PingIDM 8.0.0

New features

For previous releases, the information could be outdated or superseded.

IDM 8.0

Bouncy Castle FIPS 140-3 compliance

You can configure PingIDM to meet Federal Information Processing Standard (FIPS) 140-3 compliance standards. Learn more in FIPS 140-3 compliance.

Distributed tracing with OpenTelemetry

You can run a distributed trace in PingIDM using OpenTelemetry and export the data to an external trace collector for telemetry storage and visualization.

Learn more in Distributed tracing.

Jetty 12.0.16 support

The embedded Jetty web server supports Jetty 12.0.16. Instead of jetty.xml, the updated configuration uses a webserver.json for global settings and a webserver.listener-*.json to detect changes. Learn more in Embedded Jetty configuration.

When serving SSL requests, Jetty 12.0.16 checks that the incoming Host header matches the server certificate’s subject and returns a 400 Bad Request error on a mismatch. If you’re upgrading to IDM 8.0, you must ensure that your IDM server certificate subject matches the host name used by your deployment.
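A pre-upgrade check you can run against the names clients will send in the Host header, added here as an example and not taken from the page or from Ping’s documentation. It approximates the host-name check using standard SAN dNSName and subject CN matching (an assumption; the page does not spell out the exact rules Jetty applies); the SAMPLE_CERT dictionary mirrors the shape returned by ssl.SSLSocket.getpeercert() and, like the host names, is constructed.

```python
import socket
import ssl


def _label_matches(pattern, host):
    """RFC 6125-style match: exact, or a single '*' as the whole left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        parts = host.split(".", 1)  # wildcard covers exactly one label
        return len(parts) == 2 and parts[1] == pattern[2:]
    return False


def cert_names(peercert):
    """DNS names a certificate is valid for, from the dict shape that
    ssl.SSLSocket.getpeercert() returns: SAN dNSName entries, then subject CN."""
    names = [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def host_header_matches(peercert, host_header):
    """True if the Host header value (optionally 'host:port', no IPv6 literals)
    names a host the certificate covers; a mismatch is what yields the 400."""
    host = host_header.split(":", 1)[0]
    return any(_label_matches(name, host) for name in cert_names(peercert))


def check_live_listener(host, port, ca_pem):
    """Connect to a running listener, verify its chain against ca_pem (the
    deployment's own CA or server certificate, an assumed local file), and
    compare the presented certificate with the Host header clients will send."""
    ctx = ssl.create_default_context(cafile=ca_pem)
    ctx.check_hostname = False  # the comparison below is the point of this check
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return host_header_matches(tls.getpeercert(), f"{host}:{port}")


# Constructed sample: a certificate issued for localhost plus a wildcard,
# as an out-of-the-box style certificate might look after a hostname change.
SAMPLE_CERT = {
    "subject": ((("commonName", "localhost"),),),
    "subjectAltName": (("DNS", "localhost"), ("DNS", "*.idm.example.com")),
}

if __name__ == "__main__":
    for header in ("localhost:8443", "idm1.idm.example.com", "idm.example.com:8443"):
        print(header, "->", "OK" if host_header_matches(SAMPLE_CERT, header) else "400")
```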

Array comparison

You can choose how synchronization detects changes to managed object arrays, using either unordered or ordered comparison, through the comparison configuration property in the schema. Unordered JSON array comparison ignores the order of elements and can remove the need for certain custom scripts within mappings.
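To make the difference between the two modes concrete, an added example (not IDM code, and not taken from the page) that applies an ordered or unordered comparison per array property and reports which properties changed; the property names, schema fragment and managed object versions are constructed.

```python
import json
from collections import Counter


def _canonical(value):
    """Serialise a JSON value so structurally equal elements compare equal:
    object keys are sorted, nested array order inside an element is kept."""
    return json.dumps(value, sort_keys=True, separators=(",", ":"))


def arrays_changed(old, new, comparison="ordered"):
    """Return True if the array differs under the chosen comparison mode.

    "ordered":   element i of old must equal element i of new.
    "unordered": both arrays must hold the same multiset of elements,
                 whatever their positions (a re-ordering is not a change).
    """
    if comparison == "ordered":
        return [_canonical(v) for v in old] != [_canonical(v) for v in new]
    if comparison == "unordered":
        return Counter(_canonical(v) for v in old) != Counter(_canonical(v) for v in new)
    raise ValueError(f"unknown comparison mode: {comparison!r}")


def changed_array_properties(before, after, schema):
    """Given two versions of a managed object and a mapping of array property
    name to comparison mode, return the properties whose arrays changed."""
    return [prop for prop, mode in schema.items()
            if arrays_changed(before.get(prop, []), after.get(prop, []), mode)]


# Constructed sample: group memberships were only re-ordered (no real change),
# while the phone list gained an entry. Property names are hypothetical.
SCHEMA = {"groups": "unordered", "phones": "ordered"}
BEFORE = {"groups": [{"name": "staff"}, {"name": "vpn"}],
          "phones": ["+1-555-0100"]}
AFTER = {"groups": [{"name": "vpn"}, {"name": "staff"}],
         "phones": ["+1-555-0100", "+1-555-0199"]}

if __name__ == "__main__":
    print(changed_array_properties(BEFORE, AFTER, SCHEMA))  # ['phones']
```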

Logback

IDM now uses Logback to generate server logs. Learn more in Server logs.

Java 21 support

You can run IDM with Java 21. Learn more in Java requirements.

Audit-free health check

To verify the current server state without generating audit logs, use the new openidm/health endpoint. Learn more in Audit-free health check.

Additional metrics

New metrics are available for ICF operations.

Filesystem secret store automatic encryption

You can configure automatic encryption of your filesystem secret store.

Store credentials as secrets

You can store credentials for many services as secrets. The list of supported services has been expanded to include:

Learn more in Secret stores.

IDM 7.5

Connectors

Connectors continue to be updated and released outside of IDM. To stay up-to-date with new features and versions, check out the ICF Release notes.

Although not bundled in this release of IDM, the two newest connectors are available to download from Backstage:

International email addresses

IDM now supports international email addresses. This feature is only available with SMTP providers that support it.

For more information, refer to International email addresses.

Custom relationship properties

You can create custom relationship properties in the admin UI or with the REST API.

Store credentials as secrets

You can store credentials for various services as secrets. The supported services include:

For more information, refer to Secret stores.

Version file system secrets

You can have multiple versions of secrets stored in a file system secret store.

For more information, refer to Filesystem secret stores.

Enhanced signal propagation

Managed objects can now receive relationship graph topology change signals through the SignalPropagationCalculator class that is active by default.

Workflow engine upgrade

The Flowable embedded workflow engine has been upgraded to version 6.8.0. If you are upgrading from a previous version of IDM and use workflow, this upgrade requires one or more incremental upgrade scripts. For more information, refer to Upgrade an existing repository.

Connect to DS with ScriptedREST sample supports client_credentials grant type

The customizer script for the Connect to DS with ScriptedREST sample now includes OAuth capabilities for the client_credentials grant type.

End User UI supports array properties

Array properties now display in the End User UI.

IDM 7.4.1

  • The Flowable embedded workflow engine has been upgraded to version 6.8.0.

  • End user UI supports array properties.

  • SalesForce connector supports client_credentials and refresh_token grant types.

IDM 7.4.0

Filesystem secret stores

You can now configure secret stores to use filesystem secret stores. Filesystem secret stores use a directory containing many files, each storing a single secret. For more information, refer to Filesystem secret stores.

Microsoft Graph API email client

In addition to the SMTP client, you can now configure the outbound email service to use the new MS Graph API Client.

Use of the new email client requires a properly configured Microsoft Azure tenant.

For more information, refer to Outbound email service.

Additional metrics

New metrics are available for livesync and scheduler functions. For example requests, refer to Scheduler metrics.

Script support for countOnly queries

Queries within scripts now support the _countOnly parameter.

mTLS for authentication to DS

If you are using IDM with a DS repository, ForgeRock recommends using mTLS to authenticate to DS to better facilitate credential rotation. Refer to Configure mTLS.

IDM 7.3.1

Workflow engine upgrade

The Flowable embedded workflow engine has been upgraded to version 6.8.0. If you are upgrading from a previous version of IDM and use workflow, this upgrade requires one or more incremental upgrade scripts. For more information, refer to Upgrade an existing repository.

End User UI supports array properties

Array properties now display in the End User UI.

IDM 7.3.0

Support for Bouncy Castle FIPS

IDM now supports the use of Bouncy Castle FIPS as a security provider. Bouncy Castle FIPS is useful when dealing with government data, where meeting the FIPS 140-2 security requirement is necessary for regulatory compliance.

For information on how to configure Bouncy Castle, refer to FIPS 140-3 compliance.

Support for UTF-8 email addresses

IDM now supports UTF-8 (non-ASCII/international) characters in email addresses, such as zoë@example.com. When sending emails to these types of addresses, the configured SMTP server must also support UTF-8.

Disable delegated administrator sort and filter while searching

You can now disable delegated administrator sort and filter while searching resource collections in the End User UI. For more information, refer to Disable sort and filter for resource collections.

Workflows now support JavaScript

IDM workflows now support JavaScript in addition to Groovy. For more information about scripting workflows, refer to BPMN 2.0 and workflow tools.

Patch operation improvements

It is now possible to patch the root of an object. The only supported patch operations on the root of an object are remove and replace.

Improvements to the /system endpoint

/system endpoints now support specifying additional fields when also using *. This allows callers to get fields that are not returned by default.

New sync mapping configuration fields

New sync mapping configuration fields, defaultSourceFields and defaultTargetFields, allow specifying which fields to use for read and query requests made on source and target resource collections.

IDM 7.2.2

This release includes updates to ICF connectors, updates to dependency libraries, bug fixes, and the following new feature:

Support for upgrading DS to later version than IDM

Upgrading to DS 7.3 is now supported. For more information, refer to Supported repositories.

IDM 7.2.1

This release includes updates to ICF connectors, updates to dependency libraries, and bug fixes.

IDM 7.2.0

This release of PingIDM software includes the following new features:

Property-based secret stores

IDM now supports property-based secret stores and can read keys and trusted certificates from properties that contain keys in Privacy-Enhanced Mail (PEM) format.

For more information, see Property secret stores.

Scanning tasks to activate and deactivate accounts

The default IDM configuration now includes two scanning tasks that activate and deactivate a user’s accountStatus, based on their activeDate and inactiveDate. For more information, see Activate and deactivate accounts.

external/email endpoint improvements

You can now use cc and bcc parameters with the sendTemplate action. For more information, see:

Workflow improvements

The Flowable embedded workflow engine has been upgraded to version 6.6.0. This upgrade fixes the issue with native email tasks previously mentioned in the Workflow Guide.

Policy validation for field removal

You can now validate field removal using the policy action validateProperty.

Relationship-derived Virtual Properties (RDVP) improvements

Relationship-derived Virtual Properties now include reference fields with details of the referenced relationship.

AD Password Synchronization Plugin UTC timestamps

The latest version of the Active Directory password synchronization plugin (v1.7.0) uses UTC timestamps for logs.

Bootstrap IDM without stored configuration

Previously, the property openidm.fileinstall.enabled also controlled whether configuration files were loaded on startup. To disable file monitoring, you therefore had to start IDM with it enabled so that the configuration was loaded into the repository, and then restart IDM with it disabled. The new setting openidm.config.bootstrap.enabled (which defaults to true) lets you disable file monitoring while the bootstrap process still loads the configuration into the repository.

For more information, see Disable automatic configuration updates.

API version header warnings

IDM can now log warnings when API version headers are not specified.

Reconciliation enhancements

Reconciliation has been enhanced in the following ways:

  • Previously, if one node in the cluster went down or offline during a clustered reconciliation run, the reconciliation was canceled. This limitation no longer exists. For more information, see Clustered reconciliation.

  • Addition of the properties:

    • reconTargetQueryPaging

    • reconTargetQueryPageSize

    Learn more in the Synchronization reference.

Assignment synchronization optimization

A new synchronization mapping property, optimizeAssignmentSync, determines whether a modification to an assignment’s attributes or relationships is always treated as a synchronization event for the members of that assignment or role, or only when the modified assignment is directly relevant to that mapping or effectiveAssignments is included in triggerSyncProperties.

Learn more in the Synchronization reference.

Query filtering on arrays

For versions of IDM running DS or PostgreSQL as a repository, queryFilter now supports filtering on the contents of arrays. For more information, see Filter objects in arrays.

Additional metrics

New metrics are available for workflow and JVM.

IDM 7.1.6

This release includes updates to ICF connectors, updates to dependency libraries, bug fixes, and the following new feature:

  • The SalesForce connector template supports client_credentials grant type.

IDM 7.1.4

This release includes updates to ICF connectors, updates to dependency libraries, bug fixes, and the following new feature:

IDM 7.1.2

This release includes updates to ICF connectors, updates to dependency libraries, bug fixes, and the following new feature:

  • The Flowable embedded workflow engine has been upgraded to version 6.6.0. This upgrade fixes the issue with native email tasks previously mentioned in the Workflow Guide.

IDM 7.1

Sample connection to Azure AD with the MS Graph API connector

The Synchronize data between IDM and Azure Active Directory sample uses the MS Graph API connector to synchronize users between IDM and Azure AD.

Password sync plugins

Active Directory Password Synchronization Plugin UTC timestamps

The latest version of the Active Directory password synchronization plugin uses UTC timestamps for logs.

Active Directory Password Synchronization Plugin infinite loop prevention

The latest version of the Active Directory Password Synchronization Plugin supports a new registry key that helps prevent infinite password update loops. Learn more about the registry key, pwdChangeInterval.

Active Directory Password Synchronization Plugin configurable max retries

The latest version of the Active Directory Password Synchronization Plugin supports a new registry key to configure the maximum retry attempts for password changes. Learn more about the registry key, maxFileRetry.

Active Directory Password Synchronization Plugin search filter

The latest version of the Active Directory Password Synchronization Plugin supports a new registry key to configure a search filter to omit users/groups from password syncing. Learn more about the registry key, userSearchFilterStrict.

Support for AM Bearer Tokens in the DS and Active Directory Password Synchronization Plugins

The latest versions of the DS and Active Directory password synchronization plugins now support the use of AM bearer tokens as an authentication method. Learn more:

Support for alternative KBA answer hashing

Previously, KBA answers were always hashed as SHA-256 upon save, which is still the default setting. However, you can now specify an alternative hashing algorithm.

Managed object default values

You can now specify default values for properties in the managed object configuration. For example, the default managed object configuration includes a default value that makes accountStatus:active, which effectively replaces the onCreate script that was previously used to achieve the same result.

IDM assumes all default values are valid for the schema. Although IDM skips policy validation for objects with default values, you can force validation on property values.

Support for REST queries on array properties (JDBC)

You can now perform REST queries on properly configured array fields. Learn more:

waitForCompletion property added to the config endpoint

The optional waitForCompletion parameter is now available to the config endpoint for create, update, and patch requests. Learn more:

API endpoint requires admin authentication

To protect production servers from unauthorized API descriptor requests, IDM now requires admin authentication for the API endpoint. Learn more in Secure the API Explorer.

Additional query types in JDBC explicit tables

Queries on explicit tables in JDBC now support bool:, num:, and long: in addition to the previously supported query parameters (strings, list:, and int:).

IDM 7.0.4

This release includes updates to ICF connectors, updates to dependency libraries, and bug fixes.

IDM 7.0.3

This release includes bug fixes.

IDM 7.0.2

IDM 7.0.1

This release includes bug fixes.

IDM 7

Password sync plugins

Active Directory Password Synchronization Plugin UTC timestamps

The latest version of the Active Directory password synchronization plugin uses UTC timestamps for logs.

Active Directory Password Synchronization Plugin infinite loop prevention

The latest version of the Active Directory Password Synchronization Plugin supports a new registry key that helps prevent infinite password update loops. Learn more about the registry key, pwdChangeInterval.

Active Directory Password Synchronization Plugin configurable max retries

The latest version of the Active Directory Password Synchronization Plugin supports a new registry key to configure the maximum retry attempts for password changes. Learn more about the registry key, maxFileRetry.

Active Directory Password Synchronization Plugin search filter

The latest version of the Active Directory Password Synchronization Plugin supports a new registry key to configure a search filter to omit users/groups from password syncing. Learn more about the registry key, userSearchFilterStrict.

Support for AM Bearer Tokens in the DS and Active Directory Password Synchronization Plugins

The latest versions of the DS and Active Directory password synchronization plugins now support the use of AM bearer tokens as an authentication method. Learn more:

Access configuration over REST

You can now configure access rules over REST, at the openidm/config/access endpoint. In previous releases, access rules were configured in the access.js file. This script file has been replaced by an access.json configuration file that performs the same function. Learn more in Authorization and roles.

Privilege dynamic filters

You can now create privilege dynamic filters for delegated administrators.

Configurable HTTP I/O request buffer

You can now configure the temporary storage file size for HTTP I/O requests.

Filter expanded relationships

You can use _queryFilter to directly filter expanded relationships from a collection, such as authzRoles. Learn more in Filter expanded relationships.

Deterministic ECDSA signatures for JWT

By default, JWTs are now signed with deterministic Elliptic Curve Digital Signature Algorithm (ECDSA). In order to use this more secure signing method, Bouncy Castle, which is included in the default IDM installation, must be installed. If Bouncy Castle is unavailable or the key is incompatible, IDM falls back to normal ECDSA.

If you need to turn off the use of deterministic ECDSA, add the following line to conf/system.properties:

org.forgerock.secrets.preferDeterministicEcdsa=false

Debugging information for Groovy scripts

In previous releases, setting javascript.exception.debug.info=true in the boot.properties file enabled additional debug information, including line numbers and file names for JavaScript exceptions. In this release, setting groovy.exception.debug.info=true lets you gather comparable debug information for Groovy scripts.

REST API Versioning

IDM now supports the ability to specify the REST API version in HTTP calls and scripts. For more information, see REST API Versioning.

The following APIs have been updated in this release:

openidm/scheduler

Version 2 of this endpoint adds a previousRunDate property to the output of REST calls on specific scheduled tasks.

The action parameter on the scheduler endpoint was deprecated in Version 1 of the endpoint and is not supported in Version 2.

Support for AM bearer tokens

IDM now supports using AM bearer tokens for authentication, with the rsFilter authentication module. Going forward, this is the only supported method for integrating AM and IDM. Learn more in Authenticate through AM.

Notification property now configurable

Notifications of changes to managed objects are injected into a property in that object type. Previously, the name of this property was always _notifications. In this IDM release, you can customize the name of the notifications property. Learn more in Configure notifications.

Reconciliation Association Information

The new recon/assoc endpoint can be used to gather detailed information about the associations created between a source and a target object during a reconciliation. This endpoint requires the following tables and views to be added to your repository: reconassoc, reconassocentry, and reconassocentryview. Learn more about reconciliation association details.

For instructions on updating your existing repositories to enable this feature, refer to Upgrade an Existing Repository in the IDM 7.0 documentation.

Profile completeness endpoint

A new endpoint has been added to self-service, which lets you get a percentage value regarding the completeness of a specified user’s profile.

Audit logging safelist

By default, IDM now safelists fields that are safe to log. Learn more in Use policies to filter audit data.

in clause for queries

The in expression clause provides limited support for queries on singleton string properties.

Disposal of idle poolable connector instances (ICF)

As of version 1.5.20.11 of the ICF framework, the framework disposes of idle connector instances in the connection pool (for poolable connectors such as the LDAP connector and the Database Table connector).

A connection pool cleaner thread now runs every minute and removes connections that have been idle, measured from their lastUsed time, for longer than minEvictableIdleTimeMillis.

This behavior is an improvement on previous releases, where a connection that had been used and then returned to the connection pool remained there until the next connector operation. The previous behavior could leave several connections in the pool that were idle but still connected to the target resource.

Separate mapping configuration files

This release lets you configure mappings in separate mapping files, instead of, or in addition to, a single sync.json file. You cannot manage separate mapping configurations through the Admin UI. Learn more in Resource mapping.

Queued sync retry

This release provides the ability to configure an infinite number of queued synchronization retries. Learn more in Configure queued synchronization.

Material Design Icon added to managed object configuration

mat-icon has been added to the schema property of the managed object configuration.

Additional query types in JDBC explicit tables

Queries on explicit tables in JDBC now support bool:, num:, and long: in addition to the previously supported query parameters (strings, list:, and int:).

config.properties additions

The following content was added to the default config.properties file:

# The name of the PersistenceManager to be used by the framework
# when persisting component configurations.
felix.cm.pm=repo

Archive

For documentation and release information prior to IDM 7.0, check out the Documentation Archive.

Security advisories

Ping issues security advisories in collaboration with our customers and the open source community to address any security vulnerabilities transparently and rapidly. Ping’s security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.

For details of all the security advisories across Ping products, refer to Security Advisories in the Knowledge Base library.