New features
Information for previous releases could be outdated or superseded.
IDM 8.1
Cluster standby mode
You can configure IDM instances to boot in standby mode, where they don’t process schedules, clustered reconciliation, or queued sync operations. Use the openidm/cluster/active endpoint to transition nodes between active and standby states on demand.
Learn more in:
openidm.http.client.userAgent property
The openidm.http.client.userAgent property lets you customize the User-Agent header sent with HTTP client requests. If not specified, the default "PingIdentity" value is used. Request-level headers take precedence over both the IDM configuration and the default value. Learn more in External REST configuration properties.
Workflow engine upgrade
The Flowable embedded workflow engine has been upgraded to version 7.2.0.
If you’re upgrading from a previous version of IDM and use workflow, this upgrade requires one or more incremental upgrade scripts.
Quartz Scheduler upgraded to 2.5.2
The embedded Quartz Scheduler has been upgraded from version 2.3.2 to 2.5.2. This upgrade doesn’t require any configuration change.
wantClientAuth support for Jetty listeners
A new setting, wantClientAuth, is available for webserver.listener-*.json configuration files to allow the server to request a client certificate during the TLS handshake without requiring it. This enables support for mixed traffic, allowing clients with or without certificates to connect on the same port. If a client provides a certificate, it must be valid; otherwise, the handshake fails.
Learn more:
enum support
Support for managed object schema enumerations in string and number attributes. To make an attribute an enumeration, add "enum" : [ "one", "two", "three" ] to the attribute.
OpenTelemetry logging
IDM now supports OpenTelemetry logging, which allows you to export logs in the OpenTelemetry Protocol (OTLP) to an OpenTelemetry collector. This is an evolving feature. Learn more in OpenTelemetry logging.
OpenTelemetryAppender in logback.xml
IDM now supports the OpenTelemetryAppender in the logback.xml configuration file. This appender writes formatted JSON logs to a collector using the OTLP protocol. Learn more in Log appenders.
Paging for the sync/mappings endpoint
The sync/mappings endpoint now supports paging to better display large numbers of mappings. You can retrieve results in manageable chunks by using the _pageSize parameter with either cookie-based (_pagedResultsCookie) or offset-based (_pagedResultsOffset) paging.
Learn more in Paging synchronization mapping results.
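As an added example (not IDM's own code), a Python client that walks paged sync/mappings results in both cookie and offset modes and stops when the server signals the last page. The response field names (result, resultCount, pagedResultsCookie, remainingPagedResults), the base URL and the authentication headers are assumptions, and the mapping names are constructed sample data.

```python
"""Page through openidm/sync/mappings using _pageSize with a cookie or an offset."""
import json
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Constructed sample data: seven mapping names standing in for a large result set.
MAPPINGS = [
    "systemLdapAccounts_managedUser",
    "managedUser_systemLdapAccounts",
    "systemHrdb_managedUser",
    "managedUser_systemHrdb",
    "managedRole_systemLdapGroups",
    "systemCsvfileAccounts_managedUser",
    "managedUser_systemAd",
]

Fetch = Callable[[Dict[str, str]], Dict]


def fake_sync_mappings(params: Dict[str, str]) -> Dict:
    """Constructed stand-in for GET openidm/sync/mappings.

    Mirrors Common REST paging as this example assumes it: the response carries
    "result", "resultCount", "pagedResultsCookie" (null on the last page) and
    "remainingPagedResults". The cookie is opaque to clients; this fake happens
    to encode the next offset in it.
    """
    page_size = int(params.get("_pageSize", "0")) or len(MAPPINGS)
    if params.get("_pagedResultsCookie"):
        start = int(params["_pagedResultsCookie"])
    else:
        start = int(params.get("_pagedResultsOffset", "0"))
    page = MAPPINGS[start:start + page_size]
    end = start + len(page)
    return {
        "result": [{"name": name} for name in page],
        "resultCount": len(page),
        "pagedResultsCookie": str(end) if end < len(MAPPINGS) else None,
        "remainingPagedResults": len(MAPPINGS) - end,
    }


def http_fetch(base_url: str, headers: Dict[str, str]) -> Fetch:
    """Build a fetcher for a live IDM instance (assumed base URL and auth headers)."""
    def fetch(params: Dict[str, str]) -> Dict:
        url = f"{base_url}/openidm/sync/mappings?{urlencode(params)}"
        req = Request(url, headers=headers)
        with urlopen(req) as resp:  # assumes HTTPS with a trusted server certificate
            return json.load(resp)
    return fetch


def fetch_all_mappings(fetch: Fetch, page_size: int, mode: str = "cookie",
                       max_pages: int = 1000) -> Tuple[List[str], int]:
    """Collect every mapping name page by page. Returns (names, requests made).

    mode="cookie": pass back _pagedResultsCookie until the server returns none.
    mode="offset": advance _pagedResultsOffset by page_size until a short page.
    max_pages bounds the loop so a misbehaving server cannot spin it forever.
    """
    if mode not in ("cookie", "offset"):
        raise ValueError(f"unknown paging mode: {mode}")
    names: List[str] = []
    requests = 0
    cookie: Optional[str] = None
    offset = 0
    while requests < max_pages:
        params = {"_pageSize": str(page_size)}
        if mode == "cookie" and cookie:
            params["_pagedResultsCookie"] = cookie
        if mode == "offset":
            params["_pagedResultsOffset"] = str(offset)
        response = fetch(params)
        requests += 1
        page = [entry["name"] for entry in response["result"]]
        names.extend(page)
        if mode == "cookie":
            next_cookie = response.get("pagedResultsCookie")
            if not next_cookie or next_cookie == cookie:  # last page, or a repeated cookie
                break
            cookie = next_cookie
        else:
            if len(page) < page_size:  # a short (or empty) page means no more results
                break
            offset += page_size
    return names, requests


if __name__ == "__main__":
    for paging_mode in ("cookie", "offset"):
        found, calls = fetch_all_mappings(fake_sync_mappings, page_size=3, mode=paging_mode)
        print(f"{paging_mode}: {len(found)} mappings in {calls} requests")
```

Swap fake_sync_mappings for http_fetch("https://idm.example.com", {...}) to run it against a real instance.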
Improved task scanner exception handling
If the task scanner encounters a task that results in an exception, it now aborts only that task and continues processing the remaining tasks. Previously, the scanner would abort the entire process when any task caused an exception.
Bouncy Castle FIPS upgrade
The bc-fips-2.1.2 library is now available. Learn more in Download the Bouncy Castle libraries.
Jetty QoSHandler and configuration properties
IDM now includes the Jetty QoSHandler to limit the number of active concurrent requests. The handler is configured to use all but two threads to ensure requests to critical endpoints are always handled.
New QoSHandler configuration properties are available in webserver.json to control the maximum number of requests and the amount of time a request can remain in the handler’s queue: maxQueueSize and maxRequestSuspendTime.
Learn more in Jetty QoSHandler and in Jetty property reference.
Jetty QoSHandler metrics
IDM’s metric collection endpoints now include Jetty QoSHandler metrics. Learn more about the API and Prometheus metrics that track the QoSHandler queue.
Jetty Server Name Indication (SNI) host check
A new setting, sniHostCheckEnabled, is available in the webserver.listener-*.json configuration files to control the Jetty SNI host check. Although not recommended for security reasons, disabling this check might be necessary in certain proxy configurations, such as SSL pass-through.
Learn more in Disable SNI host check.
Jetty thread pool and request metrics
IDM’s metric collection endpoints now include Jetty thread pool and request metrics. Learn more in API Jetty metrics and Prometheus Jetty metrics.
Base64 atob and btoa global script bindings
IDM now includes atob (Base64-decode) and btoa (Base64-encode) as global script bindings. This update provides common JavaScript utilities for Base64 operations, mitigating potential class-loading issues associated with using native Java packages or classes for these functions.
Learn more in:
Liveness endpoint
A new liveness endpoint, openidm/health/live, is available to indicate whether the IDM instance is running. This endpoint can be used in containerized environments, such as Kubernetes, to determine when to restart a container.
The endpoint returns a 200 OK status when IDM’s required bundles are installed and started. Otherwise, it returns a 503 Service Unavailable status.
Learn more in Liveness probe.
Readiness endpoint
A new readiness endpoint, openidm/health/ready, is available to indicate whether the IDM instance is ready. This endpoint can be used in containerized environments, such as Kubernetes, to determine when a container is ready to accept traffic.
The endpoint returns an HTTP 503 status code when the health check readiness state is TEMPORARILY_UNAVAILABLE, CRITICAL, or HEALTHCHECK_UNKNOWN.
Connector server status metric
A new metric is available to monitor the status of connector servers. This metric indicates whether a connector server is running (1) or not running (0), providing a way to track connector server health without making a POST call to the system?_action=testConnectorServers endpoint.
- API metric: icf_connector_server_availability.rcsName.rcsType
- Prometheus metric: idm_icf_connector_server_availability
Pending connector request metric and provisioner metric tags
IDM’s metric collection endpoints include a new metric to monitor the number of pending connector requests over the configured limit. The provisioner service also includes connector_type, bundle_version, and location metric tags.
| Pending request gauges won’t register until the associated RequestType has been invoked at least one time. |
- API metric: icf_pending.{connector-type}.{bundle-version}.{location}
- Prometheus metric: idm_icf_pending{bundle_version="{bundle_version}",connector="{connector}",connector_type="{connector_type}",location="{location}",operation="{operation}",system_identifier="{system_identifier}"}
IDM 8.0.1
Bouncy Castle FIPS upgrade
The bc-fips-2.1.2 library is now available. Learn more in Download the Bouncy Castle libraries.
Jetty Server Name Indication (SNI) host check
A new setting, sniHostCheckEnabled, is available in the webserver.listener-*.json configuration files to control Jetty’s SNI host check. Although not recommended for security reasons, disabling this check might be necessary in certain proxy configurations, such as SSL pass-through.
Learn more in Disable SNI host check.
IDM 8.0
Secure RCS access
You can create stricter RCS authorization and access rules. To enable authorization for RCS, add an appropriate role to the static-user mapping used for the RCS subject and write the appropriate access rules to permit this role to be granted access to the openicf servlet on the path (pattern) corresponding to the RCS name used in the RCS configuration.
Learn more in Secure RCS access.
Bouncy Castle FIPS 140-3 compliance
You can configure PingIDM to meet Federal Information Processing Standard (FIPS) 140-3 compliance standards. Learn more in FIPS 140-3 compliance.
Distributed tracing with OpenTelemetry
You can run a distributed trace in PingIDM using OpenTelemetry and export the data to an external trace collector for telemetry storage and visualization.
Learn more in Distributed tracing.
Jetty 12 support
The embedded Jetty web server supports Jetty 12. Instead of jetty.xml, the updated configuration uses a webserver.json for global settings and a webserver.listener-*.json to detect changes. Learn more in Embedded Jetty configuration.
| When serving SSL requests, Jetty 12 checks that the incoming host header matches the server certificate’s subject and returns a |
Array comparison
You can choose whether synchronization detects managed object array changes using unordered or ordered comparison by setting the comparison property in the schema. Unordered JSON array comparison ignores the order of elements and can remove the need for certain custom scripts within mappings.
Learn more about managed object schema properties and array comparison.
Logback
IDM now uses Logback to generate server logs. Learn more in Server logs.
Java 21 support
You can run IDM with Java 21. Learn more in Java requirements.
Audit-free health check
To verify the current server state without generating audit logs, use the new openidm/health endpoint. Learn more in Audit-free health check.
Additional metrics
New metrics are available for ICF operations.
Filesystem secret store automatic encryption
You can configure automatic encryption of your filesystem secret store.
Store credentials as secrets
You can store credentials for many services as secrets. The list of supported services has been expanded to include:
Learn more in Secret stores.
_api parameter requires authorization
Requests passing the _api parameter now require authorization. Learn more in Common REST.
IDM 7.5.2
This release includes updates to ICF connectors, updates to dependency libraries, bug fixes, and the following feature:
IDM 7.5.1
_api parameter requires authorization
Requests passing the _api parameter now require authorization. Learn more in Common REST.
Secure RCS access
You can create stricter RCS authorization and access rules. To enable authorization for RCS, add an appropriate role to the static-user mapping used for the RCS subject and write the appropriate access rules to permit this role to be granted access to the openicf servlet on the path (pattern) corresponding to the RCS name used in the RCS configuration.
Learn more in Secure RCS access.
Array comparison
You can choose whether synchronization detects managed object array changes using unordered or ordered comparison by setting the comparison property in the schema. Unordered JSON array comparison ignores the order of elements and can remove the need for certain custom scripts within mappings.
Learn more about managed object schema properties and array comparison.
IDM 7.5.0
Connectors
Connectors continue to be updated and released outside of IDM. To stay up-to-date with new features and versions, check out the ICF Release notes.
Although not bundled in this release of IDM, the two newest connectors are available to download from Backstage:
International email addresses
IDM now supports international email addresses. This feature is only available for supporting SMTP providers.
For more information, refer to International email addresses.
Store credentials as secrets
You can store credentials for a number of services as secrets. The supported services include:
For more information, refer to Secret stores.
Version file system secrets
You can have multiple versions of secrets stored in a file system secret store.
For more information, refer to Filesystem secret stores.
Enhanced signal propagation
Managed objects can now receive relationship graph topology change signals through the SignalPropagationCalculator class that is active by default.
Learn more in Enhanced signal propagation.
Workflow engine upgrade
The Flowable embedded workflow engine has been upgraded to version 6.8.0. If you are upgrading from a previous version of IDM and use workflow, this upgrade requires one or more incremental upgrade scripts. For more information, refer to Upgrade an existing repository.
Connect to DS with ScriptedREST sample supports client_credentials grant type
The customizer script for the Connect to DS with ScriptedREST sample now includes OAuth capabilities for the client_credentials grant type.
IDM 7.4.3
This release includes updates to ICF connectors, updates to dependency libraries, bug fixes, and the following feature:
IDM 7.4.2
International email addresses
IDM now supports international email addresses. This feature is available only for supporting SMTP providers.
For more information, refer to International email addresses.
Secure RCS access
You can create stricter RCS authorization and access rules. To enable authorization for RCS, add an appropriate role to the static-user mapping used for the RCS subject and write the appropriate access rules to permit this role to be granted access to the openicf servlet on the path (pattern) corresponding to the RCS name used in the RCS configuration.
Learn more in Secure RCS access.
Array comparison
You can choose whether synchronization detects managed object array changes using unordered or ordered comparison by setting the comparison property in the schema. Unordered JSON array comparison ignores the order of elements and can remove the need for certain custom scripts within mappings.
Learn more about managed object schema properties and array comparison.
_api parameter requires authorization
Requests passing the _api parameter now require authorization. Learn more in Common REST.
Java 17 support
This IDM release requires Java 17. Learn more in Embedded Jetty configuration.
IDM 7.4.1
- The Flowable embedded workflow engine has been upgraded to version 6.8.0.
- End user UI supports array properties.
- SalesForce connector supports client_credentials and refresh_token grant types.
IDM 7.4.0
Filesystem secret stores
You can now configure secret stores to use filesystem secret stores. Filesystem secret stores use a directory containing many files, each storing a single secret. For more information, refer to Filesystem secret stores.
Microsoft Graph API email client
In addition to the SMTP client, you can now configure the outbound email service to use the new MS Graph API Client.
| Use of the new email client requires a properly configured Microsoft Azure tenant. |
For more information, refer to Outbound email service.
Additional metrics
New metrics are available for livesync and scheduler functions. For example requests, refer to Scheduler metrics.
mTLS for authentication to DS
If you’re using IDM with a DS repository, ForgeRock recommends using mTLS to authenticate to DS to better facilitate credential rotation. Refer to Configure mTLS.
IDM 7.3.3
This release includes updates to ICF connectors, updates to dependency libraries, bug fixes, and the following feature:
IDM 7.3.2
International email addresses
IDM now supports international email addresses. This feature is available only for supporting SMTP providers.
For more information, refer to International email addresses.
Secure RCS access
You can create stricter RCS authorization and access rules. To enable authorization for RCS, add an appropriate role to the static-user mapping used for the RCS subject and write the appropriate access rules to permit this role to be granted access to the openicf servlet on the path (pattern) corresponding to the RCS name used in the RCS configuration.
Learn more in Secure RCS access.
Array comparison
You can choose whether synchronization detects managed object array changes using unordered or ordered comparison by setting the comparison property in the schema. Unordered JSON array comparison ignores the order of elements and can remove the need for certain custom scripts within mappings.
Learn more about managed object schema properties and array comparison.
_api parameter requires authorization
Requests passing the _api parameter now require authorization. Learn more in Common REST.
Java 17 support
This IDM release requires Java 17. Learn more in Embedded Jetty configuration.
IDM 7.3.1
Workflow engine upgrade
The Flowable embedded workflow engine has been upgraded to version 6.8.0. If you’re upgrading from a previous version of IDM and use workflow, this upgrade requires one or more incremental upgrade scripts. For more information, refer to Upgrade an existing repository.
IDM 7.3.0
Support for Bouncy Castle FIPS
IDM now supports the use of Bouncy Castle FIPS as a security provider. Bouncy Castle FIPS is useful when dealing with government data, where meeting the FIPS 140-2 security requirement is necessary for regulatory compliance.
For information on how to configure Bouncy Castle, refer to FIPS 140-3 compliance.
Support for UTF-8 email addresses
IDM now supports UTF-8 (non-ASCII/international) characters in email addresses, such as zoë@example.com. When sending emails to these types of addresses, the configured SMTP server must also support UTF-8.
Disable delegated administrator sort and filter while searching
You can now disable delegated administrator sort and filter while searching resource collections in the End User UI. For more information, refer to Disable sort and filter for resource collections.
Workflows now support JavaScript
IDM workflows now support JavaScript in addition to Groovy. For more information about scripting workflows, refer to BPMN 2.0 and workflow tools.
Patch operation improvements
It is now possible to patch the root of an object. The only supported patch operations on the root of an object are remove and replace.
IDM 7.2.2
This release includes updates to ICF connectors, updates to dependency libraries, bug fixes, and the following new feature:
Support for upgrading DS to later version than IDM
Upgrading to DS 7.3 is now supported. For more information, refer to Supported repositories.
IDM 7.2.1
This release includes updates to ICF connectors, updates to dependency libraries, and bug fixes.
IDM 7.2.0
This release of PingIDM software includes the following new features:
Property-based secret stores
IDM now supports property-based secret stores and can read keys and trusted certificates from properties that contain keys in Privacy-Enhanced Mail (PEM) format.
For more information, see Property secret stores.
Scanning tasks to activate and deactivate accounts
The default IDM configuration now includes two scanning tasks that activate and deactivate a user’s accountStatus, based on their activeDate and inactiveDate. For more information, see Activate and deactivate accounts.
external/email endpoint improvements
You can now use cc and bcc parameters with the sendTemplate action. For more information, see:
Workflow improvements
The Flowable embedded workflow engine has been upgraded to version 6.6.0. This upgrade fixes the issue with native email tasks previously mentioned in the Workflow Guide.
Policy validation for field removal
You can now validate field removal using the policy action validateProperty.
Relationship-derived Virtual Properties (RDVP) improvements
Relationship-derived Virtual Properties now include reference fields with details of the referenced relationship.
AD Password Synchronization Plugin UTC timestamps
The latest version of the Active Directory password synchronization plugin (v1.7.0) uses UTC timestamps for logs.
Bootstrap IDM without stored configuration
Previously, the property openidm.fileinstall.enabled also controlled whether configs were loaded on startup. Therefore, to disable file monitoring, you had to first start IDM with it enabled in order to load the configs into the repository, and then restart IDM with it disabled. The new setting openidm.config.bootstrap.enabled (which defaults to true) lets you disable file monitoring while the bootstrap process still loads the configuration into the repository.
For more information, see Disable automatic configuration updates.
API version header warnings
IDM can now log warnings when API version headers are not specified.
Reconciliation enhancements
Reconciliation has been enhanced in the following ways:
- Previously, if one node in the cluster went down or offline during a clustered reconciliation run, the reconciliation was canceled. This limitation no longer exists. For more information, see Clustered reconciliation.
- Addition of the properties reconTargetQueryPaging and reconTargetQueryPageSize. Learn more in the Synchronization reference.
Assignment synchronization optimization
A new property, optimizeAssignmentSync, has been added to synchronization mappings. It determines whether modifications to an assignment’s attributes or relationships are treated as a synchronization event for all members of that assignment or role, or only when the modified assignment is directly relevant to that mapping or effectiveAssignments is included in triggerSyncProperties.
Learn more in the Synchronization reference.
Query filtering on arrays
For versions of IDM running DS or PostgreSQL as a repository, queryFilter now supports filtering on the contents of arrays. For more information, see Filter objects in arrays.
IDM 7.1.6
This release includes updates to ICF connectors, updates to dependency libraries, bug fixes, and the following new feature:
- The SalesForce connector template supports the client_credentials grant type.
IDM 7.1.4
This release includes updates to ICF connectors, updates to dependency libraries, bug fixes, and the following new feature:
- Upgrading to DS 7.3 is now supported. For more information, refer to Supported repositories.
IDM 7.1.2
This release includes updates to ICF connectors, updates to dependency libraries, bug fixes, and the following new feature:
- The Flowable embedded workflow engine has been upgraded to version 6.6.0. This upgrade fixes the issue with native email tasks previously mentioned in the Workflow Guide.
IDM 7.1
Sample connection to Azure AD with the MS Graph API connector
The Synchronize data between IDM and Azure Active Directory sample uses the MS Graph API connector to synchronize users between IDM and Azure AD.
Password sync plugins
Active Directory Password Synchronization Plugin UTC timestamps
The latest version of the Active Directory password synchronization plugin uses UTC timestamps for logs.
Active Directory Password Synchronization Plugin infinite loop prevention
The latest version of the Active Directory Password Synchronization Plugin supports a new registry key that helps prevent infinite password update loops. Learn more about the registry key, pwdChangeInterval.
Active Directory Password Synchronization Plugin configurable max retries
The latest version of the Active Directory Password Synchronization Plugin supports a new registry key to configure the maximum retry attempts for password changes. Learn more about the registry key, maxFileRetry.
Active Directory Password Synchronization Plugin search filter
The latest version of the Active Directory Password Synchronization Plugin supports a new registry key to configure a search filter to omit users/groups from password syncing. Learn more about the registry key, userSearchFilterStrict.
Support for alternative KBA answer hashing
Previously, KBA answers were always hashed as SHA-256 upon save, which is still the default setting. However, you can now specify an alternative hashing algorithm.
Managed object default values
You can now specify default values for properties in the managed object configuration. For example, the default managed object configuration includes a default value that makes accountStatus:active, which effectively replaces the onCreate script that was previously used to achieve the same result.
| IDM assumes all default values are valid for the schema. Although IDM skips policy validation for objects with default values, you can force validation on property values |
Support for REST queries on array properties (JDBC)
You can now perform REST queries on properly configured array fields. Learn more:
waitForCompletion property added to the config endpoint
The optional waitForCompletion parameter is now available to the config endpoint for create, update, and patch requests. Learn more:
IDM 7.0.4
This release includes updates to ICF connectors, updates to dependency libraries, and bug fixes.
IDM 7.0.2
- You can now validate field removal using the policy action validateProperty.
- The Flowable embedded workflow engine has been upgraded to version 6.6.0. This upgrade fixes the issue with native email tasks previously mentioned in the Workflow Guide.
IDM 7
Password sync plugins
Active Directory Password Synchronization Plugin UTC timestamps
The latest version of the Active Directory password synchronization plugin uses UTC timestamps for logs.
Active Directory Password Synchronization Plugin infinite loop prevention
The latest version of the Active Directory Password Synchronization Plugin supports a new registry key that helps prevent infinite password update loops. Learn more about the registry key, pwdChangeInterval.
Active Directory Password Synchronization Plugin configurable max retries
The latest version of the Active Directory Password Synchronization Plugin supports a new registry key to configure the maximum retry attempts for password changes. Learn more about the registry key, maxFileRetry.
Active Directory Password Synchronization Plugin search filter
The latest version of the Active Directory Password Synchronization Plugin supports a new registry key to configure a search filter to omit users/groups from password syncing. Learn more about the registry key, userSearchFilterStrict.
Access configuration over REST
You can now configure access rules over REST, at the openidm/config/access endpoint. In previous releases, access rules were configured in the access.js file. This script file has been replaced by an access.json configuration file, that performs the same function. Learn more in Authorization and roles.
Privilege dynamic filters
You can now create privilege dynamic filters for delegated administrators.
Configurable HTTP I/O request buffer
You can now configure the temporary storage file size for HTTP I/O requests.
Filter expanded relationships
You can use _queryFilter to directly filter expanded relationships from a collection, such as authzRoles. Learn more in Filter expanded relationships.
Deterministic ECDSA signatures for JWT
By default, JWTs are now signed with deterministic Elliptic Curve Digital Signature Algorithm (ECDSA). In order to use this more secure signing method, Bouncy Castle, which is included in the default IDM installation, must be installed. If Bouncy Castle is unavailable or the key is incompatible, IDM falls back to normal ECDSA.
| If you need to turn off the use of deterministic ECDSA, add the following line to |
Debugging information for Groovy scripts
In previous releases, setting javascript.exception.debug.info=true in the boot.properties file enabled additional debug information, including line numbers and file names for JavaScript exceptions. In this release, setting groovy.exception.debug.info=true lets you gather comparable debug information for Groovy scripts.
REST API Versioning
IDM now supports the ability to specify the REST API version in HTTP calls and scripts. For more information, see REST API Versioning.
The following APIs have been updated in this release:
- openidm/scheduler: Version 2 of this endpoint adds a previousRunDate property to the output of REST calls on specific scheduled tasks. Version 2 also lets you trigger a scheduled task manually and pause and resume a scheduled task. The action parameter on the scheduler endpoint was deprecated in Version 1 of the endpoint and is not supported in Version 2.
Support for AM bearer tokens
IDM now supports using AM bearer tokens for authentication, with the rsFilter authentication module. Going forward, this is the only supported method for integrating AM and IDM. Learn more in Authenticate through AM.
Notification property now configurable
Notifications of changes to managed objects are injected into a property in that object type. Previously, the name of this property was always _notifications. In this IDM release, you can customize the name of the notifications property. Learn more in Configure notifications.
Reconciliation Association Information
The new recon/assoc endpoint can be used to gather detailed information about the associations created between a source and a target object during a reconciliation. This endpoint requires the following tables and views to be added to your repository: reconassoc, reconassocentry, and reconassocentryview. Learn more about reconciliation association details.
For instructions on updating your existing repositories to enable this feature, refer to Upgrade an Existing Repository in the IDM 7.0 documentation.
Profile completeness endpoint
A new endpoint has been added to self-service, which lets you get a percentage value regarding the completeness of a specified user’s profile.
Audit logging safelist
By default, IDM now safelists fields that are safe to log. Learn more in Use policies to filter audit data.
in clause for queries
The in expression clause provides limited support for queries on singleton string properties.
Disposal of idle poolable connector instances (ICF)
In version 1.5.20.11 of the ICF framework, the framework disposes of idle connector instances in the connection pool (for poolable connectors such as the LDAP connector and the Database Table connector).
A connection pool cleaner thread now runs every minute and removes connections whose lastUsed time is larger than the minEvictableIdleTimeMillis.
This behavior is an improvement on previous releases, where a connection that had been used and then returned to the connection pool remained there until the next connector operation. The previous behavior could leave several connections in the pool that were idle but still connected to the target resource.
Separate mapping configuration files
This release lets you configure mappings in separate mapping files, instead of, or in addition to one sync.json file. You cannot manage separate mapping configurations through the Admin UI. Learn more in Resource mapping.
Queued sync retry
This release provides the ability to configure an infinite number of queued synchronization retries. Learn more in Configure queued synchronization.
Material Design Icon added to managed object configuration
mat-icon has been added to the schema property of the managed object configuration.
Archive
For documentation and release information prior to IDM 7.0, check out the Documentation Archive.
Security advisories
Ping Identity issues security advisories in collaboration with our customers to address any security vulnerabilities transparently and rapidly.
Ping Identity’s security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.
Learn how to find security advisories in the Ping Identity support portal (requires sign-on).