---
title: New in AM 8.0.x
description: AM 8.0.2 is a maintenance release that introduces functional enhancements and fixes.
component: pingam
version: release-notes
page_id: pingam::whats-new-8.0
canonical_url: https://docs.pingidentity.com/pingam/release-notes/whats-new-8.0.html
section_ids:
  am_8_0_2: AM 8.0.2
  fips-compliance-8: FIPS compliance
  new-private-key-jwt-aud: Private key JWT audience setting
  map-custom-kids-8: Mapping custom key IDs to secrets
  alignment-with-par-and-jar-specs-8: Closer alignment with PAR and JAR specifications
  pd-ldifs: PingDirectory LDIFs
  am_8_0_1: AM 8.0.1
  new-refresh-device-ids: Ability to refresh device IDs
  am_8_0_0: AM 8.0.0
  fbc-in-product: FBC in production deployments
  node-designer: Node Designer
  new-scripted-dcr: Dynamic client registration script
  new-der-certs-for-oauth-clients: Support for DER-formatted certificates for OAuth 2.0 client authentication
  new-radius-property: RADIUS server configuration update
  new-idm-policy-condition: IDM policy condition
  new-backchannel-auth: Backchannel authentication
  new-fido-certified: FIDO certification
  webauthn_metadata_service: WebAuthn Metadata service
  webauthn_nodes: WebAuthn nodes
  device_profile_settings: Device profile settings
  new-distributed-tracing: Ability to trace the request flow through Ping Advanced Identity Software
  new-transaction-auth-api: Improved REST API for transactional authorization
  new-pem-certs-on-cert-collector-node: Certificate Collector node supports DER certificates
  new-oauthapp-journeys: OAuth 2.0 application journeys
  new-samlapp-journeys: SAML 2.0 application journeys
  new-saml-custom-nameid: Customize SAML NameID mapping with a script
  new-httpclient-service: Http Client service
  default-trees: Default trees
  new-config-mustrun: Configure trees to run to completion
  nosession-trees: Configure no session trees
  session-duration-timeouts: Session duration and timeout control
  new-social-provider-line: LINE login support
  new-script-binding-improvements-8: Next-generation script bindings
  common_bindings: Common bindings
  scripted_decision_node_bindings: Scripted decision node bindings
  library_scripts: Library scripts
  next_generation_script_types: Next-generation script types
  access_pingone_verify_transaction_data: Access PingOne Verify transaction data
  new-enable-device-mgmt-node: Enable Device Management node
  new-flow-control-node: Flow Control node
  json-response-authentication: Customize the JSON in the authentication response
  set_success_details_node: Set Success Details node
  set_failure_details_node: Set Failure Details node
  set_error_details_node: Set Error Details node
  new-idtoken-clock-skew: Configurable clock skew for OIDC ID token expiry time
  new-update-cert-sp-metadata: Update signing certificate in remote SP metadata
  new-exclude-cert-sp-metadata: Configure client certificate in SP metadata
  refresh-token-changes: Changes to refresh tokens
  consistent-errors-refreshing-tokens: Consistent errors when refreshing tokens
  refresh-token-grace-period: Refresh token grace period
  config-provider-improvements: Configuration Provider node
  backchannel_logout_token_contains_exp_claim: Backchannel logout token contains exp claim
  new_ssoadm_commands_update_attributes_in_a_realm_service: New ssoadm commands update attributes in a realm service
  system_property_for_social_provider_sub_claim_uniqueness: System property for social provider sub claim uniqueness
---

# New in AM 8.0.x

## AM 8.0.2

AM 8.0.2 is a maintenance release that introduces functional enhancements and fixes.

### FIPS compliance

AM can be configured to run in a FIPS-approved mode of operation with Bouncy Castle FIPS keystores to comply with [FIPS 140-3](https://csrc.nist.gov/pubs/fips/140-3/final).

Find more information in [FIPS 140–3 compliance](https://docs.pingidentity.com/pingam/8/security/fips.html).

### Private key JWT audience setting

You can now configure the audience of the private key JWT when performing social authentication using an OIDC provider.

You can find more information in the [Social identity provider client configuration](https://docs.pingidentity.com/pingam/8/am-authentication/social-idp-client-reference.html).

### Mapping custom key IDs to secrets

You can now map custom `kid` header values for JWTs signed with the signing key to a specific secret alias.

Find more information in [Map custom key IDs to secrets](https://docs.pingidentity.com/pingam/8/am-oidc1/managing-jwk_uri.html#map-custom-kids).

### Closer alignment with PAR and JAR specifications

A new advanced server property, [`am.oauth2.request.object.restrictions.enforced`](https://docs.pingidentity.com/pingam/8/am-reference/deployment-configuration-reference.html#am.oauth2.request.object.restrictions.enforced) aligns AM behavior with the following specifications:

* OAuth 2.0 Pushed Authorization Requests (PAR) ([RFC 9126](https://www.rfc-editor.org/rfc/rfc9126.html))

* OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR) ([RFC 9101](https://www.rfc-editor.org/rfc/rfc9101.html#section-5.2)).

When the property is enabled, AM follows these requirements from the specifications:

* The authorization server acts only on the parameters carried in the `request_uri` (the pushed request or the request object) and ignores authorization request parameters sent outside it, so a caller cannot widen the request by appending parameters to the query string.

* When sending a JWT-Secured Authorization Request (JAR) by reference, the `request_uri` *must* be an `https` URI.
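
The following Python model, added here for illustration and not taken from AM's code, shows what the two rules amount to when an authorization server processes `/authorize`. The request store, client ID, URIs and the lenient branch are constructed for the example; treating a PAR-issued `urn:ietf:params:oauth:request_uri:` value as the one kind of reference that is not an `https` URI follows RFC 9126 rather than anything stated above.

```python
from urllib.parse import urlparse

# Prefix of request_uri values minted by a PAR endpoint (RFC 9126, section 2.2).
PAR_URN_PREFIX = "urn:ietf:params:oauth:request_uri:"

# Constructed stand-ins for the server's PAR store and for request objects the
# server would fetch by reference. Client ID, URIs and values are illustrative.
_REFERENCED = {
    "client_id": "s6BhdRkqt3",
    "response_type": "code",
    "redirect_uri": "https://client.example.org/cb",
    "scope": "openid",
}
PUSHED_REQUESTS = {PAR_URN_PREFIX + "6esc_11ACC5bwc014ltc14eY22c": _REFERENCED}
REQUEST_OBJECTS = {
    "https://client.example.org/request.jwt": _REFERENCED,
    "http://client.example.org/request.jwt": _REFERENCED,
}


class AuthorizeError(Exception):
    """An OAuth 2.0 error code plus a reason for the log."""

    def __init__(self, code, reason):
        super().__init__(f"{code}: {reason}")
        self.code = code


def resolve_request_uri(request_uri, enforce):
    """Return the parameters that request_uri refers to.

    PAR-issued URNs are looked up in the server's own store; any other value
    is a JAR reference, which must be an https URI when enforcement is on.
    """
    if request_uri.startswith(PAR_URN_PREFIX):
        params = PUSHED_REQUESTS.get(request_uri)
        if params is None:
            raise AuthorizeError("invalid_request_uri", "unknown or expired PAR request_uri")
        return params
    if enforce and urlparse(request_uri).scheme != "https":
        raise AuthorizeError("invalid_request_uri", "request_uri must be an https URI")
    params = REQUEST_OBJECTS.get(request_uri)
    if params is None:
        raise AuthorizeError("invalid_request_uri", "request object could not be retrieved")
    return params


def effective_authorize_params(query, enforce=True):
    """Compute the parameters the authorization endpoint acts on.

    query:   the /authorize query string as a dict
    enforce: models am.oauth2.request.object.restrictions.enforced=true.
             The lenient branch is a conventional merge, shown only for
             contrast; it is not a description of earlier AM behavior.
    """
    request_uri = query.get("request_uri")
    if request_uri is None:
        return dict(query)  # plain authorization request, nothing to resolve
    referenced = resolve_request_uri(request_uri, enforce)
    if enforce:
        # client_id may accompany request_uri but must agree with it; every
        # other query parameter is ignored, so a caller cannot widen scope or
        # swap redirect_uri by appending parameters to the URL.
        client_id = query.get("client_id")
        if client_id is not None and client_id != referenced["client_id"]:
            raise AuthorizeError("invalid_request", "client_id does not match the referenced request")
        return dict(referenced)
    merged = {k: v for k, v in query.items() if k != "request_uri"}
    merged.update(referenced)  # referenced values win, extra query params survive
    return merged
```

The contrast worth noticing is the `prompt` or `scope` parameter a caller appends next to `request_uri`: in the enforced branch it never reaches the grant, in the lenient branch it does unless the referenced request happens to override it.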

### PingDirectory LDIFs

LDIF files are now available for PingDirectory, which can be used to create the schemas required by AM.

Learn more in [Set up directory schemas with LDIF](https://docs.pingidentity.com/pingam/8/installation/supported-ldifs.html).

## AM 8.0.1

AM 8.0.1 is a maintenance release that introduces functional enhancements and fixes.

### Ability to refresh device IDs

The Push Notification service and the Ping SDKs now support the ability to refresh device IDs in user device profiles, rather than having to delete and recreate device profiles when a device ID changes.

You can find more information in [Refresh push device IDs](https://docs.pingidentity.com/pingam/8/authentication-guide/authn-mfa-reset-devices.html#refresh-push-device-ids).

## AM 8.0.0

AM 8.0.0 is a major release that introduces new features, functional enhancements, and fixes.

> AM 8 introduces many new features and changes, but some key changes to be aware of are:
>
> * Tomcat 10 is the only supported Tomcat version.
>
> * Authentication modules and chains have been removed.
>
> * Embedded DS has been removed.
>
> Make sure you review [Incompatible changes](changes.html) and [Removed](removed.html) in addition to this section before upgrading.

### FBC in production deployments

Previous versions of AM provided a technology preview of the file-based configuration (FBC) migration utility.

In AM 8, FBC is supported in production deployments.

Learn more in the following topics:

* [Store configuration data in JSON files](https://docs.pingidentity.com/pingam/8/install-guide/fbc.html)

* [Passive install with FBC](https://docs.pingidentity.com/pingam/8/install-guide/passive-install-fbc.html)

* [Migrate to file-based configuration](https://docs.pingidentity.com/pingam/8/upgrade-guide/migrate-to-fbc.html)

### Node Designer

AM 8 introduces a new way to create authentication node types that can be reused and shared across journeys and deployments.

The Node Designer lets you create scripted node types that have the following benefits:

* Configurable bindings

* Access to next-generation script bindings

* Potential for less code repetition

* Easier and quicker to innovate custom node types with scripting

Learn more in [Custom scripted nodes](https://docs.pingidentity.com/pingam/8/authentication-guide/node-designer.html).

### Dynamic client registration script

You can configure AM to run a custom script after dynamic client registration. Create a next-generation script to modify a client profile after a successful create, update, or delete operation.

Learn more in [Customize dynamic client registration](https://docs.pingidentity.com/pingam/8/oidc1-guide/dynamic-client-registration-script.html).

### Support for DER-formatted certificates for OAuth 2.0 client authentication

AM now accepts X.509 certificates in both PEM and DER format to authenticate OAuth 2.0 clients.

Learn more in [Authenticate clients with mutual TLS](https://docs.pingidentity.com/pingam/8/oauth2-guide/client-auth-mtls.html).

### RADIUS server configuration update

The [RADIUS server service](https://docs.pingidentity.com/pingam/8/am-reference/services-configuration.html#global-radiusserverservice) has a new configuration property that enforces the inclusion of the `Message-Authenticator` attribute in requests and responses.

Enable this property to require a valid `Message-Authenticator` on incoming RADIUS Access-Request packets, so that spoofed requests are rejected rather than processed.
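
To make the check concrete, here is an added Python example (not AM's implementation) that builds an Access-Request carrying a `Message-Authenticator` and verifies it the way a server enforcing the attribute would: HMAC-MD5 over the packet with the attribute value zeroed, keyed with the shared secret (RFC 2869 section 5.14, RFC 3579 section 3.2). Requiring the attribute is also the mitigation for the 2024 Blast-RADIUS attack (CVE-2024-3596), which forges server responses when the attribute is not required. The shared secret, identifier and attribute values are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IDENTIFIER = 32
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869, section 5.14
HEADER_LEN = 20                  # code, identifier, length, 16-byte authenticator


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as type, length (including the 2-byte header), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def iter_attrs(payload):
    """Yield (type, value_offset, value) for each attribute in payload."""
    off = 0
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = payload[off], payload[off + 1]
        if attr_len < 2 or off + attr_len > len(payload):
            raise ValueError("bad attribute length")
        yield attr_type, off + 2, payload[off + 2:off + attr_len]
        off += attr_len


def find_message_authenticator(packet):
    """Return the offset of the Message-Authenticator value within packet, or None."""
    for attr_type, value_off, value in iter_attrs(packet[HEADER_LEN:]):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                raise ValueError("Message-Authenticator must be 16 octets")
            return HEADER_LEN + value_off
    return None


def compute_message_authenticator(packet, secret, request_authenticator=None):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed.

    For an Access-Request the packet's own authenticator field is used. For a
    response (Access-Accept/Reject/Challenge) pass the Request Authenticator of
    the matching request; it takes the place of the authenticator field during
    the computation (RFC 3579, section 3.2).
    """
    off = find_message_authenticator(packet)
    if off is None:
        raise ValueError("packet carries no Message-Authenticator")
    auth = packet[4:HEADER_LEN] if request_authenticator is None else request_authenticator
    zeroed = packet[:4] + auth + packet[HEADER_LEN:off] + bytes(16) + packet[off + 16:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def verify_message_authenticator(packet, secret, request_authenticator=None):
    """True only if the packet is well formed and its Message-Authenticator checks out.

    A packet that omits the attribute is rejected outright, which is what
    enforcing the attribute on incoming requests means in practice.
    """
    if len(packet) < HEADER_LEN or struct.unpack(">H", packet[2:4])[0] != len(packet):
        return False
    try:
        off = find_message_authenticator(packet)
        if off is None:
            return False
        expected = compute_message_authenticator(packet, secret, request_authenticator)
    except ValueError:
        return False
    return hmac.compare_digest(expected, packet[off:off + 16])


def build_access_request(secret, identifier, attrs, request_authenticator=None):
    """Assemble an Access-Request whose Message-Authenticator is valid under secret."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    body += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # placeholder, filled below
    header = struct.pack(">BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet = header + request_authenticator + body
    off = find_message_authenticator(packet)
    mac = compute_message_authenticator(packet, secret)
    return packet[:off] + mac + packet[off + 16:]
```

Verifying a response works the same way, with the Request Authenticator of the matching Access-Request passed as `request_authenticator`; note that the MAC covers every attribute, so altering `User-Name` after the fact fails verification just as a wrong shared secret does.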

### IDM policy condition

Authorization policies have a new [environment condition type](https://docs.pingidentity.com/pingam/8/authorization-guide/policies-ui.html#environments) named IDM User. This condition type lets you query an IDM resource to form the basis of the policy evaluation. AM must be part of a Ping Advanced Identity Software deployment to use this environment condition.

### Backchannel authentication

Backchannel authentication lets a third-party federation service initiate authentication with AM on behalf of a user. The federation service collects the user data and transmits this data directly to AM. AM redirects the user to complete the authentication process without having to re-enter the collected data.

Learn more in [Backchannel authentication](https://docs.pingidentity.com/pingam/8/authentication-guide/backchannel-authentication.html).

### FIDO certification

PingAM is now a [FIDO Certified Provider](https://fidoalliance.org/certification/fido-certified-products/). PingAM has passed the FIDO Alliance's rigorous testing program and meets their requirements regarding security and interoperability with other FIDO components.

Changes to PingAM in this regard include the new WebAuthn Metadata service and enhancements to the WebAuthn nodes.

Find more information about configuring AM for FIDO in [Web authentication (WebAuthn)](https://docs.pingidentity.com/pingam/8/authentication-guide/authn-mfa-webauthn.html).

#### WebAuthn Metadata service

The WebAuthn Metadata service lets you configure how AM obtains FIDO2 metadata at the journey level.

Use the WebAuthn Registration node's FIDO Certification Level setting to force AM to check the metadata service for the device's accepted certification level.

Learn more in [WebAuthn Metadata service](https://docs.pingidentity.com/pingam/8/reference/services-configuration.html#webauthn-metadata-service).

#### WebAuthn nodes

The following improvements have been made to the WebAuthn nodes:

* [WebAuthn Authentication node](https://docs.pingidentity.com/auth-node-ref/8.1/webauthn-authentication.html)

  * On successful authentication, the WebAuthn Authentication node now adds a `webauthnAssertionInfo` object to transient state that stores [authenticator data](https://www.w3.org/TR/webauthn-1/#sec-authenticator-data).

  * A new node setting, Detect sign count mismatch, lets you compare the authenticator's sign count ([signature counter](https://www.w3.org/TR/webauthn-2/#signcount)) with the sign count stored in the user's profile.

    A sign count that fails to increase is a signal that the authenticator may have been cloned: the clone and the original each advance their own copy of the counter.

    If the authenticator sign count is less than or equal to the stored value, evaluation continues to the new `Sign Count Mismatch` outcome. Note that the WebAuthn specification allows authenticators that do not implement a counter to report `0`, so the check only gives a meaningful signal for authenticators that report a nonzero, increasing count.

* [WebAuthn Registration node](https://docs.pingidentity.com/auth-node-ref/8.1/webauthn-registration.html)

  * On successful registration, the WebAuthn Registration node now adds the following objects to transient state:

    * `webauthnAttestationInfo`: Stores [authenticator data](https://www.w3.org/TR/webauthn-1/#sec-authenticator-data).

    * `webauthnDeviceAaguid`: Stores the Authenticator Attestation Global Unique Identifier (AAGUID).

  * The new FIDO Certification Level setting lets you use the configured WebAuthn Metadata service to check the device's FIDO certification level meets a minimum level requirement during registration.
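
The counter rule is short enough to show end to end. The Python below is an added example, not the node's code: it parses the fixed prefix of the authenticator data that the node stores in `webauthnAssertionInfo`, compares the reported count with the `signCount` held in the device profile, and returns the outcome name a journey would branch on. The outcome strings, the placeholder RP ID hash and the device profile dict are this example's own; the exemption for a reported and stored count of 0 comes from the WebAuthn specification (an authenticator without a counter reports 0), not from the page.

```python
import struct

# Flag bits of the authenticator data flags byte (WebAuthn Level 2, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data follows
FLAG_ED = 0x80  # extension data follows

SIGN_COUNT_MISMATCH = "Sign Count Mismatch"  # outcome name used by the node
OK = "True"


def parse_authenticator_data(auth_data):
    """Parse the fixed 37-byte prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian).

    Attested credential data and extensions may follow; the counter check
    does not need them.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rpIdHash": auth_data[:32],
        "flags": flags,
        "userPresent": bool(flags & FLAG_UP),
        "userVerified": bool(flags & FLAG_UV),
        "signCount": sign_count,
    }


def evaluate_sign_count(stored_count, reported_count):
    """Apply the signature counter rule of WebAuthn Level 2, section 7.2, step 21.

    Returns (outcome, counter_supported). A count that did not increase means
    another authenticator may hold a copy of the credential. If both values
    are 0 the authenticator does not implement a counter and nothing can be
    concluded; that exemption is from the specification, not from the page.
    """
    if stored_count == 0 and reported_count == 0:
        return OK, False
    if reported_count <= stored_count:
        return SIGN_COUNT_MISMATCH, True
    return OK, True


def check_assertion(device_profile, auth_data):
    """Run the check for one assertion; return (outcome, updated_profile).

    device_profile is a dict like the stored WebAuthn device profile, holding
    the last accepted signCount. It is only updated when the check passes.
    """
    parsed = parse_authenticator_data(auth_data)
    outcome, supported = evaluate_sign_count(device_profile.get("signCount", 0), parsed["signCount"])
    updated = dict(device_profile)
    if outcome == OK and supported:
        updated["signCount"] = parsed["signCount"]
    return outcome, updated


def make_auth_data(sign_count, flags=FLAG_UP | FLAG_UV, rp_id_hash=b"\x11" * 32):
    """Constructed authenticator data for demonstration; the RP ID hash is a placeholder."""
    return rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)
```

The stored value is deliberately left untouched on a mismatch: if the journey decides to let the user through anyway (for example after step-up), the next assertion from the original authenticator should still be judged against the highest count seen.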

#### Device profile settings

The following attributes are now stored in device profiles:

* WebAuthn device profile

  * `signCount`: The device sign count (signature counter).

* Push, WebAuthn, and OATH device profiles

  * `createdDate`: The date the device was registered and the profile created.

  * `lastAccessDate`: The date the device was last used to sign in successfully.

### Ability to trace the request flow through Ping Advanced Identity Software

When a user interacts with Ping Advanced Identity Software, the request can travel through multiple services before it completes. *Distributed tracing* lets you monitor the request flow through Ping Advanced Identity Software.

Tracing provides a single view of a request's journey and makes it easier to locate bottlenecks and errors.

Learn more in [Trace incoming and outgoing requests](https://docs.pingidentity.com/pingam/8/maintenance-guide/trace-requests.html).

### Improved REST API for transactional authorization

For [transactional authorization](https://docs.pingidentity.com/pingam/8/authorization-guide/transactional-authorization.html) requests, you can now call the `authenticate` endpoint with an `authIndexType` of `transaction` and an `authIndexValue` set to the transaction ID (`transactionId` is a placeholder in the example below). This new parameter lets you complete transactional authorization without sending URL-encoded XML over REST.

For example:

```bash
curl \
--cookie "iPlanetDirectoryPro=sso-cookie" \
--request POST \
--header "Content-Type: application/json" \
--header "Accept-API-Version: resource=2.0, protocol=1.0" \
'https://am.example.com:8443/am/json/realms/root/authenticate?authIndexType=transaction&authIndexValue=transactionId'
```

The new parameter behaves identically to the existing `composite_advice` parameter, which remains supported:

```bash
…/authenticate?authIndexType=composite_advice&authIndexValue=URL-encoded-XML
```

### Certificate Collector node supports DER certificates

For certificates supplied in HTTP headers, the [Certificate Collector node](https://docs.pingidentity.com/auth-node-ref/8.1/certificate-collector.html) now supports certificates in DER format in addition to PEM format. There are no configuration changes in the node itself.

The certificate format is inferred from the encoded certificate contents. The supported DER format encoding is compliant with [RFC 9440](https://www.rfc-editor.org/rfc/rfc9440.html#name-encoding).
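
Both the mTLS client authentication change above and this node accept PEM or DER, with the format inferred from the content. The Python below is an added example (not AM's implementation) of that inference: it recognises PEM armour or an RFC 9440 colon-delimited base64 Byte Sequence, decodes to DER and checks that the bytes form one complete DER SEQUENCE. The sample bytes are a constructed SEQUENCE standing in for a certificate, not a real X.509 certificate, and the helper and function names are this example's own.

```python
import base64
import re
import textwrap

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_tlv(tag, content):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(n_bytes)]) + n_bytes
    return bytes([tag]) + length + content


def der_sequence_length(der):
    """Total encoded length of the outer DER SEQUENCE, or ValueError if it is not one."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def decode_cert_header(value):
    """Infer how a certificate in an HTTP header is encoded; return ("PEM"|"DER", der_bytes).

    PEM is recognised by its armour. A value between colons is an RFC 8941
    Byte Sequence holding base64 DER, the form RFC 9440 prescribes for the
    Client-Cert field. The result must decode to exactly one DER SEQUENCE.
    """
    value = value.strip()
    m = PEM_RE.search(value)
    if m:
        fmt, body = "PEM", re.sub(r"\s+", "", m.group(1))
    elif len(value) >= 2 and value[0] == ":" and value[-1] == ":":
        fmt, body = "DER", value[1:-1]
    else:
        raise ValueError("unrecognised certificate encoding")
    der = base64.b64decode(body, validate=True)
    if der_sequence_length(der) != len(der):
        raise ValueError("decoded bytes are not a single complete DER SEQUENCE")
    return fmt, der


def encode_rfc9440(der):
    """Header value form from RFC 9440: standard base64, no line breaks, colon delimited."""
    return ":" + base64.b64encode(der).decode("ascii") + ":"


def encode_pem(der):
    """PEM form: armour plus base64 wrapped at 64 columns."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed stand-in for a certificate body: a SEQUENCE with a long-form
# length so both length encodings are exercised. A real header carries an
# X.509 certificate, which is also an outer SEQUENCE.
SAMPLE_DER = der_tlv(0x30, der_tlv(0x02, b"\x01") + der_tlv(0x0C, b"demo") + der_tlv(0x04, bytes(200)))
```

If a reverse proxy URL-encodes the PEM before placing it in a header, decode that layer first; the RFC 9440 byte-sequence form sidesteps the problem because base64 needs no escaping in a header field value. The trailing-length check matters in practice: a truncated value that still decodes as base64 would otherwise be handed to the certificate parser.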

### OAuth 2.0 application journeys

You can now associate an OAuth 2.0 client with a specific authentication journey (tree). The associated journey is always run, regardless of existing sessions or configured authentication context class reference (`acr`) values.

You can only associate a tree with OAuth 2.0 applications configured for the `Authorization Code`, `Implicit`, or `Device Code` grant type, that is, the grant types in which the user authenticates interactively.

To access information about the incoming OAuth 2.0 request, configure your tree to include a [Scripted Decision node](https://docs.pingidentity.com/auth-node-ref/8.1/scripted-decision.html) that queries the [`oauthApplication`](https://docs.pingidentity.com/pingam/8/scripting-guide/scripting-api-node.html#oauthapp-binding) script binding.

Learn more in [client application registration](https://docs.pingidentity.com/pingam/8/oauth2-guide/oauth2-register-client.html#oauth2-config-treename).

### SAML 2.0 application journeys

Configure the remote SP so that a specific authentication journey (tree) is always run for users authenticating with your SAML 2.0 app. The federation flow invokes the associated journey regardless of any existing sessions or configured authentication context.

You can access the requested authentication context and configured mappings by including a [Scripted Decision node](https://docs.pingidentity.com/auth-node-ref/8.1/scripted-decision.html) in the journey that queries the new [`samlApplication` script binding](https://docs.pingidentity.com/pingam/8/scripting-guide/scripting-api-node.html#samlapp-binding).

Learn more in [Configure a SAML 2.0 application journey](https://docs.pingidentity.com/pingam/8/saml2-guide/saml2-providers-and-cots.html#samlapp-tree).

Additionally, details about the SAML v2.0 app tree flow are added to the [Access log](https://docs.pingidentity.com/pingam/8/security-guide/sec-maint-audit-ref.html#access-log-format) under the `AM-ACCESS-OUTCOME` event.

### Customize SAML NameID mapping with a script

You can now use a script to customize the NameID attribute in the SAML 2.0 assertion per SP. Create a next-generation script of type `Saml2 NameID Mapper` and configure the remote SP entity to use the custom script.

You can find more information in [NameID mapper](https://docs.pingidentity.com/pingam/8/saml2-guide/custom-nameid-mapper.html).

### Http Client service

The new Http Client service lets you create named instances that you can reference from a next-generation script using [the `httpclient` binding](https://docs.pingidentity.com/pingam/8/scripting-guide/script-bindings.html#httpclient-mtls).

On each instance, define secret labels that map to certificates in secret stores and are used during mTLS connections.

The service also provides settings to override connection and response timeouts for HTTP requests and to configure certificate checks per instance.

Learn more in [Http Client service](https://docs.pingidentity.com/pingam/8/reference/services-configuration.html#global-httpclient).

### Default trees

The following new default trees have been added to AM:

* `ldapService`: replaces the `ldapService` authentication chain.

* `Agent`: replaces the `Application` module.

* `amsterService`: replaces the `amsterService` authentication chain.

These trees provide direct replacements for the corresponding default modules and chains. This ensures any authentication processes that rely on them are unaffected by the [removal](changes-8.0.html#modules-and-chains) of modules and chains in this release.

Learn more about these trees in [Default trees](https://docs.pingidentity.com/pingam/8/authentication-guide/authn-introduction-authn.html#default-trees).

### Configure trees to run to completion

Set the `mustRun` property to force a tree to always run to completion, regardless of any existing user session.

Learn more in [Configure an authentication tree to always complete](https://docs.pingidentity.com/pingam/8/authentication-guide/configure-authentication-trees.html#enable-tree-completion).

### Configure no session trees

Set the `noSession` property to create trees that don't result in an authenticated session when they successfully complete.

Learn more in [Configure a no session tree](https://docs.pingidentity.com/pingam/8/authentication-guide/configure-authentication-trees.html#configure-nosession-tree).

### Session duration and timeout control

We've made changes to AM to provide greater control over journey session duration and authenticated session timeouts.

* Journey session duration

  You can now override global and realm level duration values in a tree or a node:

  * For the maximum duration, you can override timeout settings using the new [Update Journey Timeout node](https://docs.pingidentity.com/auth-node-ref/8.1/update-journey-timeout.html) or by setting the `treeTimeout` property in the [tree configuration](https://docs.pingidentity.com/pingam/8/authentication-guide/configure-authentication-trees.html#configure-journey-session-duration-tree).

  * For the suspended duration, you can override the suspended duration in the [Email Suspend node](https://docs.pingidentity.com/auth-node-ref/8.1/email-suspend.html) or in a Scripted Decision node using the `action` object. Learn more in [Suspend and resume journeys](https://docs.pingidentity.com/pingam/8/scripting-guide/scripting-api-node.html#scripting-api-node-suspend).

  Find out how AM derives the journey session duration as a result of these changes in [Configure suspended authentication](https://docs.pingidentity.com/pingam/8/authentication-guide/authn-suspended.html#configure-suspended-auth).

* Authenticated session timeouts

  You can now override global and realm level timeout settings (`maximum session time` and `maximum idle time`) in a tree or a node.

  * In nodes, you can override the session timeouts in the [Set Session Properties node](https://docs.pingidentity.com/auth-node-ref/8.1/set-session-properties.html) or in a Scripted Decision node using the `withMaxIdleTime` and `withMaxSessionTime` methods. Learn more in [Set authenticated session timeouts](https://docs.pingidentity.com/pingam/8/scripting-guide/scripting-api-node.html#scripting-api-node-session-timeouts).

  * In a tree, you can override the session timeouts by setting the `maximumSessionTime` and `maximumIdleTime` properties in the [tree configuration](https://docs.pingidentity.com/pingam/8/authentication-guide/configure-authentication-trees.html#configure-auth-session-timeouts-tree).

  Find out how AM derives the authenticated session timeouts as a result of these changes in [Configure authenticated session timeout settings](https://docs.pingidentity.com/pingam/8/sessions-guide/session-state-session-termination.html#auth-session-termination-config).

### LINE login support

You can now configure a social provider authentication with LINE login. There are two new social provider configuration profiles, LINE (Browser) and LINE (Native), for browser and mobile app integrations.

Do not configure a well-known endpoint for the LINE (Browser) profile: without one, AM verifies the ID token signature using the client secret rather than keys published by the provider.

### Next-generation script bindings

The following next-generation script bindings have been improved for this release:

#### Common bindings

* `cookieName`: Access the name of the cookie as a string to perform session actions such as ending all sessions for a user.

* `httpClient`:

  * Use the new `form` attribute to send url-encoded form requests.

  * Reference an instance of the new [Http Client service](#new-httpclient-service) to enable mTLS connections to external services.

* `policy`: Lets you access the policy engine API and evaluate policies from within scripts.

* `secrets`: Reference secrets and credentials stored in secret stores.

* `utils`: Use this new utility binding to perform functions such as:

  * Base64 encode/decode strings

  * Generate random values and UUIDs

  * Encrypt and decrypt values

  * Compute hash values

  * Sign and verify data

> Make sure you don't use the same name for a local variable as that of a common binding in your script. These names are reserved for common bindings only.
>
> If you have already defined a local variable with the same name as one that's added to common bindings in a more recent version of PingAM, for example `utils`, you must rename the variable in your scripts before you upgrade.

Learn more in [Script bindings](https://docs.pingidentity.com/pingam/8/scripting-guide/script-bindings.html).

#### Scripted decision node bindings

* `action`:

  * Use the new `suspend(String message)` and `suspend(String message, SuspensionLogic logic)` methods to suspend the current authentication session and send a message to the user.

    You can also implement custom logic with the resume URI, for example, to send an email or SMS using the HTTP client service.

  * You can now access the following methods through the ActionWrapper object to return additional information to the client:

    * `withHeader(String header)`

    * `withDescription(String description)`

    * `withStage(String stage)`

* `jwtAssertion` and `jwtValuation`:

  * You can now generate JWT assertions with custom non-registered claims.

  * Data fields are more aligned with the JWT specification, so you can now specify separate values for `issuer` and `subject`. These replace the existing `accountId`.

  * The bindings work with `RS256` or `HS256` signed JWTs, and JWTs that are encrypted using the A128CBC-HS256 algorithm.

* `nodeState`: You can now merge data, including `objectAttributes` values, into existing state with the new `mergeShared` and `mergeTransient` methods.

* `oauthApplication`: Access request and application information if the node is part of a journey associated with an OAuth 2.0 client application.

* `requestCookies`: Use this new decision node script binding to access request cookies directly.

* `samlApplication`: Access request and application information if the node is part of a journey associated with a SAML 2.0 client application.

Learn more in the [Scripted Decision node API](https://docs.pingidentity.com/pingam/8/scripting-guide/scripting-api-node.html).

#### Library scripts

Library scripts now have access to all common bindings.

Learn more in [Library scripts](https://docs.pingidentity.com/pingam/8/scripting-guide/library-scripts.html).

#### Next-generation script types

The following existing script types are now enabled for the next-generation script engine:

* [Configuration Provider node](https://docs.pingidentity.com/auth-node-ref/8.1/config-provider.html) scripts

* [Device Match node](https://docs.pingidentity.com/auth-node-ref/8.1/device-match.html) scripts

* [Policy condition](https://docs.pingidentity.com/pingam/8/scripting-guide/policy-condition-scripting-api.html) scripts

> [Scripted Decision node](https://docs.pingidentity.com/auth-node-ref/8.1/scripted-decision.html) and [Device Match node](https://docs.pingidentity.com/auth-node-ref/8.1/device-match.html) scripts now have different context types depending on the script engine. For legacy scripts, the context is `AUTHENTICATION_TREE_DECISION_NODE`, and for next-generation scripts, the contexts are `SCRIPTED_DECISION_NODE` and `DEVICE_MATCH_NODE` respectively.

#### Access PingOne Verify transaction data

The `verifyTransactionsHelper` next-generation binding lets you manage [PingOne Verify](https://www.pingidentity.com/en/platform/capabilities/identity-verification/pingone-verify.html) user transactions and PingOne user accounts.

Learn more in [Access PingOne Verify transactions and manage associated user](https://docs.pingidentity.com/pingam/8/scripting-guide/script-bindings.html#common-verifytransactionshelper).

### Enable Device Management node

The [Enable Device Management node](https://docs.pingidentity.com/auth-node-ref/8.1/enable-device-management.html) lets you relax or remove restrictions placed upon users who want to reset or remove registered MFA devices.

Use this node in a journey to change the authentication strategy required for removing registered devices.

### Flow Control node

The [Flow Control node](https://docs.pingidentity.com/auth-node-ref/8.1/flow-control.html) lets you control the authentication flow by randomly sending traffic down different paths of a tree (journey). This means you can use the node to evaluate changes before rolling them out to a production environment.

For example, configure the node to direct a percentage of requests to a new authentication journey to observe the user experience and check for potential failures.

### Customize the JSON in the authentication response

The following nodes are new for this release.

#### Set Success Details node

The [Set Success Details node](https://docs.pingidentity.com/auth-node-ref/8.1/set-success-details.html) lets you add details to the JSON response on successful authentication.

You can add either or both of the following:

* Success Details: Lets you add static `key:value` fields to the JSON response.

* Session Properties: Lets you add `key:value` fields to the JSON response, where `value` corresponds to the value of the specified session property.

#### Set Failure Details node

The [Set Failure Details node](https://docs.pingidentity.com/auth-node-ref/8.1/set-failure-details.html) lets you add details to the JSON response on authentication failure.

You can add either or both of the following:

* Failure Message: Lets you add a custom, localized message to display to the user and return in the JSON response.

* Failure Details: Lets you add `key:value` fields to the JSON response.

#### Set Error Details node

The [Set Error Details node](https://docs.pingidentity.com/auth-node-ref/8.1/set-error-details.html) lets you add details to the JSON response when a journey ends in an error.

You can add either or both of the following:

* Error Message: Lets you add a custom, localized message to display to the user and return in the JSON response.

* Error Details: Lets you add `key:value` fields to the JSON response.

### Configurable clock skew for OIDC ID token expiry time

The [org.forgerock.openam.oauth2.tokenexpiry.skewAllowance](https://docs.pingidentity.com/pingam/8/reference/deployment-configuration-reference.html#org.forgerock.openam.oauth2.tokenexpiry.skewAllowance) advanced server property lets you configure the period, in seconds, during which an OIDC ID token remains valid *after* its expiry time.

This property allows for clock skews between servers.

In previous releases, the clock skew for ID token expiry times was hard coded to 5 minutes. For compatibility purposes, this is the default value of the new property.

### Update signing certificate in remote SP metadata

You can now update the signing or encryption certificate for an existing SP without needing to delete and recreate the entire SP configuration.

Learn more in [Update remote SP certificate](https://docs.pingidentity.com/pingam/8/saml2-guide/saml2-providers-and-cots.html#update-metadata).

### Configure client certificate in SP metadata

You can now configure the hosted SP to exclude the client certificate from metadata.

To override the default behavior, enable the Exclude Client Certificate from Metadata option in the SP's [configuration](https://docs.pingidentity.com/pingam/8/saml2-guide/saml2-reference.html#sp-hosted-client-auth).

### Changes to refresh tokens

#### Consistent errors when refreshing tokens

The following new methods ensure consistent error messages when refreshing tokens:

* `com.sun.identity.idm.IdRepoListener`

  * `objectChanged(String name, String previous, IdType idType, int changeType, Map cMap)`

* `com.sun.identity.idm.IdEventListener`

  * `identityRenamed(String universalId, String previousUniversalId)`

If a refresh token is used but the username has changed since the original refresh token was issued, these methods ensure the following error is returned:

```json
{
   "error_description" : "grant is invalid",
   "error" : "invalid_grant"
}
```

#### Refresh token grace period

The refresh token grace period now applies to client-side refresh tokens as well as server-side refresh tokens. You define the grace period in the OAuth 2.0 provider configuration in a realm and can override it for specific OAuth 2.0 clients.

Before this release, an OAuth 2.0 client could have a grace period of `0` (the default), which would mean that the grace period would be inherited from the OAuth 2.0 provider. That inherited value had no effect on client-side refresh tokens, however. From this release, client-side tokens inherit the refresh token grace period set on the OAuth 2.0 provider if no specific grace period is set in the client configuration.

### Configuration Provider node

The following improvements have been made to the [Configuration Provider node](https://docs.pingidentity.com/auth-node-ref/8.1/config-provider.html):

* Previously, you could only use the Configuration Provider node to imitate nodes with fixed outcomes. Now, you can also imitate nodes with variable outcomes from a predefined list.

  This change makes the following nodes available to the Configuration Provider node:

  * [MFA Registration Options node](https://docs.pingidentity.com/auth-node-ref/8.1/mfa-registration-options.html)

  * [OATH Token Verifier node](https://docs.pingidentity.com/auth-node-ref/8.1/oath-token-verifier.html)

  * [Polling Wait node](https://docs.pingidentity.com/auth-node-ref/8.1/polling-wait.html)

  * [Push Sender node](https://docs.pingidentity.com/auth-node-ref/8.1/push-sender.html)

  * [Select Identity Provider node](https://docs.pingidentity.com/auth-node-ref/8.1/select-identity-provider.html)

  * [WebAuthn Authentication node](https://docs.pingidentity.com/auth-node-ref/8.1/webauthn-authentication.html)

  * [WebAuthn Device Storage node](https://docs.pingidentity.com/auth-node-ref/8.1/webauthn-device-storage.html)

  * [WebAuthn Registration node](https://docs.pingidentity.com/auth-node-ref/8.1/webauthn-registration.html)

  To make custom nodes available to the Configuration Provider node, write an outcome provider class that implements the `StaticOutcomeProvider` or `BoundedOutcomeProvider` interface.

* The following nodes with fixed outcomes are also now available to the Configuration Provider node:

  * [Enable Device Management node](https://docs.pingidentity.com/auth-node-ref/8.1/enable-device-management.html)

  * [Identity Assertion node](https://docs.pingidentity.com/auth-node-ref/8.1/identity-assertion-node.html)

  * [Push Wait node](https://docs.pingidentity.com/auth-node-ref/8.1/push-wait.html)

* You can now generate configuration provider template scripts with default values.

  Call the node API endpoint with the `configProviderScript` action to generate a JavaScript or Groovy script for the type of node you want to imitate.

  Learn more in the [Configuration Provider node](https://docs.pingidentity.com/auth-node-ref/8.1/config-provider.html).

### Backchannel logout token contains `exp` claim

The logout token generated during backchannel logout now contains an `exp` claim.

Learn more in [Backchannel logout](https://docs.pingidentity.com/pingam/8/oidc1-guide/backchannel-logout.html).

### New `ssoadm` commands update attributes in a realm service

A fix to the deprecated `ssoadm` tool adds the following new commands:

* `add-realm-default-attributes`

* `set-realm-default-attributtes`

* `remove-realm-default-attributes`

* `get-realm-default-attributes`

These commands work on realm defaults from AM 7 onwards.

### System property for social provider `sub` claim uniqueness

A new system property (`org.forgerock.openam.oidc.SocialProvider.sub.claim.is.not.unique`) indicates that the OIDC social provider doesn't return a unique value for the `sub` claim.

The property is `false` by default.
