Rapid channel changelog

FRAAS-23812: You can now deactivate the header ruleset after deactivating the IP ruleset when configuring Proxy Connect.

IAM-4692: Managed identity boolean fields now use a checkbox instead of a toggle.

IAM-6581: SAML 2.0 application journeys can now be configured in the Advanced Identity Cloud admin UI.

IAM-7248^[2]: In IGA sources, the displayName and logo can now be obtained from the CDN.

IAM-7874^[2]: The Governance > Requests > Settings tab now lets you activate or deactivate Governance LCM.

IAM-1262: Clicking the Toggle Sidebar button now collapses the sidebar.

IAM-5801: For applications that mandate a minimum page size, the page size selector on the Data tab and the Reconciliation Results tab has been removed.

FRAAS-23780: Optimized network utilization to distribute workloads more effectively.

FRAAS-23002: Improvements to OATH support for MFA authenticators

IAM-7454: The inbound mapping for all application templates and scripted application templates has now been configured to make fewer connector requests.

IAM-5242: The Previous link in the New Script modal now always shows the previous step.

IAM-7799: Identity attributes with Time and DateTime format now trigger change events only when a change occurs.

FRAAS-23375: You can now obtain the HTTP client location from the X-Client-City & X-Client-City-Lat-Long HTTP headers in Advanced Identity Cloud scripts and journeys.

IAM-6833: Made existing synchronization tokens editable for incremental reconciliations.

IAM-7223^[2]: Added the ability to set user, role, organization, application, or entitlement objects to provide predefined values for select and multiselect fields in request forms.

IAM-5482: Password policy no longer allows Password length to be set as an empty string.

AME-29504: Fixed issue with script names not displaying in next-generation script logs.

OPENIDM-20542: Added a feature service named am/2fa/profiles to expose certain multi-factor attributes on alpha and bravo users.

OPENDJ-9287: The password validation mechanism has been enhanced to include checks for portions of attribute values within passwords. This improvement ensures that even partial matches between portions of passwords and portions of attribute values are identified and restricted, thereby enhancing security.

AME-26050: You can now create Next-generation Policy Condition scripts that have access to all common bindings, such as openidm and httpClient. Additionally, some existing bindings have been wrapped to improve usability in scripts.

AME-28228: OAuth 2.0 audit logs now include the OAuth 2.0 client ID and any journey associated with the client.

AME-29009: When using the new FIDO Metadata Service, if you link to the FIDO metadata using a URL, Advanced Identity Cloud periodically downloads and updates the latest FIDO metadata based on the nextUpdate date specified in the downloaded data.

AME-29093: Added configuration for integration with WebAuthn Metadata Services (such as the FIDO Metadata Service). This includes a realm-level WebAuthn Metadata service and a new FIDO Certification Level configuration attribute in the WebAuthn Registration Node.

FRAAS-22321: You can now obtain the HTTP client location from the X-Client-Region HTTP header within your scripts and journeys. The X-Client-Region header contains the country (or region) associated with the client’s IP address in the form of a Unicode CLDR region code, such as US or FR. For most countries, these codes correspond directly to ISO-3166-2 codes.

FRAAS-23073: The SAML scripting adapter now lets scripts access org.forgerock.http.protocol.*.

IAM-3323: You can now use XPath transformation functions with additional Workday application template attributes.

IAM-4540: You can now change the border color of a selected input field in journey and end-user pages.

IAM-6397: The Advanced Identity Cloud admin UI now lets you page through the list of OAuth 2.0 client profiles.

OPENAM-23109: During a WebAuthn registration flow, if Store data in transient state is enabled, the Authenticator Attestation Global Unique Identifier (AAGUID) is now added to the node state under the webauthnData key.

AME-28016: When an invalid redirect URI is provided to the /par endpoint, the URI mismatch error is now redirect_uri_mismatch instead of invalid_request.

AME-28017: Advanced Identity Cloud now accepts the requested OAuth 2.0 endpoint as a valid JWT audience claim, as per RFC 7519 and RFC 9126.

AME-29170: On LDAP Decision node login failure, stack traces are now logged at debug level.

AME-29965: The Configuration Provider node now works with the Inner Tree Evaluator node for nested inner journeys.

IAM-1782: Long gateway and agent IDs no longer overflow in the Advanced Identity Cloud admin UI.

IAM-7523^[2]: A user receiving a forwarded fulfillment task now has permission to approve or reject the task.

IAM-7537^[2]: Governance functionality is now only shown for the alpha realm.

IAM-7689^[2]: The Advanced Identity Cloud admin UI now displays the Assigned To value in the task list for a user assigned to a role who receives a forwarded fulfillment task.

OPENAM-18252: Journeys acting on multiple identities now successfully update universalId in the journey context during the authentication flow.

OPENAM-20314: Added the ability to indicate whether an OIDC provider doesn’t return a unique value for the sub claim.

OPENAM-22966: Social IDPs now support NONE as a client authentication method. This option should be used if the provider doesn’t require client authentication at the token endpoint.

02 Dec 2024

25 Nov 2024

AME-26050: You can now create Next-generation Policy Condition scripts that have access to all common bindings, such as openidm and httpClient. Additionally, some existing bindings have been wrapped to improve usability in scripts.

AME-28228: OAuth 2.0 audit logs now include the OAuth 2.0 client ID and any journey associated with the client.

AME-29009: When using the new FIDO Metadata Service, if you link to the FIDO metadata using a URL, Advanced Identity Cloud periodically downloads and updates the latest FIDO metadata based on the nextUpdate date specified in the downloaded data.

AME-29093: Added configuration for integration with WebAuthn Metadata Services (such as the FIDO Metadata Service). This includes a realm-level WebAuthn Metadata service and a new FIDO Certification Level configuration attribute in the WebAuthn Registration Node.

AME-29769: The Social Provider Handler node has a new configuration option, Store Tokens, that allows access and refresh tokens to be stored in the transient state.

FRAAS-22321: You can now obtain the HTTP client location from the X-Client-Region HTTP header within your scripts and journeys. The X-Client-Region header contains the country (or region) associated with the client’s IP address in the form of a Unicode CLDR region code, such as US or FR. For most countries, these codes correspond directly to ISO-3166-2 codes.

IAM-3323: You can now use XPath transformation functions with additional Workday application template attributes.

IAM-4540: You can now change the border color of a selected input field in journey and end-user pages.

OPENAM-23109: During a WebAuthn registration flow, if Store data in transient state is enabled, the Authenticator Attestation Global Unique Identifier (AAGUID) is now added to the node state under the webauthnData key.

AME-28016: When an invalid redirect URI is provided to the /par endpoint, the URI mismatch error is now redirect_uri_mismatch instead of invalid_request.

AME-28017: Advanced Identity Cloud now accepts the requested OAuth 2.0 endpoint as a valid JWT audience claim, as per RFC 7519 and RFC 9126.

AME-28906: The stack trace of an authentication exception generated on login failure is now logged only when debug level logging is enabled.

AME-29170: On LDAP Decision node login failure, stack traces are now logged at debug level.

IAM-7523^[2]: A user receiving a forwarded fulfillment task now has permission to approve or reject the task.

IAM-7537^[2]: Governance functionality is now only shown for the alpha realm.

OPENAM-18252: Journeys acting on multiple identities now successfully update universalId in the journey context during the authentication flow.

OPENAM-20314: Added the ability to indicate whether an OIDC provider doesn’t return a unique value for the sub claim.

OPENAM-22966: Social IDPs now support NONE as a client authentication method. Use this option if the provider doesn’t require client authentication at the token endpoint.

21 Nov 2024

[20-nov-2024]

FRAAS-22321: You can now obtain the HTTP client location from the X-Client-Region HTTP header within your scripts and journeys. The X-Client-Region header contains the country (or region) associated with the client’s IP address in the form of a Unicode CLDR region code, such as US or FR. For most countries, these codes correspond directly to ISO-3166-2 codes.

AME-29769: The Social Provider Handler node has a new configuration option, Store Tokens, that allows access and refresh tokens to be stored in the transient state.

AME-29009: When using the new FIDO Metadata Service, if you link to the FIDO metadata using a URL, Advanced Identity Cloud periodically downloads and updates the latest FIDO metadata based upon the nextUpdate date specified in the downloaded data.

AME-29093: Added configuration for integration with WebAuthn Metadata Services (such as the FIDO Metadata Service). This includes a realm-level WebAuthn Metadata service and a new FIDO Certification Level configuration attribute in the WebAuthn Registration Node.

AME-26050: You can now create Next-generation Policy Condition scripts that have access to all common bindings, such as openidm and httpClient. Additionally, some existing bindings have been wrapped to improve usability in scripts.

OPENAM-23109: During a WebAuthn registration flow, if Store data in transient state is enabled, the Authenticator Attestation Global Unique Identifier (AAGUID) is now added to the node state under the webauthnData key.

AME-28016: When an invalid redirect URI is provided to the /par endpoint, the URI mismatch error is now redirect_uri_mismatch instead of invalid_request.

AME-28017: Advanced Identity Cloud now accepts the requested OAuth 2.0 endpoint as a valid JWT audience claim, as per RFC 7519 and RFC 9126.

AME-28906: The stack trace of an authentication exception generated on login failure is now logged only when debug level logging is enabled.

AME-29170: On LDAP Decision node login failure, stack traces are now logged at debug level.

OPENAM-18252: Journeys acting on multiple identities now successfully update universalId in the journey context during the authentication flow.

OPENAM-22966: Social IDPs now support NONE as a client authentication method. Use this option if the provider doesn’t require client authentication at the token endpoint.

OPENAM-20314: Added the ability to indicate whether an OIDC provider doesn’t return a unique value for the sub claim.

AME-27074: Added a new configProviderScript action to each authentication node endpoint to generate a configuration provider template script, for example: authentication/authenticationtrees/nodes/MessageNode?_action=configProviderScript.

AME-28258: Added a new "webAuthnExtensions" input to the WebAuthn Registration and Authentication nodes. This can be set via a Scripted Decision node. It is expected to contain a map of extension name to input. Output is currently not available.

AME-28384: The outcome of a Scripted Decision node can now also be a CharSequence type.

AME-28777: The refresh token grace period now applies to both client-side refresh tokens and server-side refresh tokens.

AME-29157: Authentication nodes with limited possible outcomes are now available to the Configuration Provider node, including:

OPENAM-22601: You can now use the next-generation script binding, utils, to generate secure random numbers.

OPENAM-22811: NodeState has two new methods: mergeShared(Map<String, Object>) and mergeTransient(Map<String, Object>). Use them to merge keys into the shared/transient state, including "objectAttributes" keys.

AME-25491: The Configuration Provider node script now correctly reads node state after an inner tree callback.

AME-28786: Removed several unused UI properties from default social identity provider profiles.

AME-29027: WebAuthN attestations containing a self-signed root CA are now rejected instead of silently removed.

OPENAM-22465: Fixed error to return invalid_resource_uri when request_uri client doesn’t match request parameter client in PAR authorise request.

OPENAM-22675: In next-generation scripting, you can now set a default name correctly when creating a NameCallback.

OPENAM-22688: Fixed Page node localization to default to correct locale when the incoming accepted-language header doesn’t match the node’s language configuration.

IAM-6388: Added the ability to specify that inner journeys can’t be accessed directly.

IAM-7185: The mapping tab for application provisioning now shows the inbound or outbound application type without needing to inspect a drop-down.

IAM-7415: When creating an assignment, the _id is now automatically generated instead of using the name specified.

IAM-7187: Integration of SAP app template with IDM scripts.

IAM-7243^[2]: Added text field to utilities category in IGA access request forms.

IAM-7385: Unable to create user when required boolean property is set to false.

OPENAM-22666: The well-known endpoint is no longer required when configuring a social identity provider service. If it is not provided, Advanced Identity Cloud uses the client secret for signature verification.

FRAAS-16228: Promotions are now halted if the AM CORS service is disabled; the service is essential to the correct functioning of promotions.

OPENIDM-19698: Added ability to use wildcards in the watchedFields property.

OPENIDM-19336: Fixed an issue where delegated administrators couldn’t add new users to their organization.

OPENIDM-20238: Fixed an issue where clustered reconciliation can fail with "Expecting a Map or List" under specific circumstances.

FRAAS-21715: Environments can now be unlocked if configuration rollback fails because there are no promotions to roll back.

FRAAS-21728: Updated the cookie domain API to add default values for GET requests where cookie domain values haven’t been overridden by a PUT request. The default values are derived from the existing tenant cookie domain configuration, so are backward compatible.

AME-26594: Added secrets API binding to all next-generation script contexts.

AME-27129: Added option to exclude client certificate from SAML hosted SP metadata.

AME-27792: Added AM-TREE-LOGIN-COMPLETED audit log event that outputs a result of FAILED. when a journey ends with an error.

AME-27839: Added the ability to specify connection and response timeouts for Http Client service instances.

AME-28008: You can now disable certificate revocation checks, or all certificate checks entirely, on your Http Client service instances.

OPENAM-15410: Fixed an issue that prevented customization of claims if profile and openid scopes are requested.

OPENAM-20609: Fixed inconsistent error message when generating access token using refresh token after changing username.

OPENAM-21974: Adds an OAuth 2.0 client configuration for the new version of the LinkedIn provider.

OPENAM-22298: Log unretrieved SP and IdP descriptors in SAML2 Authentication node.