Rapid channel changelog
Subscribe to get automatic updates: Rapid channel changelog RSS feed
For release notes published before September 2024, refer to the Rapid channel changelog archive.
February 2025
04 Feb 2025
Version 16508.0
Enhancements
-
IAM-4692: Managed identity boolean fields now use a checkbox instead of a toggle.
-
IAM-6581: SAML 2.0 application journeys can now be configured in the Advanced Identity Cloud admin UI.
-
IAM-7248[2]: In IGA sources, the
displayName
andlogo
can now be obtained from the CDN. -
IAM-7874[2]: The Governance > Requests > Settings tab now lets you activate or deactivate Governance LCM.
January 2025
31 Jan 2025
Versions 16460.0, 16466.0
No customer-facing features, enhancements, or fixes released.[1]
29 Jan 2025
Versions 16437.0, 16441.0
No customer-facing features, enhancements, or fixes released.[1]
24 Jan 2025
Versions 16410.0, 16412.0
Enhancements
-
FRAAS-23002: Improvements to OATH support for MFA authenticators
-
Update the default OATH shared secret length from 32 to 40 for existing and new tenants so that tenant administrators can use Google Authenticator with MFA when signing on using their Advanced Identity Cloud native accounts.
-
Make the OATH shared secret length configurable (using a support request) to support other MFA authenticators.
-
23 Jan 2025
Versions 16386.0, 16388.0
No customer-facing features, enhancements, or fixes released.[1]
22 Jan 2025
Versions 16368.0, 16376.0
No customer-facing features, enhancements, or fixes released.[1]
20 Jan 2025
Versions 16345.0, 16348.0
15 Jan 2025
Versions 16294.0, 16297.0
Enhancements
-
FRAAS-23375: You can now obtain the HTTP client location from the
X-Client-City
&X-Client-City-Lat-Long
HTTP headers in Advanced Identity Cloud scripts and journeys.X-Client-City
contains the name of the city from which the request originated, for example,Mountain View
for Mountain View, California. There is no canonical list of valid values for this variable. The city names can contain US-ASCII letters, numbers, spaces, and the following characters:"!#$%&'*+-.^_`|~"
.X-Client-City-Lat-Long
contains the latitude and longitude of the city from which the request originated, for example,37.386051,-122.083851
for a request from Mountain View.
14 Jan 2025
Versions 16276.0, 16278.0
No customer-facing features, enhancements, or fixes released.[1]
10 Jan 2025
Versions 16216.0, 16229.0
Enhancements
-
IAM-6833: Made existing synchronization tokens editable for incremental reconciliations.
-
IAM-7223[2]: Added the ability to set user, role, organization, application, or entitlement objects to provide predefined values for select and multiselect fields in request forms.
03 Jan 2025
Version 15989.0
Enhancements
-
ANALYTICS-459[3]: Report query data is now retained for 30 days for customers using OOTB reports and 90 days for customers with Advanced Reporting[4].
-
ANALYTICS-495[3]: Replace
email
withusername
in User Last Login report. -
ANALYTICS-817[3][6]: Report authors can now query on "Password Last Changed Time" for user entity.
-
ANALYTICS-818[3][6]: Report authors can now query on "Password Expiration Time" for user entity.
Fixes
-
ANALYTICS-474[3]: The User Journey Stats report now provides aggregates by outcome in the report result when more than one outcome is selected.
-
ANALYTICS-837[3]: The User Count by Status report now provides aggregates by status in the report result when more than one outcome is selected
-
ANALYTICS-585[3][6]: Remove Report Admin and Report Owner group selection when creating a new report.
December 2024
17 Dec 2024
Version 16028.0
Enhancements
-
OPENDJ-9287: The password validation mechanism has been enhanced to include checks for portions of attribute values within passwords. This improvement ensures that even partial matches between portions of passwords and portions of attribute values are identified and restricted, thereby enhancing security.
For example, if the password is
abcdef
and the attribute value isabcdef123
, the password is rejected. Similarly, if the password isabcdefAZERTY
and the attribute value isabcdef123
, the password is rejected.
16 Dec 2024
Version 15989.0
This release reintroduces many features, enhancements, and fixes previously present in reverted versions.
Key features
- PingOne Authorize node (TNTP-183)
-
Use this node to send a decision request to a specified decision endpoint in your PingOne Authorize environment.
- PingOne node improvements (SDKS-3468)
-
- PingOne Create, Identify, and Delete Nodes
-
The following PingOne nodes are now available:
- PingOne Identity Match node
-
Use the PingOne Identity Match node to identify if a user exists both in the user repository and in PingOne, using defined attributes.
- PingOne Create User node
-
Create new users in the PingOne platform using the PingOne Create User node. Create users based on an existing user’s properties or choose to create the user anonymously. For example, when used in conjunction with PingOne Verify.
- PingOne Delete User node
-
Delete users from the PingOne platform with the PingOne Delete User node.
- PingOne Verify nodes
-
Use the following PingOne Verify nodes in conjunction with the PingOne Identity Match node, PingOne Create User node, and PingOne Delete User node to create a seamless verification process in your journey:
- PingOne Verify Evaluation node
-
Leverage PingOne Verify to initiate or continue a verification transaction with the PingOne Verify Evaluation Node.
- PingOne Verify Completion Decision node
-
Determine the completion status of the most recent identity verification transaction for an end user.
Use before the PingOne Verify Evaluation node to determine the status of the verification process or after the PingOne Verify Evaluation node using a script to evaluate the transaction.
For example, you can evaluate if the transaction was completed using a passport and route your journey accordingly.
Use these nodes in place of the PingOne Verify Marketplace nodes. - reCAPTCHA Enterprise node (SDKS-3322)
-
The reCAPTCHA Enterprise node node adds Google reCAPTCHA Enterprise support to your journeys.
- SAML application journeys (AME-27850)
-
Added support for SAML application journeys with a new setting on the remote SP. Configure a specific authentication journey that always runs for users authenticating with your SAML 2.0 app, regardless of existing sessions or configured authentication context.
Learn more in Configure a SAML 2.0 application journey.
- Set Failure Details node (AME-27871)
-
Use the Set Failure Details node to configure a localized error message on journey failure. You can also configure extra details in the response body of the failure request.
- Set Success Details node (OPENAM-12335)
-
Use the Set Success Details node to add additional details to the success response of a journey.
- UI support for managing certificates (IAM-5813)
-
You can now use the Advanced Identity Cloud admin UI to generate CSRs and upload SSL certificates in your tenant environments.
Learn more in Manage SSL certificates using the UI.
Enhancements
-
AME-26050: You can now create Next-generation Policy Condition scripts that have access to all common bindings, such as
openidm
andhttpClient
. Additionally, some existing bindings have been wrapped to improve usability in scripts. -
AME-28228: OAuth 2.0 audit logs now include the OAuth 2.0 client ID and any journey associated with the client.
-
AME-29009: When using the new FIDO Metadata Service, if you link to the FIDO metadata using a URL, Advanced Identity Cloud periodically downloads and updates the latest FIDO metadata based on the
nextUpdate
date specified in the downloaded data. -
AME-29093: Added configuration for integration with WebAuthn Metadata Services (such as the FIDO Metadata Service). This includes a realm-level WebAuthn Metadata service and a new FIDO Certification Level configuration attribute in the WebAuthn Registration Node.
-
FRAAS-22321: You can now obtain the HTTP client location from the
X-Client-Region
HTTP header within your scripts and journeys. TheX-Client-Region
header contains the country (or region) associated with the client’s IP address in the form of a Unicode CLDR region code, such asUS
orFR
. For most countries, these codes correspond directly to ISO-3166-2 codes. -
FRAAS-23073: The SAML scripting adapter now lets scripts access
org.forgerock.http.protocol.*
. -
IAM-3323: You can now use XPath transformation functions with additional Workday application template attributes.
-
IAM-4540: You can now change the border color of a selected input field in journey and end-user pages.
-
IAM-6397: The Advanced Identity Cloud admin UI now lets you page through the list of OAuth 2.0 client profiles.
-
OPENAM-23109: During a WebAuthn registration flow, if Store data in transient state is enabled, the Authenticator Attestation Global Unique Identifier (AAGUID) is now added to the node state under the
webauthnData
key.
Fixes
-
AME-28016: When an invalid redirect URI is provided to the
/par
endpoint, the URI mismatch error is nowredirect_uri_mismatch
instead ofinvalid_request
. -
AME-28017: Advanced Identity Cloud now accepts the requested OAuth 2.0 endpoint as a valid JWT audience claim, as per RFC 7519 and RFC 9126.
-
AME-29170: On LDAP Decision node login failure, stack traces are now logged at
debug
level. -
AME-29965: The Configuration Provider node now works with the Inner Tree Evaluator node for nested inner journeys.
-
IAM-1782: Long gateway and agent IDs no longer overflow in the Advanced Identity Cloud admin UI.
-
IAM-7523[2]: A user receiving a forwarded fulfillment task now has permission to approve or reject the task.
-
IAM-7537[2]: Governance functionality is now only shown for the
alpha
realm. -
IAM-7689[2]: The Advanced Identity Cloud admin UI now displays the Assigned To value in the task list for a user assigned to a role who receives a forwarded fulfillment task.
-
OPENAM-18252: Journeys acting on multiple identities now successfully update
universalId
in the journey context during the authentication flow. -
OPENAM-20314: Added the ability to indicate whether an OIDC provider doesn’t return a unique value for the
sub
claim. -
OPENAM-22966: Social IDPs now support NONE as a client authentication method. This option should be used if the provider doesn’t require client authentication at the token endpoint.
03 Dec 2024
02 Dec 2024
Version 15824.0
This release reintroduces many features, enhancements, and fixes previously present in reverted versions.
Key features
- PingOne Authorize node
-
Use this node to send a decision request to a specified decision endpoint in your PingOne Authorize environment.
- PingOne Create, Identify, and Delete Nodes
-
The following PingOne nodes are now available:
- PingOne Identity Match node
-
Use the PingOne Identity Match node to identify if a user exists both in the user repository and in PingOne, using defined attributes.
- PingOne Create User node
-
Create new users in the PingOne platform using the PingOne Create User node. Create users based off of an existing user’s properties or choose to create the user anonymously. For example, when used in conjunction with PingOne Verify.
- PingOne Delete User node
-
Delete users from the PingOne platform with the PingOne Delete User node.
- PingOne Verify Nodes
-
Use the following PingOne Verify nodes in conjunction with the PingOne Identity Match node, PingOne Create User node, and PingOne Delete User node to create a seamless verification process in your journey:
- PingOne Verify Evaluation node
-
Leverage PingOne Verify to initiate or continue a verification transaction with the PingOne Verify Evaluation Node.
- PingOne Verify Completion Decision node
-
Determine the completion status of the most recent identity verification transaction for an end user.
Use before the PingOne Verify Evaluation node to determine the status of the verification process or after the PingOne Verify Evaluation node using a script to evaluate the transaction.
For example, you can evaluate if the transaction was completed using a passport and route your journey accordingly.
Use these nodes in place of the PingOne Verify Marketplace nodes. - reCAPTCHA Enterprise node
-
The reCAPTCHA Enterprise node node adds Google reCAPTCHA Enterprise support to your journeys.
- SAML application journeys (AME-27850)
-
Added support for SAML application journeys with a new setting on the remote SP. Configure a specific authentication journey that always runs for users authenticating with your SAML 2.0 app, regardless of existing sessions or configured authentication context.
Learn more in Configure a SAML 2.0 application journey.
- Set Failure Details node (AME-27871)
-
Use the Set Failure Details node to configure a localized error message on journey failure. You can also configure extra details in the response body of the failure request.
- Set Success Details node (OPENAM-12335)
-
Use the Set Success Details node to add additional details to the success response of a journey.
Enhancements
-
AME-26050: You can now create Next-generation Policy Condition scripts that have access to all common bindings, such as
openidm
andhttpClient
. Additionally, some existing bindings have been wrapped to improve usability in scripts. -
AME-28228: OAuth 2.0 audit logs now include the OAuth 2.0 client ID and any journey associated with the client.
-
AME-29009: When using the new FIDO Metadata Service, if you link to the FIDO metadata using a URL, Advanced Identity Cloud periodically downloads and updates the latest FIDO metadata based on the
nextUpdate
date specified in the downloaded data. -
AME-29093: Added configuration for integration with WebAuthn Metadata Services (such as the FIDO Metadata Service). This includes a realm-level WebAuthn Metadata service and a new FIDO Certification Level configuration attribute in the WebAuthn Registration Node.
-
AME-29769: The Social Provider Handler node has a new configuration option, Store Tokens, that allows access and refresh tokens to be stored in the transient state.
-
FRAAS-22321: You can now obtain the HTTP client location from the
X-Client-Region
HTTP header within your scripts and journeys. TheX-Client-Region
header contains the country (or region) associated with the client’s IP address in the form of a Unicode CLDR region code, such asUS
orFR
. For most countries, these codes correspond directly to ISO-3166-2 codes. -
IAM-3323: You can now use XPath transformation functions with additional Workday application template attributes.
-
IAM-4540: You can now change the border color of a selected input field in journey and end-user pages.
-
OPENAM-23109: During a WebAuthn registration flow, if Store data in transient state is enabled, the Authenticator Attestation Global Unique Identifier (AAGUID) is now added to the node state under the
webauthnData
key.
Fixes
-
AME-28016: When an invalid redirect URI is provided to the
/par
endpoint, the URI mismatch error is nowredirect_uri_mismatch
instead ofinvalid_request
. -
AME-28017: Advanced Identity Cloud now accepts the requested OAuth 2.0 endpoint as a valid JWT audience claim, as per RFC 7519 and RFC 9126.
-
AME-28906: The stack trace of an authentication exception generated on login failure is now logged only when
debug
level logging is enabled. -
AME-29170: On LDAP Decision node login failure, stack traces are now logged at
debug
level. -
IAM-7523[2]: A user receiving a forwarded fulfillment task now has permission to approve or reject the task.
-
IAM-7537[2]: Governance functionality is now only shown for the
alpha
realm. -
OPENAM-18252: Journeys acting on multiple identities now successfully update
universalId
in the journey context during the authentication flow. -
OPENAM-20314: Added the ability to indicate whether an OIDC provider doesn’t return a unique value for the
sub
claim. -
OPENAM-22966: Social IDPs now support
NONE
as a client authentication method. Use this option if the provider doesn’t require client authentication at the token endpoint.
November 2024
26 Nov 2024
25 Nov 2024
Version 15770.0
Enhancements
-
FRAAS-22321: You can now obtain the HTTP client location from the
X-Client-Region
HTTP header within your scripts and journeys. TheX-Client-Region
header contains the country (or region) associated with the client’s IP address in the form of a Unicode CLDR region code, such asUS
orFR
. For most countries, these codes correspond directly to ISO-3166-2 codes.
21 Nov 2024
Version 15726.0 (supplementary)
This version has been reverted and all associated changes withdrawn. |
Key features
- PingOne Create, Identify, and Delete Nodes [7]
-
The following PingOne nodes are now available:
- PingOne Identity Match node
-
Use the PingOne Identity Match node to identify if a user exists both in the user repository as well as in PingOne, using defined attributes.
- PingOne Create User node
-
Create new users in the PingOne platform using the PingOne Create User node. Create users based off of an existing user’s properties or choose to create the user anonymously. For example, when used in conjunction with PingOne Verify.
- PingOne Delete User node
-
Delete users from the PingOne platform with the PingOne Delete User node.
- PingOne Verify Nodes [7]
-
Use the following PingOne Verify nodes in conjunction with the PingOne Identity Match node, PingOne Create User node, and PingOne Delete User node to create a seamless verification process in your journey:
- PingOne Verify Evaluation node
-
Leverage PingOne Verify to initiate or continue a verification transaction with the PingOne Verify Evaluation Node.
- PingOne Verify Completion Decision node
-
Determine the completion status of the most recent identity verification transaction for an end user.
Use before the PingOne Verify Evaluation node to determine the status of the verification process, or after the PingOne Verify Evaluation node using a script to evaluate the transaction.
For example, you can evaluate if the transaction was completed using a passport and route your journey accordingly.
Use these nodes in place of the PingOne Verify Marketplace nodes. - reCAPTCHA Enterprise node [7]
-
The reCAPTCHA Enterprise node node adds Google reCAPTCHA Enterprise support to your journeys.
20 Nov 2024
Version 15726.0
This version has been reverted and all associated changes withdrawn. |
Key features
- Set Success Details node (OPENAM-12335)
-
Use the Set Success Details node to add additional details to the success response of a journey.
- Set Failure Details node (AME-27871)
-
Use the Set Failure Details node to configure a localized error message on journey failure. You can also configure extra details in the response body of the failure request.
Enhancements
-
AME-29769: The Social Provider Handler node has a new configuration option, Store Tokens, that allows access and refresh tokens to be stored in the transient state.
-
AME-29009: When using the new FIDO Metadata Service, if you link to the FIDO metadata using a URL, Advanced Identity Cloud periodically downloads and updates the latest FIDO metadata based upon the
nextUpdate
date specified in the downloaded data. -
AME-29093: Added configuration for integration with WebAuthn Metadata Services (such as the FIDO Metadata Service). This includes a realm-level WebAuthn Metadata service and a new FIDO Certification Level configuration attribute in the WebAuthn Registration Node.
-
AME-26050: You can now create Next-generation Policy Condition scripts that have access to all common bindings, such as
openidm
andhttpClient
. Additionally, some existing bindings have been wrapped to improve usability in scripts. -
OPENAM-23109: During a WebAuthn registration flow, if Store data in transient state is enabled, the Authenticator Attestation Global Unique Identifier (AAGUID) is now added to the node state under the
webauthnData
key.
Fixes
-
AME-28016: When an invalid redirect URI is provided to the
/par
endpoint, the URI mismatch error is nowredirect_uri_mismatch
instead ofinvalid_request
. -
AME-28017: Advanced Identity Cloud now accepts the requested OAuth 2.0 endpoint as a valid JWT audience claim, as per RFC 7519 and RFC 9126.
-
AME-28906: The stack trace of an authentication exception generated on login failure is now logged only when
debug
level logging is enabled. -
AME-29170: On LDAP Decision node login failure, stack traces are now logged at
debug
level. -
OPENAM-18252: Journeys acting on multiple identities now successfully update
universalId
in the journey context during the authentication flow. -
OPENAM-22966: Social IDPs now support
NONE
as a client authentication method. Use this option if the provider doesn’t require client authentication at the token endpoint. -
OPENAM-20314: Added the ability to indicate whether an OIDC provider doesn’t return a unique value for the
sub
claim.
19 Nov 2024
Versions 15711.0, 15715.0
No customer-facing features, enhancements, or fixes released.[1]
18 Nov 2024
Versions 15703.0, 15708.0
No customer-facing features, enhancements, or fixes released.[1]
15 Nov 2024
Versions 15687.0, 15696.0, 15699.0
No customer-facing features, enhancements, or fixes released.[1]
06 Nov 2024
Version 15572.0
Key features
- Configure journey to always run[8] (AME-27848)
-
Added a new setting for journeys to always run regardless of existing user sessions.
Learn more in Configure an authentication journey to always run.
- SAML application journeys (AME-27850)
-
Added support for SAML application journeys with a new setting on the remote SP. Configure a specific authentication journey that always runs for users authenticating with your SAML 2.0 app, regardless of existing sessions or configured authentication context.
Learn more in Configure a SAML 2.0 application journey.
- SAML application script binding[8] (AME-28012)
-
Added a new
samlApplication
binding for querying the SAML 2.0 authentication request properties and IdP and SP configuration attributes.Learn more in Query SAML application and authentication request.
- Suspend and resume journeys (OPENAM-21806)
-
Next-generation decision node scripts can now use the new
action.suspend()
method to suspend the current authentication session and send a message to the user. Implement custom logic with the resume URI, for example, to send an email or SMS using the HTTP client service.Learn more in Suspend and resume journeys.
Enhancements
-
AME-27074: Added a new
configProviderScript
action to each authentication node endpoint to generate a configuration provider template script, for example:authentication/authenticationtrees/nodes/MessageNode?_action=configProviderScript
. -
AME-28258: Added a new "webAuthnExtensions" input to the WebAuthn Registration and Authentication nodes. This can be set via a Scripted Decision node. It is expected to contain a map of extension name to input. Output is currently not available.
-
AME-28384: The outcome of a Scripted Decision node can now also be a
CharSequence
type. -
AME-28777: The refresh token grace period now applies to both client-side refresh tokens and server-side refresh tokens.
-
AME-29157: Authentication nodes with limited possible outcomes are now available to the Configuration Provider node, including:
The Identity Assertion node, Push Wait node, and Enable Device Management node nodes with fixed outcomes are also now available to the Configuration Provider node.
-
OPENAM-22601: You can now use the next-generation script binding,
utils
, to generate secure random numbers. -
OPENAM-22811: NodeState has two new methods:
mergeShared(Map<String, Object>)
andmergeTransient(Map<String, Object>)
. Use them to merge keys into the shared/transient state, including "objectAttributes" keys.
Fixes
-
AME-25491: The Configuration Provider node script now correctly reads node state after an inner tree callback.
-
AME-28786: Removed several unused UI properties from default social identity provider profiles.
-
AME-29027: WebAuthN attestations containing a self-signed root CA are now rejected instead of silently removed.
-
OPENAM-22465: Fixed error to return
invalid_resource_uri
when request_uri client doesn’t match request parameter client in PAR authorise request. -
OPENAM-22675: In next-generation scripting, you can now set a default name correctly when creating a NameCallback.
-
OPENAM-22688: Fixed Page node localization to default to correct locale when the incoming
accepted-language
header doesn’t match the node’s language configuration.
October 2024
29 Oct 2024
Versions 15466.0, 15472.0
17 Oct 2024
Versions 15335.0, 15337.0
No customer-facing features, enhancements, or fixes released.[1]
15 Oct 2024
Versions 15310.0, 15312.0
No customer-facing features, enhancements, or fixes released.[1]
14 Oct 2024
Version 15300.0
Enhancements
-
IAM-7187: Integration of SAP app template with IDM scripts.
-
IAM-7243[2]: Added text field to utilities category in IGA access request forms.
September 2024
20 Sept 2024
Versions 15044.0, 15052.0
Key features
- Support for LINE as a social identity provider (AME-28672)
-
You can now configure a social provider authentication with LINE Login when signing in from a browser. There is a separate configuration for authenticating from a mobile app.
Learn more in Social authentication.
- Identity Governance request and approval forms[2] (IAM-6358)
-
Identity Governance now lets you create request and approval forms to make it easier for end users to request access to applications.
Learn more in Identity Governance forms.
16 Sept 2024
Version 14975.0
Key features
- Additional cloud connectors
-
The following connectors are now bundled with Advanced Identity Cloud:
-
AWS IAM Identity Center Connector v1.5.20.23 (OPENIDM-20038)
-
Box Connector v1.5.20.23 (OPENIDM-20367)
Learn more in the ICF documentation.
-
13 Sept 2024
Version 14962.0
Key features
- Advanced Reporting[4] (ANALYTICS-763)
-
Advanced Identity Cloud now offers Advanced Reporting to let you create custom reports on activity in your tenant environments. You can query a number of metrics to create useful reports for your company.
Learn more in Advanced Reporting.
09 Sept 2024
Versions 14868.0, 14888.0
Key features
- Scripted SAML v2.0 NameID values(AME-25921)
-
The NameID mapper script lets you customize SAML v2.0 NameID values per application.
- Set State node (AME-26443)
-
The Set State node lets you add attributes to the journey state.
- Http Client service (AME-27936)
-
The new Http Client service lets you create named instances that you can reference from a next-generation script to make mTLS connections to external services.
Learn more in Access HTTP services.
- Enable Device Management node (SDKS-2919)
-
The new Enable Device Management node lets end users manage devices from their account.
Enhancements
-
FRAAS-21728: Updated the cookie domain API to add default values for GET requests where cookie domain values haven’t been overridden by a PUT request. The default values are derived from the existing tenant cookie domain configuration, so are backward compatible.
-
AME-26594: Added secrets API binding to all next-generation script contexts.
-
AME-27129: Added option to exclude client certificate from SAML hosted SP metadata.
-
AME-27792: Added
AM-TREE-LOGIN-COMPLETED
audit log event that outputs aresult
ofFAILED
. when a journey ends with an error. -
AME-27839: Added the ability to specify connection and response timeouts for Http Client service instances.
-
AME-28008: You can now disable certificate revocation checks, or all certificate checks entirely, on your Http Client service instances.
Fixes
-
OPENAM-15410: Fixed an issue that prevented customization of claims if
profile
andopenid
scopes are requested. -
OPENAM-20609: Fixed inconsistent error message when generating access token using refresh token after changing username.
-
OPENAM-21974: Adds an OAuth 2.0 client configuration for the new version of the LinkedIn provider.
-
OPENAM-22298: Log unretrieved SP and IdP descriptors in SAML2 Authentication node.