Regular channel changelog
Subscribe to get automatic updates: Regular channel changelog RSS feed
Refer to the Changelog archive for release notes published before 16 Sep 2022.
September 2023
26 September 2023
Fixes
- FRAAS-17278: Health status reports for AM, IDM, and Admin services incorrectly reported as available in some situations
- IAM-4843: The user column in the certification task list now shows a user’s full name instead of only the first name
- IAM-4903[1]: Fix IGA calls that are not working in a custom domain
- IAM-4915[1]: Fix Access Review UI that shows the JSON object of the manager relationship in the User Details modal
05 September 2023
Key features
- Salesforce Community User application template (IAM-4340)
  Provision, reconcile, and synchronize Salesforce, Salesforce Portal, and Salesforce Community accounts.
  For details, refer to Salesforce application template or Salesforce Community User application template.
- OneSpan Auth VDP User Register node (FRAAS-15426)
  Registers end users to authenticate using the virtual one-time password (VOTP).
  For details, refer to OneSpan Auth VDP User Register node.
- OneSpan Auth Assign Authenticator node (FRAAS-15426)
  Assigns a VIR10 authenticator to an end user if the end user isn’t already assigned to one. Requires a VIR10 authenticator to be available in the tenant.
  For details, refer to OneSpan Auth Assign Authenticator node.
- OneSpan Auth Generate VOTP node (FRAAS-15426)
  Generates a virtual one-time password (VOTP) and delivers it to an end user through the node’s configured delivery method. Requires the end user to be assigned to a VIR10 authenticator.
  For details, refer to OneSpan Auth Generate VOTP node.
August 2023
28 August 2023
Key features
- Add preference-based provisioning to Privacy and Consent settings (IAM-4243)
  End users in target applications can share their data with other applications. After the end user configures a preference to share data with other applications, data from the target application is synchronized with Identity Cloud.
  For details, refer to End-user data sharing.
Enhancements
- AME-25061: Provide additional context information in Marketplace authentication nodes to enable UI improvements
- IAM-3502: Add the ability to set and reset a sync token for identity management account object type. For details, refer to Reset the last reconciliation job.
- IAM-3678: Update error messages and labels in login and signup pages
- IAM-3962: Improve design of push number challenge page for Push Wait node
- IAM-4248: Add three additional non-account objects to ServiceNow page
- IAM-4326: Improve onLink script to handle mapped properties of type array and object
- IAM-4334: Update SuccessFactors application templates to support Identity Cloud built-in SuccessFactors connector
Fixes
- IAM-3877: UI loader spins indefinitely when realm is deactivated
- IAM-4093: Replace Google Fonts in the login UI to meet GDPR compliance requirements
- IAM-4176: Advanced setting query filter does not show all available properties
- IAM-4240: Accessibility issues in Page node when NVDA readers are used
- IAM-4261: Accessing end-user UI with query parameter "code" displays empty page
- IAM-4371: Unable to create applications due to `userpassword` property set
- IAM-4384: Platform UI does not resume journeys with custom redirect logic
- IAM-4427: Platform UI does not show assignments for tenants running deprecated application management
- IAM-4475: Platform UI does not load after tenant administrator signs into an upper tenant during promotion
- IAM-4533: Journeys do not resume correctly when returning from a social identity provider without a realm identifier
- IAM-4534: Redirect callbacks for journeys not working correctly
- OPENAM-18004: Audit logging does not specify transaction IDs correctly for internal requests to certain APIs
- OPENAM-18709: Calls to the `nodeState.get()` method in Scripted Decision nodes do not return values in shared state when a variable is stored in both shared state and secure state
- OPENAM-20230: Calls to classes in the allowlist fail occasionally with access prohibited messages
- OPENAM-20682: Unable to encrypt `id_token` error when there are multiple JWKs with the same key ID but different encryption algorithms
- OPENAM-20691: Session quota reached when oldest session is not destroyed due to race condition
- OPENAM-20783: Logging is incorrect when the authorization code grant flow is used successfully
- OPENAM-20920: Null pointer exceptions when a SAML v2.0 binding is null and the SSO endpoint list contains non-SAML v2.0 entries
- OPENAM-20953: Policy evaluation with a subject type `JwtClaim` returns HTTP response code 500
- OPENAM-21001: Custom scripted SAML v2.0 IDP account mappers are determined incorrectly
- OPENAM-21004: Invalid session ID error when session management is disabled in an OIDC provider
- OPENAM-21046: The Create Object and Patch Object nodes do not log exception stack traces when they can’t retrieve the object schema
- OPENAM-21164: XML string formatted incorrectly when using a custom adapter to get the assertion from a SAML v2.0 response
July 2023
19 July 2023
Deprecations
- Introspect endpoint GET requests and URL query string parameters (FRAAS-10638)
  ForgeRock has deprecated the following behaviors of the OAuth 2.0 `introspect` endpoint in Identity Cloud:
  - Accept GET requests
  - Accept data in POST requests from URL query string parameters
  You can continue to use these behaviors, but they will be removed on July 19, 2024. Instead, when using the OAuth 2.0 `introspect` endpoint, you should use POST requests and pass data in the POST request body. Refer to /oauth2/introspect.
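The deprecation above leaves tenant administrators with a migration task: find which clients still call the introspect endpoint with GET or with the token in the query string before the behaviors are removed, and make sure new integrations use a POST with a form-encoded body. The following is an added example, not ForgeRock code or any Identity Cloud API; it scans a constructed, simplified request log (the `METHOD PATH CLIENT` line format, the `/am/oauth2/introspect` path and the client names are all assumptions) and reports which clients depend on the deprecated behaviors, and it builds the supported form of the call (client credentials in an HTTP Basic header, token in the POST body, nothing in the query string).

```python
"""Detect deprecated introspect usage in a request log and build the
supported POST form of the call. Added example; not ForgeRock code."""
import base64
import re
from urllib.parse import urlsplit, urlencode

# Constructed sample log lines. The format "METHOD PATH?QUERY CLIENT" is an
# assumption for this example; adapt LINE_RE to the real log source.
SAMPLE_LOG = """\
GET /am/oauth2/introspect?token=abc123&client_id=legacy-app legacy-app
POST /am/oauth2/introspect?token=abc123 query-poster
POST /am/oauth2/introspect modern-app
POST /am/oauth2/access_token modern-app
GET /am/oauth2/.well-known/openid-configuration modern-app
"""

LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) (?P<client>\S+)$")


def classify(line):
    """Return None for lines that are not introspect calls; otherwise a dict
    with the client id and the list of deprecated behaviors the call uses."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/introspect"):
        return None
    issues = []
    if m.group("method") == "GET":
        issues.append("GET request")  # deprecated: GET on introspect
    if parts.query:
        issues.append("parameters in URL query string")  # deprecated: data in query
    return {"client": m.group("client"), "issues": issues}


def find_deprecated_usage(log_text):
    """Map each client id to the sorted list of deprecated behaviors seen."""
    report = {}
    for line in log_text.splitlines():
        result = classify(line)
        if result and result["issues"]:
            report.setdefault(result["client"], set()).update(result["issues"])
    return {client: sorted(issues) for client, issues in report.items()}


def build_introspect_request(base_url, token, client_id, client_secret):
    """Build the supported call: POST, credentials in a Basic header, the
    token form-encoded in the body, and an empty query string.
    Returns (method, url, headers, body)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return (
        "POST",
        f"{base_url}/am/oauth2/introspect",
        {"Authorization": f"Basic {creds}",
         "Content-Type": "application/x-www-form-urlencoded"},
        urlencode({"token": token}),
    )


if __name__ == "__main__":
    for client, issues in find_deprecated_usage(SAMPLE_LOG).items():
        print(f"{client}: {', '.join(issues)}")
```

Running the script lists `legacy-app` (GET and query string) and `query-poster` (query string only); `modern-app` does not appear because its introspect call already uses the supported form. Point the scanner at the tenant's request or audit logs for the introspect path, and treat any client it reports as work to finish before the July 19, 2024 removal date.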
17 July 2023
Fixes
- OPENIDM-19245[2]: Fix IDM version qualifier to prevent ForgeRock REST proxy error
07 July 2023
Fixes
- FRAAS-16041: Support Basic Authentication for Identity Cloud logging endpoints
- OPENIDM-19240[2]: Fix the "internal server error" message when configuring reconciliation mappings
June 2023
27 June 2023
Key features
- New Identity Governance capabilities[3] (IGA-1592)
  Entitlements are specific permissions given to an account in an onboarded target application. Each entitlement correlates to a permission. Pull in entitlements from all onboarded target applications into Identity Cloud for use in certifications.
  Entitlement assignment certification, a new certification type for access reviews, lets you review and certify entitlements and the users who have access to entitlements on some or all applications. Primary reviewers are entitlement owners, a single user, or users assigned to a role.
  The governance glossary lets you attach business-friendly attributes to applications, entitlements, and roles to add more specificity to the data you review in access certifications.
  New options in the Identity Cloud End User UI let you view your access, your direct reports, and the access your direct reports have:
  - The My Access option lets you view your access in Identity Cloud and onboarded target applications. This includes accounts from onboarded target applications, roles you are assigned in Identity Cloud, and entitlements or privileges you have in onboarded target applications.
  - The Direct Reports option lets you get access information for individuals you manage. This includes their profile information, accounts from onboarded target applications, roles they are assigned in Identity Cloud, and entitlements or privileges they have in onboarded target applications.
- Lexis-Nexis ThreatMetrix Authentication nodes (FRAAS-15325)
  Integrate Lexis-Nexis ThreatMetrix decision tools and enable device intelligence and risk assessment in Identity Cloud.
  For details, refer to ThreatMetrix Authentication nodes.
- Filter log results (FRAAS-15378)
  Use the `_queryFilter` parameter to filter log results on any field or combination of fields in a payload. For details, refer to Filter log results.
- Microsoft Graph API email client (OPENIDM-17899)
  Configure the email client to use the MS Graph API Client for sending email.
  For more information, refer to Microsoft Graph API email client.
- Included connectors and framework upgraded to OpenICF 1.5.20.15
  The connectors included with Identity Cloud have been upgraded from version 1.5.20.12 to 1.5.20.15. Some highlights include:
  - MS Graph API Connector: Add the ability to read `application` and `servicePrincipal` objects (OPENICF-2208)
  - MS Graph API Connector: Implement application role assignments (OPENICF-2269)
  - SCIM Connector: Support for throttling (OPENICF-1916)
  For a complete list of enhancements and fixes, refer to Connector changes.
Enhancements
- IAM-2826: Filter the "Assignments" tab for identities so that it does not show overrides, entitlements, or resources
- IAM-3408: Let provisioners use a range of connector versions
- IAM-3677: Remove increment/decrement arrows from numeric input fields
- IAM-3678[2]: Improved ADA accessibility for error messages associated with input fields
- IAM-3982: Let users filter risk activity using distributed attack as a risk reason
- IAM-3983: Show distributed attack as a risk reason in the risk dashboard
- IAM-4051: Improved ADA accessibility for dropdown boxes
- IAM-4053: Improved ADA accessibility when NVDA readers are used on pages that use the Page node
- IAM-4074: Add a loading animation to the pie chart component
- IAM-4136: Use the tab key to move focus and remove tags in multi-select components
Fixes
- FRAAS-5756[2]: Journeys don’t resume after authentication in downstream identity provider
- FRAAS-9230: Sanitize `aria-hidden` fields
- FRAAS-14214: Changing an existing ESV type is now denied by the API and new ESVs always require an explicit type
- FRAAS-14262: Include changes to group privileges in the configuration promotions report
- FRAAS-14706: Improve the detection of changes to complex configuration files and IDM script hooks in promotion reports
- FRAAS-14897: Improve the rate limiting behavior of the `/monitoring/logs` endpoint
- IAM-2026: Support versioning of the application and connector templates
- IAM-2713: Prohibit editing of managed application objects
- IAM-2972: Route users to the correct realm after granting Salesforce permissions
- IAM-3089: Unable to exit a social provider and select a different social provider in a journey
- IAM-3594: Correctly redirect control to the End User UI after authenticating with itsme
- IAM-3719: Modals not displaying access review comments and activity
- IAM-3939: Let end users switch to a different authentication journey
- IAM-4013: When using a custom domain, `originalLoginRealm` is set incorrectly
- IAM-4116: Don’t let access review users add reviewers with greater privileges than they themselves have
- IAM-4134: User pop-up is visible in "Entitlement" tab
- IAM-4200: Last certified date, decision, and actor displaying incorrectly in Governance account details
- IAM-4242: Add "Conflicting changes" category to reconciliation summary
- IAM-4289: Unable to assign non-account object properties to roles
- IAM-4293: Access reviews and line items not shown for staged campaigns
- IAM-4295: Reviewer not redirected back to pending reviews after access review sign off
- OPENIDM-17481: Managed object schema can now describe a field as a nullable array and specify a default value for this field if not provided in a create request
- OPENIDM-17771: Processing of a large number of scheduled jobs no longer causes all scheduled tasks to continuously misfire
- OPENIDM-18192: Updating a relationship-defined virtual property (RDVP) on a managed object by signal receipt no longer causes other RDVP state within that object to be lost
- OPENIDM-18292[2]: Add support for the `_fields` request parameter to the sync `getTargetPreview` endpoint
- OPENIDM-18360: Use the full object state when validating requests made by a delegated administrator to modify a relationship
- OPENIDM-18613: Provide the ability to remove the `userPassword` attribute
- OPENIDM-18644: Correctly determine whether it’s possible to configure clustered reconciliation
- OPENIDM-18807[2]: Update user provisioning workflow sample to check for empty manager strings
- OPENIDM-18895: Fixes support for multi-version concurrency control on managed object patches and updates
- OPENIDM-18898[2]: Add support for the `_countOnly` parameter in identity management scripts
- OPENIDM-18980[2]: Add a new metric to measure the duration of a LiveSync event
- OPENIDM-19098[2]: Enable ES6 support for identity management scripts
13 June 2023
Key features
- Administrator federation enhancements (FRAAS-12097)
  - Groups support
    The new groups feature allows you to add and remove administrators depending on group membership in your identity provider. Using administration groups lets you automate the granting and removing of access for administrators that are being on-boarded, switching roles, or leaving your organization.
  - OIDC Federation
    OIDC is now supported as a federation identity provider, along with Microsoft ADFS and Microsoft Azure.
  For more information, refer to Administrator federation.
- OIDC ID Token Validator node (OPENAM-13293)
  The new OIDC ID Token Validator node lets Identity Cloud rely on an OIDC provider’s ID token to authenticate an end user. The node evaluates whether the ID token is valid according to the OIDC specification.
  For details, refer to OIDC ID Token Validator node.
- Scripted SAML 2.0 SP adapter (AME-21638)
  Customize the SAML 2.0 SP adapter using a script.
  For details, refer to Use SP adapter to alter authentication request process.
Enhancements
- AME-24073: Expose the `prompt_values_supported` parameter of the provider configuration at the OIDC `.well-known` endpoint
- AME-24175: Provide additional classes in the allowlist used by scripts in the Scripted Decision node
- FRAAS-13293: Provide more accurate and granular information in promotion reports
- FRAAS-14063: Remove orphaned unused scripts during promotion
- FRAAS-15022: Improve promotion reports
- IAM-2561: Allow adding applications to a user or role from the Identities > Manage page
- IAM-3666: Add alternative text to QR code image
- IAM-3676: Add keyboard controls to UI to select multiple values in multivalued lists
- IAM-4030: Improve handling of identity provider and groups claims
- IAM-4031: Generic OIDC configuration returns HTTP 400 Bad Request
- OPENAM-18692: Set the minimum value for the Default Max Age property to `0`
- OPENAM-19745: Add support for EdDSA signing algorithm to WebAuthn Registration node
- OPENAM-20541: Add additional inner classes to scripting allowlist to support RSA keypair generation
Fixes
- AME-24026: Allow specifying inputs required by the provider scripts in the Configuration Provider node
- IAM-3550: When attempting to validate Office 365 applications, a blank screen appears
- IAM-3580: Improve service accounts UI including error handling
- IAM-4032: Federation enforcement is missing from the UI
- FRAAS-10816: Include thread ID and remove control characters from some Identity Cloud log files for easier log correlation
- FRAAS-14956: Promotion preview and report not showing all configuration changes
- FRAAS-15188: Ensure environments can be recreated after deletion
- OPENAM-12030: Authentication node instances are deleted when journeys containing them are deleted
- OPENAM-13329: Display journeys with spaces in their name in the Authentication Configuration dropdown menu
- OPENAM-13766: Route user session based on whether policy evaluation is requested or not
- OPENAM-17179: Correctly delete a script if its referring journey is deleted
- OPENAM-17566: Display account name instead of UUID in the ForgeRock Authenticator when using MFA
- OPENAM-18488: Support certificate-based attestation in certificate chains terminating at an intermediate CA
- OPENAM-20082: Show correct error message to locked out users
- OPENAM-20104: Fix the fragment response mode for the OAuth 2.0 authorize endpoint
- OPENAM-20187: Fix the "waiting for response" page so that it fails authentication as configured in the authentication journey
- OPENAM-20230: Prevent class allowlist from failing for classes already on the allowlist
- OPENAM-20318: Allow a restricted set of HTML tags to be rendered in page node headers and descriptions
- OPENAM-20360: Fix default URL encoding to ensure ampersand characters are not double encoded in a SAML assertion
- OPENAM-20386: Fix authentication node state reconciliation in some complex journeys
- OPENAM-20451: Fix WebAuthn registration node to return a human-readable username
- OPENAM-20457: Device Location Match node routes to "Unknown Device" outcome instead of failing the authentication journey when the previously stored location of the device is not provided
- OPENAM-20479: Enhance OIDC authentication to handle unsecured JWS requests
Deprecations
- Deprecate health check endpoints (FRAAS-15623)
  ForgeRock has deprecated the following Identity Cloud health check endpoints:
  - /am/isAlive.jsp
  - /am/json/health/live
  - /am/json/health/ready
  - /openidm/info/ping
  You can continue to use the endpoints, but they will be removed on June 13, 2024.
  You should update any external monitoring to use the Identity Cloud `/monitoring/health` endpoint instead. Refer to Monitor using health check endpoint.
07 June 2023
Key features
- UAT environment (FRAAS-13196)
  You can now add one additional environment to your standard promotion group of development, staging, and production tenant environments. A UAT environment has the same capabilities as your staging environment, which allows your organization an additional production-like environment in which to test your development changes.
  A UAT environment is an add-on capability.
  For details, refer to UAT environments.
- Secure Connect (FRAAS-15187)
  You can now use ForgeRock Secure Connect to create dedicated, direct, and secure communication between your Identity Cloud network and your private network, such as an on-premises data center or IaaS provider. Secure Connect bypasses the public internet, improving latency, throughput, and security.
  Secure Connect is a limited availability feature.
  For details, refer to Secure Connect.
May 2023
16 May 2023
Key features
- PowerShell connector
  Use the PowerShell Connector Toolkit to register a connector that can provision any Microsoft system.
  For details, refer to PowerShell.
- SAP SuccessFactors Account or SAP SuccessFactors HR connector
  Use the SAP SuccessFactors connectors to synchronize SAP SuccessFactors users with Identity Cloud users.
  For details, refer to SAP SuccessFactors Account or SAP SuccessFactors HR.
- Bookmark application
  You can now register a bookmark application - for example, OneNote, Evernote, Google Bookmarks, or raindrop.io - to direct users to specific URLs. A bookmark application displays shortcut links on dashboards. When you click one of the links, the browser opens a new tab.
  For details, refer to Bookmark.
- Microsoft Intune node
  Integrates Microsoft Intune to control features and settings on Android, Android Enterprise, iOS/iPadOS, macOS, and Windows 10/11 devices in your organization.
  For details, refer to Microsoft Intune node.
- Secret Double Octopus (SDO) nodes
  ForgeRock Identity Cloud integrates with Secret Double Octopus (SDO) to provide high-assurance, passwordless authentication systems that address the diverse authentication needs of a real-world, working enterprise.
  For details, refer to Secret Double Octopus (SDO) nodes.
Fixes
Issue ID | Summary |
---|---|
IAM-2911 | Add support for bookmark apps in application management |
IAM-3472 | Update promotions UI to set tenant color dynamically based on the tenant name |
IAM-3518 | Make Auto Access dashboard data realm specific |
IAM-3560 | Add new default SCIM object types and mappings |
IAM-3563 | Access review progress tooltip not working in end-user UI |
IAM-3630 | Add SuccessFactors template and connector configuration |
IAM-3656 | Display sign-off button in access review page in admin UI |
IAM-3666 | Add alt text to QR code |
IAM-3667 | Add visual indication of keyboard focus on input fields |
IAM-3681 | Improve accessibility of the |
IAM-3682 | Line items not showing for completed access reviews |
IAM-3688 | Validate campaign deadline dates in admin UI |
IAM-3703 | Campaign owner is duplicated in user dropdown after reconciliation run |
IAM-3734 | Ensure relationship resource collection grids filter based on managed object settings |
IAM-3778 | Allow login UI to work when browser session storage is unavailable |
IAM-3792 | Prevent login UI rendering extra whitespace character in front of text on suspended nodes |
IAM-3806 | Remove beta indicator from the trends chart in admin UI dashboard |
IAM-3840 | Change color of radio button in Choice Collector node |
IAM-3879 | Ensure global variable |
IAM-3887 | Enhance |
IAM-3910 | New PowerShell configuration properties |
IAM-3922 | Risk score definition on autonomous decision node is not working |
IAM-3937 | Risky events are not shown in the risk dashboard |
IAM-3964 | Risk reasons do not display in the risk dashboard |
OPENAM-18895 | Fix API request timeout errors for slow connections |
OPENAM-20815 | Add missing footer to Page node when session expired |
OPENIDM-18917 | Display last name instead of user ID on user profile when no first name is provided |
TNTP-42 | Microsoft Intune marketplace node |
TNTP-45 | Secret Double Octopus marketplace node |
02 May 2023
Key features
- Support for all Google Fonts for hosted pages
  Meet your organization’s brand guidelines by using any Google Font in your hosted pages.
Fixes
Issue ID | Summary |
---|---|
FRAAS-13247 | Set the log API key creation date correctly |
IAM-1686 | Allow any Google Font to be used on hosted pages |
IAM-3164 | Prevent table columns from stacking vertically on smaller viewports |
IAM-3313[3] | Additional Options section missing from Identity Certification campaign template |
IAM-3950 | End-user UI fails to load when accessing Identity Cloud in a new tab |
OPENIDM-18988 | Prevent repository reads when anonymous users make requests to info and ping endpoints |
April 2023
21 Apr 2023
Resolved issues
Issue ID | Summary |
---|---|
OPENIDM-18967[5] | RelationshipArray grid queries use unnecessary |
18 Apr 2023
Key features
- IP allowlisting
  Enterprises often need to ensure that requests entering their network come from trusted sources. ForgeRock Identity Cloud now offers outbound static IP addresses for all environments.
  Outbound static IP addresses let you implement network security policies by setting up allowlists of IPs originating from Identity Cloud. This adds an extra layer of security to outbound calls to your APIs or SMTP servers.
  For more information, refer to Outbound static IP addresses.
Resolved issues
Issue ID | Summary |
---|---|
FRAAS-5995 | Outbound request static IP allows IP allowlisting for new customers |
FRAAS-9376 | Provide the ability to display a login journey in an iframe for specific custom domains. To implement this feature, you need to open a support ticket. |
FRAAS-13522 | Promotion report does not include changes to custom email provider |
FRAAS-14097 | Promotion report should identify journeys by their name |
FRAAS-14187 | Updated user registration cloud logging to capture events from identity providers |
FRAAS-14260 | UI displays "Resource 'managed/alpha_application' not found" message |
FRAAS-14265 | Cannot access ESVs in sandbox tenants |
FRAAS-14353 | Configuration placeholder replacement assumes a string value |
FRAAS-14475 | Certain searches cause |
OPENIDM-18957 | Update the scheduler to attempt to release any triggers it previously attempted to acquire from a timeout due to an unresponsive repository |
11 Apr 2023
Key features
- ForgeRock® Identity Governance (add-on capability)
  ForgeRock Identity Governance is a new add-on capability that allows you to centrally administer and manage user access to applications and data across your organization to support regulatory compliance.
  With Identity Governance you can:
  - Work with onboarded target applications when reviewing user data. This allows you to review user data for onboarded applications.
  - Define and launch reviews of data using certification campaigns.
  - Review and manage user access to applications. This includes managers reviewing the access their direct reports have.
  For more information, refer to About Identity Governance.
  To purchase an Identity Governance subscription, contact your ForgeRock representative.
- Administrator federation
  Administrator federation allows administrators to use single sign-on (SSO) to log in to an Identity Cloud tenant.
  By using federation to authenticate your administrators to Identity Cloud, you can quickly and easily deprovision an administrator by removing their access from your centralized identity provider.
  For details, refer to Administrator federation.
Resolved issues
Issue ID | Summary |
---|---|
IGA-1433 | Initial release of Identity Governance with identity certifications |
FRAAS-5416 | Administrators can access Identity Cloud using single sign-on from another identity provider |
OPENDJ-9295[2] | Search with |
March 2023
29 Mar 2023
Key features
- OneSpan authentication journey nodes
  The new OneSpan authentication journey nodes integrate OneSpan Intelligent Adaptive Authentication (IAA) scoring for identity proofing, continuous authentication, and fraud protection.
  For details about OneSpan authentication integration set up, refer to OneSpan.
- Jumio identity verification
  The new Jumio identity verification integrates with Jumio’s NetVerify service to easily and securely verify identity by using facial recognition to authenticate against government issued IDs.
  For details about Jumio identity verification, refer to Jumio identity verification.
- Logout for all server-side sessions for a user or set of users
  Administrators can now invalidate (log out) all server-side sessions for a user by sending a POST request to the `json/sessions` endpoint with the `logoutByUser` action, specifying the username in the request payload.
- Composite advice with an AuthLevelCondition in journeys
  Composite advice gives AM hints about which authentication services to use when logging in a user. Journeys now take into account the AuthLevelCondition composite advice.
  For example, you can now use AuthLevelCondition composite advice so that AM uses a journey that provides an authentication level of 10 or higher.
- Promotions API documentation
  The promotions API documentation is now publicly available at https://apidocs.id.forgerock.io/#tag/Promotion.
- SCIM built-in connector
  You can now use the SCIM built-in connector to manage user and group accounts on any SCIM-compliant resource provider.
- Support for REST connector applications
  Application management now lets you create, provision, and manage REST connector applications.
  For details, refer to Scripted REST connector.
Resolved issues
Issue ID | Summary |
---|---|
AME-21638 | Scripted plugin for SAML 2.0 SP Adapter |
AME-22942 | Log out all server-side sessions for a user or set of users so that they have to reauthenticate |
FRAAS-5416 | Let administrators access Identity Cloud using single sign-on from another identity provider |
FRAAS-8225 | The promotions API documentation is now publicly available at https://apidocs.id.forgerock.io/#tag/Promotion |
FRAAS-8709 | Include the log sources in the logged events |
FRAAS-12402 | Add /platform/oauthReturn route to support authentication for Salesforce and Google Apps |
FRAAS-12413 | OIDC login from a custom domain results in blank page |
FRAAS-13454 | Integrate Jumio identity verification journey nodes |
FRAAS-13555 | Integrate OneSpan authentication nodes |
FRAAS-13478 | Promotions report shows changes that it shouldn’t |
FRAAS-13597 | Remove unexpected changes from promotion reports |
FRAAS-13866 | Let Identity Cloud administrators access policy configuration |
FRAAS-13933 | Make managed groups visible in the AM admin UI |
FRAAS-13974 | Add class |
FRAAS-13983 | Remove OneSpan nodes from the Basic Authentication journey node list |
FRAAS-14030 | Add inner classes from |
FRAAS-14069 | Add |
FRAAS-14260 | UI displays "Resource 'managed/alpha_application' not found" message |
FRAAS-14265 | Cannot access ESVs in sandbox tenants |
IAM-662 | Fixed agent logout in platform UI |
IAM-2879 | Allow properties in forms to be reordered |
IAM-2921 | In the Dashboard, the total number of applications that display in the Applications box now includes those applications registered using the new app catalog in tenants created on or after January 12, 2023. |
IAM-3089 | Unable to exit a social provider and select a different social provider in a journey |
IAM-3094 | Add support for enumerated values in array attributes |
IAM-3156 | Update the descriptive text in the "Add Property" modal to be more accurate |
IAM-3160 | Added ability to configure the scripted Groovy connector |
IAM-3180 | Hide the SSO tab when an application is authoritative |
IAM-3193 | Updated SCIM app template to only show the refresh token property for OAuth authentication |
IAM-3261 | Adjust Autonomous Access risk filter to better handle scoring edge cases |
IAM-3262 | Adjust menu width on the Autonomous Access Risk Administration page |
IAM-3303 | Enable clicking a row to edit entries on the service accounts page |
IAM-3304 | Added breadcrumbs to the service accounts page |
IAM-3305 | Added a search field to the service accounts page |
IAM-3461 | Fix display of OAuth 2.0 applications with a UUID for a name |
IAM-3462 | Corrected AD template property from |
IAM-3478 | Addressed accessibility concerns when displaying password policy validation |
IAM-3492 | Fix objects ending in |
IAM-3642 | Fixed an issue with unselected applications being imported when promoting, and improved the user experience for selecting and deselecting applications in the promotions UI |
IAM-3694 | Added ability to customize the success color in hosted pages |
IAM-3760 | Apple social authentication works with other authentication methods |
OPENAM-16374 | Add support in journeys for composite advices that use an AuthLevelCondition |
OPENAM-18270 | Don’t raise errors when calls to the access_token endpoint specify the scope parameter in OAuth2 authorization_code exchange |
OPENAM-18488 | Handle the CA certificate correctly for Windows Hello attestations |
OPENICF-400 | The LDAP connector now correctly reads the AD Account tokenGroups attribute |
OPENICF-1762 | IBM RACF API connector |
OPENICF-1858 | Add group owners management support to the Microsoft Graph API connector |
OPENICF-2033 | PeopleSoft connector v2.0 |
OPENICF-2039 | Add archived, languages, isEnrolledIn2Sv, and isEnforcedIn2Sv fields to the Google Apps connector |
OPENICF-2067 | Adjust license assignments as part of the user creation and update operations in the Google Apps connector |
OPENICF-2068 | The Microsoft Graph API connector now lets you assign and revoke directory roles to an Azure AD user account and query the target instance for roles |
OPENICF-2088 | The Microsoft Graph API connector now lets you assign and revoke custom roles to an Azure AD user account and query the target instance for roles |
OPENICF-2102 | Assign and revoke PermissionSets and Groups to Salesforce user accounts in the Salesforce connector |
OPENICF-2110 | Expose groups and roles through user object in the ServiceNow connector |
OPENICF-2111 | View, update, and remove a group’s roles through the role object in the ServiceNow connector |
OPENICF-2129 | The LDAP connector now includes a parameter to use isMemberOf by ldapGroups |
OPENICF-2192 | In the Google Apps connector, don’t throw an NPE when updating a user with a change to license assignments if _NAME_ is not specified |
OPENICF-2194 | In the GoogleApps connector, the PATCH remove operation doesn’t update the object when both the field and value are provided |
OPENIDM-17876 | Query filter editor no longer removes double quotes from all properties that aren’t of type string |
OPENIDM-17936 | Saving changes to the authzRoles field on users no longer overrides the field type |
OPENIDM-18001 | Country codes in locales are no longer ignored when sending emails |
OPENIDM-18077 | Added new default policy, cannot-contain-others-case-insensitive |
OPENIDM-18153 | Custom script exception messages are no longer incorrectly truncated in REST responses |
OPENIDM-18216 | IDM admin UI should query recon association data instead of audit data |
OPENIDM-18238 | Improved resiliency of clustered reconciliations |
OPENIDM-18243 | Validate that connector names are alphanumeric |
OPENIDM-18260 | New sync mapping fields, defaultSourceFields and defaultTargetFields, let you specify which fields to use for read and query requests |
OPENIDM-18261 | Endpoints within /system now support specifying additional fields when using wildcards |
OPENIDM-18275 | The groups' name field is now searchable |
OPENIDM-18319 | An up-to-date target object state is now provided in sync script bindings and sync audit mechanisms |
OPENIDM-18336 | The default assignment object schema now contains a "condition" field |
OPENIDM-18476 | The IDM admin UI now defaults identity object number fields to |
OPENIDM-18498 | Queued sync not triggered if target is a CREST proxy endpoint |
OPENIDM-18501 | Tenant administrator password policy no longer restricts passwords to a maximum length |
OPENIDM-18629 | Reconciliation job identifiers now use a more precise timestamp |
OPENIDM-18650 | Add new SCIM connector; applications now support creating connections to SCIM services |
OPENIDM-18865 | Script changes cannot be saved unless you click outside the Inline Script box |
OPENIDM-18868 | Inability to save a schedule when you add or remove a passed variable |
OPENIDM-18870 | Inability to delete an inline reconciliation or schedule script |
15 Mar 2023
Key features
- Improved access to reconciliation logs in Identity Cloud
-
You can now view IDM reconciliation logs in your tenant by updating your audit configurations and specifying the log source idm-recon in a call to the logging API endpoint. For more information, refer to Update audit configuration.
February 2023
14 Feb 2023
Key features
- Application promotions
-
You can now use the UI to promote applications between tenant environments. Promoted applications are recreated in the upper environment with any associated static configuration (connectors, mappings, or SAML configuration) and any associated dynamic configuration (OAuth 2.0 clients).
For more information, refer to Manage self-service promotion of applications using the UI.
Resolved issues
Issue ID | Summary |
---|---|
FRAAS-7542 | Control access to hosted account and journey pages |
FRAAS-11599 | Don’t allow changes to scripts in staging and production environments |
FRAAS-13464 | Adjust sandbox environment migration to not use development environment migration steps |
FRAAS-13809 | Autonomous log filters fail in connected environments |
IAM-2725 | Adjust input field placeholders to clear properly when a user starts typing |
IAM-3084 | Only allow unique values when adding application owners |
IAM-3141 | Add the ability to promote dynamic configuration attached to application |
IAM-3151 | Remove redirect to global settings during administrator login |
IAM-3183 | Let users filter the trends dashboard by date without resetting the journeys dashboard |
IAM-3339 | After refreshing the realm settings page, set the current tab using the identifier specified in the URL fragment |
IAM-3512 | Access Management native console incorrect redirect URL |
OPENIDM-16640 | Changes to identity objects by onUpdate scripts not triggering relationship property onRetrieve hooks |
03 Feb 2023
Key features
- Deprecate skip option for tenant administrator MFA
-
ForgeRock has deprecated the option to let Identity Cloud tenant administrators skip 2-step verification. Customers can continue to use the skip option in their tenants, but this functionality will be removed from Identity Cloud on February 3, 2024.
January 2023
31 Jan 2023
Key features
- Service accounts
-
You can now use service accounts to request access tokens for most Identity Cloud REST API endpoints without relying on a particular identity in your system:
- Call Identity Cloud APIs programmatically without needing a human identity.
- Access AM or IDM APIs in the same way using a signed JWT.
- Set scopes on each service account to assign only necessary permissions to access tokens.
- Use for automation and CI/CD tooling.
For details, refer to Service accounts.
Resolved issues
Issue ID | Summary |
---|---|
FRAAS-13478 | Remove unrelated AM root realm changes from promotion reports |
FRAAS-13519 | Remove unexpected file changes from self-service promotion reports |
FRAAS-13620 | Improve performance of promotion report generation by removing unrelated data |
FRAAS-8477 | Service accounts |
IAM-1939 | Fix hCaptcha support in Platform UI |
IAM-2025[2] | Add Uncategorized to the journey category filter |
IAM-2224 | Replace bullets with checkmarks when validating password policy |
IAM-2305[2] | Add support for localized logos in end-user UI |
IAM-2847 | Increase the size of the terms and conditions modal window |
IAM-2912 | Enable promotions UI to ignore encrypted secrets |
IAM-3011 | Update risk configuration UI to show only user-modifiable configuration |
IAM-3012 | Add new |
IAM-3015 | Update risk configuration evaluation UI so that updates use the new APIs |
IAM-3016 | Fix the |
IAM-3041 | Prevent proceeding from the Active Directory modal window without entering base DNs |
IAM-3076 | Fix Salesforce provisioning connection |
IAM-3079 | Fix single sign-on (SSO) setup when app name has a space |
IAM-3088 | Enable suppression of the login failure message from the failure node |
IAM-3091[2] | Fix localized headers rendering as [object Object] |
IAM-3107[2] | Remove bitwise filter on Active Directory page |
IAM-3108[2] | Update Maintain LDAP Group Membership option to not be selected by default |
IAM-3109[2] | Update cn property to be optional in Active Directory target mode |
IAM-3110[2] | Update ldapGroups property to be available by default in Active Directory target mode |
IAM-3111[2] | Fix password hash algorithm |
IAM-3122 | Fix font weight of the title text on provisioning tab |
IAM-3139[2] | Fix Revoke button in Users & Roles to revoke users, and not be clickable when there are no users to revoke |
IAM-3142[2] | Fix Active Directory user filter anomaly when deleting a row |
IAM-3145 | Fix Active Directory assignment on array attributes to be a merge and not replace |
IAM-3146[2] | Update user-specific attributes to be editable by administrators |
IAM-3177 | Add paging back to application list view if workforce feature is not enabled |
IAM-3257[2] | Fix escaping of ESV placeholders in the advanced email editor |
IAM-3335 | Fixed display of localized favicon |
19 Jan 2023
Key features
- BioCatch authentication nodes
-
The new BioCatch authentication nodes integrate BioCatch scoring for identity proofing, continuous authentication, and fraud protection.
For details, refer to Marketplace.
Resolved issues
Issue ID | Summary |
---|---|
AME-22948[2] | Create endpoint to log out sessions based on user identifier |
FRAAS-11964 | Avoid potential performance degradation when removing expired token state |
FRAAS-12140 | Integrate BioCatch authentication journey nodes |
FRAAS-13242 | Improve invalid page size error message |
OPENAM-13766[2] | No configuration found for log in with session condition advice deny |
OPENIDM-17392 | Prevent script typos that cause services to fail from being introduced into the system |
OPENIDM-17664 | LDAP connector has invalid configuration when whitespace added to Base DN |
OPENIDM-17953 | Support email addresses that contain non-ASCII UTF-8 characters |
12 Jan 2023
Key features
- Workforce application and connector management
-
In new tenants created on or after January 12, 2023, you can use the improved applications page to integrate Identity Cloud with external data stores or identity providers. The applications page acts as a one-stop location where you can:
- Register and provision popular federation-capable applications quickly and easily by choosing from a library of templates, such as Salesforce and Workday.
- Register and provision your organization’s custom applications.
- Manage data, properties, rules, SSO, provisioning, users, and groups for an application.
- View the connection status of each application.
- Activate and deactivate an application.
For details, refer to Application management.
- Event hooks
-
Event hooks let you trigger scripts during various stages of the lifecycle of users, roles, assignments, and organizations.
You can trigger scripts when one of these identity objects is created, updated, retrieved, deleted, validated, or stored in the repository. You can also trigger a script when a change to an identity object triggers an implicit synchronization operation.
Post-action scripts let you manipulate identity objects after they are created, updated, or deleted.
For details, refer to Event hooks.
- Daon IdentityX authentication nodes
-
The new Daon authentication nodes let you integrate with the Daon IdentityX platform for MFA with mobile authentication or out-of-band authentication using a separate, secure channel.
For details, refer to Marketplace.
- Onfido authentication nodes
-
The new Onfido authentication nodes let you use Onfido’s solution for collecting and sending document identification and, optionally, biometrics to the Onfido backend for verification.
For details, refer to Marketplace.
Resolved issues
Issue ID | Summary |
---|---|
DATASCI-1548 | Update the filter text on the Autonomous Access dashboard from "All Risk Scores" to "Risk Score" |
DATASCI-1550 | Update text on the Autonomous Access dashboard’s Copy on User Detail page |
FRAAS-11158[2] | AM cache outdated during restart of Identity Cloud services |
FRAAS-11574 | Integrate Daon authentication journey nodes |
FRAAS-11575 | Integrate Onfido authentication journey nodes |
FRAAS-11964 | Avoid potential performance degradation when removing expired token state |
FRAAS-12477 | Add list of encrypted secrets to promotion reports |
FRAAS-12492[2] | Add classes to the scripting allow list |
FRAAS-12494 | Unlock the environment and stop checking progress after successfully promoting an environment |
FRAAS-12545 | Remove the option to keep orphaned configuration nodes from the promotions API |
FRAAS-12552 | Add redirect for custom domain login screen |
FRAAS-12713 | Promotions API failed to generate a report |
FRAAS-12917[2] | Email invites to sandbox tenant administrators sometimes do not work |
FRAAS-12939 | Add proxy state to output of lock state endpoint for promotions API |
FRAAS-12988 | Prevent placeholder support being enabled unless a specific migration flag value is set |
FRAAS-13057 | Add only standard placeholders (not user-defined placeholders) prior to enabling placeholder management |
FRAAS-13082[2] | Provisional report endpoint can return 500 if requested repeatedly before cache is built |
FRAAS-13121 | Provisional reports can cause promotion service to run out of memory and restart |
FRAAS-13244 | Unable to log into tenant to perform self-service promotion |
IAM-2658 | Application management improvements |
OPENAM-19485 | Access multi-tenant social providers without requiring multiple secondary configurations |
OPENIDM-17556 | Ensure RDVPs are not erased for all types of managed objects for all types of PUT operations |
OPENIDM-17616[2] | Add support for direct assignments |
OPENIDM-18024[2] | Implement weighted assignments |
OPENIDM-18037[2] | Create endpoint for aggregating effective assignments and user identity object type outbound mapping values |
OPENIDM-18063[2] | Include Google Apps connector in bundled connectors |
OPENIDM-18388[2] | Do not schedule clustered-recon-resilience jobs for reconById invocations |
December 2022
14 Dec 2022
Resolved issues
Issue ID[6] | Summary |
---|---|
FRAAS-8589 | Promotion hangs when waiting for Identity Cloud services |
FRAAS-9155 | Promotion reports not showing changes for all connectors |
FRAAS-11830 | Promotion reports rendering new line characters inside JSON strings |
FRAAS-11158 | Restart of AM can lead to outdated cache |
FRAAS-12049 | Promotion reports not showing changes to custom endpoint scripts |
IAM-2465 | Password policy to force password expiry not working |
IAM-2706 | Embedding images in the theme editor only displays alternative text |
IAM-2739 | Email suspend message displayed without line breaks |
IAM-2939 | Add translation configuration key for "Passwords do not match" message |
IAM-2973 | Self-service promotions migration UI flow should enable promotions UI features |
OPENIDM-16830 | Speed up search for organizations |
OPENIDM-18388 | Do not flag reconById invocations as clustered |
OPENIDM-18483 | Add name field to resourceCollection query fields for group identity objects |
November 2022
29 Nov 2022
Key features
- Group management
-
You can now create and manage groups that are shared across AM and IDM within your Identity Cloud instance. New tenants have group management enabled by default, and existing tenants can follow an upgrade path to enable it.
For more information, refer to Group management.
- ID Cloud Analytics Dashboard enhancements
-
You can now take advantage of the following enhancements to the analytics dashboard:
- The journey chart now lets users drill down at specific points on a trend line to view individual journey outcomes for that date/hour. Journeys are sorted by a ranking of percentage failures, but can also be sorted based on number ranking.
- Two new widgets — Top Five Journeys by Outcome and Top Five Journeys by Usage — that rank trending journeys based on outcomes and usages are now available.
For more information, refer to Identity Cloud analytics dashboard.
09 Nov 2022
Key features
- Self-service promotions
-
Self-service promotions let you promote configuration between environments without raising a support ticket. You can perform self-service promotions from development to staging tenant environments, and from staging to production tenant environments. You cannot promote sandbox environments.
For more information, refer to Introduction to self-service promotions.
- Configuration placeholders visible in all APIs
-
Configuration placeholders let you set ESVs in your configuration.
For more information, refer to Introduction to configuration placeholders.
- Duo authentication node
-
The new Duo authentication node lets you use Duo’s solution for adaptive authentication, bring your own device security, cloud security, endpoint security, mobile security, and two-factor authentication.
- Twilio authentication node
-
The new Twilio authentication node allows you to use Twilio for two-factor authentication during account setup, sign-on, and other scenarios. The node lets you integrate Twilio’s APIs to build solutions for SMS and WhatsApp messaging, voice, video, and email. The node uses Twilio’s latest Lookup API, which uses real-time risk signals to detect fraud and trigger step-up authentication when needed.
For details, refer to Marketplace.
Resolved issues
Issue ID | Summary |
---|---|
ANALYTICS-52 | Correct the value in the All Journeys field |
DATASCI-1437 | Correct prefilled username fields in Filters window |
DATASCI-1474 | Don’t show explainability if not specified in response after applying Unusual Day of Week filter |
DATASCI-1497 | Let users see previously selected risk reasons after closing the Filter window |
DATASCI-1504 | Prevent the truncation of text on the right side of pages |
FRAAS-10979 | Configuration placeholders visible in all APIs in new customer environments |
FRAAS-11570 | Add Duo authentication node |
FRAAS-11571 | Add Twilio authentication node |
FRAAS-11825 | Add translation configuration key for no search results message |
FRAAS-12219 | Self-service promotions available in new customer environments |
FRAAS-12301 | Add Marketplace nodes to journey editor menu |
FRAAS-12413 | Remove blank page shown when user returns to login page following successful login to custom domain |
FRAAS-12625 | Handle ESVs as string type if no type is set |
IAM-1935 | Expose ESV variable type in the UI |
IAM-2038 | Prevent theme styles rendering in the hosted pages editor |
IAM-2066 | Show the entire answer to a long security question after clicking the visibility icon |
IAM-2259 | Do not let users save email templates that contain JavaScript |
IAM-2312 | Render SVG images correctly |
IAM-2411 | ForgeRock favicon displays briefly before the customer’s favicon |
IAM-2502 | Remove flashing red text from security questions window |
IAM-2633 | Support localization for radio display fields in Choice Collector node |
IAM-2696 | Remove legend from Risk Score window |
IAM-2869 | Update UI regex validation for ESV list type |
October 2022
05 Oct 2022
Resolved issues
Issue ID | Summary |
---|---|
AME-22684 | Include grace period configuration in the OAuth2 provider settings |
DATASCI-1165 | Remove Automated User Agent from the list of risk reasons filters |
DATASCI-1358 | Let users filter dashboards by date, risk scores and features |
DATASCI-1365 | Update the Risk Activity page when applying a filter without requiring users to refresh the page |
DATASCI-1394 | Show the times that events occurred correctly without requiring users to refresh the display |
DATASCI-1395 | Let users see their last five risky authentication attempts |
DATASCI-1397 | Remove risk administration options from end users' navigation menus |
DATASCI-1406 | When filtering activities using a date range, include the activities that occur on the end date |
IAM-1678 | Allow login journey attributes that are not required to have empty values |
IAM-1682 | When editing email templates, cut text correctly |
IAM-1932 | When placeholders are used, display read-only strings in the Platform UI |
IAM-1933 | Alter AM XUI to display read-only strings wherever placeholders are in use |
IAM-2028 | Remove excess space from journey editor fields that do not require floating labels |
IAM-2064 | Replace fields for specifying numeric thresholds with a risk score definition slider in Autonomous Access Decision nodes |
IAM-2080 | Let users create customized footers on Page nodes |
IAM-2141 | Add option to customize Page node background color |
IAM-2142 | Add option to customize Page node button width |
IAM-2143 | Add option to customize label text for Page node fields |
IAM-2227 | Remove spurious "No configuration exists for id external.email" pop-up warning |
IAM-2249 | Add option to display Message node as a link |
IAM-2250 | After importing journeys, let user delete all imported journeys with a single delete action |
IAM-2251 | Provide a value when the object.password variable is specified in an email template |
IAM-2258 | Remove tenant information from the Realm menu |
IAM-2285 | Make H2, H3, and H4 HTML headings bigger when there’s no higher-level predecessor heading |
IAM-2290 | Show the correct number of events per country on the Activity Risk dashboard |
IAM-2294 | Show previous authentication attempts when doing anomaly lookups |
IAM-2320 | Change the default navigation background color of Account pages without changing the dashboard color |
IAM-2329 | Change the color of the Autonomous Access event log indicator to red |
IAM-2351 | Correct pagination on the Autonomous Access Risk page |
IAM-2373 | Make dashboard analytics pipeline logs in Autonomous Access work as expected |
IAM-2468 | Wrap long security questions |
IAM-2521 | Don’t reuse authId during password validation |
OPENAM-18112 | Provide better error message when an LDAP authentication node encounters a TLS connection issue |
OPENAM-18933 | Do not override the Success URL node’s value |
OPENAM-19196 | Do not wait for cache timeout before OAuth2 clients reflect changes to JavaScript origins |
OPENAM-19868 | Correctly handle multi-line text in Email Suspend nodes |
OPENIDM-16420 | Update the default email validation policy to conform with RFC 5322 |
OPENIDM-17533 | Allow configuration changes to the repo.ds.json file to take effect without restarting IDM |
OPENIDM-17720 | Fix null pointer exception when the repo.ds.json file is misconfigured |
OPENIDM-17836 | Fix for startup error message caused by ObjectMapping constructor exception |
OPENIDM-17911 | Fix email validation errors in the IDM admin UI (native console) |
OPENIDM-18272 | Save managed object properties correctly in Identity Management native console |
SDKS-1720 | Point developers to the ForgeRock SDKs when they create an OAuth 2.0 client in the Platform UI |
SDKS-1721 | Point developers to the ForgeRock SDKs when they configure CORS in the Platform UI |