Rapid channel changelog

FRAAS-28370: Fixed an issue where requests to the /monitoring/prometheus/am and /monitoring/prometheus/idm endpoints occasionally didn’t return timely responses.

AME-32979: The Core Token Service (CTS) now stores AUTHENTICATION_WHITELIST tokens with millisecond-level precision for the expiry timestamp. This minimizes contention in indexes.

IAM-9000, IAM-9001: Add annotations and sticky notes to journeys to assist learning and collaboration.

IAM-9237: Allow ESVs to be embedded in URL fields for federation IdPs. This lets you set up federation IdPs with fewer ESVs because you can define a single ESV containing a UUID shared by multiple URL fields.

IAM-9246: Table columns are now resized uniformly across all table views.

IAM-9153: Password validation now works correctly when pasting a value that matches the existing value.

AME-30984 and AME-30609: Enhanced authentication audit logging to include the SAML Identity Provider (IdP) and Service Provider (SP) entity IDs during SAML flows. This information lets you report on the SAML applications users are accessing, supporting analytics and dashboarding efforts.

AME-30985: In SAML v2.0 single sign-on (SSO) flows, the JSON web token (JWT) created in the browser’s session storage no longer expires.

AME-31082 and SDKS-3681: Added support for device token refreshing to the Push Notification Service endpoint, enabling the reception of new tokens from mobile devices.

AME-31379: You can now enforce the OAuth 2.0 request object processing rules that apply, regardless of the request type. Create an ESV named esv.oauth2.provider.request.object.processing.enforced and set its value to true. This setting forces Advanced Identity Cloud to use the specification set in the Request Object Processing Specification field of the OAuth 2.0 provider configuration for JWT requests.

AME-31656 and AME-31468: The PingOne Protect Evaluation node has been enhanced to support dynamic risk policy IDs and target app IDs. To set the risk policy set ID dynamically, enable Use Node State Attribute For Risk Policy Set ID in the node configuration. To set the target app ID dynamically, enable Use Node State Attribute For Target App ID in the node configuration. This instructs the node to obtain these IDs from the node state.

AME-31398: The PingOne Protect Evaluation node has been enhanced to support custom attributes. To specify custom attributes to be used in PingOne Protect for custom predictors, set the Node State Attribute For Custom Attributes in the node configuration. The node retrieves a map of custom attributes from the node state to be used in the evaluation request to PingOne Protect.

AME-31487: Improvements to SAML v2.0 standalone mode include replacing legacy JSPs with URL endpoints.

IAM-8236: The ability to edit journeys from the AM native admin console has been removed. Use the Advanced Identity Cloud admin console to edit journeys.

OPENAM-20776: A new OIDC client configuration option, Private Key JWT Audience, lets you configure and override the audience (aud) claim of a Private Key JWT.

OPENAM-21783: Improved token management for OAuth 2.0 client applications.

OPENAM-23051 and AME-31918: A new ESV, esv.oauth2.request.object.restrictions.enforced lets you enforce stricter adherence to the PAR and JAR specifications.

OPENAM-23669: _Full scopes (scopes ending in *) can now be used by service accounts in all cases where more specific scopes (for example, :read) are used.

OPENAM-23710: The httpClient binding is now available to legacy SAML 2.0 IdP adapter scripts.

OPENAM-23850: Enhanced the PingOne Verify Evaluation node with an Allow same device verification option that lets end users continue verification on their current device.

OPENAM-23867: The LDAP Decision node no longer logs credential failures as errors. It now logs them at the info level.

OPENAM-24062: Added support for the ECDSA algorithm to the utils.crypto.subtle next-generation binding. This algorithm is supported for key generation, signing, and verification.

AME-31351 and AME-31471: Improvements to the Device Code flow mean that end users are now prompted to reauthenticate even when there’s an existing session for must-run and app journeys.

AME-31481: Validation around policy creation has been improved. If you’re using the legacy "Policy" environment condition (or a custom environment condition), you’ll need to add that to the list of allowed environment conditions for your policy set to create or update policies that use that condition type.

OPENAM-20749: A new ESV, esv-enable-oauth2-sync-refresh-token-issuer causes a stateful OAuth 2.0 introspect response to overwrite the iss claim of the introspectable token. To enable this behavior, set this ESV to false.

OPENAM-23770: Canceling a WebAuthn flow now results in a Client Error outcome, rather than an internal failure.

OPENAM-24159: Fixed an issue that prevented multiple Identity Assertion nodes from being used in a single journey.

OPENAM-24486: Improved performance when creating large numbers of OAuth 2.0 clients simultaneously.

OPENDJ-11486: Fixed an exception caused when identity management queried for users with a filter containing wildcards and specific object classes.

ANALYTICS-1165^[2]: Added the capability to change a report name.

IAM-7547: Access policy modal now validates IPv4 or IPv6 format for IP addresses.

IAM-8922: The Advanced Identity Cloud admin console now accepts ESV placeholders for the following federation fields:

IAM-8982^[4]: Add event function for setting the query filter/select options of a select field.

IAM-9066: Added Tenant Auditor option to Advanced Identity Cloud admin console federation groups claim.

IAM-9099, IAM-9146, IAM-9167: Many table views now support column resizing and customization.

IAM-5488: Terms and Conditions now respects target attribute in anchor tags.

IAM-6588: The Advanced Identity Cloud admin console now correctly displays journey status for journeys disabled and enabled using ESVs.

IAM-8887: Prevent browsers auto-filling passwords in user registration journeys.

IAM-8940: Managed identity number property now accepts float values.

IAM-8956: Deselecting the Personal Information option now disables the section containing the user avatar in hosted account pages.

IAM-9169: Fixed styling for responsive table layouts with sticky action column in Identities table views.

FRAAS-25919: You can now use the API to configure custom domains for the Advanced Identity Cloud admin console.

OPENIDM-21372: Advanced Identity Cloud now prevents access to the identity repository endpoint, /openidm/repo. This prevents uncontrolled and potentially incompatible schema changes.

AME-32756: Fixed an issue with policy evaluation returning results from a stale policy index cache.

FRAAS-26287: Advanced Identity Cloud now correctly authenticates the sender address for emails sent to Advanced Identity Cloud tenant administrators, saas@pingidentity.com.

OPENDJ-11634: Advanced Identity Cloud now prevents searches with many results and no applicable index from overloading the system.

OPENAM-24393: Fixed an issue where the InnerTreeEvaluator node failed for authentication journeys initially accessed using REST without an authId.

FRAAS-25547: The sender address for emails sent to Advanced Identity Cloud tenant administrators is now saas@pingidentity.com.

OPENAM-24384: Added javax.crypto.SecretKeyFactory, javax.crypto.spec.PBEKeySpec, and com.sun.crypto.provider.PBKDF2KeyImpl classes to the allowlist for the OAUTH2_ACCESS_TOKEN_MODIFICATION scripting context.

FRAAS-25734: Exception stacktraces in access management and identity management logs are now truncated to approximately 300-400 lines.

FRAAS-25821^[5]: Fixed an issue that prevented IP rules in the Proxy Connect add-on from being disabled.

OPENAM-24159: Fixed an issue with Identity Assertion nodes failing if there are more than one in a journey.

FRAAS-24857: CNAME verification is no longer required when creating a custom domain.

FRAAS-26063: You can now override the samlErrorPageUrl. To do so, configure an ESV variable named esv-global-saml-error-page-url and set its value to your SAML error page URL. If you don’t set this variable, Advanced Identity Cloud uses the default value of /saml2/jsp/saml2error.jsp.

IAM-9062: Hosted pages themes no longer continuously refresh when trying to set up or confirm two-factor authentication (2FA).

FRAAS-25818: The built-in SMTP server in new tenants now has a limit of 10 emails per minute and a fixed email sender address with the format noreply@<tenant-fqdn>.

IAM-7581: Text wrapping in table views has been improved for readability.

IAM-8573: IDM now includes an endpoint to retrieve individual themes from the /themerealm configuration using either an ID or a _queryFilter by name. This improves performance and ensures reliable theme loading, even on slow networks.

IAM-8610: When you create an SSO application for Microsoft 365, the application now generates a signing certificate, which you can download or rotate as needed.

IAM-8633: You can now add, remove, and rearrange table columns for managed identities and application provisioning tables.

IAM-8925^[7]: In Identity Governance, you can now configure actions that trigger automatically when a form first loads or when a user changes the value of a specific field.

IGA-3674^[7]: A Wait node is now available for IGA workflows. This node pauses the workflow until a specified date and time, for example, if you need to seek approvals.

IGA-3700^[7]: Improved UI for suspended requests in table and request view.

IGA-3742^[7]: The form editor now includes icons in the list of fields in the left panel.

IAM-8789: Managed identity modals now correctly handle both single-value and array-based enum types.

IAM-4397: Fixed an issue in the hosted journey pages where the prompt text for the Choice Collector node wasn’t fully visible and the default option wasn’t visible at all.

IAM-8632: Fixed an issue where validation errors were incorrectly displayed for pre-populated fields.

IAM-8871: The hosted account pages no longer freeze and throw an error when editing details if there are empty custom enum array values.

IAM-8902: The application username field in SAML 2.0 NameID flows is now correctly set to uid instead of username.

IAM-8933: Fixed an issue in the Advanced Identity Cloud admin console when creating or modifying identity objects with a required boolean property. You can now set the value of the required boolean property to false.

AME-31372: An Agent journey is now available by default in both Alpha and Bravo realms. The Agent journey makes it easier to integrate with Ping Identity agents and gateways. It validates the agent credentials with an Agent Data Store Decision node.

AME-30050: You can now enable a next-generation script in the AM admin console native console to run after a Dynamic Client Registration request is processed.

AME-30716: Removed Failed to create SSO Token from logs at warning level. To observe these warnings, increase the log level to debug.

AME-30801: The Inner Tree Evaluator node now has an optional Error Outcome that lets you capture exception details if an exception occurs during the evaluation of the child journey.

OPENAM-22467: Customers can now provide any value in the typ header in JWTs.

Greater control over journey session duration and authenticated session timeouts:

OPENAM-23438: Following Webauthn Registration and Authentication, new information is added to the transient state.

OPENAM-20709: On successful authentication, the WebAuthn Authentication node now adds the UUID of the device (webauthnDeviceUuid) and the name of the device (webauthnDeviceName) to the shared state. This lets you track the use of biometric authentication and the device used to authenticate.

AME-30969: If the OIDC Claims Plugin Type in the OAuth 2.0 provider is set to SCRIPTED but no script is selected, the userinfo endpoint now returns the sub claim, in compliance with the OIDC specification. Previously, the userinfo endpoint returned an empty JSON object. If you still require this behavior, set the esv-scripting-legacynulloidcclaimsscriptbehaviour ESV to true.

OPENAM-20749: For server-side OAuth 2.0 tokens, the /oauth2/introspect response can now overwrite the iss claim of the introspectable token. To enable this behavior, set the esv-enable-oauth2-sync-refresh-token-issuer ESV to false.

OPENAM-22928: When agents authenticate to Advanced Identity Cloud, the session created no longer expires.

OPENAM-23334: You can now use the mergeShared and mergeTransient methods to add nested objects to ObjectAttributes.

OPENAM-23519: Improved error handling during WebAuthn registration when the Android lock screen isn’t enabled.

25 Jun 2025

IAM-8314: Fixed an issue where setting ESVs in connector or provisioner configuration stops the Advanced Identity Cloud admin console from being able to update connectors or run a liveSync operation.

AME-31379: Setting the new ESV esv-oauth2-provider-request-object-processing-enforced to true now lets admins enforce which validation rules are applied when processing OAuth 2.0 request objects.

FRAAS-25226: Allow a higher threshold for large JSON log entries before splitting them into smaller plaintext log entries.

FRAAS-25437: Tenant administrators with the tenant-auditor role can now use federated access to authenticate to Advanced Identity Cloud.

IAM-3441: Added pagination to all list views.

IAM-7265: You can now right-click a node in the journey editor to access a context menu.

IAM-7266: Added an action bar to the journey editor that lets you deselect or delete currently selected nodes.

IAM-7580: Pages now span the full width of the screen, improving navigation and usability.

IAM-8260: Advanced Identity Cloud now supports multiple WS-Fed applications^[6].

IAM-8640: The Release Notes link in Tenant Settings now opens the release notes for the tenant’s specific version.

IAM-8714^[4]: You can now configure columns in the Identity Governance access review page.

IAM-6820: The Email Suspend node now provides a drop-down list of available email templates.

OPENIDM-21206^[9]: Usernames and application names must now be unique, as enforced by the datastore.

IAM-7413: The reCAPTCHA Enterprise node is now fully supported.

IAM-8489: Fixed an issue with the display of application logos in the hosted account pages.

IAM-8770: Fixed an issue with the calendar icon position in date fields.

IAM-8773: Fixed an issue where key actions such as realm login were blocked in older tenants with an unmodified original theme.

ANALYTICS-868: The Tenant Admin Activity report has been changed to the Tenant Admin Initiated Managed Objects Changes report. The new report provides more detailed and business-friendly insights into changes made by tenant administrators:

OPENAM-21783: Improved token management for OAuth 2.0 clients that override the Use Client-Side Access & Refresh Tokens setting. The OAuth 2.0 applications endpoint now correctly shows all tokens issued to these clients. Additionally, administrators can now successfully revoke any of the tokens issued to these clients.

IAM-8405: You can now duplicate out-of-the-box reports.

IAM-8591: Dynamic sorting for report results. You can now sort report results directly in the Advanced Identity Cloud admin console after running a report.

FRAAS-25434: Fix issue causing source to sometimes be defined as unknown in /monitoring/logs/* endpoints.

FRAAS-25269: The IDC.CLI OAuth 2.0 client is now deprecated in existing tenants and no longer provisioned in new tenants. Use a service account instead.

FRAAS-25155: Increased log batching size to avoid truncation of large JSON log entries.

FRAAS-25142: Fixed a memory issue in the ESV service.

FRAAS-25205: Consolidated End User UI, Login UI, Administrator Registration UI, and Administrator UI status page components into a single Administrator UI component as they were all reporting the same service.

OPENIDM-15771: You can now set locales in identity management scripts with the _locale parameter.

OPENIDM-17680: Advanced Identity Cloud now supports enumerations in string and number attributes of its identity schema. To make an attribute an enumeration, add "enum" : [ "one", "two", "three" ] to the attribute. Advanced Identity Cloud requires create and update privileges to use one of the enumerated values.

OPENIDM-19918: You can now choose whether synchronization detects identity array changes using _ordered or unordered comparisons. Set the comparison configuration property in the schema. Unordered JSON array comparison ignores the order of elements and can negate the need for certain custom scripts within mappings. Relationship and virtual property array fields default to unordered comparisons. All other fields default to ordered comparisons.

OPENIDM-20023: RCS communication with Advanced Identity Cloud can now use stricter authorization. Learn more in Secure RCS access and Migration dependent features.

OPENIDM-20995: Fixed an issue that prevented error reports during certain operations on groups or users. For example, trying to remove a non-existing attribute or null value now correctly results in an exception message to the client if these operations are not supported by the target system.

FRAAS-25256: Fixed an issue that was causing missing data in analytics dashboards.

OPENIDM-20995: Fixed an issue that prevented error reports during certain operations on groups or users. For example trying to remove a non-existing attribute or null value now correctly results in an exception message to the client if these operations are not supported by the target system.

OPENAM-23218: Legacy SAML 2.0 IDP attribute mapper scripts now have access to the 'httpClient' binding.

OPENAM-23710: Legacy SAML 2.0 IDP adapter scripts now have access to the 'httpClient' binding.

ANALYTICS-1004^[3]: Support for custom attributes and relationships in the organization entity for advanced reports.

FRAAS-24990: Fixed an issue where requests to the /monitoring/logs and /monitoring/logs/tail endpoints timed out after 15 seconds rather than the expected 60 seconds.