Feature enablement

Existing tenants can use the openidm/feature endpoint to install new features that require updating existing tenant configuration. Use this endpoint to test the feature in a developer environment before migrating those changes to production.

The openidm/feature endpoint requires an access token with the fr:idm:* scope. Learn more about making REST calls in Use an access token.

Uninstalling or disabling a feature once installed requires contacting support and rolling back your tenant. Always test installing a feature first, before making any changes to your production environment.

URI HTTP Operation Description

URI	HTTP Operation	Description
/openidm/feature?_queryFilter=true	GET	Returns a list of feature objects. If a feature is not installed, `installedVersion` returns `null`.

/openidm/feature?_queryFilter=true

GET

Returns a list of feature objects. If a feature is not installed, installedVersion returns null.

Groups feature

For more information, refer to Groups.

To install the groups feature, ensure the following:

The managed configuration defines the alpha_user and bravo_user objects.
The repo.ds configuration defines the alpha_user and bravo_user generic mappings.
The managed configuration for alpha_user and bravo_user does not define the groups or effectiveGroups properties.
The managed configuration does not define the alpha_group or bravo_group objects.
The repo.ds configuration for the alpha_user and bravo_user generic mappings does not define the groups or effectiveGroups properties.
Resources do not exist in the repository for alpha_group or bravo_group.

URI HTTP Operation Description

URI	HTTP Operation	Description
/openidm/feature/groups	GET	Returns the status of the groups feature.
/openidm/feature/groups?_action=validate	POST	Validates that the groups feature is available to install: Returns `status` as `true` if the feature can be installed. Returns `status` as `false` if the feature is already installed.
/openidm/feature/groups?_action=install	POST	Attempts to patch and install a tenant’s configuration to enable the groups feature.

/openidm/feature/groups

GET

Returns the status of the groups feature.

/openidm/feature/groups?_action=validate

POST

Validates that the groups feature is available to install:

Returns status as true if the feature can be installed.
Returns status as false if the feature is already installed.

/openidm/feature/groups?_action=install

POST

Attempts to patch and install a tenant’s configuration to enable the groups feature.

Password timestamp attributes

These attributes are enabled by default in tenants created on or after February 06, 2024.

This feature adds two indexed string attributes to your tenant that can be used to query when a user password was last changed and when it’s set to expire. Learn more in Password timestamps.

URI HTTP Operation Description

URI	HTTP Operation	Description
/openidm/feature/password/timestamps	GET	Returns the status of the password timestamp feature.
/openidm/feature/password/timestamps?_action=validate	POST	Validates that the password timestamp feature is available to install: Returns `status` as `true` if the feature can be installed. Returns `status` as `false` if the feature is already installed.
/openidm/feature/password/timestamps?_action=install	POST	Attempts to patch and install a tenant’s configuration to enable the password timestamp feature.

/openidm/feature/password/timestamps

GET

Returns the status of the password timestamp feature.

/openidm/feature/password/timestamps?_action=validate

POST

Validates that the password timestamp feature is available to install:

Returns status as true if the feature can be installed.
Returns status as false if the feature is already installed.

/openidm/feature/password/timestamps?_action=install

POST

Attempts to patch and install a tenant’s configuration to enable the password timestamp feature.

Additional indexed string attributes

These attributes are enabled by default in tenants created on or after November 12, 2024.

This feature adds 15 additional indexed string attributes to your tenant that can be used as general purpose extension attributes.

You can install this feature using the feature endpoint. To do so:

Confirm that the feature is available by calling GET openidm/feature/indexed/strings/6thru20:

{
    "_id": "indexed/strings/6thru20",
    "installedVersion": null,
    "availableVersions": [
        "1"
    ]
}

Validate that the feature is installable by calling POST /openidm/feature/indexed/strings/6thru20?_action=validate:
```
{
    "status": 200,
    "success": true,
    "message": "Validate complete."
}
```
Install the feature by calling POST /openidm/feature/indexed/strings/6thru20?_action=install:
```
{
    "status": 200,
    "message": "Install complete."
}
```

Confirm that the feature is no longer installable by calling POST /openidm/feature/indexed/strings/6thru20?_action=validate:

{
    "status": 200,
    "success": false,
    "message": "Validate complete.config/repo.ds: frIndexedString6 must not already exist.",
}

URI HTTP Operation Description

URI	HTTP Operation	Description
/openidm/feature/indexed/strings/6thru20	GET	Returns the status of the additional indexed strings feature.
/openidm/feature/indexed/strings/6thru20?_action=validate	POST	Validates that the additional indexed strings feature is available to install: Returns `status` as `true` if the feature can be installed. Returns `status` as `false` if the feature is already installed.
/openidm/feature/indexed/strings/6thru20?_action=install	POST	Attempts to patch and install a tenant’s configuration to enable the additional indexed strings feature.

/openidm/feature/indexed/strings/6thru20

GET

Returns the status of the additional indexed strings feature.

/openidm/feature/indexed/strings/6thru20?_action=validate

POST

Validates that the additional indexed strings feature is available to install:

Returns status as true if the feature can be installed.
Returns status as false if the feature is already installed.

/openidm/feature/indexed/strings/6thru20?_action=install

POST

Attempts to patch and install a tenant’s configuration to enable the additional indexed strings feature.

Two-factor authentication (2FA) profile attributes

These attributes are enabled by default in tenants created on or after January 09, 2025.

This feature adds the following five multivalue (array) strings to existing Alpha and Bravo realm user identities in PingOne Advanced Identity Cloud:

deviceProfiles
devicePrintProfiles
webauthnDeviceProfiles
oathDeviceProfiles
pushDeviceProfiles

The attributes can be used to store references to a user’s associated two-factor authentication (2FA) devices.

You can install this feature using the feature endpoint:

Confirm that the feature is available by calling GET openidm/feature/am/2fa/profiles:

{
  "_id": "am/2fa/profiles",
  "installedVersion": null,
  "availableVersions": [
    "1"
  ]
}

Validate that the feature is installable by calling POST /openidm/feature/am/2fa/profiles?_action=validate:
```
{
  "status": 200,
  "success": true,
  "message": "Validate complete."
}
```
Install the feature by calling POST /openidm/feature/am/2fa/profiles?_action=install:
```
{
  "status": 200,
  "message": "Install complete."
}
```

Confirm that the feature is no longer installable by calling POST /openidm/feature/am/2fa/profiles?_action=validate:

{
  "status": 200,
  "success": false,
  "message": "Validate complete.config/repo.ds: am2faProfiles must not already exist."
}

URI HTTP Operation Description

URI	HTTP Operation	Description
/openidm/feature/am/2fa/profiles	GET	Returns the status of the 2FA profile attributes feature.
/openidm/feature/am/2fa/profiles?_action=validate	POST	Validates that the 2FA profile attributes feature is available to install: Returns `status` as `true` if the feature can be installed. Returns `status` as `false` if the feature is already installed.
/openidm/feature/am/2fa/profiles?_action=install	POST	Attempts to patch and install a tenant’s configuration to enable the 2FA profile attributes feature.

/openidm/feature/am/2fa/profiles

GET

Returns the status of the 2FA profile attributes feature.

/openidm/feature/am/2fa/profiles?_action=validate

POST

Validates that the 2FA profile attributes feature is available to install:

Returns status as true if the feature can be installed.
Returns status as false if the feature is already installed.

/openidm/feature/am/2fa/profiles?_action=install

POST

Attempts to patch and install a tenant’s configuration to enable the 2FA profile attributes feature.