PingOne Advanced Identity Cloud

Rapid channel changelog archive

2024

30 Apr 2024

Versions 13300.0, 13310.0, 13313.0

No customer-facing issues released.[1]

29 Apr 2024

Versions 13293.0, 13294.0

No customer-facing issues released.[1]

26 Apr 2024

Versions 13291.0, 13289.0

No customer-facing issues released.[1]

25 Apr 2024

Version 13283.0

No customer-facing issues released.[1]

24 Apr 2024

Version 13281.0

Fixes

  • TNTP-166:

    • Add configuration options to P1 Verify Authentication nodes.

    • Verify code not visible when using QR option.

    • Set claim mapping only in shared state in P1 Proofing node.

23 Apr 2024

Versions 13277.0, 13265.0

No customer-facing issues released.[1]

22 Apr 2024

Version 13239.0

Fixes

  • FRAAS-19593: The promotion API incorrectly reports as ready, resulting in a blocking promotion failure when trying to promote. (FORGEROCK-1319)

18 Apr 2024

Version 13237.0

Fixes

  • OPENIDM-19879: Identity Management reconciliation service processes additional source query pages whenever a query returns a pagedResultsCookie.

  • OPENIDM-19924: Unnecessary quotes not being removed from email addresses.

17 Apr 2024

Version 13218.0

Key features

Event-based certification[2] (IAM-5148)

Identity Governance now allows tenant administrators to configure certifications that are triggered by specific governance events, a process referred to as event-based certification. This method offers faster certification resolution compared to scheduled (and often lengthy) campaigns spanning weeks or months and involving numerous applications, intricate rules, and hundreds of reviewers.

The event-based certifications feature kicks off an identity certification for the following events:

  • User create. Advanced Identity Cloud detects when a user account has been created.

  • User modify. Advanced Identity Cloud detects when an existing user account has been modified or updated.

  • Attribute change. Advanced Identity Cloud detects changes in the attributes of an existing user account.

  • User delete/deactivate. Advanced Identity Cloud detects if a user account has been deleted or deactivated.

For more information, refer to Certify access by event.

Grant entitlements to users and roles[2] (IAM-5146)

Identity Governance now allows tenant administrators to carry out more fine-grained entitlement grants for their user accounts. Tenant administrators can now:

  • Create a role and grant entitlements to the role.

  • Revoke entitlements in a role.

  • Grant entitlements to a user account.

  • Revoke entitlements from a user account.

For more information, refer to Manage entitlements.

Identity Assertion node (AME-26821)

The new Identity Assertion node provides a secure communication channel for authentication journeys to communicate directly with PingGateway.

PingOne application template (IAM-5232)

The PingOne application lets you manage and synchronize data between PingOne and Advanced Identity Cloud.

Authenticate gateway and agent profiles with a shared secret (IAM-5833)

The Advanced Identity Cloud admin UI for gateways and agents now lets you authenticate with a shared secret instead of a password. Use this option to set the label of the shared secret.

Authenticate OAuth 2.0 applications with a shared secret (IAM-6028)

The Advanced Identity Cloud admin UI for OAuth 2.0 applications now lets you authenticate with a shared secret instead of a password. Use this option to set the label of the shared secret.

Enhancements

  • OPENAM-21031: The performance of Google KMS has been improved by the introduction of caching.

  • AME-27126: A SAML SP can now authenticate to IDPs using mutual TLS (mTLS) when making an artifact resolution request.

  • IAM-3199: HTML styling in the Message node journey editor allows you to left justify text.

Fixes

  • FRAAS-19334: Failure to look up service account names following changes applied through the ESV API.

  • IAM-5079[2]: End-user roles page sometimes shows role grants as conditional even when the grants are direct.

  • IAM-5363[2]: Show the total number of approvals and access reviews in the inbox.

  • IAM-5858[2]: Missing support for access request global configuration options.

  • IAM-6138[2]: The governance events filter builder incorrectly validates before and after properties in the user created state.

  • IAM-6176[2]: The end-user access request rejection is missing a justification message.

  • IAM-6203[2]: The governance events filter doesn’t use after temporal values for user created flows.

  • IAM-6209: The Advanced Identity Cloud admin UI navigation panel text appears when the panel is collapsed.

  • OPENAM-21473: If you set the collection method of a Certificate Collector node to REQUEST, HEADER, or EITHER, and the certificate is not provided in the request or in the header, the node now returns a status of Not collected.

    This node is currently not supported in PingOne Advanced Identity Cloud.

  • SDKS-2935: The Device Binding node now gracefully handles the case of a user being set to inactive.

12 Apr 2024

Version 13162.0

Fixes

  • FRAAS-19596: Configuration promotion report should include changes to realm authentication settings.

11 Apr 2024

Version 13149.0

Enhancements

  • AME-26085: SAML v2.0 NameID mapping can be configured per SP

  • AME-27133: "Secret ID" has been renamed to "Secret Label" for secret mappings

  • The following services now support configuration using the Secrets API:

    • AME-16536: The OAuth 2.0 provider hash salt secret

    • AME-25885: The persistent cookie core authentication attribute

    • AME-26110: The client-side session signing key

    • AME-26134: The social provider service

    • AME-26441: The new CAPTCHA node (replaces the legacy CAPTCHA node)

    • AME-26442: The OIDC Token Validator node now lets you store the client secret in any type of secret store

    • AME-26633: The OAuth 2.0 client clientJwtPublicKey

    • AME-26637: The OAuth 2.0 client idTokenPublicEncryptionKey

    • AME-26639: OAuth 2.0 client mTLS self-signed certificates

    • AME-26668: The post authentication process (PAP) replay password

    • AME-26670: The web agents replay password key

    • AME-26998: The OAuth 2.0 client secret

  • The following services now support rotation of secrets using secret versions:

    • AME-25988: The persistent cookie encryption secret

    • AME-26999: OAuth 2.0 client secrets

    • AME-27000: OAuth 2.0 client clientJwtPublicKey

    • AME-27001: OAuth 2.0 client mTLS self-signed certificates

09 Apr 2024

Version 13122.0

Key features

PingOne Verify service (TNTP-118)

The PingOne Verify service lets you configure and use PingOne Verify nodes (PingOne Verify Authentication node and PingOne Verify Proofing node) in your authentication journeys.

For more information, refer to PingOne Verify service.

08 Apr 2024

Version 12666.0

No customer-facing issues released.[1]

04 Apr 2024

Version 12589.0

No customer-facing issues released.[1]

02 Apr 2024

Version 13009.0

Enhancements

  • FRAAS-19566: Add _sortKeys query parameter to ESV API

01 Apr 2024

Version 12988.0

No customer-facing issues released.[1]

29 Mar 2024

Versions 12974.0, 12960.0, 12957.0

No customer-facing issues released.[1]

28 Mar 2024

Version 12957.0

No customer-facing issues released.[1]

27 Mar 2024

Versions 12957.0, 12934.0

No customer-facing issues released.[1]

26 Mar 2024

Version 12899.0

Key features

Social Provider Handler node[3] (OPENAM-20924)

The new Social Provider Handler node adds an outcome to better handle interruptions in a social authentication journey after requesting profile information.

Event-based certification[2] (IGA-2357)

Identity Governance now allows tenant administrators to configure certifications that are triggered by specific governance events, a process referred to as event-based certification. This method offers faster certification resolution compared to scheduled (and often lengthy) campaigns spanning weeks or months and involving numerous applications, intricate rules, and hundreds of reviewers.

The event-based certifications feature kicks off an identity certification for the following events:

  • User create. Advanced Identity Cloud detects when a user account has been created.

  • User modify. Advanced Identity Cloud detects when an existing user account has been modified or updated.

  • Attribute change. Advanced Identity Cloud detects changes in the attributes of an existing user account.

  • User delete/deactivate. Advanced Identity Cloud detects if a user account has been deleted or deactivated.

For more information, refer to Certify access by event.

Grant entitlements to users and roles[2] (IAM-5146)

Identity Governance now allows tenant administrators to carry out more fine-grained entitlement grants for their user accounts. Tenant administrators can now:

  • Create a role and grant entitlements to the role.

  • Revoke entitlements in a role.

  • Grant entitlements to a user account.

  • Revoke entitlements from a user account.

For more information, refer to Manage entitlements.

Enhancements

  • AME-26130[3]: Updated the PUSH Notification service to store access keys as a secret

  • AME-25906[3]: Updated Identity Gateway agents to store credentials as a secret

  • IAM-4585: Request and approvals page now shows the current and past approvers, their decisions, and the dates

  • IAM-4968: Expose additional top-level parameters in the advanced section of mapping pages

  • IAM-5769: Add grouping logic to journey node items

  • IAM-5674: Target application can use ONBOARD action for FOUND situation

  • IAM-5814: Allow fixed application usernames to be chosen for custom SAML apps

  • OPENAM-21575[3]: Added org.forgerock.json.jose.jwe.JweHeader to the allowlist for Scripted Decision nodes

Fixes

  • AME-25915[3]: Assertion consumer processing fails if NameID format not present in the assertion response

  • IAM-3927[2]: Identity Governance now enforces mandatory comments (if configured) for revoke and allow exceptions

  • IAM-4309: Access reviews no longer display the internal lastSync user attribute

  • IAM-4762: Authoritative apps are now requestable

  • IAM-4986: Platform UI can now determine whether to use a pagedResultsCookie or offset for paging results

  • IAM-5076: "Abstain from action" option no longer displays when a campaign has expired

  • IAM-5362: Marking a property as an authoritative app entitlement no longer causes target app config to be generated

  • IAM-5413: Account deprovisioning now works in AD/LDAP after deleting a user identity

  • IAM-5794: Border color of sign-in input fields in hosted pages can now be overridden in themes

  • IAM-5875: Journey editor no longer orphans deleted nodes

25 Mar 2024

Versions 12899.0, 12894.0

No customer-facing issues released.[1]

22 Mar 2024

Version 12878.0

Enhancements

  • FRAAS-19414: You can now configure custom domains directly in all environments without needing to create ESVs or promote configurations. Existing custom domains will be migrated automatically.

21 Mar 2024

Versions 12899.0, 12863.0, 12855.0

Key features

Additional cloud connectors

The following connectors are now bundled with Advanced Identity Cloud:

  • Dropbox connector (OPENIDM-19838)

  • PingOne connector (OPENIDM-19736)

  • Webex connector (OPENIDM-19920)

For more information, refer to the ICF documentation.

Enhancements

  • OPENIDM-19921: The following connectors included with Advanced Identity Cloud were upgraded to 1.5.20.21:

    • Google Apps connector

    • Microsoft Graph API connector

    • AWS connector

    For details, refer to 1.5.20.21 Connector changes.

19 Mar 2024

Versions 12820.0, 12815.0

No customer-facing issues released.[1]

18 Mar 2024

Versions 12873.0, 12784.0

Enhancements

  • FRAAS-19341: ESV support for AES keys through the base64aes encoding type

    For more information, refer to Encoding format.
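The base64aes encoding type means the stored value must be the base64 encoding of a raw AES key, so the thing to get right before calling the API is the key material itself. The following is an added illustration, not Ping's code: it generates a random AES key, checks that a candidate value decodes to a length AES can actually use (16, 24 or 32 bytes), and assembles the request that creates the secret and a later version for rotation. The endpoint paths (/environment/secrets/{id} and .../versions?_action=create), the JSON fields encoding, useInPlaceholders, description and valueBase64, and the Accept-API-Version header are assumptions about the ESV REST API and are not stated on this page; check them against the API reference before use.

```python
"""Prepare an ESV secret of encoding type base64aes.

Added example, not Ping Identity's code. The endpoint paths, JSON field names
and the Accept-API-Version header below are ASSUMPTIONS about the ESV REST
API; only the AES key-size rule (16, 24 or 32 bytes) is a hard fact.
"""
import base64
import secrets

VALID_AES_KEY_LENGTHS = {16, 24, 32}  # AES-128, AES-192, AES-256, in bytes
ACCEPT_API_VERSION = "resource=2.0, protocol=1.0"  # assumed header value


def generate_aes_key_b64(bits: int = 256) -> str:
    """Return a fresh random AES key, base64-encoded as base64aes expects."""
    if bits not in (128, 192, 256):
        raise ValueError("AES key size must be 128, 192 or 256 bits")
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode("ascii")


def check_base64aes(value: str) -> int:
    """Validate a candidate base64aes value and return the key length in bytes.

    Rejects anything that is not strict base64 or that decodes to a length
    AES cannot use; better to fail here than after the value has been stored
    and a placeholder such as &{esv.my.key} tries to use it as a key.
    """
    try:
        raw = base64.b64decode(value, validate=True)  # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if len(raw) not in VALID_AES_KEY_LENGTHS:
        raise ValueError(f"decoded length {len(raw)} is not an AES key size")
    return len(raw)


def is_valid_base64aes(value: str) -> bool:
    """Boolean form of check_base64aes for callers that do not want exceptions."""
    try:
        check_base64aes(value)
        return True
    except ValueError:
        return False


def _headers() -> dict:
    # Bearer token placeholder: obtain a real token via a tenant service account.
    return {
        "Content-Type": "application/json",
        "Accept-API-Version": ACCEPT_API_VERSION,
        "Authorization": "Bearer <access-token>",
    }


def build_create_request(secret_id: str, key_b64: str, description: str) -> dict:
    """Assemble the PUT that creates the secret with its first version (assumed shape)."""
    check_base64aes(key_b64)
    if not secret_id.startswith("esv-"):
        raise ValueError("ESV secret IDs must start with 'esv-'")
    return {
        "method": "PUT",
        "path": f"/environment/secrets/{secret_id}",
        "headers": _headers(),
        "body": {
            "encoding": "base64aes",
            "useInPlaceholders": True,
            "description": description,
            "valueBase64": key_b64,
        },
    }


def build_rotate_request(secret_id: str, new_key_b64: str) -> dict:
    """Assemble the POST that adds a new version for key rotation (assumed shape).

    Versions are how ESV secrets rotate; the old version stays until you
    remove it, and the latest version itself cannot be deleted.
    """
    check_base64aes(new_key_b64)
    return {
        "method": "POST",
        "path": f"/environment/secrets/{secret_id}/versions?_action=create",
        "headers": _headers(),
        "body": {"valueBase64": new_key_b64},
    }


if __name__ == "__main__":
    key = generate_aes_key_b64(256)
    print(build_create_request("esv-my-aes-key", key, "AES key for journey scripts"))
    print(build_rotate_request("esv-my-aes-key", generate_aes_key_b64(256)))
```

The validator is the part worth keeping even if the request shape differs in your tenant: a value that decodes to, say, 10 bytes will be accepted as base64 by anything that only checks the alphabet, and the failure then surfaces later inside whatever script or node dereferences the placeholder.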

15 Mar 2024

Version 12754.0

Key features

PingOne Service (TNTP-148)

The PingOne Service lets you set up the PingOne service in your Advanced Identity Cloud tenant so you can add Ping Identity nodes to your authentication journeys.

For more information, refer to PingOne Service.

PingOne nodes (TNTP-119)

PingOne node

The PingOne node establishes trust between PingOne and Advanced Identity Cloud by leveraging a federated connection. For more information, refer to PingOne node.

PingOne DaVinci API node

The PingOne DaVinci API node lets an Advanced Identity Cloud journey trigger a PingOne DaVinci flow through the API integration method. For more information, refer to PingOne DaVinci API node.

PingOne Protect nodes (TNTP-127)

Ping Identity’s PingOne Protect is a centralized identity threat protection service, for securing your digital assets against online fraud attempts.

For more information, refer to PingOne Protect > How it Works.

14 Mar 2024

Version 12736.0

No customer-facing issues released.[1]

13 Mar 2024

Version 12714.0

Key features

HTTP Client node (TNTP-136)

The HTTP Client node lets you make HTTP(S) requests to APIs and services external to Advanced Identity Cloud from within a journey.

Use the HTTP Client node to simplify the integration with a broad range of external services by making direct HTTP(S) requests.

For more information, refer to HTTP Client node.

Enhancements

  • IAM-5602: Add functionality for viewing and deleting user’s trusted devices in Advanced Identity Cloud admin UI

08 Mar 2024

Version 12666.0

No customer-facing issues released.[1]

04 Mar 2024

Version 12589.0

No customer-facing issues released.[1]

02 Mar 2024

Version 12580.0

Enhancements

  • The following services now support setting secrets using the secrets API rather than setting secrets in the service configuration:

    • AME-25709: AuthId signing key

    • AME-25907: Java agents

    • AME-25908: Web agents

    • AME-26014: Rotatable secrets for agents

    • AME-26301: SAML remote entities

    • AME-26241: OATH, Push, Web AuthN devices and the device binding, device ID, and Device profile services

  • The following nodes now support setting their secrets using the secrets API rather than setting secrets in the node configuration:

    • AME-26117: OTP SMS Sender and OTP SMTP Sender nodes

    • AME-16535: Set Persistent Cookie node

  • AME-26041: Enhanced handling of agents secret mappings – if you update or delete a secret label identifier, any corresponding secret mapping for the previous identifier is updated or deleted, provided no other agent shares that secret mapping

  • AME-25434: New Request Header node lets you inject values into shared state based on request header values

  • AME-26039: Added LDAP Affinity Level configuration option to the LDAP Decision node, to enable affinity-based load balancing for BIND requests

  • OPENAM-21768: Added org.forgerock.opendj.ldap.Rdn and org.forgerock.opendj.ldap.Dn classes to the allowlist for all script contexts

Fixes

  • AME-24760: Inner nodes of a PageNode don’t independently audit node-login-complete events

  • AME-26158: Exception thrown when generating a Signed JWT with no encryption within a next-gen script called by a Scripted Journey node

  • OPENAM-17315: Scripts that previously called 'response.getEntity()' should now call 'response.getEntity().getString()' instead

  • OPENAM-21856: Introspecting stateless token with IG/Web agents causes OAuth2ChfException

01 Mar 2024

Version 12560.0

No customer-facing issues released.[1]

29 Feb 2024

Version 12560.0

Enhancements

  • IAM-4257: Azure AD app template updates

  • IAM-4342: MSGraphAPI connector includes a new optional licenseCacheExpiryTime configuration property

  • IAM-4892: Salesforce app template updates

  • IAM-4900: UI has been updated to show the Advanced Identity Cloud build number

  • IAM-5033: Added new "Remember my username" checkbox to authentication trees

  • IAM-5287: Updated username, password, and KBA heading size on the profile page to improve accessibility

  • IAM-5334: Expose "Guarded String" as an object type property for Scripted Groovy, ScriptedREST, ScriptedSQL, CSV, Database table, and SCIM connectors

  • IAM-5459: KBA answer field now contains question context

  • IAM-5461: Custom errors sent as TextOutputCallback.ERROR are now rendered as primary login errors, improving screen reader accessibility feature

  • IAM-5503: Rename Orchestrations to Workflows

  • IAM-5563: Google Apps app template updates

  • IAM-5603: Create device details modal for managed user identities

  • IAM-5606: Add "POWERED BY" metadata to marketplace nodes

  • IAM-5748: Make "PingOne" a special case on the federation providers page

Fixes

  • IAM-5598: Styled terms and conditions included in a journey causes authenticate calls to fail

  • IAM-5611: Can’t revoke custom apps from roles or edit them from the role view

  • IAM-5641: Custom endpoints search returns endpoints created by other areas of the UI

  • IAM-5692: Console errors when opening the Add user modal for Bravo realm

  • IAM-5767: SAML SSO is not used when an application is saved from another tab after SSO setup

  • IAM-5873: Hosted page may fail to match user locale

28 Feb 2024

Version 12547.0

Enhancements

15 Feb 2024

Fixes

  • FRAAS-18455: Prevent the latest version of a secret from being deleted

12 Feb 2024

Enhancements

  • FRAAS-18788: Add AWS, GCP, and SAP S/4HANA connectors to Advanced Identity Cloud

07 Feb 2024

Fixes

  • FRAAS-18693: Validation bug prevents use of the base64encodedinlined and keyvaluelist ESV expression types

06 Feb 2024

Fixes

  • FRAAS-18414: Changes to an out-of-the-box journey can be incorrectly reported against both realms

25 Jan 2024

Fixes

  • FRAAS-18526: Script library functionality can’t be used in the UI in certain environments

24 Jan 2024

Enhancements

  • OPENIDM-17878[4]: Allow access to operational attributes in the Advanced Identity Cloud data store

  • OPENIDM-18645[4]: Add ESV support to oauthProxy script

Fixes

  • OPENIDM-18743[4]: Attempts to use connectors fail with null pointer exceptions when operationOptions is defined in the provisioner configuration

23 Jan 2024

Key features

iProov Authentication node (TNTP-131)

The iProov authentication node integrates Advanced Identity Cloud authentication journeys with the Genuine Presence Assurance and Liveness Assurance products from iProov.

22 Jan 2024 (supplementary)

Key features

Fingerprint Profiler and Fingerprint Response nodes (TNTP-130)

The Fingerprint nodes let you integrate your Advanced Identity Cloud environment with the Fingerprint platform to help reduce fraud and improve customer experience.

Enhancements

  • AME-25906: Add the ability to configure the password for authenticating to an Identity Gateway agent as an ESV secret

  • AME-26130: Add the ability to configure the SNS access key secret for the push notification service to use an ESV secret

  • OPENAM-21575: Add org.forgerock.json.jose.jwe.JweHeader to the class allowlist for Scripted Decision node

Fixes

  • AME-25915: SAML flow fails if a NameIDFormat element is not present in an assertion response

  • FRAAS-18464: Sandbox debug logging level set to WARN instead of DEBUG

  • IAM-5656: Fix alignment of text, buttons, and links in Message nodes

  • IAM-5660: Hosted pages not displaying list of themes

  • OPENAM-20924: Social Provider Handler node does not let end user switch to a different IdP

22 Jan 2024

Enhancements

Fixes

  • FRAAS-18271: Added the org.forgerock.opendj.ldap.Dn and org.forgerock.opendj.ldap.Rdn classes to all script contexts

19 Jan 2024

Key features

RSA SecurID node (FRAAS-18037)

The RSA SecurID node lets you use the RSA Cloud Authentication Service (RSA ID Plus) or RSA Authentication Manager from within an authentication journey on your Advanced Identity Cloud environment.

Advanced Identity Cloud use case catalog

Introducing the release of the Advanced Identity Cloud use case catalog, a collection of guides that focus on tenant administrator use cases and third-party integrations.

18 Jan 2024

Key features

Create and manage custom relationship properties (OPENIDM-19106, OPENIDM-19109)

You can now create and manage custom relationship properties using the Advanced Identity Cloud admin UI.

Schema API improvements (OPENIDM-19107)

You can now directly modify managed object schemas over REST using the schema API. This capability includes configuring custom relationship properties.

Password timestamps (OPENIDM-19262)

Enabling this new feature lets you view or query when a user password was last changed and when it is set to expire.

Enhancements

  • OPENIDM-19674: The relationship-defined virtual property (RDVP) schema editor allows you to edit the flattenProperties property. The managed object schema editor allows you to edit the notifyRelationships property.

Fixes

  • OPENIDM-18957: The scheduler now attempts to release any triggers it attempted to acquire during a timeout due to an unresponsive repository

  • OPENIDM-19141: Workflow engine queries now properly honor tablePrefix and tablePrefixIsSchema configuration options

  • OPENIDM-19279: Resource collection is required to create a relationship

  • OPENIDM-19565: The default apiVersion configuration has been updated with additional resource paths

17 Jan 2024

Fixes

  • FRAAS-18398: Allow the HTTP OPTIONS method on calls to /openidm/config/* endpoints for CORS preflight checks

09 Jan 2024

Fixes

  • OPENAM-21856: Introspecting stateless token with IG/Web agents will cause OAuth2ChfException

2023

19 Dec 2023

Key features

Schedule jobs directly in the Advanced Identity Cloud admin UI (IAM-3489)

You can now schedule the following jobs directly in the Advanced Identity Cloud admin UI without using the IDM admin UI (native console):

  • Scripts: Execute a script at a regular interval.

  • Task scanner: Execute a scan of identities using a complex query filter at a regular interval. The scan can then execute a script on the identities returned by the query filter.

New Identity Governance capabilities[2] (IAM-4617, IGA-1664)

The Workflow UI lets you define custom workflow definitions for all access request types.

Role membership certification, a new certification type for access reviews, lets you review and certify roles and the users who have access to roles. Primary reviewers are role owners, a single user, or users assigned to a role.

Enhancements

  • FRAAS-7382: Add ability to include JavaScript snippets in login and end-user UIs

  • IAM-4514[2]: Allow reviewers to add user, entitlement, and role columns to an access review

  • IAM-4739: Add read schema option to SCIM application template to discover custom schemas/attributes

  • IAM-5201: Focus on first input field or button automatically upon page load

  • IAM-5268: Add source-missing situation rule to authoritative applications

Fixes

  • FRAAS-16659: ESV mapping updates aren’t captured in promotions report

  • IAM-4810: Custom endpoint UI missing context option

  • IAM-5072: Inbound mapping tab shows in target applications

  • IAM-5171: Azure Active Directory application template doesn’t return a user’s role membership

  • IAM-5187: LDAP v2.1 application template doesn’t clear dc=example,dc=com base DN

  • IAM-5238: LDAP application template is missing the group object classes property

  • IAM-5422[2]: Entitlement owner doesn’t show in the entitlement list

15 Dec 2023

Fixes

  • TNTP-125: Gateway Communication node returns claim values wrapped in double quotes

12 Dec 2023

Enhancements

  • AME-22326[5]: The httpClient available in scripts now automatically adds the current transactionId as an HTTP header when making requests to other ForgeRock products and services. This lets you correlate caller and receiver logs.

  • AME-25392[5]: Add org.forgerock.openam.scripting.api.PrefixedScriptPropertyResolver, used for accessing ESVs from scripts, to the allowlist for SAML2_SP_ADAPTER and SAML2_IDP_ADAPTER script types

  • AME-25433[5]: Add com.sun.crypto.provider.PBKDF2KeyImpl, javax.crypto.SecretKeyFactory, and javax.crypto.spec.PBEKeySpec to the allowlists for Scripted Decision nodes and Configuration Provider nodes

  • AME-25608[5]: Add auditing for opening and closing connections for the LDAP decision node, ID Repo service, and Policy Configuration service

  • AME-25630[5]: Add java.security.spec.InvalidKeySpecException to the allowlist for the Scripted Decision and Configuration Provider nodes

  • OPENAM-16897[5]: The OAuth 2.0 Device grant flow can now return either JSON or HTML

Fixes

  • COMMONS-1397[5]: Audit event log entries not logged due to thread contention

  • FRAAS-17686[6]: Add org.forgerock.json.jose.jwe.JweHeader to the allowlists for the AUTHENTICATION_TREE_DECISION_NODE and CONFIG_PROVIDER_NODE script types

  • IAM-4401[5]: Disabling Clear-Site-Data header breaks realm login

  • OPENAM-17331[5]: Disabled SNS endpoints can now be re-enabled

  • OPENAM-17816[5]: OAuth 2.0 requests without a Content-Type header fail with a 500 error

  • OPENAM-19282[5]: Recovery Code Display node only works immediately after a registration node

  • OPENAM-19889[5]: Policy evaluation fails when subject is agent access token JWT

  • OPENAM-20026[5]: Social IDP with trailing whitespace in the name can’t be deleted using the UI

  • OPENAM-20329[5]: Issuer missing from OAuth 2.0 JARM response

  • OPENAM-21053[5]: Missing userId from access audit log when org.forgerock.security.oauth2.enforce.sub.claim.uniqueness=false in JWT client authentication flow

  • OPENAM-21421[5]: Scripting logger name isn’t based on logging hierarchy convention

  • OPENAM-21476[5]: Persistent cookie is not created when using Configuration Provider node

  • OPENAM-21484[5]: Introspection of a stateful refresh token for claims field for known OAuth2 fields is now a string and not nested in a list

11 Dec 2023

Fixes

  • FRAAS-18108: Add warning to the Set up 2-step verification screen to indicate that 2-step verification will be enforced as of March 1, 2024

30 Nov 2023

Fixes

  • IAM-5275[5]: Advanced Identity Cloud admin UI doesn’t add query parameters to the logout URL

Notices

ForgeRock deprecated the option to let Advanced Identity Cloud tenant administrators skip 2-step verification on Friday, February 3, 2023.

The end-of-life date for this deprecation is Friday, March 1, 2024, when the skip option functionality will be removed from Advanced Identity Cloud. You have until this date to update your tenants to make 2-step verification mandatory for all tenant administrators. For more information, refer to Tenant administrator mandatory 2-step verification FAQ.

28 Nov 2023

Key features

Duo Universal Prompt node (FRAAS-15675)

The Duo Universal Prompt node lets you provide two-factor authentication using Duo’s Universal Prompt authentication interface. You can integrate Universal Prompt with your web applications using the Duo Web v4 SDK.

For details, refer to Duo Universal Prompt node.

27 Nov 2023

Enhancements

  • FRAAS-17939[7]: Some connectors included with Advanced Identity Cloud were upgraded to the following versions:

    1.5.20.19 (for details, refer to 1.5.20.19 Connector changes):

    • Microsoft Graph API connector

    • SCIM connector

    1.5.20.18 (for details, refer to 1.5.20.18 Connector changes):

    • Google Apps connector

    • Microsoft Graph API connector

    • Salesforce connector

    • SCIM connector

    • Workday connector

  • OPENIDM-19037: Update property value substitution to reflect boolean value in the UI

Fixes

  • IAM-5289: Fix warning message when maxidletime is greater than 24.8 days

  • OPENIDM-19328: Fix queued sync to recover following node restart

17 Nov 2023

Enhancements

  • IAM-4511: Hide fields in the Users & Roles tab when editing and creating unreadable properties

  • IAM-4615: Add a "Skip to main content" link to page headers

Fixes

  • IAM-4991: When a suspendedId is in use, redirect to failureUrl fails

  • IAM-5075: Login messages are read twice by screen readers

  • IAM-5186: User identity related values aren’t saved after removal

13 Nov 2023

Fixes

  • FRAAS-17883: Tenant administrators cannot save edits to their personal information

  • IAM-5226: Tenant administrator security questions should not be shown when editing personal information

  • IAM-5240: No error message displays when a tenant administrator fails to save edits to their personal information

31 Oct 2023

Key features

Next-generation scripting enhancements (AME-25928)

The next-generation scripting engine for journey decision node scripts lets you:

  • Reduce the need to allowlist Java classes with a stable set of enhanced bindings.

  • Simplify scripts with fewer imports and more intuitive return types that require less code.

  • Debug efficiently with clear log messages and a simple logging interface based on SLF4J.

  • Make requests to other APIs from within scripts with a more intuitive HTTP client.

  • Modularize your scripts by reusing common code snippets, including external libraries such as CommonJS, with library scripts.

  • Access identity management information seamlessly through the openidm binding.

The next-generation engine can’t use legacy scripts.

If your Scripted Decision node uses legacy scripts, you must convert them to use updated bindings to take advantage of the benefits of the next-generation scripting engine.

Where possible, you should migrate legacy scripts to take advantage of next-generation stability.

For more information, refer to Next-generation scripts.

Enhancements

  • FRAAS-3841: Activate and deactivate journeys in the Advanced Identity Cloud admin UI. Refer to Deactivate journeys.

  • IAM-4191: Allow tenant session cookie name to be configured. Refer to Session cookie name.

  • IAM-4735: Add support for schema discovery in application templates

  • IAM-4806: Show outbound tenant IP addresses in Advanced Identity Cloud admin UI. Refer to Access global settings.

  • IAM-4853: Add AS400 application template. Refer to the AS400 section in Provision an application.

Fixes

  • FRAAS-16785: Incorrect positioning of reCAPTCHA v2 elements

  • IAM-2936: Journeys hang indefinitely when using a State Metadata node within a Page node

  • IAM-4521: Screen readers announce field labels twice

  • IAM-4956: Advanced Identity Cloud admin UI doesn’t use the current realm when logging out

  • IAM-5113: Unable to remove an NAO assignment from a user in Advanced Identity Cloud admin UI

19 Oct 2023

Key features

Gateway Communication node (FRAAS-17380)

Lets Advanced Identity Cloud authentication journeys communicate directly with PingGateway.

This secure communication channel extends the Advanced Identity Cloud capabilities with PingGateway features, such as validating a Kerberos ticket and performing other certificate handshakes.

For details, refer to Gateway Communication overview.

16 Oct 2023

Key features

New Autonomous Access capabilities (DATASCI-1269)

This change applies to a feature only available in PingOne Autonomous Access.

Autonomous Access User access behavior and tenant access behavior let end users understand their "normal" login behavior for the past six months by graphically displaying key access metrics on a UI. Users can filter the UI to show certain login metrics, like time of day, city, country, day of week, device used for login, operating system, and browser type. Users can also compare an individual user’s login behavior to that of the access attempts for all other users.

Enhancements

  • IAM-4211: Display disaster recovery region in the Advanced Identity Cloud admin UI

  • IAM-4369: Remove AM applications from application list view

  • IAM-5045: Display pop-up warning when an end user is about to be logged out of an Advanced Identity Cloud hosted page

Fixes

  • IAM-4812: Correctly save array ESVs containing newline characters

  • IAM-4863: Display ESV buttons properly when the user gives them focus

  • IAM-4877: Display ESV selection button properly while user is modifying a script associated with a Scripted Decision node

  • IAM-4698: Fix accessibility issues with messages in page nodes

13 Oct 2023

Enhancements

  • FRAAS-17373[8]: The following connectors included with Advanced Identity Cloud were upgraded from 1.5.20.15 to 1.5.20.17:

    • Adobe Marketing Cloud connector

    • Google Apps connector

    • Microsoft Graph API connector

    • Salesforce connector

    • SCIM connector

    Some highlights include:

    • OPENICF-900: SCIM connector: Add support for dynamically generated SCIM schemas

    • OPENICF-2453: SCIM connector: Persist optional refresh token upon successful access token renewal

    For a complete list of enhancements and fixes, refer to Connector changes.

Fixes

  • ANALYTICS-311: The USER-LAST-LOGIN report doesn’t show results if the last journey failed

  • FRAAS-17413: Improve IDM service reliability during upgrades and routine maintenance

  • OPENICF-1723: Salesforce connector: Clarify usage of proxyUri configuration property

  • OPENICF-2297: SCIM connector: Roles attribute should be a list of Strings, not a list of Objects

  • OPENICF-2482: SCIM connector: Dynamic schema doesn’t default to static schema on all exceptions

  • OPENICF-2483: SCIM connector: Creating a user with special attributes fails with dynamically generated schema

  • OPENICF-2484: SCIM connector: PUT with schemas attribute fails for providers that support PATCH

  • OPENICF-2448: SCIM connector: HTTP client fails to handle OAuth 2.0 errors

12 Oct 2023

Key features

OneSpan Get User Authenticator node (FRAAS-17378)

Retrieves the authenticators assigned to a user and helps enable the user’s authentication and security levels.

For details, refer to OneSpan Get User Authenticator node.

OneSpan Identity Verification node (FRAAS-17378)

Sends a request to OneSpan to analyze the image and determine whether the document is genuine or fraudulent.

For details, refer to OneSpan Identity Verification node.

03 Oct 2023

Fixes

  • FRAAS-17283: Tenant status pages not automatically updated during downtime

  • IAM-4235: Passthrough authentication using AD connector fails if set up in UI and user DN includes a space

  • IAM-4903: API calls to IGA endpoints not working with custom domain

  • IAM-4915: User details modal for IGA access review shows manager details as JSON object

  • OPENIDM-19192: Personal information is still editable by end users when User Editable is set to false

25 Sep 2023

Enhancements

  • IAM-4515[9]: Include autocomplete attribute with login form fields

  • IAM-4525[9]: Update profile picture modal with accessibility improvements for screen readers

  • IAM-4576[9]: Increase time on screen for loading spinner so that screen readers can announce it

  • IAM-4616[9]: Include contextual information with the show/hide buttons for improved accessibility

Fixes

  • FRAAS-17278: Health status reports for AM, IDM, and platform-admin services incorrectly reported as available in some situations

  • IAM-4460[9]: Screen readers read show/hide buttons for security questions as show/hide password

  • IAM-4523[9]: Screen readers read avatar alt text when tabbing to action menu

  • IAM-4524[9]: Two buttons with different labels open the same dialog

22 Sep 2023

Fixes

  • FRAAS-17235: Validate ESV values correctly when they are wrapped in white space

20 Sep 2023

Key features

New Identity Governance capabilities[2] (IGA-1691)

Access requests let end users request access to resources and let managers request that access be removed from their delegates. The list of resources an end user can request access to is referred to as the access catalog.

Manage access request workflows is a new feature that lets you optionally define flows to include business logic, decisions, and approvals. For example, decide what happens when an approver rejects an access request for an application. Workflows currently only support access request-related features.

New options in the Advanced Identity Cloud end-user UI let end users submit access requests, submit requests to remove access, and review assigned request items:

  • The My Requests option lets you view and create access requests to resources (applications, roles, entitlements) for yourself or on behalf of others.

  • The My Directory > Direct Reports option lets managers submit access removal requests.

  • The Inbox > Approvals option lists request items (requests an end user submits) for an approver (designated owner) to act on.

Enhancements

  • IAM-3648: ESV placeholders can now be entered from a drop-down list

  • IAM-3651: ESV placeholders can now be entered from key-value input fields

  • IAM-4236: Improve layout of the applications reconciliation tab

  • IAM-4367: Separate the connection status of OAuth 2.0 client applications into a dedicated list

  • IAM-4662: ESV placeholders can now be entered from tag input fields

  • IAM-4717: Added date, datetime, and time fields to the login UI

  • IAM-4789: Grant roles now show temporal constraints

  • OPENAM-20847: Sanitized HTML can now be added into messages for the Email Suspend node

Fixes

  • IAM-4418: Fix accessibility issues with multi-select input fields

  • IAM-4489: Align checkbox color with other form elements

  • IAM-4491: Correctly label sidebar buttons when expanded or collapsed

  • IAM-4492: Make navigation bars in end-user UI accessible for screen readers

  • IAM-4798: The aria-label is now correctly displayed for all component types on sidebar buttons

  • IAM-4843: The user column in the certification task list now shows a user’s full name instead of only the first name

  • IAM-4528: Outbound reconciliation mapping preview shows generated password value

19 Sep 2023

Enhancements

  • OPENAM-21416: Canada Central AWS region (ca-central-1) enabled for the PingAM push notification service

15 Sep 2023

Key features

Query Parameter node (AME-24069)

Allows you to insert query parameter values from a journey URL into configurable node state properties. This lets you customize journeys based on the query parameter values.

For details, refer to Query Parameter node.

Enhancements

  • OPENAM-21073: Request headers are now accessible in OAuth 2.0/OIDC scripts for OIDC_CLAIMS, OAUTH2_ACCESS_TOKEN_MODIFICATION, and OAUTH2_MAY_ACT script contexts using the requestProperties binding

  • OPENAM-21355: Jakarta AWS region (ap-southeast-3) enabled for the PingAM push notification service

Fixes

  • IAM-4639: String/password field button is highlighted in the UI

  • IAM-4829: Eye icon displays over the password field highlight box in the UI

  • OPENAM-18599: Allow customization of the error message that displays to end users when their account is locked or inactive using .withErrorMessage() in a Scripted Decision node

  • OPENAM-18685: Use the OAuth2 Provider service in the AM admin UI to specify if tokens issued should contain the subname claim

  • OPENAM-19261: Errors are incorrectly logged when triggered by introspection of tokens using OAuth 2.0 client credentials grant

  • OPENAM-20451: The WebAuthn Registration node now displays an end user’s userName when registering a device when the identity’s name isn’t human-readable

  • OPENAM-21158: Add support for trusted platform module (TPM) attestation using elliptic curve cryptography (ECC) unique parameter validation starting with Windows 11 version 22H2

  • OPENAM-21304: The request_uris field does not populate when OAuth 2.0 clients register using dynamic client registration

  • OPENAM-21390: Fix caching error to correctly provide data to nodeState when a journey switches server instances

11 Sep 2023

Fixes

  • IAM-4366: Provide browser-specific logic to handle alternative CSS for accessibility

  • IAM-4409: Require at least three characters before running identity searches when there are more than 1000 identities of that type

  • IAM-4478: Only allow certain combinations of properties in a mapping transformation script

  • IAM-4493: Fix the heading hierarchy in the UI

  • IAM-4568: Do not enable the option to change a user association in the UI

  • IAM-4703: Fix display of password fields in some themes

  • IAM-4710: Fix rounded border of password fields in hosted pages

06 Sep 2023

Enhancements

  • OPENAM-21346: Add classes java.util.concurrent.TimeUnit, java.util.concurrent.ExecutionException, and java.util.concurrent.TimeoutException to the scripting allowlist

22 Aug 2023

Key features

Salesforce Community User application template (IAM-4340)

Provision, reconcile, and synchronize Salesforce, Salesforce Portal, and Salesforce Community accounts.

Add preference-based provisioning to Privacy and Consent settings (IAM-4243)

End users in target applications can share their data with other applications. After the end user configures a preference to share data with other applications, data from the target application is synchronized with Advanced Identity Cloud.

For details, refer to End-user data sharing.

18 Aug 2023

Key features

OneSpan Auth VDP User Register node (FRAAS-15426)

Registers users to authenticate using the virtual one-time password (VOTP). For details, refer to OneSpan Auth VDP User Register node.

OneSpan Auth Assign Authenticator node (FRAAS-15426)

Assigns a VIR10 authenticator to the user when a VIR10 authenticator is available in the tenant and the user isn’t already assigned one. For details, refer to OneSpan Auth Assign Authenticator node.

OneSpan Auth Generate VOTP node (FRAAS-15426)

Generates and delivers a virtual one-time password (VOTP) through the delivery method configured in the node if there’s a VIR10 authenticator assigned to the user. For details, refer to OneSpan Auth Generate VOTP node.

14 Aug 2023

Fixes

  • IAM-4533: Journeys do not resume correctly when returning from a social identity provider without a realm identifier

  • IAM-4534: Redirect callbacks for journeys not working correctly

09 Aug 2023

Enhancements

  • AME-25061[10]: Provide additional context information in Marketplace authentication nodes to enable UI improvements

  • OPENAM-20772[10]: Add new option to the CAPTCHA node to let the submit button be disabled until CAPTCHA verification is successful

Fixes

  • OPENAM-18004[10]: Audit logging does not specify transaction IDs correctly for internal requests to certain APIs

  • OPENAM-18709[10]: Calls to the nodeState.get() method in Scripted Decision nodes do not return values in shared state when a variable is stored in both shared state and secure state

  • OPENAM-20230[10]: Calls to classes in the allowlist fail occasionally with access prohibited messages

  • OPENAM-20682[10]: Unable to encrypt id_token error when there are multiple JWKs with the same key ID but different encryption algorithms

  • OPENAM-20691[10]: Session quota reached when oldest session is not destroyed due to race condition

  • OPENAM-20783[10]: Logging is incorrect when the authorization code grant flow is used successfully

  • OPENAM-20920[10]: Null pointer exceptions when a SAML v2.0 binding is null and the SSO endpoint list contains non-SAML v2.0 entries

  • OPENAM-20953[10]: Policy evaluation with a subject type JwtClaim returns HTTP response code 500

  • OPENAM-20980[10]: The OIDC social provider is unable to use an issuer’s comparison check regex

  • OPENAM-21001[10]: Custom scripted SAML v2.0 IDP account mappers are determined incorrectly

  • OPENAM-21004[10]: Invalid session ID error when session management is disabled in an OIDC provider

  • OPENAM-21046[10]: The Create Object and Patch Object nodes do not log exception stack traces when they can’t retrieve the object schema

  • OPENAM-21164[10]: XML string formatted incorrectly when using a custom adapter to get the assertion from a SAML v2.0 response

31 Jul 2023

Enhancements

  • IAM-3502: Add the ability to set and reset a sync token for identity management account object type. For details, refer to Reset the last reconciliation job.

  • IAM-3678: Update error messages and labels in login and signup pages

  • IAM-3962: Improve design of push number challenge page for Push Wait node

  • IAM-4248: Add three additional non-account objects to ServiceNow page

  • IAM-4326: Improve onLink script to handle mapped properties of type array and object

  • IAM-4334: Update SuccessFactors application templates to support Advanced Identity Cloud built-in SuccessFactors connector

Fixes

  • IAM-3877: UI loader spins indefinitely when realm is deactivated

  • IAM-4093: Replace Google Fonts in the login UI to meet GDPR compliance requirements

  • IAM-4176: Advanced setting query filter does not show all available properties

  • IAM-4240: Accessibility issues in Page node when NVDA readers are used

  • IAM-4261: Accessing end-user UI with query parameter "code" displays empty page

  • IAM-4371: Unable to create applications due to userpassword property set

  • IAM-4384: Platform UI does not resume journeys with custom redirect logic

  • IAM-4427: Platform UI does not show assignments for tenants running deprecated application management

  • IAM-4475: Platform UI does not load after tenant administrator signs into an upper tenant during promotion

25 Jul 2023

Fixes

  • FRAAS-16471: ESV variables and secrets API endpoints slow for large result sets

17 Jul 2023

Fixes

  • OPENIDM-18292[11]: Add support for the _fields request parameter to the sync getTargetPreview endpoint

  • OPENIDM-18898[11]: Add support for the _countOnly parameter in identity management scripts

  • OPENIDM-18980[11]: Add a new metric to measure the duration of a LiveSync event

  • OPENIDM-19098[11]: Enable ES6 support for identity management scripts

13 Jul 2023

Fixes

  • FRAAS-16271: ESV secrets could be incorrectly marked as "not loaded" when tenant has many ESVs

26 Jun 2023

Fixes

  • IAM-4289: Unable to assign non-account object properties to roles

  • IAM-4293: Access reviews and line items not shown for staged campaigns

  • IAM-4295: Reviewer not redirected back to pending reviews after access review sign off

22 Jun 2023

Enhancements

  • DATASCI-1331[12]: Distributed attack heuristics

  • DATASCI-1677[12]: Support the right to access or be forgotten (GDPR compliance)

  • IAM-2026: Support versioning of the application and connector templates

  • IAM-3408: Let provisioners use a range of connector versions

  • IAM-4074: Add a loading animation to the pie chart component

  • IAM-4242: Add "Conflicting changes" category to reconciliation summary

Fixes

  • FRAAS-9230: Sanitize aria-hidden fields

  • FRAAS-16041: Users can choose Basic Auth for Identity Cloud logging endpoints

  • IAM-2972: Route users to the correct realm after granting Salesforce permissions

  • IAM-3719: Modals do not display access review comments and activity

  • IAM-4116: Don’t let access review users add reviewers with greater privileges than they themselves have

  • IAM-4134: User pop-up is visible in "Entitlement" tab

  • IAM-4200: Last certified date, decision, and actor displaying incorrectly in Governance account details

19 Jun 2023

Enhancements

  • IAM-4051: Improved ADA accessibility for drop-down boxes

  • IAM-4053: Improved ADA accessibility when NVDA readers are used on pages that use the Page node

16 Jun 2023

Fixes

  • FRAAS-15974: Unable to promote empty configuration to reset staging environment

14 Jun 2023

Key features

New Identity Governance capabilities[2] (IGA-1592)

Entitlements are specific permissions given to an account in an onboarded target application. Each entitlement correlates to a permission. Pull in entitlements from all onboarded target applications into Advanced Identity Cloud for use in certifications.

Entitlement assignment certification, a new certification type for access reviews, lets you review and certify entitlements and the users who have access to entitlements on some or all applications. Primary reviewers are entitlement owners, a single user, or users assigned to a role.

The governance glossary lets you attach business-friendly attributes to applications, entitlements, and roles to add more specificity to the data you review in access certifications.

New options in the Advanced Identity Cloud end-user UI let you view your access, your direct reports, and the access your direct reports have:

  • The My Access option lets you view your access in Advanced Identity Cloud and onboarded target applications. This includes accounts from onboarded target applications, roles you are assigned in Advanced Identity Cloud, and entitlements or privileges you have in onboarded target applications.

  • The Direct Reports option lets you get access information for individuals you manage. This includes their profile information, accounts from onboarded target applications, roles they are assigned in Advanced Identity Cloud, and entitlements or privileges they have in onboarded target applications.

Microsoft Graph API email client (OPENIDM-17899)

Configure the email client to use the MS Graph API Client for sending email.

For more information, refer to Microsoft Graph API email client.

Enhancements

  • IAM-2826: Filter the "Assignments" tab for identities so that it does not show overrides, entitlements, or resources

  • IAM-3677: Remove increment/decrement arrows from numeric input fields

  • IAM-3982: Let users filter risk activity using distributed attack as a risk reason

  • IAM-3983: Show distributed attack as a risk reason in the risk dashboard

  • IAM-4136: Use the tab key to move focus and remove tags in multi-select components

Fixes

  • FRAAS-14262: Include changes to group privileges in the configuration promotions report

  • IAM-2713: Prohibit editing of managed application objects

  • IAM-3594: Correctly redirect control to the End User UI after authenticating with itsme

  • IAM-3939: Let end users switch to a different authentication journey

  • IAM-4013: When using a custom domain, originalLoginRealm is set incorrectly

  • OPENIDM-17481: Managed object schema can now describe a field as a nullable array and specify a default value for this field if not provided in a create request

  • OPENIDM-17771: Processing of a large number of scheduled jobs no longer causes all scheduled tasks to continuously misfire

  • OPENIDM-18192: Updating a relationship-defined virtual property (RDVP) on a managed object by signal receipt no longer causes other RDVP state within that object to be lost

  • OPENIDM-18360: Use the full object state when validating requests made by a delegated administrator to modify a relationship

  • OPENIDM-18613: Provide the ability to remove the userPassword attribute

  • OPENIDM-18644: Correctly determine whether it’s possible to configure clustered reconciliation

  • OPENIDM-18895: Fixes support for multi-version concurrency control on managed object patches and updates

13 Jun 2023

Fixes

  • FRAAS-14706: Improve the detection of changes to complex configuration files and IDM script hooks in promotion reports

  • FRAAS-14897: Improve the rate limiting behavior of the /monitoring/logs endpoint

08 Jun 2023

Key features

Lexis-Nexis ThreatMetrix Authentication nodes (FRAAS-15325)

Integrate Lexis-Nexis ThreatMetrix decision tools and enable device intelligence and risk assessment in Advanced Identity Cloud.

For details, refer to ThreatMetrix Authentication nodes.

Fixes

  • FRAAS-14214: Changing an existing ESV type is now denied by the API and new ESVs always require an explicit type

05 Jun 2023

Key features

Filter log results

Use the _queryFilter parameter to filter log results on any field or combination of fields in a payload. For details, refer to Filter log results.

Fixes

  • FRAAS-15378: Add _queryFilter support to /monitoring/logs and /monitoring/logs/tail endpoints

30 May 2023

Key features

Scripted SAML 2.0 SP adapter

Customize the SAML 2.0 SP adapter using a script.

For details, refer to SP adapter.

OIDC ID Token Validator node

The new OIDC ID Token Validator node lets Advanced Identity Cloud rely on an OIDC provider’s ID token to authenticate an end user. The node evaluates whether the ID token is valid according to the OIDC specification.

For details, refer to OIDC ID Token Validator node.

Fixes

  • AME-21638: Customize an SP adapter by using a script

  • AME-24026: Allow specifying inputs required by the provider scripts in the Configuration Provider node

  • AME-24073: Expose the prompt_values_supported parameter of the provider configuration at the OIDC well-known endpoint

  • AME-24175: Provide additional classes in the allowlist for scripts used in the Scripted Decision node

  • OPENAM-12030: Authentication node instances are deleted when journeys containing them are deleted

  • OPENAM-13293: New OIDC ID Token Validator node evaluates whether the ID token is valid according to the OIDC specification

  • OPENAM-13329: Display journeys with spaces in their name in the Authentication Configuration drop-down menu

  • OPENAM-13766: Route user session based on whether policy evaluation is requested or not

  • OPENAM-17179: Correctly delete a script if its referring journey is deleted

  • OPENAM-17566: Display account name instead of UUID in the ForgeRock Authenticator when using MFA

  • OPENAM-18488: Support certificate-based attestation in certificate chains terminating at an intermediate CA

  • OPENAM-18692: Set the minimum value for the Default Max Age property to 0

  • OPENAM-19745: Add support for EdDSA signing algorithm to WebAuthn Registration node

  • OPENAM-20082: Show correct error message to locked out users

  • OPENAM-20104: Fix the fragment response mode for the OAuth 2.0 authorize endpoint

  • OPENAM-20187: Fix the "waiting for response" page so that it fails authentication as configured in the authentication journey

  • OPENAM-20230: Prevent class allowlist from failing for classes already on the allowlist

  • OPENAM-20318: Allow a restricted set of HTML tags to be rendered in page node headers and descriptions

  • OPENAM-20360: Fix default URL encoding to ensure ampersand characters are not double encoded in a SAML assertion

  • OPENAM-20386: Fix authentication node state reconciliation in some complex journeys

  • OPENAM-20396: Preserve ordering of ACR to chain mapping configuration of OIDC provider after a restart

  • OPENAM-20451: Fix WebAuthn registration node to return a human-readable username

  • OPENAM-20457: Route Device Location Match node to "Unknown Device" outcome when the previously stored location of the device is not provided

  • OPENAM-20479: Enhance OIDC authentication to handle unsecured JWS requests

  • OPENAM-20541: Add additional inner classes to scripting allowlist to support RSA keypair generation

24 May 2023

Fixes

  • FRAAS-14956: Promotion preview and report not showing all configuration changes

23 May 2023

Fixes

  • FRAAS-10816: Include thread ID and remove control characters from some Identity Cloud log files for easier log correlation

18 May 2023

Key features

Administrator federation enhancements

Groups support: The new groups feature lets you add and remove administrators depending on group membership in your identity provider. Using administration groups lets you automate granting and removing access for administrators who are being onboarded, switching roles, or leaving your organization.

OIDC Federation: OIDC is now supported as a federation identity provider, along with Microsoft ADFS and Microsoft Azure.

Enhancements

  • DATASCI-1267[13]: Autonomous Access dashboard is now realm-based

  • DATASCI-1330[13]: Autonomous Access can use blocklists and allowlists of IP addresses

  • DATASCI-1336[13]: Autonomous Access can avoid putting users in double jeopardy

17 May 2023

Fixes

  • FRAAS-13293: Provide more accurate and granular information in promotion reports

  • FRAAS-14063: Remove orphaned unused scripts during promotion

  • FRAAS-15022: Improve promotion reports

  • FRAAS-15188: Ensure environments can be recreated after deletion

  • IAM-2561: Allow adding applications to a user or role from the Identities > Manage page

  • IAM-3550: When attempting to validate Office 365 applications, a blank screen appears

  • IAM-3580: Improve service accounts UI including error handling

  • IAM-3666: Add alternative text to QR code image

  • IAM-3676: Add keyboard controls to UI to select multiple values in multivalued lists

  • IAM-4030: Improve handling of identity provider and groups claims

  • IAM-4031: Generic OIDC configuration returns HTTP 400 Bad Request

  • IAM-4032: Federation enforcement is missing from the UI

  • IAM-4058: Admin UI routing for locked tenants is no longer working correctly

15 May 2023

Fixes

  • FRAAS-12469: Automatically create a status page account for new tenants

05 May 2023

Fixes

  • IAM-3043[14]: CAPTCHA node not behaving properly when false

04 May 2023

Fixes

  • OPENAM-20815: Auth session timeout causes missing login page footer

03 May 2023

Fixes

  • IAM-3937: Risky events are not shown in the risk dashboard

  • IAM-3964: Risk reasons do not display in the risk dashboard

26 Apr 2023

Key features

PowerShell connector

Use the PowerShell Connector Toolkit to register a connector that can provision any Microsoft system.

For details, refer to PowerShell.

SAP SuccessFactors Account or SAP SuccessFactors HR connector

Use the SAP SuccessFactors connectors to synchronize SAP SuccessFactors users with Advanced Identity Cloud users.

Bookmark application

You can now register a bookmark application - for example, OneNote, Evernote, Google Bookmarks, or raindrop.io - to direct users to specific URLs. A bookmark application displays shortcut links on dashboards. When you click one of the links, the browser opens a new tab.

For details, refer to Bookmark.

Resolved issues

  • IAM-2911: Add support for bookmark apps in application management

  • IAM-3472: Update promotions UI to set tenant color dynamically based on the tenant name

  • IAM-3630: Add SuccessFactors template and connector configuration

  • IAM-3666: Add alt text to QR code

  • IAM-3667: Add visual indication of keyboard focus on input fields

  • IAM-3681: Improve accessibility of the Edit personal info profile dialog

  • IAM-3778: Allow login UI to work when browser session storage is unavailable

  • IAM-3792: Prevent login UI rendering extra whitespace character in front of text on suspended nodes

  • IAM-3806: Remove beta indicator from the trends chart in admin UI dashboard

  • IAM-3840: Change color of radio button in Choice Collector node

  • IAM-3879: Ensure global variable assignmentResCollection is not overwritten when editing scripts

  • IAM-3910: New PowerShell configuration properties

  • OPENAM-18895: Fix API request timeout errors for slow connections

  • OPENIDM-18917: Display last name instead of user ID on user profile when no first name is provided

  • OPENAM-20815: Add missing footer to Page node when session expired

25 Apr 2023

Resolved issues

  • OPENIDM-18967: Remove unnecessary &_sortKeys=_id parameter from dataRelationshipArray grid queries

  • OPENIDM-18988: Prevent repository reads when anonymous users make requests to info and ping endpoints

24 Apr 2023

Key features

Microsoft Intune node

Integrates Microsoft Intune to control features and settings on Android, Android Enterprise, iOS/iPadOS, macOS, and Windows 10/11 devices in your organization.

For details, refer to Microsoft Intune node.

Secret Double Octopus (SDO) nodes

PingOne Advanced Identity Cloud integrates with Secret Double Octopus (SDO) to provide high-assurance, passwordless authentication systems that address the diverse authentication needs of a real-world, working enterprise.

For details, refer to Secret Double Octopus (SDO) nodes.

Resolved issues

  • IAM-3950: End-user UI fails to load when accessing Advanced Identity Cloud in a new tab

12 Apr 2023

Resolved issues

  • FRAAS-13247: Set the log API key creation date correctly

06 Apr 2023

Key features

Support for all Google Fonts for hosted pages

Meet your organization’s brand guidelines by using any Google Font in your hosted pages.

Resolved issues

  • IAM-1686: Allow any Google Font to be used on hosted pages

  • IAM-3164: Prevent table columns from stacking vertically on smaller viewports

  • IAM-3313[2]: Additional Options section missing from Identity Certification campaign template

30 Mar 2023

Key features

IP allowlisting

Enterprises often need to ensure that requests entering their network come from trusted sources. PingOne Advanced Identity Cloud now offers outbound static IP addresses for sandbox environments.

Outbound static IP addresses let you implement network security policies by setting up allowlists of IPs originating from Advanced Identity Cloud. This adds an extra layer of security to outbound calls to your APIs or SMTP servers.

For more information, refer to Outbound static IP addresses.

Resolved issues

  • FRAAS-5995: Outbound request static IP allows IP allowlisting for new customers

29 Mar 2023

Resolved issues

  • FRAAS-14187: Updated user registration cloud logging to capture events from identity providers

  • FRAAS-14593: The Configuration Provider node was unable to retrieve ESVs

27 Mar 2023

Resolved issues

  • FRAAS-14475: Certain searches cause NoSuchElementException errors

20 Mar 2023

Resolved issues

  • OPENIDM-18476: The IDM admin UI now defaults identity object number fields to 0 instead of an empty value

  • OPENIDM-18216: IDM admin UI should query recon association data instead of audit data

  • OPENIDM-18870: Inability to delete an inline reconciliation or schedule script

  • OPENIDM-18868: Inability to save a schedule when you add or remove a passed variable

  • OPENIDM-18865: Script changes cannot be saved unless you click outside the Inline Script box

  • FRAAS-14097: Promotion report should identify journeys by their name

  • FRAAS-13522: Promotion report does not include changes to custom email provider

  • FRAAS-14353: Configuration placeholder replacement assumes a string value

17 Mar 2023

Resolved issues

  • FRAAS-14260: UI displays "Resource 'managed/alpha_application' not found" message

  • FRAAS-14265: Cannot access ESVs in sandbox tenants

16 Mar 2023

Key features

PingOne® Identity Governance (add-on capability)

PingOne Identity Governance is a new add-on capability of PingOne Advanced Identity Cloud. Identity Governance allows you to centrally administer and manage user access to applications and data across your organization to support regulatory compliance.

With Identity Governance you can:

  • Work with onboarded target applications when reviewing user data. This allows you to review user data for onboarded applications.

  • Define and launch reviews of data using certification campaigns.

  • Review and manage user access to applications. This includes managers reviewing the access their direct reports have.

For more information, refer to About Identity Governance.

To purchase an Identity Governance subscription, contact your ForgeRock representative.

Resolved issues

  • IGA-1433: Initial release of Identity Governance with identity certifications

15 Mar 2023

Resolved issues

  • FRAAS-9376: Provide the ability to display a login journey in an iframe for specific custom domains. To implement this feature, you need to open a support ticket.

13 Mar 2023

Resolved issues

  • FRAAS-14265: Enable access to ESVs in sandbox and demo environments

  • FRAAS-14276: Add idm-recon as a log source

10 Mar 2023

Key features

Support for Scripted Groovy connector applications

Application management now lets you register, provision, and manage Scripted Groovy connector applications.

For details, refer to Scripted Groovy connector.

Resolved issues

Issue ID[15] Summary

IAM-662

Fixed agent logout in platform UI

IAM-3160

Added ability to configure the scripted Groovy connector

IAM-3180

Hide the SSO tab when an application is authoritative

IAM-3193

Updated SCIM app template to only show the refresh token property for OAuth authentication

IAM-3303

Enable clicking a row to edit entries on the service accounts page

IAM-3304

Added breadcrumbs to the service accounts page

IAM-3305

Added a search field to the service accounts page

IAM-3462

Corrected AD template property from ENABLED to ENABLE

IAM-3478

Addressed accessibility concerns when displaying password policy validation

IAM-3642

Fixed an issue with unselected applications being imported when promoting, and improved the user experience for selecting and deselecting applications in the promotions UI

IAM-3669

Fixed drop-down lists to show the value of the selected option in the form

IAM-3694

Added ability to customize the success color in hosted pages

08 Mar 2023

Key features

Administrator federation

Administrator federation allows administrators to use single sign-on (SSO) to log in to an Advanced Identity Cloud tenant.

By using federation to authenticate your administrators to Advanced Identity Cloud, you can quickly and easily deprovision an administrator by removing their access from your centralized identity provider.

Resolved issues

Issue ID Summary

FRAAS-5416

Administrators can access Advanced Identity Cloud using single sign-on from another identity provider

06 Mar 2023

Resolved issues

Issue ID Summary

IAM-2921

In the Dashboard, the total number of applications that display in the Applications box now includes those applications registered using the new app catalog in tenants created on or after January 12, 2023.

IAM-3760

Apple social authentication works with other authentication methods

03 Mar 2023

Key features

SCIM built-in connector

You can now use the SCIM built-in connector to manage user and group accounts on any SCIM-compliant resource provider.

Promotions API documentation

The promotions API documentation is now publicly available at https://apidocs.id.forgerock.io/#tag/Promotion.

Resolved issues

Issue ID Summary

FRAAS-8225

The promotions API documentation is now publicly available at https://apidocs.id.forgerock.io/#tag/Promotion

FRAAS-8709

Include the log sources in the logged events

FRAAS-12402

Add /platform/oauthReturn route to support authentication for Salesforce and Google Apps

FRAAS-12413

OIDC login from a custom domain results in blank page

OPENICF-400

The LDAP connector now correctly reads the AD Account tokenGroups attribute

OPENICF-1858

Add group owners management support to the Microsoft Graph API connector

OPENICF-2039

Add archived, languages, isEnrolledIn2Sv, and isEnforcedIn2Sv fields to the Google Apps connector

OPENICF-2067

Adjust license assignments as part of the user creation and update operations in the Google Apps connector

OPENICF-2068

The Microsoft Graph API connector now lets you assign and revoke directory roles to an Azure AD user account and query the target instance for roles

OPENICF-2088

The Microsoft Graph API connector now lets you assign and revoke custom roles to an Azure AD user account and query the target instance for roles

OPENICF-2102

Assign and revoke PermissionSets and Groups to Salesforce user accounts in the Salesforce connector

OPENICF-2110

Expose groups and roles through user object in the ServiceNow connector

OPENICF-2111

View, update, and remove a group’s roles through the role object in the ServiceNow connector

OPENICF-2129

The LDAP connector now includes a parameter to use isMemberOf by ldapGroups

OPENICF-2192

In the Google Apps connector, don’t throw an NPE when updating a user with a change to license assignments if _NAME_ is not specified

OPENIDM-17876

Query filter editor no longer removes double quotes from all properties that aren’t of type string

OPENIDM-17936

Saving changes to the authzRoles field on users no longer overrides the field type

OPENIDM-18001

Country codes in locales are no longer ignored when sending emails

OPENIDM-18077

Added new default policy, cannot-contain-others-case-insensitive

OPENIDM-18153

Custom script exception messages are no longer incorrectly truncated in REST responses

OPENIDM-18238

Improved resiliency of clustered reconciliations

OPENIDM-18243

Validate that connector names are alphanumeric

OPENIDM-18260

New sync mapping fields, defaultSourceFields and defaultTargetFields, let you specify which fields to use for read and query requests

OPENIDM-18261

Endpoints within /system now support specifying additional fields when using wildcards

OPENIDM-18275

The groups' name field is now searchable

OPENIDM-18319

An up-to-date target object state is now provided in sync script bindings and sync audit mechanisms

OPENIDM-18336

The default assignment object schema now contains a "condition" field

OPENIDM-18498

Queued sync not triggered if target is a CREST proxy endpoint

OPENIDM-18501

Tenant administrator password policy no longer restricts passwords to a maximum length

OPENIDM-18629

Reconciliation job identifiers now use a more precise timestamp

OPENIDM-18650

Add new SCIM connector; applications now support creating connections to SCIM services

01 Mar 2023

Resolved issues

Issue ID Summary

IAM-3089[16]

Unable to exit a social provider and select a different social provider in a journey

28 Feb 2023

Resolved issues

Issue ID Summary

FRAAS-13933

Make managed groups visible in the AM admin UI

FRAAS-13983

Remove OneSpan nodes from the Basic Authentication journey node list

22 Feb 2023

Resolved issues

Issue ID Summary

FRAAS-14069

Add IdPCallback class to scripting allowlist

FRAAS-14030

Add inner classes from java.security and java.crypto packages to scripting allowlist

FRAAS-13974

Add class sun.security.ec.ECPrivateKeyImpl to scripting allowlist

FRAAS-13597

Remove unexpected changes from promotion reports

16 Feb 2023

Resolved issues

Issue ID Summary

FRAAS-13597

Fix inconsistencies between provisional and promotion reports

14 Feb 2023

Key features

Support for REST connector applications

Application management now lets you register, provision, and manage REST connector applications.

For details, refer to Scripted REST connector.

Resolved issues

Issue ID Summary

IAM-2879

Allow properties in forms to be reordered

IAM-3094

Add support for enumerated values in array attributes

IAM-3156

Update the descriptive text in the "Add Property" modal to be more accurate

IAM-3261

Adjust Autonomous Access risk filter to better handle scoring edge cases

IAM-3262

Adjust menu width on the Autonomous Access Risk Administration page

IAM-3461

Fix display of OAuth 2.0 applications with a UUID for a name

IAM-3492

Fix objects ending in application or assignment not appearing in the Privileges tab

13 Feb 2023

Resolved issues

Issue ID Summary

FRAAS-13478

Promotions report shows changes that it shouldn’t

FRAAS-13866

Let Identity Cloud administrators access policy configuration

IAM-3512

Access Management native console incorrect redirect URL

09 Feb 2023

Key features

OneSpan authentication journey nodes

The new OneSpan authentication journey nodes integrate OneSpan Intelligent Adaptive Authentication (IAA) scoring for identity proofing, continuous authentication, and fraud protection.

For details about OneSpan authentication integration set up, refer to OneSpan.

Jumio identity verification

The new Jumio identity verification integrates with Jumio’s NetVerify service to verify identity securely by using facial recognition to match the user against government-issued IDs.

For details about Jumio identity verification, refer to Jumio identity verification.

Logout for all server-side sessions for a user or set of users

Administrators can now invalidate (log out) all server-side sessions for a user by sending a POST request to the json/sessions endpoint with the logoutByUser action, specifying the username in the request payload.
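The following is an added example, not code from the changelog or from Ping/ForgeRock: a small Python (standard library only) client that sends the logoutByUser action described above and then lists the user's remaining sessions so the operator can confirm the invalidation actually took effect. The tenant base URL, the realm path (`/realms/root/realms/alpha`), the `Accept-API-Version` value, and the `iPlanetDirectoryPro` header name are assumptions; Identity Cloud tenants often use a tenant-specific SSO cookie name, so pass the right one. The HTTP transport is injectable so the flow can be exercised offline against a fake.

```python
import json
import urllib.parse
import urllib.request

# Assumed API version header for the sessions endpoint (not taken from the changelog).
SESSIONS_API_VERSION = "resource=5.1, protocol=1.0"


def _request(am_base, realm_path, path_and_query, admin_token, cookie_name, method, body=None):
    """Build a urllib Request against <am_base>/json<realm_path>/<path_and_query>."""
    headers = {
        "Accept-API-Version": SESSIONS_API_VERSION,
        "Content-Type": "application/json",
        cookie_name: admin_token,  # the administrator's SSO token authorises the call
    }
    data = None if body is None else json.dumps(body).encode()
    return urllib.request.Request(f"{am_base}/json{realm_path}/{path_and_query}",
                                  data=data, headers=headers, method=method)


def build_logout_by_user_request(am_base, realm_path, admin_token, username,
                                 cookie_name="iPlanetDirectoryPro"):
    """POST .../sessions?_action=logoutByUser with the target username in the body."""
    return _request(am_base, realm_path, "sessions?_action=logoutByUser",
                    admin_token, cookie_name, "POST", {"username": username})


def build_list_sessions_request(am_base, realm_path, admin_token, username,
                                cookie_name="iPlanetDirectoryPro"):
    """GET .../sessions?_queryFilter=username eq "<user>" to see which sessions are still alive."""
    if '"' in username:
        # Keep the query filter well-formed: a quote inside the name would change its meaning.
        raise ValueError("username must not contain a double quote")
    query = urllib.parse.quote(f'username eq "{username}"', safe="")
    return _request(am_base, realm_path, f"sessions?_queryFilter={query}",
                    admin_token, cookie_name, "GET")


def _send(req, opener):
    """Send the request through `opener` and decode the JSON body (empty body -> {})."""
    with opener(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def logout_user_everywhere(am_base, realm_path, admin_token, username,
                           cookie_name="iPlanetDirectoryPro",
                           opener=urllib.request.urlopen):
    """Invalidate every server-side session for `username`, then verify none remain.

    `opener` defaults to urllib's real transport; tests pass a fake.
    Returns (logout response body, number of sessions still listed for the user).
    """
    logout_resp = _send(build_logout_by_user_request(
        am_base, realm_path, admin_token, username, cookie_name), opener)
    listing = _send(build_list_sessions_request(
        am_base, realm_path, admin_token, username, cookie_name), opener)
    remaining = listing.get("resultCount", len(listing.get("result", [])))
    return logout_resp, remaining


if __name__ == "__main__":
    # Real run: replace the placeholders with your tenant, realm and an admin SSO token.
    body, left = logout_user_everywhere("https://tenant.example.com/am",
                                        "/realms/root/realms/alpha",
                                        "ADMIN_SSO_TOKEN", "bjensen")
    print(body, "sessions remaining:", left)
```

This only ends server-side sessions, as the feature states; OAuth 2.0 access and refresh tokens the user already holds are governed separately by the OAuth 2.0 provider's revocation settings, so revoke those too when the goal is a full lockout.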

Composite advice with an AuthLevelCondition in journeys

Composite advice gives AM hints about which authentication services to use when logging in a user. Journeys now take into account the AuthLevelCondition composite advice.

For example, you can now use AuthLevelCondition composite advice so that AM uses a journey that provides an authentication level of 10 or higher.

Resolved issues

Issue ID Summary

AME-22942

Log out all server-side sessions for a user or set of users so that they have to reauthenticate

FRAAS-13454

Integrate Jumio identity verification journey nodes

FRAAS-13555

Integrate OneSpan authentication nodes

FRAAS-13809

Autonomous log filters fail in connected environments

OPENAM-11319

Add description key to the JSON response from OAuth2UserApplications#getResourceResponse

OPENAM-16374

Add support for composite advices with a AuthLevelCondition to journeys

OPENAM-18270

Don’t raise errors when calls to the access_token endpoint specify the scope parameter in OAuth2 authorization_code exchange

OPENAM-18488

Handle the CA certificate correctly for Windows Hello attestations

31 Jan 2023

Resolved issues

Issue ID[17] Summary

FRAAS-13011

Security improvements

IAM-2025

Add Uncategorized to the journey category filter

IAM-3107

Remove bitwise filter on Active Directory page

IAM-3108

Update Maintain LDAP Group Membership option to not be selected by default

IAM-3109

Update cn property to be optional in Active Directory target mode

IAM-3110

Update ldapGroups property to be available by default in Active Directory target mode

IAM-3111

Fix password hash algorithm

IAM-3139

Fix Revoke button in users and roles to revoke users, and not be clickable when there are no users to revoke

IAM-3142

Fix Active Directory user filter anomaly when deleting a row

IAM-3146

Update user-specific attributes to be editable by administrators

IAM-3257

Fix escaping of ESV placeholders in the advanced email editor

30 Jan 2023

Resolved issues

Issue ID Summary

FRAAS-13519

Remove unexpected file changes from self-service promotion reports

27 Jan 2023

Resolved issues

Issue ID Summary

FRAAS-13464

Adjust sandbox environment migration to not use development environment migration steps

FRAAS-13478

Remove unrelated AM root realm changes from promotion reports

FRAAS-13620

Improve performance of promotion report generation by removing unrelated data

IAM-2305[17]

Add support for localized logos in end-user UI

IAM-3091[17]

Fix localized headers rendering as [object Object]

26 Jan 2023

Resolved issues

Issue ID Summary

OPENIDM-16640

Changes to identity objects by onUpdate scripts not triggering relationship property onRetrieve hooks

25 Jan 2023

Key features

Improved access control for hosted pages

You can now block access separately for hosted end user account and journey pages:

  • Advanced Identity Cloud displays account pages after authentication for user profile and delegated administration details.

  • Advanced Identity Cloud displays journey pages during authentication for login, registration, password reset, and more.

By default, Advanced Identity Cloud hosted pages are active and accessible for accounts and journeys.

To disable access through the Advanced Identity Cloud admin UI, go to Tenant Settings > Global Settings > End User UI and select the pages to disable.

Resolved issues

Issue ID Summary

IAM-2735

SAML application improvements, including adding ability to update metadata without recreating application and adding ability to download IdP certificate from application

IAM-3044

Applications list overflows when screen size is reduced

IAM-3084

Only allow unique values when adding application owners

IAM-3141

Add the ability to promote dynamic configuration attached to application

IAM-3151

Remove redirect to global settings during administrator login

IAM-3183

Let users filter the trends dashboard by date without resetting the journeys dashboard

IAM-3339

After refreshing the realm settings page, set the current tab using the identifier specified in the URL fragment

FRAAS-7542

Control access to hosted account and journey pages

FRAAS-11599

Don’t allow changes to scripts in staging and production environments

13 Jan 2023

Key features

Service accounts

You can now use service accounts to request access tokens for most Advanced Identity Cloud REST API endpoints without relying on a particular identity in your system:

  • Call Identity Cloud APIs programmatically without needing a human identity.

  • Access AM or IDM APIs in the same way using a signed JWT.

  • Set scopes on each service account to assign only necessary permissions to access tokens.

  • Use for automation and CI/CD tooling.

For details, refer to Service accounts.

Resolved issues

Issue ID Summary

FRAAS-8477

Service accounts

IAM-1939

Fix hCaptcha support in Platform UI

IAM-2224

Replace bullets with checkmarks when validating password policy

IAM-2847

Increase the size of the terms and conditions modal window

IAM-2912

Enable promotions UI to ignore encrypted secrets

IAM-3011

Update risk configuration UI to show only user-modifiable configuration

IAM-3012

Add new userConfig endpoint to the riskConfig API

IAM-3015

Update risk configuration evaluation UI so that updates use the new APIs

IAM-3016

Fix the gotoOnFail query parameter to redirect in case of failure

IAM-3041

Prevent proceeding from the Active Directory modal window without entering base DNs

IAM-3076

Fix Salesforce provisioning connection

IAM-3079

Fix single sign-on (SSO) setup when app name has a space

IAM-3088

Enable suppression of the login failure message from the failure node

IAM-3122

Fix font weight of the title text on provisioning tab

IAM-3145

Fix Active Directory assignment on array attributes to be a merge and not replace

IAM-3177

Add paging back to application list view if workforce feature is not enabled

IAM-3335

Fixed display of localized favicon

11 Jan 2023

Resolved issues

Issue ID Summary

FRAAS-13121

Provisional reports can cause promotion service to run out of memory and restart

FRAAS-13244

Unable to log into tenant to perform self-service promotion

04 Jan 2023

Resolved issues

Issue ID Summary

FRAAS-13242

Improve invalid page size error message

OPENAM-19485[18]

Access multi-tenant social providers without requiring multiple secondary configurations

OPENIDM-17392

Prevent script typos that cause services to fail from being introduced into the system

OPENIDM-17953

Support email addresses that contain non-ASCII UTF-8 characters

2022

21 Dec 2022

Resolved issues

Issue ID Summary

FRAAS-13057

Add only standard placeholders (not user-defined placeholders) prior to enabling placeholder management

20 Dec 2022

Key features

BioCatch authentication nodes

The new BioCatch authentication nodes integrate BioCatch scoring for identity proofing, continuous authentication, and fraud protection.

For details, refer to Marketplace.

Resolved issues

Issue ID Summary

FRAAS-12140

Integrate BioCatch authentication journey nodes

FRAAS-12713

Promotions API failed to generate a report

16 Dec 2022

Resolved issues

Issue ID Summary

FRAAS-11964

Avoid potential performance degradation when removing expired token state

FRAAS-12939

Add proxy state to output of lock state endpoint for promotions API

15 Dec 2022

Resolved issues

Issue ID Summary

FRAAS-12545

Remove the option to keep orphaned configuration nodes from the promotions API

09 Dec 2022

Key features

Event hooks

Event hooks let you trigger scripts during various stages of the lifecycle of users, roles, assignments, and organizations.

You can trigger scripts when one of these identity objects is created, updated, retrieved, deleted, validated, or stored in the repository. You can also trigger a script when a change to an identity object triggers an implicit synchronization operation.

Post-action scripts let you manipulate identity objects after they are created, updated, or deleted.

For details, refer to Event hooks.

Resolved issues

Issue ID Summary

IAM-2941

Add the event hooks user interface

08 Dec 2022

Resolved issues

Issue ID Summary

FRAAS-12477

Add list of encrypted secrets to promotion reports

07 Dec 2022

Resolved issues

Issue ID Summary

FRAAS-12494

Unlock the environment and stop checking progress after successfully promoting an environment

FRAAS-12988

Prevent placeholder support being enabled unless a specific migration flag value is set

OPENIDM-17556

Ensure RDVPs are not erased for all types of managed objects for all types of PUT operations

06 Dec 2022

Key features

Workforce application and connector management

In new tenants created on or after January 12, 2023, you can use the improved applications page to integrate Advanced Identity Cloud with external data stores or identity providers. The applications page acts as a one-stop location where you can:

  • Register and provision popular federation-capable applications quickly and easily by choosing from a library of templates, such as Salesforce and Workday.

  • Register and provision your organization’s custom applications.

  • Manage data, properties, rules, SSO, provisioning, users, and groups for an application.

  • View the connection status of each application.

  • Activate and deactivate an application.

Daon IdentityX authentication nodes

The new Daon authentication nodes let you integrate with the Daon IdentityX platform for MFA with mobile authentication or out-of-band authentication using a separate, secure channel.

For details, refer to Marketplace.

Resolved issues

Issue ID Summary

FRAAS-11574

Integrate Daon authentication journey nodes

IAM-2658

Application management improvements

DATASCI-1548

Update the filter text on the Autonomous Access dashboard from "All Risk Scores" to "Risk Score"

DATASCI-1550

Update text on the Autonomous Access dashboard’s Copy on User Detail page

29 Nov 2022

Key features

Onfido authentication nodes

The new Onfido authentication nodes let you use Onfido’s solution for collecting and sending document identification and, optionally, biometrics to the Onfido backend for verification.

For details, refer to Marketplace.

Resolved issues

Issue ID Summary

FRAAS-11575

Add Onfido authentication node

23 Nov 2022

Resolved issues

Issue ID Summary

IAM-2354

Add system notification capability to UI

IAM-2355

Self-service promotions migration UI

IAM-2465

Password policy to force password expiry not working

IAM-2706

Embedding images in the theme editor only displays alternative text

IAM-2739

Email suspend message displayed without line breaks

IAM-2939

Add translation configuration key for "Passwords do not match" message

IAM-2973

Self-service promotions migration UI flow should enable promotions UI features

22 Nov 2022

Resolved issues

Issue ID Summary

FRAAS-12552

Add redirect for custom domain login screen

18 Nov 2022

Resolved issues

Addressed a security issue.

10 Nov 2022

Resolved issues

Addressed a security issue.

08 Nov 2022

Key features

Group management

You can now create and manage groups that are shared across AM and IDM within your Advanced Identity Cloud instance. New tenants have group management enabled by default, and existing tenants can follow an upgrade path to enable it.

For more information, refer to Group management.

Resolved issues

Issue ID Summary

FRAAS-12379

Add support for groups and assigning users to groups

FRAAS-12625

Handle ESVs as string type if no type is set

02 Nov 2022

Key features

ID Cloud Analytics Dashboard enhancements

You can now take advantage of the following enhancements to the analytics dashboard:

  • The journey chart now lets users drill down at specific points on a trend line to view individual journey outcomes for that date/hour. Journeys are sorted by a ranking of percentage failures, but can also be sorted based on number ranking.

  • Two new widgets — Top Five Journeys by Outcome and Top Five Journeys by Usage — that rank trending journeys based on outcomes and usages are now available.

For more information, refer to Advanced Identity Cloud analytics dashboard.

Resolved issues

Issue ID Summary

ANALYTICS-25

Add journey ranking and ability to drill down into journey outcomes to the analytics dashboard

25 Oct 2022

Key features

Self-service promotions

Self-service promotions let you promote configuration between environments without raising a support ticket. You can perform self-service promotions from development to staging tenant environments, and from staging to production tenant environments. You cannot promote sandbox environments.

For more information, refer to Introduction to self-service promotions.

Configuration placeholders visible in all APIs

Configuration placeholders let you set ESVs in your configuration.

For more information, refer to Manage configuration placeholders using the API.

Resolved issues

Issue ID Summary

FRAAS-10979

Configuration placeholders visible in all APIs in new customer environments

FRAAS-12219

Self-service promotions available in new customer environments

19 Oct 2022

Key features

Duo authentication node

The new Duo authentication node lets you use Duo’s solution for adaptive authentication, bring your own device security, cloud security, endpoint security, mobile security, and two-factor authentication.

Twilio authentication node

The new Twilio authentication node allows you to use Twilio for two-factor authentication during account setup, sign-on, and other scenarios. The node lets you integrate Twilio’s APIs to build solutions for SMS and WhatsApp messaging, voice, video, and email. The node uses Twilio’s latest Lookup API, which uses real-time risk signals to detect fraud and trigger step-up authentication when needed.

For details, refer to Marketplace.

Resolved issues

Issue ID Summary

ANALYTICS-52

Correct the value in the All Journeys field

DATASCI-1437

Correct prefilled username fields in Filters window

DATASCI-1474

Don’t show explainability if not specified in response after applying Unusual Day of Week filter

DATASCI-1497

Let users see previously selected risk reasons after closing the Filter window

DATASCI-1504

Prevent the truncation of text on the right side of pages

FRAAS-11570

Add Duo authentication node

FRAAS-11571

Add Twilio authentication node

FRAAS-11825

Add translation configuration key for no search results message

FRAAS-12301

Add Marketplace nodes to journey editor menu

FRAAS-12413

Remove blank page shown when user returns to login page following successful login to custom domain

IAM-1935

Expose ESV variable type in the UI

IAM-2038

Prevent theme styles rendering in the hosted pages editor

IAM-2066

Show the entire answer to a long security question after clicking the visibility icon

IAM-2259

Do not let users save email templates that contain JavaScript

IAM-2312

Render SVG images correctly

IAM-2411

ForgeRock favicon displays briefly before the customer’s favicon

IAM-2502

Remove flashing red text from security questions window

IAM-2633

Support localization for radio display fields in Choice Collector node

IAM-2696

Remove legend from Risk Score window

IAM-2869

Update UI regex validation for ESV list type

18 Oct 2022

Resolved issues

Issue ID Summary

FRAAS-12373

Fix Choice Collector nodes so that they can show more than two options

07 Oct 2022

Resolved issues

Issue ID Summary

IAM-2846

Fix login issues caused by allowing non-mandatory login journey attributes to have empty values (reverts IAM-1678)

03 Oct 2022

Resolved issues

Issue ID Summary

IAM-1933

Alter AM XUI to display readonly strings wherever placeholders are in use

OPENAM-19868

Correctly handle multi-line text in Email Suspend nodes

OPENIDM-18272

Save managed object properties correctly in Identity Management native console

22 Sep 2022

Resolved issues

Issue ID Summary

AME-22684

Include grace period configuration in the OAuth2 provider settings

OPENAM-18112

Provide better error message when an LDAP authentication node encounters a TLS connection issue

OPENAM-19196

Do not wait for cache timeout before OAuth2 clients reflect changes to Javascript origins

OPENIDM-16420

Update the default email validation policy to conform with RFC 5322

OPENIDM-17533

Allow configuration changes to the repo.ds.json file to take effect without restarting IDM

OPENIDM-17720

Fix null pointer exception when the repo.ds.json file is misconfigured

OPENIDM-17836

Fix for startup error message caused by ObjectMapping constructor exception

OPENIDM-17911

Fix email validation errors in the IDM admin UI (native console)

20 Sep 2022

Resolved issues

Issue ID Summary

DATASCI-1165

Remove Automated User Agent from the list of risk reasons filters

DATASCI-1358

Let users filter dashboards by date, risk scores and features

DATASCI-1365

Update the Risk Activity page when applying a filter without requiring users to refresh the page

DATASCI-1394

Show the times that events occurred correctly without requiring users to refresh the display

DATASCI-1395

Let users see their last five risky authentication attempts

DATASCI-1397

Remove risk administration options from end users' navigation menus

DATASCI-1406

When filtering activities using a date range, include the activities that occur on the end date

IAM-1678

Allow login journey attributes that are not required to have empty values

IAM-1682

When editing email templates, cut text correctly

IAM-1932

When placeholders are used, display read-only strings in the Platform UI

IAM-2028

Remove excess space from journey editor fields that do not require floating labels

IAM-2064

Replace fields for specifying numeric thresholds with a risk score definition slider in Autonomous Access Decision nodes

IAM-2080

Let users create customized footers on Page nodes

IAM-2141

Add option to customize Page node background color

IAM-2142

Add option to customize Page node button width

IAM-2143

Add option to customize label text for Page node fields

IAM-2227

Remove spurious "No configuration exists for id external.email" pop-up warning

IAM-2249

Add option to display Message node as a link

IAM-2250

After importing journeys, let user delete all imported journeys with a single delete action

IAM-2251

Provide a value when the object.password variable is specified in an email template

IAM-2258

Remove tenant information from the Realm menu

IAM-2285

Make H2, H3, and H4 HTML headings bigger when there’s no higher-level predecessor heading

IAM-2290

Show the correct number of events per country on the Activity Risk dashboard

IAM-2294

Show previous authentication attempts when doing anomaly lookups

IAM-2320

Change the default navigation background color of Account pages without changing the dashboard color

IAM-2329

Change the color of the Autonomous Access event log indicator to red

IAM-2351

Correct pagination on the Autonomous Access Risk page

IAM-2373

Make dashboard analytics pipeline logs in Autonomous Access work as expected

IAM-2468

Wrap long security questions

IAM-2521

Don’t reuse authId during password validation

OPENAM-18933

Do not override the Success URL node’s value

SDKS-1720

Point developers to the ForgeRock SDKs when they create an OAuth2.0 client in the Platform UI

SDKS-1721

Point developers to the ForgeRock SDKs when they configure CORS in the Platform UI


1. This release focuses on internal improvements and technical updates to enhance the overall stability, performance, and maintainability of the platform. While there are no direct customer-facing changes, these updates lay the groundwork for future feature releases and improvements.
2. This change applies to a feature only available in ForgeRock Identity Governance, which is an add-on capability and must be purchased separately.
3. This issue was released on January 22, 2024 but inadvertently excluded from the changelog.
4. This issue was released on January 18, 2024 but inadvertently excluded from the changelog.
5. This issue was released on November 27, 2023 but inadvertently excluded from the changelog.
6. This issue was released on November 6, 2023 but inadvertently excluded from the changelog.
7. The updated connectors for FRAAS-17939 originally listed connectors not included with Advanced Identity Cloud.
8. The updated connectors for FRAAS-17373 were originally listed as: Database Table connector, Microsoft Graph API connector, Oracle EBS connector, Salesforce connector, SCIM connector, ScriptedSQL connector.
9. This issue was released on September 11, 2023 but inadvertently excluded from the changelog.
10. This issue was released on August 2, 2023 but inadvertently excluded from the changelog.
11. This issue was released on June 14, 2023 but inadvertently excluded from the changelog.
12. This issue was released on June 19, 2023 but inadvertently excluded from the changelog.
13. This issue was released on May 5, 2023 but inadvertently excluded from the changelog.
14. This issue was released on May 2, 2023 but inadvertently excluded from the changelog.
15. The issues listed in this table were released on March 6, 2023 but inadvertently excluded from the changelog.
16. This issue was released on February 14, 2023 but inadvertently excluded from the changelog.
17. The issues listed in this table, except FRAAS-13011, were released on January 13, 2023 but inadvertently excluded from the changelog.
18. This issue was released on November 24, 2022 but inadvertently excluded from the changelog.