PingIDM

New features

Information about previous releases may be outdated or superseded.

Maintenance releases

Ping Identity maintenance releases contain a collection of fixes and minor RFEs grouped together and released as part of our commitment to support our customers.

IDM 8.0.1 is the latest release targeted for IDM 8.0 deployments and can be downloaded from the Backstage Download Center.

You can deploy the release as an initial deployment or as an update from an existing 8.0.x deployment. Learn more about updating from 8.0.x in Update to a maintenance release.

IDM 8.0.1

ICF provisioner activation retries

You can specify the number of times the provisioner service retries failed activation using the new property openidm.icf.maxActivationRetries.

You can set this property to any integer. The default value is -1, which means infinite retries.

Bouncy Castle FIPS upgrade

The bc-fips-2.1.2 library is now available. Learn more in Download the Bouncy Castle libraries.

Jetty Server Name Indication (SNI) host check

A new setting, sniHostCheckEnabled, is available in the webserver.listener-*.json configuration files to control Jetty’s SNI host check. Although not recommended for security reasons, disabling this check might be necessary in certain proxy configurations, such as SSL pass-through.

Learn more in Disable SNI host check.

IDM 8.0

Secure RCS access

You can create stricter RCS authorization and access rules. To enable authorization for RCS, add an appropriate role to the static-user mapping used for the RCS subject, then write access rules that grant this role access to the openicf servlet on the path pattern corresponding to the RCS name used in the RCS configuration.

Learn more in Secure RCS access.

Bouncy Castle FIPS 140-3 compliance

You can configure PingIDM to meet Federal Information Processing Standard (FIPS) 140-3 compliance standards. Learn more in FIPS 140-3 compliance.

Distributed tracing with OpenTelemetry

You can run a distributed trace in PingIDM using OpenTelemetry and export the data to an external trace collector for telemetry storage and visualization.

Learn more in Distributed tracing.

Jetty 12 support

The embedded Jetty web server supports Jetty 12. Instead of jetty.xml, the updated configuration uses a webserver.json for global settings and a webserver.listener-*.json to detect changes. Learn more in Embedded Jetty configuration.

When serving SSL requests, Jetty 12 checks that the incoming host header matches the server certificate’s subject and returns a 400 Bad Request error on a mismatch. If you’re upgrading to IDM 8.0, you must ensure your IDM server certificate subject matches the host name used by your deployment.
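Both the SNI host check described under IDM 8.0.1 and the host header check above come down to the same question: does the name clients use to reach the deployment appear in the server certificate? The following added example (not code from the page or from Ping) shows a pre-upgrade check a practitioner can run against their own certificate. It applies the general TLS name-matching rules (DNS SANs take precedence, the subject commonName counts only when no DNS SANs exist, a wildcard covers exactly one leftmost label, IP literals need IP Address SANs); Jetty's exact rules are assumed to be at least this strict, and the sample certificate, port 8443 and host inventory are constructed values.

```python
import ipaddress
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns:
# a server certificate issued for the host name idm.example.com.
SAMPLE_CERT = {
    "subject": ((("commonName", "idm.example.com"),),),
    "subjectAltName": (("DNS", "idm.example.com"), ("DNS", "*.idm.example.com")),
}


def fetch_peer_cert(host: str, port: int = 8443) -> dict:
    """Fetch the parsed server certificate of a live listener (not exercised
    by the tests). The chain is still validated against the system trust
    store, but check_hostname is off so a mismatched name is reported
    by cert_matches_host() instead of aborting the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _dns_id_matches(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against a host name. A wildcard is
    honoured only as the whole leftmost label and matches exactly one label,
    so *.idm.example.com covers api.idm.example.com but neither
    idm.example.com nor a.b.idm.example.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # partial or non-leftmost wildcards are not accepted
    return (len(h_labels) == len(p_labels)
            and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])


def cert_dns_names(cert: dict) -> list:
    """Names the certificate asserts: its DNS SANs, or the subject commonName
    only when there are no DNS SANs at all (legacy behaviour)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for kind, v in rdn if kind == "commonName"]


def cert_matches_host(cert: dict, host: str) -> bool:
    """True when the name clients use for the deployment is covered by the
    certificate, i.e. a host-versus-certificate check would pass."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(_dns_id_matches(name, host) for name in cert_dns_names(cert))
    # IP literals must be listed as IP Address SANs; DNS names never cover them.
    ip_sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "IP Address"]
    return any(ipaddress.ip_address(v) == ip for v in ip_sans)


def mismatches(cert: dict, hosts) -> list:
    """Host names from a deployment inventory that the certificate does not cover."""
    return [h for h in hosts if not cert_matches_host(cert, h)]


if __name__ == "__main__":
    # Constructed inventory of the names used to reach this deployment.
    print(mismatches(SAMPLE_CERT,
                     ["idm.example.com", "api.idm.example.com", "idm-internal", "10.0.0.5"]))
```

Run `mismatches(fetch_peer_cert("your-idm-host"), [...every name in load balancer, DNS and client configuration...])` before upgrading; any name it returns would draw a 400 Bad Request from Jetty 12 until the certificate is reissued to cover it.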

Array comparison

You can choose whether synchronization detects managed object array changes using ordered or unordered comparison, through the comparison property in the schema. Unordered JSON array comparison ignores the order of elements and can negate the need for certain custom scripts within mappings.
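To make the difference between the two modes concrete, here is an added example (not IDM's own implementation) of ordered versus unordered JSON array comparison. Elements are canonicalised before comparison so nested objects compare by value regardless of key order, and the unordered mode is a multiset comparison, so reordering is ignored but added, removed or duplicated elements still count as a change. The schema shape, the property names and the assumption that ordered comparison is the default are constructed for the example.

```python
import json
from collections import Counter


def _canonical(value) -> str:
    """Serialise a JSON value so equal values give equal strings regardless of
    object key order (nested arrays keep their order, as JSON requires)."""
    return json.dumps(value, sort_keys=True, separators=(",", ":"))


def arrays_differ(before: list, after: list, comparison: str = "ordered") -> bool:
    """Return True when the array change should count as a modification.

    comparison="ordered"   : element-wise, so a reorder is a change.
    comparison="unordered" : multiset comparison; reorders are ignored but
                             added, removed or duplicated elements still count.
    """
    if comparison == "ordered":
        return [_canonical(v) for v in before] != [_canonical(v) for v in after]
    if comparison == "unordered":
        return (Counter(_canonical(v) for v in before)
                != Counter(_canonical(v) for v in after))
    raise ValueError(f"unknown comparison mode: {comparison!r}")


def changed_array_properties(schema: dict, before: dict, after: dict) -> list:
    """List the array-typed properties whose change, judged by each property's
    comparison setting, would be reported as a modification."""
    changed = []
    for name, prop in schema["properties"].items():
        if prop.get("type") != "array":
            continue
        mode = prop.get("comparison", "ordered")  # assumed default for the example
        if arrays_differ(before.get(name, []), after.get(name, []), mode):
            changed.append(name)
    return changed


# Constructed schema fragment and a before/after pair of a managed object.
SAMPLE_SCHEMA = {
    "properties": {
        "groups": {"type": "array", "comparison": "unordered"},
        "approvalChain": {"type": "array", "comparison": "ordered"},
        "sn": {"type": "string"},
    }
}
BEFORE = {"groups": ["admins", "dev", {"id": "g1", "name": "x"}],
          "approvalChain": ["manager", "vp"], "sn": "Doe"}
AFTER = {"groups": [{"name": "x", "id": "g1"}, "dev", "admins"],
         "approvalChain": ["vp", "manager"], "sn": "Doe"}

if __name__ == "__main__":
    print(changed_array_properties(SAMPLE_SCHEMA, BEFORE, AFTER))
```

With unordered comparison the reshuffled groups array is not a change and would not fire a sync, whereas the reversed approvalChain, which is order-sensitive, still is.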

Logback

IDM now uses Logback to generate server logs. Learn more in Server logs.

Java 21 support

You can run IDM with Java 21. Learn more in Java requirements.

Audit-free health check

To verify the current server state without generating audit logs, use the new openidm/health endpoint. Learn more in Audit-free health check.

Additional metrics

New metrics are available for ICF operations.

Filesystem secret store automatic encryption

You can configure automatic encryption of your filesystem secret store.

Store credentials as secrets

You can store credentials for many services as secrets. The list of supported services has been expanded to include:

Learn more in Secret stores.

_api parameter requires authorization

Requests passing the _api parameter now require authorization. Learn more in Common REST.

IDM 7.2.2

This release includes updates to ICF connectors, updates to dependency libraries, bug fixes, and the following new feature:

Support for upgrading DS to later version than IDM

Upgrading to DS 7.3 is now supported. For more information, refer to Supported repositories.

IDM 7.2.1

This release includes updates to ICF connectors, updates to dependency libraries, and bug fixes.

IDM 7.2.0

This release of PingIDM software includes the following new features:

Property-based secret stores

IDM now supports property-based secret stores and can read keys and trusted certificates from properties that contain keys in Privacy-Enhanced Mail (PEM) format.

For more information, see Property secret stores.

Scanning tasks to activate and deactivate accounts

The default IDM configuration now includes two scanning tasks that activate and deactivate a user’s accountStatus, based on their activeDate and inactiveDate. For more information, see Activate and deactivate accounts.

external/email endpoint improvements

You can now use cc and bcc parameters with the sendTemplate action. For more information, see:

Workflow improvements

The Flowable embedded workflow engine has been upgraded to version 6.6.0. This upgrade fixes the issue with native email tasks previously mentioned in the Workflow Guide.

Policy validation for field removal

You can now validate field removal using the policy action validateProperty.

Relationship-derived Virtual Properties (RDVP) improvements

Relationship-derived Virtual Properties now include reference fields with details of the referenced relationship.

AD Password Synchronization Plugin UTC timestamps

The latest version of the Active Directory password synchronization plugin (v1.7.0) uses UTC timestamps for logs.

Bootstrap IDM without stored configuration

Previously, the property openidm.fileinstall.enabled also controlled whether configuration files were loaded on startup. To disable file monitoring, you therefore had to start IDM with the property enabled so that the configuration was loaded into the repository, and then restart IDM with it disabled. The new setting openidm.config.bootstrap.enabled (which defaults to true) lets you disable file monitoring while the bootstrap process still loads the configuration into the repository.

For more information, see Disable automatic configuration updates.

API version header warnings

IDM can now log warnings when API version headers are not specified.

Reconciliation enhancements

Reconciliation has been enhanced in the following ways:

  • Previously, if one node in the cluster went down or offline during a clustered reconciliation run, the reconciliation was canceled. This limitation no longer exists. For more information, see Clustered reconciliation.

  • Addition of the properties:

    • reconTargetQueryPaging

    • reconTargetQueryPageSize

    Learn more in the Synchronization reference.

Assignment synchronization optimization

A new property has been added to synchronization mappings, optimizeAssignmentSync. It determines whether a modification to an assignment’s attributes or relationships is always treated as a synchronization event for members of that assignment or role, or only when the modified assignment is directly relevant to that mapping or effectiveAssignments is included in triggerSyncProperties.

Learn more in the Synchronization reference.

Query filtering on arrays

For versions of IDM running DS or PostgreSQL as a repository, queryFilter now supports filtering on the contents of arrays. For more information, see Filter objects in arrays.

Additional metrics

New metrics are available for workflow and JVM.

IDM 7.1.6

This release includes updates to ICF connectors, updates to dependency libraries, bug fixes, and the following new feature:

  • The SalesForce connector template supports client_credentials grant type.

IDM 7.1.4

This release includes updates to ICF connectors, updates to dependency libraries, bug fixes, and the following new feature:

IDM 7.1.2

This release includes updates to ICF connectors, updates to dependency libraries, bug fixes, and the following new feature:

  • The Flowable embedded workflow engine has been upgraded to version 6.6.0. This upgrade fixes the issue with native email tasks previously mentioned in the Workflow Guide.

IDM 7.1

Sample connection to Azure AD with the MS Graph API connector

The Synchronize data between IDM and Azure Active Directory sample uses the MS Graph API connector to synchronize users between IDM and Azure AD.

Password sync plugins

Active Directory Password Synchronization Plugin UTC timestamps

The latest version of the Active Directory password synchronization plugin uses UTC timestamps for logs.

Active Directory Password Synchronization Plugin infinite loop prevention

The latest version of the Active Directory Password Synchronization Plugin supports a new registry key that helps prevent infinite password update loops. Learn more about the registry key, pwdChangeInterval.

Active Directory Password Synchronization Plugin configurable max retries

The latest version of the Active Directory Password Synchronization Plugin supports a new registry key to configure the maximum retry attempts for password changes. Learn more about the registry key, maxFileRetry.

Active Directory Password Synchronization Plugin search filter

The latest version of the Active Directory Password Synchronization Plugin supports a new registry key to configure a search filter to omit users/groups from password syncing. Learn more about the registry key, userSearchFilterStrict.

Support for AM Bearer Tokens in the DS and Active Directory Password Synchronization Plugins

The latest versions of the DS and Active Directory password synchronization plugins now support the use of AM bearer tokens as an authentication method. Learn more:

Support for alternative KBA answer hashing

Previously, KBA answers were always hashed as SHA-256 upon save, which is still the default setting. However, you can now specify an alternative hashing algorithm.

Managed object default values

You can now specify default values for properties in the managed object configuration. For example, the default managed object configuration includes a default value that makes accountStatus:active, which effectively replaces the onCreate script that was previously used to achieve the same result.

IDM assumes all default values are valid for the schema. Although IDM skips policy validation for objects with default values, you can force validation on property values.

Support for REST queries on array properties (JDBC)

You can now perform REST queries on properly configured array fields. Learn more:

waitForCompletion property added to the config endpoint

The optional waitForCompletion parameter is now available to the config endpoint for create, update, and patch requests. Learn more:

API endpoint requires admin authentication

To protect production servers from unauthorized API descriptor requests, IDM now requires admin authentication for the API endpoint. Learn more in Secure the API Explorer.

Additional query types in JDBC explicit tables

Queries on explicit tables in JDBC now support bool:, num:, and long: in addition to the previously supported query parameters (strings, list:, and int:).

IDM 7.0.4

This release includes updates to ICF connectors, updates to dependency libraries, and bug fixes.

IDM 7.0.3

This release includes bug fixes.

IDM 7.0.2

IDM 7.0.1

This release includes bug fixes.

IDM 7

Password sync plugins

Active Directory Password Synchronization Plugin UTC timestamps

The latest version of the Active Directory password synchronization plugin uses UTC timestamps for logs.

Active Directory Password Synchronization Plugin infinite loop prevention

The latest version of the Active Directory Password Synchronization Plugin supports a new registry key that helps prevent infinite password update loops. Learn more about the registry key, pwdChangeInterval.

Active Directory Password Synchronization Plugin configurable max retries

The latest version of the Active Directory Password Synchronization Plugin supports a new registry key to configure the maximum retry attempts for password changes. Learn more about the registry key, maxFileRetry.

Active Directory Password Synchronization Plugin search filter

The latest version of the Active Directory Password Synchronization Plugin supports a new registry key to configure a search filter to omit users/groups from password syncing. Learn more about the registry key, userSearchFilterStrict.

Support for AM Bearer Tokens in the DS and Active Directory Password Synchronization Plugins

The latest versions of the DS and Active Directory password synchronization plugins now support the use of AM bearer tokens as an authentication method. Learn more:

Access configuration over REST

You can now configure access rules over REST, at the openidm/config/access endpoint. In previous releases, access rules were configured in the access.js file. This script file has been replaced by an access.json configuration file that performs the same function. Learn more in Authorization and roles.

Privilege dynamic filters

You can now create privilege dynamic filters for delegated administrators.

Configurable HTTP I/O request buffer

You can now configure the temporary storage file size for HTTP I/O requests.

Filter expanded relationships

You can use _queryFilter to directly filter expanded relationships from a collection, such as authzRoles. Learn more in Filter expanded relationships.

Deterministic ECDSA signatures for JWT

By default, JWTs are now signed with deterministic Elliptic Curve Digital Signature Algorithm (ECDSA). Deterministic ECDSA derives the per-signature nonce from the private key and the message instead of from a random number generator, so a weak or repeated random value can no longer expose the signing key. To use this more secure signing method, Bouncy Castle, which is included in the default IDM installation, must be installed. If Bouncy Castle is unavailable or the key is incompatible, IDM falls back to normal ECDSA.

If you need to turn off the use of deterministic ECDSA, add the following line to conf/system.properties:

org.forgerock.secrets.preferDeterministicEcdsa=false

Debugging information for Groovy scripts

In previous releases, setting javascript.exception.debug.info=true in the boot.properties file enabled additional debug information, including line numbers and file names for JavaScript exceptions. In this release, setting groovy.exception.debug.info=true lets you gather comparable debug information for Groovy scripts.

REST API Versioning

IDM now supports the ability to specify the REST API version in HTTP calls and scripts. For more information, see REST API Versioning.

The following APIs have been updated in this release:

openidm/scheduler

Version 2 of this endpoint adds a previousRunDate property to the output of REST calls on specific scheduled tasks.

The action parameter on the scheduler endpoint was deprecated in Version 1 of the endpoint and is not supported in Version 2.

Support for AM bearer tokens

IDM now supports using AM bearer tokens for authentication, with the rsFilter authentication module. Going forward, this is the only supported method for integrating AM and IDM. Learn more in Authenticate through AM.

Notification property now configurable

Notifications of changes to managed objects are injected into a property in that object type. Previously, the name of this property was always _notifications. In this IDM release, you can customize the name of the notifications property. Learn more in Configure notifications.

Reconciliation Association Information

The new recon/assoc endpoint can be used to gather detailed information about the associations created between a source and a target object during a reconciliation. This endpoint requires the following tables and views to be added to your repository: reconassoc, reconassocentry, and reconassocentryview. Learn more about reconciliation association details.

For instructions on updating your existing repositories to enable this feature, refer to Upgrade an Existing Repository in the IDM 7.0 documentation.

Profile completeness endpoint

A new endpoint has been added to self-service, which lets you get a percentage value regarding the completeness of a specified user’s profile.

Audit logging safelist

By default, IDM now safelists fields that are safe to log. Learn more in Use policies to filter audit data.

in clause for queries

The in expression clause provides limited support for queries on singleton string properties.

Disposal of idle poolable connector instances (ICF)

In version 1.5.20.11 of the ICF framework, the framework disposes of idle connector instances in the connection pool (for poolable connectors such as the LDAP connector and the Database Table connector).

A connection pool cleaner thread now runs every minute and removes connections that have been idle, since their lastUsed time, for longer than minEvictableIdleTimeMillis.

This behavior is an improvement on previous releases, where a connection that had been used and then returned to the connection pool remained there until the next connector operation. The previous behavior could leave several connections in the pool that were idle but still connected to the target resource.
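The eviction rule described above, as an added example that is not part of the ICF framework's code: a small pool with an injectable clock, where a cleaner pass disposes of idle connections whose idle time exceeds min_evictable_idle_ms. The class and field names, the thresholds and the scenario are constructed for the example; in real code `evict_idle()` would be driven by a timer rather than called by hand.

```python
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class PooledConnection:
    ident: int
    last_used_ms: int
    disposed: bool = False

    def dispose(self) -> None:
        """Close the connection to the target resource (simulated here)."""
        self.disposed = True


@dataclass
class ConnectionPool:
    """Toy pool with the eviction rule from the text: a cleaner pass removes
    idle connections whose idle time exceeds min_evictable_idle_ms."""
    now_ms: Callable[[], int]                 # injectable clock (epoch ms)
    min_evictable_idle_ms: int = 60_000
    idle: List[PooledConnection] = field(default_factory=list)
    created: int = 0

    def acquire(self) -> PooledConnection:
        if self.idle:
            return self.idle.pop()
        self.created += 1
        return PooledConnection(self.created, self.now_ms())

    def release(self, conn: PooledConnection) -> None:
        conn.last_used_ms = self.now_ms()
        self.idle.append(conn)

    def evict_idle(self) -> List[PooledConnection]:
        """The cleaner pass (the framework runs it every minute). Returns the
        connections it disposed of; everything still within the threshold stays."""
        now = self.now_ms()
        stale = [c for c in self.idle
                 if now - c.last_used_ms > self.min_evictable_idle_ms]
        stale_ids = {id(c) for c in stale}
        for conn in stale:
            conn.dispose()
        self.idle = [c for c in self.idle if id(c) not in stale_ids]
        return stale


class FakeClock:
    """Manually advanced clock so the scenario is reproducible."""
    def __init__(self, start_ms: int = 0):
        self.t = start_ms

    def __call__(self) -> int:
        return self.t

    def advance(self, ms: int) -> None:
        self.t += ms


def run_scenario() -> dict:
    """Two connections are used and returned; only the one that sits idle
    longer than the five-minute threshold is evicted."""
    clock = FakeClock()
    pool = ConnectionPool(now_ms=clock, min_evictable_idle_ms=5 * 60_000)
    a, b = pool.acquire(), pool.acquire()
    pool.release(a)                      # a idle from t = 0
    clock.advance(4 * 60_000)
    pool.release(b)                      # b idle from t = 4 min
    clock.advance(2 * 60_000)            # t = 6 min: a idle 6 min, b idle 2 min
    evicted = pool.evict_idle()
    return {
        "evicted": [c.ident for c in evicted],
        "remaining": [c.ident for c in pool.idle],
        "disposed": [c.disposed for c in (a, b)],
    }


if __name__ == "__main__":
    print(run_scenario())
```

Before this change, connection `a` in the scenario would have stayed open against the target resource until the next connector operation; with the cleaner it is closed on the first pass after its idle time passes the threshold.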

Separate mapping configuration files

This release lets you configure mappings in separate mapping files, instead of, or in addition to, a single sync.json file. You cannot manage separate mapping configurations through the Admin UI. Learn more in Resource mapping.

Queued sync retry

This release provides the ability to configure an infinite number of queued synchronization retries. Learn more in Configure queued synchronization.

Material Design Icon added to managed object configuration

mat-icon has been added to the schema property of the managed object configuration.

Additional query types in JDBC explicit tables

Queries on explicit tables in JDBC now support bool:, num:, and long: in addition to the previously supported query parameters (strings, list:, and int:).

config.properties additions

The following content was added to the default config.properties file:

# The name of the PersistenceManager to be used by the framework
# when persisting component configurations.
felix.cm.pm=repo

Archive

For documentation and release information prior to IDM 7.0, check out the Documentation Archive.

Security advisories

Ping issues security advisories in collaboration with our customers and the open source community to address any security vulnerabilities transparently and rapidly. Ping’s security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.

For details of all the security advisories across Ping products, refer to Security Advisories in the Knowledge Base library.