Regular channel changelog

AME-30984 and AME-30609: Enhanced authentication audit logging to include the SAML Identity Provider (IdP) and Service Provider (SP) entity IDs during SAML flows. This information lets you report on the SAML applications users are accessing, supporting analytics and dashboarding efforts.

AME-30985: In SAML v2.0 single sign-on (SSO) flows, the JSON web token (JWT) created in the browser’s session storage no longer expires.

AME-31082 and SDKS-3681: Added support for device token refreshing to the Push Notification Service endpoint, enabling the reception of new tokens from mobile devices.

AME-31351 and AME-31471: Improvements to the Device Code flow mean that end users are now prompted to reauthenticate even when there’s an existing session for must-run and app journeys.

AME-31398: The PingOne Protect Evaluation node has been enhanced to support custom attributes. To specify custom attributes to be used in PingOne Protect for custom predictors, set the Node State Attribute For Custom Attributes in the node configuration. The node retrieves a map of custom attributes from the node state to be used in the evaluation request to PingOne Protect.

AME-31656 and AME-31468: The PingOne Protect Evaluation node has been enhanced to support dynamic risk policy IDs and target app IDs. To set the risk policy set ID dynamically, enable Use Node State Attribute For Risk Policy Set ID in the node configuration. To set the target app ID dynamically, enable Use Node State Attribute For Target App ID in the node configuration. This instructs the node to obtain these IDs from the node state.

AME-31487: Improvements to SAML v2.0 standalone mode include replacing legacy JSPs with URL endpoints.

OPENAM-23051 and AME-31918: A new ESV, esv.oauth2.request.object.restrictions.enforced lets you enforce stricter adherence to the PAR and JAR specifications.

IAM-8236: The ability to edit journeys from the AM native admin console has been removed. Use the Advanced Identity Cloud admin console to edit journeys.

IAM-9000, IAM-9001: Add annotations and sticky notes to journeys to assist learning and collaboration.

IAM-9237: Allow ESVs to be embedded in URL fields for federation IdPs. This lets you set up federation IdPs with fewer ESVs because you can define a single ESV containing a UUID shared by multiple URL fields.

IAM-9246: Table columns are now resized uniformly across all table views.

OPENAM-20776: A new OIDC client configuration option, Private Key JWT Audience, lets you configure and override the audience (aud) claim of a Private Key JWT.

OPENAM-21783: Improved token management for OAuth 2.0 client applications.

OPENAM-23669: Full scopes (scopes ending in *) can now be used by service accounts in all cases where more specific scopes (for example, :read) are used.

OPENAM-23710: The httpClient binding is now available to legacy SAML 2.0 IdP adapter scripts.

OPENAM-23850: Enhanced the PingOne Verify Evaluation node with an Allow same device verification option that lets end users continue verification on their current device.

OPENAM-23867: The LDAP Decision node no longer logs credential failures as errors. It now logs them at the info level.

OPENAM-24062: Added support for the ECDSA algorithm to the utils.crypto.subtle next-generation binding. This algorithm is supported for key generation, signing, and verification.

AME-31351 and AME-31471: Improvements to the Device Code flow mean that end users are now prompted to reauthenticate even when there’s an existing session for must-run and app journeys.

AME-31481: Validation around policy creation has been improved. If you’re using the legacy "Policy" environment condition (or a custom environment condition), you’ll need to add that to the list of allowed environment conditions for your policy set to create or update policies that use that condition type.

IAM-9153: Password validation now works correctly when pasting a value that matches the existing value.

OPENAM-20749: A new ESV, esv-enable-oauth2-sync-refresh-token-issuer causes a stateful OAuth 2.0 introspect response to overwrite the iss claim of the introspectable token. To enable this behavior, set this ESV to false.

OPENAM-23770: Canceling a WebAuthn flow now results in a Client Error outcome, rather than an internal failure.

OPENAM-24159: Fixed an issue that prevented multiple Identity Assertion nodes from being used in a single journey.

OPENAM-24486: Improved performance when creating large numbers of OAuth 2.0 clients simultaneously.

OPENDJ-11486: Fixed an exception caused when identity management queries for users with a filter containing wildcards and specific object classes.

RCS 1.5.20.32 is now available to download. Learn more in ICF release notes.

IAM-9374: Fixed an issue where managed identity searches were querying all properties, causing slow performance.

ANALYTICS-582^[2][3]: Custom objects can now be used as data sources for reporting. The system uses an object’s configured title for the data source name, makes its properties available as attributes, and represents all object relationships.

ANALYTICS-1165^[2]: Added the capability to change a report name.

ANALYTICS-1195^[2]: Added the ability to import and export report templates using reports API endpoints.

FRAAS-25919: You can now use the API to configure custom domains for the Advanced Identity Cloud admin console.

IAM-8922: The Advanced Identity Cloud admin console now accepts ESV placeholders for the following federation fields:

IAM-8982^[4]: Add event function for setting the query filter/select options of a select field.

IAM-9066: Added Tenant Auditor option to Advanced Identity Cloud admin console federation groups claim.

IAM-9099, IAM-9146, IAM-9167: Many table views now support column resizing and customization.

IAM-5488: Terms and Conditions now respects target attribute in anchor tags.

IAM-6588: The Advanced Identity Cloud admin console now correctly displays journey status for journeys disabled and enabled using ESVs.

IAM-8887: Prevent browsers auto-filling passwords in user registration journeys.

IAM-8940: Managed identity number property now accepts float values.

IAM-8956: Deselecting the Personal Information option now disables the section containing the user avatar in hosted account pages.

IAM-9169: Fixed styling for responsive table layouts with sticky action column in Identities table views.

OPENIDM-21372: Advanced Identity Cloud now prevents access to the identity repository endpoint, /openidm/repo. This prevents uncontrolled and potentially incompatible schema changes.

Best practices for naming and arranging PingOne environments.

Best practices for configuring PingOne workers and Advanced Identity Cloud worker services when integrating with PingOne products.

How to configure, test, and optimize PingOne Protect.

OPENAM-24476^[5]: Added java.util.zip.Deflater, java.util.zip.Inflater, java.util.zip.DeflaterOutputStream, and java.util.zip.InflaterInputStream to the allowlist for Scripted Decision nodes.

FRAAS-24857: CNAME verification is no longer required when creating a custom domain.

FRAAS-25547: The sender address for emails sent to Advanced Identity Cloud tenant administrators is now saas@pingidentity.com.

FRAAS-26063: You can now override the samlErrorPageUrl. To do so, configure an ESV variable named esv-global-saml-error-page-url and set its value to your SAML error page URL. If you don’t set this variable, Advanced Identity Cloud uses the default value of /saml2/jsp/saml2error.jsp.

FRAAS-25734: Exception stacktraces in access management and identity management logs are now truncated to approximately 300-400 lines.

FRAAS-25821^[6]: Fixed an issue that prevented IP rules in Proxy Connect from being disabled.

AME-32756: Fixed an issue with policy evaluation returning results from a stale policy index cache.

OPENDJ-11634: Advanced Identity Cloud now prevents searches with many results and no applicable index from overloading the system.

OPENAM-24384: Added javax.crypto.SecretKeyFactory, javax.crypto.spec.PBEKeySpec, and com.sun.crypto.provider.PBKDF2KeyImpl classes to the allowlist for the OAUTH2_ACCESS_TOKEN_MODIFICATION scripting context.

OPENAM-24393^[5]: Fixed an issue where the InnerTreeEvaluator node failed for authentication journeys initially accessed using REST without an authId.

AME-31372^[9]: An Agent journey is now available by default in both Alpha and Bravo realms. The Agent journey makes it easier to integrate with Ping Identity agents and gateways. It validates the agent credentials with an Agent Data Store Decision node.

AME-30050: You can now enable a next-generation script in the AM admin console native console to run after a Dynamic Client Registration request is processed.

AME-30716: Removed Failed to create SSO Token from logs at warning level. To observe these warnings, increase the log level to debug.

AME-30801: The Inner Tree Evaluator node now has an optional Error Outcome that lets you capture exception details if an exception occurs during the evaluation of the child journey.

FRAAS-25818: The built-in SMTP server in new tenants now has a limit of 10 emails per minute and a fixed email sender address with the format noreply@<tenant-fqdn>.

IAM-7581: Text wrapping in table views has been improved for readability.

IAM-8573: IDM now includes an endpoint to retrieve individual themes from the /themerealm configuration using either an ID or a _queryFilter by name. This improves performance and ensures reliable theme loading, even on slow networks.

IAM-8610: When you create an SSO application for Microsoft 365, the application now generates a signing certificate, which you can download or rotate as needed.

IAM-8633: You can now add, remove, and rearrange table columns for managed identities and application provisioning tables.

IAM-8925^[10]: In Identity Governance, you can now configure actions that trigger automatically when a form first loads or when a user changes the value of a specific field.

OPENAM-22467: Customers can now provide any value in the typ header in JWTs.

Greater control over journey session duration and authenticated session timeouts:

OPENAM-23438: Following WebAuthn registration and authentication, new information is added to the transient state.

OPENAM-20709: On successful authentication, the WebAuthn Authentication node now adds the UUID of the device (webauthnDeviceUuid) and the name of the device (webauthnDeviceName) to the shared state. This lets you track the use of biometric authentication and the device used to authenticate.

AME-30969: If the OIDC Claims Plugin Type in the OAuth 2.0 provider is set to SCRIPTED but no script is selected, the userinfo endpoint now returns the sub claim, in compliance with the OIDC specification. Previously, the userinfo endpoint returned an empty JSON object. If you still require this behavior, set the esv-scripting-legacynulloidcclaimsscriptbehaviour ESV to true.

IAM-4397: Fixed an issue in the hosted journey pages where the prompt text for the Choice Collector node wasn’t fully visible and the default option wasn’t visible at all.

IAM-8632: Fixed an issue where validation errors were incorrectly displayed for pre-populated fields.

IAM-8789: Managed identity modals now correctly handle both single-value and array-based enum types.

IAM-8871: The hosted account pages no longer freeze and throw an error when editing details if there are empty custom enum array values.

IAM-8902: The application username field in SAML 2.0 NameID flows is now correctly set to uid instead of username.

IAM-8933: Fixed an issue in the Advanced Identity Cloud admin console when creating or modifying identity objects with a required boolean property. You can now set the value of the required boolean property to false.

IAM-9062: Hosted pages themes no longer continuously refresh when trying to set up or confirm two-factor authentication (2FA).

OPENAM-20749: For server-side OAuth 2.0 tokens, the /oauth2/introspect response can now overwrite the iss claim of the introspectable token. To enable this behavior, set the esv-enable-oauth2-sync-refresh-token-issuer ESV to false.

OPENAM-22928: When agents authenticate to Advanced Identity Cloud, the session created no longer expires.

OPENAM-23303^[9]: Fixed an issue where access management scripts were failing to load because they contained strings that resembled configuration placeholders. The code that parses these scripts now correctly ignores configuration placeholders and any strings that resemble them.

OPENAM-23334: You can now use the mergeShared and mergeTransient methods to add nested objects to ObjectAttributes.

OPENAM-23519: Improved error handling during WebAuthn registration when the Android lock screen isn’t enabled.

OPENAM-24159: Fixed an issue with Identity Assertion nodes failing if there are more than one in a journey.

AME-31379: Setting the new ESV esv-oauth2-provider-request-object-processing-enforced to true now lets admins enforce which validation rules are applied when processing OAuth 2.0 request objects.

FRAAS-25437: Tenant administrators with the tenant-auditor role can now use federated access to authenticate to Advanced Identity Cloud.

IAM-3441: Added pagination to all list views.

IAM-7265: You can now right-click a node in the journey editor to access a context menu.

IAM-7266: Added an action bar to the journey editor that lets you deselect or delete currently selected nodes.

IAM-7580: Pages now span the full width of the screen, improving navigation and usability.

IAM-8260: Advanced Identity Cloud now supports multiple WS-Fed^[8] applications.

IAM-8640: The Release Notes link in Tenant Settings now opens the release notes for the tenant’s specific version.

IAM-8714^[4]: You can now configure columns in the Identity Governance access review page.

OPENIDM-21206: Usernames and application names must now be unique, as enforced by the datastore.

IAM-7413: The reCAPTCHA Enterprise node is now fully supported.

IAM-8489: Fixed an issue with the display of application logos in the hosted account pages.

IAM-8770: Fixed an issue with the calendar icon position in date fields.

IAM-8773: Fixed an issue where key actions such as realm login were blocked in older tenants with an unmodified original theme.

The RCS 1.5.20.30 release is now available to download. Learn more in ICF release notes.

The PingGateway 2025.6.1 release is now available to download. Learn more in PingGateway 2025.6.1.

IAM-8314^[5]: Fixed an issue where setting ESVs in connector or provisioner configuration stops the Advanced Identity Cloud admin console from being able to update connectors or run a liveSync operation.

FRAAS-25155: Increased log batching size to avoid truncation of large JSON log entries.

ANALYTICS-868: The Tenant Admin Activity report has been changed to the Tenant Admin Initiated Entity Type Changes report. The new report provides more detailed and business-friendly insights into changes made by tenant administrators:

IAM-8405: You can now duplicate out-of-the-box reports.

IAM-8591: Dynamic sorting for report results. You can now sort report results directly in the Advanced Identity Cloud admin console after running a report.

FRAAS-25142: Fixed a memory issue in the ESV service.

FRAAS-25434: Fix issue causing source to sometimes be defined as unknown in /monitoring/logs/* endpoints.

FRAAS-25226: Allow a higher threshold for large JSON log entries before splitting them into smaller plaintext log entries.

FRAAS-23329: Access to ESV REST API endpoints using the fr:idm:* scope is now deprecated.

FRAAS-23330: Access to ESV REST API endpoints using resource version 1.0 is now deprecated.

FRAAS-25269: The IDC.CLI OAuth 2.0 client is now deprecated in existing tenants and no longer provisioned in new tenants.

FRAAS-25205: Consolidated End User UI, Login UI, Administrator Registration UI, and Administrator UI status page components into a single Administrator UI component as they were all reporting the same service.

IAM-2453^[9]: Hosted pages themes now show the loading spinner until they are fully loaded.

IAM-4769^[9]: Hosted journey pages now fall back to the default theme if a journey is configured with a deleted theme.

IAM-6781^[9]: Password policy hints now show all policy conditions when creating a new user identity in the Advanced Identity Cloud admin console.

IAM-7615^[9]: The Certificate Collector node now validates the value set in the HTTP Header Name for Client Certificate field based on the value selected in the Certificate Choice Method field.

IAM-8358^[9][4]: Hosted account pages now display a New User button in the Users list view for delegated administrators.

OPENIDM-15771: You can now set locales in identity management scripts with the _locale parameter.

OPENIDM-17680: Advanced Identity Cloud now supports enumerations in string and number attributes of its identity schema. To make an attribute an enumeration, add "enum" : [ "one", "two", "three" ] to the attribute. Advanced Identity Cloud requires create and update privileges to use one of the enumerated values.

OPENIDM-19918: You can now choose whether synchronization detects identity array changes using ordered or unordered comparisons. Set the comparison configuration property in the schema. Unordered JSON array comparison ignores the order of elements and can negate the need for certain custom scripts within mappings. Relationship and virtual property array fields default to unordered comparisons. All other fields default to ordered comparisons.

OPENIDM-20023: RCS communication with Advanced Identity Cloud can now use stricter authorization. Learn more in Secure RCS access and Migration dependent features.

FRAAS-25256: Fixed an issue that was causing missing data in analytics dashboards.

IAM-1479^[9]: Email field validation in the Advanced Identity Cloud admin console now runs only when typing stops or the field is unfocused.

IAM-7858^[9]: Hosted account pages now use the access management maxIdleExpirationTime value to prompt the You will be signed out soon modal.

IAM-8382^[9]: Fixed an issue in the bookmark app where the URL field validation stopped the Create Application button working the first time it was clicked.

IAM-8383^[9]: Fixed an issue in the bookmark app where the URL field accepted ESV secrets.

IAM-8398^[9]: Field labels positioned above a field now remain left aligned when autofill is triggered.

IAM-8441^[9]: Fixed a display issue in the Advanced Identity Cloud admin console where connector servers and connector server clusters with long names went off the edge of the screen.

OPENAM-21783: Improved token management for OAuth 2.0 clients that override the Use Client-Side Access & Refresh Tokens setting. The OAuth 2.0 applications endpoint now correctly shows all tokens issued to these clients. Additionally, administrators can now successfully revoke any of the tokens issued to these clients.

OPENDJ-11486^[9]: Fixed an exception caused by identity management user queries with a filter containing wildcards and specific object classes.

ANALYTICS-1004^[3]: Support for custom attributes and relationships in the organization entity for advanced reports.

OPENAM-23218: Legacy SAML 2.0 IDP attribute mapper scripts now have access to the httpClient binding.

OPENAM-23710: Legacy SAML 2.0 IDP adapter scripts now have access to the httpClient binding.

OPENIDM-20995: Fixed an issue that prevented error reports during certain operations on groups or users. For example, trying to remove a non-existing attribute or null value now correctly results in an exception message to the client if these operations are not supported by the target system.

IAM-987: Added support for enums (drop-down lists) to hosted account pages.

IAM-1116: Added support for enums (drop-down lists) to the Advanced Identity Cloud admin console.

IAM-2103: Added support for enums (drop-down lists) to hosted journey pages.

IAM-6822: Added the ability to manage cookie domains in the Advanced Identity Cloud admin console.

IAM-7412: Updated the password policy feature in the Advanced Identity Cloud admin console. Added the ability to specify a minimum substring length between 3 - 64 to use when validating passwords against user attribute values. The default is still 5 characters, but can now be reduced to as few as 3 characters to catch shorter string matches.

IAM-7794^[4]: Added support for using custom identity objects in the form builder.

IAM-7919: Improved color contrast ratio of the Delete Account button text when focused.

IAM-7934: Improved color contrast ratio of date fields when focused.

IAM-7957: Improved color contrast ratio of the Deselect button text when focused.

IAM-7966: Improved color contrast ratio of In Progress text.

IAM-8016^[4]: Allow form authors to specify a user filter when dynamic enums are selected.

IAM-8085: Updated the Add a Parameter reports modal to use entity attributes for input.

FRAAS-15518: Fixed issue that prevented localization of Session timed out message in certain locales.

FRAAS-24449: Enhanced the reliability of metrics collection under high-load conditions.

FRAAS-24990: Fixed an issue where requests to the /monitoring/logs and /monitoring/logs/tail endpoints timed out after 15 seconds rather than the expected 60 seconds.

IAM-5834: Fixed a double-encoding issue in the SAML app that affected IdP-initiated sign on.

IAM-6796: Jobs are now prevented from being scheduled with frequencies that cause invalid date errors.

IAM-7855: Fixed a typo in the help text returned when there are no results to display.

IAM-8237: Corrected floating labels in the date picker in the hosted journey pages.

IAM-8361: The Save button in the Edit Bookmark application is now inactive while checking if the ESV exists.

IAM-8364: Fixed issues in SAML end-to-end scenarios.

IAM-8378: Fixed an issue that stripped HTML elements from email templates.

IAM-8403: Fixed border focus location and floating label issues in Tag fields.

IAM-8434: Fixed an issue that prevented duplication of new themes that contain special characters.