PingOne Advanced Identity Cloud

Regular channel changelog

Subscribe to get automatic updates: Regular channel changelog RSS feed

For release notes published before September 2024, refer to the Regular channel changelog archive.

February 2025

18 Feb 2025

Version 16508.8

Enhancements

  • FRAAS-23002: Improvements to OATH support for MFA authenticators

    • Update the default OATH shared secret length from 32 to 40 for existing and new tenants so that tenant administrators can use Google Authenticator with MFA when signing on using their Advanced Identity Cloud native accounts.

    • Make the OATH shared secret length configurable (using a support request) to support other MFA authenticators.

  • IAM-4692: Managed identity boolean fields now use a checkbox instead of a toggle.

  • IAM-6581: SAML 2.0 application journeys can now be configured in the Advanced Identity Cloud admin UI.

  • IAM-7248[1]: In IGA sources, the displayName and logo can now be obtained from the CDN.

  • IAM-7874[1]: The Governance > Requests > Settings tab now lets you activate or deactivate Governance LCM.

Fixes

  • IAM-1262: Clicking the Toggle Sidebar button now collapses the sidebar.

  • IAM-5801: For applications that mandate a minimum page size, the page size selector on the Data tab and the Reconciliation Results tab has been removed.

12 Feb 2025

Version 16368.11

No customer-facing features, enhancements, or fixes released.[2]

10 Feb 2025

Version 16368.9

Fixes

  • FRAAS-23812: You can now deactivate the header ruleset after deactivating the IP ruleset when configuring Proxy Connect.

04 Feb 2025

Version 16368.7

Enhancements

  • FRAAS-23375: You can now obtain the HTTP client location from the X-Client-City and X-Client-City-Lat-Long HTTP headers in Advanced Identity Cloud scripts and journeys.

  • IAM-6833: Made existing synchronization tokens editable for incremental reconciliations.

  • IAM-7223[1]: Added the ability to set user, role, organization, application, or entitlement objects to provide predefined values for select and multiselect fields in request forms.

  • IAM-7454: The inbound mapping for all application templates and scripted application templates has now been configured to make fewer connector requests.

Fixes

  • FRAAS-23780[3]: Optimized network utilization to distribute workloads more effectively.

  • IAM-5242: The Previous link in the New Script modal now always shows the previous step.

  • IAM-5482: Password policy no longer allows Password length to be set as an empty string.

  • IAM-7799: Identity attributes with Time and DateTime format now trigger change events only when a change occurs.

January 2025

21 Jan 2025

Version 16139.9

No customer-facing features, enhancements, or fixes released.[2]

09 Jan 2025

Version 16100.4

Key features

PingOne Authorize node (TNTP-183)

Use this node to send a decision request to a specified decision endpoint in your PingOne Authorize environment.

PingOne node improvements (SDKS-3468)

PingOne Create, Identify, and Delete Nodes

The following PingOne nodes are now available:

PingOne Identity Match node

Use the PingOne Identity Match node to identify if a user exists both in the user repository and in PingOne, using defined attributes.

PingOne Create User node

Create new users in the PingOne platform using the PingOne Create User node. Create users based on an existing user’s properties or choose to create the user anonymously, for example, when used in conjunction with PingOne Verify.

PingOne Delete User node

Delete users from the PingOne platform with the PingOne Delete User node.

PingOne Verify nodes

Use the following PingOne Verify nodes in conjunction with the PingOne Identity Match node, PingOne Create User node, and PingOne Delete User node to create a seamless verification process in your journey:

PingOne Verify Evaluation node

Use PingOne Verify to initiate or continue a verification transaction with the PingOne Verify Evaluation Node.

PingOne Verify Completion Decision node

Determine the completion status of the most recent identity verification transaction for an end user.

Use this node before the PingOne Verify Evaluation node to determine the status of the verification process, or after the PingOne Verify Evaluation node with a script to evaluate the transaction.

For example, you can evaluate if the transaction was completed using a passport and route your journey accordingly.

Use these nodes in place of the PingOne Verify Marketplace nodes.

reCAPTCHA Enterprise node (SDKS-3322)

The reCAPTCHA Enterprise node adds Google reCAPTCHA Enterprise support to your journeys.

Set Failure Details node (AME-27871)

Use the Set Failure Details node to configure a localized error message on journey failure. You can also configure extra details in the response body of the failure request.

Set Success Details node (OPENAM-12335)

Use the Set Success Details node to add additional details to the success response of a journey.

Reports for IGA data sources (ANALYTICS-571)

Advanced Reporting[4] now supports various IGA[5] data sources and relationships. This lets IGA administrators create customer-friendly report templates.

Enhancements

  • ANALYTICS-459: Report query data is now retained for 30 days for customers using OOTB reports and 90 days for customers with Advanced Reporting[4].

  • ANALYTICS-495: Replace email with username in User Last Login report.

  • ANALYTICS-817[6]: Report authors can now query on "Password Last Changed Time" for user entity.

  • ANALYTICS-818[6]: Report authors can now query on "Password Expiration Time" for user entity.

  • AME-26050: You can now create Next-generation Policy Condition scripts that have access to all common bindings, such as openidm and httpClient. Additionally, some existing bindings have been wrapped to improve usability in scripts.

  • AME-28228: OAuth 2.0 audit logs now include the OAuth 2.0 client ID and any journey associated with the client.

  • AME-29009: When using the new FIDO Metadata Service, if you link to the FIDO metadata using a URL, Advanced Identity Cloud periodically downloads and updates the latest FIDO metadata based on the nextUpdate date specified in the downloaded data.

  • AME-29093: Added configuration for integration with WebAuthn Metadata Services (such as the FIDO Metadata Service). This includes a realm-level WebAuthn Metadata service and a new FIDO Certification Level configuration attribute in the WebAuthn Registration Node.

  • FRAAS-22321: You can now obtain the HTTP client location from the X-Client-Region HTTP header within your scripts and journeys. The X-Client-Region header contains the country (or region) associated with the client’s IP address in the form of a Unicode CLDR region code, such as US or FR. For most countries, these codes correspond directly to ISO-3166-2 codes.

  • FRAAS-23073: The SAML scripting adapter now lets scripts access org.forgerock.http.protocol.*.

  • IAM-3323: You can now use XPath transformation functions with additional Workday application template attributes.

  • IAM-4540: You can now change the border color of a selected input field in journey and end-user pages.

  • IAM-6397: The Advanced Identity Cloud admin UI now lets you page through the list of OAuth 2.0 client profiles.

  • OPENAM-20314: Added the ability to indicate whether an OIDC provider doesn’t return a unique value for the sub claim.

  • OPENAM-22966: Social IDPs now support NONE as a client authentication method. This option should be used if the provider doesn’t require client authentication at the token endpoint.

  • OPENAM-23109: During a WebAuthn registration flow, if Store data in transient state is enabled, the Authenticator Attestation Global Unique Identifier (AAGUID) is now added to the node state under the webauthnData key.

  • OPENIDM-20542: Added a feature service named am/2fa/profiles to expose certain multi-factor attributes on alpha and bravo users.

Fixes

  • ANALYTICS-474: The User Journey Stats report now provides aggregates by outcome in the report result when more than one outcome is selected.

  • ANALYTICS-837: The User Count by Status report now provides aggregates by status in the report result when more than one outcome is selected.

  • ANALYTICS-585[6]: Remove Report Admin and Report Owner group selection when creating a new report.

  • AME-28016: When an invalid redirect URI is provided to the /par endpoint, the URI mismatch error is now redirect_uri_mismatch instead of invalid_request.

  • AME-28017: Advanced Identity Cloud now accepts the requested OAuth 2.0 endpoint as a valid JWT audience claim, as per RFC 7519 and RFC 9126.

  • AME-28906: The stack trace of an authentication exception generated on login failure is now logged only when debug level logging is enabled.

  • AME-29170: On LDAP Decision node login failure, stack traces are now logged at debug level.

  • AME-29504: Fixed issue with script names not displaying in next-generation script logs.

  • AME-29965: The Configuration Provider node now works with the Inner Tree Evaluator node for nested inner journeys.

  • IAM-1782: Long gateway and agent IDs no longer overflow in the Advanced Identity Cloud admin UI.

  • IAM-7523[1]: A user receiving a forwarded fulfillment task now has permission to approve or reject the task.

  • IAM-7537[1]: Governance functionality is now only shown for the alpha realm.

  • IAM-7689[1]: The Advanced Identity Cloud admin UI now displays the Assigned To value in the task list for a user assigned to a role who receives a forwarded fulfillment task.

  • OPENAM-18252: Journeys acting on multiple identities now successfully update universalId in the journey context during the authentication flow.

07 Jan 2025

Version 15726.9

Enhancements

  • OPENDJ-9287: The password validation mechanism has been enhanced to include checks for portions of attribute values within passwords. This improvement ensures that even partial matches between portions of passwords and portions of attribute values are identified and restricted, thereby enhancing security.

    For example, if the password is abcdef and the attribute value is abcdef123, the password is rejected. Similarly, if the password is abcdefAZERTY and the attribute value is abcdef123, the password is rejected.
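
The partial-match check described in OPENDJ-9287, as an added Python example that is not Ping Identity's code: it rejects a password when it shares a long enough fragment with any attribute value, which covers both cases quoted above. The threshold `MIN_SHARED_LEN`, the case-insensitive comparison, the function names, and the sample attributes are assumptions of this example.

```python
from typing import Mapping, Optional, Tuple

# Assumed threshold for this example: the changelog entry does not state how
# long a shared fragment must be before the password is rejected.
MIN_SHARED_LEN = 5


def longest_shared_substring(a: str, b: str) -> str:
    """Return the longest run of characters that occurs in both strings.

    The comparison is case-insensitive (an assumption of this example), and
    the fragment is returned in lower case.
    """
    a_l, b_l = a.lower(), b.lower()
    best_len, best_end = 0, 0
    prev = [0] * (len(b_l) + 1)
    for i in range(1, len(a_l) + 1):
        cur = [0] * (len(b_l) + 1)
        for j in range(1, len(b_l) + 1):
            if a_l[i - 1] == b_l[j - 1]:
                # Extend the common run that ended at the previous characters.
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a_l[best_end - best_len:best_end]


def find_violation(
    password: str,
    attributes: Mapping[str, str],
    min_len: int = MIN_SHARED_LEN,
) -> Optional[Tuple[str, str]]:
    """Return (attribute name, shared fragment) for the first attribute whose
    value overlaps the password by at least min_len characters, else None."""
    if min_len < 1:
        raise ValueError("min_len must be at least 1")
    for name, value in attributes.items():
        if not value:
            continue  # an empty attribute value cannot overlap anything
        shared = longest_shared_substring(password, value)
        if len(shared) >= min_len:
            return name, shared
    return None


# Constructed sample entry, not taken from any real directory.
SAMPLE_ATTRS = {"uid": "abcdef123", "mail": "bjensen@example.com"}

if __name__ == "__main__":
    for candidate in ("abcdef", "abcdefAZERTY", "xxJENSENxx", "Tr0ub4dor&3xyz"):
        hit = find_violation(candidate, SAMPLE_ATTRS)
        verdict = f"rejected, shares {hit[1]!r} with {hit[0]}" if hit else "accepted"
        print(f"{candidate}: {verdict}")
```
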

December 2024

12 Dec 2024

Version 15726.7

Enhancements

  • AME-29769: The Social Provider Handler node has a new configuration option, Store Tokens, that allows access and refresh tokens to be stored in the transient state.

04 Dec 2024

Version 15726.4

Key features

Configure journey to always run (AME-27848)

Added a new setting for journeys to always run regardless of existing user sessions.

SAML application journeys (AME-27850)

Added support for SAML application journeys with a new setting on the remote SP. Configure a specific authentication journey that always runs for users authenticating with your SAML 2.0 app, regardless of existing sessions or configured authentication context.

SAML application script binding (AME-28012)

Added a new samlApplication binding for querying the SAML 2.0 authentication request properties and IdP and SP configuration attributes.

Suspend and resume journeys (OPENAM-21806)

Next-generation decision node scripts can now use the new action.suspend() method to suspend the current authentication session and send a message to the user. Implement custom logic with the resume URI, for example, to send an email or SMS using the HTTP client service.

Enhancements

  • AME-27074: Added a new configProviderScript action to each authentication node endpoint to generate a configuration provider template script. For example, authentication/authenticationtrees/nodes/MessageNode?_action=configProviderScript.

  • AME-28258: Added a new "webAuthnExtensions" input to the WebAuthn Registration and Authentication nodes. This can be set via a Scripted Decision node. It is expected to contain a map of extension name to input. Output is currently not available.

  • AME-28384: The outcome of a Scripted Decision node can now also be a CharSequence type.

  • AME-28777: The refresh token grace period now applies to both client-side refresh tokens and server-side refresh tokens.

  • AME-29157: Authentication nodes with limited possible outcomes are now available to the Configuration Provider node, including:

    The Identity Assertion, Push Wait, and Enable Device Management nodes, which have fixed outcomes, are also now available to the Configuration Provider node.

  • OPENAM-22601: You can now use the next-generation script binding, utils, to generate secure random numbers.

  • OPENAM-22811: NodeState has two new methods: mergeShared(Map<String, Object>) and mergeTransient(Map<String, Object>). Use them to merge keys into the shared/transient state, including objectAttributes keys.

  • OPENDJ-11012: Added support for Microsoft Identity Cloud PBKDF2-SHA512 password scheme in Advanced Identity Cloud.

Fixes

  • AME-25491: The Configuration Provider node script now correctly reads node state after an inner tree callback.

  • AME-28786: Removed several unused UI properties from default social identity provider profiles.

  • AME-29027: WebAuthn attestations containing a self-signed root CA are now rejected instead of silently removed.

  • OPENAM-22465: Fixed error to return invalid_resource_uri when request_uri client doesn’t match request parameter client in PAR authorize request.

  • OPENAM-22675: In next-generation scripting, you can now set a default name correctly when creating a NameCallback.

  • OPENAM-22688: Page node localization now defaults to correct locale when the incoming accepted-language header doesn’t match the node’s language configuration.

November 2024

20 Nov 2024

Version 15472.10

No customer-facing features, enhancements, or fixes released.[2]

18 Nov 2024

Version N/A

Notices

End of life announcement for Autonomous Access and Autonomous Access documentation[7]

Ping Identity announces the planned end of life for the Advanced Identity Cloud Autonomous Access product. The product will reach end of life on October 31, 2025. During the deprecation period, Ping Identity will not provide new patches, updates, or new features for Autonomous Access.

To support our Autonomous Access customers, we’re providing migration assistance to PingOne Protect, an advanced threat detection solution that leverages machine learning to analyze authentication signals and detect abnormal online behavior. PingOne Protect is a well-established product, trusted by hundreds of customers worldwide.

The Autonomous Access documentation has now moved to the documentation archive at https://docs.pingidentity.com/archive/.

For any questions, please contact Ping Identity support.

12 Nov 2024

Version 15472.8

Key features

PingOne Authorize node[8] (TNTP-183)

The new PingOne Authorize node sends a decision request to a specified decision endpoint in your PingOne Authorize environment.

Learn more in PingOne Authorize node.

Enhancements

  • IAM-6388: Added the ability to specify that inner journeys can’t be accessed directly. Learn more in Custom journeys.

  • IAM-7185: The mapping tab for application provisioning now shows the inbound or outbound application type without needing to inspect a drop-down.

  • OPENIDM-19810[8]: The _refProperties of the last relationship field leading to a vertex, whose state is harvested to constitute the RDVP state, can now be included in this RDVP state.

  • OPENIDM-19847[8]: The accountType for application grants is now configured in the object mapping under "accountTypes".

  • OPENIDM-20371[8]: IDM now allows up to 20 indexed string attributes per user in both Alpha and Bravo realms.

  • OPENIDM-20372[8]: IDM now supports up to ten custom relationships per managed object, except for one-to-many relationships.

Fixes

  • IAM-7415: When creating an assignment, the _id is now automatically generated instead of using the name specified.

04 Nov 2024

Version 15312.5

Enhancements

  • IAM-7187: Integration of SAP app template with IDM scripts.

  • IAM-7243[1]: Added text field to utilities category in IGA access request forms.

Fixes

  • IAM-7385: Unable to create user when required boolean property is set to false.

October 2024

29 Oct 2024

Version N/A

Configure PingOne as a federation IdP for Advanced Identity Cloud (FRAAS-17705)

You can now configure PingOne as a federation IdP for Advanced Identity Cloud. After configuration in PingOne, a tenant environment in Advanced Identity Cloud automatically displays PingOne in its list of federation IdPs.

24 Oct 2024

Version N/A

Key features

Proxy Connect (FRAAS-14278)

Ping Identity introduces Proxy Connect, a new add-on capability for Advanced Identity Cloud.

You can use Proxy Connect to configure a proxy service, such as a web application firewall (WAF) or a content delivery network (CDN), in front of your Advanced Identity Cloud tenant environments. This lets you secure traffic to your tenant environments in seamless compliance with the security controls you apply to your company’s other network resources.

16 Oct 2024

Version 15158.8

No customer-facing features, enhancements, or fixes released.[2]

15 Oct 2024

Version 15158.7

Key features

Scripted SAML v2.0 NameID values (AME-25921)

The NameID mapper script lets you customize SAML v2.0 NameID values per application.

Set State node (AME-26443)

The Set State node lets you add attributes to the journey state.

Http Client service (AME-27936)

The new Http Client service lets you create named instances that you can reference from a next-generation script to make mTLS connections to external services.

Learn more in Access HTTP services.

Support for LINE as a social identity provider (AME-28672)

You can now configure a social provider authentication with LINE Login when signing in from a browser. There is a separate configuration for authenticating from a mobile app.

Learn more in Social authentication.

Advanced Reporting (ANALYTICS-763)

Ping Identity introduces Advanced Reporting, a new add-on capability for Advanced Identity Cloud.

Advanced Reporting lets you create custom reports on activity in your tenant environments. You can query a number of metrics to create useful reports for your company.

Learn more in Advanced Reporting.

Identity Governance request and approval forms[1] (IAM-6358)

Identity Governance now lets you create request and approval forms to make it easier for end users to request access to applications.

Learn more in Identity Governance forms.

Additional cloud connectors

The following connectors are now bundled with Advanced Identity Cloud:

  • AWS IAM Identity Center Connector v1.5.20.23 (OPENIDM-20038)

  • Box Connector v1.5.20.23 (OPENIDM-20367)

Learn more in the ICF documentation.

Enable Device Management node (SDKS-2919)

The new Enable Device Management node lets end users manage devices from their account.

Enhancements

  • FRAAS-21728: Updated the cookie domain API to add default values for GET requests where cookie domain values haven’t been overridden by a PUT request. The default values are derived from the existing tenant cookie domain configuration, so they are backward compatible.

  • AME-26594: Added secrets API binding to all next-generation script contexts.

  • AME-27129: Added option to exclude client certificate from SAML hosted SP metadata.

  • AME-27792: Added AM-TREE-LOGIN-COMPLETED audit log event that outputs a result of FAILED.

  • AME-27839: Added the ability to specify connection and response timeouts for Http Client service instances.

  • AME-28008: You can now disable certificate revocation checks, or all certificate checks entirely, on your Http Client service instances.

  • IAM-4753: Added a toggle to the application catalog to hide deprecated templates.

  • OPENIDM-19698: Added ability to use wildcards in the watchedFields property.

  • OPENAM-22666: The well-known endpoint is no longer required when configuring a social identity provider service. If it is not provided, AM uses the client secret for signature verification.

  • SDKS-1752[8]: Enhance WebAuthn Authentication node, OATH Token Verifier node, and Push Result Verifier node to store creation date and last sign-on date.

Fixes

  • FRAAS-16228: Promotions are now halted if the AM CORS service is disabled; the service is essential to the correct functioning of promotions.

  • FRAAS-21715: Environments can now be unlocked if configuration rollback fails because there are no promotions to roll back.

  • OPENAM-15410: Fixed an issue that prevented customization of claims if profile and openid scopes are requested.

  • OPENAM-20609: Fixed inconsistent error message when generating access token using refresh token after changing username.

  • OPENAM-21974: Adds an OAuth 2.0 client configuration for the new version of the LinkedIn provider.

  • OPENAM-22298: Log unretrieved SP and IdP descriptors in SAML2 Authentication node.

  • OPENIDM-19336: Fixed an issue where delegated administrators couldn’t add new users to their organization.

  • OPENIDM-20238: Fixed an issue where clustered reconciliation can fail with "Expecting a Map or List" under specific circumstances.

September 2024

25 Sep 2024

Version 14800.8

No customer-facing issues released.[2]

18 Sep 2024

Version 14800.7

Key features

DocuSign application template (IAM-6194)

The DocuSign application lets you manage DocuSign service accounts and synchronize DocuSign accounts and Advanced Identity Cloud identities.

Enhancements

  • IAM-6493: The PingOne application template now supports specifying an LDAP gateway.

  • IAM-6868: Added screen reader label to end-user access approval button.

  • IAM-6870: Added screen reader label to end-user access request button.

  • IAM-6880: Added a toggle in the hosted pages journey settings to disable the error heading fallback that displays if there is no heading in the page content. (FORGEROCK-1582)

Fixes

  • FRAAS-21713: The promotion process now retries getting an access token from the lower environment, preventing promotion failures.

  • IAM-7033: Unable to save user filter in AD/LDAP app template.

05 Sep 2024

Version 14620.5

No customer-facing issues released.[2]

03 Sep 2024

Version 14620.4

Key features

BeyondTrust application template (IAM-6492)

The BeyondTrust application lets you manage and synchronize data from Advanced Identity Cloud to BeyondTrust.

Enhancements

  • IAM-7011: Older app templates are no longer marked "deprecated".


1. This change applies to a feature only available in PingOne Identity Governance, which is an add-on capability and must be purchased separately.
2. This release focuses on internal improvements and technical updates to enhance the overall stability, performance, and maintainability of the platform. While there are no direct customer-facing changes, these updates lay the groundwork for future feature releases and improvements.
3. This issue is a hotfix so has been released in the rapid and regular channels at the same time.
4. Advanced Reporting is an add-on capability.
5. IGA is an add-on capability.
6. This change applies to a feature only available in Advanced Reporting, which is an add-on capability and must be purchased separately.
7. This feature was removed on November 11, 2024 but the documentation support sites were not yet available.
8. This issue was inadvertently excluded from the rapid changelog.