Rapid channel changelog archive

TNTP-166:

FRAAS-19593: The promotion API incorrectly reports as ready, resulting in a blocking promotion failure when trying to promote. (FORGEROCK-1319)

OPENIDM-19879: Identity Management reconciliation service processes additional source query pages whenever a query returns a pagedResultsCookie.

OPENIDM-19924: Unnecessary quotes not being removed from email addresses.

OPENAM-21031: The performance of Google KMS has been improved by the introduction of caching.

AME-27126: A SAML SP can now authenticate to IDPs using mutual TLS (mTLS) when making an artifact resolution request.

IAM-3199: HTML styling in the Message node journey editor allows you to left justify text.

FRAAS-19334: Failure to look up service account names following changes applied through the ESV API.

IAM-5079^[2]: End-user roles page sometimes shows role grants as conditional even when the grants are direct.

IAM-5363^[2]: Show the total number of approvals and access reviews in the inbox.

IAM-5858^[2]: Missing support for access request global configuration options.

IAM-6138^[2]: The governance events filter builder incorrectly validates before and after properties in the user created state.

IAM-6176^[2]: The end-user access request rejection is missing a justification message.

IAM-6203^[2]: The governance events filter doesn’t use after temporal values for user created flows.

IAM-6209: The Advanced Identity Cloud admin UI navigation panel text appears when the panel is collapsed.

OPENAM-21473: If you set the collection method of a Certificate Collector node to REQUEST, HEADER, or EITHER, and the certificate is not provided in the request or in the header, the node now returns a status of Not collected.

SDKS-2935: The Device Binding node now gracefully handles the case of a user being set to inactive.

FRAAS-19596: Configuration promotion report should include changes to realm authentication settings.

AME-26085: SAML v2.0 NameID mapping can be configured per SP

AME-27133: "Secret ID" has been renamed to "Secret Label" for secret mappings

The following services now support configuration using the Secrets API:

The following services now support rotation of secrets using secret versions:

FRAAS-19566: Add _sortKeys query parameter to ESV API

AME-26130^[3]: Updated the PUSH Notification service to store access keys as a secret

AME-25906^[3]: Updated Identity Gateway agents to store credentials as a secret

IAM-4585: Request and approvals page now shows the current and past approvers, their decisions, and the dates

IAM-4968: Expose additional top-level parameters in the advanced section of mapping pages

IAM-5769: Add grouping logic to journey node items

IAM-5674: Target application can use ONBOARD action for FOUND situation

IAM-5814: Allow fixed application usernames to be chosen for custom SAML apps

OPENAM-21575^[3]: Added org.forgerock.json.jose.jwe.JweHeader to the allowlist for Scripted Decision nodes

AME-25915^[3]: Assertion consumer processing fails if NameID format not present in the assertion response

IAM-3927^[2]: Identity Governance now enforces mandatory comments (if configured) for revoke and allow exceptions

IAM-4309: Access reviews no longer display the internal lastSync user attribute

IAM-4762: Authoritative apps are now requestable

IAM-4986: Platform UI can now determine whether to use a pagedResultsCookie or offset for paging results

IAM-5076: "Abstain from action" option no longer displays when a campaign has expired

IAM-5362: Marking a property as an authoritative app entitlement no longer causes target app config to be generated

IAM-5413: Account deprovisioning now works in AD/LDAP after deleting a user identity

IAM-5794: Border color of sign-in input fields in hosted pages can now be overridden in themes

IAM-5875: Journey editor no longer orphans deleted nodes

FRAAS-19414: You can now configure custom domains directly in all environments without needing to create ESVs or promote configurations. Existing custom domains will be migrated automatically.

OPENIDM-19921: The following connectors included with Advanced Identity Cloud were upgraded to 1.5.20.21:

FRAAS-19341: ESV support for AES keys through the base64aes encoding type

IAM-5602: Add functionality for viewing and deleting user’s trusted devices in Advanced Identity Cloud admin UI

The following services now support setting secrets using the secrets API rather than setting secrets in the service configuration:

The following nodes now support setting their secrets using the secrets API rather than setting secrets in the node configuration:

AME-26041: Enhanced handling of agents secret mappings – if you update or delete a secret label identifier, any corresponding secret mapping for the previous identifier is updated or deleted, provided no other agent shares that secret mapping

AME-25434: New Request Header node lets you inject values into shared state based on request header values

AME-26039: Added LDAP Affinity Level configuration option to the LDAP Decision node, to enable affinity-based load balancing for BIND requests

OPENAM-21768: Added org.forgerock.opendj.ldap.Rdn and org.forgerock.opendj.ldap.Dn classes to the allowlist for all script contexts

AME-24760: Inner nodes of a PageNode don’t independently audit node-login-complete events

AME-26158: Exception thrown when generating a Signed JWT with no encryption within a next-gen script called by a Scripted Journey node

OPENAM-17315: Scripts used to call 'response.getEntity()' in the past should now use 'response.getEntity().getString()' instead

OPENAM-21856: Introspecting stateless token with IG/Web agents causes OAuth2ChfException

IAM-4257: Azure AD app template updates

IAM-4342: MSGraphAPI connector includes a new optional licenseCacheExpiryTime configuration property

IAM-4892: Salesforce app template updates

IAM-4900: UI has been updated to show the Advanced Identity Cloud build number

IAM-5033: Added new "Remember my username" checkbox to authentication trees

IAM-5287: Updated username, password, and KBA heading size on the profile page to improve accessibility

IAM-5334: Expose "Guarded String" as an object type property for Scripted Groovy, ScriptedREST, ScriptedSQL, CSV, Database table, and SCIM connectors

IAM-5459: KBA answer field now contains question context

IAM-5461: Custom errors sent as TextOutputCallback.ERROR are now rendered as primary login errors, improving screen reader accessibility feature

IAM-5503: Rename Orchestrations to Workflows

IAM-5563: Google Apps app template updates

IAM-5603: Create device details modal for managed user identities

IAM-5606: Add "POWERED BY" metadata to marketplace nodes

IAM-5748: Make "PingOne" a special case on the federation providers page

IAM-5598: Styled terms and conditions included in a journey causes authenticate calls to fail

IAM-5611: Can’t revoke custom apps from roles or edit them from the role view

IAM-5641: Custom endpoints search returns endpoints created by other areas of the UI

IAM-5692: Console errors when opening the Add user modal for Bravo realm

IAM-5767: SAML SSO is not used when an application is saved from another tab after SSO setup

IAM-5873: Hosted page may fail to match user locale

OPENIDM-19405: Allow email addresses to contain non-ASCII characters for supported SMTP providers

FRAAS-18455: Prevent the latest version of a secret from being deleted

FRAAS-18788: Add AWS, GCP, and SAP S/4HANA connectors to Advanced Identity Cloud

FRAAS-18693: Validation bug prevents use of the base64encodedinlined and keyvaluelist ESV expression types

FRAAS-18414: Changes to an out-of-the-box journey can be incorrectly reported against both realms

FRAAS-18526: Script library functionality can’t be used in the UI in certain environments

OPENIDM-17878^[4]: Allow access to operational attributes in the Advanced Identity Cloud data store

OPENIDM-18645^[4]: Add ESV support to oauthProxy script

OPENIDM-18743^[4]: Attempts to use connectors fail with null pointer exceptions when operationOptions is defined in the provisioner configuration

AME-25906: Add the ability to configure the password for authenticating to an Identity Gateway agent as an ESV secret

AME-26130: Add the ability to configure the SNS access key secret for the push notification service to use an ESV secret

OPENAM-21575: Add org.forgerock.json.jose.jwe.JweHeader to the class allowlist for Scripted Decision node

AME-25915: SAML flow fails if a NameIDFormat element is not present in an assertion response

FRAAS-18464: Sandbox debug logging level set to WARN instead of DEBUG

IAM-5656: Fix alignment of text, buttons, and links in Message nodes

IAM-5660: Hosted pages not displaying list of themes

OPENAM-20924: Social Provider Handler node does not let end user switch to a different IdP

AME-26117: Updated nodes relating to one-time passwords to use secret labels for passwords. Refer to OTP Email Sender node and OTP SMS Sender node.

FRAAS-18271: Added the org.forgerock.opendj.ldap.Dn and org.forgerock.opendj.ldap.Rdn classes to all script contexts

OPENIDM-19674: The relationship-defined virtual property (RDVP) schema editor allows you to edit the flattenProperties property. The managed object schema editor allows you to edit the notifyRelationships property.

OPENIDM-18957: The scheduler now attempts to release any triggers it attempted to acquire during a timeout due to an unresponsive repository

OPENIDM-19141: Workflow engine queries now properly honor tablePrefix and tablePrefixIsSchema configuration options

OPENIDM-19279: Resource collection is required to create a relationship

OPENIDM-19565: The default apiVersion configuration has been updated with additional resource paths

FRAAS-18398: Allow the HTTP OPTIONS method on calls to /openidm/config/* endpoints for CORS preflight checks

OPENAM-21856: Introspecting stateless token with IG/Web agents will cause OAuth2ChfException

FRAAS-7382: Add ability to include JavaScript snippets in login and end-user UIs

IAM-4514^[2]: Allow reviewers to add user, entitlement, and role columns to an access review

IAM-4739: Add read schema option to SCIM application template to discover custom schemas/attributes

IAM-5201: Focus on first input field or button automatically upon page load

IAM-5268: Add source-missing situation rule to authoritative applications

FRAAS-16659: ESV mapping updates aren’t captured in promotions report

IAM-4810: Custom endpoint UI missing context option

IAM-5072: Inbound mapping tab shows in target applications

IAM-5171: Azure Active Directory application template doesn’t return a user’s role membership

IAM-5187: LDAP v2.1 application template doesn’t clear dc=example,dc=com base DN

IAM-5238: LDAP application template is missing the group object classes property

IAM-5422^[2]: Entitlement owner doesn’t show in the entitlement list

FRAAS-18108: Add warning to the Set up 2-step verification screen to indicate that 2-step verification will be enforced as of March 1, 2024

IAM-5275^[5]: Advanced Identity Cloud admin UI doesn’t add query parameters to the logout URL

IAM-4511: Hide fields in the Users & Roles tab when editing and creating unreadable properties

IAM-4615: Add a "Skip to main content" link to page headers

IAM-4991: When a suspendedId is in use, redirect to failureUrl fails

IAM-5075: Login messages are read twice by screen readers

IAM-5186: User identity related values aren’t saved after removal

FRAAS-17883: Tenant administrators cannot save edits to their personal information

IAM-5226: Tenant administrator security questions should not be shown when editing personal information

IAM-5240: No error message displays when a tenant administrator fails to save edits to their personal information

FRAAS-3841: Activate and deactivate journeys in the Advanced Identity Cloud admin UI. Refer to Deactivate journeys.

IAM-4191: Allow tenant session cookie name to be configured. Refer to Session cookie name.

IAM-4735: Add support for schema discovery in application templates

IAM-4806: Show outbound tenant IP addresses in Advanced Identity Cloud admin UI. Refer to Access global settings.

IAM-4853: Add AS400 application template. Refer to the AS400 section in Provision an application.

FRAAS-16785: Incorrect positioning of reCAPTCHA v2 elements

IAM-2936: Journeys hang indefinitely when using a State Metadata node within a Page node

IAM-4521: Screen readers announce field labels twice

IAM-4956: Advanced Identity Cloud admin UI doesn’t use the current realm when logging out

IAM-5113: Unable to remove an NAO assignment from a user in Advanced Identity Cloud admin UI

IAM-4211: Display disaster recovery region in the Advanced Identity Cloud admin UI

IAM-4369: Remove AM applications from application list view

IAM-5045: Display pop-up warning when an end user is about to be logged out of an Advanced Identity Cloud hosted page

IAM-4812: Correctly save array ESVs containing newline characters

IAM-4863: Display ESV buttons properly when the user gives them focus

IAM-4877: Display ESV selection button properly while user is modifying a script associated with a Scripted Decision node

IAM-4698: Fix accessibility issues with messages in page nodes

FRAAS-17373^[8]: The following connectors included with Advanced Identity Cloud were upgraded from 1.5.20.15 to 1.5.20.17:

ANALYTICS-311: The USER-LAST-LOGIN report doesn’t show results if the last journey failed

FRAAS-17413: Improve IDM service reliability during upgrades and routine maintenance

OPENICF-1723: Salesforce connector: Clarify usage of proxyUri configuration property

OPENICF-2297: SCIM connector: Roles attribute should be a list of Strings, not a list of Objects

OPENICF-2482: SCIM connector: Dynamic schema doesn’t default to static schema on all exceptions

OPENICF-2483: SCIM connector: Creating a user with special attributes fails with dynamically generated schema

OPENICF-2484: SCIM connector: PUT with schemas attribute fails for providers that support PATCH

OPENICF-2448: SCIM connector: HTTP client fails to handle OAuth 2.0 errors

IAM-4515^[9]: Include autocomplete attribute with login form fields

IAM-4525^[9]: Update profile picture modal with accessibility improvements for screen readers

IAM-4576^[9]: Increase time on screen for loading spinner so that screen readers can announce it

IAM-4616^[9]: Include contextual information with the show/hide buttons for improved accessibility

FRAAS-17278: Health status reports for AM, IDM, and platform-admin services incorrectly reported as available in some situations

IAM-4460^[9]: Screen readers read show/hide buttons for security questions as show/hide password

IAM-4523^[9]: Screen readers read avatar alt text when tabbing to action menu

IAM-4524^[9]: Two buttons with different labels open the same dialog

IAM-3648: ESV placeholders can now be entered from a drop-down list

IAM-3651: ESV placeholders can now be entered from key-value input fields

IAM-4236: Improve layout of the applications reconciliation tab

IAM-4367: Separate the connection status of OAuth 2.0 client applications into a dedicated list

IAM-4662: ESV placeholders can now be entered from tag input fields

IAM-4717: Added date, datetime, and time fields to the login UI

IAM-4789: Grant roles now show temporal constraints

OPENAM-20847: Sanitized HTML can now be added into messages for the Email Suspend node

IAM-4418: Fix accessibility issues with multi-select input fields

IAM-4489: Align checkbox color with other form elements

IAM-4491: Correctly label sidebar buttons when expanded or collapsed

IAM-4492: Make navigation bars in end-user UI accessible for screen readers

IAM-4798: The aria-label is now correctly displayed for all component types on sidebar buttons

IAM-4843: The user column in the certification task list now shows a user’s full name instead of only the first name

IAM-4528: Outbound reconciliation mapping preview shows generated password value

OPENAM-21416: Canada Central AWS region (ca-central-1) enabled for the PingAM push notification service

IAM-3650: Add a drop-down menu to checkbox inputs for selecting ESV placeholders

IAM-3826: Add the ability to specify a source and transformation script when mapping application properties. For details, refer to app-management:provision-an-application.adoc#apply-a-transformation-script-to-a-mapping.

IAM-4567: Add a warning when running reconciliations and selecting the persistAssociations option. For details, refer to View a report about the last reconciliation.

IAM-4366: Provide browser-specific logic to handle alternative CSS for accessibility

IAM-4409: Require at least three characters before running identity searches when there are more than 1000 identities of that type

IAM-4478: Only allow certain combinations of properties in a mapping transformation script

IAM-4493: Fix the heading hierarchy in the UI

IAM-4568: Do not enable the option to change a user association in the UI

IAM-4703: Fix display of password fields in some themes

IAM-4710: Fix rounded border of password fields in hosted pages

OPENAM-21346: Add classes java.util.concurrent.TimeUnit, java.util.concurrent.ExecutionException, and java.util.concurrent.TimeoutException to the scripting allowlist

IAM-4533: Journeys do not resume correctly when returning from a social identity provider without a realm identifier

IAM-4534: Redirect callbacks for journeys not working correctly

AME-25061^[10]: Provide additional context information in Marketplace authentication nodes to enable UI improvements

OPENAM-20772^[10]: Add new option to the CAPTCHA node to let the submit button be disabled until CAPTCHA verification is successful

OPENAM-18004^[10]: Audit logging does not specify transaction IDs correctly for internal requests to certain APIs

OPENAM-18709^[10]: Calls to the nodeState.get() method in Scripted Decision nodes do not return values in shared state when a variable is stored in both shared state and secure state

OPENAM-20230^[10]: Calls to classes in the allowlist fail occasionally with access prohibited messages

OPENAM-20682^[10]: Unable to encrypt id_token error when there are multiple JWKs with the same key ID but different encryption algorithms

OPENAM-20691^[10]: Session quota reached when oldest session is not destroyed due to race condition

OPENAM-20783^[10]: Logging is incorrect when the authorization code grant flow is used successfully

OPENAM-20920^[10]: Null pointer exceptions when a SAML v2.0 binding is null and the SSO endpoint list contains non-SAML v2.0 entries

OPENAM-20953^[10]: Policy evaluation with a subject type JwtClaim returns HTTP response code 500

OPENAM-20980^[10]: The OIDC social provider is unable to use an issuer’s comparison check regex

OPENAM-21001^[10]: Custom scripted SAML v2.0 IDP account mappers are determined incorrectly

OPENAM-21004^[10]: Invalid session ID error when session management is disabled in an OIDC provider

OPENAM-21046^[10]: The Create Object and Patch Object nodes do not log exception stack traces when they can’t retrieve the object schema

OPENAM-21164^[10]: XML string formatted incorrectly when using a custom adapter to get the assertion from a SAML v2.0 response

IAM-3502: Add the ability to set and reset a sync token for identity management account object type. For details, refer to Reset the last reconciliation job.

IAM-3678: Update error messages and labels in login and signup pages

IAM-3962: Improve design of push number challenge page for Push Wait node

IAM-4248: Add three additional non-account objects to ServiceNow page

IAM-4326: Improve onLink script to handle mapped properties of type array and object

IAM-4334: Update SuccessFactors application templates to support Advanced Identity Cloud built-in SuccessFactors connector

IAM-3877: UI loader spins indefinitely when realm is deactivated

IAM-4093: Replace Google Fonts in the login UI to meet GDPR compliancy requirements

IAM-4176: Advanced setting query filter does not show all available properties

IAM-4240: Accessibility issues in Page node when NVDA readers are used

IAM-4261: Accessing end-user UI with query parameter "code" displays empty page

IAM-4371: Unable to create applications due to userpassword property set

IAM-4384: Platform UI does not resume journeys with custom redirect logic

IAM-4427: Platform UI does not show assignments for tenants running deprecated application management

IAM-4475: Platform UI does not load after tenant administrator signs into an upper tenant during promotion

FRAAS-16471: ESV variables and secrets API endpoints slow for large result sets

OPENIDM-18292^[11]: Add support for the _fields request parameter to the sync getTargetPreview endpoint

OPENIDM-18898^[11]: Add support for the _countOnly parameter in identity management scripts

OPENIDM-18980^[11]: Add a new metric to measure the duration of a LiveSync event

OPENIDM-19098^[11]: Enable ES6 support for identity management scripts

FRAAS-16271: ESV secrets could be incorrectly marked as "not loaded" when tenant has many ESVs

IAM-4289: Unable to assign non-account object properties to roles

IAM-4293: Access reviews and line items not shown for staged campaigns

IAM-4295: Reviewer not redirected back to pending reviews after access review sign off

DATASCI-1331^[12]: Distributed attack heuristics

DATASCI-1677^[12]: Support the right to access or be forgotten (GDPR compliance)

IAM-2026: Support versioning of the application and connector templates

IAM-3408: Let provisioners use a range of connector versions

IAM-4074: Add a loading animation to the pie chart component

IAM-4242: Add "Conflicting changes" category to reconciliation summary

FRAAS-9230: Sanitize aria-hidden fields

FRAAS-16041: Users can choose Basic Auth for Identity Cloud logging endpoints

IAM-2972: Route users to the correct realm after granting Salesforce permissions

IAM-3719: Modals not showing display access review comments and activity

IAM-4116: Don’t let access review users add reviewers with greater privileges than they themselves have

IAM-4134: User pop-up is visible in "Entitlement" tab

IAM-4200: Last certified date, decision, and actor displaying incorrectly in Governance account details

IAM-4051: Improved ADA accessibility for drop-down boxes

IAM-4053: Improved ADA accessibility when NVDA readers are used on pages that use the Page node

FRAAS-15974: Unable to promote empty configuration to reset staging environment

IAM-2826: Filter the "Assignments" tab for identities so that it does not show overrides, entitlements, or resources

IAM-3677: Remove increment/decrement arrows from numeric input fields

IAM-3982: Let users filter risk activity using distributed attack as a risk reason

IAM-3983: Show distributed attack as a risk reason in the risk dashboard

IAM-4136: Use the tab key to move focus and remove tags in multi-select components

FRAAS-14262: Include changes to group privileges in the configuration promotions report

IAM-2713: Prohibit editing of managed application objects

IAM-3594: Correctly redirect control to the End User UI after authenticating with itsme

IAM-3939: Let end users switch to a different authentication journey

IAM-4013: When using a custom domain, originalLoginRealm is set incorrectly

OPENIDM-17481: Managed object schema can now describe a field as a nullable array and specify a default value for this field if not provided in a create request

OPENIDM-17771: Processing of a large number of scheduled jobs no longer causes all scheduled tasks to continuously misfire

OPENIDM-18192: Updating a relationship-defined virtual property (RDVP) on a managed object by signal receipt no longer causes other RDVP state within that object to be lost

OPENIDM-18360: Use the full object state when validating requests made by a delegated administrator to modify a relationship

OPENIDM-18613: Provide the ability to remove the userPassword attribute

OPENIDM-18644: Correctly determine whether it’s possible to configure clustered reconciliation

OPENIDM-18895: Fixes support for multi-version concurrency control on managed object patches and updates

FRAAS-14706: Improve the detection of changes to complex configuration files and IDM script hooks in promotion reports

FRAAS-14897: Improve the rate limiting behavior of the /monitoring/logs endpoint

FRAAS-14214: Changing an existing ESV type is now denied by the API and new ESVs always require an explicit type