Identity Cloud

Regular channel changelog

Subscribe to get automatic updates: Regular channel changelog RSS feed

Refer to the Changelog archive for release notes published before 16 Sep 2022.

April 2024

16 Apr 2024

Version 13019.8


  • FRAAS-19414: You can now configure custom domains directly in all environments without needing to create ESVs or promote configurations. Existing custom domains will be migrated automatically.

  • FRAAS-19566: Add _sortKeys query parameter to ESV API

  • IAM-4585[1]: Request and approvals page now shows the current and past approvers, their decisions, and the dates

  • IAM-4968: Expose additional top-level parameters in the advanced section of mapping pages

  • IAM-5674: Target application can use ONBOARD action for FOUND situation

  • IAM-5769: Add grouping logic to journey node items


  • IAM-3927[1]: Identity Governance now enforces mandatory comments (if configured) for revoke and allow exceptions

  • IAM-4309[1]: Access reviews no longer display the internal lastSync user attribute

  • IAM-4762: Authoritative apps are now requestable

  • IAM-4986: Platform UI can now determine whether to use a pagedResultsCookie or offset for paging results

  • IAM-5076[1]: "Abstain from action" option no longer displays when a campaign has expired

  • IAM-5362: Marking a property as an authoritative app entitlement no longer causes target app config to be generated

  • IAM-5413: Account deprovisioning now works in AD/LDAP after deleting a user identity

  • IAM-5794: Border color of sign-in input fields in hosted pages can now be overridden in themes

  • IAM-5810: Add option for email configuration to specify utf8 address support

  • IAM-5814: Allow fixed application usernames to be chosen for custom SAML apps

  • IAM-5875: Journey editor no longer orphans deleted nodes

12 Apr 2024

Version 12820.8

No customer-facing issues released.[2]

09 Apr 2024

Version 12820.7

No customer-facing issues released.[2]

04 Apr 2024

Version 12820.5

Key features

HTTP Client node (TNTP-136)

The HTTP Client node lets you make HTTP(S) requests to APIs and services external to Identity Cloud from within a journey.

Use the HTTP Client node to simplify the integration with a broad range of external services by making direct HTTP(S) requests.

For more information, refer to HTTP Client node.

PingOne Service (TNTP-148)

The PingOne Service lets you set up the PingOne service in your Identity Cloud tenant so you can add Ping Identity nodes to your authentication journeys.

For more information, refer to PingOne Service.

03 Apr 2024

Version 12820.5


March 2024

26 Mar 2024

Version 12589.7

Key features

Implemented "remember me" functionality

You can now display a checkbox on the end user sign-in card that makes it remember and pre-populate the username.


  • FRAAS-15371: Added ability to prevent search engines from indexing end user login pages

  • IAM-4257: Updated Azure AD app template to accommodate the latest changes

  • IAM-4342: Updated MSGraphAPI Connector with a new configuration property

  • IAM-4892: Updated Salesforce app template to accommodate the latest changes

  • IAM-4900: Added build number and next release cycle date range to user interface

  • IAM-5334: Exposed guarded string as an object type property in scripted template

  • IAM-5459: KBA answer field should contain question context

  • IAM-5461: Custom login error not read with priority

  • IAM-5503: Rename "Orchestrations" to "Workflows"

  • IAM-5563: Updated Google Apps app template to accommodate the latest changes

  • IAM-5603: Added ability to view device details for managed user identities

  • IAM-5606: Added "POWERED BY" metadata to journey nodes

  • IAM-5748: Made 'PingOne' a special case on the federation providers page


  • IAM-4918: Check that user has correct permissions when requesting access for other users

  • IAM-5287: Make username, password, and KBA fields H3 elements

  • IAM-5598: Prevent styled terms and conditions included in a journey from making authenticate call fail

  • IAM-5611: Correct ability to revoke custom apps from roles, or edit them from the role view

  • IAM-5641: Custom Endpoints search returned endpoints created by other areas of the UI

  • IAM-5692: Remove console errors when opening the "Add Bravo user" modal

  • IAM-5767: SAML SSO was not remembered when app is saved from another tab after SSO setup

  • IAM-5873: Fix .getTranslation call in Vue

  • OPENIDM-19405: Special non-ASCII characters in emails sent from Identity Cloud would fail

25 Mar 2024


ForgeRock deprecated the option to let Identity Cloud tenant administrators skip 2-step verification on Friday, February 3, 2023.

This is a reminder that the end-of-life date for this deprecation is Tuesday, April 2, 2024, when the skip option functionality will be removed from Identity Cloud.

You have until this date to update your tenants to make 2-step verification mandatory for all tenant administrators. For more information, refer to Tenant administrator mandatory 2-step verification FAQ.

05 Mar 2024

Version 12455.3


  • FRAAS-18788: Add AWS, GCP, and SAP S/4HANA connectors to Identity Cloud


  • FRAAS-18693: Validation bug prevents use of the base64encodedinlined and keyvaluelist ESV expression types

05 Mar 2024


Duo authentication node (FRAAS-19062)

ForgeRock has deprecated the Duo authentication node because Duo has deprecated the Traditional Duo Prompt, which the Duo node uses.

ForgeRock created the Duo Universal Prompt node in anticipation of this deprecation. Use the Duo Universal Prompt node instead of the Duo node (Deprecated).

February 2024

28 Feb 2024


ForgeRock deprecated the option to let Identity Cloud tenant administrators skip 2-step verification on Friday, February 3, 2023.

The end-of-life date for this deprecation has been moved to Tuesday, April 2, 2024, when the skip option functionality will be removed from Identity Cloud.

You have until this date to update your tenants to make 2-step verification mandatory for all tenant administrators. For more information, refer to Tenant administrator mandatory 2-step verification FAQ.

20 Feb 2024


  • FRAAS-18414: Changes to an out-of-the-box journey can be incorrectly displayed against both realms in a promotion report

16 Feb 2024


ForgeRock deprecated the option to let Identity Cloud tenant administrators skip 2-step verification on Friday, February 3, 2023.

The end-of-life date for this deprecation is Friday, March 1, 2024, when the skip option functionality will be removed from Identity Cloud. You have until this date to update your tenants to make 2-step verification mandatory for all tenant administrators. For more information, refer to Tenant administrator mandatory 2-step verification FAQ.

08 Feb 2024

Key features

Identity Cloud security guide update

ForgeRock has updated the Identity Cloud security guide to advise caution when using the X-Forwarded-For HTTP header to identify the originating IP address of a client, due to security and privacy concerns.

Instead, you should consider using the X-Real-IP or X-Trusted-Forwarded-For HTTP headers as trusted replacements. Refer to Identify originating client IP addresses.
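The following added example (not Identity Cloud code) illustrates the concern behind this guidance: a client can send its own X-Forwarded-For value, so code that trusts the first entry can be fed a chosen address, whereas a header set by a trusted edge proxy (X-Real-IP or X-Trusted-Forwarded-For, as the guide names them) is only meaningful when the TCP peer is that proxy. The proxy address, the sample headers and the assumption that the proxy appends the client address as the last element of a trusted header are all constructed for this example.

```python
from ipaddress import ip_address

# Headers the security guide names as trusted replacements. This example assumes
# the edge proxy sets them itself and discards any copy supplied by the client.
TRUSTED_HEADERS = ("X-Trusted-Forwarded-For", "X-Real-IP")


def _normalise(headers):
    # HTTP header names are case-insensitive; compare on a lowercase copy.
    return {name.lower(): value for name, value in headers.items()}


def _valid_ip(value):
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def naive_client_ip(headers, peer):
    """Unsafe pattern: take the first X-Forwarded-For entry, whoever wrote it."""
    xff = _normalise(headers).get("x-forwarded-for")
    if xff:
        first = xff.split(",")[0].strip()
        if _valid_ip(first):
            return first
    return peer


def trusted_client_ip(headers, peer, trusted_proxies):
    """Honour proxy-set headers only when the TCP peer is a known trusted proxy."""
    if peer not in trusted_proxies:
        # Direct connection: every header was written by the client, so the
        # socket peer is the only address we can rely on.
        return peer
    lowered = _normalise(headers)
    for name in TRUSTED_HEADERS:
        value = lowered.get(name.lower())
        if value:
            # Assumption: the trusted proxy appends the client address last.
            candidate = value.split(",")[-1].strip()
            if _valid_ip(candidate):
                return candidate
    return peer


# Constructed: the tenant's single edge proxy.
TRUSTED_PROXIES = {"198.51.100.7"}

# Constructed request 1: the client sent "X-Forwarded-For: 10.0.0.1" to look
# internal; the trusted proxy appended the real address and set X-Real-IP itself.
VIA_PROXY = {
    "X-Forwarded-For": "10.0.0.1, 203.0.113.45",
    "X-Real-IP": "203.0.113.45",
}

# Constructed request 2: a direct connection where the client sets the
# "trusted" header name itself; no proxy was involved.
DIRECT_SPOOF = {"X-Real-IP": "10.0.0.1", "X-Forwarded-For": "10.0.0.1"}


def demo():
    """Compare both strategies on the two constructed requests."""
    return {
        "naive_via_proxy": naive_client_ip(VIA_PROXY, "198.51.100.7"),
        "trusted_via_proxy": trusted_client_ip(VIA_PROXY, "198.51.100.7", TRUSTED_PROXIES),
        "naive_direct": naive_client_ip(DIRECT_SPOOF, "203.0.113.99"),
        "trusted_direct": trusted_client_ip(DIRECT_SPOOF, "203.0.113.99", TRUSTED_PROXIES),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The naive reading returns the client-chosen 10.0.0.1 in both requests; the trusted reading returns the proxy-observed 203.0.113.45 behind the proxy and falls back to the socket peer on the direct connection.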

06 Feb 2024

Key features

Create and manage custom relationship properties (OPENIDM-19106, OPENIDM-19109)

You can now create and manage custom relationship properties using the Identity Cloud admin UI.

Schema API improvements (OPENIDM-19107)

You can now directly modify managed object schemas over REST using the schema API. This capability includes configuring custom relationship properties.

Password timestamps (OPENIDM-19262)

Enabling this new feature lets you view or query when a user password was last changed and when it is set to expire.

Fingerprint Profiler and Fingerprint Response nodes (TNTP-130)

The Fingerprint nodes let you integrate your Identity Cloud environment with the Fingerprint platform to help reduce fraud and improve customer experience.

iProov Authentication node (TNTP-131)

The iProov authentication node integrates Identity Cloud authentication journeys with the Genuine Presence Assurance and Liveness Assurance products from iProov.

RSA SecurID node (FRAAS-18037)

The RSA SecurID node lets you use the RSA Cloud Authentication Service (RSA ID Plus) or RSA Authentication Manager from within an authentication journey on your Identity Cloud environment.


  • OPENIDM-17878: Allow access to operational attributes in the Identity Cloud data store

  • OPENIDM-19674: The relationship-defined virtual property (RDVP) schema editor allows you to edit the flattenProperties property. The managed object schema editor allows you to edit the notifyRelationships property.


  • FRAAS-18398: Allow the HTTP OPTIONS method on calls to /openidm/config/* endpoints for CORS preflight checks

  • FRAAS-18526: Script library functionality can’t be used in the UI in certain environments

  • IAM-5656: Fix alignment of text, buttons, and links in Message nodes

  • IAM-5660: Hosted pages not displaying list of themes

  • OPENIDM-18743: Attempts to use connectors fail with null pointer exceptions when operationOptions is defined in the provisioner configuration

  • OPENIDM-18957: The scheduler now attempts to release any triggers it attempted to acquire during a timeout due to an unresponsive repository

  • OPENIDM-19141: Workflow engine queries now properly honor tablePrefix and tablePrefixIsSchema configuration options

  • OPENIDM-19279: Resource collection is required to create a relationship

January 2024

22 Jan 2024

Key features

Identity Cloud use case catalog

Introducing the Identity Cloud use case catalog, a collection of guides that focus on tenant administrator use cases and third-party integrations.

19 Jan 2024

Key features

New Identity Governance capabilities[1][3] (IAM-4617, IGA-1664)

The Workflow UI lets you define custom workflow definitions for all access request types.

Role membership certification, a new certification type for access reviews, lets you review and certify roles and the users who have access to roles. Primary reviewers are role owners, a single user, or users assigned to a role.

09 Jan 2024

Key features

Schedule jobs directly in the Identity Cloud admin UI (IAM-3489)

You can now schedule the following jobs directly in the Identity Cloud admin UI without using the IDM admin UI (native console):

  • Scripts: Execute a script at a regular interval.

  • Task scanner: Execute a scan of identities using a complex query filter at a regular interval. The scan can then execute a script on the identities returned by the query filter.


  • FRAAS-7382: Add ability to include JavaScript snippets in login and end-user UIs

  • IAM-4514[1]: Allow reviewers to add user, entitlement, and role columns to an access review

  • IAM-4739: Add read schema option to SCIM application template to discover custom schemas/attributes

  • IAM-5138[4]: Add ability to view reports to end-user UI

  • IAM-5201: Focus on first input field or button automatically upon page load

  • IAM-5268: Add source-missing situation rule to authoritative applications


  • IAM-4810: Custom endpoint UI missing context option

  • IAM-5072: Inbound mapping tab shows in target applications

  • IAM-5171: Azure Active Directory application template doesn’t return a user’s role membership

  • IAM-5187: LDAP v2.1 application template doesn’t clear dc=example,dc=com base DN

  • IAM-5238: LDAP application template is missing the group object classes property

  • IAM-5422[1]: Entitlement owner doesn’t show in the entitlement list

  • OPENAM-21856: Introspecting stateless token with IG/Web agents will cause OAuth2ChfException

December 2023

12 Dec 2023

Key features

Duo Universal Prompt node (FRAAS-15675)

The Duo Universal Prompt node lets you provide two-factor authentication using Duo’s Universal Prompt authentication interface. You can integrate Universal Prompt with your web applications using the Duo Web v4 SDK.

For details, refer to Duo Universal Prompt node.


  • AME-22326: The httpClient available in scripts now automatically adds the current transactionId as an HTTP header. This lets you correlate caller and receiver logs to make requests to other ForgeRock products and services.

  • AME-25392: Add org.forgerock.openam.scripting.api.PrefixedScriptPropertyResolver, used for accessing ESVs from scripts, to the allowlist for SAML2_SP_ADAPTER and SAML2_IDP_ADAPTER script types

  • AME-25433: Add com.sun.crypto.provider.PBKDF2KeyImpl, javax.crypto.SecretKeyFactory, and javax.crypto.spec.PBEKeySpec to the allowlists for Scripted Decision nodes and Configuration Provider nodes

  • AME-25608: Add auditing for opening and closing connections for the LDAP decision node, ID Repo service, and Policy Configuration service

  • AME-25630: Add to the allowlist for the Scripted Decision and Configuration Provider nodes

  • FRAAS-17939: Some connectors included with Identity Cloud were upgraded to the following versions:

    • Google Apps connector

    • Microsoft Graph API connector

    • Salesforce connector

    • SCIM connector

    • Workday connector

  • IAM-4511: Hide fields in the Users & Roles tab when editing and creating unreadable properties

  • IAM-4615: Add a "Skip to main content" link to page headers

  • OPENAM-16897: The OAuth 2.0 Device grant flow can now return either JSON or HTML

  • OPENIDM-19037: Update property value substitution to reflect boolean value in the UI


  • COMMONS-1397: Audit event log entries not logged due to thread contention

  • FRAAS-17686: Add org.forgerock.json.jose.jwe.JweHeader to the allowlists for the AUTHENTICATION_TREE_DECISION_NODE and CONFIG_PROVIDER_NODE script types

  • IAM-4401: Disabling Clear-Site-Data header breaks realm login

  • IAM-4991: When a suspendedId is in use, redirect to failureUrl fails

  • IAM-5075: Login messages are read twice by screen readers

  • IAM-5186: User identity related values aren’t saved after removal

  • OPENAM-17331: Disabled SNS endpoints can now be re-enabled

  • OPENAM-17816: OAuth 2.0 requests without a Content-Type header fail with a 500 error

  • OPENAM-19282: Recovery Code Display node only works immediately after a registration node

  • OPENAM-19889: Policy evaluation fails when subject is agent access token JWT

  • OPENAM-20026: Social IDP with trailing whitespace in the name can’t be deleted using the UI

  • OPENAM-20329: Issuer missing from OAuth 2.0 JARM response

  • OPENAM-21053: Missing userId from access audit log when in JWT client authentication flow

  • OPENAM-21421: Scripting logger name isn’t based on logging hierarchy convention

  • OPENAM-21476: Persistent cookie is not created when using Configuration Provider node

  • OPENAM-21484: When introspecting a stateful refresh token, the claims field for known OAuth 2.0 fields is now a string rather than being nested in a list

  • OPENIDM-19328: Fix queued sync to recover following node restart

November 2023

30 Nov 2023


  • IAM-5275: Identity Cloud admin UI doesn’t add query parameters to the logout URL

  • IAM-5289: Fix warning message when maxidletime is greater than 24.8 days


ForgeRock deprecated the option to let Identity Cloud tenant administrators skip 2-step verification on Friday, February 3, 2023.

The end-of-life date for this deprecation is Friday, March 1, 2024, when the skip option functionality will be removed from Identity Cloud. You have until this date to update your tenants to make 2-step verification mandatory for all tenant administrators. For more information, refer to Tenant administrator mandatory 2-step verification FAQ.

14 Nov 2023

Key features

Next generation scripting enhancements (AME-25928)

The next generation scripting engine for journey decision node scripts lets you:

  • Reduce the need to allowlist Java classes with a stable set of enhanced bindings.

  • Simplify scripts with fewer imports and more intuitive return types that require less code.

  • Debug efficiently with clear log messages and a simple logging interface based on SLF4J.

  • Make requests to other APIs from within scripts with a more intuitive HTTP client.

  • Modularize your scripts by reusing common code snippets, including external libraries such as CommonJS, with library scripts.

  • Access identity management information seamlessly through the openidm binding.

The next generation engine can’t use legacy scripts.

If your Scripted Decision node uses legacy scripts, you must convert them to use updated bindings to take advantage of the benefits of the next generation scripting engine.

Where possible, you should migrate legacy scripts to take advantage of next generation stability.

For more information, refer to Next-generation scripts.

Gateway Communication node (FRAAS-17380)

Lets Identity Cloud authentication journeys communicate directly with the Identity Gateway (IG).

This secure communication channel extends the Identity Cloud capabilities with IG features, such as validating a Kerberos ticket and performing other certificate handshakes.

For details, refer to Gateway Communication overview.


  • FRAAS-3841: Activate and deactivate journeys in the Identity Cloud admin UI. Refer to Deactivate journeys.

  • IAM-4191: Allow tenant session cookie name to be configured. Refer to Session cookie name.

  • IAM-4735: Add support for schema discovery in application templates

  • IAM-4806: Show outbound tenant IP addresses in Identity Cloud admin UI. Refer to Access global settings.

  • IAM-4853: Add AS400 application template. Refer to the AS400 section in Provision an application.


  • FRAAS-16785: Incorrect positioning of reCAPTCHA v2 elements

  • FRAAS-17883: Tenant administrators cannot save edits to their personal information

  • IAM-2936: Journeys hang indefinitely when using a State Metadata node within a Page node

  • IAM-4521: Screen readers announce field labels twice

  • IAM-4956: Identity Cloud admin UI doesn’t use the current realm when logging out

  • IAM-5113: Unable to remove an NAO assignment from a user in Identity Cloud admin UI

  • IAM-5226: Tenant administrator security questions should not be shown when editing personal information

  • IAM-5240: No error message displays when a tenant administrator fails to save edits to their personal information

October 2023

31 Oct 2023

Key features

New Autonomous Access capabilities[5] (DATASCI-1269)

User access behavior and tenant access behavior UI pages let administrators understand the typical authentication behavior for a selected user or for all users in the tenant for the past six months by displaying key metrics. Administrators can filter the UI to show certain login metrics, like time of day, city, country, day of week, device used for login, operating system, and browser type. Administrators can also compare a selected user’s authentication behavior to that of the authentication attempts for all other users in the tenant.


  • FRAAS-17373[6]: The following connectors included with Identity Cloud were upgraded from to

    • Adobe Marketing Cloud connector

    • Google Apps connector

    • Microsoft Graph API connector

    • Salesforce connector

    • SCIM connector

    Some highlights include:

    • OPENICF-900: SCIM connector: Add support for dynamically generated SCIM schemas

    • OPENICF-2453: SCIM connector: Persist optional refresh token upon successful access token renewal

    For a complete list of enhancements and fixes, refer to Connector changes.

  • IAM-4211: Display disaster recovery region in the Identity Cloud admin UI

  • IAM-4369: Remove AM applications from application list view

  • IAM-5045: Display pop-up warning when an end user is about to be logged out of an Identity Cloud hosted page


  • ANALYTICS-311: The USER-LAST-LOGIN report doesn’t show results if the last journey failed

  • FRAAS-17413: Improve IDM service reliability during upgrades and routine maintenance

  • IAM-4698: Fix accessibility issues with messages in page nodes

  • IAM-4812: Correctly save array ESVs containing newline characters

  • IAM-4863: Display ESV buttons properly when the user gives them focus

  • IAM-4877: Display ESV selection button properly while user is modifying a script associated with a Scripted Decision node

17 Oct 2023

Key features

OneSpan Identity Verification node (FRAAS-13738)

Sends a request to OneSpan to analyze the image and determine whether the document is genuine or fraudulent.

For details, refer to OneSpan Identity Verification node.

OneSpan Get User Authenticator (FRAAS-13160)

Retrieves the authenticators assigned to a user and helps enable the user’s authentication and security levels.

For details, refer to OneSpan Get User Authenticator node.

New Identity Governance capabilities[1] (IGA-1691)

Access requests let end users request access to resources and let managers request that access be removed from their delegates. The list of resources an end user can request access to is referred to as the access catalog.

Manage access request workflows is a new feature that lets you optionally define flows to include business logic, decisions, and approvals. For example, you can decide what happens when an approver rejects an access request for an application. Workflows currently support only access request-related features.

New options in the Identity Cloud End User UI let end users submit access requests, submit requests to remove access, and review assigned request items:

  • The My Requests option lets you view and create access requests to resources (applications, roles, entitlements) for yourself or on behalf of others.

  • The My Directory > Direct Reports option lets managers submit access removal requests.

  • The Inbox > Approvals option lists request items (requests an end user submits) for an approver (designated owner) to act on.


  • IAM-3648: ESV placeholders can now be entered from a drop-down list

  • IAM-3651: ESV placeholders can now be entered from key-value input fields

  • IAM-4236: Improve layout of the applications reconciliation tab

  • IAM-4367: Separate the connection status of OAuth 2.0 client applications into a dedicated list

  • IAM-4662: ESV placeholders can now be entered from tag input fields

  • IAM-4717: Added date, datetime, and time fields to the login UI

  • IAM-4789: Grant roles now show temporal constraints

  • OPENAM-20847: Sanitized HTML can now be added into messages for the Email Suspend node


  • FRAAS-17235: Validate ESV values correctly when they are wrapped in white space

  • FRAAS-17283: Tenant status pages not automatically updated during downtime

  • IAM-4235: Passthrough authentication using AD connector fails if set up in UI and user DN includes a space

  • IAM-4418: Fix accessibility issues with multi-select input fields

  • IAM-4489: Align checkbox color with other form elements

  • IAM-4491: Correctly label sidebar buttons when expanded or collapsed

  • IAM-4492: Make navigation bars in end-user UI accessible for screen readers

  • IAM-4528: Outbound reconciliation mapping preview shows generated password value

  • IAM-4798: The aria-label is now correctly displayed for all component types on sidebar buttons

  • OPENIDM-19192: Personal information is still editable by end users when User Editable is set to false

03 Oct 2023

Key features

Query Parameter node (AME-24069)

Allows you to insert query parameter values from a journey URL into configurable node state properties. This lets you customize journeys based on the query parameter values.

For details, refer to Query Parameter node.


  • IAM-3650: Add a drop-down menu to checkbox inputs for selecting ESV placeholders

  • IAM-3826: Add the ability to specify a source and transformation script when mapping application properties.

  • IAM-4515: Include autocomplete attribute with login form fields

  • IAM-4525: Update profile picture modal with accessibility improvements for screen readers

  • IAM-4567: Add a warning when running reconciliations and selecting the persistAssociations option. For details, refer to View a report about the last reconciliation.

  • IAM-4576: Increase time on screen for loading spinner so that screen readers can announce it

  • IAM-4616: Include contextual information with the show/hide buttons for improved accessibility

  • OPENAM-21073: Request headers are now accessible in OAuth 2.0/OIDC scripts for OIDC_CLAIMS, OAUTH2_ACCESS_TOKEN_MODIFICATION, and OAUTH2_MAY_ACT script contexts using the requestProperties binding

  • OPENAM-21346: Add classes java.util.concurrent.TimeUnit, java.util.concurrent.ExecutionException, and java.util.concurrent.TimeoutException to the scripting allowlist

  • OPENAM-21355: Jakarta AWS region (ap-southeast-3) enabled for the Access Management push notification service

  • OPENAM-21416: Canada Central AWS region (ca-central-1) enabled for the Access Management push notification service


  • IAM-4366: Provide browser-specific logic to handle alternative CSS for accessibility

  • IAM-4409: Require at least three characters before running identity searches when there are more than 1000 identities of that type

  • IAM-4460: Screen readers read show/hide buttons for security questions as show/hide password

  • IAM-4478: Only allow certain combinations of properties in a mapping transformation script

  • IAM-4493: Fix the heading hierarchy in the UI

  • IAM-4523: Screen readers read avatar alt text when tabbing to action menu

  • IAM-4524: Two buttons with different labels open the same dialog

  • IAM-4568: Do not enable the option to change a user association in the UI

  • IAM-4584: Drop-down boxes fail ADA compliance

  • IAM-4639: String/password field button is highlighted in the UI

  • IAM-4703: Fix display of password fields in some themes

  • IAM-4710: Fix rounded border of password fields in hosted pages

  • IAM-4829: Eye icon displays over the password field highlight box in the UI

  • OPENAM-18599: Allow customization of the error message that displays to end users when their account is locked or inactive using .withErrorMessage() in a Scripted Decision node

  • OPENAM-18685: Use the OAuth2 Provider service in the AM admin UI to specify if tokens issued should contain the subname claim

  • OPENAM-19261: Errors are incorrectly logged when triggered by introspection of tokens using OAuth 2.0 client credentials grant

  • OPENAM-20451: The WebAuthn Registration node now displays an end user’s userName when registering a device when the identity’s name isn’t human-readable

  • OPENAM-21158: Add support for trusted platform module (TPM) attestation using elliptic curve cryptography (ECC) unique parameter validation starting with Windows 11 version 22H2

  • OPENAM-21304: The request_uris field does not populate when OAuth 2.0 clients register using dynamic client registration

September 2023

26 Sep 2023


  • FRAAS-17278: Health status reports for AM, IDM, and Admin services incorrectly reported as available in some situations

  • IAM-4843: The user column in the certification task list now shows a user’s full name instead of only the first name

  • IAM-4903[7]: Fix IGA calls that are not working in a custom domain

  • IAM-4915[7]: Fix Access Review UI that shows the JSON object of the manager relationship in the User Details modal

19 Sep 2023


  • OPENAM-21390: Fix caching error to correctly provide data to nodeState when a journey switches server instances

05 Sep 2023

Key features

Salesforce Community User application template (IAM-4340)

Provision, reconcile, and synchronize Salesforce, Salesforce Portal, and Salesforce Community accounts.

OneSpan Auth VDP User Register node (FRAAS-15426)

Registers end users to authenticate using the virtual one-time password (VOTP).

For details, refer to OneSpan Auth VDP User Register node.

OneSpan Auth Assign Authenticator node (FRAAS-15426)

Assigns a VIR10 authenticator to an end user if the end user isn’t already assigned to one. Requires a VIR10 authenticator to be available in the tenant.

OneSpan Auth Generate VOTP node (FRAAS-15426)

Generates a virtual one-time password (VOTP) and delivers it to an end user through the node’s configured delivery method. Requires the end user to be assigned to a VIR10 authenticator.

For details, refer to OneSpan Auth Generate VOTP node.

August 2023

28 Aug 2023

Key features

Add preference-based provisioning to Privacy and Consent settings (IAM-4243)

End users in target applications can share their data with other applications. After the end user configures a preference to share data with other applications, data from the target application is synchronized with Identity Cloud.

For details, refer to End-user data sharing.


  • AME-25061: Provide additional context information in Marketplace authentication nodes to enable UI improvements

  • IAM-3502: Add the ability to set and reset a sync token for identity management account object type. For details, refer to Reset the last reconciliation job.

  • IAM-3678: Update error messages and labels in login and signup pages

  • IAM-3962: Improve design of push number challenge page for Push Wait node

  • IAM-4248: Add three additional non-account objects to ServiceNow page

  • IAM-4326: Improve onLink script to handle mapped properties of type array and object

  • IAM-4334: Update SuccessFactors application templates to support Identity Cloud built-in SuccessFactors connector


  • IAM-3877: UI loader spins indefinitely when realm is deactivated

  • IAM-4093: Replace Google Fonts in the login UI to meet GDPR compliance requirements

  • IAM-4176: Advanced setting query filter does not show all available properties

  • IAM-4240: Accessibility issues in Page node when NVDA readers are used

  • IAM-4261: Accessing end-user UI with query parameter "code" displays empty page

  • IAM-4371: Unable to create applications due to userpassword property set

  • IAM-4384: Platform UI does not resume journeys with custom redirect logic

  • IAM-4427: Platform UI does not show assignments for tenants running deprecated application management

  • IAM-4475: Platform UI does not load after tenant administrator signs into an upper tenant during promotion

  • IAM-4533: Journeys do not resume correctly when returning from a social identity provider without a realm identifier

  • IAM-4534: Redirect callbacks for journeys not working correctly

  • OPENAM-18004: Audit logging does not specify transaction IDs correctly for internal requests to certain APIs

  • OPENAM-18709: Calls to the nodeState.get() method in Scripted Decision nodes do not return values in shared state when a variable is stored in both shared state and secure state

  • OPENAM-20230: Calls to classes in the allowlist fail occasionally with access prohibited messages

  • OPENAM-20682: Unable to encrypt id_token error when there are multiple JWKs with the same key ID but different encryption algorithms

  • OPENAM-20691: Session quota reached when oldest session is not destroyed due to race condition

  • OPENAM-20783: Logging is incorrect when the authorization code grant flow is used successfully

  • OPENAM-20920: Null pointer exceptions when a SAML v2.0 binding is null and the SSO endpoint list contains non-SAML v2.0 entries

  • OPENAM-20953: Policy evaluation with a subject type JwtClaim returns HTTP response code 500

  • OPENAM-21001: Custom scripted SAML v2.0 IDP account mappers are determined incorrectly

  • OPENAM-21004: Invalid session ID error when session management is disabled in an OIDC provider

  • OPENAM-21046: The Create Object and Patch Object nodes do not log exception stack traces when they can’t retrieve the object schema

  • OPENAM-21164: XML string formatted incorrectly when using a custom adapter to get the assertion from a SAML v2.0 response

9 Aug 2023


  • FRAAS-16471: ESV variables and secrets API endpoints slow for large result sets

  • FRAAS-16271: ESV secrets could be incorrectly marked as "not loaded" when tenant has many ESVs

July 2023

19 Jul 2023


Introspect endpoint GET requests and URL query string parameters (FRAAS-10638)

ForgeRock has deprecated the following behaviors of the OAuth 2.0 introspect endpoint in Identity Cloud:

  • Accept GET requests

  • Accept data in POST requests from URL query string parameters

You can continue to use these behaviors, but they will be removed on July 19, 2024. Instead, when using the OAuth 2.0 introspect endpoint, you should use POST requests and pass data in the POST request body.

Refer to /oauth2/introspect.
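An added example, not code from the changelog or from ForgeRock: a small Python helper that scans access-log lines for introspect calls still using the deprecated GET or query-string forms (so those clients can be migrated before the removal date) and builds the compliant POST request with the token in the body. The log line format, the tenant URL and the realm path are assumptions; client credentials are sent as HTTP Basic, the usual RFC 7662 arrangement for a confidential client.

```python
"""Find deprecated introspect usage and build the compliant request.

Added example; the log format below is CONSTRUCTED for illustration and
the realm path /realms/root/realms/alpha is an assumption.
"""
import base64
import re
import urllib.parse
import urllib.request

# Matches /oauth2/introspect with any number of /realms/<name> segments before it
INTROSPECT_PATH_RE = re.compile(r"/oauth2(?:/realms/[^/?]+)*/introspect$")

# Constructed sample access-log lines: "<method> <path-with-query> <status>"
SAMPLE_LOG = """\
GET /am/oauth2/realms/root/realms/alpha/introspect?token=REDACTED 200
POST /am/oauth2/realms/root/realms/alpha/introspect?token=REDACTED 200
POST /am/oauth2/realms/root/realms/alpha/introspect 200
POST /am/oauth2/realms/root/realms/alpha/access_token 200
"""


def classify_introspect_request(method: str, target: str):
    """Return None for non-introspect requests, otherwise one of
    'deprecated-get', 'deprecated-query-params' or 'ok'."""
    parsed = urllib.parse.urlsplit(target)
    if not INTROSPECT_PATH_RE.search(parsed.path):
        return None
    if method.upper() == "GET":
        return "deprecated-get"
    if parsed.query:
        # POST that still carries request data (typically the token) in the
        # query string; tokens in URLs also tend to end up in proxy logs.
        return "deprecated-query-params"
    return "ok"


def scan_log(text: str):
    """Return [(line_no, finding)] for every deprecated introspect call."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 2:
            continue
        finding = classify_introspect_request(parts[0], parts[1])
        if finding and finding != "ok":
            findings.append((n, finding))
    return findings


def build_introspect_request(base_url, realm_path, token, client_id, client_secret):
    """Build (but do not send) a compliant introspect request: POST, token in
    the form-encoded body, client credentials in a Basic Authorization header."""
    url = f"{base_url.rstrip('/')}/am/oauth2{realm_path}/introspect"
    body = urllib.parse.urlencode({"token": token}).encode()
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Authorization", f"Basic {creds}")
    return req


if __name__ == "__main__":
    for line_no, finding in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {finding}")
```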

17 Jul 2023


  • OPENIDM-19245[4]: Fix IDM version qualifier to prevent ForgeRock REST proxy error

11 Jul 2023


  • FRAAS-15974: Unable to promote empty configuration to reset staging environment

07 Jul 2023


  • FRAAS-16041: Support Basic Authentication for Identity Cloud logging endpoints

  • OPENIDM-19240[4]: Fix the "internal server error" message when configuring reconciliation mappings

June 2023

27 Jun 2023

Key features

New Identity Governance capabilities[1] (IGA-1592)

Entitlements are specific permissions given to an account in an onboarded target application. Each entitlement correlates to a permission. Pull in entitlements from all onboarded target applications into Identity Cloud for use in certifications.

Entitlement assignment certification, a new certification type for access reviews, lets you review and certify entitlements and the users who have access to entitlements on some or all applications. Primary reviewers are entitlement owners, a single user, or users assigned to a role.

The governance glossary lets you attach business-friendly attributes to applications, entitlements, and roles to add more specificity to the data you review in access certifications.

New options in the Identity Cloud End User UI let you view your access, your direct reports, and the access your direct reports have:

  • The My Access option lets you view your access in Identity Cloud and onboarded target applications. This includes accounts from onboarded target applications, roles you are assigned in Identity Cloud, and entitlements or privileges you have in onboarded target applications.

  • The Direct Reports option lets you get access information for individuals you manage. This includes their profile information, accounts from onboarded target applications, roles they are assigned in Identity Cloud, and entitlements or privileges they have in onboarded target applications.

Lexis-Nexis ThreatMetrix Authentication nodes (FRAAS-15325)

Integrate Lexis-Nexis ThreatMetrix decision tools and enable device intelligence and risk assessment in Identity Cloud.

For details, refer to ThreatMetrix Authentication nodes.

Filter log results (FRAAS-15378)

Use the _queryFilter parameter to filter log results on any field or combination of fields in a payload. For details, refer to Filter log results.

Microsoft Graph API email client (OPENIDM-17899)

Configure the email client to use the MS Graph API Client for sending email.

For more information, refer to Microsoft Graph API email client.

Included connectors and framework upgraded to OpenICF

The connectors included with Identity Cloud have been upgraded from version to Some highlights include:

  • MS Graph API Connector: Add the ability to read application and servicePrincipal object (OPENICF-2208)

  • MS Graph API Connector: Implement application role assignments (OPENICF-2269)

  • SCIM Connector: Support for throttling (OPENICF-1916)

For a complete list of enhancements and fixes, refer to Connector changes.


  • IAM-2826: Filter the "Assignments" tab for identities so that it does not show overrides, entitlements, or resources

  • IAM-3408: Let provisioners use a range of connector versions

  • IAM-3677: Remove increment/decrement arrows from numeric input fields

  • IAM-3678[4]: Improved ADA accessibility for error messages associated with input fields

  • IAM-3982: Let users filter risk activity using distributed attack as a risk reason

  • IAM-3983: Show distributed attack as a risk reason in the risk dashboard

  • IAM-4051: Improved ADA accessibility for drop-down boxes

  • IAM-4053: Improved ADA accessibility when NVDA readers are used on pages that use the Page node

  • IAM-4074: Add a loading animation to the pie chart component

  • IAM-4136: Use the tab key to move focus and remove tags in multi-select components


  • FRAAS-5756[4]: Journeys don’t resume after authentication in downstream identity provider

  • FRAAS-9230: Sanitize aria-hidden fields

  • FRAAS-14214: Changing an existing ESV type is now denied by the API and new ESVs always require an explicit type

  • FRAAS-14262: Include changes to group privileges in the configuration promotions report

  • FRAAS-14706: Improve the detection of changes to complex configuration files and IDM script hooks in promotion reports

  • FRAAS-14897: Improve the rate limiting behavior of the /monitoring/logs endpoint

  • IAM-2026: Support versioning of the application and connector templates

  • IAM-2713: Prohibit editing of managed application objects

  • IAM-2972: Route users to the correct realm after granting Salesforce permissions

  • IAM-3089: Unable to exit a social provider and select a different social provider in a journey

  • IAM-3594: Correctly redirect control to the End User UI after authenticating with itsme

  • IAM-3719: Modals do not display access review comments and activity

  • IAM-3939: Let end users switch to a different authentication journey

  • IAM-4013: When using a custom domain, originalLoginRealm is set incorrectly

  • IAM-4116: Don’t let access review users add reviewers with greater privileges than they themselves have

  • IAM-4134: User pop-up is visible in "Entitlement" tab

  • IAM-4200: Last certified date, decision, and actor displaying incorrectly in Governance account details

  • IAM-4242: Add "Conflicting changes" category to reconciliation summary

  • IAM-4289: Unable to assign non-account object properties to roles

  • IAM-4293: Access reviews and line items not shown for staged campaigns

  • IAM-4295: Reviewer not redirected back to pending reviews after access review sign off

  • OPENIDM-17481: Managed object schema can now describe a field as a nullable array and specify a default value for this field if not provided in a create request

  • OPENIDM-17771: Processing of a large number of scheduled jobs no longer causes all scheduled tasks to continuously misfire

  • OPENIDM-18192: Updating a relationship-defined virtual property (RDVP) on a managed object by signal receipt no longer causes other RDVP state within that object to be lost

  • OPENIDM-18292[4]: Add support for the _fields request parameter to the sync getTargetPreview endpoint.

  • OPENIDM-18360: Use the full object state when validating requests made by a delegated administrator to modify a relationship

  • OPENIDM-18613: Provide the ability to remove the userPassword attribute

  • OPENIDM-18644: Correctly determine whether it’s possible to configure clustered reconciliation

  • OPENIDM-18807[4]: Update user provisioning workflow sample to check for empty manager strings

  • OPENIDM-18895: Fixes support for multi-version concurrency control on managed object patches and updates

  • OPENIDM-18898[4]: Add support for the _countOnly parameter in identity management scripts

  • OPENIDM-18980[4]: Add a new metric to measure the duration of a LiveSync event

  • OPENIDM-19098[4]: Enable ES6 support for identity management scripts

13 Jun 2023

Key features

Administrator federation enhancements (FRAAS-12097)

Groups support

The new groups feature allows you to add and remove administrators depending on group membership in your identity provider. Using administration groups lets you automate the granting and removing of access for administrators that are being on-boarded, switching roles, or leaving your organization.

OIDC Federation

OIDC is now supported as a federation identity provider, along with Microsoft ADFS and Microsoft Azure.

OIDC ID Token Validator node (OPENAM-13293)

The new OIDC ID Token Validator node lets Identity Cloud rely on an OIDC provider’s ID token to authenticate an end user. The node evaluates whether the ID token is valid according to the OIDC specification.

For details, refer to OIDC ID Token Validator node.

Scripted SAML 2.0 SP adapter (AME-21638)

Customize the SAML 2.0 SP adapter using a script.


  • AME-24073: Expose the prompt_values_supported parameter of the provider configuration at the OIDC .well-known endpoint

  • AME-24175: Provide additional classes in the allowlist for scripts used in the Scripted Decision node

  • FRAAS-13293: Provide more accurate and granular information in promotion reports

  • FRAAS-14063: Remove orphaned unused scripts during promotion

  • FRAAS-15022: Improve promotion reports

  • IAM-2561: Allow adding applications to a user or role from the Identities > Manage page

  • IAM-3666: Add alternative text to QR code image

  • IAM-3676: Add keyboard controls to UI to select multiple values in multivalued lists

  • IAM-4030: Improve handling of identity provider and groups claims

  • IAM-4031: Generic OIDC configuration returns HTTP 400 Bad Request

  • OPENAM-18692: Set the minimum value for the Default Max Age property to 0

  • OPENAM-19745: Add support for EdDSA signing algorithm to WebAuthn Registration node

  • OPENAM-20541: Add additional inner classes to scripting allowlist to support RSA keypair generation


  • AME-24026: Allow specifying inputs required by the provider scripts in the Configuration Provider node

  • IAM-3550: When attempting to validate Office 365 applications, a blank screen appears

  • IAM-3580: Improve service accounts UI including error handling

  • IAM-4032: Federation enforcement is missing from the UI

  • FRAAS-10816: Include thread ID and remove control characters from some Identity Cloud log files for easier log correlation

  • FRAAS-14956: Promotion preview and report not showing all configuration changes

  • FRAAS-15188: Ensure environments can be recreated after deletion

  • OPENAM-12030: Authentication node instances are deleted when journeys containing them are deleted

  • OPENAM-13329: Display journeys with spaces in their name in the Authentication Configuration drop-down menu

  • OPENAM-13766: Route user session based on whether policy evaluation is requested or not

  • OPENAM-17179: Correctly delete a script if its referring journey is deleted

  • OPENAM-17566: Display account name instead of UUID in the ForgeRock Authenticator when using MFA

  • OPENAM-18488: Support certificate-based attestation in certificate chains terminating at an intermediate CA

  • OPENAM-20082: Show correct error message to locked out users

  • OPENAM-20104: Fix the fragment response mode for the OAuth 2.0 authorize endpoint

  • OPENAM-20187: Fix the "waiting for response" page so that it fails authentication as configured in the authentication journey

  • OPENAM-20230: Prevent class allowlist from failing for classes already on the allowlist

  • OPENAM-20318: Allow a restricted set of HTML tags to be rendered in page node headers and descriptions

  • OPENAM-20360: Fix default URL encoding to ensure ampersand characters are not double encoded in a SAML assertion

  • OPENAM-20386: Fix authentication node state reconciliation in some complex journeys

  • OPENAM-20451: Fix WebAuthn registration node to return a human-readable username

  • OPENAM-20457: Device Location Match node routes to "Unknown Device" outcome instead of failing the authentication journey when the previously stored location of the device is not provided

  • OPENAM-20479: Enhance OIDC authentication to handle unsecured JWS requests


Deprecate health check endpoints (FRAAS-15623)

ForgeRock has deprecated the following Identity Cloud health check endpoints:

  • /am/isAlive.jsp

  • /am/json/health/live

  • /am/json/health/ready

  • /openidm/info/ping

You can continue to use the endpoints, but they will be removed on June 13, 2024.

You should update any external monitoring to use the Identity Cloud /monitoring/health endpoint instead.

07 Jun 2023

Key features

UAT environment (FRAAS-13196)

You can now add one additional environment to your standard promotion group of development, staging, and production tenant environments. A UAT environment has the same capabilities as your staging environment, which allows your organization an additional production-like environment in which to test your development changes.

A UAT environment is an add-on capability.

For details, refer to UAT environments.

Secure Connect (FRAAS-15187)

You can now use ForgeRock Secure Connect to create dedicated, direct, and secure communication between your Identity Cloud network and your private network, such as an on-premises data center or IaaS provider. Secure Connect bypasses the public internet, improving latency, throughput, and security.

Secure Connect is a limited availability feature.

For details, refer to Secure Connect.

May 2023

31 May 2023


  • DATASCI-1267[8]: Autonomous Access dashboard is now realm-based

  • DATASCI-1330[8]: Autonomous Access can use blocklists and allowlists of IP addresses

  • DATASCI-1336[8]: Autonomous Access can avoid putting users in double jeopardy

30 May 2023


  • FRAAS-12469: Automatically create a status page account for new tenants

16 May 2023

Key features

PowerShell connector

Use the PowerShell Connector Toolkit to register a connector that can provision any Microsoft system.

For details, refer to PowerShell.

SAP SuccessFactors Account or SAP SuccessFactors HR connector

Use the SAP SuccessFactors connectors to synchronize SAP SuccessFactors users with Identity Cloud users.

Bookmark application

You can now register a bookmark application - for example, OneNote, Evernote, Google Bookmarks, or - to direct users to specific URLs. A bookmark application displays shortcut links on dashboards. When you click one of the links, the browser opens a new tab.

For details, refer to Bookmark.

Microsoft Intune node

Integrates Microsoft Intune to control features and settings on Android, Android Enterprise, iOS/iPadOS, macOS, and Windows 10/11 devices in your organization.

For details, refer to Microsoft Intune node.

Secret Double Octopus (SDO) nodes

ForgeRock Identity Cloud integrates with Secret Double Octopus (SDO) to provide high-assurance, passwordless authentication systems that address the diverse authentication needs of a real-world, working enterprise.

For details, refer to Secret Double Octopus (SDO) nodes.


Issue ID Summary


Add support for bookmark apps in application management


Update promotions UI to set tenant color dynamically based on the tenant name


Make Auto Access dashboard data realm specific


Add new default SCIM object types and mappings


Access review progress tooltip not working in end-user UI


Add SuccessFactors template and connector configuration


Display sign-off button in access review page in admin UI


Add alt text to QR code


Add visual indication of keyboard focus on input fields


Improve accessibility of the Edit personal info profile dialog


Line items not showing for completed access reviews


Validate campaign deadline dates in admin UI


Campaign owner is duplicated in user dropdown after reconciliation run


Ensure relationship resource collection grids filter based on managed object settings


Allow login UI to work when browser session storage is unavailable


Prevent login UI rendering extra whitespace character in front of text on suspended nodes


Remove beta indicator from the trends chart in admin UI dashboard


Change color of radio button in Choice Collector node


Ensure global variable assignmentResCollection is not overwritten when editing scripts


Enhance onLink script to correctly verify inputs


New PowerShell configuration properties


Risk score definition on autonomous decision node is not working


Risky events are not shown in the risk dashboard


Risk reasons do not display in the risk dashboard


Fix API request timeout errors for slow connections


Add missing footer to Page node when session expired


Display last name instead of user ID on user profile when no first name is provided


Microsoft Intune marketplace node


Secret Double Octopus marketplace node

02 May 2023

Key features

Support for all Google Fonts for hosted pages

Meet your organization’s brand guidelines by using any Google Font in your hosted pages.


Issue ID Summary


Set the log API key creation date correctly


Allow any Google Font to be used on hosted pages


Prevent table columns from stacking vertically on smaller viewports


Additional Options section missing from Identity Certification campaign template


End-user UI fails to load when accessing Identity Cloud in a new tab


Prevent repository reads when anonymous users make requests to info and ping endpoints

April 2023

21 Apr 2023

Resolved issues

Issue ID Summary


RelationshipArray grid queries use unnecessary &_sortKeys=_id when getting data

18 Apr 2023

Key features

IP allowlisting

Enterprises often need to ensure that requests entering their network come from trusted sources. ForgeRock Identity Cloud now offers outbound static IP addresses for all environments.

Outbound static IP addresses let you implement network security policies by setting up allowlists of IPs originating from Identity Cloud. This adds an extra layer of security to outbound calls to your APIs or SMTP servers.

For more information, refer to Outbound static IP addresses.

Resolved issues

Issue ID Summary


Outbound request static IP allows IP allowlisting for new customers


Provide the ability to display a login journey in an iframe for specific custom domains. To implement this feature, you need to open a support ticket.


Promotion report does not include changes to custom email provider


Promotion report should identify journeys by their name


Updated user registration cloud logging to capture events from identity providers


UI displays "Resource 'managed/alpha_application' not found" message


Cannot access ESVs in sandbox tenants


Configuration placeholder replacement assumes a string value


Certain searches cause NoSuchElementException errors


Update the scheduler to attempt to release any triggers it previously attempted to acquire from a timeout due to an unresponsive repository

11 Apr 2023

Key features

ForgeRock® Identity Governance (add-on capability)

ForgeRock Identity Governance is a new add-on capability that allows you to centrally administer and manage user access to applications and data across your organization to support regulatory compliance.

With Identity Governance you can:

  • Work with onboarded target applications when reviewing user data. This allows you to review user data for onboarded applications.

  • Define and launch reviews of data using certification campaigns.

  • Review and manage user access to applications. This includes managers reviewing the access their direct reports have.

For more information, refer to About Identity Governance.

To purchase an Identity Governance subscription, contact your ForgeRock representative.

Administrator federation

Administrator federation allows administrators to use single sign-on (SSO) to log in to an Identity Cloud tenant.

By using federation to authenticate your administrators to Identity Cloud, you can quickly and easily deprovision an administrator by removing their access from your centralized identity provider.

Resolved issues

Issue ID Summary


Initial release of Identity Governance with identity certifications


Administrators can access Identity Cloud using single sign-on from another identity provider


Search with BigIndex throws a NoSuchElementException error

March 2023

29 Mar 2023

Key features

OneSpan authentication journey nodes

The new OneSpan authentication journey nodes integrate OneSpan Intelligent Adaptive Authentication (IAA) scoring for identity proofing, continuous authentication, and fraud protection.

For details about OneSpan authentication integration setup, refer to OneSpan.

Jumio identity verification

The new Jumio identity verification integrates with Jumio’s NetVerify service to easily and securely verify identity by using facial recognition to authenticate against government-issued IDs.

For details about Jumio identity verification, refer to Jumio identity verification.

Logout for all server-side sessions for a user or set of users

Administrators can now invalidate (log out) all server-side sessions for a user by sending a POST request to the json/sessions endpoint with the logoutByUser action, specifying the username in the request payload.

Composite advice with an AuthLevelCondition in journeys

Composite advice gives AM hints about which authentication services to use when logging in a user. Journeys now take into account the AuthLevelCondition composite advice.

For example, you can now use AuthLevelCondition composite advice so that AM uses a journey that provides an authentication level of 10 or higher.

Promotions API documentation

The promotions API documentation is now publicly available at

SCIM built-in connector

You can now use the SCIM built-in connector to manage user and group accounts on any SCIM-compliant resource provider.

Support for REST connector applications

Application management now lets you create, provision, and manage REST connector applications.

For details, refer to Scripted REST connector.

Resolved issues

Issue ID Summary


Scripted plugin for SAML 2.0 SP Adapter


Log out all server-side sessions for a user or set of users so that they have to reauthenticate


Let administrators access Identity Cloud using single sign-on from another identity provider


The promotions API documentation is now publicly available at


Include the log sources in the logged events


Add /platform/oauthReturn route to support authentication for Salesforce and Google Apps


OIDC login from a custom domain results in blank page


Integrate Jumio identity verification journey nodes


Integrate OneSpan authentication nodes


Promotions report shows changes that it shouldn’t


Remove unexpected changes from promotion reports


Let Identity Cloud administrators access policy configuration


Make managed groups visible in the AM admin UI


Add class to scripting allowlist


Remove OneSpan nodes from the Basic Authentication journey node list


Add inner classes from and java.crypto packages to scripting allowlist


Add IdPCallback class to scripting allowlist


UI displays "Resource 'managed/alpha_application' not found" message


Cannot access ESVs in sandbox tenants


Fixed agent logout in platform UI


Allow properties in forms to be reordered


In the Dashboard, the total number of applications that display in the Applications box now includes those applications registered using the new app catalog in tenants created on or after January 12, 2023.


Unable to exit a social provider and select a different social provider in a journey


Add support for enumerated values in array attributes


Update the descriptive text in the "Add Property" modal to be more accurate


Added ability to configure the scripted Groovy connector


Hide the SSO tab when an application is authoritative


Updated SCIM app template to only show the refresh token property for OAuth authentication


Adjust Autonomous Access risk filter to better handle scoring edge cases


Adjust menu width on the Autonomous Access Risk Administration page


Enable clicking a row to edit entries on the service accounts page


Added breadcrumbs to the service accounts page


Added a search field to the service accounts page


Fix display of OAuth 2.0 applications with a UUID for a name


Corrected AD template property from ENABLED to ENABLE


Addressed accessibility concerns when displaying password policy validation


Fix objects ending in application or assignment not appearing in the Privileges tab


Fixed an issue with unselected applications being imported when promoting, and improved the user experience for selecting and deselecting applications in the promotions UI


Added ability to customize the success color in hosted pages


Apple social authentication works with other authentication methods


Add support in journeys for composite advices that use an AuthLevelCondition


Don’t raise errors when calls to the access_token endpoint specify the scope parameter in OAuth2 authorization_code exchange


Handle the CA certificate correctly for Windows Hello attestations


The LDAP connector now correctly reads the AD Account tokenGroups attribute


IBM RACF API connector


Add group owners management support to the Microsoft Graph API connector


PeopleSoft connector v2.0


Add archived, languages, isEnrolledIn2Sv, and isEnforcedIn2Sv fields to the Google Apps connector


Adjust license assignments as part of the user creation and update operations in the Google Apps connector


The Microsoft Graph API connector now lets you assign and revoke directory roles to an Azure AD user account and query the target instance for roles


The Microsoft Graph API connector now lets you assign and revoke custom roles to an Azure AD user account and query the target instance for roles


Assign and revoke PermissionSets and Groups to Salesforce user accounts in the Salesforce connector


Expose groups and roles through user object in the ServiceNow connector


View, update, and remove a group’s roles through the role object in the ServiceNow connector


The LDAP connector now includes a parameter to use isMemberOf by ldapGroups


In the Google Apps connector, don’t throw an NPE when updating a user with a change to license assignments if _NAME_ is not specified


In the GoogleApps connector, the PATCH remove operation doesn’t update the object when both the field and value are provided


Query filter editor no longer removes double quotes from all properties that aren’t of type string


Saving changes to the authzRoles field on users no longer overrides the field type


Country codes in locales are no longer ignored when sending emails


Added new default policy, cannot-contain-others-case-insensitive


Custom script exception messages are no longer incorrectly truncated in REST responses


IDM admin UI should query recon association data instead of audit data


Improved resiliency of clustered reconciliations


Validate that connector names are alphanumeric


New sync mapping fields, defaultSourceFields and defaultTargetFields, let you specify which fields to use for read and query requests


Endpoints within /system now support specifying additional fields when using wildcards


The groups' name field is now searchable


An up-to-date target object state is now provided in sync script bindings and sync audit mechanisms


The default assignment object schema now contains a "condition" field


The IDM admin UI now defaults identity object number fields to 0 instead of an empty value


Queued sync not triggered if target is a CREST proxy endpoint


Tenant administrator password policy no longer restricts passwords to a maximum length


Reconciliation job identifiers now use a more precise timestamp


Add new SCIM connector; applications now support creating connections to SCIM services


Script changes cannot be saved unless you click outside the Inline Script box


Inability to save a schedule when you add or remove a passed variable


Inability to delete an inline reconciliation or schedule script

15 Mar 2023

Key features

Improved access to reconciliation logs in Identity Cloud

You can now view IDM reconciliation logs in your tenant by updating your audit configurations and specifying the log source idm-recon in a call to the logging API endpoint.

For more information, refer to Update audit configuration.

Resolved issues

Issue ID Summary


Let administrators add idm-recon as a log source for pulling reconciliation audit activity


Adjust drop-down lists to show the value of the selected option in the form

February 2023

14 Feb 2023

Key features

Application promotions

You can now use the UI to promote applications between tenant environments. Promoted applications are recreated in the upper environment with any associated static configuration (connectors, mappings, or SAML configuration) and any associated dynamic configuration (OAuth 2.0 clients).

Resolved issues

Issue ID Summary


Control access to hosted account and journey pages


Don’t allow changes to scripts in staging and production environments


Adjust sandbox environment migration to not use development environment migration steps


Autonomous log filters fail in connected environments


Adjust input field placeholders to clear properly when a user starts typing


Only allow unique values when adding application owners


Add the ability to promote dynamic configuration attached to application


Remove redirect to global settings during administrator login


Let users filter the trends dashboard by date without resetting the journeys dashboard


After refreshing the realm settings page, set the current tab using the identifier specified in the URL fragment


Access Management native console incorrect redirect URL


Changes to identity objects by onUpdate scripts not triggering relationship property onRetrieve hooks

03 Feb 2023

Key features

Deprecate skip option for tenant administrator MFA

ForgeRock has deprecated the option to let Identity Cloud tenant administrators skip 2-step verification. Customers can continue to use the skip option in their tenants, but this functionality will be removed from Identity Cloud on February 3, 2024.

Resolved issues

Issue ID Summary


Deprecate skip option for tenant administrator MFA

January 2023

31 Jan 2023

Key features

Service accounts

You can now use service accounts to request access tokens for most Identity Cloud REST API endpoints without relying on a particular identity in your system:

  • Call Identity Cloud APIs programmatically without needing a human identity.

  • Access AM or IDM APIs in the same way using a signed JWT.

  • Set scopes on each service account to assign only necessary permissions to access tokens.

  • Use for automation and CI/CD tooling.

For details, refer to Service accounts.

Resolved issues

Issue ID Summary

  • Remove unrelated AM root realm changes from promotion reports

  • Remove unexpected file changes from self-service promotion reports

  • Improve performance of promotion report generation by removing unrelated data

  • Service accounts

  • Fix hCaptcha support in Platform UI

  • Add Uncategorized to the journey category filter

  • Replace bullets with checkmarks when validating password policy

  • Add support for localized logos in end-user UI

  • Increase the size of the terms and conditions modal window

  • Enable promotions UI to ignore encrypted secrets

  • Update risk configuration UI to show only user-modifiable configuration

  • Add new userConfig endpoint to the riskConfig API

  • Update risk configuration evaluation UI so that updates use the new APIs

  • Fix the gotoOnFail query parameter to redirect in case of failure

  • Prevent proceeding from the Active Directory modal window without entering base DNs

  • Fix Salesforce provisioning connection

  • Fix single sign-on (SSO) setup when app name has a space

  • Enable suppression of the login failure message from the failure node

  • Fix localized headers rendering as [object Object]

  • Remove bitwise filter on Active Directory page

  • Update Maintain LDAP Group Membership option to not be selected by default

  • Update cn property to be optional in Active Directory target mode

  • Update ldapGroups property to be available by default in Active Directory target mode

  • Fix password hash algorithm

  • Fix font weight of the title text on provisioning tab

  • Fix Revoke button in Users & Roles to revoke users, and not be clickable when there are no users to revoke

  • Fix Active Directory user filter anomaly when deleting a row

  • Fix Active Directory assignment on array attributes to be a merge and not replace

  • Update user-specific attributes to be editable by administrators

  • Add paging back to application list view if workforce feature is not enabled

  • Fix escaping of ESV placeholders in the advanced email editor

  • Fix display of localized favicon

19 Jan 2023

Key features

BioCatch authentication nodes

The new BioCatch authentication nodes integrate BioCatch scoring for identity proofing, continuous authentication, and fraud protection.

For details, refer to Marketplace.

Resolved issues

Issue ID Summary

  • Create endpoint to log out sessions based on user identifier

  • Avoid potential performance degradation when removing expired token state

  • Integrate BioCatch authentication journey nodes

  • Improve invalid page size error message

  • No configuration found for log in with session condition advice deny

  • Prevent script typos that cause services to fail from being introduced into the system

  • LDAP connector has invalid configuration when whitespace added to Base DN

  • Support email addresses that contain non-ASCII UTF-8 characters

12 Jan 2023

Key features

Workforce application and connector management

In new tenants created on or after January 12, 2023, you can use the improved applications page to integrate Identity Cloud with external data stores or identity providers. The applications page acts as a one-stop location where you can:

  • Register and provision popular federation-capable applications quickly and easily by choosing from a library of templates, such as Salesforce and Workday.

  • Register and provision your organization’s custom applications.

  • Manage data, properties, rules, SSO, provisioning, users, and groups for an application.

  • View the connection status of each application.

  • Activate and deactivate an application.

For details, refer to Application management.

Event hooks

Event hooks let you trigger scripts during various stages of the lifecycle of users, roles, assignments, and organizations.

You can trigger scripts when one of these identity objects is created, updated, retrieved, deleted, validated, or stored in the repository. You can also trigger a script when a change to an identity object triggers an implicit synchronization operation.

Post-action scripts let you manipulate identity objects after they are created, updated, or deleted.

For details, refer to Event hooks.

Daon IdentityX authentication nodes

The new Daon authentication nodes let you integrate with the Daon IdentityX platform for MFA with mobile authentication or out-of-band authentication using a separate, secure channel.

For details, refer to Marketplace.

Onfido authentication nodes

The new Onfido authentication nodes let you use Onfido’s solution for collecting and sending document identification and, optionally, biometrics to the Onfido backend for verification.

For details, refer to Marketplace.

Resolved issues

Issue ID Summary

  • Update the filter text on the Autonomous Access dashboard from "All Risk Scores" to "Risk Score"

  • Update text on the Autonomous Access dashboard’s Copy on User Detail page

  • AM cache outdated during restart of Identity Cloud services

  • Integrate Daon authentication journey nodes

  • Integrate Onfido authentication journey nodes

  • Avoid potential performance degradation when removing expired token state

  • Add list of encrypted secrets to promotion reports

  • Add classes to the scripting allow list

  • Unlock the environment and stop checking progress after successfully promoting an environment

  • Remove the option to keep orphaned configuration nodes from the promotions API

  • Add redirect for custom domain login screen

  • Promotions API failed to generate a report

  • Email invites to sandbox tenant administrators sometimes do not work

  • Add proxy state to output of lock state endpoint for promotions API

  • Prevent placeholder support being enabled unless a specific migration flag value is set

  • Add only standard placeholders (not user-defined placeholders) prior to enabling placeholder management

  • Provisional report endpoint can return 500 if requested repeatedly before cache is built

  • Provisional reports can cause promotion service to run out of memory and restart

  • Unable to log into tenant to perform self-service promotion

  • Application management improvements

  • Access multi-tenant social providers without requiring multiple secondary configurations

  • Ensure RDVPs are not erased for all types of managed objects for all types of PUT operations

  • Add support for direct assignments

  • Implement weighted assignments

  • Create endpoint for aggregating effective assignments and user identity object type outbound mapping values

  • Include Google Apps connector in bundled connectors

  • Do not schedule clustered-recon-resilience jobs for reconById invocations

December 2022

14 Dec 2022

Resolved issues

Issue ID[10] Summary

  • Promotion hangs when waiting for Identity Cloud services

  • Promotion reports not showing changes for all connectors

  • Promotion reports rendering new line characters inside JSON strings

  • Restart of AM can lead to outdated cache

  • Promotion reports not showing changes to custom endpoint scripts

  • Password policy to force password expiry not working

  • Embedding images in the theme editor only displays alternative text

  • Email suspend message displayed without line breaks

  • Add translation configuration key for "Passwords do not match" message

  • Self-service promotions migration UI flow should enable promotions UI features

  • Speed up search for organizations

  • Do not flag reconById invocations as clustered

  • Add name field to resourceCollection query fields for group identity objects

02 Dec 2022

Resolved issues

Issue ID Summary

  • Validation fails for ESV list type

November 2022

29 Nov 2022

Key features

Group management

You can now create and manage groups that are shared across AM and IDM within your Identity Cloud instance. New tenants have group management enabled by default, and existing tenants can follow an upgrade path to enable it.

For more information, refer to Group management.

ID Cloud Analytics Dashboard enhancements

You can now take advantage of the following enhancements to the analytics dashboard:

  • The journey chart now lets users drill down at specific points on a trend line to view individual journey outcomes for that date/hour. Journeys are sorted by a ranking of percentage failures, but can also be sorted based on number ranking.

  • Two new widgets — Top Five Journeys by Outcome and Top Five Journeys by Usage — that rank trending journeys based on outcomes and usages are now available.

For more information, refer to Identity Cloud analytics dashboard.

Resolved issues

Issue ID Summary

  • Add support for groups and assigning users to groups

  • Add journey ranking and ability to drill down into journey outcomes to the analytics dashboard

09 Nov 2022

Key features

Self-service promotions

Self-service promotions let you promote configuration between environments without raising a support ticket. You can perform self-service promotions from development to staging tenant environments, and from staging to production tenant environments. You cannot promote sandbox environments.

For more information, refer to Introduction to self-service promotions.

Configuration placeholders visible in all APIs

Configuration placeholders let you set ESVs in your configuration.

For more information, refer to Configure placeholders to use with ESVs.

Duo authentication node

The new Duo authentication node lets you use Duo’s solution for adaptive authentication, bring your own device security, cloud security, endpoint security, mobile security, and two-factor authentication.

Twilio authentication node

The new Twilio authentication node allows you to use Twilio for two-factor authentication during account setup, sign-on, and other scenarios. The node lets you integrate Twilio’s APIs to build solutions for SMS and WhatsApp messaging, voice, video, and email. The node uses Twilio’s latest Lookup API, which uses real-time risk signals to detect fraud and trigger step-up authentication when needed.

For details, refer to Marketplace.

Resolved issues

Issue ID Summary

  • Correct the value in the All Journeys field

  • Correct prefilled username fields in Filters window

  • Don’t show explainability if not specified in response after applying Unusual Day of Week filter

  • Let users see previously selected risk reasons after closing the Filter window

  • Prevent the truncation of text on the right side of pages

  • Configuration placeholders visible in all APIs in new customer environments

  • Add Duo authentication node

  • Add Twilio authentication node

  • Add translation configuration key for no search results message

  • Self-service promotions available in new customer environments

  • Add Marketplace nodes to journey editor menu

  • Remove blank page shown when user returns to login page following successful login to custom domain

  • Handle ESVs as string type if no type is set

  • Expose ESV variable type in the UI

  • Prevent theme styles rendering in the hosted pages editor

  • Show the entire answer to a long security question after clicking the visibility icon

  • Do not let users save email templates that contain JavaScript

  • Render SVG images correctly

  • ForgeRock favicon displays briefly before the customer’s favicon

  • Remove flashing red text from security questions window

  • Support localization for radio display fields in Choice Collector node

  • Remove legend from Risk Score window

  • Update UI regex validation for ESV list type

October 2022

18 Oct 2022

Resolved issues

Issue ID Summary

  • Fix Choice Collector nodes so that they can show more than two options

07 Oct 2022

Resolved issues

Issue ID Summary

  • Fix login issues caused by allowing non-mandatory login journey attributes to have empty values (reverts IAM-1678)

05 Oct 2022

Resolved issues

Issue ID Summary

  • Include grace period configuration in the OAuth2 provider settings

  • Remove Automated User Agent from the list of risk reasons filters

  • Let users filter dashboards by date, risk scores and features

  • Update the Risk Activity page when applying a filter without requiring users to refresh the page

  • Show the times that events occurred correctly without requiring users to refresh the display

  • Let users see their last five risky authentication attempts

  • Remove risk administration options from end users' navigation menus

  • When filtering activities using a date range, include the activities that occur on the end date

  • Allow login journey attributes that are not required to have empty values

  • When editing email templates, cut text correctly

  • When placeholders are used, display read-only strings in the Platform UI

  • Alter AM XUI to display read-only strings wherever placeholders are in use

  • Remove excess space from journey editor fields that do not require floating labels

  • Replace fields for specifying numeric thresholds with a risk score definition slider in Autonomous Access Decision nodes

  • Let users create customized footers on Page nodes

  • Add option to customize Page node background color

  • Add option to customize Page node button width

  • Add option to customize label text for Page node fields

  • Remove spurious "No configuration exists for id" pop-up warning

  • Add option to display Message node as a link

  • After importing journeys, let user delete all imported journeys with a single delete action

  • Provide a value when the object.password variable is specified in an email template

  • Remove tenant information from the Realm menu

  • Make H2, H3, and H4 HTML headings bigger when there’s no higher-level predecessor heading

  • Show the correct number of events per country on the Activity Risk dashboard

  • Show previous authentication attempts when doing anomaly lookups

  • Change the default navigation background color of Account pages without changing the dashboard color

  • Change the color of the Autonomous Access event log indicator to red

  • Correct pagination on the Autonomous Access Risk page

  • Make dashboard analytics pipeline logs in Autonomous Access work as expected

  • Wrap long security questions

  • Don’t reuse authId during password validation

  • Provide better error message when an LDAP authentication node encounters a TLS connection issue

  • Do not override the Success URL node’s value

  • Do not wait for cache timeout before OAuth2 clients reflect changes to JavaScript origins

  • Correctly handle multi-line text in Email Suspend nodes

  • Update the default email validation policy to conform with RFC 5322

  • Allow configuration changes to the repo.ds.json file to take effect without restarting IDM

  • Fix null pointer exception when the repo.ds.json file is misconfigured

  • Fix for startup error message caused by ObjectMapping constructor exception

  • Fix email validation errors in the IDM admin UI (native console)

  • Save managed object properties correctly in Identity Management native console

  • Point developers to the ForgeRock SDKs when they create an OAuth 2.0 client in the Platform UI

  • Point developers to the ForgeRock SDKs when they configure CORS in the Platform UI

1. This issue applies to a feature only available in ForgeRock Identity Governance, which must be purchased separately.
2. This release focuses on internal improvements and technical updates to enhance the overall stability, performance, and maintainability of the platform. While there are no direct customer-facing changes, these updates lay the groundwork for future feature releases and improvements.
3. This issue was released on January 9, 2024 but inadvertently excluded from the regular changelog.
4. This issue was inadvertently excluded from the Rapid changelog.
5. This change applies to a feature only available in ForgeRock Autonomous Access, which is an add-on capability and must be purchased separately.
6. The updated connectors for FRAAS-17373 were originally listed as: Database Table connector, Microsoft Graph API connector, Oracle EBS connector, Salesforce connector, SCIM connector, ScriptedSQL connector.
7. This issue was released as a hotfix but inadvertently excluded from the rapid changelog.
8. This issue was released on May 30, 2023 but inadvertently excluded from the changelog.
9. This issue was released on March 18, 2023 but inadvertently excluded from the changelog.
10. The issues listed in this table were released on November 29, 2022 but inadvertently excluded from the changelog.
Copyright © 2010-2024 ForgeRock, all rights reserved.