Rapid channel changelog
Subscribe to get automatic updates: Rapid channel changelog RSS feed
For release notes published before August 2023, refer to the Rapid channel changelog archive.
September 2024
09 Sept 2024
Versions 14868.0, 14888.0
Key features
- Scripted SAML v2.0 NameID values (AME-25921): The NameID mapper script lets you customize SAML v2.0 NameID values per application.
- Set State node (AME-26443): The Set State node lets you add attributes to the journey state.
- Http Client service (AME-27936): The new Http Client service lets you create named instances that you can reference from a next-generation script to make mTLS connections to external services.
- Enable Device Management node: The new Enable Device Management node lets end users manage devices from their account.
Enhancements
- FRAAS-21728: Updated the cookie domain API to add default values for GET requests where cookie domain values haven’t been overridden by a PUT request. The default values are derived from the existing tenant cookie domain configuration, so they are backward compatible.
- AME-26594: Added secrets API binding to all next-generation script contexts.
- AME-27129: Added option to exclude client certificate from SAML hosted SP metadata.
- AME-27792: Added an AM-TREE-LOGIN-COMPLETED audit log event that outputs a result of FAILED when a journey ends with an error.
- AME-27839: Added the ability to specify connection and response timeouts for Http Client Service instances.
- AME-27848: Added a new setting for journeys to always run to completion regardless of the existing user sessions.
- AME-28008: You can now disable certificate revocation checks, or all certificate checks entirely, on your Http Client Service instances.
Fixes
- OPENAM-15410: Fixed an issue that prevented customization of claims if the profile and openid scopes are requested.
- OPENAM-20609: Fixed inconsistent error message when generating access token using refresh token after changing username.
- OPENAM-21974: Adds an OAuth 2.0 client configuration for the new version of the LinkedIn provider.
- OPENAM-22298: Log unretrieved SP and IdP descriptors in the SAML2 Authentication node.
August 2024
29 Aug 2024
Version 14741.0
Key features
- DocuSign application template (IAM-6194): The DocuSign application lets you manage DocuSign service accounts and synchronize DocuSign accounts and Advanced Identity Cloud identities.
Enhancements
- IAM-6493: The PingOne application template now supports specifying an LDAP gateway.
- IAM-6860: For journey pages, the fallback error heading that displays if there is no heading in the page content now includes a toggle in hosted pages to disable it.
- IAM-6868: Added screen reader labels to action buttons that had only icons.
- IAM-6870: Added screen reader labels to buttons that had only icons.
21 Aug 2024
Version 14626.0
Key features
- BeyondTrust application template (IAM-6492): The BeyondTrust application lets you manage and synchronize data from Advanced Identity Cloud to BeyondTrust.
July 2024
19 Jul 2024
Version 14225.0
Key features
- Adobe Admin Console application template (IAM-6195): The Advanced Identity Cloud Adobe Admin Console application lets you manage users, groups, and user group memberships between Adobe Admin Console and Advanced Identity Cloud.
02 Jul 2024
Version 14013.0
Fixes
- FRAAS-20970: The /monitoring/logs endpoint now returns an X-Ratelimit-Limit header with a fixed value of 60. Previously, the value was misleading due to the way it was calculated when scaling an environment’s resources. The X-Ratelimit-Remaining header continues to report the number of requests that may be sent before receiving a rate limited response.
June 2024
27 Jun 2024
Versions 13964.0, 13966.0
Key features
- Additional cloud connectors: The following connectors are now bundled with Advanced Identity Cloud:
  - Adobe Admin Console connector (OPENIDM-19843)
  - DocuSign connector (OPENIDM-20190)
  For more information, refer to the ICF documentation.
Fixes
- OPENIDM-20142: Resolved a communication failure between Advanced Identity Cloud and RCS instances that could result in a prolonged failure to activate remote connectors.
Changed functionality
- OPENIDM-20178: You can’t use scope private fields in query filters. For more information, refer to Security Advisory #202402.
24 Jun 2024
Versions 13937.0
Key features
- Product name change for Identity Cloud (FRAAS-20178): To align ForgeRock products with Ping family names, ForgeRock Identity Cloud has been renamed to PingOne Advanced Identity Cloud. Name and logo changes have been updated throughout the user interfaces, and documentation updates will occur when the UI changes are released to the regular channel.
  For more information, refer to the New names for ForgeRock products FAQ.
Enhancements
- IAM-4785: Synchronize only the modified properties on a target source during reconciliation of applications.
- IAM-5237: Add ability for B2B business partners to certify access for their users using organizational-based certification[2].
- IAM-5487: Correlation rules moved to the top of the reconciliation settings page.
- IAM-5629: Add ability to create scoping rules in Identity Governance[2].
- IAM-6231: Scripted Decision Node now updates the list of scripts when a script is added or edited.
- IAM-6544: Add reviewer column to administrator list view of compliance violations[2].
Fixes
- IAM-6135: ESV values containing accents get corrupted by encoding process.
- IAM-6562: Label duplicated for OAuth 2.0 access token and ID token endpoints.
- IAM-6669: Badge count of violations in end-user navigation doesn’t update when an action is performed[2].
18 Jun 2024
Versions 13896.0, 13900.0
Key features
- PingOne Protect nodes[3] (TNTP-180): The new PingOne Protect nodes replace the deprecated PingOne Protect Marketplace nodes.
Fixes
- FRAAS-20604: Removed superfluous AM metrics related to token store internals:
  - am_cts_connection_count
  - am_cts_connection_seconds
  - am_cts_connection_seconds_total
  - am_cts_connection_state
  - am_cts_reaper_cache_size
  - am_cts_reaper_deletion
  - am_cts_reaper_deletion_count
  - am_cts_reaper_deletion_total
- FRAAS-20786: Fix promotion issue where an attempt was made to delete an already deleted application.
12 Jun 2024
Version 13848.0
Key features
- New utility binding available for scripting (AME-25519): You can now use a new utility binding in your scripts to access several common utility classes. For example, the utility binding includes classes for generating random UUIDs and for base64 encoding and decoding.
Enhancements
- AME-26199: Added the ability to set additional claims, including non-registered claims, during JWT assertion and generation, as per the specification.
- AME-26820: Provided library scripts with access to all common script bindings.
- AME-26993: Enhanced secret mapping for agents. Updating a secret label identifier value now causes any corresponding secret mapping for the previous identifier to also be updated, provided no other agent shares that secret mapping. If another agent shares the secret mapping, PingOne Advanced Identity Cloud creates a new secret mapping for the updated identifier and copies its aliases from the previously shared secret mapping.
- AME-27346: Renamed Secret ID Identifier to Secret Label Identifier in the SAML remote entity provider configuration.
- AME-27478: Renamed Client ID Token Public Encryption Key property to ID Token Encryption Public Key in the OAuth 2.0 client configuration.
- AME-27775: Added scripting thread pool metrics per script context.
- OPENAM-16564: Enabled next-generation scripts to access the cookies in incoming requests.
- OPENAM-21800: Added page node functionality to next-generation scripts.
- OPENAM-21933: Enabled auto-encoding of the httpClient form body in next-generation scripts.
Fixes
- FRAAS-19461: Fixed an issue where large audit logs could be missing from IGA events and processing.
- OPENAM-21748: Restored the missing get wrapper function for HiddenValueCallback in next-generation scripting.
- OPENAM-21864: Fixed an issue that prevented setting the tracking cookie to resume a journey after returning from a redirect flow.
- OPENAM-21897: Corrected inconsistent results from the policy evaluateTree endpoint.
- OPENAM-21951: Enabled setting of the selectedIndex property in a ChoiceCallback in next-generation scripts.
- OPENAM-22181: Corrected an issue with UMA approve and approveAll requests failing.
05 Jun 2024
Version 13760.0
Enhancements
- FRAAS-20048: Configuration promotions can now be rolled back using the API. An environment can be rolled back successively to revert as many previous promotion changes as needed.
  This feature can’t be used in sandbox environments; a promotion or a rollback can only be run between development, UAT[4], staging, and production environments.
May 2024
22 May 2024
Versions 13570.0
Key features
- Oracle E-Business Suite app template (IAM-6342): The Advanced Identity Cloud Oracle E-Business Suite (EBS) application lets you manage and synchronize accounts between EBS and Advanced Identity Cloud.
Enhancements
- IAM-6376: In the applications rules tab, you can now configure custom logic to perform specific actions, such as sending an email, when an account is successfully created or updated.
- IAM-6380: In the applications rules tab, you can now use the provisioning failure rule to configure custom logic to perform specific actions when provisioning fails.
20 May 2024
Version 13528.0
03 May 2024
Key features
- Webex application template (IAM-5234[6]): The Advanced Identity Cloud Webex application lets you manage and synchronize data between Webex Control Hub and Advanced Identity Cloud.
- Epic EMP application template (IAM-2407): The Advanced Identity Cloud Epic EMP application lets you manage and synchronize data between Epic EMP and Advanced Identity Cloud.
Enhancements
- IAM-2653: Configure object properties with user-friendly display names
- IAM-3857: Application list view displays enabled/disabled status of enterprise apps
- IAM-5913: Create custom access request workflows[2]
April 2024
17 Apr 2024
Version 13218.0
Key features
- Event-based certification[2] (IAM-5148): Identity Governance now allows tenant administrators to configure certifications that are triggered by specific governance events, a process referred to as event-based certification. This method offers faster certification resolution compared to scheduled (and often lengthy) campaigns spanning weeks or months and involving numerous applications, intricate rules, and hundreds of reviewers.
  The event-based certifications feature kicks off an identity certification for the following events:
  - User create. Advanced Identity Cloud detects when a user account has been created.
  - User modify. Advanced Identity Cloud detects when an existing user account has been modified or updated.
  - Attribute change. Advanced Identity Cloud detects changes in the attributes of an existing user account.
  - User delete/deactivate. Advanced Identity Cloud detects if a user account has been deleted or deactivated.
  For more information, refer to Certify access by event.
- Grant entitlements to users and roles[2] (IAM-5146): Identity Governance now allows tenant administrators to carry out more fine-grained entitlement grants for their user accounts. Tenant administrators can now:
  - Create a role and grant entitlements to the role.
  - Revoke entitlements in a role.
  - Grant entitlements to a user account.
  - Revoke entitlements from a user account.
  For more information, refer to Manage entitlements.
- Identity Assertion node (AME-26821): The new Identity Assertion node provides a secure communication channel for authentication journeys to communicate directly with Identity Gateway (IG).
- PingOne application template (IAM-5232): The PingOne application lets you manage and synchronize data between PingOne and Advanced Identity Cloud.
- Authenticate gateway and agent profiles with a shared secret (IAM-5833): The Advanced Identity Cloud admin UI for gateways and agents now lets you authenticate with a shared secret instead of a password. Use this option to set the label of the shared secret.
- Authenticate OAuth 2.0 applications with a shared secret (IAM-6028): The Advanced Identity Cloud admin UI for OAuth 2.0 applications now lets you authenticate with a shared secret instead of a password. Use this option to set the label of the shared secret.
Enhancements
- OPENAM-21031: The performance of Google KMS has been improved by the introduction of caching.
- AME-27126: A SAML SP can now authenticate to IDPs using mutual TLS (mTLS) when making an artifact resolution request.
- IAM-3199: HTML styling in the Message node journey editor allows you to left justify text.
Fixes
- FRAAS-19334: Failure to look up service account names following changes applied through the ESV API.
- IAM-5079: End-user roles page sometimes shows role grants as conditional even when the grants are direct.[2]
- IAM-5363: Show the total number of approvals and access reviews in the inbox.[2]
- IAM-5858: Missing support for access request global configuration options.[2]
- IAM-6138: The governance events filter builder incorrectly validates before and after properties in the user created state.[2]
- IAM-6176: The end-user access request rejection is missing a justification message.[2]
- IAM-6203: The governance events filter doesn’t use after temporal values for user created flows.[2]
- IAM-6209: The Advanced Identity Cloud admin UI navigation panel text appears when the panel is collapsed.
- OPENAM-21473: If you set the collection method of a Certificate Collector node to REQUEST, HEADER, or EITHER, and the certificate is not provided in the request or in the header, the node now returns a status of Not collected. This node is currently not supported in PingOne Advanced Identity Cloud.
- SDKS-2935: The Device Binding node now gracefully handles the case of a user being set to inactive.
11 Apr 2024
Version 13149.0
Enhancements
- AME-26085: SAML v2.0 NameID mapping can be configured per SP
- AME-27133: "Secret ID" has been renamed to "Secret Label" for secret mappings
- The following services now support configuration using the Secrets API:
  - AME-16536: The OAuth 2.0 provider hash salt secret
  - AME-25885: The persistent cookie core authentication attribute
  - AME-26110: The client-side session signing key
  - AME-26134: The social provider service
  - AME-26441: The new CAPTCHA node (replaces the legacy CAPTCHA node)
  - AME-26442: The OIDC Token Validator node now lets you store the client secret in any type of secret store
  - AME-26633: The OAuth 2.0 client clientJwtPublicKey
  - AME-26637: The OAuth 2.0 client idTokenPublicEncryptionKey
  - AME-26639: OAuth 2.0 client mTLS self-signed certificates
  - AME-26668: The post authentication process (PAP) replay password
  - AME-26670: The web agents replay password key
  - AME-26998: The OAuth 2.0 client secret
- The following services now support rotation of secrets using secret versions:
  - AME-25988: The persistent cookie encryption secret
  - AME-26999: OAuth 2.0 client secrets
  - AME-27000: OAuth 2.0 client clientJwtPublicKey
  - AME-27001: OAuth 2.0 client mTLS self-signed certificates
09 Apr 2024
Version 13122.0
Key features
- PingOne Verify service (TNTP-118): The PingOne Verify service lets you configure and use PingOne Verify nodes (PingOne Verify Authentication node and PingOne Verify Proofing node) in your authentication journeys.
  For more information, refer to PingOne Verify service.
March 2024
26 Mar 2024
Versions 12899.0
Key features
- Social Provider Handler node[7] (OPENAM-20924): The new Social Provider Handler node adds an outcome to better handle interruptions in a social authentication journey after requesting profile information.
- Event-based certification[2] (IGA-2357): Identity Governance now allows tenant administrators to configure certifications that are triggered by specific governance events, a process referred to as event-based certification. This method offers faster certification resolution compared to scheduled (and often lengthy) campaigns spanning weeks or months and involving numerous applications, intricate rules, and hundreds of reviewers.
  The event-based certifications feature kicks off an identity certification for the following events:
  - User create. Advanced Identity Cloud detects when a user account has been created.
  - User modify. Advanced Identity Cloud detects when an existing user account has been modified or updated.
  - Attribute change. Advanced Identity Cloud detects changes in the attributes of an existing user account.
  - User delete/deactivate. Advanced Identity Cloud detects if a user account has been deleted or deactivated.
  For more information, refer to Certify access by event.
- Grant entitlements to users and roles[2] (IAM-5146): Identity Governance now allows tenant administrators to carry out more fine-grained entitlement grants for their user accounts. Tenant administrators can now:
  - Create a role and grant entitlements to the role.
  - Revoke entitlements in a role.
  - Grant entitlements to a user account.
  - Revoke entitlements from a user account.
  For more information, refer to Manage entitlements.
Enhancements
- AME-26130[7]: Updated the PUSH Notification service to store access keys as a secret
- AME-25906[7]: Updated Identity Gateway agents to store credentials as a secret
- IAM-4585: Request and approvals page now shows the current and past approvers, their decisions, and the dates
- IAM-4968: Expose additional top-level parameters in the advanced section of mapping pages
- IAM-5769: Add grouping logic to journey node items
- IAM-5674: Target application can use ONBOARD action for FOUND situation
- IAM-5814: Allow fixed application usernames to be chosen for custom SAML apps
- OPENAM-21575[7]: Added org.forgerock.json.jose.jwe.JweHeader to the allowlist for Scripted Decision nodes
Fixes
- AME-25915[7]: Assertion consumer processing fails if NameID format not present in the assertion response
- IAM-3927[2]: Identity Governance now enforces mandatory comments (if configured) for revoke and allow exceptions
- IAM-4309: Access reviews no longer display the internal lastSync user attribute
- IAM-4762: Authoritative apps are now requestable
- IAM-4986: Platform UI can now determine whether to use a pagedResultsCookie or offset for paging results
- IAM-5076: "Abstain from action" option no longer displays when a campaign has expired
- IAM-5362: Marking a property as an authoritative app entitlement no longer causes target app config to be generated
- IAM-5413: Account deprovisioning now works in AD/LDAP after deleting a user identity
- IAM-5794: Border color of sign-in input fields in hosted pages can now be overridden in themes
- IAM-5875: Journey editor no longer orphans deleted nodes
21 Mar 2024
Versions 12899.0, 12863.0, 12855.0
Key features
- Additional cloud connectors: The following connectors are now bundled with Advanced Identity Cloud:
  - Dropbox connector (OPENIDM-19838)
  - PingOne connector (OPENIDM-19736)
  - Webex connector (OPENIDM-19920)
  For more information, refer to the ICF documentation.
Enhancements
- OPENIDM-19921: The following connectors included with Advanced Identity Cloud were upgraded to 1.5.20.21:
  - Google Apps connector
  - Microsoft Graph API connector
  - AWS connector
  For details, refer to 1.5.20.21 Connector changes.
18 Mar 2024
Versions 12873.0, 12784.0
Enhancements
- FRAAS-19341: ESV support for AES keys through the base64aes encoding type. For more information, refer to Encoding format.
15 Mar 2024
Versions 12754.0
Key features
- PingOne Service (TNTP-148): The PingOne Service lets you set up the PingOne service in your Advanced Identity Cloud tenant so you can add Ping Identity nodes to your authentication journeys.
  For more information, refer to PingOne Service.
- PingOne nodes (TNTP-119):
  - PingOne node: The PingOne node establishes trust between PingOne and Advanced Identity Cloud by leveraging a federated connection. For more information, refer to PingOne node.
  - PingOne DaVinci API node: The PingOne DaVinci API node lets an Advanced Identity Cloud journey trigger a PingOne DaVinci flow through the API integration method. For more information, refer to PingOne DaVinci API node.
- PingOne Protect nodes (TNTP-127): Ping Identity’s PingOne Protect is a centralized identity threat protection service for securing your digital assets against online fraud attempts.
  For more information, refer to PingOne Protect > How it Works.
13 Mar 2024
Version 12714.0
Key features
- HTTP Client node (TNTP-136): The HTTP Client node lets you make HTTP(S) requests to APIs and services external to Advanced Identity Cloud from within a journey.
  Use the HTTP Client node to simplify the integration with a broad range of external services by making direct HTTP(S) requests.
  For more information, refer to HTTP Client node.
02 Mar 2024
Version 12580.0
Enhancements
- The following services now support setting secrets using the secrets API rather than setting secrets in the service configuration:
  - AME-25709: AuthId signing key
  - AME-25907: Java agents
  - AME-25908: Web agents
  - AME-26014: Rotatable secrets for agents
  - AME-26301: SAML remote entities
  - AME-26241: OATH, Push, Web AuthN devices and the device binding, device ID, and Device profile services
- The following nodes now support setting their secrets using the secrets API rather than setting secrets in the node configuration:
  - AME-26117: OTP SMS Sender and OTP SMTP Sender nodes
  - AME-16535: Set Persistent Cookie node
- AME-26041: Enhanced handling of agents secret mappings – if you update or delete a secret label identifier, any corresponding secret mapping for the previous identifier is updated or deleted, provided no other agent shares that secret mapping
- AME-25434: New Request Header node lets you inject values into shared state based on request header values
- AME-26039: Added LDAP Affinity Level configuration option to the LDAP Decision node, to enable affinity-based load balancing for BIND requests
- OPENAM-21768: Added org.forgerock.opendj.ldap.Rdn and org.forgerock.opendj.ldap.Dn classes to the allowlist for all script contexts
Fixes
- AME-24760: Inner nodes of a PageNode don’t independently audit node-login-complete events
- AME-26158: Exception thrown when generating a Signed JWT with no encryption within a next-gen script called by a Scripted Journey node
- OPENAM-17315: Scripts used to call 'response.getEntity()' in the past should now use 'response.getEntity().getString()' instead
- OPENAM-21856: Introspecting stateless token with IG/Web agents causes OAuth2ChfException
February 2024
29 Feb 2024
Version 12560.0
Enhancements
- IAM-4257: Azure AD app template updates
- IAM-4342: MSGraphAPI connector includes a new optional licenseCacheExpiryTime configuration property
- IAM-4892: Salesforce app template updates
- IAM-4900: UI has been updated to show the Advanced Identity Cloud build number
- IAM-5033: Added new "Remember my username" checkbox to authentication trees
- IAM-5287: Updated username, password, and KBA heading size on the profile page to improve accessibility
- IAM-5334: Expose "Guarded String" as an object type property for Scripted Groovy, ScriptedREST, ScriptedSQL, CSV, Database table, and SCIM connectors
- IAM-5459: KBA answer field now contains question context
- IAM-5461: Custom errors sent as TextOutputCallback.ERROR are now rendered as primary login errors, improving screen reader accessibility
- IAM-5503: Rename Orchestrations to Workflows
- IAM-5563: Google Apps app template updates
- IAM-5603: Create device details modal for managed user identities
- IAM-5606: Add "POWERED BY" metadata to marketplace nodes
- IAM-5748: Make "PingOne" a special case on the federation providers page
Fixes
- IAM-5598: Styled terms and conditions included in a journey causes authenticate calls to fail
- IAM-5611: Can’t revoke custom apps from roles or edit them from the role view
- IAM-5641: Custom endpoints search returns endpoints created by other areas of the UI
- IAM-5692: Console errors when opening the Add user modal for Bravo realm
- IAM-5767: SAML SSO is not used when an application is saved from another tab after SSO setup
- IAM-5873: Hosted page may fail to match user locale
28 Feb 2024
Version 12547.0
Enhancements
- OPENIDM-19405: Allow email addresses to contain non-ASCII characters for supported SMTP providers
January 2024
24 Jan 2024
Fixes
- OPENIDM-18743[8]: Attempts to use connectors fail with null pointer exceptions when operationOptions is defined in the provisioner configuration
23 Jan 2024
Key features
- iProov Authentication node (TNTP-131): The iProov authentication node integrates Advanced Identity Cloud authentication journeys with the Genuine Presence Assurance and Liveness Assurance products from iProov.
22 Jan 2024 (supplementary)
Key features
- Fingerprint Profiler and Fingerprint Response nodes (TNTP-130): The Fingerprint nodes let you integrate your Advanced Identity Cloud environment with the Fingerprint platform to help reduce fraud and improve customer experience.
Enhancements
- AME-25906: Add the ability to configure the password for authenticating to an Identity Gateway agent as an ESV secret
- AME-26130: Add the ability to configure the SNS access key secret for the push notification service to use an ESV secret
- OPENAM-21575: Add org.forgerock.json.jose.jwe.JweHeader to the class allowlist for Scripted Decision node
Fixes
- AME-25915: SAML flow fails if a NameIDFormat element is not present in an assertion response
- FRAAS-18464: Sandbox debug logging level set to WARN instead of DEBUG
- IAM-5656: Fix alignment of text, buttons, and links in Message nodes
- IAM-5660: Hosted pages not displaying list of themes
- OPENAM-20924: Social Provider Handler node does not let end user switch to a different IdP
22 Jan 2024
Enhancements
- AME-26117: Updated nodes relating to one-time passwords to use secret labels for passwords. Refer to OTP Email Sender node and OTP SMS Sender node.
19 Jan 2024
Key features
- RSA SecurID node (FRAAS-18037): The RSA SecurID node lets you use the RSA Cloud Authentication Service (RSA ID Plus) or RSA Authentication Manager from within an authentication journey on your Advanced Identity Cloud environment.
- Advanced Identity Cloud use case catalog: Introducing the release of the Advanced Identity Cloud use case catalog, a collection of guides that focus on tenant administrator use cases and third-party integrations.
18 Jan 2024
Key features
- Create and manage custom relationship properties (OPENIDM-19106, OPENIDM-19109): You can now create and manage custom relationship properties using the Advanced Identity Cloud admin UI.
- Schema API improvements (OPENIDM-19107): You can now directly modify managed object schemas over REST using the schema API. This capability includes configuring custom relationship properties.
- Password timestamps (OPENIDM-19262): Enabling this new feature lets you view or query when a user password was last changed and when it is set to expire.
Enhancements
- OPENIDM-19674: The relationship-defined virtual property (RDVP) schema editor allows you to edit the flattenProperties property. The managed object schema editor allows you to edit the notifyRelationships property.
Fixes
- OPENIDM-18957: The scheduler now attempts to release any triggers it attempted to acquire during a timeout due to an unresponsive repository
- OPENIDM-19141: Workflow engine queries now properly honor tablePrefix and tablePrefixIsSchema configuration options
- OPENIDM-19279: Resource collection is required to create a relationship
- OPENIDM-19565: The default apiVersion configuration has been updated with additional resource paths
December 2023
19 Dec 2023
Key features
- Schedule jobs directly in the Advanced Identity Cloud admin UI (IAM-3489): You can now schedule the following jobs directly in the Advanced Identity Cloud admin UI without using the IDM admin UI (native console):
  - Scripts: Execute a script at a regular interval.
  - Task scanner: Execute a scan of identities using a complex query filter at a regular interval. The scan can then execute a script on the identities returned by the query filter.
- New Identity Governance capabilities[2] (IAM-4617, IGA-1664): The Workflow UI lets you define custom workflow definitions for all access request types.
  Role membership certification, a new certification type for access reviews, lets you review and certify roles and the users who have access to roles. Primary reviewers are role owners, a single user, or users assigned to a role.
Enhancements
- FRAAS-7382: Add ability to include JavaScript snippets in login and end-user UIs
- IAM-4514[2]: Allow reviewers to add user, entitlement, and role columns to an access review
- IAM-4739: Add read schema option to SCIM application template to discover custom schemas/attributes
- IAM-5201: Focus on first input field or button automatically upon page load
- IAM-5268: Add source-missing situation rule to authoritative applications
Fixes
- FRAAS-16659: ESV mapping updates aren’t captured in promotions report
- IAM-4810: Custom endpoint UI missing context option
- IAM-5072: Inbound mapping tab shows in target applications
- IAM-5171: Azure Active Directory application template doesn’t return a user’s role membership
- IAM-5187: LDAP v2.1 application template doesn’t clear dc=example,dc=com base DN
- IAM-5238: LDAP application template is missing the group object classes property
- IAM-5422[2]: Entitlement owner doesn’t show in the entitlement list
12 Dec 2023
Enhancements
- AME-22326[9]: The httpClient available in scripts now automatically adds the current transactionId as an HTTP header. This lets you correlate caller and receiver logs when making requests to other ForgeRock products and services.
- AME-25392[9]: Add org.forgerock.openam.scripting.api.PrefixedScriptPropertyResolver, used for accessing ESVs from scripts, to the allowlist for SAML2_SP_ADAPTER and SAML2_IDP_ADAPTER script types
- AME-25433[9]: Add com.sun.crypto.provider.PBKDF2KeyImpl, javax.crypto.SecretKeyFactory, and javax.crypto.spec.PBEKeySpec to the allowlists for Scripted Decision nodes and Configuration Provider nodes
- AME-25608[9]: Add auditing for opening and closing connections for the LDAP decision node, ID Repo service, and Policy Configuration service
- AME-25630[9]: Add java.security.spec.InvalidKeySpecException to the allowlist for the Scripted Decision and Configuration Provider nodes
- OPENAM-16897[9]: The OAuth 2.0 Device grant flow can now return either JSON or HTML
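The log correlation that AME-22326 enables, as an added illustration that is not part of the release note and not ForgeRock's code: a script's outgoing request carries the current transactionId in a header, and the receiving service logs the same id, so the two sides' records can be joined. The header name (X-Transaction-Id) and the log lines are constructed placeholders, not the product's actual header or output.

```python
"""Join caller-side and receiver-side logs on a shared transaction id.

Added illustration, not ForgeRock code. The header name and both log
samples below are constructed; the real header name is not stated here.
"""
import json
from collections import defaultdict

# Constructed sample: one JSON object per line, as the calling script's side might log it.
CALLER_LOGS = """
{"ts":"2023-12-12T10:00:01Z","transactionId":"txn-0001","side":"caller","msg":"POST https://receiver.example/api/verify"}
{"ts":"2023-12-12T10:00:02Z","transactionId":"txn-0002","side":"caller","msg":"POST https://receiver.example/api/verify"}
{"ts":"2023-12-12T10:00:03Z","transactionId":"txn-0003","side":"caller","msg":"POST https://receiver.example/api/verify"}
""".strip()

# Constructed sample: what the receiving service logs after reading the header.
RECEIVER_LOGS = """
{"ts":"2023-12-12T10:00:01Z","transactionId":"txn-0001","side":"receiver","msg":"verify ok","status":200}
{"ts":"2023-12-12T10:00:02Z","transactionId":"txn-0002","side":"receiver","msg":"verify failed","status":403}
""".strip()

TRANSACTION_HEADER = "X-Transaction-Id"  # placeholder header name (assumption, not the product's)


def outgoing_headers(transaction_id, extra=None):
    """Build request headers carrying the transaction id, the way the
    script httpClient now does automatically for every request."""
    headers = dict(extra or {})
    headers[TRANSACTION_HEADER] = transaction_id
    return headers


def parse_jsonl(text):
    """Parse newline-delimited JSON into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def correlate(caller_text, receiver_text):
    """Group entries from both sides by transactionId.
    Returns {transactionId: {"caller": [...], "receiver": [...]}}."""
    groups = defaultdict(lambda: {"caller": [], "receiver": []})
    for entry in parse_jsonl(caller_text):
        groups[entry["transactionId"]]["caller"].append(entry)
    for entry in parse_jsonl(receiver_text):
        groups[entry["transactionId"]]["receiver"].append(entry)
    return dict(groups)


def unanswered(groups):
    """Transaction ids the caller logged but the receiver never did: a quick
    way to spot requests that were dropped, timed out, or never arrived."""
    return sorted(t for t, g in groups.items() if g["caller"] and not g["receiver"])


def failed(groups):
    """Transaction ids for which the receiver recorded an HTTP error status."""
    return sorted(
        t for t, g in groups.items()
        if any(e.get("status", 200) >= 400 for e in g["receiver"])
    )


if __name__ == "__main__":
    groups = correlate(CALLER_LOGS, RECEIVER_LOGS)
    for txn in sorted(groups):
        print(txn, "caller:", len(groups[txn]["caller"]), "receiver:", len(groups[txn]["receiver"]))
    print("unanswered:", unanswered(groups))
    print("failed:", failed(groups))
```

Run as-is: the constructed data yields one transaction (txn-0003) that the receiver never logged and one (txn-0002) that it rejected, which is exactly the kind of question the shared transactionId lets an operator answer from two services' logs.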
Fixes
- COMMONS-1397[9]: Audit event log entries not logged due to thread contention
- FRAAS-17686[10]: Add org.forgerock.json.jose.jwe.JweHeader to the allowlists for the AUTHENTICATION_TREE_DECISION_NODE and CONFIG_PROVIDER_NODE script types
- IAM-4401[9]: Disabling Clear-Site-Data header breaks realm login
- OPENAM-17331[9]: Disabled SNS endpoints can now be re-enabled
- OPENAM-17816[9]: OAuth 2.0 requests without a Content-Type header fail with a 500 error
- OPENAM-19282[9]: Recovery Code Display node only works immediately after a registration node
- OPENAM-19889[9]: Policy evaluation fails when subject is agent access token JWT
- OPENAM-20026[9]: Social IDP with trailing whitespace in the name can’t be deleted using the UI
- OPENAM-20329[9]: Issuer missing from OAuth 2.0 JARM response
- OPENAM-21053[9]: Missing userId from access audit log when org.forgerock.security.oauth2.enforce.sub.claim.uniqueness=false in JWT client authentication flow
- OPENAM-21421[9]: Scripting logger name isn’t based on logging hierarchy convention
- OPENAM-21476[9]: Persistent cookie is not created when using Configuration Provider node
- OPENAM-21484[9]: Introspection of a stateful refresh token for claims field for known OAuth2 fields is now a string and not nested in a list
November 2023
30 Nov 2023
Fixes
-
IAM-5275[9]: Advanced Identity Cloud admin UI doesn’t add query parameters to the logout URL
Notices
ForgeRock deprecated the option to let Advanced Identity Cloud tenant administrators skip 2-step verification on Friday, February 3, 2023.
The end-of-life date for this deprecation is Friday, March 1, 2024, when the skip option functionality will be removed from Advanced Identity Cloud. You have until this date to update your tenants to make 2-step verification mandatory for all tenant administrators. For more information, refer to Tenant administrator mandatory 2-step verification FAQ.
28 Nov 2023
Key features
- Duo Universal Prompt node (FRAAS-15675)
-
The Duo Universal Prompt node lets you provide two-factor authentication using Duo’s Universal Prompt authentication interface. You can integrate Universal Prompt with your web applications using the Duo Web v4 SDK.
For details, refer to Duo Universal Prompt node.
27 Nov 2023
Enhancements
-
FRAAS-17939[11]: Some connectors included with Advanced Identity Cloud were upgraded to the following versions:
1.5.20.19 (for details, refer to 1.5.20.19 Connector changes):
-
Microsoft Graph API connector
-
SCIM connector
1.5.20.18 (for details, refer to 1.5.20.18 Connector changes):
-
Google Apps connector
-
Microsoft Graph API connector
-
Salesforce connector
-
SCIM connector
-
Workday connector
-
OPENIDM-19037: Update property value substitution to reflect boolean value in the UI
17 Nov 2023
13 Nov 2023
Fixes
-
FRAAS-17883: Tenant administrators cannot save edits to their personal information
-
IAM-5226: Tenant administrator security questions should not be shown when editing personal information
-
IAM-5240: No error message displays when a tenant administrator fails to save edits to their personal information
October 2023
31 Oct 2023
Key features
- next-generation scripting enhancements (AME-25928)
-
The next-generation scripting engine for journey decision node scripts lets you:
-
Reduce the need to allowlist Java classes with a stable set of enhanced bindings.
-
Simplify scripts with fewer imports and more intuitive return types that require less code.
-
Debug efficiently with clear log messages and a simple logging interface based on SLF4J.
-
Make requests to other APIs from within scripts with a more intuitive HTTP client.
-
Modularize your scripts by reusing common code snippets, including external libraries such as CommonJS, with library scripts.
-
Access identity management information seamlessly through the openidm binding.
The next-generation engine can’t use legacy scripts.
If your Scripted Decision node uses legacy scripts, you must convert them to use updated bindings to take advantage of the benefits of the next-generation scripting engine.
Where possible, you should migrate legacy scripts to take advantage of next-generation stability.
For more information, refer to Next-generation scripts.
Enhancements
-
FRAAS-3841: Activate and deactivate journeys in the Advanced Identity Cloud admin UI. Refer to Deactivate journeys.
-
IAM-4191: Allow tenant session cookie name to be configured. Refer to Session cookie name.
-
IAM-4735: Add support for schema discovery in application templates
-
IAM-4806: Show outbound tenant IP addresses in Advanced Identity Cloud admin UI. Refer to Access global settings.
-
IAM-4853: Add AS400 application template. Refer to the AS400 section in Provision an application.
Fixes
-
FRAAS-16785: Incorrect positioning of reCAPTCHA v2 elements
-
IAM-2936: Journeys hang indefinitely when using a State Metadata node within a Page node
-
IAM-4521: Screen readers announce field labels twice
-
IAM-4956: Advanced Identity Cloud admin UI doesn’t use the current realm when logging out
-
IAM-5113: Unable to remove an NAO assignment from a user in Advanced Identity Cloud admin UI
19 Oct 2023
Key features
- Gateway Communication node (FRAAS-17380)
-
Lets Advanced Identity Cloud authentication journeys communicate directly with PingGateway.
This secure communication channel extends the Advanced Identity Cloud capabilities with PingGateway features, such as validating a Kerberos ticket and performing other certificate handshakes.
For details, refer to Gateway Communication overview.
16 Oct 2023
Key features
- New Autonomous Access capabilities[12] (DATASCI-1269)
-
User access behavior and tenant access behavior let end users understand their "normal" login behavior for the past six months by graphically displaying key access metrics on a UI. Users can filter the UI to show certain login metrics, like time of day, city, country, day of week, device used for login, operating system, and browser type. Users can also compare an individual user’s login behavior to that of the access attempts for all other users.
Enhancements
-
IAM-4211: Display disaster recovery region in the Advanced Identity Cloud admin UI
-
IAM-4369: Remove AM applications from application list view
-
IAM-5045: Display pop-up warning when an end user is about to be logged out of an Advanced Identity Cloud hosted page
Fixes
-
IAM-4812: Correctly save array ESVs containing newline characters
-
IAM-4863: Display ESV buttons properly when the user gives them focus
-
IAM-4877: Display ESV selection button properly while user is modifying a script associated with a Scripted Decision node
-
IAM-4698: Fix accessibility issues with messages in page nodes
13 Oct 2023
Enhancements
-
FRAAS-17373[13]: The following connectors included with Advanced Identity Cloud were upgraded from 1.5.20.15 to 1.5.20.17:
-
Adobe Marketing Cloud connector
-
Google Apps connector
-
Microsoft Graph API connector
-
Salesforce connector
-
SCIM connector
Some highlights include:
-
OPENICF-900: SCIM connector: Add support for dynamically generated SCIM schemas
-
OPENICF-2453: SCIM connector: Persist optional refresh token upon successful access token renewal
For a complete list of enhancements and fixes, refer to Connector changes.
Fixes
-
ANALYTICS-311: The USER-LAST-LOGIN report doesn’t show results if the last journey failed
-
FRAAS-17413: Improve IDM service reliability during upgrades and routine maintenance
-
OPENICF-1723: Salesforce connector: Clarify usage of proxyUri configuration property
-
OPENICF-2297: SCIM connector: Roles attribute should be a list of Strings, not a list of Objects
-
OPENICF-2482: SCIM connector: Dynamic schema doesn’t default to static schema on all exceptions
-
OPENICF-2483: SCIM connector: Creating a user with special attributes fails with dynamically generated schema
-
OPENICF-2484: SCIM connector: PUT with schemas attribute fails for providers that support PATCH
-
OPENICF-2448: SCIM connector: HTTP client fails to handle OAuth 2.0 errors
12 Oct 2023
Key features
- OneSpan Get User Authenticator node (FRAAS-17378)
-
Retrieves the authenticators assigned to a user and helps enable the user’s authentication and security levels.
For details, refer to OneSpan Get User Authenticator node.
- OneSpan Identity Verification node (FRAAS-17378)
-
Sends a request to OneSpan to analyze the image and determine whether the document is genuine or fraudulent.
For details, refer to OneSpan Identity Verification node.
03 Oct 2023
Fixes
-
FRAAS-17283: Tenant status pages not automatically updated during downtime
-
IAM-4235: Passthrough authentication using AD connector fails if set up in UI and user DN includes a space
-
IAM-4903: API calls to IGA endpoints not working with custom domain
-
IAM-4915: User details modal for IGA access review shows manager details as JSON object
-
OPENIDM-19192: Personal information is still editable by end users when User Editable is set to false
September 2023
25 Sep 2023
Enhancements
-
IAM-4515[14]: Include autocomplete attribute with login form fields
-
IAM-4525[14]: Update profile picture modal with accessibility improvements for screen readers
-
IAM-4576[14]: Increase time on screen for loading spinner so that screen readers can announce it
-
IAM-4616[14]: Include contextual information with the show/hide buttons for improved accessibility
Fixes
-
FRAAS-17278: Health status reports for AM, IDM, and platform-admin services incorrectly reported as available in some situations
-
IAM-4460[14]: Screen readers read show/hide buttons for security questions as show/hide password
-
IAM-4523[14]: Screen readers read avatar alt text when tabbing to action menu
-
IAM-4524[14]: Two buttons with different labels open the same dialog
20 Sep 2023
Key features
- New Identity Governance capabilities[2] (IGA-1691)
-
Access requests let end users request access to resources and let managers request that access be removed from their delegates. The list of resources an end user can request access to is referred to as the access catalog.
Manage access request workflows is a new feature that lets you optionally define flows to include business logic, decisions, and approvals. For example, you can decide what happens when an approver rejects an access request for an application. Workflows currently only support access request-related features.
New options in the Identity Cloud End User UI let end users submit access requests, submit requests to remove access, and review assigned request items:
-
The My Requests option lets you view and create access requests to resources (applications, roles, entitlements) for yourself or on behalf of others.
-
The My Directory > Direct Reports option lets managers submit access removal requests.
-
The Inbox > Approvals option lists request items (requests an end user submits) for an approver (designated owner) to act on.
Enhancements
-
IAM-3648: ESV placeholders can now be entered from a drop-down list
-
IAM-3651: ESV placeholders can now be entered from key-value input fields
-
IAM-4236: Improve layout of the applications reconciliation tab
-
IAM-4367: Separate the connection status of OAuth 2.0 client applications into a dedicated list
-
IAM-4662: ESV placeholders can now be entered from tag input fields
-
IAM-4717: Added date, datetime, and time fields to the login UI
-
IAM-4789: Grant roles now show temporal constraints
-
OPENAM-20847: Sanitized HTML can now be added into messages for the Email Suspend node
Fixes
-
IAM-4418: Fix accessibility issues with multi-select input fields
-
IAM-4489: Align checkbox color with other form elements
-
IAM-4491: Correctly label sidebar buttons when expanded or collapsed
-
IAM-4492: Make navigation bars in end-user UI accessible for screen readers
-
IAM-4798: The aria-label is now correctly displayed for all component types on sidebar buttons
-
IAM-4843: The user column in the certification task list now shows a user’s full name instead of only the first name
-
IAM-4528: Outbound reconciliation mapping preview shows generated password value
15 Sep 2023
Key features
- Query Parameter node (AME-24069)
-
Allows you to insert query parameter values from a journey URL into configurable node state properties. This lets you customize journeys based on the query parameter values.
For details, refer to Query Parameter node.
Enhancements
-
OPENAM-21073: Request headers are now accessible in OAuth 2.0/OIDC scripts for OIDC_CLAIMS, OAUTH2_ACCESS_TOKEN_MODIFICATION, and OAUTH2_MAY_ACT script contexts using the requestProperties binding
-
OPENAM-21355: Jakarta AWS region (ap-southeast-3) enabled for the PingAM push notification service
Fixes
-
IAM-4639: String/password field button is highlighted in the UI
-
IAM-4829: Eye icon displays over the password field highlight box in the UI
-
OPENAM-18599: Allow customization of the error message that displays to end users when their account is locked or inactive using .withErrorMessage() in a Scripted Decision node
-
OPENAM-18685: Use the OAuth2 Provider service in the AM admin UI to specify if tokens issued should contain the subname claim
-
OPENAM-19261: Errors are incorrectly logged when triggered by introspection of tokens using OAuth 2.0 client credentials grant
-
OPENAM-20451: The WebAuthn Registration node now displays an end user’s userName when registering a device if the identity’s name isn’t human-readable
-
OPENAM-21158: Add support for trusted platform module (TPM) attestation using elliptic curve cryptography (ECC) unique parameter validation starting with Windows 11 version 22H2
-
OPENAM-21304: The request_uris field does not populate when OAuth 2.0 clients register using dynamic client registration
-
OPENAM-21390: Fix caching error to correctly provide data to nodeState when a journey switches server instances
11 Sep 2023
Enhancements
-
IAM-3650: Add a drop-down menu to checkbox inputs for selecting ESV placeholders
-
IAM-3826: Add the ability to specify a source and transformation script when mapping application properties. For details, refer to Apply a transformation script to a mapping in Provision an application.
-
IAM-4567: Add a warning when running reconciliations and selecting the persistAssociations option. For details, refer to View a report about the last reconciliation.
Fixes
-
IAM-4366: Provide browser-specific logic to handle alternative CSS for accessibility
-
IAM-4409: Require at least three characters before running identity searches when there are more than 1000 identities of that type
-
IAM-4478: Only allow certain combinations of properties in a mapping transformation script
-
IAM-4493: Fix the heading hierarchy in the UI
-
IAM-4568: Do not enable the option to change a user association in the UI
-
IAM-4703: Fix display of password fields in some themes
-
IAM-4710: Fix rounded border of password fields in hosted pages
August 2023
22 Aug 2023
Key features
- Salesforce Community User application template (IAM-4340)
-
Provision, reconcile, and synchronize Salesforce, Salesforce Portal, and Salesforce Community accounts.
For details, refer to Salesforce application template or Salesforce Community User application template.
- Add preference-based provisioning to Privacy and Consent settings (IAM-4243)
-
End users in target applications can share their data with other applications. After the end user configures a preference to share data with other applications, data from the target application is synchronized with Advanced Identity Cloud.
For details, refer to End-user data sharing.
18 Aug 2023
Key features
- OneSpan Auth VDP User Register node (FRAAS-15426)
-
Registers users to authenticate using the virtual one-time password (VOTP). For details, refer to OneSpan Auth VDP User Register node.
- OneSpan Auth Assign Authenticator node (FRAAS-15426)
-
Assigns a VIR10 authenticator to the user when there’s a VIR10 authenticator available in the tenant and the user isn’t already assigned one. For details, refer to OneSpan Auth Assign Authenticator node.
- OneSpan Auth Generate VOTP node (FRAAS-15426)
-
Generates and delivers a virtual one-time password (VOTP) through the delivery method configured in the node if there’s a VIR10 authenticator assigned to the user. For details, refer to OneSpan Auth Generate VOTP node.
09 Aug 2023
Fixes
-
OPENAM-18004[15]: Audit logging does not specify transaction IDs correctly for internal requests to certain APIs
-
OPENAM-18709[15]: Calls to the nodeState.get() method in Scripted Decision nodes do not return values in shared state when a variable is stored in both shared state and secure state
-
OPENAM-20230[15]: Calls to classes in the allowlist fail occasionally with access prohibited messages
-
OPENAM-20682[15]: Unable to encrypt id_token error when there are multiple JWKs with the same key ID but different encryption algorithms
-
OPENAM-20691[15]: Session quota reached when oldest session is not destroyed due to race condition
-
OPENAM-20783[15]: Logging is incorrect when the authorization code grant flow is used successfully
-
OPENAM-20920[15]: Null pointer exceptions when a SAML v2.0 binding is null and the SSO endpoint list contains non-SAML v2.0 entries
-
OPENAM-20953[15]: Policy evaluation with a subject type JwtClaim returns HTTP response code 500
-
OPENAM-20980[15]: The OIDC social provider is unable to use an issuer’s comparison check regex
-
OPENAM-21001[15]: Custom scripted SAML v2.0 IDP account mappers are determined incorrectly
-
OPENAM-21004[15]: Invalid session ID error when session management is disabled in an OIDC provider
-
OPENAM-21046[15]: The Create Object and Patch Object nodes do not log exception stack traces when they can’t retrieve the object schema
-
OPENAM-21164[15]: XML string formatted incorrectly when using a custom adapter to get the assertion from a SAML v2.0 response