Regular channel changelog

FRAAS-23812: You can now disable header-rules after disabling proxy-connect ip-rules.

FRAAS-23375: You can now obtain the HTTP client location from the X-Client-City & X-Client-City-Lat-Long HTTP headers in Advanced Identity Cloud scripts and journeys.

IAM-6833 : Made existing synchronization tokens editable for incremental reconciliations.

IAM-7223^[2]: Added the ability to set user, role, organization, application, or entitlement objects to provide predefined values for select and multiselect fields in request forms.

IAM-7454: The inbound mapping for all application templates and scripted application templates has now been configured to make fewer connector requests.

FRAAS-23780^[3]: Optimized network utilization to distribute workloads more effectively.

IAM-5242: The Previous link in the New Script modal now always shows the previous step.

IAM-5482: Password policy no longer allows Password length to be set as an empty string.

IAM-7799: Identity attributes with Time and DateTime format now trigger change events only when a change occurs.

ANALYTICS-459: Report query data is now retained for 30 days for customers using OOTB reports and 90 days for customers with Advanced Reporting^[4].

ANALYTICS-495: Replace email with username in User Last Login report.

ANALYTICS-817^[6]: Report authors can now query on "Password Last Changed Time" for user entity.

ANALYTICS-818^[6]: Report authors can now query on "Password Expiration Time" for user entity.

AME-26050: You can now create Next-generation Policy Condition scripts that have access to all common bindings, such as openidm and httpClient. Additionally, some existing bindings have been wrapped to improve usability in scripts.

AME-28228: OAuth 2.0 audit logs now include the OAuth 2.0 client ID and any journey associated with the client.

AME-29009: When using the new FIDO Metadata Service, if you link to the FIDO metadata using a URL, Advanced Identity Cloud periodically downloads and updates the latest FIDO metadata based on the nextUpdate date specified in the downloaded data.

AME-29093: Added configuration for integration with WebAuthn Metadata Services (such as the FIDO Metadata Service). This includes a realm-level WebAuthn Metadata service and a new FIDO Certification Level configuration attribute in the WebAuthn Registration Node.

FRAAS-22321: You can now obtain the HTTP client location from the X-Client-Region HTTP header within your scripts and journeys. The X-Client-Region header contains the country (or region) associated with the client’s IP address in the form of a Unicode CLDR region code, such as US or FR. For most countries, these codes correspond directly to ISO-3166-2 codes.

FRAAS-23073: The SAML scripting adapter now lets scripts access org.forgerock.http.protocol.*.

IAM-3323: You can now use XPath transformation functions with additional Workday application template attributes.

IAM-4540: You can now change the border color of a selected input field in journey and end-user pages.

IAM-6397: The Advanced Identity Cloud admin UI now lets you page through the list of OAuth 2.0 client profiles.

OPENAM-20314: Added the ability to indicate whether an OIDC provider doesn’t return a unique value for the sub claim.

OPENAM-22966: Social IDPs now support NONE as a client authentication method. This option should be used if the provider doesn’t require client authentication at the token endpoint.

OPENAM-23109: During a WebAuthn registration flow, if Store data in transient state is enabled, the Authenticator Attestation Global Unique Identifier (AAGUID) is now added to the node state under the webauthnData key.

OPENIDM-20542: Added a feature service named am/2fa/profiles to expose certain multi-factor attributes on alpha and bravo users.

ANALYTICS-474: The User Journey Stats report now provides aggregates by outcome in the report result when more than one outcome is selected.

ANALYTICS-837: The User Count by Status report now provides aggregates by status in the report result when more than one outcome is selected

ANALYTICS-585^[6]: Remove Report Admin and Report Owner group selection when creating a new report.

AME-28016: When an invalid redirect URI is provided to the /par endpoint, the URI mismatch error is now redirect_uri_mismatch instead of invalid_request.

AME-28017: Advanced Identity Cloud now accepts the requested OAuth 2.0 endpoint as a valid JWT audience claim, as per RFC 7519 and RFC 9126.

AME-28906: The stack trace of an authentication exception generated on login failure is now logged only when debug level logging is enabled.

AME-29170: On LDAP Decision node login failure, stack traces are now logged at debug level.

AME-29504: Fixed issue with script names not displaying in next-generation script logs.

AME-29965: The Configuration Provider node now works with the Inner Tree Evaluator node for nested inner journeys.

IAM-1782: Long gateway and agent IDs no longer overflow in the Advanced Identity Cloud admin UI.

IAM-7523^[2]: A user receiving a forwarded fulfillment task now has permission to approve or reject the task.

IAM-7537^[2]: Governance functionality is now only shown for the alpha realm.

IAM-7689^[2]: The Advanced Identity Cloud admin UI now displays the Assigned To value in the task list for a user assigned to a role who receives a forwarded fulfillment task.

OPENAM-18252: Journeys acting on multiple identities now successfully update universalId in the journey context during the authentication flow.

OPENDJ-9287: The password validation mechanism has been enhanced to include checks for portions of attribute values within passwords. This improvement ensures that even partial matches between portions of passwords and portions of attribute values are identified and restricted, thereby enhancing security.

AME-29769: The Social Provider Handler node has a new configuration option, Store Tokens, that allows access and refresh tokens to be stored in the transient state.

AME-27074: Added a new configProviderScript action to each authentication node endpoint to generate a configuration provider template script For example, authentication/authenticationtrees/nodes/MessageNode?_action=configProviderScript.

AME-28258: Added a new "webAuthnExtensions" input to the WebAuthn Registration and Authentication nodes. This can be set via a Scripted Decision node. It is expected to contain a map of extension name to input. Output is currently not available.

AME-28384: The outcome of a Scripted Decision node can now also be a CharSequence type.

AME-28777: The refresh token grace period now applies to both client-side refresh tokens and server-side refresh tokens.

AME-29157: Authentication nodes with limited possible outcomes are now available to the Configuration Provider node, including:

OPENAM-22601: You can now use the next-generation script binding, utils, to generate secure random numbers.

OPENAM-22811: NodeState has two new methods: mergeShared(Map<String, Object>) and mergeTransient(Map<String, Object>). Use them to merge keys into the shared/transient state, including objectAttributes keys.

OPENDJ-11012: Added support for Microsoft Identity Cloud PBKDF2-SHA512 password scheme in Advanced Identity Cloud.

AME-25491: The Configuration Provider node script now correctly reads node state after an inner tree callback.

AME-28786: Removed several unused UI properties from default social identity provider profiles.

AME-29027: WebAuthN attestations containing a self-signed root CA are now rejected instead of silently removed.

OPENAM-22465: Fixed error to return invalid_resource_uri when request_uri client doesn’t match request parameter client in PAR authorize request.

OPENAM-22675: In next-generation scripting, you can now set a default name correctly when creating a NameCallback.

OPENAM-22688: Page node localization now defaults to correct locale when the incoming accepted-language header doesn’t match the node’s language configuration.

IAM-6388: Added the ability to specify that inner journeys can’t be accessed directly. Learn more in Custom journeys.

IAM-7185: The mapping tab for application provisioning now shows the inbound or outbound application type without needing to inspect a drop-down.

OPENIDM-19810^[8]: The _refProperties of the last relationship field leading to a vertex, whose state is harvested to constitute the RDVP state, can now be included in this RDVP state.

OPENIDM-19847^[8]: The accountType for application grants is now configured in the object mapping under "accountTypes".

OPENIDM-20371^[8]: IDM now allows up to 20 indexed string attributes per user in both Alpha and Bravo realms.

OPENIDM-20372^[8]: IDM now supports up to ten custom relationships per managed object, except for one-to-many relationships.

IAM-7415: When creating an assignment, the _id is now automatically generated instead of using the name specified.

IAM-7187: Integration of SAP app template with IDM scripts.

IAM-7243^[2]: Added text field to utilities category in IGA access request forms.

IAM-7385: Unable to create user when required boolean property is set to false.

FRAAS-21728: Updated the cookie domain API to add default values for GET requests where cookie domain values haven’t been overridden by a PUT request. The default values are derived from the existing tenant cookie domain configuration, so are backward compatible.

AME-26594: Added secrets API binding to all next-generation script contexts.

AME-27129: Added option to exclude client certificate from SAML hosted SP metadata.

AME-27792: Added AM-TREE-LOGIN-COMPLETED audit log event that outputs a result of FAILED.

AME-27839: Added the ability to specify connection and response timeouts for Http Client service instances.

AME-28008: You can now disable certificate revocation checks, or all certificate checks entirely, on your Http Client service instances.

IAM-4753: Added a toggle to the application catalog to hide deprecated templates.

OPENIDM-19698: Added ability to use wildcards in the watchedFields property.

OPENAM-22666: The well-known endpoint is no longer required when configuring a social identity provider service. If it is not provided, AM uses the client secret for signature verification.

SDKS-1752^[8]: Enhance WebAuthn Authentication node, OATH Token Verifier node, and Push Result Verifier node to store creation date and last sign-on date.

FRAAS-16228: Promotions are now halted if the AM CORS service is disabled; the service is essential to the correct functioning of promotions.

FRAAS-21715: Environments can now be unlocked if configuration rollback fails because there are no promotions to roll back.

OPENAM-15410: Fixed an issue that prevented customization of claims if profile and openid scopes are requested.

OPENAM-20609: Fixed inconsistent error message when generating access token using refresh token after changing username.

OPENAM-21974: Adds an OAuth 2.0 client configuration for the new version of the LinkedIn provider.

OPENAM-22298: Log unretrieved SP and IdP descriptors in SAML2 Authentication node.

OPENIDM-19336: Fixed an issue where delegated administrators couldn’t add new users to their organization.

OPENIDM-20238: Fixed an issue where clustered reconciliation can fail with "Expecting a Map or List" under specific circumstances.

IAM-6493: The PingOne application template now supports specifying an LDAP gateway.

IAM-6868: Added screen reader label to end-user access approval button.

IAM-6870: Added screen reader label to end-user access request button.

IAM-6880: Added a toggle in the hosted pages journey settings to disable the error heading fallback that displays if there is no heading in the page content. (FORGEROCK-1582)

FRAAS-21713: The promotion process now retries getting an access token from the lower environment, preventing promotion failures.

IAM-7033: Unable to save user filter in AD/LDAP app template.

IAM-7011: Older app templates are no longer marked "deprecated".

IAM-5233: Update SAP SuccessFactors app template to support connector version 1.5.20.22.

IAM-6874: Update journey analytics to use hourly data.

FRAAS-21318: Promotion report now categorizes AM session service changes correctly.

AME-26135^[8]: The Advanced Identity Cloud admin UI now lets you configure a secret from a secret store for these features:

IAM-4279: Display available ESV placeholders in Decision Node script editor.

IAM-4654: Enable creation of all script types in Advanced Identity Cloud admin UI.

FRAAS-20397: The promotion process now retries tagging the lower environment after a network interruption, preventing blocking promotion failures.

IAM-5356: Session logout warning not displaying when maximum idle time set to a higher value than maximum session time.

IAM-6628: New draft option shouldn’t exist for out-of-the-box workflows.

IAM-6779: Pagination for list of apps not working when there are over 4000 apps.

FRAAS-20970: The /monitoring/logs endpoint now returns an X-Ratelimit-Limit header with a fixed value of 60. Previously, the value was misleading due to the way it was calculated when scaling an environment’s resources. The X-Ratelimit-Remaining header continues to report the number of requests that may be sent before receiving a rate limited response.

FRAAS-20983: Promotion reports now list changes to the default OAuth 2.0 provider.

OPENIDM-20142: Resolved a communication failure between Advanced Identity Cloud and RCS instances that could result in a prolonged failure to activate remote connectors.

OPENIDM-20178: You can’t use scope private fields in query filters. For more information, refer to Security Advisory #202402.

IAM-4785: Synchronize only the modified properties on a target source during reconciliation of applications.

IAM-5487: Correlation rules moved to the top of the reconciliation settings page.

IAM-6231: Scripted Decision Node now updates the list of scripts when a script is added or edited.

IAM-6544: Add reviewer column to administrator list view of compliance violations.

FRAAS-20604: Removed superfluous AM metrics related to token store internals:

IAM-6135: ESV values containing accents get corrupted by encoding process.

IAM-6562: Label duplicated for OAuth 2.0 access token and ID token endpoints.

IAM-6669^[2]: Badge count of violations in end-user navigation doesn’t update when an action is performed.

OPENIDM-18495^[3]: Disable sorting in the connector data tab in the IDM admin UI (native console). (FORGEROCK-1582)

AME-26199: Added the ability to set additional claims, including non-registered claims, during JWT assertion and generation, as per the specification.

AME-26820: Provided library scripts with access to all common script bindings.

AME-26993: Enhanced secret mapping for agents. Updating a secret label identifier value now causes any corresponding secret mapping for the previous identifier to also be updated, provided no other agent shares that secret mapping. If another agent shares the secret mapping, PingOne Advanced Identity Cloud creates a new secret mapping for the updated identifier and copies its aliases from the previously shared secret mapping.

AME-27346: Renamed Secret ID Identifier to Secret Label Identifier in the SAML remote entity provider configuration.

AME-27478: Renamed Client ID Token Public Encryption Key property to ID Token Encryption Public Key in the OAuth 2.0 client configuration.

AME-27775: Added scripting thread pool metrics per script context.

OPENAM-16564: Enabled next-generation scripts to access the cookies in incoming requests.

OPENAM-21800: Added page node functionality to next-generation scripts.

OPENAM-21933: Enabled auto-encoding of the httpClient form body in next-generation scripts.

FRAAS-20786: Fixed the case where a promotion attempts to delete the same application more than once.

FRAAS-19461: Fixed an issue where large audit logs could be missing from IGA events and processing.

FRAAS-20154: ESVs with special characters are now correctly encoded. The workaround of double-encoding ESVs is no longer required.

OPENAM-21748: Restored the missing get wrapper function for HiddenValueCallback in next-generation scripting.

OPENAM-21830^[8]: Unable to get entitlement info hashmap values in SAML IdPAdapter script

OPENAM-21864: Fixed an issue that prevented setting the tracking cookie to resume a journey after returning from a redirect flow.

OPENAM-21897: Corrected inconsistent results from the policy evaluateTree endpoint.

OPENAM-21951: Enabled setting of the selectedIndex property in a ChoiceCallback in next-generation scripts.

OPENAM-22181: Corrected an issue with UMA approve and approveAll requests failing.

TNTP-166:

FRAAS-15404: When updating ESV secrets, the API saves a new secret version only when it differs from the previous value.

FRAAS-19982: Configuration promotion now fails if Advanced Identity Cloud services do not restart successfully with the new configuration.

IAM-6376: In the applications rules tab, you can now configure custom logic to perform specific actions, such as sending an email, when an account is successfully created or updated.

IAM-6380: In the applications rules tab, you can now use the provisioning failure rule to configure custom logic to perform specific actions when provisioning fails.

FRAAS-11180: Authentication session whitelisting is now enabled by default for new tenants

IAM-5593: Adding roles to certain objects no longer breaks readable titles

IAM-6537: Journey import now alerts users if they try to import a file containing missing references

IAM-6548^[8]: Advanced Identity Cloud admin UI now loads Identity Gateway profile properties

IAM-2653: Configure object properties with user-friendly display names.

IAM-3857: Application list view displays enabled/disabled status of enterprise apps.

IAM-5913^[2]: Create custom access request workflows.

IAM-6264: Approval actions display in the UI even when they are not available due to permissions.

IAM-6296: UI doesn’t display paginated results on application data and recon tabs.

IAM-6409: Logging out of UI generates malformed redirect realm URLs.

OPENAM-21575: Add org.forgerock.json.jose.jwe.JweHeader to the allowlist for the Scripted Decision node

IAM-3199: HTML styling in the Message node journey editor allows you to left justify text.

FRAAS-19334: Failure to look up service account names following changes applied through the ESV API.

IAM-5079^[2]: End-user roles page sometimes shows role grants as conditional even when the grants are direct.

IAM-5363^[2]: Show the total number of approvals and access reviews in the inbox.

IAM-5858^[2]: Missing support for access request global configuration options.

IAM-6138^[2]: The governance events filter builder incorrectly validates before and after properties in the user created state.

IAM-6176^[2]: The end-user access request rejection is missing a justification message.

IAM-6203^[2]: The governance events filter doesn’t use after temporal values for user created flows.

IAM-6209: The Advanced Identity Cloud admin UI navigation panel text appears when the panel is collapsed.

OPENIDM-19879: Identity management reconciliation service processes additional source query pages whenever a query returns a pagedResultsCookie.

OPENIDM-19924: Unnecessary quotes not being removed from email addresses.

TNTP-166:

FRAAS-19593: The promotion API incorrectly reports as ready, resulting in a blocking promotion failure when trying to promote (FORGEROCK-1319)

AME-26085: SAML v2.0 NameID mapping can be configured per SP

AME-27126: A SAML SP can now authenticate to IDPs using mutual TLS (mTLS) when making an artifact resolution request.

AME-27133: "Secret ID" has been renamed to "Secret Label" for secret mappings

The following services now support configuration using the Secrets API:

The following services now support rotation of secrets using secret versions:

OPENAM-21031: The performance of Google KMS has been improved by the introduction of caching.

FRAAS-19596: Promotion report should include changes to realm authentication settings.

OPENAM-21473: If you set the collection method of a Certificate Collector node to REQUEST, HEADER, or EITHER, and the certificate is not provided in the request or in the header, the node now returns a status of Not collected.