Rapid channel changelog

ANALYTICS-1165^[2]: Added the capability to change a report name.

IAM-7547: Access policy modal now validates IPv4 or IPv6 format for IP addresses.

IAM-8687: The PingOne Verification node now supports same device verification by letting you configure a Continue on this device? button.

IAM-8922: The Advanced Identity Cloud admin console now accepts ESV placeholders for the following federation fields:

IAM-8982^[4]: Add event function for setting the query filter/select options of a select field.

IAM-9099, IAM-9146, IAM-9167: Many table views now support column resizing and customization.

IAM-5488: Terms and Conditions now respects target attribute in anchor tags.

IAM-6588: The Advanced Identity Cloud admin console now correctly displays journey status for journeys disabled and enabled using ESVs.

IAM-8887: Prevent browsers auto-filling passwords in user registration journeys.

IAM-8940: Managed identity number property now accepts float values.

IAM-8956: Deselecting the Personal Information option now disables the section containing the user avatar in hosted account pages.

IAM-9066: Added Tenant Auditor option to Advanced Identity Cloud admin console federation groups claim.

IAM-9169: Fixed styling for responsive table layouts with sticky action column in Identities table views.

FRAAS-25919: You can now use the API to configure custom domains for the Advanced Identity Cloud admin console.

OPENIDM-21372: Advanced Identity Cloud now prevents access to the identity repository endpoint, /openidm/repo. This prevents uncontrolled and potentially incompatible schema changes.

AME-32756: Fixed an issue with policy evaluation returning results from a stale policy index cache.

FRAAS-26287: Advanced Identity Cloud now correctly authenticates the sender address for emails sent to Advanced Identity Cloud tenant administrators, saas@pingidentity.com.

OPENDJ-11634: Advanced Identity Cloud now prevents searches with many results and no applicable index from overloading the system.

OPENAM-24393: Fixed an issue where the InnerTreeEvaluator node failed for authentication journeys initially accessed using REST without an authId.

FRAAS-25547: The sender address for emails sent to Advanced Identity Cloud tenant administrators is now saas@pingidentity.com.

OPENAM-24384: Added javax.crypto.SecretKeyFactory, javax.crypto.spec.PBEKeySpec, and com.sun.crypto.provider.PBKDF2KeyImpl classes to the allowlist for the OAUTH2_ACCESS_TOKEN_MODIFICATION scripting context.

FRAAS-#25734: Exception stacktraces in access management and identity management logs are now truncated to approximately 300-400 lines.

FRAAS-25821^[5]: Fixed an issue that prevented IP rules in the Proxy Connect add-on from being disabled.

OPENAM-24159: Fixed an issue with Identity Assertion nodes failing if there are more than one in a journey.

FRAAS-24857: CNAME verification is no longer required when creating a custom domain.

FRAAS-26063: You can now override the samlErrorPageUrl. To do so, configure an ESV variable named esv-global-saml-error-page-url and set its value to your SAML error page URL. If you don’t set this variable, Advanced Identity Cloud uses the default value of /saml2/jsp/saml2error.jsp.

IAM-9062: Hosted pages themes no longer continuously refresh when trying to set up or confirm two-factor authentication (2FA).

FRAAS-25818: The built-in SMTP server in new tenants now has a limit of 10 emails per minute and a fixed email sender address with the format noreply@<tenant-fqdn>.

IAM-7581: Text wrapping in table views has been improved for readability.

IAM-8573: IDM now includes an endpoint to retrieve individual themes from the /themerealm configuration using either an ID or a _queryFilter by name. This improves performance and ensures reliable theme loading, even on slow networks.

IAM-8610: When you create an SSO application for Microsoft 365, the application now generates a signing certificate, which you can download or rotate as needed.

IAM-8633: You can now add, remove, and rearrange table columns for managed identities and application provisioning tables.

IAM-8925^[7]: In Identity Governance, you can now configure actions that trigger automatically when a form first loads or when a user changes the value of a specific field.

IGA-3674^[7]: A Wait node is now available for IGA workflows. This node pauses the workflow until a specified date and time, for example, if you need to seek approvals.

IGA-3700^[7]: Improved UI for suspended requests in table and request view.

IGA-3742^[7]: The form editor now includes icons in the list of fields in the left panel.

IAM-8789: Managed identity modals now correctly handle both single-value and array-based enum types.

IAM-4397: Fixed an issue in the hosted journey pages where the prompt text for the Choice Collector node wasn’t fully visible and the default option wasn’t visible at all.

IAM-8632: Fixed an issue where validation errors were incorrectly displayed for pre-populated fields.

IAM-8871: The hosted account pages no longer freeze and throw an error when editing details if there are empty custom enum array values.

IAM-8902: The application username field in SAML 2.0 NameID flows is now correctly set to uid instead of username.

IAM-8933: Fixed an issue in the Advanced Identity Cloud admin console when creating or modifying identity objects with a required boolean property. You can now set the value of the required boolean property to false.

AME-31372: An Agent journey is now available by default in both Alpha and Bravo realms. The Agent journey makes it easier to integrate with Ping Identity agents and gateways. It validates the agent credentials with an Agent Data Store Decision node.

AME-30050: You can now enable a next-generation script in the AM admin console native console to run after a Dynamic Client Registration request is processed.

AME-30716: Removed Failed to create SSO Token from logs at warning level. To observe these warnings, increase the log level to debug.

AME-30801: The Inner Tree Evaluator node now has an optional Error Outcome that lets you capture exception details if an exception occurs during the evaluation of the child journey.

OPENAM-22467: Customers can now provide any value in the typ header in JWTs.

Greater control over journey session duration and authenticated session timeouts:

OPENAM-23438: Following Webauthn Registration and Authentication, new information is added to the transient state.

OPENAM-20709: On successful authentication, the WebAuthn Authentication node now adds the UUID of the device (webauthnDeviceUuid) and the name of the device (webauthnDeviceName) to the shared state. This lets you track the use of biometric authentication and the device used to authenticate.

AME-30969: If the OIDC Claims Plugin Type in the OAuth 2.0 provider is set to SCRIPTED but no script is selected, the userinfo endpoint now returns the sub claim, in compliance with the OIDC specification. Previously, the userinfo endpoint returned an empty JSON object. If you still require this behavior, set the esv-scripting-legacynulloidcclaimsscriptbehaviour ESV to true.

OPENAM-20749: For server-side OAuth 2.0 tokens, the /oauth2/introspect response can now overwrite the iss claim of the introspectable token. To enable this behavior, set the esv-enable-oauth2-sync-refresh-token-issuer ESV to false.

OPENAM-22928: When agents authenticate to Advanced Identity Cloud, the session created no longer expires.

OPENAM-23334: You can now use the mergeShared and mergeTransient methods to add nested objects to ObjectAttributes.

OPENAM-23519: Improved error handling during WebAuthn registration when the Android lock screen isn’t enabled.

25 Jun 2025

IAM-8314: Fixed an issue where setting ESVs in connector or provisioner configuration stops the Advanced Identity Cloud admin console from being able to update connectors or run a liveSync operation.

AME-31379: Setting the new ESV esv-oauth2-provider-request-object-processing-enforced to true now lets admins enforce which validation rules are applied when processing OAuth 2.0 request objects.

FRAAS-25226: Allow a higher threshold for large JSON log entries before splitting them into smaller plaintext log entries.

FRAAS-25437: Tenant administrators with the tenant-auditor role can now use federated access to authenticate to Advanced Identity Cloud.

IAM-3441: Added pagination to all list views.

IAM-7265: You can now right-click a node in the journey editor to access a context menu.

IAM-7266: Added an action bar to the journey editor that lets you deselect or delete currently selected nodes.

IAM-7580: Pages now span the full width of the screen, improving navigation and usability.

IAM-8260: Advanced Identity Cloud now supports multiple WS-Fed applications^[6].

IAM-8640: The Release Notes link in Tenant Settings now opens the release notes for the tenant’s specific version.

IAM-8714^[4]: You can now configure columns in the Identity Governance access review page.

IAM-6820: The Email Suspend node now provides a drop-down list of available email templates.

OPENIDM-21206^[9]: Usernames and application names must now be unique, as enforced by the datastore.

IAM-7413: The reCAPTCHA Enterprise node is now fully supported.

IAM-8489: Fixed an issue with the display of application logos in the hosted account pages.

IAM-8770: Fixed an issue with the calendar icon position in date fields.

IAM-8773: Fixed an issue where key actions such as realm login were blocked in older tenants with an unmodified original theme.

ANALYTICS-868: The Tenant Admin Activity report has been changed to the Tenant Admin Initiated Managed Objects Changes report. The new report provides more detailed and business-friendly insights into changes made by tenant administrators:

OPENAM-21783: Improved token management for OAuth 2.0 clients that override the Use Client-Side Access & Refresh Tokens setting. The OAuth 2.0 applications endpoint now correctly shows all tokens issued to these clients. Additionally, administrators can now successfully revoke any of the tokens issued to these clients.

IAM-8405: You can now duplicate out-of-the-box reports.

IAM-8591: Dynamic sorting for report results. You can now sort report results directly in the Advanced Identity Cloud admin console after running a report.

FRAAS-25434: Fix issue causing source to sometimes be defined as unknown in /monitoring/logs/* endpoints.

FRAAS-25269: The IDC.CLI OAuth 2.0 client is now deprecated in existing tenants and no longer provisioned in new tenants. Use a service account instead.

FRAAS-25155: Increased log batching size to avoid truncation of large JSON log entries.

FRAAS-25142: Fixed a memory issue in the ESV service.

FRAAS-25205: Consolidated End User UI, Login UI, Administrator Registration UI, and Administrator UI status page components into a single Administrator UI component as they were all reporting the same service.

OPENIDM-15771: You can now set locales in identity management scripts with the _locale parameter.

OPENIDM-17680: Advanced Identity Cloud now supports enumerations in string and number attributes of its identity schema. To make an attribute an enumeration, add "enum" : [ "one", "two", "three" ] to the attribute. Advanced Identity Cloud requires create and update privileges to use one of the enumerated values.

OPENIDM-19918: You can now choose whether synchronization detects identity array changes using _ordered or unordered comparisons. Set the comparison configuration property in the schema. Unordered JSON array comparison ignores the order of elements and can negate the need for certain custom scripts within mappings. Relationship and virtual property array fields default to unordered comparisons. All other fields default to ordered comparisons.

OPENIDM-20023: RCS communication with Advanced Identity Cloud can now use stricter authorization. Learn more in Secure RCS access and Migration dependent features.

OPENIDM-20995: Fixed an issue that prevented error reports during certain operations on groups or users. For example, trying to remove a non-existing attribute or null value now correctly results in an exception message to the client if these operations are not supported by the target system.

FRAAS-25256: Fixed an issue that was causing missing data in analytics dashboards.

OPENIDM-20995: Fixed an issue that prevented error reports during certain operations on groups or users. For example trying to remove a non-existing attribute or null value now correctly results in an exception message to the client if these operations are not supported by the target system.

OPENAM-23218: Legacy SAML 2.0 IDP attribute mapper scripts now have access to the 'httpClient' binding.

OPENAM-23710: Legacy SAML 2.0 IDP adapter scripts now have access to the 'httpClient' binding.

ANALYTICS-1004^[3]: Support for custom attributes and relationships in the organization entity for advanced reports.

FRAAS-24990: Fixed an issue where requests to the /monitoring/logs and /monitoring/logs/tail endpoints timed out after 15 seconds rather than the expected 60 seconds.

IAM-987: Added support for enums (drop-down lists) to hosted account pages.

IAM-1116: Added support for enums (drop-down lists) to the Advanced Identity Cloud admin console.

IAM-2103: Added support for enums (drop-down lists) to hosted journey pages.

IAM-6822: Added the ability to manage cookie domains in the Advanced Identity Cloud admin console.

IAM-7412: Updated the password policy feature in the Advanced Identity Cloud admin console. Added the ability to specify a minimum substring length between 3 - 64 to use when validating passwords against user attribute values. The default is still 5 characters, but can now be reduced to as few as 3 characters to catch shorter string matches.

IAM-7794^[4]: Added support for using custom identity objects in the form builder.

IAM-7919: Improved color contrast ratio of the Delete Account button text when focused.

IAM-7934: Improved color contrast ratio of date fields when focused.

IAM-7957: Improved color contrast ratio of the Deselect button text when focused.

IAM-7966: Improved color contrast ratio of In Progress text.

IAM-8016^[4]: Allow form authors to specify a user filter when dynamic enums are selected.

IAM-8085: Updated the Add a Parameter reports modal to use entity attributes for input.

FRAAS-15518: Fixed issue that prevented localization of Session timed out message in certain locales.

IAM-5834: Fixed a double-encoding issue in the SAML app that affected IdP-initiated sign on.

IAM-6796: Jobs are now prevented from being scheduled with frequencies that cause invalid date errors.

IAM-7855: Fixed a typo in the help text returned when there are no results to display.

IAM-8237: Corrected floating labels in the date picker in the hosted journey pages.

IAM-8361: The Save button in the Edit Bookmark application is now inactive while checking if the ESV exists.

IAM-8364: Fixed issues in SAML end-to-end scenarios.

IAM-8378: Fixed an issue that stripped HTML elements from email templates.

IAM-8403: Fixed border focus location and floating label issues in Tag fields.

IAM-8434: Fixed an issue that prevented duplication of new themes that contain special characters.

FRAAS-24449: Enhanced the reliability of metrics collection under high-load conditions.

FRAAS-24631: Fixed a promotions issue where ESVs mapped to secret labels aren’t identified as available in the upper environment.

FRAAS-24648: Fixed an issue with loading ESVs with values containing leading blank spaces.

IAM-7202: In the custom application modal, the native apps link now correctly points to the SDKs documentation.

FRAAS-24646: Fixed an issue where ESVs mapped to AM secret labels could block configuration promotions.

OPENDJ-11175: The password validation mechanism has been enhanced to include checks for attribute values shorter than the min-substring-length (the default is 5).

FRAAS-24546: Tenant-auditor role temporarily disabled in the Advanced Identity Cloud admin console.

AME-31141: Multiple Java libraries added to SAML SP Adapter scripting allowlist.

ANALYTICS-846: You can now select the attribute type and value for report entity attributes.

ANALYTICS-983^[3]: You can now use regular expression operators in Advanced Reporting.

OPENAM-23718: Added additional Java classes to the SAML 2.0 SP adapter scripting allowlist.

IAM-6996: Added the ability to create a specific OAuth 2.0 client when creating a connector server, rather than relying on the default RCSClient.

IAM-7109: You can now use an ESV to set the From Address in the email provider configuration.

IAM-7827/ANALYTICS-835^[3]: In the analytics report editor in Advanced Reporting, you can now reorder columns by dragging and dropping them.

IAM-7841/ANALYTICS-840^[3]: The reports page in Advanced Reporting is now a list view with pagination and search.

IAM-8321: In the journey editor, the node titles now wrap within the left nodes panel.

IAM-1504: User no longer needs to click the cancel button twice in some journey dialogs.

IAM-8111: Schedules can no longer be disabled when running.

AME-27705: Extend the utils binding for all next-generation scripts to support low-level cryptographic operations. These operations include encryption, decryption, hashing, signing, verification, and key generation.

AME-28780: Added an IDM policy condition that can assert conditions against an IDM resource type such as user identities.

AME-28954: Modified the import metadata endpoint to support updating signing and encryption certificates for existing SAML service providers (SPs) without requiring the deletion or recreation of SP configurations.

AME-29307: You can now use DER-encoded certificates for OAuth 2.0 client authentication.

AME-29810: The realm default authentication service can no longer be a journey with mustRun enabled. Also, mustRun can no longer be enabled on journeys that are set as the realm default authentication service.

AME-29835: Configuration Provider Node scripts can now use the next-generation scripting engine, which gives them access to common bindings such as openidm and httpClient.

AME-30076: New getApplicationId() method provides a consistent way to retrieve the application ID from both SAML and OAuth 2.0 applications.

AME-29504: The scriptName and logger bindings in library scripts referenced the same default script name and ID. Their previous behavior has now been restored by inheriting values from the referencing script.

AME-29965: The Configuration Provider node now works with the Inner Tree Evaluator for nested inner journeys.

AME-30377: The following two warning level log messages have been reduced to debug level because they’re rarely useful and appear frequently, drowning out more useful log entries:

OPENAM-22120: Back-channel logout tokens now include the exp claim.

OPENAM-23077: The access_token endpoint now responds with the correct error code when the code_verifier isn’t supplied (for example, invalid_grant).

IAM-7967^[4]: Added an image description for the approvals Low Priority icon.

IAM-7977: Improved the font color contrast ratio of the email address displayed in Advanced Identity Cloud admin console user profiles.

IAM-8053: The Advanced Identity Cloud end-user UI can now use defaultText value as a fallback value when the actual value of a field returns empty.

OPENIDM-20139: Applications can now use postAction scripts for the ONBOARD action.

IAM-7719^[4]: Users are now redirected back to the compliance Policy Rules tab after creating or editing a policy rule.

FRAAS-23812: You can now deactivate the header ruleset after deactivating the IP ruleset when configuring Proxy Connect.

IAM-4692: Managed identity boolean fields now use a checkbox instead of a toggle.

IAM-6581: SAML 2.0 application journeys can now be configured in the Advanced Identity Cloud admin console.

IAM-7248^[4]: In IGA sources, the displayName and logo can now be obtained from the CDN.

IAM-7874^[4]: The Governance > Requests > Settings tab now lets you activate or deactivate Governance LCM.

IAM-1262: Clicking the Toggle Sidebar button now collapses the sidebar.

IAM-5801: For applications that mandate a minimum page size, the page size selector on the Data tab and the Reconciliation Results tab has been removed.

FRAAS-23780: Optimized network utilization to distribute workloads more effectively.

FRAAS-23002: Improvements to OATH support for MFA authenticators

IAM-7454: The inbound mapping for all application templates and scripted application templates has now been configured to make fewer connector requests.

IAM-5242: The Previous link in the New Script modal now always shows the previous step.

IAM-7799: Identity attributes with Time and DateTime format now trigger change events only when a change occurs.

FRAAS-23375: You can now obtain the HTTP client location from the X-Client-City & X-Client-City-Lat-Long HTTP headers in Advanced Identity Cloud scripts and journeys.

IAM-6833: Made existing synchronization tokens editable for incremental reconciliations.

IAM-7223^[4]: Added the ability to set user, role, organization, application, or entitlement objects to provide predefined values for select and multiselect fields in request forms.

IAM-5482: Password policy no longer allows Password length to be set as an empty string.

AME-29504: Fixed issue with script names not displaying in next-generation script logs.

OPENIDM-20542: Added a feature service named am/2fa/profiles to expose certain multi-factor attributes on alpha and bravo users.

OPENDJ-9287: The password validation mechanism has been enhanced to include checks for portions of attribute values within passwords. This improvement ensures that even partial matches between portions of passwords and portions of attribute values are identified and restricted, thereby enhancing security.

AME-26050: You can now create Next-generation Policy Condition scripts that have access to all common bindings, such as openidm and httpClient. Additionally, some existing bindings have been wrapped to improve usability in scripts.

AME-28228: OAuth 2.0 audit logs now include the OAuth 2.0 client ID and any journey associated with the client.

AME-29009: When using the new FIDO Metadata Service, if you link to the FIDO metadata using a URL, Advanced Identity Cloud periodically downloads and updates the latest FIDO metadata based on the nextUpdate date specified in the downloaded data.

AME-29093: Added configuration for integration with WebAuthn Metadata Services (such as the FIDO Metadata Service). This includes a realm-level WebAuthn Metadata service and a new FIDO Certification Level configuration attribute in the WebAuthn Registration Node.

FRAAS-22321: You can now obtain the HTTP client location from the X-Client-Region HTTP header within your scripts and journeys. The X-Client-Region header contains the country (or region) associated with the client’s IP address in the form of a Unicode CLDR region code, such as US or FR. For most countries, these codes correspond directly to ISO-3166-2 codes.

FRAAS-23073: The SAML scripting adapter now lets scripts access org.forgerock.http.protocol.*.

IAM-3323: You can now use XPath transformation functions with additional Workday application template attributes.

IAM-4540: You can now change the border color of a selected input field in journey and end-user pages.

IAM-6397: The Advanced Identity Cloud admin console now lets you page through the list of OAuth 2.0 client profiles.

OPENAM-23109: During a WebAuthn registration flow, if Store data in transient state is enabled, the Authenticator Attestation Global Unique Identifier (AAGUID) is now added to the node state under the webauthnData key.

AME-28016: When an invalid redirect URI is provided to the /par endpoint, the URI mismatch error is now redirect_uri_mismatch instead of invalid_request.

AME-28017: Advanced Identity Cloud now accepts the requested OAuth 2.0 endpoint as a valid JWT audience claim, as per RFC 7519 and RFC 9126.

AME-29170: On LDAP Decision node login failure, stack traces are now logged at debug level.

AME-29965: The Configuration Provider node now works with the Inner Tree Evaluator node for nested inner journeys.

IAM-1782: Long gateway and agent IDs no longer overflow in the Advanced Identity Cloud admin console.

IAM-7523^[4]: A user receiving a forwarded fulfillment task now has permission to approve or reject the task.

IAM-7537^[4]: Governance functionality is now only shown for the alpha realm.

IAM-7689^[4]: The Advanced Identity Cloud admin console now displays the Assigned To value in the task list for a user assigned to a role who receives a forwarded fulfillment task.

OPENAM-18252: Journeys acting on multiple identities now successfully update universalId in the journey context during the authentication flow.

OPENAM-20314: Added the ability to indicate whether an OIDC provider doesn’t return a unique value for the sub claim.

OPENAM-22966: Social IDPs now support NONE as a client authentication method. This option should be used if the provider doesn’t require client authentication at the token endpoint.

02 Dec 2024

release-notes:rapid-channel-changelog-archive.adoc#25_nov_2024

AME-26050: You can now create Next-generation Policy Condition scripts that have access to all common bindings, such as openidm and httpClient. Additionally, some existing bindings have been wrapped to improve usability in scripts.

AME-28228: OAuth 2.0 audit logs now include the OAuth 2.0 client ID and any journey associated with the client.

AME-29009: When using the new FIDO Metadata Service, if you link to the FIDO metadata using a URL, Advanced Identity Cloud periodically downloads and updates the latest FIDO metadata based on the nextUpdate date specified in the downloaded data.

AME-29093: Added configuration for integration with WebAuthn Metadata Services (such as the FIDO Metadata Service). This includes a realm-level WebAuthn Metadata service and a new FIDO Certification Level configuration attribute in the WebAuthn Registration Node.

AME-29769: The Social Provider Handler node has a new configuration option, Store Tokens, that allows access and refresh tokens to be stored in the transient state.

FRAAS-22321: You can now obtain the HTTP client location from the X-Client-Region HTTP header within your scripts and journeys. The X-Client-Region header contains the country (or region) associated with the client’s IP address in the form of a Unicode CLDR region code, such as US or FR. For most countries, these codes correspond directly to ISO-3166-2 codes.

IAM-3323: You can now use XPath transformation functions with additional Workday application template attributes.

IAM-4540: You can now change the border color of a selected input field in journey and end-user pages.

OPENAM-23109: During a WebAuthn registration flow, if Store data in transient state is enabled, the Authenticator Attestation Global Unique Identifier (AAGUID) is now added to the node state under the webauthnData key.

AME-28016: When an invalid redirect URI is provided to the /par endpoint, the URI mismatch error is now redirect_uri_mismatch instead of invalid_request.

AME-28017: Advanced Identity Cloud now accepts the requested OAuth 2.0 endpoint as a valid JWT audience claim, as per RFC 7519 and RFC 9126.

AME-28906: The stack trace of an authentication exception generated on login failure is now logged only when debug level logging is enabled.

AME-29170: On LDAP Decision node login failure, stack traces are now logged at debug level.

IAM-7523^[4]: A user receiving a forwarded fulfillment task now has permission to approve or reject the task.

IAM-7537^[4]: Governance functionality is now only shown for the alpha realm.

OPENAM-18252: Journeys acting on multiple identities now successfully update universalId in the journey context during the authentication flow.

OPENAM-20314: Added the ability to indicate whether an OIDC provider doesn’t return a unique value for the sub claim.

OPENAM-22966: Social IDPs now support NONE as a client authentication method. Use this option if the provider doesn’t require client authentication at the token endpoint.