--- title: Documentation updates description: In addition to the changes described elsewhere in these release notes, the published documentation for each AM version includes the following important changes. component: pingam version: release-notes page_id: pingam::doc-updates canonical_url: https://docs.pingidentity.com/pingam/release-notes/doc-updates.html section_ids: am_8_1_x: AM 8.1.x am_8_1_0: AM 8.1.0 am_8_0_x: AM 8.0.x am_8_0_2: AM 8.0.2 am_8_0_1: AM 8.0.1 am_8_0_0: AM 8.0.0 am_7_5_x: AM 7.5.x am_7_5_2: AM 7.5.2 am_7_5_1: AM 7.5.1 am_7_5_0: AM 7.5.0 am_7_4_x: AM 7.4.x am_7_4_2: AM 7.4.2 am_7_4_1: AM 7.4.1 am_7_4_0: AM 7.4.0 --- # Documentation updates In addition to the changes described elsewhere in these release notes, the published documentation for each AM version includes the following important changes. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------- | | | The Amster release notes have been combined into the AM release notes. These release notes now include Amster changes since AM 7.2. | ## AM 8.1.x ### AM 8.1.0 | | | | ---------------------------------------- | ------------------------------------------------------------------------------------------------------------ | | AME-33889 | Document default Config Provider script in platform UI | | AME-33875 | Document new Headers option for success details node | | AME-33874 | Document new Headers option for failure details node | | AME-33842 | Document Allow Radius Node to handle Vendor Specific Attributes | | DF-1047 | Clarify that the percentage of requests must be an integer | | DF-552 | Addressed feedback for suspend and resume journeys | | DOCS-9732 | Update reCAPTCHA Enterprise node documentation | | DOCS-9616 | Add details regarding modes and the variance property to the Device Match node | | DOCS-9523 | Move PingOne nodes to the Auth Nodes reference | | DOCS-9443 | Apply the documentation template to the Select Identity Provider node | | DOCS-9417 | Apply the documentation template to the Polling Wait node | | DOCS-8431 | Include the API version header in the Config Provider node example | | OPENAM-25800 | Add Skew Allowance to Device Binding nodes | | OPENAM-25765 | Document the am.secrets.gsm.stableid.version.only advanced server property to change the default kid value | | OPENAM-25755 | Address Device Binding node feedback and incorporate all device binding nodes into the template | | OPENAM-25741 | Add a Callbacks section to selected nodes | | OPENAM-25736 | Document the Node State Attribute For Username attribute in the PingOne Protect Evaluation node | | OPENAM-25682, OPENAM-25683, OPENAM-24932 | Address feedback on the OATH Token Verifier node | | OPENAM-25678 | Add callback information to the Push nodes | | OPENAM-25668 | Document new locales binding | | OPENAM-25660 | Document automatic redirects in the PingOne Verify Evaluation node | | OPENAM-25641 | Document the addition of redirectUris to OAuth 2.0 script bindings | | OPENAM-25623 | Documentation for the RSA SecurID node | | OPENAM-25615 | Document support for custom CTS DN during FBC installation | | OPENAM-25599 | Document sending groups with the PingOne Protect Evaluation node | | OPENAM-25593 | Document the new JWT Password Replay node | | OPENAM-25584 | Address feedback for the Social Provider Handler node | | OPENAM-25551 | Remove note regarding the inability to rename OATH and Push devices | | OPENAM-25548, OPENAM-25549 | Address feedback for the Device Profile Collector and Device Match nodes | | OPENAM-25538 | Clarify documentation for the Set Persistent Cookie node | | OPENAM-25532 | Update FBC upgrade instructions | | OPENAM-25528 | Document support for the android-key attestation type | | OPENAM-25513 | Address feedback on the Device Profile Save node | | OPENAM-25509 | Correct the path to the external identity store in the upgrade documentation | | OPENAM-25505 | Address feedback and improve documentation for the HOTP Generator and OTP Collector Decision nodes | | OPENAM-25485 | Document new PingID Agent fields on the PingOne Protect Initialize node | | OPENAM-25477 | Document the new SameSite configuration option for Persistent Cookie nodes | | OPENAM-25471 | Document targeted risk policies sent to PingOne | | OPENAM-25465 | Create a migration guide for moving from chains/modules to trees/nodes | | OPENAM-25464 | Deprecation notices for Marketplace versions of PingOne nodes | | OPENAM-25459 | Document the new Set Logout Details node | | OPENAM-25458 | Document Logout Hooks in the Node Developer guide | | OPENAM-25445 | Clarify that attributes collected by the Attribute Collector node must be viewable | | OPENAM-25439, OPENAM-25446 | Clarify next-generation session binding and Node Designer threading | | OPENAM-25430 | Provide an example of using the IDMUser condition with multivalued fields | | OPENAM-25409 | Document additional device context information in the PingOne Protect Evaluation node | | OPENAM-25402 | Document the `Accepted JWT Issuers` OAuth 2.0 client attribute | | OPENAM-25401 | Validate steps for SAML SSO in integrated mode | | OPENAM-24583 | Clarify that a backchannel transaction never results in a DENIED status | | OPENAM-24576 | Correct the state variable name in the Device Binding node | | OPENAM-24540 | Document the private key JWT audience attribute in the social authentication client configuration | | OPENAM-24538 | Document the expiry claim required attribute in the social provider client configuration | | OPENAM-24536 | Document the `Allow same device verification` configuration | | OPENAM-24525 | Note that changing AWS credentials in the Push Notification service requires devices to be re-registered | | OPENAM-24491 | Clarify Node Designer script capabilities | | OPENAM-24438 | Clarify the Scalable Clients setting | | OPENAM-24435 | Note that in FBC deployments, the default Stateless Session AES Encryption Key must be set post-installation | | OPENAM-24399 | Document the new FACIAL\_COMPARISON\_REFERENCE\_SELFIE data type in PingOne Verify Evaluation node metadata | | OPENAM-24396 | Update Authenticator app documentation to reflect PingID as the default supported app | | OPENAM-24395 | Address feedback regarding importing and exporting policies | | OPENAM-24374 | Correct documentation regarding validator classes in the Node Developer guide | | OPENAM-24357 | Fix an error in the documentation for hiddenValueCallback | | OPENAM-24345 | Update the list of supported SNS regions for the Push Notification Service | | OPENAM-24329 | Correct inaccurate documentation for the OIDC ID Token Validator node | | OPENAM-24324, OPENAM-23678 | Address feedback for validating id\_token and identifying users | | OPENAM-24320 | Indicate support for third-party authenticator apps | | OPENAM-24300 | Update AM documentation regarding PKCS12 keystore support | | OPENAM-24296 | Document node state biographic matching in the PingOne Verify Evaluation node | | OPENAM-24236 | Improve Meter node documentation | | OPENAM-24225 | Fully integrate Amster documentation into the AM documentation | | OPENAM-24196, OPENAM-21662 | SAML documentation improvements | | OPENAM-24163 | Update Amster documentation to reflect user store configuration changes | | OPENAM-24158 | Address feedback regarding the ForgeRock Authenticator app | | OPENAM-24151 | OIDC session management improvements | | OPENAM-24094 | Remove product name change notices throughout AM documentation | | OPENAM-24092 | Note that transactional authorization policies are not supported for the JwtClaim subject type | | OPENAM-24070 | Document support for ECDSA in next-generation scripting signing algorithms | | OPENAM-24067, AME-30093 | Add documentation on renaming MFA devices and update the Push diagram | | OPENAM-24036 | Update steps in the Verify Evaluation guide | | OPENAM-24018 | Improve the IdP adapter custom script documentation | | OPENAM-24014 | Fix the encoding for the HTTP Basic Authorization header example | | OPENAM-23997 | Correct the invalid value for the backchannel authentication type parameter | | OPENAM-23982 | Add relevant endpoints to the Auth Nodes guide for node versioning | | OPENAM-23979 | Update Amster documentation for node versioning | | OPENAM-23959 | Fix an error in the default secret alias name | | OPENAM-23955 | Update the Config Provider node for node versioning | | OPENAM-23929 | Note that the Configuration Cache Duration default value should be non-zero | | OPENAM-23921 | Document policy cache properties | | OPENAM-23920 | Clarify requirements for environment conditions and differences from subject conditions | | OPENAM-23907 | Correct the URL in Step 5 of the PingAM Evaluation guide | | OPENAM-23900 | Fix an error in the Success URL node documentation | | OPENAM-23881 | Add AAGUID to transient state and incorporate WebAuthn changes into the release notes | | OPENAM-23874 | Specify that the ForceAuth parameter is case-sensitive | | OPENAM-23872 | Address feedback for /users/user/oauth2/applications | | OPENAM-23861 | Add missing descriptions to the SAML Fedlet reference | | OPENAM-23855 | Update the JDBC Audit log table note regarding VARCHAR limits | | OPENAM-23828 | Correct parameters for the amUpgrade command when migrating to FBC | | OPENAM-23819 | Improve documentation for setting up AM in JBoss and WildFly application containers | | OPENAM-23792 | Fix an issue with the Policy Condition script example | | OPENAM-23755 | Update Retry Limit Decision node documentation | | OPENAM-23746 | Correct the sub value in the mayAct script for delegation | | OPENAM-23735 | Specify where recovery codes are stored for the OATH Registration node | | OPENAM-23714 | Indicate that only one secret can be active for any secret label mapping | | OPENAM-23616 | Clarify that a client secret is not required for OAuth 2.0 client update requests | | OPENAM-23485 | Add information on how the locale is utilized | | OPENAM-23393 | Remove legacy ClientType from Success and Failure redirection URLs | | OPENAM-23281 | Document bindings for the Social IdP Profile transformation script type | | OPENAM-23271 | Update scripted policy condition documentation with a working example | | OPENAM-23263 | Improve the Set Success Details node documentation | | OPENAM-23126 | Correct guidance regarding setSessionProperty | | OPENAM-23113, OPENAM-23123 | Update JWT profile configuration documentation | | OPENAM-22853 | Add a description for Token Endpoint Authentication Method = none | | OPENAM-22849 | Note that the DS rebuild-index command does not include a --useSsl option | | OPENAM-22828 | Document the recommended setting for MaxMetaspaceSize | | OPENAM-22823 | Update Device Profile node documentation | | OPENAM-22576 | Rework Push nodes documentation | | OPENAM-22433 | Add details regarding Page Node limitations | | OPENAM-22173 | Provide additional detail for the httpClient script binding | | OPENAM-22124 | Document outbound connections via proxy | | OPENAM-21858 | Document the fields available for SAML Name ID mapping | | OPENAM-21849 | Install guide: Configure the same key for two AM instances using AES key wrap encryption | | OPENAM-21817 | Update recommendations for the default scripting service denylist | | OPENAM-21779 | Fix errors in legacy OAuth 2.0 endpoint documentation | | OPENAM-21669 | Improve documentation for SAML attribute mapping | | OPENAM-21655 | Update documentation to reflect the correct default setting for HTTP-only cookies | | OPENAM-21638 | Clarify valid values for the default lockout attribute | | OPENAM-21455, OPENAM-20849 | Add information regarding SAML 2.0 algorithms | | OPENAM-21454 | Provide sample SAML metadata files | | OPENAM-19503 | Fix the idRepoClass() method name in CustomIdRepoConfig | | OPENIG-9374 | Add PingGateway instructions and routes for the Microsoft Intune node | | SDKS-3803 | Document error codes and messages for the PingOne Verify Evaluation node | | SDKS-2793 | Add bound devices to the list of upgrade LDIF files | ## AM 8.0.x ### AM 8.0.2 | | | | --------------- | ----------------------------------------------------------------------------------- | | AME-32653 | Document support for PingDirectory as an identity store | | AME-32274 | Restrict `ldapdelete` to just registered applications | | AME-31765 | Add details about thread state to scripting metrics documentation | | AME-31355 | Change in behavior for device authorization grant | | AME-31189 | Update docs after removal of modules and chains from XUI | | AME-30047 | Document Logback Exception Length Configuration | | AME-27064 | Clarify directory settings for failover | | DOCS-9078 | Add use case for AM as Tenemos OIDC identity provider | | DF-552 Feedback | Suspend and resume journeys | | OPENAM-25333 | Update documentation for implicit grant flow | | OPENAM-25318 | Feedback: Identity stores | | OPENAM-24540 | Document private key JWT audience attribute in social auth client configuration | | OPENAM-24438 | Clarify scalable clients setting | | OPENAM-24395 | Address feedback for import and export policies | | OPENAM-24374 | Correct docs for validators in Auth Node dev guide | | OPENAM-24357 | Fix an error in the docs for getting `hiddenValueCallback` | | OPENAM-24320 | Indicate support for other 3rd party authenticator apps | | OPENAM-24300 | Update AM docs regarding PKCS12 keystore support | | OPENAM-24225 | Fully integrate Amster docs into AM docs | | OPENAM-24196 | SAML documentation improvements | | OPENAM-24163 | Update Amster docs to reflect user store configuration changes | | OPENAM-24158 | Address feedback on the ForgeRock Authenticator app | | OPENAM-24151 | OIDC Session management improvements | | OPENAM-24092 | Transactional authorization policies aren't supported for the JwtClaim subject type | | OPENAM-24067 | Add documentation on how to rename MFA devices and update push diagram | | OPENAM-24036 | Verify evaluation guide steps | | OPENAM-24018 | Improve IdP adapter custom script | | OPENAM-24014 | Fix encoding for auth header example | | OPENAM-23997 | Backchannel authentication: Invalid value for type parameter | | OPENAM-23959 | Fix error in default secret alias name | | OPENAM-23920 | Clarify policy environment and subject conditions descriptions | | OPENAM-23907 | Incorrect URL in Step 5 of PingAM Evaluation guide | | OPENAM-23881 | Add missing WebAuthn changes to AM 8.0 release notes | | OPENAM-23874 | Specify that the ForceAuth parameter is case-sensitive | | OPENAM-23861 | Add descriptions to Fedlet reference | | OPENAM-23855 | Add note about VARCHAR limits for JDBC Audit log table | | OPENAM-23828 | Migrate to FBC amUpgrade command has incorrect parameters | | OPENAM-23819 | Improve documentation on setting up AM in JBoss and WildFly application containers | | OPENAM-23792 | Fix issue with Policy Condition script example | | OPENAM-23746 | Incorrect sub value in mayAct script for delegation | | OPENAM-23485 | Add more info on how locale is used | | OPENAM-23393 | Remove legacy ClientType from Success and Failure redirection URLs | | OPENAM-23281 | Document bindings for Social IdP Profile transformation script type | | OPENAM-23126 | Incorrect guidance on setSessionProperty | | OPENAM-23113 | Update section on configuring JWT profile | | OPENAM-22853 | Add description for Token Endpoint Authentication Method = none | | OPENAM-22849 | The DS rebuild-index command doesn't have a `--useSsl` option | | OPENAM-22576 | Update MFA related screenshots | | OPENAM-22173 | Provide more detail for `httpClient` script binding | | OPENAM-22124 | Outbound connection via proxy | | OPENAM-21858 | Document the fields available to SAML Name ID Mapping | | OPENAM-21849 | Configure same key for two AMs using AES key wrap encryption | | OPENAM-21817 | Update recommendation on the default scriptingservice denylist | | OPENAM-21779 | Fixed errors in legacy OAuth 2.0 endpoint docs | | OPENAM-21669 | Improve documentation for SAML attribute mapping | | OPENAM-21655 | Update docs to reflect the correct default setting for HTTP only cookies | | OPENAM-21638 | Clarified the valid values for the default lockout attribute | | OPENAM-21455 | Added more info around SAML 2.0 algorithms | | OPENAM-21454 | Provide sample SAML metadata files | | OPENAM-19503 | Fixed CustomIdRepoConfig idRepoClass() method name | | SDKS-2793 | Add bound devices to list of upgrade LDIF files | ### AM 8.0.1 | | | | ------------ | -------------------------------------------------------------------------- | | AME-31340 | Document ability of Push Notification service to reset device ID | | AME-31138 | Document removal of library scripts from custom scripted nodes | | OPENAM-23714 | Indicate that only one secret can be *active* for any secret label mapping | | OPENAM-23616 | Client secret not required for OAuth 2.0 client update request | ### AM 8.0.0 | | | | --------------------------------------------------- | ----------------------------------------------------------------------------------------------- | | AME-31026 | Deprecate audit event handlers | | AME-30978 | Add the Set Error Details node to nodes list and add details about the acceptException() method | | AME-30936 | Mark legacy monitoring as deprecated | | AME-30901 | Document dynamic client registration scripting | | AME-30890 OPENAM-23637 | Add documentation for No Session Trees and update session text where necessary | | AME-30857 | Config Provider node script enabled for next-generation scripting engine | | AME-30819 | Upgrade instructions for Tomcat 10 | | AME-30789 | Remove SNMP properties from the documentation | | AME-30457 | Document updated TLS Client Certificate Header Format option value | | AME-30442 OPENAM-22904 | Overhaul STS guide - remove SOAP STS and modules and chains | | AME-30393 | Document new next-generation cookieName binding | | AME-30392 | Document next-generation context for policy condition scripts | | AME-30344 | Document DER-formatted certificates for OAuth2 Client authentication | | AME-30333 | Document IDM Environment Condition | | AME-30291 | SAML certificate metadata update | | AME-30249 | Document backchannel authentication | | AME-30229 | Document the Message-Authenticator attribute config for RADIUS servers | | AME-30173 | Update Evaluation guide to use external DS | | AME-30154 | Document prevent use of mustRun trees as realm default | | AME-30046 | Document the Flow Control node | | AME-30026 | Document new next-generation scripting utils.crypto.subtle binding | | AME-29963 AME-30155 | Document OIDC application journeys | | AME-29951 | Document back-channel logout exp claim | | AME-29759 | Document new next-generation script method to get random values | | AME-29757 | Document removal of custom Social IdP UI configuration properties | | AME-29754 | Document new suspend and resume functionality in Scripted Decision node | | AME-29685 | Revise the section about post-authentication tree hooks | | AME-29619 | Add navigation for the new Success Details node | | AME-29538 | Update next-generation scripting documentation with exception handling scenarios | | AME-29511 | Document the WebAuthn metadata service and related secret label for FIDO certification | | AME-29485 | Document `samlApplication` script binding | | AME-29415 | Document the Failure Details node | | AME-29406 AME-29431 | Document new prometheus endpoints | | AME-29326 | Document property to indicate OIDC provider doesn't return unique value for the `sub` claim | | AME-29179 | Document additional Config Provider node options | | AME-29168 | Add section on node security | | AME-29165 | Added "Send an HTTP request" section | | AME-29164 | Update Maintain Authentication nodes | | AME-29163 | Update Plugin Class | | AME-29162 | Update Handle Errors | | AME-29161 AME-29141 | Reorganise node developer guide | | AME-29160 | Update Action Class | | AME-29159 | Update Inject Objects into a node | | AME-29155 | Document new NodeState merge state methods | | AME-29133 | Config Interface @Attribute Improvements | | AME-29132 | Node Metadata Improvements | | AME-29131 | Node Class Improvements | | AME-29129 AME-29127 AME-29130 | Updates to nodes 'Prepare for development' page | | AME-29072 | Document change in behavior for self-signed root CA provided in WebAuthN attestation | | AME-28883 | Document grace period for client-side sessions in one-to-one storage scheme | | AME-28726 | Documentation for custom LINE OIDC config | | AME-28682 | Outdated options in DS command-line examples | | AME-28614 | Documentation of fix for validateJwtClaims failing when using a RS256 Alg signature | | AME-28596 | Document add entity configuration to enable journey association | | AME-28322 | Document new scripting monitoring metrics | | AME-28264 | Document new advanced server property for configurable ID token clock skew time | | AME-28256 | Document configure journey to always run to completion | | AME-28057 | Document Distributed Tracing | | AME-27982 | Add Customize account lockout message example from KB | | AME-27965 | Add KB content from How do I add a roles claim to the OIDC Claims Script in AM? | | AME-27964 | Add KB content from How do I add a session property claim to the OIDC Claims Script? | | AME-27963 | Adding salient info from How do I add custom claims to the OIDC Claims Script in AM? | | AME-27962 | Add content from How do I override claims in the OIDC ID token in Identity Cloud or AM? | | AME-27953 | Documentation for enabling mTLS for HTTP Client script binding | | AME-27930 | Docs on preparing a truststore should use DS 7.x security model | | AME-27878 | Document customizing SAML NameID with a script | | AME-27846 | Document the addition of encodeURI form body for `httpClient` | | AME-27845 | Document the Scripted Decision node access to `context.request.cookies` | | AME-27844 | Document new functions added to ActionWrapper next-generation script binding | | AME-27843 | Document rotation of the http proxy password without server restart | | AME-27841 | Document availability of utility classes in library scripts | | AME-27840 | Documentation for new utility class script bindings | | AME-27838 | Document `secrets` binding for all next-generation scripts | | AME-27834 | Client certificate in SP metadata is configurable | | AME-27774 AME-27792 | Document audit logging changes for trees | | AME-27726 | Add more information for activity audit log events | | AME-27697 | Document jwtAssertion and jwtValidator next-generation scripting improvements | | AME-27609 | Document renaming of OAuth2 Client ID Token Public Encryption Key property | | DOCS-7931 | Rename ForgeRock SDKs to Ping SDKs | | OPENAM-28565 | Add note to docs about reserved binding names | | OPENAM-23662 | Document the Amster Jwt Decision node | | OPENAM-23660 | Update docs to include info on default trees that exist in AM 8 | | OPENAM-23620 | Update REST version messages | | OPENAM-23558 | Provide more info on the am\_authentication\_count metric | | OPENAM-23549 | Error in documentation on scope validation | | OPENAM-23547 | Remove deprecated openam-legacy-debug-slf4j module from docs | | OPENAM-23513 | Update supported directory stores | | OPENAM-23463 | Docs for Journey Timeout settings for authenticated sessions | | OPENAM-23461 | Docs for Journey Timeout settings for pre-authentication sessions | | OPENAM-23411 | Document changes to default denylist poll interval | | OPENAM-23410 | Document changes to mergeShared and mergeTransient nodeState methods | | OPENAM-23407 | Updated Localize AM section to make it clearer that you have to download the UI first | | OPENAM-23362 | Success Redirect order is incorrect | | OPENAM-23278 | Clarify docs on CTS token types | | OPENAM-23277 | Update Amster upgrade section to include 7.5 | | OPENAM-23188 | Correct steps for accessing am-external in auth node developer guide | | OPENAM-23171 | Errors in SAML 2.0 profile OAuth 2 Grant docs | | OPENAM-23104 | authLib script context missing from docs | | OPENAM-23081 | Document improvements to transactional authorization | | OPENAM-23078 | Update steps for letting DS manage CTS tokens | | OPENAM-23066 | Update amr claims section to use OIDC claims script instead of module mapping | | OPENAM-23036 | Incorrect example used in Configure scr claims | | OPENAM-23005 | Add section on creating trees using REST | | OPENAM-22887- 22906 | Remove deprecated modules and chains from the documentation | | OPENAM-22899 | Add notes to the Radius guide about reenabling modules and chains | | OPENAM-22878 | Document the settings for OCSP verification | | OPENAM-22871 | Wrong default value for `STS Instance is running as remote instance` | | OPENAM-22841 | Document new OIDC LinkedIn social identity provider configuration | | OPENAM-22813 | Remove AM 6.x references including for supported upgrades | | OPENAM-22741 | Adding missing step in "Configure amr claims" procedure | | OPENAM-22641 | Corrected token terminology per feedback | | OPENAM-22635 | Rework pruning CTS tokens | | OPENAM-22607 | Link to DS docs for appropriate tuning info | | OPENAM-22549 | Add references for Set State node | | OPENAM-22525 | Add HSM support info from KB | | OPENAM-22515 | Document Logout Webhook key WebhookEventType | | OPENAM-22417 | Add link to max length property for goTo URL | | OPENAM-22385 | Document default values for Session properties | | OPENAM-22356 | Include a more useful link in Release Notes for custom auth node secrets enablement | | OPENAM-22343 | Document method return types for the script binding | | OPENAM-22339 | Provide example `systemd` script for AM | | OPENAM-22327 | Remove mention of Internet Explorer from AM docs | | OPENAM-22254 | Update browser support table for WebAuthn | | OPENAM-22157 | Clarify version support in upgrade instructions | | OPENAM-22152 | Additional information required in token exchange impersonation | | OPENAM-22100 OPENAM-22049 OPENAM-22885 OPENAM-21325 | Various improvements to upgrading servers section | | OPENAM-22099 | Remove misleading information about unsupported custom callbacks | | OPENAM-22045 | Corrected default log level | | OPENAM-21935 | Document the maximum JWT token liftime accepted by AM | | OPENAM-21907 | Added a tip to the setup guide for finding server and site IDs | | OPENAM-21857 | Document security hardening for UMA confusable homoglyphs | | OPENAM-21763 | Update terminology around "sessions" to use authenticated and pre-authentication | | OPENAM-21763 | Changed pre-authentication session terminology to journey session | | OPENAM-21744 | Removed incorrect statement about invalidating client-side auth session | | OPENAM-21591 | Document `checkIssuerForIdTokenInfo` advanced server property | | OPENAM-20673 | Clarify device reset with WebAuthn | | OPENAM-20591 | Prevent ClassNotFoundException when removing `click-*` jars | | OPENAM-19899 | Remove all instances of /UI/login | | OPENAM-19575 | Check algorithm statement for `/oauth2/connect/jwk_uri` | | OPENAM-19533 | Remove unnecessary images from installation steps | | OPENAM-19395 | Distinguish between general mail server and self-service mail service | | SDKS-3759 | Added `verifyTransactionsHelper` script binding docs from AIC | | SDKS-3173 | The PingOne Worker service requires a configured OAuth2 provider service | | SDKS-2959 | Document PingOne Protect-related callbacks | | SDKS-2953 | Document PingOne Worker service | | SDKS-2864 | Adding new nodes to catalog page in AM | | SDKS-2861 | Add PingOne Protect nodes to the list of nodes | ## AM 7.5.x ### AM 7.5.2 > **Collapse: AM 7.5.2** > > | | | > | ------------ | ------------------------------------------------------------------------------------- | > | AME-32653 | Document support for PingDirectory as an identity store | > | OPENAM-24374 | Correct docs for validators in Auth Node dev guide | > | OPENAM-24320 | Indicate support for other third-party authenticator apps | > | OPENAM-24300 | Update AM docs regarding PKCS12 keystore support | > | OPENAM-24225 | Fully integrate Amster docs into AM docs | > | OPENAM-24196 | SAML documentation improvements | > | OPENAM-24158 | Address feedback on the ForgeRock Authenticator app | > | OPENAM-24092 | Transactional authorization policies aren't supported for the JwtClaim subject type | > | OPENAM-24067 | Created a single drawio.png which includes the vector | > | OPENAM-24067 | Add documentation on how to rename MFA devices & update push diagram | > | OPENAM-24018 | Improve IdP adapter custom script | > | OPENAM-24014 | Fix encoding for auth header example | > | OPENAM-23959 | Fix error in default secret alias name | > | OPENAM-23920 | Clarify requirements for environment condition and difference from subject condition | > | OPENAM-23855 | JDBC Audit log table note about VARCHAR limits | > | OPENAM-23746 | Incorrect `sub` value in mayAct script for delegation | > | OPENAM-23714 | Indicate only one secret can be *active* for any secret label mapping | > | OPENAM-23638 | Fix DATA\_STORE setting for silent install should be dirServer | > | OPENAM-23620 | Update docs for error logging in Rest API | > | OPENAM-23616 | Client secret not required for OAuth 2.0 client update request | > | OPENAM-23549 | Error in documentation on scope validation | > | OPENAM-23485 | Add more info on how locale is used | > | OPENAM-23407 | Updated Localize AM section to make it clearer that you have to download the UI first | > | OPENAM-23394 | Clarify usage of FBC at install time | > | OPENAM-23362 | Success redirect order is incorrect | > | OPENAM-23359 | Added note about FBC not being supported | > | OPENAM-23281 | Document bindings for Social IdP Profile transformation script type | > | OPENAM-23126 | Incorrect guidance on setSessionProperty | > | OPENAM-22853 | Add description for Token Endpoint Authentication Method is none | > | OPENAM-22849 | The DS rebuild-index command doesn't have a `--useSsl` option | > | OPENAM-22576 | Updating links for the push auth nodes | > | OPENAM-22576 | Update MFA related screenshots | > | OPENAM-22173 | Provide more detail for `httpClient` script binding | > | OPENAM-22100 | Improvements to upgrading servers section | > | OPENAM-21858 | Document the fields available for SAML Name ID Mapping | > | OPENAM-21849 | Configure same key for two AMs using AES | > | OPENAM-21779 | Fixed errors in legacy OAuth 2.0 endpoint docs | > | OPENAM-21744 | Removed an incorrect statement about invalidating the client-side auth session | > | OPENAM-21655 | Updated docs to reflect correct default setting for HTTP only cookies | > | OPENAM-21638 | Clarified the valid values for the default lockout attribute | > | OPENAM-21455 | Added more info around SAML 2.0 algorithms | > | OPENAM-21454 | Provide sample SAML metadata files | > | OPENAM-21452 | Made AES Keywrap note specific to SOAP STS | > | OPENAM-20974 | Update path to incremental upgrade for amUpgrade tool | > | OPENAM-19503 | Fixed CustomIdRepoConfig `idRepoClass` method name | > | SDKS-2793 | Add bound devices to list of upgrade LDIF files | ### AM 7.5.1 > **Collapse: AM 7.5.1** > > | | | > | ------------- | --------------------------------------------------------------------------------------------------- | > | AME-29538 | Update next-generation scripting documentation with exception handling scenarios | > | AME-28883 | Add info from KB about different token types in the CTS | > | AME-28766 | Documentation for new utility class script binding | > | AME-28682 | Update options in DS command-line examples | > | AME-27982 | Add customize account lockout message example from Knowledge Base | > | AME-27930 | Documentation on preparing a truststore should use DS 7.x security model | > | AME-27726 | Add more information for activity audit log events | > | AME-22545 | `com.sun.identity.sm.filebased_embedded_enabled` must be set to false after migration | > | AMAGENTS-6487 | Update info about web agent and session cookie name in line with changes to web agent docs | > | FRAAS-20042 | Add content from How do I check what MFA devices are registered to a user in Identity Cloud and AM? | > | OPENAM-23277 | Update Amster upgrade section to include 7.5 | > | OPENAM-23188 | Correct steps for accessing `am-external` in auth node developer guide | > | OPENAM-23078 | Update steps for letting DS manage CTS tokens | > | OPENAM-23005 | Add section on creating trees using REST | > | OPENAM-22972 | Request to add a statement on async in doc | > | OPENAM-22931 | Two callbacks are incorrectly named in the documentation | > | OPENAM-22871 | Wrong default value for `STS instance is running as remote instance` | > | OPENAM-22741 | Add missing step in "Configure amr claims" procedure | > | OPENAM-22641 | Correct token terminology per feedback | > | OPENAM-22635 | Rework pruning CTS tokens | > | OPENAM-22607 | Link to DS docs for appropriate tuning info | > | OPENAM-22515 | Document Logout Webhook key WebhookEventType | > | OPENAM-22356 | Include a more useful link in Release Notes for custom auth node secrets enablement | > | OPENAM-22343 | Document method return types for the script binding | > | OPENAM-22339 | Provide example systemd script for AM | > | OPENAM-22327 | Remove mention of Internet Explorer from AM documentation | > | OPENAM-22254 | Update browser support table for WebAuthn | > | OPENAM-22157 | Clarify version support in upgrade instructions | > | OPENAM-22099 | Remove misleading information about unsupported custom callbacks | > | OPENAM-22045 | Correct default log level | > | OPENAM-21935 | Document the maximum JWT token lifetime accepted by AM | > | OPENAM-21907 | Added a tip to the Setup guide for finding server and site IDs | > | OPENAM-21778 | Error in documentation on modifying access tokens | > | OPENAM-20673 | Clarify device reset with WebAuthn | > | OPENAM-20591 | Prevent ClassNotFoundException when removing click-\* jars | > | OPENAM-19899 | Remove all instances of /UI/login | > | OPENAM-19575 | Check algorithm statement for /oauth2/connect/jwk\_uri | > | OPENAM-19533 | Remove unnecessary images from installation steps | > | OPENAM-19395 | Distinguish between general mail server and self-service mail service | > | SDKS-3173 | The PingOne Worker service requires a configured OAuth 2.0 provider service | > | SDKS-2861 | Add PingOne Protect nodes to the list of nodes | ### AM 7.5.0 > **Collapse: AM 7.5.0** > > | | | > | ------------ | ---------------------------------------------------------------------------------------------- | > | OPENAM-22207 | List HiddenValueCallback as interactive not read-only | > | OPENAM-22098 | Additional information required in JWT validation example | > | OPENAM-22065 | Fix Knowledge Base link in documentation | > | OPENAM-22061 | The Get Session Data Node updates the objectAttributes | > | OPENAM-21964 | Update and align documentation for secret default mappings | > | OPENAM-21914 | Clarify deprecation and replacement of shared and transient state bindings | > | OPENAM-21900 | The Identify Existing User Node updates the shared state username | > | OPENAM-21885 | Clarify statement on realms in the API Explorer docs | > | OPENAM-21882 | Document minimum OTP length for HOTP Generator node | > | OPENAM-21851 | Clarify use of setting for the IdP | > | OPENAM-21801 | Next generation scripting: Update nodeState.getObject | > | OPENAM-21798 | Next generation scripting: Document "get" wrapper functions | > | OPENAM-21759 | Clarify use of Java class allowlisting in next-generation scripting | > | OPENAM-21754 | Add warning to library scrips about use of third party libraries | > | OPENAM-21723 | Attribute Present Decision node: Add note about case-sensitivity | > | OPENAM-21711 | Incorrect `acr_values` step in Backchannel request grant | > | OPENAM-21706 | Policy evaluation will succeed for failed transactional authorization under certain conditions | > | OPENAM-21699 | Fix example for authenticating to specific services | > | OPENAM-21696 | Add a note to the Set Custom Cookie node docs around host vs domain cookies | > | OPENAM-21670 | Setup guide: Check and update link to affinity load balancing | > | OPENAM-21667 | Sessions guide: Set JWT token expiry if you update max session TTL | > | OPENAM-21622 | Retry limit decision node: Wrong shared state property name | > | OPENAM-21620 | Node development: Improve and correct Node class documentation | > | OPENAM-21603 | Missing spaces in catalina opts example prevents tomcat starting | > | OPENAM-21504 | List Prometheus output with better description | > | OPENAM-21418 | Fix numbering in JWT profile sequence diagram | > | OPENAM-21413 | Sample script in SAML docs does not work | > | OPENAM-21344 | Update profile data scripting examples with try-catch blocks | > | OPENAM-20906 | Artifact changes in AM 7.3 are not documented in Release Notes | > | OPENAM-20752 | OAuth2 scripted policy condition variables needs updating | > | OPENAM-20522 | State in docs that Sector Identifier URI is needed for Pairwise OAuth2Client profile | > | OPENAM-20349 | Add detail to the Device Match node docs | > | OPENAM-19204 | Customer cannot rely on Transient Node data for WebAuthN Authentication Node | > | OPENAM-18095 | Update documentation with all available audit log fields | ## AM 7.4.x ### AM 7.4.2 > **Collapse: AM 7.4.2** > > | | | > | --------------------------------------------------- | ------------------------------------------------------------------------------------- | > | AME-29951 | Document back-channel logout `exp` claim | > | AME-29538 | Update next-generation scripting documentation with exception handling scenarios | > | AME-27726 | Add more information for activity audit log events | > | AME-27697 | Document `jwtAssertion` and `jwtValidator` next-generation scripting improvements | > | AME-27432 | SAML Artifact flow fails when running AM with JRE 17 | > | AME-22545 | `com.sun.identity.sm.filebased_embedded_enabled` must be set to false after migration | > | OPENAM-23394 | Clarify usage of FBC at install time | > | OPENAM-23362 | Success redirect order is incorrect | > | OPENAM-23359 | Added note about FBC not being supported | > | OPENAM-23188 | Correct steps for accessing am-external in node developer guide | > | OPENAM-23078 | Update steps for letting DS manage CTS tokens | > | OPENAM-22972 | Request to add a statement on async in doc | > | OPENAM-22871 | Wrong default value for `STS instance is running as remote instance` | > | OPENAM-22741 | Adding missing step in "Configure amr claims" procedure | > | OPENAM-22635 | Procedure for enabling the AM reaper is incorrect | > | OPENAM-22515 | Document Logout Webhook key WebhookEventType | > | OPENAM-22327 | Remove mention of Internet Explorer from AM docs | > | OPENAM-22254 | Update browser support table for WebAuthn | > | OPENAM-22207 | List HiddenValueCallback as interactive not read-only | > | OPENAM-22157 | Clarify version support in upgrade instructions | > | OPENAM-22100 OPENAM-22049 OPENAM-22885 OPENAM-21325 | Improvements to upgrading servers section | > | OPENAM-22099 | Remove misleading information about unsupported custom callbacks | > | OPENAM-22045 | Corrected default log level | > | OPENAM-21935 | Document the maximum JWT token liftime accepted by AM | > | OPENAM-21907 | Added a tip to the setup guide for finding server and site IDs | > | OPENAM-21744 | Removed an incorrect statement about invalidating client-side auth session | > | OPENAM-21650 | Updated base DN for AM configuration data | > | OPENAM-21165 | Request for a sample script to be added to the docs | > | OPENAM-20673 | Clarify device reset with WebAuthn | > | OPENAM-20591 | Prevent ClassNotFoundException when removing click-\* jars | > | OPENAM-19899 | Remove all instances of /UI/login | > | OPENAM-19575 | OIDC guide feedback: Check algorithm statement for `/oauth2/connect/jwk_uri` | > | OPENAM-19533 | Remove unnecessary images from install steps | > | OPENAM-19395 | Distinguish between general mail server and self-service mail service | ### AM 7.4.1 > **Collapse: AM 7.4.1** > > | | | > | ------------ | ----------------------------------------------------------------------------------- | > | AME-27930 | Prepare truststore should use 7.x DS security model | > | AME-27531 | Incorrect description for Scripting Engine configuration for Thread pool queue size | > | AME-25385 | Document the HTTP client asynchronous feature | > | OPENAM-22635 | Procedure for enabling the AM reaper is incorrect | > | OPENAM-22207 | List HiddenValueCallback as interactive not read-only | > | OPENAM-22099 | Remove misleading information about unsupported custom callbacks | > | OPENAM-22098 | Additional information required in JWT validation example | > | OPENAM-22066 | Document Social Provider Handler node `nodeState` updates | > | OPENAM-22065 | Fix Knowledge Base link in documentation | > | OPENAM-21914 | Clarify deprecation and replacement of shared and transient state bindings | > | OPENAM-21851 | Clarify use of `Single SignOn Service` setting for the IdP | > | OPENAM-21801 | Next generation scripting: Update `nodeState.getObject` | > | OPENAM-21798 | Next generation scripting: Document "get" wrapper functions | > | OPENAM-21754 | Add warning to library scrips about use of third party libraries | > | OPENAM-21699 | Fix example for authenticating to specific services | > | OPENAM-21696 | Add a note to the Set Custom Cookie node docs around host vs domain cookies | > | OPENAM-21667 | Sessions guide: Set JWT token expiry if you update max session TTL | > | OPENAM-21666 | Security guide: Byte and MB values of request body limit don't match | > | OPENAM-21620 | Node development: Improve and correct Node class documentation | > | OPENAM-21603 | Missing spaces in catalina opts example prevents tomcat starting | > | OPENAM-21457 | Clarify where the Failure node routes a user | > | OPENAM-21419 | Security guide: Attach Java examples for custom secret stores | > | OPENAM-21413 | Fix sample script in SAML docs | > | OPENAM-21344 | Update profile data scripting examples with try-catch blocks | > | OPENAM-20752 | OAuth 2.0 scripted policy condition variables need updating | > | OPENAM-20522 | State that Sector Identifier URI is needed for Pairwise OAuth2Client profile | > | OPENAM-18598 | Clarify account linking in Social Provider Handler Node documentation | > | OPENAM-18095 | List all usable audit log attributes | ### AM 7.4.0 > **Collapse: AM 7.4.0** > > | | > | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | > | Corrected name of `SSOResponse` binding in SAML SP adapter sample script | > | Added links to Knowledge Base articles about restricting access to endpoints | > | Updated social identity provider [configuration reference](https://docs.pingidentity.com/pingam/7.4/authentication-guide/social-idp-client-reference.html) with more information about transformation scripts and added realm to redirect URL example | > | Provided more detail about [audit log events](https://docs.pingidentity.com/pingam/7.4/security-guide/sec-maint-audit-ref.html) | > | Corrected error in WDSSO REST call in Authentication guide | > | Note added about a `SESSION_BLACKLIST` token that exists for client-side authentication sessions | > | Clarified documentation for the [OIDC user info plugin](https://docs.pingidentity.com/pingam/7.4/oauth2-guide/plugins-user-info-claims.html) that the `/userinfo` retrieves claims from the `profile` scope only | > | Added explanation for audit filtering example in the Security guide | > | Amended wording describing the Amster version used for upgrading exported configuration | > | Updated instructions to [download the UI source](https://docs.pingidentity.com/pingam/7.4/ui-customization-guide/downloading-ui.html) | > | Documented changes to the OAuth 2.0 [device authorization grant](https://docs.pingidentity.com/pingam/7.4/oauth2-guide/oauth2-device-flow-pkce.html) | > | Updated format of scripting logger names | > | Fixed error in [Device Profile Collector node](https://docs.pingidentity.com/auth-node-ref/8.1/device-profile-collector.html) documentation | > | Clarified information around tuning the CTS connection pool | > | Added note to caution that a certificate must exist in the keystore before [mapping secrets to that keystore](https://docs.pingidentity.com/pingam/7.4/security-guide/configuring-keys.html#create-signing-keys-new-keystore) | > | Removed references to unsupported CoreWrapper API from the documentation | > | Improved the information about the bindings available to OAuth 2.0 scripted extensions | > | Added more information for the following authentication nodes- [Configuration Provider node](https://docs.pingidentity.com/auth-node-ref/8.1/config-provider.html) > > - [Data Store Decision node](https://docs.pingidentity.com/auth-node-ref/8.1/data-store-decision.html) > > - [Email Suspend node](https://docs.pingidentity.com/auth-node-ref/8.1/email-suspend.html) > > - [Email Template node](https://docs.pingidentity.com/auth-node-ref/8.1/email-template.html) > > - [Message node](https://docs.pingidentity.com/auth-node-ref/8.1/message.html) > > - [Platform Username node](https://docs.pingidentity.com/auth-node-ref/8.1/platform-username.html) > > - [Push Sender node](https://docs.pingidentity.com/auth-node-ref/8.1/push-sender.html) > > - [Zero Page Login Collector node](https://docs.pingidentity.com/auth-node-ref/8.1/zero-page-login-collector.html) | > | Corrected information about storing device data in shared state for [OATH Registration node](https://docs.pingidentity.com/auth-node-ref/8.1/oath-registration.html) | > | Updated Node development documentation with a note that [OTP Email Sender node](https://docs.pingidentity.com/auth-node-ref/8.1/otp-email-sender.html) supports plain text notifications only | > | Added note to advise installers and upgraders to remove `web.xml` entry to prevent a click-servlet exception | > | Documented the new `org.forgerock.openam.ldap.secure.protocol.version` [advanced property](https://docs.pingidentity.com/pingam/7.4/reference/deployment-configuration-reference.html#org.forgerock.openam.ldap.secure.protocol.version) for defining the protocols AM uses to connect to a secure LDAP server | > | Added new REST STS configuration property, `STS Instance is running as remote instance`. For details, refer to [REST STS configuration](https://docs.pingidentity.com/pingam/7.4/sts-guide/sts-configure-rest-properties.html#sts-remote) | > | Updated [Authentication guide](https://docs.pingidentity.com/pingam/7.4/authentication-guide/about-authentication-modules-and-chains.html) with links to WS-Federation implementation steps in Knowledge Base | > | Clarified supported claims when requesting policy decisions | > | Added a table to list the certificates used in SAML 2.0 flows with their corresponding secret mappings. For details, refer to [Certificates and secrets](https://docs.pingidentity.com/pingam/7.4/saml2-guide/saml2-encryption.html#certificates-and-secrets) | > | Clarified the steps to remove an AM instance in the installation guide | > | Added the default path for audit logs on Windows | > | Added a note about adding urls to Valid WReply List to ensure successful WS-Federation sign-on flow | > | Added Inner Tree Node capabilities and restrictions | > | Corrected an error in the deployment diagram. Refer to [Example deployment topology](https://docs.pingidentity.com/pingam/7.4/deployment-planning-guide/deploy-topologies-onprem.html) | > | Updated module information to refer readers to Knowledge Base articles about certificate authentication | > | Fixed a documentation error relating to OAuth 2.0 email service [configuration values](https://docs.pingidentity.com/pingam/7.4/user-self-service-guide/configuring-email-service.html) | > | Documented authentication session state management scheme differences and concerns. For details, refer to [Server-side sessions](https://docs.pingidentity.com/pingam/7.4/sessions-guide/cts-based-sessions.html) and [Client-side sessions](https://docs.pingidentity.com/pingam/7.4/sessions-guide/client-based-sessions.html) | > | Updated instructions for setting CATALINA\_OPTS on Windows | > | Documented the setting to configure the rotatable amadmin secret cache expiry time. Refer to [`org.forgerock.openam.secrets.special.user.secret.refresh.seconds`](https://docs.pingidentity.com/pingam/7.4/reference/deployment-configuration-reference.html#server-advanced.html#secrets.special.user.secret.refresh.seconds) | > | Documented the new `Enabled` setting for external data stores |