Release Notes

Info

Support for Java 11 has been removed. You must be running Java 17 or a later supported version, as detailed in the System requirements. Learn more about upgrading a PingAuthorize instance running Java 11 in Considerations when upgrading to version 10.3.

Info

Support for Internet Explorer 11 has been deprecated and will be removed in a future release.

Info

The following configuration.yml properties have been deprecated in the Policy Editor:

Info

We removed an extra application version number displayed by the Policy Editor.

Info

We added documentation for a library of custom SpEL functions introduced in PingAuthorize 10.2, focusing on common use cases for working with collections, dates and times, and Uniform Resource Identifiers (URIs).

Learn more in SpEL processing examples.

New PAZ-15881, PAZ-17469

We added JRE support for Oracle JDK 21 and OpenJDK 21.

New PAZ-17485

Although Camel services have been removed from the default PingAuthorize configuration, you can now use Camel version 4.0 if your policies depend on such services. Learn more in Enabling Camel service connections.

New PAZ-11577

By default, combining algorithms stop evaluating a policy’s child elements as soon as a final decision is reached. You can use the new Evaluate All option to override this behavior and ensure that all child policies or rules are evaluated, even if a final decision has been reached. This option allows additional statement information to propagate up to the parent policy, which can help with auditing, debugging, and analyzing policy outcomes.

Learn more in Combining algorithms.

New PAZ-18011

We added circuit breaker functionality for policy information points (PIPs). Circuit breakers enhance system resilience by preventing cascading failures from unhealthy PIPs. When a service fails repeatedly, the circuit breaker temporarily halts requests to that service and periodically tests for recovery.

Learn more about circuit breaker configuration in Connecting a service.

New PAZ-17552

The Policy Editor Branch Manager now displays a visual count of all branches defined in the system. You can define up to 100 top-level branches, including system and self-governance branches.

Learn more in Creating a branch.

New PAZ-17947

We added more detailed HTTP event logging to the file-based trace logger. You can now enable logging for individual event types across the entire HTTP request lifecycle. These events provide deeper visibility into request handling and can help identify performance bottlenecks.

Learn more in Advanced HTTP event logging.

New PAZ-18104

We added expensive HTTP thread monitoring to help identify and troubleshoot performance bottlenecks in the HTTP connection handler. When an HTTP thread’s execution time exceeds a configured threshold, PingAuthorize can generate a thread dump. This provides valuable insight into the exact point of delay, enabling quicker identification and resolution of slowdowns.

Learn more in Detecting expensive HTTP threads.

New PAZ-18013

We added a correlationId field to trace log messages that record details of downstream service calls. Correlation IDs help link service logs with other messages from the same decision request, giving you deeper visibility into the full request lifecycle.

Learn more about HTTP correlation ID behavior in About HTTP correlation IDs.

Improved DS-49566

We reduced the size of the PingAuthorize Server distribution by removing unnecessary .jar files.

Improved PAZ-17936

We made the following improvements to API security gateway request timeout behavior:

Improved PAZ-18509

We changed how policy query permutations are recorded in the policy query debug log. Now, each permutation is logged as an individual entry. This makes it easier to ingest and analyze detailed query logs in your SIEM or other log management systems, especially for query requests that generate many permutations.

Learn more in Policy query logging.

Improved PAZ-18106

To better protect sensitive information, we updated the collect-support-data tool. The tool now automatically redacts deployment package content from generated support file bundles, ensuring your proprietary data is kept more secure.

Improved PAZ-18422

To improve performance and usability when navigating large datasets, we added support for paging across all list and tree elements in the Policy Editor, including nested elements. Elements are loaded in fixed pages of 100, with a Load more option available to retrieve additional items incrementally.

Fixed PAZ-18152

We fixed an issue where attributes marked as secret were incorrectly encrypted in responses from the governance-engine/query endpoint, in addition to being encrypted in the policy query debug log.

Fixed PAZ-16760

We fixed an issue where key-value pairs defined as custom OAuth parameters didn’t reset after the authentication type for an HTTP service was changed.

Fixed PAZ-16349

We fixed an issue where the self-governance decision engine didn’t intercept requests to deployment package stores.

Fixed PAZ-18565

We fixed an issue where AWS S3 credentials were inadvertently included in application logs.

Fixed PAZ-16549

To improve request handling, we fixed an issue that caused a NullPointerException message to be logged when decision requests were missing the attributes property in the request body.

Fixed PAZ-18403

We fixed an issue where some database service connections didn’t properly close JDBC statement objects. This could lead to connection pool limits being reached because of unreleased resources, even at low traffic levels.

Fixed DS-48511

We fixed an issue with inconsistencies in id-attribute values returned in SCIM operation responses. Also, we fixed an issue with SCIM GET operations where a filter used to search for an entry would result in a 404 error.

Fixed DS-46253

We fixed an issue where the Monitor History Plugin wouldn’t preserve files longer than 14 days when the retain-files-sparsely-by-age setting was set to true.

Info

The PingAuthorize version number was incremented due to changes released for PingDirectory. There are no release notes for this version of PingAuthorize.

Info PAZ-16269

Support for Java 11 has been deprecated. PingAuthorize 10.3 and later will not support Java 11. To prevent problems when upgrading PingAuthorize, you should upgrade to Java 17. Learn more in System requirements.

Info

Several components will be upgraded in version 10.3 of PingAuthorize. If any of your custom Server SDK extensions have classes that import javax.* packages, you will need to migrate them to the equivalent jakarta.* packages and then recompile the extensions.

New PAZ-16062

For HTTP Services using the OAuth 2.0 (Client Credentials) grant type for authentication, we added the ability to include custom key-value pairs as additional parameters in the body of token endpoint requests. This level of customization is useful when integrating with authorization services that enforce specific configuration constraints. Learn more in HTTP services.

New PAZ-12855

To provide enhanced visibility into the logic underlying policy query responses, we added support for a new unfiltered policy query response view. This view includes every decision used to compose the final policy query response, regardless of the outcome or the presence of statements. Learn more in Configuring query response granularity.

New PAZ-12855

We added debugging capabilities for policy query audit logging in the PingAuthorize Server and the Policy Editor. Enabling debug logging brings enhanced visibility to the attribute data and policy dependencies involved in policy query responses. Learn more in Policy query logging.

New PAZ-16050

For policy query audit logs with debug logging enabled, we added the ability to specify additional levels of detail to include in each query permutation’s response field. This level of customization enables you to increase or decrease visibility into query requests and responses in both development and production environments. Learn more in Configuring the query permutation view.

New PAZ-16050

You can now exercise control over which attributes get logged as part of policy query responses in embedded or external PDP mode. This configuration logs full details of the specified attributes when they’re evaluated as part of the policy query request.

New PAZ-13188

We added support for Mapped Diagnostic Context (MDC) capabilities in PingAuthorize Server and Policy Editor logging. MDC enriches log messages with additional request context, enabling you to diagnose issues across application components. Learn more in Enabling Mapped Diagnostic Context for Policy Editor logs.

New PAZ-13089

We added support for Elliptic Curve Digital Signature Algorithm (ECDSA)-encoded signatures for JWT tokens when using the Has Valid Signature For JWKS and Has Invalid Signature For JWKS attribute comparators. Learn more in Conditions.

New PAZ-15718

We added the decision-point-spel-functions library to the PingAuthorize Server distribution. These functions add native capabilities for collection, datetime, and URI processing with SpEL.

New PAZ-15845

Although Camel services have been removed from the default PingAuthorize configuration, you can now use Camel version 3.22.2 if your policies depend on such services. Learn more in Enabling Camel service connections.

New DS-49135

Added the ability to cache key managers and trust managers to prevent loading keystore and truststore files from disk when establishing connections to process requests. Use the enable-key-manager-caching and enable-trust-manager-caching configuration properties to enable or disable caching. Learn more in Configuring key and trust manager providers.

Improved PAZ-12527

We improved and standardized error handling for requests sent to the JSON PDP API’s governance-engine/query endpoint.

Improved PAZ-12724

When making a policy query request, you might want to use a single-valued attribute to resolve a query attribute. Now, you can include this single-valued attribute in the query section, rather than the context section of the JSON PDP API request.

Improved DS-48729

We updated the PingAuthorize Server’s HTTP external server configuration to allow requests to be forwarded through an HTTP proxy server.

Fixed PAZ-12752

We fixed an issue where the same request sent to the JSON PDP API’s governance-engine/query endpoint could produce inconsistent responses.

Fixed PAZ-11133

We fixed an issue where running test scenarios that exceeded 50 kB in size would produce the following error: Failed to execute 'setItem' on 'Storage': Setting the value of 'xxx' exceeded the quota.

Now, although test scenarios of this size will still execute, these scenarios will not be stored in the Policy Editor’s local cache. Learn more in Testing policies.

Fixed PAZ-12166

We fixed an issue where creating a copy of an existing policy with the Policy Editor Management API would generate a redundant copy of that policy. This occurred because the version ID of the original policy was supplied in the POST request to create the policy copy. With this fix, users can no longer provide a version ID when creating a new policy.

Fixed PAZ-2355

We fixed an issue where the Policy Editor login screen was incorrectly aligned on displays with insufficient vertical height.

Fixed PAZ-16415

We fixed an issue where policy query responses were constructed with an excessively broad response view, causing performance issues.

Fixed PAZ-15930

We fixed an issue that would cause false conflicts when merging policy branches in the Policy Editor.

Fixed PAZ-16253

We fixed an issue that would prevent complete sign-off from the Policy Editor when using the Authorization Code with PKCE grant type.

Fixed PAZ-11767

We fixed an issue where pasting an audit log entry without the decisionTree or evaluationLog field into the Policy Editor’s Decision Visualizer would incorrectly return a Cannot read properties of undefined (reading 'create') error in addition to a decisionTree or evaluationLog must be enabled to visualize decision tree error.

Fixed PAZ-16140

We fixed an issue with the PingAuthorize Server that caused logs and monitors to make requests to deployment package stores more frequently than the configured polling interval, creating performance issues.

Fixed DS-47384

For the PingAuthorize Server, we changed the collect-support-data tool to use the latest monitor-history file if it can’t find ldap/monitor.ldif when exchanging monitor data.

Fixed DS-49161

We fixed an issue with the PingAuthorize Server where the Prometheus HTTP servlet would publish an excessive number of error messages to the error log when it lost connection to its remote counterpart.

Fixed DS-49071

We fixed an issue with the PingAuthorize Server where running the config-diff tool would result in an Unknown property error when comparing configuration objects of different types.

Fixed DS-49119

We fixed an issue with the PingAuthorize Server where alert types that were disabled would still output suppression messages.

New DS-49135

We added the ability to cache key managers and trust managers to prevent loading key store and trust store files from disk when establishing connections to process requests. Use the enable-key-manager-caching and enable-trust-manager-caching configuration properties to enable or disable caching. Learn more in Caching key and trust managers.

Fixed PAZ-16140

We fixed an issue with the PingAuthorize Server that caused logs and monitors to make requests to deployment package stores more frequently than the configured polling interval, causing performance issues.

Fixed DS-48511

We fixed an issue with inconsistencies in id-attribute values returned in SCIM operation responses. We also fixed an issue with SCIM GET operations, where a filter used to search for an entry would result in a 404 error.

Fixed DS-49119

We fixed an issue where alert types that were disabled would still output suppression messages.

New

We added support for a new unfiltered policy query response view. This view includes every decision used to compose the final query response, regardless of the outcome or the presence of statements. Learn more in Configuring query response granularity.

New

We added debugging capabilities for policy query audit logging. Enabling the DEBUG log level brings enhanced visibility to the attribute data and decision logic underlying query responses. Learn more in Troubleshooting policy queries.

New

We added support for Mapped Diagnostic Context (MDC) capabilities in logging. MDC enriches log messages with additional request context, enabling you to diagnose issues across application components. Learn more in Enabling Mapped Diagnostic Context for Policy Editor logs.

New

We added support for Elliptic Curve Digital Signature Algorithm (ECDSA)-encoded signatures for JWT tokens when using the Has Valid Signature For JWKS and Has Invalid Signature For JWKS attribute comparators. Learn more in Conditions.

Improved

We improved and standardized error handling for requests sent to the governance-engine/query endpoint.

Improved

When making a policy query request, you might want to use a single-valued attribute to resolve a query attribute. Now, you can include this single-valued attribute in the query section, rather than the context section of the request.

Fixed PAZ-12752

We fixed an issue where the same request sent to the governance-engine/query endpoint could produce inconsistent responses.

Fixed PAZ-11767

We fixed an issue where pasting an audit log entry without the decisionTree or evaluationLog field into the Decision Visualizer would incorrectly return a Cannot read properties of undefined (reading 'create') error in addition to a decisionTree or evaluationLog must be enabled to visualize decision tree error.

Fixed PAZ-13013

We fixed an issue where, when using the PingAuthorize Server’s API security gateway in embedded PDP mode, policy decision logging could cause a memory leak and negatively impact the performance of long-running server instances.

Fixed DS-49071

We fixed an issue where config-diff would result in an Unknown property error when comparing configuration objects of different types.

New

We added a new Database service type, enabling you to use relational databases as policy information points (PIP) during policy development. Services retrieve information from external data sources for use in context-aware authorization decisions. Now, you can dynamically query and transform such information from relational databases. Learn more in Database services.

New

We added a new Policy Decision Logger extension to the Server SDK for developing third-party decision log publishers. This extension enables you to configure custom decision logging behavior and log destinations. You can extend the provided PolicyDecisionLogger API in the Server SDK to implement your custom logic. Learn more in Managing Server SDK Extensions and the doc/getting-started directory in your SDK download.

New

We added the ability to map headers of incoming JSON PDP API requests to Trust Framework attributes. PingAuthorize uses these mappings to dynamically populate attribute values with the values of incoming request headers, enabling you to leverage header data as decision context in request bodies. Learn more in Configuring policy request header mappings.

New

We added the ability, for any call to external services with caching enabled, to determine whether the result of that call was retrieved from the cache. Learn more in Service caching.

New

We added the ability to enable Camel service connections in the Policy Editor with the command line. To ensure that Camel is used with the appropriate permissions and security controls, Camel services are disabled by default in the Policy Editor. Now, instead of manually updating the Policy Editor’s configuration, you can enable Camel service connections with the --enableCamelService option in non-interactive setup mode. Learn more in Enabling Camel service connections.

New

We added support for the dropwizard-json-logging library to the default Policy Editor loggers. Now, you can add this library in the Policy Editor’s configuration.yml file to each logger stream you wish to enable JSON formatting for. The availability of this library does not impact the application’s default configuration. Learn more in Enabling JSON formatting for Policy Editor logs.

New

We added support for Rocky Linux 9.3 and Red Hat Enterprise Linux 9.3. Learn more in System requirements.

Improved

To address the possibility of remote code execution attacks with H2 database services, we made the database driver allow list configurable and unlisted H2 by default. Learn more in Database services.

Info

To mitigate the performance impact of large archives, we updated the configuration archive to keep a maximum of 100 previous configurations by default

Fixed PAZ-12150

We fixed an issue where, in some cases, copying a policy created a redundant instance of that policy.

Fixed PAZ-9092

We fixed an issue where copying a rule containing a Library statement would create a new instance of that statement instead of reusing the existing one.

Fixed PAZ-12017

We fixed an issue where, after enabling caching for an LDAP service, specifying a Time to Live (TTL), and clicking Save, the specified TTL disappeared from the UI and backend configuration.

Fixed PAZ-12145

We fixed an issue where, when making HTTP service calls, the policy decision point would incorrectly assign default values to the request body and the content-type header.

Fixed PAZ-3306

We fixed an issue where, when using an imported policy snapshot, self-governance decision requests were missing values in the action field.

Fixed PAZ-12245

We fixed an issue where, when sending a Policy Query API request with an unbounded attribute in the query array, the system would return a 500 error status code if the unbounded attribute’s value was resolved to an empty collection.

Fixed PAZ-3469

We fixed an issue where the CLI tools reference page was incorrectly titled Configuration Reference. Now, the page is correctly titled CLI Tools Reference.

Fixed PAZ-11768

We fixed an issue where, when creating rules in the Policy Editor, the comparators list extended outside of the list area, preventing you from scrolling through the list.

Fixed PAZ-12150

We fixed an issue where a user could leave new elements defined in the Trust Framework unnamed, giving them a default name of Untitled. Now, you must specify a name for such elements before saving them.

Fixed PAZ-12150

We fixed an issue where Policy Editor elements created as copies would inherit the version ID of the original element. As a result, copies of elements would persist in the Policy Editor UI after being deleted but would return 404 errors when selected. Now, copies of Policy Editor elements have distinct version IDs.

Fixed PAZ-12454

We fixed an issue where the status field of an HTTP service log message would include a status message, such as OK, rather than a status code.

Fixed PAZ-12014

We fixed an issue where, when making a service call with a PIP key store for MTLS configured and the Server (TLS) option set to None or Default, the service would incorrectly return a Client TLS certificate is required error.

Fixed PAZ-13013

We fixed an issue where, when using PingAuthorize Server’s API security gateway in embedded PDP mode, policy decision logging could cause memory leaks and negatively impact the performance of long-running server instances.

Fixed DS-49071

We fixed an issue where config-diff would result in an Unknown property error when comparing configuration objects of different types.

Fixed DS-49119

We fixed an issue where alert types that were disabled would still produce suppression messages.

Fixed PAZ-12145

We fixed an issue where, when making HTTP service calls, the policy decision point would incorrectly assign default values to the request body and the content-type header.

Fixed PAZ-12245

We fixed an issue where, when sending a Policy Query API request with an unbounded attribute in the query array, the system would return a 500 error status code if the unbounded attribute’s value was resolved to an empty collection.

Fixed PAZ-12752

We fixed an issue where the same request to the Policy Query API could produce inconsistent responses.

Fixed PAZ-12454

We fixed an issue where the status field of an HTTP service log message would include a status message, such as OK, rather than a status code.

Fixed PAZ-12014

We fixed an issue where, when making a service call with a PIP key store for MTLS configured and the Server (TLS) option set to None or Default, the service would incorrectly return a Client TLS certificate is required error.

Fixed STAGING-22303

We fixed an issue with the exclusion of certain headers from the cache key of cached HTTP service responses. Now, each change to these header values no longer invalidates the service response cache, and the decision engine isn’t forced to invoke the service again on subsequent requests.

Fixed PAZ-11726

We fixed an issue with the display of headers excluded from cached HTTP service responses in the Trust Framework. Now, you can navigate away from an HTTP service with caching enabled, navigate back to that service, and still see the excluded headers you originally defined.

Info

The PingAuthorize version number was incremented due to changes released for PingDirectory. There are no release notes for this version of PingAuthorize.

New

With the new Policy Query API, you can now issue decision requests containing valueless and multivalued attributes to receive decisions more complex than Permit or Deny, enabling you to dynamically drive user interfaces. Learn more in Policy queries.

New

To improve decision evaluation performance and reduce latency, you can cache dynamic service response values for faster retrieval on subsequent requests. When enabling caching for HTTP services, you can exclude certain headers from the service response. This prevents invalidation of the cache when values of those headers change. Learn more in Service caching.

New

To build your authorization logic more efficiently, you can make editable copies of attribute resolvers. Learn more in Copying elements.

New

To control the granularity of policy evaluation, you can disable rules in policies. This causes the decision engine to skip disabled rules during policy evaluation and allows you more flexibility in testing and deployment of policy logic. Learn more in Creating policies and policy sets.

Info

Although Camel services have been removed from the default PingAuthorize configuration, you can now enable Camel version 3.21.2 if your policies depend on such services. Learn more in Enabling Camel service connections.

Info

We have added support for Java 17 and removed support for Java 8. Learn more in System requirements. For information on upgrading from a PingAuthorize instance installed with Java 8, refer to Upgrade considerations introduced in PingAuthorize 10.0.

Info PAZ-10754

To avoid HTTP 400 responses when SNI hostname checks fail, these checks are now disabled by default for the PingAuthorize server and Policy Editor. We added a new setup option, --disableSniHostnameChecks, to control whether PingAuthorize performs this check. For important considerations when upgrading from a previous version and attempting to reuse your configuration, refer to Upgrade considerations introduced in PingAuthorize 10.0.

Info PAZ-1795

We have disabled the OIDC Implicit flow implementation in the Policy Editor because the OAuth Working Group no longer recommends its use. In its place, you should use the Authorization Code with PKCE flow. Learn more in Configuring an OIDC provider for single sign-on requests from PingAuthorize.

Improved

We added two database indexes to the db-cli module to improve performance when querying the CurrentEntityVersion and EntityRelationship tables.

Fixed PAZ-8473

We fixed an issue where requests to create SCIM entries were not always observing the case-exact=false property, leading to incorrect case-sensitivity errors.

Fixed PAZ-10643

We fixed an issue where the decision engine only checked if an attribute cache entry had expired when accessing that entry, leading to Out of Memory errors. Now, attribute caching uses the Redis library directly, allowing a unique Time to Live (TTL) for each cache entry. Redis instances invalidate cache entries once the TTL has elapsed, rather than when the entries are accessed. Learn more in Attribute caching.

Fixed PAZ-6335

We fixed an issue, where, in the Response tab of policy testing, the root-level statements array was not appearing if left empty in the testing scenario.

Fixed PAZ-10350

We fixed an issue where the HTTP Service Executor was not properly capturing error messages in the APP WARN logs from the policy information provider (PIP) endpoint.

Fixed DS-47655

We fixed the check-replication-domains tool so that the --serverRoot argument is no longer required. This argument now defaults to the server’s root directory.

Fixed DS-45206

We fixed an issue where running dsjavaproperties --initialize would append duplicate arguments to the common.java-args in the java.properties file.

Fixed DS-47455

We fixed an issue where a NullPointerException error occurred when an alert or alarm was raised, and one more of the alert handlers was not configured. An alert notification is now recorded in logs/errors instead.

Fixed DS-46312

We fixed an issue where TLS timeouts prevented LDAP Request Handlers from responding to client requests. The request-handler-per-connection configuration property is now available for LDAP and LDAPS Connection Handlers.