized access control and access auditing, improving security and reducing risk.
With PingAccess 6.3 beta, admins can now configure sideband API clients, such as API Gateways, to request access decisions from PingAccess. Furthermore, additional JWT signing algorithms make it simpler to integrate with single page applications to provide a single pane of glass for all access control needs. Finally, admins can enable redirectless authentication when configuring authentication challenge policies with PingFederate.
Developers can use this guide to take advantage of the features that we have recently made available to protect Single-Page Applications (SPAs). The GitHub posting includes explanations, containers using our DevOps tooling to stand up local instances of PingFederate and PingAccess, and a basic To-Do List SPA that demonstrates how identity information can be used to secure a SPA.
Application owners can now use authentication challenge response policies in PingAccess to send custom responses to SPAs, removing the need to modify application code to accept standard responses. Furthermore, SPA resources which don’t correspond to an application resource (e.g. those with no URL path) can now be easily defined and protected in PingAccess.
With this beta release, customers can now view the details of a transaction before approval by including custom scopes in OIDC backchannel authentication requests. In addition, administrators can now more easily configure identity mappings with an option to add all attributes, as well as segregate admin accounts by using a separate token provider.
PingAccess agents can now send informational headers that PingAccess includes in its logs (PingAccess 6.0 or later required). This tells administrators which agents are deployed, along with their versions, hostnames, and the platforms they run on. Administrators can also configure arbitrary strings for an agent to send, which PingAccess logs for agent inventory and reporting.
Customers can now automatically import configurations on startup, and upgrade configurations on import. Further simplifying administration, resources can be defined using query parameters in addition to specific path parameters. Customers can also enhance security by using an integration with iovation FraudForce to check device health before granting resource access, and by configuring PingAccess to validate certificates on mutual TLS connections.
PingAccess 6.0.3 is a cumulative maintenance release for PingAccess 6.0, which introduced several new features, including ACME certificate management, Amazon CloudHSM support, and a simplified upgrade process, along with several other enhancements.
To improve security, PingAccess can now authenticate to supported OIDC identity providers such as PingFederate and Microsoft Azure Active Directory using mutual TLS, and check the validity of certificates used when proxying a mutual TLS client connection to protected applications. Administration has been made easier with the relocation of key pair assignments for HTTPS listeners, as well as the logging of complete requests and responses for troubleshooting. Note: this is a beta release.
Increase security by automating the lifecycle of HTTPS certificates via the Automated Certificate Management Environment (ACME) protocol and by storing HTTPS and client private keys in a Hardware Security Module (HSM). Additionally, the new administrative UI is much faster, providing a better admin experience in large deployments, and the upgrade process has been simplified so administrators spend less time waiting.
PingAccess 5.3.2 is a cumulative maintenance release which introduced several new features, including performance enhancements, logging improvements, simplified PingFederate configuration, and greater control over trusted certificate groups, along with several other enhancements.
PingAccess 5.3.1 is a cumulative maintenance release for PingAccess 5.3, which introduced several new features including performance enhancements, logging improvements, simplified configuration with PingFederate, and greater control over trusted certificate groups, along with several other enhancements.
A new rule type, enabled by added support for the Client Initiated Backchannel Authentication (CIBA) standard, allows PingAccess to perform one-time authorizations for defined high-risk transactions such as a high-dollar transfer. Additionally, support for Proof Key for Code Exchange (PKCE) has been added to prevent authorization code interception attacks: PingAccess generates a one-time, cryptographically random code verifier, sends its hash (the code challenge) with the authorization request, and presents the verifier itself with the token request, so the OpenID Provider (OP) only redeems an authorization code for the party that started the flow.
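To make the PKCE mechanism concrete, here is an added example (not PingAccess or PingFederate code) of the client-side verifier/challenge generation from RFC 7636 and the check an OP performs at its token endpoint. The `ToyOpenIDProvider` class, the `run_flow` helper and the client_id string are hypothetical stand-ins written for this illustration; the flow shows why an attacker who captures the authorization code, and even the public code challenge, still cannot redeem the code without the verifier.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """High-entropy one-time secret kept by the client (RFC 7636 s.4.1).
    32 random bytes encode to 43 unreserved characters, the RFC minimum."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def challenge_matches(verifier: str, challenge: str, method: str) -> bool:
    """OP-side comparison at the token endpoint (RFC 7636 s.4.6)."""
    if method == "S256":
        expected = make_code_challenge(verifier)
    elif method == "plain":  # permitted by the RFC but gives no protection
        expected = verifier
    else:
        return False
    return hmac.compare_digest(expected.encode("ascii"), challenge.encode("ascii"))


class ToyOpenIDProvider:
    """Hypothetical OP: remembers the challenge alongside each code it issues."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, code_challenge, method)

    def authorize(self, client_id: str, code_challenge: str, method: str) -> str:
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge, method)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        # Single use: any redemption attempt, good or bad, burns the code.
        entry = self._codes.pop(code, None)
        if entry is None:
            return None
        issued_to, challenge, method = entry
        if issued_to != client_id:
            return None
        if not 43 <= len(code_verifier) <= 128:
            return None
        if not challenge_matches(code_verifier, challenge, method):
            return None
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


def run_flow(attacker_has_code: bool) -> bool:
    """One authorization-code exchange; returns True if a token was issued.
    With attacker_has_code=True the code is replayed by a party that saw the
    code and the challenge on the wire but never held the verifier."""
    op = ToyOpenIDProvider()
    client_id = "pingaccess-web-session"  # hypothetical client_id
    verifier = make_code_verifier()
    code = op.authorize(client_id, make_code_challenge(verifier), "S256")
    presented = make_code_verifier() if attacker_has_code else verifier
    return op.token(client_id, code, presented) is not None


if __name__ == "__main__":
    print("legitimate client gets a token:", run_flow(attacker_has_code=False))
    print("intercepted code gets a token: ", run_flow(attacker_has_code=True))
```

The verifier never leaves the client until the token request, which goes over TLS directly to the OP, so capturing the front-channel redirect (where the code and challenge travel) is not enough. Use S256; with the `plain` method the challenge is the verifier, and interception of the authorization request gives the attacker everything.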
Performance and logging enhancements have been implemented to efficiently provide access security to thousands of applications, and customers can monitor the health of all of these resources with additional logging that includes startup and response times. To further reduce administrative effort, a new web session scope and JWT identity mapping exclusion lists have also been added in this release. In addition, the PingAccess Agent for NGINX Plus has been updated to support R18.
Organizations leveraging PingAccess for agent based protection of resources now have more configuration options. The PAAEnabled directive can now be used inside a directory or location container. Additionally, the ability to set policy caching mechanisms using a property in the agent.properties file has been added. Finally, functionality to enable or disable agent processing for requests based on a note field is now available. The following agents have each received these updates:
Organizations can now apply granular authorization policies for applications running on Apache for Windows (VC14+ 64-bit) with a new agent. WAM coexistence has also been made easier with Apache PingAccess agents able to run in conjunction with legacy WAM agents, with the flexibility to enable or disable agent processing as needed.
We expanded the platform support for PingAccess by releasing a new version of the NGINX agent that supports both R16 and R17 of NGINX Plus. The new agent is available from the PingAccess Downloads site.
This beta release of PingAccess 5.3 adds customer-requested functions to help with the modernization of their Web Access Management solutions. This includes allowing administrators to view OIDC metadata that is available from the configured token provider.
PingAccess Policy Migration (PA PM) is a new product that removes the burdensome and error-prone processes involved in manually migrating hundreds of policies from your legacy WAM system to PingAccess. PA PM allows you to maintain your existing network architecture with options to migrate to agent or proxy configurations. During migration, PA PM also enables you to review corresponding import and export values to ensure accuracy, as well as troubleshoot common mapping and export errors.
The newest PingAccess release makes it easier for customers to migrate from legacy WAMs and modernize their IAM environment by increasing flexibility to match existing deployment architectures and incorporate data from API-enabled systems like mobile device management solutions and threat detection systems to make better access decisions.
With this beta release, customers can now configure the end user's logout experience on a per-application basis, allowing them to "onboard" more applications without making changes to application code. Customization options include whether or not to use the OIDC Provider's single logout (SLO) feature to log out of all application sessions, and where to redirect the user's browser after logout.