PingOne Advanced Identity Cloud

Regular channel changelog

Subscribe to get automatic updates: Regular channel changelog RSS feed

For release notes published before May 2024, refer to the Regular channel changelog archive.

November 2024

20 Nov 2024

Version 15472.10

No customer-facing features, enhancements, or fixes released.[1]

November 18, 2024

Version N/A

Notices

End of life for Autonomous Access and Autonomous Access documentation[2]

Ping Identity discontinued support for the Advanced Identity Cloud Autonomous Access product, effective October 31, 2024.

To support our Autonomous Access customers, we’re providing migration assistance to PingOne Protect, an advanced threat detection solution that leverages machine learning to analyze authentication signals and detect abnormal online behavior. PingOne Protect is a well-established product, trusted by hundreds of customers worldwide.

The Autonomous Access documentation has now moved to the documentation archive at https://docs.pingidentity.com/archive/.

For any questions, please contact Ping Identity support.

12 Nov 2024

Version 15472.8

Key features

PingOne Authorize node[3] (TNTP-183)

The new PingOne Authorize node sends a decision request to a specified decision endpoint in your PingOne Authorize environment.

Learn more in PingOne Authorize node.

Enhancements

  • IAM-6388: Added the ability to specify that inner journeys can’t be accessed directly. Learn more in Custom journeys.

  • IAM-7185: The mapping tab for application provisioning now shows the inbound or outbound application type without needing to inspect a drop-down.

  • OPENIDM-19810[3]: The _refProperties of the last relationship field leading to a vertex, whose state is harvested to constitute the RDVP state, can now be included in this RDVP state.

  • OPENIDM-19847[3]: The accountType for application grants is now configured in the object mapping under "accountTypes".

  • OPENIDM-20371[3]: IDM now allows up to 20 indexed string attributes per user in both Alpha and Bravo realms.

  • OPENIDM-20372[3]: IDM now supports up to ten custom relationships per managed object, except for one-to-many relationships.

Fixes

  • IAM-7415: When creating an assignment, the _id is now automatically generated instead of using the name specified.

04 Nov 2024

Version 15312.5

Enhancements

  • IAM-7187: Integration of SAP app template with IDM scripts.

  • IAM-7243[4]: Added text field to utilities category in IGA access request forms.

Fixes

  • IAM-7385: Unable to create user when required boolean property is set to false.

October 2024

29 Oct 2024

Version N/A

Configure PingOne as a federation IdP for Advanced Identity Cloud (FRAAS-17705)

You can now configure PingOne as a federation IdP for Advanced Identity Cloud. After configuration in PingOne, a tenant environment in Advanced Identity Cloud automatically displays PingOne in its list of federation IdPs.

24 Oct 2024

Version N/A

Key features

Proxy Connect (FRAAS-14278)

Ping Identity introduces Proxy Connect, a new add-on capability for Advanced Identity Cloud.

You can use Proxy Connect to configure a proxy service, such as a web application firewall (WAF) or a content delivery network (CDN), in front of your Advanced Identity Cloud tenant environments. This lets you secure traffic to your tenant environments in seamless compliance with the security controls you apply to your company’s other network resources.

16 Oct 2024

Version 15158.8

No customer-facing features, enhancements, or fixes released.[1]

15 Oct 2024

Version 15158.7

Key features

Scripted SAML v2.0 NameID values (AME-25921)

The NameID mapper script lets you customize SAML v2.0 NameID values per application.

Set State node (AME-26443)

The Set State node lets you add attributes to the journey state.

Http Client service (AME-27936)

The new Http Client service lets you create named instances that you can reference from a next-generation script to make mTLS connections to external services.

Learn more in Access HTTP services.

Support for LINE as a social identity provider (AME-28672)

You can now configure a social provider authentication with LINE Login when signing in from a browser. There is a separate configuration for authenticating from a mobile app.

Learn more in Social authentication.

Advanced Reporting (ANALYTICS-763)

Ping Identity introduces Advanced Reporting, a new add-on capability for Advanced Identity Cloud.

Advanced Reporting lets you create custom reports on activity in your tenant environments. You can query a number of metrics to create useful reports for your company.

Learn more in Advanced Reporting.

Identity Governance request and approval forms[4] (IAM-6358)

Identity Governance now lets you create request and approval forms to make it easier for end users to request access to applications.

Learn more in Identity Governance forms.

Additional cloud connectors

The following connectors are now bundled with Advanced Identity Cloud:

  • AWS IAM Identity Center Connector v1.5.20.23 (OPENIDM-20038)

  • Box Connector v1.5.20.23 (OPENIDM-20367)

Learn more in the ICF documentation.

Enable Device Management node (SDKS-2919)

The new Enable Device Management node lets end users manage devices from their account.

Enhancements

  • FRAAS-21728: Updated the cookie domain API to add default values for GET requests where cookie domain values haven’t been overridden by a PUT request. The default values are derived from the existing tenant cookie domain configuration, so are backward compatible.

  • AME-26594: Added secrets API binding to all next-generation script contexts.

  • AME-27129: Added option to exclude client certificate from SAML hosted SP metadata.

  • AME-27792: Added AM-TREE-LOGIN-COMPLETED audit log event that outputs a result of FAILED.

  • AME-27839: Added the ability to specify connection and response timeouts for Http Client service instances.

  • AME-28008: You can now disable certificate revocation checks, or all certificate checks entirely, on your Http Client service instances.

  • IAM-4753: Added a toggle to the application catalog to hide deprecated templates.

  • OPENIDM-19698: Added ability to use wildcards in the watchedFields property.

  • OPENAM-22666: The well-known endpoint is no longer required when configuring a social identity provider service. If it is not provided, AM uses the client secret for signature verification.

  • SDKS-1752[3]: Enhance WebAuthn Authentication node, OATH Token Verifier node, and Push Result Verifier node to store creation date and last sign-on date.

Fixes

  • FRAAS-16228: Promotions are now halted if the AM CORS service is disabled; the service is essential to the correct functioning of promotions.

  • FRAAS-21715: Environments can now be unlocked if configuration rollback fails because there are no promotions to roll back.

  • OPENAM-15410: Fixed an issue that prevented customization of claims if profile and openid scopes are requested.

  • OPENAM-20609: Fixed inconsistent error message when generating access token using refresh token after changing username.

  • OPENAM-21974: Adds an OAuth 2.0 client configuration for the new version of the LinkedIn provider.

  • OPENAM-22298: Log unretrieved SP and IdP descriptors in SAML2 Authentication node.

  • OPENIDM-19336: Fixed an issue where delegated administrators couldn’t add new users to their organization.

  • OPENIDM-20238: Fixed an issue where clustered reconciliation can fail with "Expecting a Map or List" under specific circumstances.

September 2024

25 Sept 2024

Version 14800.8

No customer-facing issues released.[1]

18 Sep 2024

Version 14800.7

Key features

DocuSign application template (IAM-6194)

The DocuSign application lets you manage DocuSign service accounts and synchronize DocuSign accounts and Advanced Identity Cloud identities.

Enhancements

  • IAM-6493: The PingOne application template now supports specifying an LDAP gateway.

  • IAM-6868: Added screen reader label to end-user access approval button.

  • IAM-6870: Added screen reader label to end-user access request button.

  • IAM-6880: Added a toggle in the hosted pages journey settings to disable the error heading fallback that displays if there is no heading in the page content. (FORGEROCK-1582)

Fixes

  • FRAAS-21713: The promotion process now retries getting an access token from the lower environment, preventing promotion failures.

  • IAM-7033: Unable to save user filter in AD/LDAP app template.

05 Sept 2024

Version 14620.5

No customer-facing issues released.[1]

03 Sep 2024

Version 14620.4

Key features

BeyondTrust application template (IAM-6492)

The BeyondTrust application lets you manage and synchronize data from Advanced Identity Cloud to BeyondTrust.

Enhancements

  • IAM-7011: Older app templates are no longer marked "deprecated".

August 2024

20 Aug 2024

Version 14442.2

Enhancements

  • IAM-5233: Update SAP SuccessFactors app template to support connector version 1.5.20.22.

  • IAM-6874: Update journey analytics to use hourly data.

Fixes

  • FRAAS-21318: Promotion report now categorizes AM session service changes correctly.

06 Aug 2024

Version 14260.4

Key features

Adobe Admin Console application template (IAM-6195)

The Advanced Identity Cloud Adobe Admin Console application lets you manage users, groups, and user group memberships between Adobe Admin Console and Advanced Identity Cloud.

Paris added to data residency regions (FRAAS-20850)

The Paris region (europe-west9) is now available. For more information, refer to:

Enhancements

  • AME-26135[3]: The Advanced Identity Cloud admin UI now lets you configure a secret from a secret store for these features:

    • Identity Gateway agents

    • Web and Java agents

    • OAuth 2.0 agents

    You can now optionally set a secret label identifier for these features instead of a manually entered client secret.

  • IAM-4279: Display available ESV placeholders in Decision Node script editor.

  • IAM-4654: Enable creation of all script types in Advanced Identity Cloud admin UI.

Fixes

  • FRAAS-20397: The promotion process now retries tagging the lower environment after a network interruption, preventing blocking promotion failures.

  • IAM-5356: Session logout warning not displaying when maximum idle time set to a higher value than maximum session time.

  • IAM-6628: New draft option shouldn’t exist for out-of-the-box workflows.

  • IAM-6779: Pagination for list of apps not working when there are over 4000 apps.

July 2024

30 Jul 2024

Version 14077.9

No customer-facing issues released.[1]

29 Jul 2024

Version 14077.8

No customer-facing issues released.[1]

23 Jul 2024

Version 14077.0

Fixes

  • FRAAS-20970: The /monitoring/logs endpoint now returns an X-Ratelimit-Limit header with a fixed value of 60. Previously, the value was misleading due to the way it was calculated when scaling an environment’s resources. The X-Ratelimit-Remaining header continues to report the number of requests that may be sent before receiving a rate limited response.

  • FRAAS-20983: Promotion reports now list changes to the default OAuth 2.0 provider.

22 Jul 2024

Version 13945.13

No customer-facing issues released.[1]

11 Jul 2024

Version 13945.9

Key features

Additional cloud connectors

The following connectors are now bundled with Advanced Identity Cloud:

  • Adobe Admin Console connector (OPENIDM-19843)

  • DocuSign connector (OPENIDM-20190)

For more information, refer to the ICF documentation.

Fixes

  • OPENIDM-20142: Resolved a communication failure between Advanced Identity Cloud and RCS instances that could result in a prolonged failure to activate remote connectors.

Changed functionality

  • OPENIDM-20178: You can’t use scope private fields in query filters. For more information, refer to Security Advisory #202402.

10 Jul 2024

Version 13945.8

Key features

Product name change for Identity Cloud (FRAAS-20178)

To align ForgeRock products with Ping family names, ForgeRock Identity Cloud has been renamed to PingOne Advanced Identity Cloud. Name and logo changes have been updated throughout the user interfaces, and documentation updates will occur when the UI changes are released to the regular channel.

For more information, refer to the New names for ForgeRock products FAQ

Organization-based certification[4] (IAM-5237)

Advanced Identity Cloud introduces organization-based certification—​a new Identity Governance feature that lets you configure B2B customers and partners as organizations and allow designated organization administrators to certify access for the users in their organization.

For more information, refer to Certify access by organization.

Segregation of duties (SoD) (IAM-5624)

Advanced Identity Cloud introduces a new Identity Governance compliance feature designed to help you create and manage segregation of duties (SoD) policies and rules. SoD is a crucial practice that ensures no single individual has privileges that could lead to a conflict of interest.

For more information, refer to Configure compliance policies.

Scoping rules[4] (IAM-5629)

Advanced Identity Cloud introduces a new Identity Governance feature that lets you create scoping rules to determine what actions an end user can perform and on what resource.

For more information, refer to Configure scoping rules to resources.

Enhancements

  • IAM-4785: Synchronize only the modified properties on a target source during reconciliation of applications.

  • IAM-5487: Correlation rules moved to the top of the reconciliation settings page.

  • IAM-6231: Scripted Decision Node now updates the list of scripts when a script is added or edited.

  • IAM-6544: Add reviewer column to administrator list view of compliance violations.

Fixes

  • FRAAS-20604: Removed superfluous AM metrics related to token store internals:

    • am_cts_connection_count

    • am_cts_connection_seconds

    • am_cts_connection_seconds_total

    • am_cts_connection_state

    • am_cts_reaper_cache_size

    • am_cts_reaper_deletion

    • am_cts_reaper_deletion_count

    • am_cts_reaper_deletion_total

  • IAM-6135: ESV values containing accents get corrupted by encoding process.

  • IAM-6562: Label duplicated for OAuth 2.0 access token and ID token endpoints.

  • IAM-6669[4]: Badge count of violations in end-user navigation doesn’t update when an action is performed.

01 Jul 2024

Version 13848.13

Fixes

  • OPENIDM-18495[5]: Disable sorting in the connector data tab in the IDM admin UI (native console). (FORGEROCK-1582)

June 2024

26 Jun 2024

Version 13848.8

Key features

Certificate API[6] (FRAAS-7319)

You can now use the certificate API to upload SSL certificates to your tenant environments. You can create the certificates in two ways:

Promotion rollback API (FRAAS-20048)

You can now roll back configuration promotions using the API. You can roll back an environment successively to revert as many previous promotion changes as needed.

For more information, refer to Run a rollback.

New utility binding available for scripting (AME-25519)

You can now use a new utility binding in your scripts to access several common utility classes. For example, the utility binding includes classes for generating random UUIDs and for base64 encoding and decoding.

PingOne Protect nodes (TNTP-180)

The following PingOne Protect nodes are now available in the regular channel:

Before using the PingOne Protect nodes, you must:

Enhancements

  • AME-26199: Added the ability to set additional claims, including non-registered claims, during JWT assertion and generation, as per the specification.

  • AME-26820: Provided library scripts with access to all common script bindings.

  • AME-26993: Enhanced secret mapping for agents. Updating a secret label identifier value now causes any corresponding secret mapping for the previous identifier to also be updated, provided no other agent shares that secret mapping. If another agent shares the secret mapping, PingOne Advanced Identity Cloud creates a new secret mapping for the updated identifier and copies its aliases from the previously shared secret mapping.

  • AME-27346: Renamed Secret ID Identifier to Secret Label Identifier in the SAML remote entity provider configuration.

  • AME-27478: Renamed Client ID Token Public Encryption Key property to ID Token Encryption Public Key in the OAuth 2.0 client configuration.

  • AME-27775: Added scripting thread pool metrics per script context.

  • OPENAM-16564: Enabled next-generation scripts to access the cookies in incoming requests.

  • OPENAM-21800: Added page node functionality to next-generation scripts.

  • OPENAM-21933: Enabled auto-encoding of the httpClient form body in next-generation scripts.

Fixes

  • FRAAS-20786: Fixed the case where a promotion attempts to delete the same application more than once.

  • FRAAS-19461: Fixed an issue where large audit logs could be missing from IGA events and processing.

  • FRAAS-20154: ESVs with special characters are now correctly encoded. The workaround of double-encoding ESVs is no longer required.

  • OPENAM-21748: Restored the missing get wrapper function for HiddenValueCallback in next-generation scripting.

  • OPENAM-21830[3]: Unable to get entitlement info hashmap values in SAML IdPAdapter script

  • OPENAM-21864: Fixed an issue that prevented setting the tracking cookie to resume a journey after returning from a redirect flow.

  • OPENAM-21897: Corrected inconsistent results from the policy evaluateTree endpoint.

  • OPENAM-21951: Enabled setting of the selectedIndex property in a ChoiceCallback in next-generation scripts.

  • OPENAM-22181: Corrected an issue with UMA approve and approveAll requests failing.

  • TNTP-166:

    • Add configuration options to P1 Verify Authentication nodes.

    • Verify code not visible when using QR option.

    • Set claim mapping only in shared state in P1 Proofing node.

18 Jun 2024

Version 13664.10

No customer-facing issues released.[1]

11 Jun 2024

Version 13664.8

Key features

Localize the Advanced Identity Cloud admin UI[3] (IAM-6267)

You can now localize static content and server messages in the Advanced Identity Cloud admin UI to support your company’s tenant administrators in different language locales. The localization is implemented in the same way as the existing localization functionality used by the login and end-user UIs. Refer to Configure tenant localization.

Oracle E-Business Suite app template (IAM-6342)

The Advanced Identity Cloud Oracle E-Business Suite (EBS) application lets you manage and synchronize accounts between EBS and Advanced Identity Cloud.

Enhancements

  • FRAAS-15404: When updating ESV secrets, the API saves a new secret version only when it differs from the previous value.

  • FRAAS-19982: Configuration promotion now fails if Advanced Identity Cloud services do not restart successfully with the new configuration.

  • IAM-6376: In the applications rules tab, you can now configure custom logic to perform specific actions, such as sending an email, when an account is successfully created or updated.

  • IAM-6380: In the applications rules tab, you can now use the provisioning failure rule to configure custom logic to perform specific actions when provisioning fails.

Fixes

  • FRAAS-11180: Authentication session whitelisting is now enabled by default for new tenants

  • IAM-5593: Adding roles to certain objects no longer breaks readable titles

  • IAM-6537: Journey import now alerts users if they try to import a file containing missing references

  • IAM-6548[3]: Advanced Identity Cloud admin UI now loads Identity Gateway profile properties

07 Jun 2024

The following issues were released on May 30, 2024 but inadvertently excluded from the changelog.

Version 13465.7

Key features

Improved promotion of applications (FRAAS-19241)

It is now possible to promote applications via the API and not just the UI.

Additionally, the provisional report has been improved to only show applications that have changed, rather than show all applications in the report.

Epic EMP application template (IAM-2407)

The Advanced Identity Cloud Epic EMP application lets you manage and synchronize data between Epic EMP and Advanced Identity Cloud.

Enhancements

  • IAM-2653: Configure object properties with user-friendly display names.

  • IAM-3857: Application list view displays enabled/disabled status of enterprise apps.

  • IAM-5913[4]: Create custom access request workflows.

Fixes

  • IAM-6264: Approval actions display in the UI even when they are not available due to permissions.

  • IAM-6296: UI doesn’t display paginated results on application data and recon tabs.

  • IAM-6409: Logging out of UI generates malformed redirect realm URLs.

04 Jun 2024

Version 13465.8

No customer-facing issues released.[1]

May 2024

20 May 2024

Version 13313.4

No customer-facing issues released.[1]

20 May 2024

The following issues were released on February 6, 2024 but inadvertently excluded from the changelog.

Key features

Social Provider Handler node (OPENAM-20924)

The new Social Provider Handler node adds an outcome to better handle interruptions in a social authentication journey after requesting profile information.

Enhancements

  • OPENAM-21575: Add org.forgerock.json.jose.jwe.JweHeader to the allowlist for the Scripted Decision node

14 May 2024

Version 13313.2

Key features

Event-based certification[4] (IAM-5148)

Identity Governance now allows tenant administrators to configure certifications that are triggered by specific governance events, a process referred to as event-based certification. This method offers faster certification resolution compared to scheduled—​and often lengthy—​campaigns spanning weeks or months and involving numerous applications, intricate rules, and hundreds of reviewers.

The event-based certifications feature kicks off an identity certification for the following events:

  • User create. Advanced Identity Cloud detects when a user account has been created.

  • User modify. Advanced Identity Cloud detects when an existing user account has been modified or updated.

  • Attribute change. Advanced Identity Cloud detects changes in the attributes of an existing user account.

  • User delete/deactivate. Advanced Identity Cloud detects if a user account has been deleted or deactivated.

For more information, refer to Certify access by event.

Grant entitlements to users and roles[4] (IAM-5146)

Identity Governance now allows tenant administrators to carry out more fine-grained entitlement grants for their user accounts. Tenant administrators can now:

  • Create a role and grant entitlements to the role.

  • Revoke entitlements in a role.

  • Grant entitlements to a user account.

  • Revoke entitlements from a user account.

For more information, refer to Manage entitlements.

Authenticate gateway and agent profiles with a shared secret (IAM-5833)

The Advanced Identity Cloud admin UI for gateways and agents now lets you authenticate with a shared secret instead of a password. Use this to set the label for the shared secret.

Authenticate OAuth 2.0 applications with a shared secret (IAM-6028)

The Advanced Identity Cloud admin UI for OAuth 2.0 applications now lets you authenticate with a shared secret instead of a password. Use this to set the label for the shared secret.

Enhancements

  • IAM-3199: HTML styling in the Message node journey editor allows you to left justify text.

Fixes

  • FRAAS-19334: Failure to look up service account names following changes applied through the ESV API.

  • IAM-5079[4]: End-user roles page sometimes shows role grants as conditional even when the grants are direct.

  • IAM-5363[4]: Show the total number of approvals and access reviews in the inbox.

  • IAM-5858[4]: Missing support for access request global configuration options.

  • IAM-6138[4]: The governance events filter builder incorrectly validates before and after properties in the user created state.

  • IAM-6176[4]: The end-user access request rejection is missing a justification message.

  • IAM-6203[4]: The governance events filter doesn’t use after temporal values for user created flows.

  • IAM-6209: The Advanced Identity Cloud admin UI navigation panel text appears when the panel is collapsed.

  • OPENIDM-19879: Identity management reconciliation service processes additional source query pages whenever a query returns a pagedResultsCookie.

  • OPENIDM-19924: Unnecessary quotes not being removed from email addresses.

  • TNTP-166:

    • Add configuration options to P1 Verify Authentication nodes.

    • Verify code not visible when using QR option.

    • Set claim mapping only in shared state in P1 Proofing node.

02 May 2024

Version 13162.12

Fixes

  • FRAAS-19593: The promotion API incorrectly reports as ready, resulting in a blocking promotion failure when trying to promote (FORGEROCK-1319)

01 May 2024

Version 13162.0

Key features

Identity Assertion node (AME-26821)

The new Identity Assertion node provides a secure communication channel for authentication journeys to communicate directly with PingGateway.

PingOne Verify service (TNTP-118)

The PingOne Verify service lets you configure and use PingOne Verify nodes (PingOne Verify Authentication node and PingOne Verify Proofing node) in your authentication journeys.

For more information, refer to PingOne Verify service.

PingOne nodes (TNTP-119)
PingOne node

The PingOne node node establishes trust between PingOne and Advanced Identity Cloud by leveraging a federated connection. For more information, refer to PingOne node.

PingOne DaVinci API node

The PingOne DaVinci API node node lets an Advanced Identity Cloud journey trigger a PingOne DaVinci flow through the API integration method. For more information, refer to PingOne DaVinci API node.

Enhancements

  • AME-26085: SAML v2.0 NameID mapping can be configured per SP

  • AME-27126: A SAML SP can now authenticate to IDPs using mutual TLS (mTLS) when making an artifact resolution request.

  • AME-27133: "Secret ID" has been renamed to "Secret Label" for secret mappings

  • The following services now support configuration using the Secrets API:

    • AME-16536: The OAuth 2.0 provider hash salt secret

    • AME-25885: The persistent cookie core authentication attribute

    • AME-26110: The client-side session signing key

    • AME-26134: The social provider service

    • AME-26441: The new CAPTCHA node (replaces the legacy CAPTCHA node)

    • AME-26442: The OIDC Token Validator node now lets you store the client secret in any type of secret store

    • AME-26633: The OAuth 2.0 client clientJwtPublicKey

    • AME-26637: The OAuth 2.0 client idTokenPublicEncryptionKey

    • AME-26639: OAuth 2.0 client mTLS self-signed certificates

    • AME-26668: The post authentication process (PAP) replay password

    • AME-26670: The web agents replay password key

    • AME-26998: The OAuth 2.0 client secret

  • The following services now support rotation of secrets using secret versions:

    • AME-25988: The persistent cookie encryption secret

    • AME-26999: OAuth 2.0 client secrets

    • AME-27000: OAuth 2.0 client clientJwtPublicKey

    • AME-27001: OAuth 2.0 client mTLS self-signed certificates

  • OPENAM-21031: The performance of Google KMS has been improved by the introduction of caching.

Fixes

  • FRAAS-19596: Promotion report should include changes to realm authentication settings.

  • OPENAM-21473: If you set the collection method of a Certificate Collector node to REQUEST, HEADER, or EITHER, and the certificate is not provided in the request or in the header, the node now returns a status of Not collected.


1. This release focuses on internal improvements and technical updates to enhance the overall stability, performance, and maintainability of the platform. While there are no direct customer-facing changes, these updates lay the groundwork for future feature releases and improvements.
2. This feature was removed on November 11, 2024 but the documentation support sites were not yet available.
3. This issue was inadvertently excluded from the rapid changelog.
4. This issue applies to a feature only available in PingOne Identity Governance, which must be purchased separately.
5. This issue is a hotfix so has been released in the rapid and regular channels at the same time.
6. This feature was released earlier but the required scopes were not yet available.