PingOne Advanced Identity Cloud

Regular channel changelog archive

2024

22 Apr 2024

Version 13019.10

Key features

Additional cloud connectors

The following connectors are now bundled with Advanced Identity Cloud:

  • Dropbox connector (OPENIDM-19838)

  • PingOne connector (OPENIDM-19736)

  • Webex connector (OPENIDM-19920)

For more information, refer to the ICF documentation.

Enhancements

  • OPENIDM-19921: The following connectors included with Advanced Identity Cloud were upgraded to 1.5.20.21:

    • Google Apps connector

    • Microsoft Graph API connector

    • AWS connector

    For details, refer to 1.5.20.21 Connector changes.

16 Apr 2024

Version 13019.8

Enhancements

  • FRAAS-19414: You can now configure custom domains directly in all environments without needing to create ESVs or promote configurations. Existing custom domains will be migrated automatically.

  • FRAAS-19566: Add _sortKeys query parameter to ESV API

  • IAM-4585[1]: Request and approvals page now shows the current and past approvers, their decisions, and the dates

  • IAM-4968: Expose additional top-level parameters in the advanced section of mapping pages

  • IAM-5674: Target application can use ONBOARD action for FOUND situation

  • IAM-5769: Add grouping logic to journey node items

Fixes

  • IAM-3927[1]: Identity Governance now enforces mandatory comments (if configured) for revoke and allow exceptions

  • IAM-4309[1]: Access reviews no longer display the internal lastSync user attribute

  • IAM-4762: Authoritative apps are now requestable

  • IAM-4986: Platform UI can now determine whether to use a pagedResultsCookie or offset for paging results

  • IAM-5076[1]: "Abstain from action" option no longer displays when a campaign has expired

  • IAM-5362: Marking a property as an authoritative app entitlement no longer causes target app config to be generated

  • IAM-5413: Account deprovisioning now works in AD/LDAP after deleting a user identity

  • IAM-5794: Border color of sign-in input fields in hosted pages can now be overridden in themes

  • IAM-5810: Add option for email configuration to specify UTF-8 address support

  • IAM-5814: Allow fixed application usernames to be chosen for custom SAML apps

  • IAM-5875: Journey editor no longer orphans deleted nodes

12 Apr 2024

Version 12820.8

No customer-facing issues released.[2]

09 Apr 2024

Version 12820.7

No customer-facing issues released.[2]

04 Apr 2024

Version 12820.5

Key features

HTTP Client node (TNTP-136)

The HTTP Client node lets you make HTTP(S) requests to APIs and services external to Advanced Identity Cloud from within a journey.

Use the HTTP Client node to simplify the integration with a broad range of external services by making direct HTTP(S) requests.

For more information, refer to HTTP Client node.

PingOne Service (TNTP-148)

The PingOne Service lets you set up the PingOne service in your Advanced Identity Cloud tenant so you can add Ping Identity nodes to your authentication journeys.

For more information, refer to PingOne Service.

03 Apr 2024

Version 12820.5

Enhancements

26 Mar 2024

Version 12589.7

Key features

Implemented "remember me" functionality

You can now display a checkbox on the end user sign-in card that makes it remember and pre-populate the username.

Enhancements

  • FRAAS-15371: Added ability to prevent search engines from indexing end user login pages

  • IAM-4257: Updated Azure AD app template to accommodate the latest changes

  • IAM-4342: Updated MSGraphAPI Connector with a new configuration property

  • IAM-4892: Updated Salesforce app template to accommodate the latest changes

  • IAM-4900: Added build number and next release cycle date range to user interface

  • IAM-5334: Exposed guarded string as an object type property in scripted template

  • IAM-5459: KBA answer field should contain question context

  • IAM-5461: Custom login error not read with priority

  • IAM-5503: Rename "Orchestrations" to "Workflows"

  • IAM-5563: Updated Google Apps app template to accommodate the latest changes

  • IAM-5603: Added ability to view device details for managed user identities

  • IAM-5606: Added "POWERED BY" metadata to journey nodes

  • IAM-5748: Made 'PingOne' a special case on the federation providers page

Fixes

  • IAM-4918: Check that user has correct permissions when requesting access for other users

  • IAM-5287: Make username, password, and KBA fields H3 elements

  • IAM-5598: Prevent styled terms and conditions included in a journey from making authenticate call fail

  • IAM-5611: Correct ability to revoke custom apps from roles, or edit them from the role view

  • IAM-5641: Custom Endpoints search returned endpoints created by other areas of the UI

  • IAM-5692: Remove console errors when opening the "Add Bravo user" modal

  • IAM-5767: SAML SSO was not remembered when app is saved from another tab after SSO setup

  • IAM-5873: Fix .getTranslation call in Vue

  • OPENIDM-19405: Emails sent from Advanced Identity Cloud that contained special non-ASCII characters would fail

25 Mar 2024

Notices

ForgeRock deprecated the option to let Advanced Identity Cloud tenant administrators skip 2-step verification on Friday, February 3, 2023.

This is a reminder that the end-of-life date for this deprecation is Tuesday, April 2, 2024, when the skip option functionality will be removed from Advanced Identity Cloud.

You have until this date to update your tenants to make 2-step verification mandatory for all tenant administrators. For more information, refer to Tenant administrator mandatory 2-step verification FAQ.

13 Mar 2024

Enhancements

05 Mar 2024

Version 12455.3

Enhancements

  • FRAAS-18788: Add AWS, GCP, and SAP S/4HANA connectors to Advanced Identity Cloud

Fixes

  • FRAAS-18693: Validation bug prevents use of the base64encodedinlined and keyvaluelist ESV expression types

05 Mar 2024

Deprecations

Duo authentication node (FRAAS-19062)

ForgeRock has deprecated the Duo authentication node because Duo has deprecated the Traditional Duo Prompt, which the Duo node uses.

ForgeRock created the Duo Universal Prompt node in anticipation of this deprecation. You should use the Duo Universal Prompt node instead of the Duo node (Deprecated).

28 Feb 2024

Notices

ForgeRock deprecated the option to let Advanced Identity Cloud tenant administrators skip 2-step verification on Friday, February 3, 2023.

The end-of-life date for this deprecation has been moved to Tuesday, April 2, 2024, when the skip option functionality will be removed from Advanced Identity Cloud.

You have until this date to update your tenants to make 2-step verification mandatory for all tenant administrators. For more information, refer to Tenant administrator mandatory 2-step verification FAQ.

20 Feb 2024

Fixes

  • FRAAS-18414: Changes to an out-of-the-box journey can be incorrectly displayed against both realms in a promotion report

16 Feb 2024

Notices

ForgeRock deprecated the option to let Advanced Identity Cloud tenant administrators skip 2-step verification on Friday, February 3, 2023.

The end-of-life date for this deprecation is Friday, March 1, 2024, when the skip option functionality will be removed from Advanced Identity Cloud. You have until this date to update your tenants to make 2-step verification mandatory for all tenant administrators. For more information, refer to Tenant administrator mandatory 2-step verification FAQ.

08 Feb 2024

Key features

Advanced Identity Cloud security guide update

ForgeRock has updated the Advanced Identity Cloud security guide to advise caution with using the X-Forwarded-For HTTP header to identify the originating IP address of a client due to security and privacy concerns.

Instead, you should consider using the X-Real-IP or X-Trusted-Forwarded-For HTTP headers as trusted replacements. Refer to Identify originating client IP addresses.
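The following Python is an added illustration of the point above, not code from the Advanced Identity Cloud platform or from its security guide. It contrasts the common unsafe pattern (trusting the first X-Forwarded-For entry, which the client itself can supply) with a resolver that prefers a header only the trusted edge sets (the changelog names X-Real-IP and X-Trusted-Forwarded-For) and otherwise walks X-Forwarded-For from the right, past proxies it operates. The proxy address ranges, header handling policy and sample requests are constructed for the example.

```python
"""Resolve the originating client IP behind a proxy tier (added example)."""
import ipaddress
from typing import Mapping, Optional

# Constructed for the example: address ranges of the proxies we operate.
TRUSTED_PROXIES = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
)

# Headers the changelog names as trusted replacements; assumed here to be set
# by our own edge and stripped from inbound requests before they reach us.
TRUSTED_HEADERS = ("X-Real-IP", "X-Trusted-Forwarded-For")


def _parse_ip(value: str):
    """Return an ip_address object, or None if the text is not a single IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _is_trusted_proxy(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def naive_client_ip(headers: Mapping[str, str], peer_addr: str) -> str:
    """Unsafe but common: trust the leftmost X-Forwarded-For entry.

    The leftmost entry is whatever the client sent in its own request, so
    anyone can choose the address that ends up in audit logs or allowlists.
    """
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return peer_addr


def client_ip(headers: Mapping[str, str], peer_addr: str) -> Optional[str]:
    """Hardened resolution: only evidence produced by our own proxies counts.

    Returns None (fail closed) when a trusted header or the X-Forwarded-For
    chain is malformed, so callers do not silently log a garbage value.
    """
    peer = _parse_ip(peer_addr)
    if peer is None:
        return None
    if not _is_trusted_proxy(peer):
        # Connection did not come through our proxy tier: every forwarding
        # header was written by the client and is ignored.
        return str(peer)

    lowered = {k.lower(): v for k, v in headers.items()}
    for name in TRUSTED_HEADERS:
        value = lowered.get(name.lower())
        if value is not None:
            addr = _parse_ip(value)
            return str(addr) if addr is not None else None

    xff = lowered.get("x-forwarded-for")
    if xff:
        # Walk from the right: each proxy appends the peer it saw, so the
        # rightmost entries are ours. The first address that is not one of
        # our proxies is the client as seen by our edge; entries left of it
        # were supplied by untrusted parties and are ignored.
        for raw in reversed(xff.split(",")):
            addr = _parse_ip(raw)
            if addr is None:
                return None
            if not _is_trusted_proxy(addr):
                return str(addr)
    return str(peer)


# Constructed sample requests: (headers, TCP peer address).
SAMPLE_REQUESTS = [
    # Edge set X-Real-IP; client also smuggled a fake XFF entry.
    ({"X-Real-IP": "203.0.113.7", "X-Forwarded-For": "198.51.100.99, 203.0.113.7"}, "10.0.0.5"),
    # No trusted header; client prepended a spoofed entry to XFF.
    ({"X-Forwarded-For": "198.51.100.99, 203.0.113.7, 10.0.0.8"}, "10.0.0.5"),
    # Direct connection, not via our proxies; XFF is client-controlled.
    ({"X-Forwarded-For": "127.0.0.1"}, "203.0.113.9"),
    # Trusted header present but malformed: fail closed.
    ({"X-Real-IP": "not-an-ip"}, "10.0.0.5"),
]


def resolve_all():
    """Return (naive, hardened) results for every sample request."""
    return [(naive_client_ip(h, p), client_ip(h, p)) for h, p in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (headers, peer), (naive, hardened) in zip(SAMPLE_REQUESTS, resolve_all()):
        print(f"peer={peer} headers={headers}\n  naive={naive}  hardened={hardened}")
```

In the second sample the naive resolver reports the spoofed 198.51.100.99 while the hardened one reports 203.0.113.7, the address the edge proxy actually saw; in the third, a direct connection, every header is discarded.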

06 Feb 2024

Key features

Create and manage custom relationship properties (OPENIDM-19106, OPENIDM-19109)

You can now create and manage custom relationship properties using the Advanced Identity Cloud admin UI.

Schema API improvements (OPENIDM-19107)

You can now directly modify managed object schemas over REST using the schema API. This capability includes configuring custom relationship properties.

Password timestamps (OPENIDM-19262)

Enabling this new feature lets you view or query when a user password was last changed and when it is set to expire.

Fingerprint Profiler and Fingerprint Response nodes (TNTP-130)

The Fingerprint nodes let you integrate your Advanced Identity Cloud environment with the Fingerprint platform to help reduce fraud and improve customer experience.

iProov Authentication node (TNTP-131)

The iProov authentication node integrates Advanced Identity Cloud authentication journeys with the Genuine Presence Assurance and Liveness Assurance products from iProov.

RSA SecurID node (FRAAS-18037)

The RSA SecurID node lets you use the RSA Cloud Authentication Service (RSA ID Plus) or RSA Authentication Manager from within an authentication journey on your Advanced Identity Cloud environment.

Enhancements

  • OPENIDM-17878: Allow access to operational attributes in the Advanced Identity Cloud data store

  • OPENIDM-19674: The relationship-defined virtual property (RDVP) schema editor allows you to edit the flattenProperties property. The managed object schema editor allows you to edit the notifyRelationships property.

Fixes

  • FRAAS-18398: Allow the HTTP OPTIONS method on calls to /openidm/config/* endpoints for CORS preflight checks

  • FRAAS-18526: Script library functionality can’t be used in the UI in certain environments

  • IAM-5656: Fix alignment of text, buttons, and links in Message nodes

  • IAM-5660: Hosted pages not displaying list of themes

  • OPENIDM-18743: Attempts to use connectors fail with null pointer exceptions when operationOptions is defined in the provisioner configuration

  • OPENIDM-18957: The scheduler now attempts to release any triggers it attempted to acquire during a timeout due to an unresponsive repository

  • OPENIDM-19141: Workflow engine queries now properly honor tablePrefix and tablePrefixIsSchema configuration options

  • OPENIDM-19279: Resource collection is required to create a relationship

22 Jan 2024

Key features

Advanced Identity Cloud use case catalog

Introducing the release of the Advanced Identity Cloud use case catalog, a collection of guides that focus on tenant administrator use cases and third-party integrations.

19 Jan 2024

Key features

New Identity Governance capabilities[1][3] (IAM-4617, IGA-1664)

The Workflow UI lets you define custom workflow definitions for all access request types.

Role membership certification, a new certification type for access reviews, lets you review and certify roles and the users who have access to roles. Primary reviewers are role owners, a single user, or users assigned to a role.

09 Jan 2024

Key features

Schedule jobs directly in the Advanced Identity Cloud admin UI (IAM-3489)

You can now schedule the following jobs directly in the Advanced Identity Cloud admin UI without using the IDM admin UI (native console):

  • Scripts: Execute a script at a regular interval.

  • Task scanner: Execute a scan of identities using a complex query filter at a regular interval. The scan can then execute a script on the identities returned by the query filter.

Enhancements

  • FRAAS-7382: Add ability to include JavaScript snippets in login and end-user UIs

  • IAM-4514[1]: Allow reviewers to add user, entitlement, and role columns to an access review

  • IAM-4739: Add read schema option to SCIM application template to discover custom schemas/attributes

  • IAM-5138[4]: Add ability to view reports to end-user UI

  • IAM-5201: Focus on first input field or button automatically upon page load

  • IAM-5268: Add source-missing situation rule to authoritative applications

Fixes

  • IAM-4810: Custom endpoint UI missing context option

  • IAM-5072: Inbound mapping tab shows in target applications

  • IAM-5171: Azure Active Directory application template doesn’t return a user’s role membership

  • IAM-5187: LDAP v2.1 application template doesn’t clear dc=example,dc=com base DN

  • IAM-5238: LDAP application template is missing the group object classes property

  • IAM-5422[1]: Entitlement owner doesn’t show in the entitlement list

  • OPENAM-21856: Introspecting stateless token with IG/Web agents will cause OAuth2ChfException

2023

12 Dec 2023

Key features

Duo Universal Prompt node (FRAAS-15675)

The Duo Universal Prompt node lets you provide two-factor authentication using Duo’s Universal Prompt authentication interface. You can integrate Universal Prompt with your web applications using the Duo Web v4 SDK.

For details, refer to Duo Universal Prompt node.

Enhancements

  • AME-22326: The httpClient available in scripts now automatically adds the current transactionId as an HTTP header. This lets you correlate caller and receiver logs when making requests to other ForgeRock products and services.

  • AME-25392: Add org.forgerock.openam.scripting.api.PrefixedScriptPropertyResolver, used for accessing ESVs from scripts, to the allowlist for SAML2_SP_ADAPTER and SAML2_IDP_ADAPTER script types

  • AME-25433: Add com.sun.crypto.provider.PBKDF2KeyImpl, javax.crypto.SecretKeyFactory, and javax.crypto.spec.PBEKeySpec to the allowlists for Scripted Decision nodes and Configuration Provider nodes

  • AME-25608: Add auditing for opening and closing connections for the LDAP decision node, ID Repo service, and Policy Configuration service

  • AME-25630: Add java.security.spec.InvalidKeySpecException to the allowlist for the Scripted Decision and Configuration Provider nodes

  • FRAAS-17939: Some connectors included with Advanced Identity Cloud were upgraded to the following versions:

    1.5.20.19

    For details, refer to 1.5.20.19 Connector changes.

    • Microsoft Graph API connector

    • SCIM connector

    1.5.20.18

    For details, refer to 1.5.20.18 Connector changes.

    • Google Apps connector

    • Microsoft Graph API connector

    • Salesforce connector

    • SCIM connector

    • Workday connector

  • IAM-4511: Hide fields in the Users & Roles tab when editing and creating unreadable properties

  • IAM-4615: Add a "Skip to main content" link to page headers

  • OPENAM-16897: The OAuth 2.0 Device grant flow can now return either JSON or HTML

  • OPENIDM-19037: Update property value substitution to reflect boolean value in the UI

Fixes

  • COMMONS-1397: Audit event log entries not logged due to thread contention

  • FRAAS-17686: Add org.forgerock.json.jose.jwe.JweHeader to the allowlists for the AUTHENTICATION_TREE_DECISION_NODE and CONFIG_PROVIDER_NODE script types

  • IAM-4401: Disabling Clear-Site-Data header breaks realm login

  • IAM-4991: When a suspendedId is in use, redirect to failureUrl fails

  • IAM-5075: Login messages are read twice by screen readers

  • IAM-5186: User identity related values aren’t saved after removal

  • OPENAM-17331: Disabled SNS endpoints can now be re-enabled

  • OPENAM-17816: OAuth 2.0 requests without a Content-Type header fail with a 500 error

  • OPENAM-19282: Recovery Code Display node only works immediately after a registration node

  • OPENAM-19889: Policy evaluation fails when subject is agent access token JWT

  • OPENAM-20026: Social IDP with trailing whitespace in the name can’t be deleted using the UI

  • OPENAM-20329: Issuer missing from OAuth 2.0 JARM response

  • OPENAM-21053: Missing userId from access audit log when org.forgerock.security.oauth2.enforce.sub.claim.uniqueness=false in JWT client authentication flow

  • OPENAM-21421: Scripting logger name isn’t based on logging hierarchy convention

  • OPENAM-21476: Persistent cookie is not created when using Configuration Provider node

  • OPENAM-21484: When introspecting a stateful refresh token, known OAuth 2.0 claims fields are now returned as a string rather than nested in a list

  • OPENIDM-19328: Fix queued sync to recover following node restart

30 Nov 2023

Fixes

  • IAM-5275: Advanced Identity Cloud admin UI doesn’t add query parameters to the logout URL

  • IAM-5289: Fix warning message when maxidletime is greater than 24.8 days

Notices

ForgeRock deprecated the option to let Advanced Identity Cloud tenant administrators skip 2-step verification on Friday, February 3, 2023.

The end-of-life date for this deprecation is Friday, March 1, 2024, when the skip option functionality will be removed from Advanced Identity Cloud. You have until this date to update your tenants to make 2-step verification mandatory for all tenant administrators. For more information, refer to Tenant administrator mandatory 2-step verification FAQ.

14 Nov 2023

Key features

Next generation scripting enhancements (AME-25928)

The next generation scripting engine for journey decision node scripts lets you:

  • Reduce the need to allowlist Java classes with a stable set of enhanced bindings.

  • Simplify scripts with fewer imports and more intuitive return types that require less code.

  • Debug efficiently with clear log messages and a simple logging interface based on SLF4J.

  • Make requests to other APIs from within scripts with a more intuitive HTTP client.

  • Modularize your scripts by reusing common code snippets, including external libraries such as CommonJS, with library scripts.

  • Access identity management information seamlessly through the openidm binding.

The next generation engine can’t use legacy scripts.

If your Scripted Decision node uses legacy scripts, you must convert them to use updated bindings to take advantage of the benefits of the next generation scripting engine.

Where possible, you should migrate legacy scripts to take advantage of next generation stability.

For more information, refer to Next-generation scripts.

Gateway Communication node (FRAAS-17380)

Lets Advanced Identity Cloud authentication journeys communicate directly with PingGateway.

This secure communication channel extends the Advanced Identity Cloud capabilities with PingGateway features, such as validating a Kerberos ticket and performing other certificate handshakes.

For details, refer to Gateway Communication overview.

Enhancements

  • FRAAS-3841: Activate and deactivate journeys in the Advanced Identity Cloud admin UI. Refer to Deactivate journeys.

  • IAM-4191: Allow tenant session cookie name to be configured. Refer to Session cookie name.

  • IAM-4735: Add support for schema discovery in application templates

  • IAM-4806: Show outbound tenant IP addresses in Advanced Identity Cloud admin UI. Refer to Access global settings.

  • IAM-4853: Add AS400 application template. Refer to the AS400 section in Provision an application.

Fixes

  • FRAAS-16785: Incorrect positioning of reCAPTCHA v2 elements

  • FRAAS-17883: Tenant administrators cannot save edits to their personal information

  • IAM-2936: Journeys hang indefinitely when using a State Metadata node within a Page node

  • IAM-4521: Screen readers announce field labels twice

  • IAM-4956: Advanced Identity Cloud admin UI doesn’t use the current realm when logging out

  • IAM-5113: Unable to remove an NAO assignment from a user in Advanced Identity Cloud admin UI

  • IAM-5226: Tenant administrator security questions should not be shown when editing personal information

  • IAM-5240: No error message displays when a tenant administrator fails to save edits to their personal information

31 Oct 2023

Key features

New Autonomous Access capabilities[5] (DATASCI-1269)

Autonomous Access User access behavior and tenant access behavior UI pages let administrators understand the typical authentication behavior for a selected user or for all users in the tenant for the past six months by displaying key metrics. Administrators can filter the UI to show certain login metrics, like time of day, city, country, day of week, device used for login, operating system, and browser type. Administrators can also compare a selected user’s authentication behavior to that of the authentication attempts for all other users in the tenant.

Enhancements

  • FRAAS-17373[6]: The following connectors included with Advanced Identity Cloud were upgraded from 1.5.20.15 to 1.5.20.17:

    • Adobe Marketing Cloud connector

    • Google Apps connector

    • Microsoft Graph API connector

    • Salesforce connector

    • SCIM connector

    Some highlights include:

    • OPENICF-900: SCIM connector: Add support for dynamically generated SCIM schemas

    • OPENICF-2453: SCIM connector: Persist optional refresh token upon successful access token renewal

    For a complete list of enhancements and fixes, refer to Connector changes.

  • IAM-4211: Display disaster recovery region in the Advanced Identity Cloud admin UI

  • IAM-4369: Remove AM applications from application list view

  • IAM-5045: Display pop-up warning when an end user is about to be logged out of an Advanced Identity Cloud hosted page

Fixes

  • ANALYTICS-311: The USER-LAST-LOGIN report doesn’t show results if the last journey failed

  • FRAAS-17413: Improve IDM service reliability during upgrades and routine maintenance

  • IAM-4698: Fix accessibility issues with messages in page nodes

  • IAM-4812: Correctly save array ESVs containing newline characters

  • IAM-4863: Display ESV buttons properly when the user gives them focus

  • IAM-4877: Display ESV selection button properly while user is modifying a script associated with a Scripted Decision node

17 Oct 2023

Key features

OneSpan Identity Verification node (FRAAS-13738)

Sends a request to OneSpan to analyze the image and determine whether the document is genuine or fraudulent.

For details, refer to OneSpan Identity Verification node.

OneSpan Get User Authenticator (FRAAS-13160)

Retrieves the authenticators assigned to a user and helps enable the user’s authentication and security levels.

For details, refer to OneSpan Get User Authenticator node.

New Identity Governance capabilities[1] (IGA-1691)

Access requests let end users request access to resources and let managers request that access be removed from their delegates. The list of resources an end user can request access to is referred to as the access catalog.

Manage access request workflows is a new feature that lets you optionally define flows to include business logic, decisions, and approvals. For example, decide what happens when an approver rejects an access request for an application. Workflows currently supports only access request-related features.

New options in the Advanced Identity Cloud end-user UI let end users submit access requests, submit requests to remove access, and review assigned request items:

  • The My Requests option lets you view and create access requests to resources (applications, roles, entitlements) for yourself or on behalf of others.

  • The My Directory > Direct Reports option lets managers submit access removal requests.

  • The Inbox > Approvals option lists request items (requests an end user submits) for an approver (designated owner) to act on.

Enhancements

  • IAM-3648: ESV placeholders can now be entered from a drop-down list

  • IAM-3651: ESV placeholders can now be entered from key-value input fields

  • IAM-4236: Improve layout of the applications reconciliation tab

  • IAM-4367: Separate the connection status of OAuth 2.0 client applications into a dedicated list

  • IAM-4662: ESV placeholders can now be entered from tag input fields

  • IAM-4717: Added date, datetime, and time fields to the login UI

  • IAM-4789: Grant roles now show temporal constraints

  • OPENAM-20847: Sanitized HTML can now be added into messages for the Email Suspend node

Fixes

  • FRAAS-17235: Validate ESV values correctly when they are wrapped in white space

  • FRAAS-17283: Tenant status pages not automatically updated during downtime

  • IAM-4235: Passthrough authentication using AD connector fails if set up in UI and user DN includes a space

  • IAM-4418: Fix accessibility issues with multi-select input fields

  • IAM-4489: Align checkbox color with other form elements

  • IAM-4491: Correctly label sidebar buttons when expanded or collapsed

  • IAM-4492: Make navigation bars in end-user UI accessible for screen readers

  • IAM-4528: Outbound reconciliation mapping preview shows generated password value

  • IAM-4798: The aria-label is now correctly displayed for all component types on sidebar buttons

  • OPENIDM-19192: Personal information is still editable by end users when User Editable is set to false

03 Oct 2023

Key features

Query Parameter node (AME-24069)

Allows you to insert query parameter values from a journey URL into configurable node state properties. This lets you customize journeys based on the query parameter values.

For details, refer to Query Parameter node.

Enhancements

  • IAM-3650: Add a drop-down menu to checkbox inputs for selecting ESV placeholders

  • IAM-3826: Add the ability to specify a source and transformation script when mapping application properties.

  • IAM-4515: Include autocomplete attribute with login form fields

  • IAM-4525: Update profile picture modal with accessibility improvements for screen readers

  • IAM-4567: Add a warning when running reconciliations and selecting the persistAssociations option. For details, refer to View a report about the last reconciliation.

  • IAM-4576: Increase time on screen for loading spinner so that screen readers can announce it

  • IAM-4616: Include contextual information with the show/hide buttons for improved accessibility

  • OPENAM-21073: Request headers are now accessible in OAuth 2.0/OIDC scripts for OIDC_CLAIMS, OAUTH2_ACCESS_TOKEN_MODIFICATION, and OAUTH2_MAY_ACT script contexts using the requestProperties binding

  • OPENAM-21346: Add classes java.util.concurrent.TimeUnit, java.util.concurrent.ExecutionException, and java.util.concurrent.TimeoutException to the scripting allowlist

  • OPENAM-21355: Jakarta AWS region (ap-southeast-3) enabled for the PingAM push notification service

  • OPENAM-21416: Canada Central AWS region (ca-central-1) enabled for the PingAM push notification service

Fixes

  • IAM-4366: Provide browser-specific logic to handle alternative CSS for accessibility

  • IAM-4409: Require at least three characters before running identity searches when there are more than 1000 identities of that type

  • IAM-4460: Screen readers read show/hide buttons for security questions as show/hide password

  • IAM-4478: Only allow certain combinations of properties in a mapping transformation script

  • IAM-4493: Fix the heading hierarchy in the UI

  • IAM-4523: Screen readers read avatar alt text when tabbing to action menu

  • IAM-4524: Two buttons with different labels open the same dialog

  • IAM-4568: Do not enable the option to change a user association in the UI

  • IAM-4584: Drop-down boxes fail ADA compliance

  • IAM-4639: String/password field button is highlighted in the UI

  • IAM-4703: Fix display of password fields in some themes

  • IAM-4710: Fix rounded border of password fields in hosted pages

  • IAM-4829: Eye icon displays over the password field highlight box in the UI

  • OPENAM-18599: Allow customization of the error message that displays to end users when their account is locked or inactive using .withErrorMessage() in a Scripted Decision node

  • OPENAM-18685: Use the OAuth2 Provider service in the AM admin UI to specify if tokens issued should contain the subname claim

  • OPENAM-19261: Errors are incorrectly logged when triggered by introspection of tokens using OAuth 2.0 client credentials grant

  • OPENAM-20451: The WebAuthn Registration node now displays an end user’s userName when registering a device when the identity’s name isn’t human-readable

  • OPENAM-21158: Add support for trusted platform module (TPM) attestation using elliptic curve cryptography (ECC) unique parameter validation starting with Windows 11 version 22H2

  • OPENAM-21304: The request_uris field does not populate when OAuth 2.0 clients register using dynamic client registration

26 Sep 2023

Fixes

  • FRAAS-17278: Health status reports for AM, IDM, and Admin services incorrectly reported as available in some situations

  • IAM-4843: The user column in the certification task list now shows a user’s full name instead of only the first name

  • IAM-4903[7]: Fix IGA calls that are not working in a custom domain

  • IAM-4915[7]: Fix Access Review UI that shows the JSON object of the manager relationship in the User Details modal

19 Sep 2023

Fixes

  • OPENAM-21390: Fix caching error to correctly provide data to nodeState when a journey switches server instances

05 Sep 2023

Key features

Salesforce Community User application template (IAM-4340)

Provision, reconcile, and synchronize Salesforce, Salesforce Portal, and Salesforce Community accounts.

OneSpan Auth VDP User Register node (FRAAS-15426)

Registers end users to authenticate using the virtual one-time password (VOTP).

For details, refer to OneSpan Auth VDP User Register node.

OneSpan Auth Assign Authenticator node (FRAAS-15426)

Assigns a VIR10 authenticator to an end user if the end user isn’t already assigned to one. Requires a VIR10 authenticator to be available in the tenant.

OneSpan Auth Generate VOTP node (FRAAS-15426)

Generates a virtual one-time password (VOTP) and delivers it to an end user through the node’s configured delivery method. Requires the end user to be assigned to a VIR10 authenticator.

For details, refer to OneSpan Auth Generate VOTP node.

28 Aug 2023

Key features

Add preference-based provisioning to Privacy and Consent settings (IAM-4243)

End users in target applications can share their data with other applications. After the end user configures a preference to share data with other applications, data from the target application is synchronized with Advanced Identity Cloud.

For details, refer to End-user data sharing.

Enhancements

  • AME-25061: Provide additional context information in Marketplace authentication nodes to enable UI improvements

  • IAM-3502: Add the ability to set and reset a sync token for identity management account object type. For details, refer to Reset the last reconciliation job.

  • IAM-3678: Update error messages and labels in login and signup pages

  • IAM-3962: Improve design of push number challenge page for Push Wait node

  • IAM-4248: Add three additional non-account objects to ServiceNow page

  • IAM-4326: Improve onLink script to handle mapped properties of type array and object

  • IAM-4334: Update SuccessFactors application templates to support Advanced Identity Cloud built-in SuccessFactors connector

Fixes

  • IAM-3877: UI loader spins indefinitely when realm is deactivated

  • IAM-4093: Replace Google Fonts in the login UI to meet GDPR compliance requirements

  • IAM-4176: Advanced setting query filter does not show all available properties

  • IAM-4240: Accessibility issues in Page node when NVDA readers are used

  • IAM-4261: Accessing end-user UI with query parameter "code" displays empty page

  • IAM-4371: Unable to create applications due to userpassword property set

  • IAM-4384: Platform UI does not resume journeys with custom redirect logic

  • IAM-4427: Platform UI does not show assignments for tenants running deprecated application management

  • IAM-4475: Platform UI does not load after tenant administrator signs into an upper tenant during promotion

  • IAM-4533: Journeys do not resume correctly when returning from a social identity provider without a realm identifier

  • IAM-4534: Redirect callbacks for journeys not working correctly

  • OPENAM-18004: Audit logging does not specify transaction IDs correctly for internal requests to certain APIs

  • OPENAM-18709: Calls to the nodeState.get() method in Scripted Decision nodes do not return values in shared state when a variable is stored in both shared state and secure state

  • OPENAM-20230: Calls to classes in the allowlist fail occasionally with access prohibited messages

  • OPENAM-20682: Unable to encrypt id_token error when there are multiple JWKs with the same key ID but different encryption algorithms

  • OPENAM-20691: Session quota reached when oldest session is not destroyed due to race condition

  • OPENAM-20783: Logging is incorrect when the authorization code grant flow is used successfully

  • OPENAM-20920: Null pointer exceptions when a SAML v2.0 binding is null and the SSO endpoint list contains non-SAML v2.0 entries

  • OPENAM-20953: Policy evaluation with a subject type JwtClaim returns HTTP response code 500

  • OPENAM-21001: Custom scripted SAML v2.0 IDP account mappers are determined incorrectly

  • OPENAM-21004: Invalid session ID error when session management is disabled in an OIDC provider

  • OPENAM-21046: The Create Object and Patch Object nodes do not log exception stack traces when they can’t retrieve the object schema

  • OPENAM-21164: XML string formatted incorrectly when using a custom adapter to get the assertion from a SAML v2.0 response

9 Aug 2023

Fixes

  • FRAAS-16471: ESV variables and secrets API endpoints slow for large result sets

  • FRAAS-16271: ESV secrets could be incorrectly marked as "not loaded" when tenant has many ESVs

19 Jul 2023

Deprecations

Introspect endpoint GET requests and URL query string parameters (FRAAS-10638)

ForgeRock has deprecated the following behaviors of the OAuth 2.0 introspect endpoint in Advanced Identity Cloud:

  • Accept GET requests

  • Accept data in POST requests from URL query string parameters

You can continue to use these behaviors, but they will be removed on July 19, 2024. Instead, when using the OAuth 2.0 introspect endpoint, you should use POST requests and pass data in the POST request body.

Refer to /oauth2/introspect.

17 Jul 2023

Fixes

  • OPENIDM-19245[4]: Fix IDM version qualifier to prevent ForgeRock REST proxy error

11 Jul 2023

Fixes

  • FRAAS-15974: Unable to promote empty configuration to reset staging environment

07 Jul 2023

Fixes

  • FRAAS-16041: Support Basic Authentication for Identity Cloud logging endpoints

  • OPENIDM-19240[4]: Fix the "internal server error" message when configuring reconciliation mappings

27 Jun 2023

Key features

New Identity Governance capabilities[1] (IGA-1592)

Entitlements are specific permissions given to an account in an onboarded target application. Each entitlement correlates to a permission. Pull in entitlements from all onboarded target applications into Advanced Identity Cloud for use in certifications.

Entitlement assignment certification, a new certification type for access reviews, lets you review and certify entitlements and the users who have access to entitlements on some or all applications. Primary reviewers are entitlement owners, a single user, or users assigned to a role.

The governance glossary lets you attach business-friendly attributes to applications, entitlements, and roles to add more specificity to the data you review in access certifications.

New options in the Advanced Identity Cloud end-user UI let you view your access, your direct reports, and the access your direct reports have:

  • The My Access option lets you view your access in Advanced Identity Cloud and onboarded target applications. This includes accounts from onboarded target applications, roles you are assigned in Advanced Identity Cloud, and entitlements or privileges you have in onboarded target applications.

  • The Direct Reports option lets you get access information for individuals you manage. This includes their profile information, accounts from onboarded target applications, roles they are assigned in Advanced Identity Cloud, and entitlements or privileges they have in onboarded target applications.

Lexis-Nexis ThreatMetrix Authentication nodes (FRAAS-15325)

Integrate Lexis-Nexis ThreatMetrix decision tools and enable device intelligence and risk assessment in Advanced Identity Cloud.

For details, refer to ThreatMetrix Authentication nodes.

Filter log results (FRAAS-15378)

Use the _queryFilter parameter to filter log results on any field or combination of fields in a payload. For details, refer to Filter log results.

Microsoft Graph API email client (OPENIDM-17899)

Configure the email client to use the MS Graph API Client for sending email.

For more information, refer to Microsoft Graph API email client.

Included connectors and framework upgraded to OpenICF 1.5.20.15

The connectors included with Advanced Identity Cloud have been upgraded from version 1.5.20.12 to 1.5.20.15. Some highlights include:

  • MS Graph API Connector: Add the ability to read application and servicePrincipal object (OPENICF-2208)

  • MS Graph API Connector: Implement application role assignments (OPENICF-2269)

  • SCIM Connector: Support for throttling (OPENICF-1916)

For a complete list of enhancements and fixes, refer to Connector changes.

Enhancements

  • IAM-2826: Filter the "Assignments" tab for identities so that it does not show overrides, entitlements, or resources

  • IAM-3408: Let provisioners use a range of connector versions

  • IAM-3677: Remove increment/decrement arrows from numeric input fields

  • IAM-3678[4]: Improved ADA accessibility for error messages associated with input fields

  • IAM-3982: Let users filter risk activity using distributed attack as a risk reason

  • IAM-3983: Show distributed attack as a risk reason in the risk dashboard

  • IAM-4051: Improved ADA accessibility for drop-down boxes

  • IAM-4053: Improved ADA accessibility when NVDA readers are used on pages that use the Page node

  • IAM-4074: Add a loading animation to the pie chart component

  • IAM-4136: Use the tab key to move focus and remove tags in multi-select components

Fixes

  • FRAAS-5756[4]: Journeys don’t resume after authentication in downstream identity provider

  • FRAAS-9230: Sanitize aria-hidden fields

  • FRAAS-14214: Changing an existing ESV type is now denied by the API and new ESVs always require an explicit type

  • FRAAS-14262: Include changes to group privileges in the configuration promotions report

  • FRAAS-14706: Improve the detection of changes to complex configuration files and IDM script hooks in promotion reports

  • FRAAS-14897: Improve the rate limiting behavior of the /monitoring/logs endpoint

  • IAM-2026: Support versioning of the application and connector templates

  • IAM-2713: Prohibit editing of managed application objects

  • IAM-2972: Route users to the correct realm after granting Salesforce permissions

  • IAM-3089: Unable to exit a social provider and select a different social provider in a journey

  • IAM-3594: Correctly redirect control to the End User UI after authenticating with itsme

  • IAM-3719: Modals not showing display access review comments and activity

  • IAM-3939: Let end users switch to a different authentication journey

  • IAM-4013: When using a custom domain, originalLoginRealm is set incorrectly

  • IAM-4116: Don’t let access review users add reviewers with greater privileges than they themselves have

  • IAM-4134: User pop-up is visible in "Entitlement" tab

  • IAM-4200: Last certified date, decision, and actor displaying incorrectly in Governance account details

  • IAM-4242: Add "Conflicting changes" category to reconciliation summary

  • IAM-4289: Unable to assign non-account object properties to roles

  • IAM-4293: Access reviews and line items not shown for staged campaigns

  • IAM-4295: Reviewer not redirected back to pending reviews after access review sign off

  • OPENIDM-17481: Managed object schema can now describe a field as a nullable array and specify a default value for this field if not provided in a create request

  • OPENIDM-17771: Processing of a large number of scheduled jobs no longer causes all scheduled tasks to continuously misfire

  • OPENIDM-18192: Updating a relationship-defined virtual property (RDVP) on a managed object by signal receipt no longer causes other RDVP state within that object to be lost

  • OPENIDM-18292[4]: Add support for the _fields request parameter to the sync getTargetPreview endpoint.

  • OPENIDM-18360: Use the full object state when validating requests made by a delegated administrator to modify a relationship

  • OPENIDM-18613: Provide the ability to remove the userPassword attribute

  • OPENIDM-18644: Correctly determine whether it’s possible to configure clustered reconciliation

  • OPENIDM-18807[4]: Update user provisioning workflow sample to check for empty manager strings

  • OPENIDM-18895: Fixes support for multi-version concurrency control on managed object patches and updates

  • OPENIDM-18898[4]: Add support for the _countOnly parameter in identity management scripts

  • OPENIDM-18980[4]: Add a new metric to measure the duration of a LiveSync event

  • OPENIDM-19098[4]: Enable ES6 support for identity management scripts

13 Jun 2023

Key features

Administrator federation enhancements (FRAAS-12097)

Groups support

The new groups feature allows you to add and remove administrators depending on group membership in your identity provider. Using administration groups lets you automate the granting and removing of access for administrators who are being onboarded, switching roles, or leaving your organization.

OIDC Federation

OIDC is now supported as a federation identity provider, along with Microsoft ADFS and Microsoft Azure.

OIDC ID Token Validator node (OPENAM-13293)

The new OIDC ID Token Validator node lets Advanced Identity Cloud rely on an OIDC provider’s ID token to authenticate an end user. The node evaluates whether the ID token is valid according to the OIDC specification.

For details, refer to OIDC ID Token Validator node.

Scripted SAML 2.0 SP adapter (AME-21638)

Customize the SAML 2.0 SP adapter using a script.

For details, refer to SP adapter.

Enhancements

  • AME-24073: Expose the prompt_values_supported parameter of the provider configuration at the OIDC .well-known endpoint

  • AME-24175: Provide additional classes in the allowlist for scripts used in the Scripted Decision node

  • FRAAS-13293: Provide more accurate and granular information in promotion reports

  • FRAAS-14063: Remove orphaned unused scripts during promotion

  • FRAAS-15022: Improve promotion reports

  • IAM-2561: Allow adding applications to a user or role from the Identities > Manage page

  • IAM-3666: Add alternative text to QR code image

  • IAM-3676: Add keyboard controls to UI to select multiple values in multivalued lists

  • IAM-4030: Improve handling of identity provider and groups claims

  • IAM-4031: Generic OIDC configuration returns HTTP 400 Bad Request

  • OPENAM-18692: Set the minimum value for the Default Max Age property to 0

  • OPENAM-19745: Add support for EdDSA signing algorithm to WebAuthn Registration node

  • OPENAM-20541: Add additional inner classes to scripting allowlist to support RSA keypair generation

Fixes

  • AME-24026: Allow specifying inputs required by the provider scripts in the Configuration Provider node

  • IAM-3550: When attempting to validate Office 365 applications, a blank screen appears

  • IAM-3580: Improve service accounts UI including error handling

  • IAM-4032: Federation enforcement is missing from the UI

  • FRAAS-10816: Include thread ID and remove control characters from some Identity Cloud log files for easier log correlation

  • FRAAS-14956: Promotion preview and report not showing all configuration changes

  • FRAAS-15188: Ensure environments can be recreated after deletion

  • OPENAM-12030: Authentication node instances are deleted when journeys containing them are deleted

  • OPENAM-13329: Display journeys with spaces in their name in the Authentication Configuration drop-down menu

  • OPENAM-13766: Route user session based on whether policy evaluation is requested or not

  • OPENAM-17179: Correctly delete a script if its referring journey is deleted

  • OPENAM-17566: Display account name instead of UUID in the ForgeRock Authenticator when using MFA

  • OPENAM-18488: Support certificate-based attestation in certificate chains terminating at an intermediate CA

  • OPENAM-20082: Show correct error message to locked out users

  • OPENAM-20104: Fix the fragment response mode for the OAuth 2.0 authorize endpoint

  • OPENAM-20187: Fix the "waiting for response" page so that it fails authentication as configured in the authentication journey

  • OPENAM-20230: Prevent class allowlist from failing for classes already on the allowlist

  • OPENAM-20318: Allow a restricted set of HTML tags to be rendered in page node headers and descriptions

  • OPENAM-20360: Fix default URL encoding to ensure ampersand characters are not double encoded in a SAML assertion

  • OPENAM-20386: Fix authentication node state reconciliation in some complex journeys

  • OPENAM-20451: Fix WebAuthn registration node to return a human-readable username

  • OPENAM-20457: Device Location Match node routes to "Unknown Device" outcome instead of failing the authentication journey when the previously stored location of the device is not provided

  • OPENAM-20479: Enhance OIDC authentication to handle unsecured JWS requests

Deprecations

Deprecate health check endpoints (FRAAS-15623)

ForgeRock has deprecated the following Advanced Identity Cloud health check endpoints:

  • /am/isAlive.jsp

  • /am/json/health/live

  • /am/json/health/ready

  • /openidm/info/ping

You can continue to use the endpoints, but they will be removed on June 13, 2024.

You should update any external monitoring to use the Advanced Identity Cloud /monitoring/health endpoint instead.

07 Jun 2023

Key features

UAT environment (FRAAS-13196)

You can now add one additional environment to your standard promotion group of development, staging, and production tenant environments. A UAT environment has the same capabilities as your staging environment, which allows your organization an additional production-like environment in which to test your development changes.

A UAT environment is an add-on capability.

For details, refer to UAT environments.

Secure Connect (FRAAS-15187)

You can now use ForgeRock Secure Connect to create dedicated, direct, and secure communication between your Advanced Identity Cloud network and your private network, such as an on-premises data center or IaaS provider. Secure Connect bypasses the public internet, improving latency, throughput, and security.

Secure Connect is a limited availability feature.

For details, refer to Secure Connect.

31 May 2023

Enhancements

  • DATASCI-1267[8]: Autonomous Access dashboard is now realm-based

  • DATASCI-1330[8]: Autonomous Access can use blocklists and allowlists of IP addresses

  • DATASCI-1336[8]: Autonomous Access can avoid putting users in double jeopardy

30 May 2023

Fixes

  • FRAAS-12469: Automatically create a status page account for new tenants

16 May 2023

Key features

PowerShell connector

Use the PowerShell Connector Toolkit to register a connector that can provision any Microsoft system.

For details, refer to PowerShell.

SAP SuccessFactors Account or SAP SuccessFactors HR connector

Use the SAP SuccessFactors connectors to synchronize SAP SuccessFactors users with Advanced Identity Cloud users.

Bookmark application

You can now register a bookmark application - for example, OneNote, Evernote, Google Bookmarks, or raindrop.io - to direct users to specific URLs. A bookmark application displays shortcut links on dashboards. When you click one of the links, the browser opens a new tab.

For details, refer to Bookmark.

Microsoft Intune node

Integrates Microsoft Intune to control features and settings on Android, Android Enterprise, iOS/iPadOS, macOS, and Windows 10/11 devices in your organization.

For details, refer to Microsoft Intune node.

Secret Double Octopus (SDO) nodes

PingOne Advanced Identity Cloud integrates with Secret Double Octopus (SDO) to provide high-assurance, passwordless authentication systems that address the diverse authentication needs of a real-world, working enterprise.

For details, refer to Secret Double Octopus (SDO) nodes.

Fixes

  • IAM-2911: Add support for bookmark apps in application management

  • IAM-3472: Update promotions UI to set tenant color dynamically based on the tenant name

  • IAM-3518: Make Auto Access dashboard data realm specific

  • IAM-3560: Add new default SCIM object types and mappings

  • IAM-3563: Access review progress tooltip not working in end-user UI

  • IAM-3630: Add SuccessFactors template and connector configuration

  • IAM-3656: Display sign-off button in access review page in admin UI

  • IAM-3666: Add alt text to QR code

  • IAM-3667: Add visual indication of keyboard focus on input fields

  • IAM-3681: Improve accessibility of the Edit personal info profile dialog

  • IAM-3682: Line items not showing for completed access reviews

  • IAM-3688: Validate campaign deadline dates in admin UI

  • IAM-3703: Campaign owner is duplicated in user drop-down after reconciliation run

  • IAM-3734: Ensure relationship resource collection grids filter based on managed object settings

  • IAM-3778: Allow login UI to work when browser session storage is unavailable

  • IAM-3792: Prevent login UI rendering extra whitespace character in front of text on suspended nodes

  • IAM-3806: Remove beta indicator from the trends chart in admin UI dashboard

  • IAM-3840: Change color of radio button in Choice Collector node

  • IAM-3879: Ensure global variable assignmentResCollection is not overwritten when editing scripts

  • IAM-3887: Enhance onLink script to correctly verify inputs

  • IAM-3910: New PowerShell configuration properties

  • IAM-3922: Risk score definition on autonomous decision node is not working

  • IAM-3937: Risky events are not shown in the risk dashboard

  • IAM-3964: Risk reasons do not display in the risk dashboard

  • OPENAM-18895: Fix API request timeout errors for slow connections

  • OPENAM-20815: Add missing footer to Page node when session expired

  • OPENIDM-18917: Display last name instead of user ID on user profile when no first name is provided

  • TNTP-42: Microsoft Intune marketplace node

  • TNTP-45: Secret Double Octopus marketplace node

02 May 2023

Key features

Support for all Google Fonts for hosted pages

Meet your organization’s brand guidelines by using any Google Font in your hosted pages.

Fixes

  • FRAAS-13247: Set the log API key creation date correctly

  • IAM-1686: Allow any Google Font to be used on hosted pages

  • IAM-3164: Prevent table columns from stacking vertically on smaller viewports

  • IAM-3313[1]: Additional Options section missing from Identity Certification campaign template

  • IAM-3950: End-user UI fails to load when accessing Advanced Identity Cloud in a new tab

  • OPENIDM-18988: Prevent repository reads when anonymous users make requests to info and ping endpoints

21 Apr 2023

Resolved issues

  • OPENIDM-18967[9]: RelationshipArray grid queries use unnecessary &_sortKeys=_id when getting data

18 Apr 2023

Key features

IP allowlisting

Enterprises often need to ensure that requests entering their network come from trusted sources. PingOne Advanced Identity Cloud now offers outbound static IP addresses for all environments.

Outbound static IP addresses let you implement network security policies by setting up allowlists of IPs originating from Advanced Identity Cloud. This adds an extra layer of security to outbound calls to your APIs or SMTP servers.

For more information, refer to Outbound static IP addresses.

Resolved issues

  • FRAAS-5995: Outbound request static IP allows IP allowlisting for new customers

  • FRAAS-9376: Provide the ability to display a login journey in an iframe for specific custom domains. To implement this feature, you need to open a support ticket.

  • FRAAS-13522: Promotion report does not include changes to custom email provider

  • FRAAS-14097: Promotion report should identify journeys by their name

  • FRAAS-14187: Updated user registration cloud logging to capture events from identity providers

  • FRAAS-14260: UI displays "Resource 'managed/alpha_application' not found" message

  • FRAAS-14265: Cannot access ESVs in sandbox tenants

  • FRAAS-14353: Configuration placeholder replacement assumes a string value

  • FRAAS-14475: Certain searches cause NoSuchElementException errors

  • OPENIDM-18957: Update the scheduler to release any triggers it previously attempted to acquire before timing out due to an unresponsive repository

11 Apr 2023

Key features

PingOne® Identity Governance (add-on capability)

PingOne Identity Governance is a new add-on capability that allows you to centrally administer and manage user access to applications and data across your organization to support regulatory compliance.

With Identity Governance you can:

  • Work with onboarded target applications when reviewing user data. This allows you to review user data for onboarded applications.

  • Define and launch reviews of data using certification campaigns.

  • Review and manage user access to applications. This includes managers reviewing the access their direct reports have.

For more information, refer to About Identity Governance.

To purchase an Identity Governance subscription, contact your ForgeRock representative.

Administrator federation

Administrator federation allows administrators to use single sign-on (SSO) to log in to an Advanced Identity Cloud tenant.

By using federation to authenticate your administrators to Advanced Identity Cloud, you can quickly and easily deprovision an administrator by removing their access from your centralized identity provider.

Resolved issues

  • IGA-1433: Initial release of Identity Governance with identity certifications

  • FRAAS-5416: Administrators can access Advanced Identity Cloud using single sign-on from another identity provider

  • OPENDJ-9295[4]: Search with BigIndex throws a NoSuchElementException error

29 Mar 2023

Key features

OneSpan authentication journey nodes

The new OneSpan authentication journey nodes integrate OneSpan Intelligent Adaptive Authentication (IAA) scoring for identity proofing, continuous authentication, and fraud protection.

For details about OneSpan authentication integration set up, refer to OneSpan.

Jumio identity verification

The new Jumio identity verification integrates with Jumio’s NetVerify service to easily and securely verify identity by using facial recognition to authenticate against government-issued IDs.

For details about Jumio identity verification, refer to Jumio identity verification.

Logout for all server-side sessions for a user or set of users

Administrators can now invalidate (log out) all server-side sessions for a user by sending a POST request to the json/sessions endpoint with the logoutByUser action, specifying the username in the request payload.

Composite advice with an AuthLevelCondition in journeys

Composite advice gives AM hints about which authentication services to use when logging in a user. Journeys now take into account the AuthLevelCondition composite advice.

For example, you can now use AuthLevelCondition composite advice so that AM uses a journey that provides an authentication level of 10 or higher.

Promotions API documentation

The promotions API documentation is now publicly available at https://apidocs.id.forgerock.io/#tag/Promotion.

SCIM built-in connector

You can now use the SCIM built-in connector to manage user and group accounts on any SCIM-compliant resource provider.

Support for REST connector applications

Application management now lets you create, provision, and manage REST connector applications.

For details, refer to Scripted REST connector.

Resolved issues

  • AME-21638: Scripted plugin for SAML 2.0 SP Adapter

  • AME-22942: Log out all server-side sessions for a user or set of users so that they have to reauthenticate

  • FRAAS-5416: Let administrators access Identity Cloud using single sign-on from another identity provider

  • FRAAS-8225: The promotions API documentation is now publicly available at https://apidocs.id.forgerock.io/#tag/Promotion

  • FRAAS-8709: Include the log sources in the logged events

  • FRAAS-12402: Add /platform/oauthReturn route to support authentication for Salesforce and Google Apps

  • FRAAS-12413: OIDC login from a custom domain results in blank page

  • FRAAS-13454: Integrate Jumio identity verification journey nodes

  • FRAAS-13555: Integrate OneSpan authentication nodes

  • FRAAS-13478: Promotions report shows changes that it shouldn’t

  • FRAAS-13597: Remove unexpected changes from promotion reports

  • FRAAS-13866: Let Identity Cloud administrators access policy configuration

  • FRAAS-13933: Make managed groups visible in the AM admin UI

  • FRAAS-13974: Add class sun.security.ec.ECPrivateKeyImpl to scripting allowlist

  • FRAAS-13983: Remove OneSpan nodes from the Basic Authentication journey node list

  • FRAAS-14030: Add inner classes from java.security and java.crypto packages to scripting allowlist

  • FRAAS-14069: Add IdPCallback class to scripting allowlist

  • FRAAS-14260: UI displays "Resource 'managed/alpha_application' not found" message

  • FRAAS-14265: Cannot access ESVs in sandbox tenants

  • IAM-662: Fixed agent logout in platform UI

  • IAM-2879: Allow properties in forms to be reordered

  • IAM-2921: In the Dashboard, the total number of applications that display in the Applications box now includes those applications registered using the new app catalog in tenants created on or after January 12, 2023.

  • IAM-3089: Unable to exit a social provider and select a different social provider in a journey

  • IAM-3094: Add support for enumerated values in array attributes

  • IAM-3156: Update the descriptive text in the "Add Property" modal to be more accurate

  • IAM-3160: Added ability to configure the scripted Groovy connector

  • IAM-3180: Hide the SSO tab when an application is authoritative

  • IAM-3193: Updated SCIM app template to only show the refresh token property for OAuth authentication

  • IAM-3261: Adjust Autonomous Access risk filter to better handle scoring edge cases

  • IAM-3262: Adjust menu width on the Autonomous Access Risk Administration page

  • IAM-3303: Enable clicking a row to edit entries on the service accounts page

  • IAM-3304: Added breadcrumbs to the service accounts page

  • IAM-3305: Added a search field to the service accounts page

  • IAM-3461: Fix display of OAuth 2.0 applications with a UUID for a name

  • IAM-3462: Corrected AD template property from ENABLED to ENABLE

  • IAM-3478: Addressed accessibility concerns when displaying password policy validation

  • IAM-3492: Fix objects ending in application or assignment not appearing in the Privileges tab

  • IAM-3642: Fixed an issue with unselected applications being imported when promoting, and improved the user experience for selecting and deselecting applications in the promotions UI

  • IAM-3694: Added ability to customize the success color in hosted pages

  • IAM-3760: Apple social authentication works with other authentication methods

  • OPENAM-16374: Add support in journeys for composite advices that use an AuthLevelCondition

  • OPENAM-18270: Don’t raise errors when calls to the access_token endpoint specify the scope parameter in OAuth2 authorization_code exchange

  • OPENAM-18488: Handle the CA certificate correctly for Windows Hello attestations

  • OPENICF-400: The LDAP connector now correctly reads the AD Account tokenGroups attribute

  • OPENICF-1762: IBM RACF API connector

  • OPENICF-1858: Add group owners management support to the Microsoft Graph API connector

  • OPENICF-2033: PeopleSoft connector v2.0

  • OPENICF-2039: Add archived, languages, isEnrolledIn2Sv, and isEnforcedIn2Sv fields to the Google Apps connector

  • OPENICF-2067: Adjust license assignments as part of the user creation and update operations in the Google Apps connector

  • OPENICF-2068: The Microsoft Graph API connector now lets you assign and revoke directory roles to an Azure AD user account and query the target instance for roles

  • OPENICF-2088: The Microsoft Graph API connector now lets you assign and revoke custom roles to an Azure AD user account and query the target instance for roles

  • OPENICF-2102: Assign and revoke PermissionSets and Groups to Salesforce user accounts in the Salesforce connector

  • OPENICF-2110: Expose groups and roles through user object in the ServiceNow connector

  • OPENICF-2111: View, update, and remove a group’s roles through the role object in the ServiceNow connector

  • OPENICF-2129: The LDAP connector now includes a parameter to use isMemberOf by ldapGroups

  • OPENICF-2192: In the Google Apps connector, don’t throw an NPE when updating a user with a change to license assignments if _NAME_ is not specified

  • OPENICF-2194: In the GoogleApps connector, the PATCH remove operation doesn’t update the object when both the field and value are provided

  • OPENIDM-17876: Query filter editor no longer removes double quotes from all properties that aren’t of type string

  • OPENIDM-17936: Saving changes to the authzRoles field on users no longer overrides the field type

  • OPENIDM-18001: Country codes in locales are no longer ignored when sending emails

  • OPENIDM-18077: Added new default policy, cannot-contain-others-case-insensitive

  • OPENIDM-18153: Custom script exception messages are no longer incorrectly truncated in REST responses

  • OPENIDM-18216: IDM admin UI should query recon association data instead of audit data

  • OPENIDM-18238: Improved resiliency of clustered reconciliations

  • OPENIDM-18243: Validate that connector names are alphanumeric

  • OPENIDM-18260: New sync mapping fields, defaultSourceFields and defaultTargetFields, let you specify which fields to use for read and query requests

  • OPENIDM-18261: Endpoints within /system now support specifying additional fields when using wildcards

  • OPENIDM-18275: The groups' name field is now searchable

  • OPENIDM-18319: An up-to-date target object state is now provided in sync script bindings and sync audit mechanisms

  • OPENIDM-18336: The default assignment object schema now contains a "condition" field

  • OPENIDM-18476: The IDM admin UI now defaults identity object number fields to 0 instead of an empty value

  • OPENIDM-18498: Queued sync not triggered if target is a CREST proxy endpoint

  • OPENIDM-18501: Tenant administrator password policy no longer restricts passwords to a maximum length

  • OPENIDM-18629: Reconciliation job identifiers now use a more precise timestamp

  • OPENIDM-18650: Add new SCIM connector; applications now support creating connections to SCIM services

  • OPENIDM-18865: Script changes cannot be saved unless you click outside the Inline Script box

  • OPENIDM-18868: Inability to save a schedule when you add or remove a passed variable

  • OPENIDM-18870: Inability to delete an inline reconciliation or schedule script

15 Mar 2023

Key features

Improved access to reconciliation logs in Advanced Identity Cloud

You can now view IDM reconciliation logs in your tenant by updating your audit configurations and specifying the log source idm-recon in a call to the logging API endpoint.

For more information, refer to Update audit configuration.

Resolved issues

  • FRAAS-14276: Let administrators add idm-recon as a log source for pulling reconciliation audit activity

  • IAM-3669: Adjust drop-down lists to show the value of the selected option in the form

14 Feb 2023

Key features

Application promotions

You can now use the UI to promote applications between tenant environments. Promoted applications are recreated in the upper environment with any associated static configuration (connectors, mappings, or SAML configuration) and any associated dynamic configuration (OAuth 2.0 clients).

Resolved issues

Issue ID Summary

FRAAS-7542

Control access to hosted account and journey pages

FRAAS-11599

Don’t allow changes to scripts in staging and production environments

FRAAS-13464

Adjust sandbox environment migration to not use development environment migration steps

FRAAS-13809

Autonomous log filters fail in connected environments

IAM-2725

Adjust input field placeholders to clear properly when a user starts typing

IAM-3084

Only allow unique values when adding application owners

IAM-3141

Add the ability to promote dynamic configuration attached to application

IAM-3151

Remove redirect to global settings during administrator login

IAM-3183

Let users filter the trends dashboard by date without resetting the journeys dashboard

IAM-3339

After refreshing the realm settings page, set the current tab using the identifier specified in the URL fragment

IAM-3512

Access Management native console incorrect redirect URL

OPENIDM-16640

Changes to identity objects by onUpdate scripts not triggering relationship property onRetrieve hooks

03 Feb 2023

Key features

Deprecate skip option for tenant administrator MFA

ForgeRock has deprecated the option to let Advanced Identity Cloud tenant administrators skip 2-step verification. Customers can continue to use the skip option in their tenants, but this functionality will be removed from Advanced Identity Cloud on February 3, 2024.

Resolved issues

Issue ID Summary

FRAAS-9679

Deprecate skip option for tenant administrator MFA

31 Jan 2023

Key features

Service accounts

You can now use service accounts to request access tokens for most Advanced Identity Cloud REST API endpoints without relying on a particular identity in your system:

  • Call Identity Cloud APIs programmatically without needing a human identity.

  • Access AM or IDM APIs in the same way using a signed JWT.

  • Set scopes on each service account to assign only necessary permissions to access tokens.

  • Use for automation and CI/CD tooling.

For details, refer to Service accounts.

Resolved issues

Issue ID Summary

FRAAS-13478

Remove unrelated AM root realm changes from promotion reports

FRAAS-13519

Remove unexpected file changes from self-service promotion reports

FRAAS-13620

Improve performance of promotion report generation by removing unrelated data

FRAAS-8477

Service accounts

IAM-1939

Fix hCaptcha support in Platform UI

IAM-2025[4]

Add Uncategorized to the journey category filter

IAM-2224

Replace bullets with checkmarks when validating password policy

IAM-2305[4]

Add support for localized logos in end-user UI

IAM-2847

Increase the size of the terms and conditions modal window

IAM-2912

Enable promotions UI to ignore encrypted secrets

IAM-3011

Update risk configuration UI to show only user-modifiable configuration

IAM-3012

Add new userConfig endpoint to the riskConfig API

IAM-3015

Update risk configuration evaluation UI so that updates use the new APIs

IAM-3016

Fix the gotoOnFail query parameter to redirect in case of failure

IAM-3041

Prevent proceeding from the Active Directory modal window without entering base DNs

IAM-3076

Fix Salesforce provisioning connection

IAM-3079

Fix single sign-on (SSO) setup when app name has a space

IAM-3088

Enable suppression of the login failure message from the failure node

IAM-3091[4]

Fix localized headers rendering as [object Object]

IAM-3107[4]

Remove bitwise filter on Active Directory page

IAM-3108[4]

Update Maintain LDAP Group Membership option to not be selected by default

IAM-3109[4]

Update cn property to be optional in Active Directory target mode

IAM-3110[4]

Update ldapGroups property to be available by default in Active Directory target mode

IAM-3111[4]

Fix password hash algorithm

IAM-3122

Fix font weight of the title text on provisioning tab

IAM-3139[4]

Fix Revoke button in Users & Roles to revoke users, and not be clickable when there are no users to revoke

IAM-3142[4]

Fix Active Directory user filter anomaly when deleting a row

IAM-3145

Fix Active Directory assignment on array attributes to be a merge and not replace

IAM-3146[4]

Update user-specific attributes to be editable by administrators

IAM-3177

Add paging back to application list view if workforce feature is not enabled

IAM-3257[4]

Fix escaping of ESV placeholders in the advanced email editor

IAM-3335

Fixed display of localized favicon

19 Jan 2023

Key features

BioCatch authentication nodes

The new BioCatch authentication nodes integrate BioCatch scoring for identity proofing, continuous authentication, and fraud protection.

For details, refer to Marketplace.

Resolved issues

Issue ID Summary

AME-22948[4]

Create endpoint to log out sessions based on user identifier

FRAAS-11964

Avoid potential performance degradation when removing expired token state

FRAAS-12140

Integrate BioCatch authentication journey nodes

FRAAS-13242

Improve invalid page size error message

OPENAM-13766[4]

No configuration found for log in with session condition advice deny

OPENIDM-17392

Prevent script typos that cause services to fail from being introduced into the system

OPENIDM-17664

LDAP connector has invalid configuration when whitespace added to Base DN

OPENIDM-17953

Support email addresses that contain non-ASCII UTF-8 characters

12 Jan 2023

Key features

Workforce application and connector management

In new tenants created on or after January 12, 2023, you can use the improved applications page to integrate Advanced Identity Cloud with external data stores or identity providers. The applications page acts as a one-stop location where you can:

  • Register and provision popular federation-capable applications quickly and easily by choosing from a library of templates, such as Salesforce and Workday.

  • Register and provision your organization’s custom applications.

  • Manage data, properties, rules, SSO, provisioning, users, and groups for an application.

  • View the connection status of each application.

  • Activate and deactivate an application.

For details, refer to Application management.

Event hooks

Event hooks let you trigger scripts during various stages of the lifecycle of users, roles, assignments, and organizations.

You can trigger scripts when one of these identity objects is created, updated, retrieved, deleted, validated, or stored in the repository. You can also trigger a script when a change to an identity object triggers an implicit synchronization operation.

Post-action scripts let you manipulate identity objects after they are created, updated, or deleted.

For details, refer to Event hooks.

Daon IdentityX authentication nodes

The new Daon authentication nodes let you integrate with the Daon IdentityX platform for MFA with mobile authentication or out-of-band authentication using a separate, secure channel.

For details, refer to Marketplace.

Onfido authentication nodes

The new Onfido authentication nodes let you use Onfido’s solution for collecting and sending document identification and, optionally, biometrics to the Onfido backend for verification.

For details, refer to Marketplace.

Resolved issues

Issue ID Summary

DATASCI-1548

Update the filter text on the Autonomous Access dashboard from "All Risk Scores" to "Risk Score"

DATASCI-1550

Update text on the Autonomous Access dashboard’s Copy on User Detail page

FRAAS-11158[4]

AM cache outdated during restart of Identity Cloud services

FRAAS-11574

Integrate Daon authentication journey nodes

FRAAS-11575

Integrate Onfido authentication journey nodes

FRAAS-11964

Avoid potential performance degradation when removing expired token state

FRAAS-12477

Add list of encrypted secrets to promotion reports

FRAAS-12492[4]

Add classes to the scripting allow list

FRAAS-12494

Unlock the environment and stop checking progress after successfully promoting an environment

FRAAS-12545

Remove the option to keep orphaned configuration nodes from the promotions API

FRAAS-12552

Add redirect for custom domain login screen

FRAAS-12713

Promotions API failed to generate a report

FRAAS-12917[4]

Email invites to sandbox tenant administrators sometimes do not work

FRAAS-12939

Add proxy state to output of lock state endpoint for promotions API

FRAAS-12988

Prevent placeholder support being enabled unless a specific migration flag value is set

FRAAS-13057

Add only standard placeholders (not user-defined placeholders) prior to enabling placeholder management

FRAAS-13082[4]

Provisional report endpoint can return 500 if requested repeatedly before cache is built

FRAAS-13121

Provisional reports can cause promotion service to run out of memory and restart

FRAAS-13244

Unable to log into tenant to perform self-service promotion

IAM-2658

Application management improvements

OPENAM-19485

Access multi-tenant social providers without requiring multiple secondary configurations

OPENIDM-17556

Ensure RDVPs are not erased for all types of managed objects for all types of PUT operations

OPENIDM-17616[4]

Add support for direct assignments

OPENIDM-18024[4]

Implement weighted assignments

OPENIDM-18037[4]

Create endpoint for aggregating effective assignments and user identity object type outbound mapping values

OPENIDM-18063[4]

Include Google Apps connector in bundled connectors

OPENIDM-18388[4]

Do not schedule clustered-recon-resilience jobs for reconById invocations

2022

14 Dec 2022

Resolved issues

Issue ID[10] Summary

FRAAS-8589

Promotion hangs when waiting for Identity Cloud services

FRAAS-9155

Promotion reports not showing changes for all connectors

FRAAS-11830

Promotion reports rendering new line characters inside JSON strings

FRAAS-11158

Restart of AM can lead to outdated cache

FRAAS-12049

Promotion reports not showing changes to custom endpoint scripts

IAM-2465

Password policy to force password expiry not working

IAM-2706

Embedding images in the theme editor only displays alternative text

IAM-2739

Email suspend message displayed without line breaks

IAM-2939

Add translation configuration key for "Passwords do not match" message

IAM-2973

Self-service promotions migration UI flow should enable promotions UI features

OPENIDM-16830

Speed up search for organizations

OPENIDM-18388

Do not flag reconById invocations as clustered

OPENIDM-18483

Add name field to resourceCollection query fields for group identity objects

02 Dec 2022

Resolved issues

Issue ID Summary

IAM-3102

Validation fails for ESV list type

29 Nov 2022

Key features

Group management

You can now create and manage groups that are shared across AM and IDM within your Advanced Identity Cloud instance. New tenants have group management enabled by default, and existing tenants can follow an upgrade path to enable it.

For more information, refer to Group management.

ID Cloud Analytics Dashboard enhancements

You can now take advantage of the following enhancements to the analytics dashboard:

  • The journey chart now lets users drill down at specific points on a trend line to view individual journey outcomes for that date/hour. Journeys are sorted by a ranking of percentage failures, but can also be sorted based on number ranking.

  • Two new widgets — Top Five Journeys by Outcome and Top Five Journeys by Usage — that rank trending journeys based on outcomes and usages are now available.

For more information, refer to Advanced Identity Cloud analytics dashboard.

Resolved issues

Issue ID Summary

FRAAS-12379

Add support for groups and assigning users to groups

ANALYTICS-25

Add journey ranking and ability to drill down into journey outcomes to the analytics dashboard

09 Nov 2022

Key features

Self-service promotions

Self-service promotions let you promote configuration between environments without raising a support ticket. You can perform self-service promotions from development to staging tenant environments, and from staging to production tenant environments. You cannot promote sandbox environments.

For more information, refer to Introduction to self-service promotions.

Configuration placeholders visible in all APIs

Configuration placeholders let you set ESVs in your configuration.

For more information, refer to Configure placeholders to use with ESVs.

Duo authentication node

The new Duo authentication node lets you use Duo’s solution for adaptive authentication, bring your own device security, cloud security, endpoint security, mobile security, and two-factor authentication.

Twilio authentication node

The new Twilio authentication node allows you to use Twilio for two-factor authentication during account setup, sign-on, and other scenarios. The node lets you integrate Twilio’s APIs to build solutions for SMS and WhatsApp messaging, voice, video, and email. The node uses Twilio’s latest Lookup API, which uses real-time risk signals to detect fraud and trigger step-up authentication when needed.

For details, refer to Marketplace.

Resolved issues

Issue ID Summary

ANALYTICS-52

Correct the value in the All Journeys field

DATASCI-1437

Correct prefilled username fields in Filters window

DATASCI-1474

Don’t show explainability if not specified in response after applying Unusual Day of Week filter

DATASCI-1497

Let users see previously selected risk reasons after closing the Filter window

DATASCI-1504

Prevent the truncation of text on the right side of pages

FRAAS-10979

Configuration placeholders visible in all APIs in new customer environments

FRAAS-11570

Add Duo authentication node

FRAAS-11571

Add Twilio authentication node

FRAAS-11825

Add translation configuration key for no search results message

FRAAS-12219

Self-service promotions available in new customer environments

FRAAS-12301

Add Marketplace nodes to journey editor menu

FRAAS-12413

Remove blank page shown when user returns to login page following successful login to custom domain

FRAAS-12625

Handle ESVs as string type if no type is set

IAM-1935

Expose ESV variable type in the UI

IAM-2038

Prevent theme styles rendering in the hosted pages editor

IAM-2066

Show the entire answer to a long security question after clicking the visibility icon

IAM-2259

Do not let users save email templates that contain JavaScript

IAM-2312

Render SVG images correctly

IAM-2411

ForgeRock favicon displays briefly before the customer’s favicon

IAM-2502

Remove flashing red text from security questions window

IAM-2633

Support localization for radio display fields in Choice Collector node

IAM-2696

Remove legend from Risk Score window

IAM-2869

Update UI regex validation for ESV list type

18 Oct 2022

Resolved issues

Issue ID Summary

FRAAS-12373

Fix Choice Collector nodes so that they can show more than two options

07 Oct 2022

Resolved issues

Issue ID Summary

IAM-2846

Fix login issues caused by allowing non-mandatory login journey attributes to have empty values (reverts IAM-1678)

05 Oct 2022

Resolved issues

Issue ID Summary

AME-22684

Include grace period configuration in the OAuth2 provider settings

DATASCI-1165

Remove Automated User Agent from the list of risk reasons filters

DATASCI-1358

Let users filter dashboards by date, risk scores and features

DATASCI-1365

Update the Risk Activity page when applying a filter without requiring users to refresh the page

DATASCI-1394

Show the times that events occurred correctly without requiring users to refresh the display

DATASCI-1395

Let users see their last five risky authentication attempts

DATASCI-1397

Remove risk administration options from end users' navigation menus

DATASCI-1406

When filtering activities using a date range, include the activities that occur on the end date

IAM-1678

Allow login journey attributes that are not required to have empty values

IAM-1682

When editing email templates, cut text correctly

IAM-1932

When placeholders are used, display read-only strings in the Platform UI

IAM-1933

Alter AM XUI to display readonly strings wherever placeholders are in use

IAM-2028

Remove excess space from journey editor fields that do not require floating labels

IAM-2064

Replace fields for specifying numeric thresholds with a risk score definition slider in Autonomous Access Decision nodes

IAM-2080

Let users create customized footers on Page nodes

IAM-2141

Add option to customize Page node background color

IAM-2142

Add option to customize Page node button width

IAM-2143

Add option to customize label text for Page node fields

IAM-2227

Remove spurious "No configuration exists for id external.email" pop-up warning

IAM-2249

Add option to display Message node as a link

IAM-2250

After importing journeys, let user delete all imported journeys with a single delete action

IAM-2251

Provide a value when the object.password variable is specified in an email template

IAM-2258

Remove tenant information from the Realm menu

IAM-2285

Make H2, H3, and H4 HTML headings bigger when there’s no higher-level predecessor heading

IAM-2290

Show the correct number of events per country on the Activity Risk dashboard

IAM-2294

Show previous authentication attempts when doing anomaly lookups

IAM-2320

Change the default navigation background color of Account pages without changing the dashboard color

IAM-2329

Change the color of the Autonomous Access event log indicator to red

IAM-2351

Correct pagination on the Autonomous Access Risk page

IAM-2373

Make dashboard analytics pipeline logs in Autonomous Access work as expected

IAM-2468

Wrap long security questions

IAM-2521

Don’t reuse authId during password validation

OPENAM-18112

Provide better error message when an LDAP authentication node encounters a TLS connection issue

OPENAM-18933

Do not override the Success URL node’s value

OPENAM-19196

Do not wait for cache timeout before OAuth2 clients reflect changes to JavaScript origins

OPENAM-19868

Correctly handle multi-line text in Email Suspend nodes

OPENIDM-16420

Update the default email validation policy to conform with RFC 5322

OPENIDM-17533

Allow configuration changes to the repo.ds.json file to take effect without restarting IDM

OPENIDM-17720

Fix null pointer exception when the repo.ds.json file is misconfigured

OPENIDM-17836

Fix for startup error message caused by ObjectMapping constructor exception

OPENIDM-17911

Fix email validation errors in the IDM admin UI (native console)

OPENIDM-18272

Save managed object properties correctly in Identity Management native console

SDKS-1720

Point developers to the ForgeRock SDKs when they create an OAuth 2.0 client in the Platform UI

SDKS-1721

Point developers to the ForgeRock SDKs when they configure CORS in the Platform UI

15 Sep 2022

Platform release (hotfix)

Resolved issues

Issue ID Summary

FRAAS-11861

Allow maximum content length property for SAML 2 entities to be increased

12 Sep 2022

Platform release (hotfix)

Resolved issues

Issue ID Summary

FRAAS-11836

Add filtering to dedupe HELP and TYPE text in Prometheus monitoring endpoint

FRAAS-11963

Add TTL to AM HTTP connections

01 Sep 2022

Platform release: 2022.6.7 (hotfix)

Resolved issues

Issue ID Summary

OPENAM-19557

Correctly handle username in shared state for Identity Store Decision nodes

24 Aug 2022

Platform release: 2022.6.6 (hotfix)

Resolved issues

Issue ID Summary

OPENAM-19427

Display security questions in the correct default language

OPENIDM-17644

Release scheduled tasks after all failures so they are rerun

OPENIDM-17858

Process job completion instructions when a trigger is not found

OPENIDM-18123

Correctly load scripts that use ISO 8859-1 encoding

18 Aug 2022

UI release (hotfix)

Resolved issues

Issue ID Summary

IAM-2282

Do not ignore the noSession=true parameter in journeys that do not have Email Suspend nodes

IAM-2412

Left-align long security questions

IAM-2473

Control redirection precedence with AlignGoToPrecedence environment variable

OPENAM-19631

Prevent end users from defining their own security questions in the KBA Definition node (UI fix)

05 Aug 2022

Platform release: 2022.6.4 (hotfix)

Resolved issues

Issue ID Summary

OPENAM-19631

Prevent end users from defining their own security questions in the KBA Definition node

28 Jul 2022

UI release (hotfix)

Resolved issues

Issue ID Summary

IAM-2051

Turn off autocomplete for select and multi-select field components

IAM-2091

Fix unstyled content flashing

IAM-2232

Fix Platform Password node validation when allowlisting is enabled for trees

IAM-2348

Localize label text used for confirming passwords

IAM-2452

Fix issue with login callback components mounting twice

12 Jul 2022

Platform release: 2022.6.3 (hotfix)

Resolved issues

Issue ID Summary

OPENAM-19623

OAuth 2.0 client not using overridden OIDC claims script

07 Jul 2022

Platform release: 2022.6.2 (hotfix)

Resolved issues

Issue ID Summary

OPENAM-19011

QR code message in MFA Authentication nodes should be customizable

06 Jul 2022

Platform release: 2022.6.1 (hotfix)

Resolved issues

Issue ID Summary

OPENAM-19479

Delegation privileges can become stale

OPENIDM-17783

Cull reconById state if recon association amendment is not specified

OPENIDM-17498

LiveSync stops working with RCS after sync failures

21 Jun 2022

Platform release: 2022.6

Key features

Workday built-in connector

You can now use the Workday built-in connector to synchronize Advanced Identity Cloud easily with a datastore in the Workday cloud service.

Resolved issues

Issue ID Summary

AME-22011

Allow OAuth 2.0 clients to override plugin configuration

OPENAM-13557

Add support for JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)

OPENAM-18223

Return 400 Bad Request error code if the id_token_hint is invalid

OPENAM-18252

Allow nodes to update the universal ID for use cases like impersonation and peer authentication

OPENAM-19028

Support social identity providers that provide IDs that are not returned as strings

OPENAM-19119

Provide localization for the URL links on the GetAuthenticatorApp node

OPENIDM-17659

Add the Workday connector as a built-in Identity Cloud connector

15 Jun 2022

Key features

Remove log sources for internal services

The following log sources are no longer available in the /monitoring/logs REST API endpoint:

  • ctsstore

  • ctsstore-access

  • userstore

  • userstore-access

These sources belong to internal services that are managed by ForgeRock, so they have been removed to simplify the API.

Resolved issues

Issue ID Summary

FRAAS-8384

Remove log sources for internal services

09 Jun 2022

Key features

Import and export journeys

You can now import and export journeys from the Advanced Identity Cloud admin UI, making it easier to back up and restore journeys in your environment. You can also import and export associated assets, such as themes and scripts, along with journeys.

Email template editor enhancements

The email template editor now takes better advantage of the available space on the screen. A new preview panel shows you what your template looks like without the need to scroll. A new option in the editor lets you use HTML with CSS, giving you more control over the look and feel of your email templates.

Journey configuration enhancements

You can now take advantage of the following enhancements when you configure journeys:

  • Configure a Choice Collector node to let end users select from a set of radio buttons or a drop-down field.

  • Add a password confirmation field to a Platform Password node by simply selecting a checkbox.

  • Configure a Message node to have a single button instead of two buttons, so that end users can simply acknowledge messages.

  • Customize text in the Next button text on a Page node.

Resolved issues

Issue ID Summary

ANALYTICS-8

Clarify the tool tip shown with the user engagement graph

IAM-1649

Enhance email template editor

IAM-1167

Add UI for importing and exporting journeys, nodes, and scripts

IAM-1981

Increase use of landmarks across all journeys to improve accessibility

IAM-1997

Make full recovery question visible on password reset page

IAM-2144

Allow confirmation callbacks to have a single outcome and message nodes to show a single button

IAM-2145

Let choice collector nodes show choices as radio buttons

IAM-2146

Add option to require password confirmation

IAM-2147

Make text displayed in the Next button configurable

IAM-2151

Remove text that inadvertently appears in the theme editor

08 Jun 2022

Resolved issues

Hotfix release:

Issue ID Summary

OPENAM-19265

Passthrough Authentication Node throws an exception instead of taking the "Failed" exit

20 May 2022

Resolved issues

Issue ID Summary

IAM-2059

Add UI support for Autonomous Access

IAM-1343

Add duplicate option to email templates list

IAM-1899

Convert page node from string to object to support additional feature specifications

IAM-1962

Double password reveal icon in Edge browser in non-login pages

IAM-1972

Changing tenant administrator status resets list sort

IAM-1980

Add font weight slider to themes

IAM-2004

Realms not deleting

IAM-2010

Platform Admin UI rendering with horizontal scroll

IAM-2050

Ensure date inputs include Zulu timezone

IAM-2065

Wrong months order in calendar history of analytics UI date picker

IAM-2075

Make spinner component color inherit from theme primary color

IAM-2085

Allow users to be created without a password in Platform Admin UI

11 May 2022

Key features

ForgeRock® Autonomous Access (add-on capability)

Autonomous Access is a new add-on capability that provides your Advanced Identity Cloud tenant with significant threat protection capabilities. Autonomous Access helps to prevent account takeover and fraud at the identity perimeter. It leverages artificial intelligence and machine learning techniques to analyze threat signals and anomalous behavior patterns. It speeds and simplifies access decisions, enabling your organization to block threats and deliver personalized journeys that enhance the digital experience of legitimate users.

ForgeRock Autonomous Access includes:

  • ForgeRock Autonomous Access journey nodes:

    • The Autonomous Access Prediction node produces a risk score based on anomalous user behavior, credential stuffing, suspicious IPs, automated user agents (bots), impossible travelers, and brute force attacks.

    • The Autonomous Access Decision node lets you control users' journeys based on their risk scores.

    • The Autonomous Access Results node, when added to your journeys, provides data that lets Autonomous Access populate the activity dashboard, learn, and make its AI models more accurate.

  • The activity dashboard, which shows you risky access activity. It lets you drill down to investigate risky activity across time, risk reason, and risk score.

For more information, see About Autonomous Access.

Interested in adding Autonomous Access to your Advanced Identity Cloud subscription? Contact your ForgeRock account executive.

Resolved issues

Issue ID Summary

FRAAS-10341

Deploy Autonomous Access in ForgeRock Identity Cloud

10 May 2022

Resolved issues

Issue ID Summary

AME-21573

Add set custom cookie node

AME-22248

Provide option to mandate that clients must use pushed authorization requests

OPENAM-17698

Let users request specific claims from a social identity provider as part of an OIDC request

OPENAM-18533

Distinguish between standard OIDC and JAR OIDC request parameters

OPENAM-19089

Return to user’s UI after completion of a login journey with SAML federation

OPENDJ-8503

Populate the total paged results counter for query responses with an estimate when possible

02 May 2022

Key features

New identity store decision node

The new Identity Store Decision node lets you make authentication decisions based on user information in Advanced Identity Cloud. You can configure identity store decision nodes to control authentication flow based on any of the following conditions:

  • A username and password exist in Advanced Identity Cloud.

  • The profile associated with a user is locked.

  • A user’s password has expired.

  • A user needed to change their password on first login, but canceled the password change form.

Resolved issues

Issue ID Summary

OPENAM-17211

Add identity store decision node

19 Apr 2022

Resolved issues

Hotfix release:

Issue ID Summary

DATASCI-1020

Correct the times at the bottom of the analytics dashboard charts after clicking Today

DATASCI-1040

Filter journeys correctly in the analytics dashboard

DATASCI-1041

Display months before January 2022 correctly in the analytics dashboard filter

FRAAS-10342

Remove inadvertent popups after administrator signouts

IAM-2031

Fix Platform UI errors during navigation within the UI and resizing the UI window

11 Apr 2022

Key features

Dynamic configuration in journey nodes

Many nodes have static configuration, which forces you to have a new node for each use case. With dynamic configuration, you can now pass dynamic information to any static node during a journey’s execution.

Better control over device codes used in the OAuth 2.0 device flow

You can now specify the length of generated user codes, and the set of characters that’s used to generate the user codes.

Resolved issues

Issue ID Summary

AME-22015

Dynamically resolve configuration in node tree execution

AME-22247

Make request URI single time use for pushed authorization requests

OPENAM-17756

Provide better control over the list of characters used in device codes

OPENIDM-16774

Provide full details of schedules in the IDM admin UI

OPENIDM-17029

Allow IDM string properties to have formats, such as date and time

OPENIDM-17065

Return idm_sync_queue_failed error in Prometheus when an implicit sync fails

OPENIDM-17116

Don’t force persistAssociations=true in a URL that starts a reconciliation operation

OPENIDM-17204

Improve IDM REST API query performance

OPENIDM-17410

Allow time and datetime policies to specify +-00:00 locale

OPENIDM-17420

Allow any number of digits of precision for fractions of seconds when specifying time policy

SDKS-1329

Make push notification compatible with iOS 15 focus mode

31 Mar 2022

Key features

Advanced Identity Cloud analytics dashboard

The Advanced Identity Cloud analytics dashboard will be the new landing page for tenant administrators. The dashboard gives tenant administrators a snapshot of Ping Identity service usage, including views of the latest metrics and trends for:

  • User engagements

  • New users

  • Total users

  • Applications

  • Organizations

  • Successful and failed journey outcomes

Resolved issues

Issue ID Summary

FRAAS-10064

Add analytics dashboard to Identity Cloud admin UI

FRAAS-1446

Provide regional disaster recovery from Sydney to Melbourne

25 Mar 2022

Resolved issues

Hotfix release:

Issue ID Summary

IAM-1902

Extend the Login UI to set transaction IDs for authentication sessions

IAM-2005

Display debug pop-up windows correctly after trees with debug mode enabled fail and are auto-restarted

24 Mar 2022

Resolved issues

Issue ID Summary

FRAAS-9031

Allow valid characters in "From Name" during Platform UI validation

IAM-1482

Display Internal Role permission dialog correctly

IAM-1594

Eliminate doubled password reveal icon in Microsoft Edge

IAM-1834

Support new Config Provider script type, Config Provider Node, in journey editor

IAM-1942

Don’t throw console error reading filter

IAM-1945

Support undo in email template markdown and style editor

IAM-1955

Enable saving changes to existing email templates

IAM-1958

Improve page load time when there are multiple journeys in one category

IAM-1964

Correct Highlander theme enduser footer

IAM-1973

Clear journey tags when user closes modal window

IAM-1977

Don’t overlay User Name and Password fields in the Login UI when highlighting saved login details

15 Mar 2022

Key features

Extend the user identity schema

You can now extend the user identity schema by adding your own custom attributes. This lets you store more useful information about each user such as the user’s department, cost centers, application preferences, device lists, and so on.

Resolved issues

Issue ID Summary

FRAAS-8630

Implement hybrid user schema in Identity Cloud

11 Mar 2022

Key features

Set categories for end-user journeys

You can now set up categories for your end-user journeys in the UI. This helps you manage your trees by grouping them in the list view. For example, you may want to group all your registration journeys together so that you can find them in the list more easily.

Ability to debug end-user journeys

You can now debug end-user journeys in your development environment as you build them. With a journey in debug mode, you can inspect the shared, transient, and secure state at each step as you walk through the journey, and confirm that information is passed correctly from node to node.

Resolved issues

Issue ID Summary

FRAAS-8289

Add ability to set categories for a journey

FRAAS-9382

Trailing space after the T&C link on the self registration journey

IAM-1711

Invited tenant administrators have doubled usernames

IAM-1536

Add debug controls to journey editor

IAM-1896

Creating consecutive applications with a different type shows the wrong logo and headline

IAM-1903

Unable to localize the display of 2FA and push authentication device names

OPENIDM-17479

Recognize IDM static role naming convention when assigning UI roles

11 Mar 2022

Resolved issues

Hotfix release:

Issue ID Summary

IAM-1877

Long security questions are truncated in UI drop-down lists

02 Mar 2022

Key features

Scripted Plugin for SAML 2.0 IdP adapter

The new scripted SAML 2.0 IdP adapter lets you run your own business logic during a SAML 2.0 authentication flow. You can use it to look up session, policy, or identity information and make routing decisions before the SAML 2.0 assertion is sent to the service provider. Refer to Customize SAML 2.0.

Support for OAuth 2.0 Pushed Authorization Requests (PAR)

OAuth 2.0 Pushed Authorization Requests (PAR), defined in RFC 9126, give clients a secure way to initiate an OAuth 2.0 or OIDC authorization flow. Instead of sending the authorization request parameters in the front-channel URL query string, the client pushes them to the authorization server over a back-channel POST and receives a short-lived request_uri, which (together with client_id) is the only parameter it then sends to the authorization endpoint. Because the parameters never pass through the browser, they cannot be tampered with, logged in browser history, or leaked through Referer headers. Confidential clients must authenticate when pushing the request, so the platform can reject unauthorized or malformed requests before any user interaction, reducing the load that malicious traffic places on the authorization endpoint. Refer to Authorization code grant with PAR.
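The exchange described above, as an added example that is not part of the original release notes or Ping Identity’s code: a self-contained simulation of both sides of a PAR flow. The authorization server URL, endpoint paths, client ID, secret, and redirect URI are constructed for the illustration; the server side stores each pushed request, binds it to the authenticated client, expires it, and accepts the resulting request_uri only once.

```python
"""Offline simulation of an OAuth 2.0 Pushed Authorization Request (RFC 9126) exchange.

Added example, not Ping Identity's code. Endpoint paths, the client registry, the
secret and the redirect URI below are assumptions made up for the illustration.
"""
import base64
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import urlencode

AS_BASE = "https://as.example.com"  # assumed authorization server base URL

# Constructed client registry for the simulation: one confidential client.
CLIENTS = {
    "my-confidential-client": {
        "secret": "s3cr3t-for-demo-only",
        "redirect_uris": ["https://app.example.com/callback"],
    }
}


class ParError(Exception):
    """Raised by the simulated authorization server for a rejected request."""


@dataclass
class AuthorizationServer:
    """Stores pushed requests keyed by request_uri; entries expire and are single use."""

    ttl_seconds: int = 60
    pushed: dict = field(default_factory=dict)

    def par_endpoint(self, authorization_header: str, form: dict) -> dict:
        """POST /oauth2/par: authenticate the client, validate and store the request."""
        client_id = self._authenticate(authorization_header)
        # A client_id in the body, if present, must match the authenticated client.
        if form.get("client_id") not in (None, client_id):
            raise ParError("invalid_request: client_id does not match credentials")
        if "request_uri" in form:
            raise ParError("invalid_request: request_uri must not be pushed")
        if form.get("redirect_uri") not in CLIENTS[client_id]["redirect_uris"]:
            raise ParError("invalid_request: unregistered redirect_uri")
        if form.get("response_type") != "code":
            raise ParError("unsupported_response_type")
        request_uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(32)
        self.pushed[request_uri] = {
            "client_id": client_id,
            "params": dict(form),
            "expires_at": time.time() + self.ttl_seconds,
        }
        return {"request_uri": request_uri, "expires_in": self.ttl_seconds}

    def authorize_endpoint(self, query: dict) -> dict:
        """GET /oauth2/authorize: resolve request_uri; the front channel carries nothing else."""
        entry = self.pushed.pop(query.get("request_uri"), None)  # single use
        if entry is None:
            raise ParError("invalid_request: unknown or already-used request_uri")
        if entry["expires_at"] < time.time():
            raise ParError("invalid_request: request_uri expired")
        if entry["client_id"] != query.get("client_id"):
            raise ParError("invalid_request: client_id mismatch")
        return entry["params"]

    @staticmethod
    def _authenticate(authorization_header: str) -> str:
        """client_secret_basic with a constant-time comparison and a generic failure."""
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Basic":
            raise ParError("invalid_client")
        try:
            client_id, _, secret = base64.b64decode(token).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            raise ParError("invalid_client")
        known = CLIENTS.get(client_id)
        if known is None or not secrets.compare_digest(known["secret"], secret):
            raise ParError("invalid_client")
        return client_id


def make_pkce() -> tuple:
    """S256 PKCE pair; the verifier never leaves the client."""
    verifier = secrets.token_urlsafe(48)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def basic_auth(client_id: str, secret: str) -> str:
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def run_par_flow(server: AuthorizationServer, client_id: str, secret: str, redirect_uri: str) -> dict:
    """Client side: push the full request over the back channel, then build the
    short front-channel URL that carries only client_id and request_uri."""
    verifier, challenge = make_pkce()
    state = secrets.token_urlsafe(16)
    pushed = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": "openid profile", "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    par_response = server.par_endpoint(basic_auth(client_id, secret), pushed)
    authorize_url = f"{AS_BASE}/oauth2/authorize?" + urlencode(
        {"client_id": client_id, "request_uri": par_response["request_uri"]}
    )
    return {"authorize_url": authorize_url, "request_uri": par_response["request_uri"],
            "state": state, "code_verifier": verifier}


if __name__ == "__main__":
    srv = AuthorizationServer()
    flow = run_par_flow(srv, "my-confidential-client", "s3cr3t-for-demo-only",
                        "https://app.example.com/callback")
    print(flow["authorize_url"])  # only client_id and request_uri appear in the browser URL
```

Note that the scope, state and PKCE challenge never appear in the front-channel URL, a wrong client secret is rejected before anything is stored, and a request_uri that is replayed or has expired is refused at the authorization endpoint.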

Resolved issues

Issue ID Summary

AME-21830

Remove feature flag for PAR endpoint

AME-21943

Add OAuth2 Provider config options for plugin types

AME-21947

OAuth2 scripted plugin selection improvements

AME-22060

OAuth2 authorize endpoint throws NPE for a query parameter without a value

AME-22066

Scripted plugin for SAML 2.0 IDP adapter

OPENAM-17590

OIDC login hint cookie using deprecated Set-Cookie2 header

OPENAM-18185

Add support for PKCE to OAuth2 device code grant

OPENAM-18264

Update Apple profile normalization script template for sign-in with Apple

OPENAM-18459

IdTokenInfo endpoint fails when using client ID in POST

OPENAM-18527

Add ability to track suspended authentication session

OPENAM-18918

Unable to add scopes in the modification script when using OAuth2 with Grant Set storage scheme

OPENIDM-16833

Implement conditionally assigned relationships dependent on RDVPs

OPENIDM-17002

Can’t tune hash settings from openidm.hash script invocations

OPENIDM-17007

Security questions with multiple answers can only be created in Latin charset

OPENIDM-17051

Implement a mechanism to derive grantor RDVP dependencies

23 Feb 2022

Key features

Custom endpoints UI

A single UI now lets you create custom endpoints, edit their scripts within a syntax highlighting editor, and then run and test them directly. You can consume custom endpoints within Advanced Identity Cloud, or integrate them into your external UIs or system applications.

Resolved issues

Issue ID Summary

IAM-1428

Add support for custom endpoint scripts to the Platform Admin UI.

17 Feb 2022

Resolved issues

Hotfix release:

Issue ID Summary

FRAAS-9525

Increase maximum header size to support JWT encryption

10 Feb 2022

Resolved issues

Hotfix release:

Issue ID Summary

IAM-1818

End User UI for delegated admin cannot be fully translated

IAM-1873

Add support to Login UI for WebView browser

Hotfix release:

Issue ID Summary

OPENAM-18952

Security questions are not always falling back to the default locale

OPENIDM-17367

Target phase is running for reconciliation to a specific ID when using clustered reconciliation

08 Feb 2022

  • Added dashboard counts to let you quickly view the number of users, applications, and organizations in each realm.

  • Added UI improvements to date and time input fields.

  • Added language localization for headers and footers in hosted pages.

Issue ID Summary

IAM-1513

Allow customers to localize header and footer in Hosted Pages

IAM-1596

Implement simple dashboard counts

IAM-1597

Add tenant region information to tenant settings page

IAM-1716

Tenant administrator account details not loaded correctly after refresh

IAM-1725

Add date-time chooser to date-time fields

IAM-1726

Add time chooser to time fields

IAM-1808

Preview URL should be scrollable inside preview input

IAM-1844

PollingWaitCallback not always returning a callback

IAM-1848

Journeys with large themes cause a refresh loop

07 Feb 2022

Hotfix release:

Issue ID Summary

OPENAM-18341

Importing entity IDs from an external SP can cause invalid request URIs

OPENAM-18661

Two or more OAuth2 clients with duplicate origins causes CORS filter to be aborted

OPENAM-18764

API incompatibility in systemEnv.getProperty

OPENAM-18887

Security questions password reset causes login failure

OPENAM-18915

Unable to add scopes in the modification script when using OAuth2 with Grant Set storage scheme

04 Feb 2022

Hotfix release:

Issue ID Summary

FRAAS-9295

Prevent initial loading of identities in UI when a minimum search string length is configured

03 Feb 2022

Hotfix release:

Issue ID Summary

FRAAS-9045

Add account lockout for tenant administrators

25 Jan 2022

  • Updated the staging environment information on the tenant status page. Individual service statuses are now combined into a single status.

21 Jan 2022

Issue ID Summary

IAM-1687

Use the first populated locale when duplicating Terms and Conditions

IAM-1723

Add datepicker to date fields

IAM-1724

Add duration chooser to duration fields

IAM-1747

Optional node attributes default to empty strings in request JSON when saving journey

IAM-1757

Adding security question translation causes KbaCreateNode to loop

IAM-1762

Show all available page numbers in pagination for application and script list views

IAM-1764

Default starter theme UI in security question picker is too dark

IAM-1769

Policy list has console scrollIntoView error

IAM-1774

Add translated values to alt text entries and aria-label entries

IAM-1788

Incorrect URL is copied for journeys after search filtering

IAM-1792

Goto param in start over link is not URL encoded

IAM-1813

Journey list page flashes empty state instead of loading state

IAM-1825

Show user avatar and name for user identities

19 Jan 2022

Issue ID Summary

AME-22153

Default client-side authentication script is incorrect

OPENAM-18241

Permit OAuth2 Modification Script to return scopes as space-delimited string

2021

22 Dec 2021

Issue ID Summary

IAM-1757

Adding security question translation causes KbaCreateNode to loop

IAM-1792

Goto param in start over link is not URL encoded

17 Dec 2021

Issue ID Summary

FRAAS-4765

Tenant administrators should not have the option in the UI to delete or disable themselves

FRAAS-8290

Tenant administrator list needs to show if MFA is activated

FRAAS-8437

Admin UI encoding IDM system property specifiers in email templates

FRAAS-8584

Cannot apply dark theme on security question picker

FRAAS-8754

Display preview URL in the journey editor

IAM-1592

User is redirected to error page after trying to invite already invited admin

IAM-1621

Add security questions configuration to Admin UI

IAM-1685

WCAG 2.2 UI Compliance

IAM-1690

Remove ghost in Not Found page

IAM-1697

Theme transition flickering between journeys

IAM-1699

End user profile picture is not shown in top navigation bar

IAM-1716

Tenant administrator account details not loaded correctly after refresh

IAM-1739

Allow subsequent login attempts to enable next button

IAM-1740

Default provider setup should keep 'Use my own provider' toggled off

IAM-1753

Allow login theme to be set properly for URLs with both query parameters and route parameters

IAM-1765

Paging error on tenant administrator list

OPENAM-18511

Missing navigation options when an expired link from "Email Suspend" node is used

15 Dec 2021

Issue ID Summary

AME-21617

Create Scripted implementation for SAML 2.0 IDP Attribute Mapper

AME-21303

Create Scripted implementation of ScopeValidator#additionalDataToReturnFromEndpoint methods

AME-21265

Scope Implementation Class per Client not just per Provider

AME-21262

OAuth2 Scripts per Client not just per Provider

OPENAM-18167

OIDC requests with request parameter fail with 500 error when there is no session using POST

OPENAM-18154

Wrong AMR returned with prompt=login and force authn setting enabled

OPENAM-18121

Slow loading in Authentication Tree

OPENAM-18120

Audit logging service does not correctly reflect the "prompt" URL parameter

OPENAM-18119

Audit log no longer shows the userID of session being invalidated by amadmin

OPENAM-18043

Device Match module not setting correct AuthLevel

OPENAM-17979

Backchannel authentication - auth_req_id can be used to obtain multiple access tokens

OPENAM-17968

Scripting engine breaks when you create script with empty name

OPENAM-17923

Retry Limit Decision Should Not Have User Involvement when Save Retry Limit to User is Disabled

OPENAM-17783

Language tag limited to 5 characters instead of 8

OPENAM-17826

Introspect endpoint returns a static value for "expires_in" when using client based tokens

OPENAM-17610

OTP Email Sender node does not allow specifying connect timeout and IO/read timeout for underlying transport

OPENAM-17458

Enable access to hasResumedFromSuspend within a script

OPENAM-16560

OAuth2 scope validation using policy engine should be configurable per OAuth2 client

OPENAM-16149

Allow JWT bearer client authn unreasonable lifetime limit to be configurable

OPENAM-15877

Support for Google reCAPTCHA v3

OPENAM-15340

OAuth2 RT - Ability to obtain original custom claim when regenerate the token

OPENIDM-16677

Cannot retrieve entries from /recon endpoint when using DS as a repo if reconprogressstate size exceeds index limits

10 Dec 2021

22 Nov 2021

Issue ID Summary

FRAAS-4276

Social Provider Handler node should default to "Normalized Profile to Managed User" transformation script

FRAAS-6275

During registration the "Next" button should be greyed out until all mandatory fields are completed

FRAAS-7827

Hyperlinks cannot link to header elements in T&Cs

FRAAS-8288

Add ability to search for a journey by name

FRAAS-8317

Hard browser cache reset required when switching default theme in realm

FRAAS-8367

Platform UI doesn’t allow "from name" to be configured in email templates

FRAAS-8613

Social IDP CSS is overridden by themes

FRAAS-8683

Stage field not showing on page nodes when value set to "themeId=name" prior to the new theme selector UI enhancement

IAM-1548

Enduser UI not hiding side menu and nav bar

IAM-1644

Create multiple locales at same time when adding a new T&C

IAM-1650

Update Gateway and Agents page when in no data state

IAM-1652

Use journey name to set page title in Login UI

IAM-1689

Text from push authentication node cannot be overridden via config translation override

IAM-1695

Clicking column header with no sorting enabled throws error

IAM-1713

Hosted Pages tenant settings view has incorrect description

OPENAM-18511

Missing navigation options when an expired link from "Email Suspend" node is used

11 Nov 2021

Issue ID Summary

AME-21261

Allow configuring "Issue Refresh Token" at OAuth client level

AME-21263

Overridable Id_Token claims per client not just per provider

IAM-1074

Provide Javascript defaults for AM scripts in Identity Cloud

OPENAM-12995

Allow configuration of 'Custom Login URL Template' at client level

OPENAM-14159

OAuth2 token storage to be configured per client

OPENAM-15381

Allow configuring "Issue Refresh Tokens on Refreshing Access Tokens" per client

OPENAM-16418

Client auth using private_key_jwt fails with 500 if claim format is wrong

OPENAM-17185

Need ability to configure Remote Consent Service at the client level

OPENAM-17262

Subname claim inconsistencies

OPENAM-17548

Can’t go back to login page after invoking Social Authentication Nodes

OPENAM-17663

Improve the error response code for "Failed to revoke access token"

OPENAM-17669

Ability to encrypt or sign access tokens based on client IDs

OPENAM-17773

The acr_values parameter is mandatory on CIBA bc-authorize endpoint

OPENAM-17782

Policy evaluation fails with 400 error when user does not exist

OPENAM-17784

Session timeouts (maximum session time, maximum idle timeout) set incorrectly if username is dynamically created in a tree.

OPENAM-17801

OIDC userinfo subname claim returns incorrect value

OPENAM-17813

Allow /userinfo endpoint to include 'aud' claim in response

OPENAM-17814

Auth Tree step-up fails if username case does not match

OPENAM-17863

Authorization code is not issued when nonce is not supplied when using OpenID Hybrid profile

OPENAM-17912

Account lockout count is not reset correctly

04 Nov 2021

Issue ID Summary

FRAAS-8502

Unable to set default theme to a theme not on the first page of themes in Hosted Pages

IAM-673

Identity tabs in Platform UI not correctly positioned on small screens

IAM-1495

Platform admin theme editor has confusing modal behaviour

IAM-1499

Add theming to Platform UI to control color of login card: background, input, text...

IAM-1501

Add ability to configure theme on a page node in journey editor

IAM-1517

Terms and Conditions published version should just display rendered text

IAM-1529

Links from non authorized page do not redirect user

29 Oct 2021

Issue ID Summary

FRAAS-8497

Alt text is being stripped from Hosted Pages custom header

21 Oct 2021

Issue ID Summary

FRAAS-7669

Page unresponsive message shown in End User UI when an organisation admin selects the password reset button for an organisation user

FRAAS-7960

Terms and Conditions UI does not list the locales already created

FRAAS-8048

Applications created without status don’t show default active status

FRAAS-8050

Allow Platform Admin UI to display all application types

FRAAS-8089

Theme layout overlays login box in theme designer

FRAAS-8138

Discovery URI missing from OAuth client

IAM-1117

Display data from linked systems when editing a user in Platform Admin UI

IAM-1204

Journey editor lines too light

IAM-1495

Platform admin theme editor has confusing modal behaviour

IAM-1498

Add font family drop-down to theme editor

IAM-1525

Application URL text is curtailed

12 Oct 2021

Issue ID Summary

IAM-1435

Add ability to create Java/Web Agents in Platform Admin UI

IAM-1613

Allow configuration and display of password policy where at least 1–4 of 4 character sets are required

06 Oct 2021

Issue ID Summary

AME-21058

Roll the config option for signing Request Object and Private Key JWT into one

AME-21411

Create an IDM passthrough authentication node

OPENAM-17405

Token introspection response not spec compliant

OPENAM-17515

Sub attribute in access token can be in wrong casing

OPENAM-17591

Session quota destroy next expiring action can fail when two new sessions attempt to read and update the same expiring session

OPENAM-17595

Calling endSession endpoint should fail gracefully instead of Unknown JWT error

OPENAM-17666

Update Scripted Decision Node bindings to deprecate "sharedState" and "transientState" and add new "state"

OPENAM-17683

Selfservice user registration auto login fails for a sub-realm

OPENAM-17828

Apostrophe in username breaks Push/OATH device registration

OPENAM-18233

Social Provider Configuration for Google (Native iOS) does not work without a client secret

OPENDJ-8178

Change of data format in date fields: trailing zeros on milliseconds are now truncated

OPENIDM-15951

Support additional mime types for CSV bulk import

OPENIDM-16081

Prevent users saving managed objects with invalid names

OPENIDM-16089

Enhance error message for failed config property substitution in email templates

OPENIDM-16473

Task scanner job fails on null top level objects

29 Sep 2021

Issue ID Summary

FRAAS-8110

Spinning wheel displayed when using an expired link from email suspend node

FRAAS-8133

Login UI flashes with ForgeRock logo before loading the End User UI

IAM-1398

Accessing platform UI with old token redirects user

22 Sep 2021

Issue ID Summary

FRAAS-5860

Table markup issue in email templates

IAM-1409

Password Policy on Self-Service Registration page does not reset when blanking entered text

IAM-1544

Platform UI allows creating scripts without any name

IAM-1558

Assignment console errors caused by deleted managed object mapping

IAM-1576

Cannot delete email template from preview page

IAM-1577

Styles not being shown on edit email template page

15 Sep 2021

Issue ID Summary

IAM-1150

Remove data table component in favor of adding cell specific components

IAM-1547

End-User Password Update changes session cookie and breaks logout

IAM-1559

Admin and Enduser UIs not loading in IE11

IAM-1562

Sanitize postLogoutUrlClaim on redirection after Logout

IAM-1563

403 when attempting to read password policy for delegated admin reset password

10 Sep 2021

Issue ID Summary

FRAAS-7890

Validation of custom domains allows upper case domain names

FRAAS-8064

OATH Device not shown in End-User Profile Dashboard

IAM-1475

Issue with enduser platform-ui when compiled from source

IAM-1542

End users are unable to update their KBA info

IAM-1545

KBA Create node does not send custom question as part of payload

08 Sep 2021

Issue ID Summary

AME-20499

Using Social Identity Provider Selector node and having disabled social IDPs causes massive amounts of exceptions and errors in the logs

AME-20895

Request Object Encryption

AME-21056

Make request object 'aud' configurable

AME-21133

Apple Sign In Form POST Endpoint Compatibility with Custom Login Apps

OPENAM-16314

Create OAuth2/OIDC Node to allow same authentication methods used and supported by our own OpenID Connect provider and clients

OPENAM-17286

Add additional configuration options required for private key jwt feature

OPENAM-17494

Other ways to allow OTP SMS Sender and OTP Email Sender nodes to send custom message

OPENAM-17527

Support KMS/AM-encryption of PEM-format secrets

OPENAM-17581

Scripted decision node on /authentication/authenticationtrees/trees PUT breaks tree save

OPENAM-17625

No trees shown in inner tree selection box when another tree is misconfigured

OPENAM-17672

Page Node does not expose inner nodes inputs or outputs

OPENAM-17673

Nodes within a Page node do not have access to secure state

OPENIDM-16113

rsFilter is case sensitive, which triggers authentication errors

OPENIDM-16191

New live sync schedule created from UI is missing invokeContext.source

OPENIDM-16275

UI does not display Progressive Profile Query Filter Condition properly

OPENIDM-16322

Unable to create new LDAP connector through admin UI

OPENIDM-16335

NPE on org model children endpoint when making a request that contains an error

OPENIDM-16343

Unable to save powershell connector config through admin UI

OPENIDM-16388

LDAP Connector created through Admin UI not setting credentials and baseContexts

02 Sep 2021

Issue ID Summary

FRAAS-7996

Cannot remove org members when logged in as org admin

IAM-1421

Application Token lifetime input textbox not visible in some ID Cloud environments

IAM-1424

Platform UI application list page shows errors when viewed from a sub-sub-realm

IAM-1441

Custom Domain previous button is misplaced

IAM-1442

Too much space between realm avatar on realm title

IAM-1496

Platform admin theme editor missing default values for logo url/alt text

IAM-1514

In a list view, clicking directly on checkbox does not select row

IAM-1533

UI labels missing from ID Cloud registration UI

IAM-1537

Platform UI: Not able to update user when email is an optional attribute

IAM-1538

After changing password on a user in the admin ui any subsequent changes to the object results in an error on save

30 Aug 2021

Issue ID Summary

IAM-1531

UI submits string values for NumberAttributeInputCallback

23 Aug 2021

Issue ID Summary

IAM-1473

Unable to access links to native consoles if platform dashboard page not large enough

IAM-1492

Using 'reset to defaults' on theme admin wipes out theme name

IAM-1508

Edit managed user page has bad formatting when ListField inputs contain long entries

IAM-1509

Social login failure does not return to initial journey step

IAM-1515

Ensure login theme background covers entire height

17 Aug 2021

Issue ID Summary

FRAAS-7936

Email templates missing from console

IAM-1476

Change Consent menu item and related text to Terms & Conditions

16 Aug 2021

  • Updated End User UI to support WCAG accessibility best practices.

  • Updated End User UI and Login UI to support localization.

  • Updated End User UI theming and customization for user journeys:

    • Added ability to apply a different theme and logo to each user journey.

    • Added ability to provide a different user journey to each brand.

    • Added ability to add custom footers to end-user login and account management pages.

    • Added ability to configure the layout of the end-user account management page by adding and removing sections.

  • Updated End User UI terms and conditions management:

    • Added versioning and localization.

    • Added ability to track end-user version history.

Issue ID Summary

IAM-1259

EndUser-UI WCAG updates

IAM-1264

End user stored state returns different user to previous users page

IAM-1289

Platform-ui not rendering in IE11 because Postcss v8+ only serves ES6+ sources

IAM-1291

End user delegated admin should not display raw JSON option

30 Jul 2021

Issue ID Summary

FRAAS-7721

Unable to save a new LDAP connector configuration in the Platform UI

15 Jul 2021

Issue ID Summary

AME-20475

OpenID Connect Back-Channel Logout

AME-20499

Using Social Identity Provider Selector node and having disabled social IDPs causes massive amounts of exceptions and errors in the logs

AME-20600

Grant Types UI field of the OAuth2 Provider shows as supportedGrantTypes

AME-20994

Rename StoreOps tokens to OIDC Session Management

IAM-1096

Scripted decision node description has a typo

OPENAM-14402

Access/ID tokens only include short username for "sub" claim

OPENAM-15214

Auth Tree - Clicking save with no changes causes render problem with node attributes inside page node

OPENAM-16314

Create OAuth2/OIDC Node to allow same authentication methods used and supported by our own OpenID Connect provider and clients

OPENAM-16653

Identity using fr-idm-uuid has wrong account ID in FR Authenticator

OPENAM-16959

Failed to authenticate with Twitter as Social Login Provider

OPENAM-17297

HOTP Generator Node adds cleartext OTP to sharedState

OPENAM-17436

JS version of the OIDC Claims script does not work due to a casting error.

OPENAM-17489

Add new form_post endpoint

OPENAM-17494

Other ways to allow OTP SMS Sender and OTP Email Sender nodes to send custom message

OPENAM-17517

JS versions of Social Identity Provider Profile Transformation scripts do not work due to a casting error.

OPENAM-17595

endSession should fail gracefully instead of Unknown JWT error

OPENAM-17625

No trees shown in inner tree selection box when another tree is misconfigured

OPENAM-17659

Select Identity Provider Node does not load social IDPs that do not define a client secret

OPENAM-17672

Page Node does not expose inner nodes inputs or outputs

OPENAM-17828

Apostrophe in username breaks Push/OATH device registration

OPENIDM-14525

Customer would like to define a default value for a property on a managed object.

OPENIDM-15220

Temporal constraints on internal role grants with privileges are not reflected in the end-user UI

OPENIDM-16192

Under certain conditions it is possible to generate two users with the same userName

OPENIDM-16206

TaskScanner tries to read object after deletion

OPENIDM-16266

ICF service retry during livesync network failures

OPENIDM-16326

SchemaService does not allow filtering on _id

OPENIDM-16334

Managed object schema editor fails on properties with "pattern : null"

28 Jun 2021

Issue ID Summary

OPENIDM-16678

Clustered recon fails with "Schedule does not exist"

23 Jun 2021

Issue ID Summary

FRAAS-4877

Attempting to Import a CSV file that contains a number in an frUnindexedInteger field fails

15 Jun 2021

Issue ID Summary

FRAAS-7322

Common passwords policy errors now show in bulleted list below password field

IAM-1264

Logging out and logging back in now returns user to dashboard instead of last route visited

IAM-1319

Allow disabling of sorting and searching on relationship array grids

IAM-1321

Allow UI to use post_logout_url claim from id_token for redirection after logout

10 Jun 2021

Issue ID Summary

FRAAS-6504

Terms and Conditions do not render correctly when using HTML formatting directives

IAM-1081

Using the back button in some UI contexts causes a session termination

OPENAM-17297

HOTP Generator Node adds cleartext OTP to sharedState

OPENAM-17343

Access token call returns 500 error if password needs to be changed or has expired

OPENAM-17349

OIDC Refresh token - Ops token is deleted from the CTS during refresh EDISON

OPENAM-17352

OAuth Introspection Endpoint can be accessed by public clients providing an empty client secret

OPENAM-17359

Unfriendly error message displayed when an expired link from "email suspend" node is used

OPENAM-17396

Terms of Service URI Link does not Display in Consent Page

OPENAM-17426

No validation for attribute collector node

OPENAM-17436

JS version of the OIDC Claims script does not work due to a casting error.

OPENAM-17494

Other ways to allow OTP SMS Sender and OTP Email Sender nodes to send custom message

OPENAM-17517

JS versions of Social Identity Provider Profile Transformation scripts do not work due to a casting error

OPENAM-17595

endSession should fail gracefully instead of Unknown JWT error

OPENAM-17625

No trees shown in inner tree selection box when another tree is misconfigured

OPENAM-17672

Page Node does not expose inner nodes inputs or outputs

OPENAM-17673

Nodes within a Page node do not have access to secure state

OPENAM-17828

Apostrophe in username breaks Push/OATH device registration

OPENIDM-15953

Connector Config Disappears from UI in IDCloud for RCS Connectors

OPENIDM-15903

Grant Type not shown in the Grant Column for Assigned Roles

OPENIDM-16134

/system?_action=createFullConfig unexpectedly replaces variables

OPENIDM-16150

Identity Connect UI - Manage Admin Groups modal does not have cancel button after adding new Group Base Contexts

OPENIDM-16180

Removed Properties cannot be Re-Added Until Page Refresh in User Registration

04 Jun 2021

Issue ID Summary

IAM-1219

JS error when assigning multiple relationships

IAM-1261

Adding relationship via UI fails when large user populations

IAM-1263

Need some default data in managed object lists when search filter on UI

IAM-1290

Managed identities configuration cosmetic improvements

20 May 2021

Issue ID Summary

FRAAS-6854

When the commonly-used passwords option is selected for password policy...option unusable

FRAAS-6012

Remove Restriction in UI of Only Allowing One Domain

FRAAS-5525

Add CORs Settings to New Platform UI

FRAAS-4017

On all journey drag-and-drop UIs, links to SDK/API Docs are broken

IAM-1242

SDK config for CORS settings doesn’t properly set allowCredentials

IAM-1240

Fix styling of multiselect drop-down and tags

IAM-1228

Platform ui scripting issues seen in ID cloud testing

IAM-1227

remove dependency that requires 'parent required' for UI to handle orgs properly

IAM-1213

Input Label and Placeholder doubling up on all input fields

IAM-1212

Unable to use WebAuthn TouchID or FaceID on Safari MacOS/iOS

IAM-1205

Update copyright bot copyright message

IAM-1195

Adding a temporal constraint to a role member relationship does not work

IAM-1181

IDM policies not displayed in policy panel for password

IAM-1177

Update grids to handle large datasets based on managed object schema flag

IAM-1160

Server list doesn’t update on new server cluster modal

IAM-1155

Improve code coverage display in PR testing

IAM-1151

Multiselect Does Not Remove Entry If Removed When Entering New Value

IAM-1148

Remove JEST snapshot testing

IAM-1105

Disable save button on new connector server modal after first click

IAM-1076

When in cloud env hide bravo_user, bravo_role, and bravo_assignment when realm is alpha and vice versa

IAM-1065

E2E Tests - Admin - Import Identities

IAM-1039

Platform Scripting Usability (UI Only)

IAM-1024

Adjust app detail header top margin

IAM-375

Refreshing Page on Alias Doesn’t Highlight Side Menu Item

28 Apr 2021

Issue ID Summary

FRAAS-6503

Turn off the End User hosted profile page

IAM-1001

Remove extra padding on login error

IAM-1144

Email Templates - Create Email Provider View

IAM-996

Remove extra spacing on Agent profile status button

12 Apr 2021

Issue ID Summary

FRAAS-6573

SAML 2.0 login flow ends with error: “No mapping organization found for organization identifier”

FRAAS-6465

Social login seems to break expected goto URL behavior when protecting apps with IG

IAM-1165

Sidebar-shim Does not Dynamically Change on Resolution Change

IAM-1120

End user account controls throwing invalid argument error on profile page load

IAM-1080

Convert switches to checkboxes in journey editor

OPENAM-17625

No trees shown in inner tree selection box when another tree is misconfigured

OPENAM-17517

JS versions of Social Identity Provider Profile Transformation scripts do not work due to a casting error

OPENAM-17494

Other ways to allow OTP SMS Sender and OTP Email Sender nodes to send custom message

OPENAM-17436

JS version of the OIDC Claims script does not work due to a casting error

01 Apr 2021

Issue ID Summary

FRAAS-6504

Updated terms callback to sanitize html from backend

FRAAS-6431

End User UI calls ../authenticate endpoint switch at login

FRAAS-6399

ID Cloud UI Multiselect spinner

FRAAS-6255

Tenant Admin List does not always Show Entire List of Admins

FRAAS-5968

End User Profile Page Displays "ForgeRock" Specific Information

FRAAS-5585

Custom Domain - UI Re-Verify Flow

IAM-1179

Fix issue with managed identities table not displaying properly

IAM-1171

Drag selection in the journey editor can cause console errors that cause saving to hang

IAM-1165

Sidebar-shim Does not Dynamically Change on Resolution Change

IAM-1142

Duplicate Journey modal breaks if initially dismissed

IAM-1141

Update password policy messages to a more user friendly format in the Platform-UI.

IAM-1128

Resource view cutting off drop-down menu

IAM-1126

Login-UI doesn’t change locale language to browser default

IAM-1109

Realm theme logo preview doesn’t update

IAM-1104

Not possible to change or remove the default locale of email templates.

IAM-1083

Email template "From" input field limited to email addresses while label suggests otherwise

IAM-1080

Swap toggle w/ checkbox in journey editor

IAM-1040

Journey list page displays javascript errors when expanding a journey

OPENIDM-15019

End-user UI displays user name without accents (umlaut, etc.)

11 Mar 2021

  • Added Salted SHA-256 support.

Issue ID Summary

FRAAS-6209

Theme Editor popover() does not display using Firefox on MacOS

FRAAS-6199

Ugly Error Messaging in UI when Password Policy Fails

FRAAS-6099

AM Authorization with Advices broken

FRAAS-6013

When you enter a domain in the Domain Modal, and it Fails Validation, you cannot add a Domain that is Valid

FRAAS-5968

End User Profile Page Displays “ForgeRock” Specific Information

FRAAS-5938

Platform UI generates forbidden Journey title and cannot be deleted

FRAAS-5843

Current password policy limits passwords to a maximum of 64 characters

FRAAS-5756

Authentication Trees Don’t Respect reentry Cookie

FRAAS-5340

Hashed passwords synchronization fails

IAM-794

Platform login UI has hard-coded “/am” path assumed for default path behavior

IAM-1124

Can’t save Agent type RCS on edit page

IAM-1103

Password policy shows ‘must be less than 0 characters long’ when max length is 0

IAM-1097

Incorrect instruction link for RCS in IDCloud docs

IAM-1088

Add show columns, sort, and search capability to relationship array grid

IAM-1087

Admin create resource modal should handle required relationship array properties

IAM-1081

Using the back button in some UI contexts causes a session termination

IAM-1021

Ability to copy and paste values from multiselect component

IAM-1017

Force Use SSL option for Connector Servers in Cloud

OPENAM-16949

Cannot create a policy for subject type group

17 Feb 2021

Issue ID Summary

IAM-1066

Links for delegated admin objects not showing in end-user UI when a user has correct privileges

IAM-1064

Incomplete provisioner file makes it impossible to create clusters

IAM-887

Admin UI does not display in the Firefox web browser when Private Browsing is enabled. (Will not fix)

04 Feb 2021

Issue ID Summary

OPENAM-17289

Generated id_token does not contain any of the requested claims, other than "sub".

OPENIDM-15892

Persisted schedules not being displayed in IDM Native UI

29 Jan 2021

13 Jan 2021

Issue ID Summary

AME-20719

RelayState Not Being Used on Identity Cloud with SAML tree node

AME-13690

Create an OATH authentication node

FRAAS-5257

Cannot disconnect social identity provider

IAM-1003

IE11 does not search for user on End User page

IAM-989

Update connection status for servers on server cluster pages

IAM-988

Platform UI error for end users when resizing in IE 11

IAM-978

ConnectorServers generates browser console errors when connector servers are present

IAM-958

Backend scripts updating hiddenValueCallback values don’t propagate to step requests

IAM-952

ID cloud new server cluster modal allows going back to select adding servers when it should not

IAM-947

Platform UI: support 'default' values in Managed Object create/edit screens

IAM-907

Adding IG Agent with non-unique name breaks UI

OPENAM-16965

Alignment of shared state with self-service object nodes

OPENAM-16961

OIDC Claims Script - /userinfo to access clientProperties

OPENAM-16919

SAML JSP Flows not working

OPENIDM-15686

Cannot delete a mapping in an Identity Cloud tenant

OPENIDM-15576

Unable to save the 'Reconciliation Query Filters' under Mappings in the Admin UI.

OPENIDM-15511

IDM Admin console - Paging controls in managed objects are disabled

OPENIDM-15507

Paging controls in connector data tab are disabled and should not be

OPENIDM-15368

Value of ldapGroups isn’t visible in the admin UI as an assignment attribute

OPENIDM-15150

IE11 script error in End-User UI

OPENIDM-14750

Managed Object schema editor scripts tab not saving scripts on relationship type properties

OPENIDM-14411

Unable to create a user with a previously used password

2020

08 Nov 2020

Issue ID Summary

AME-20500

Users cannot authenticate using local authentication and the Social IDP Selector node

FRAAS-4856

Cannot create API keys using Safari 14.0

FRAAS-4767

Identity Cloud UI does not display user properties according to managed object settings

FRAAS-4699

Connector server (RCS) connection status inaccurate

FRAAS-4481

Enduser UI - Password required in Edit Personal Info

FRAAS-4070

Update tenant naming convention

IAM-906

Cannot create an assignment when the mapping target is a system object

IAM-885

ID cloud journeys list has visual errors for journeys created in AM native console

IAM-882

Breadcrumb needs to update upon navigating away from page

IAM-881

End-user profile doesn’t render multi-value fields

IAM-862

Footer has wrong logo

IAM-861

Change managed object toggle to show object value instead of entire schema

IAM-795

Bulk Import: improve error messages in Advanced Identity Cloud admin UI

IAM-784

Add dynamic theme for end user

IAM-759

Incorrect URL for legacy AM admin console

IAM-697

Platform-admin Unit tests: Applications

IAM-606

Allow Password entry in 'New Identity' Modal

IAM-589

Accessibility: CardRadioInput is not navigable and doesn’t report as a radio input correctly

13 Oct 2020

02 Oct 2020

  • Improved IDM debug logging.

  • Custom attributes can be used in scripts.

  • Added Gateways & Agents list and profile page.

  • Journey edit page indicates required fields.

  • Updated dark theme.

  • Added the ability to theme the login UI from config.

Issue ID Summary

FRAAS-4610

Filename with a space gets converted to a null pointer

FRAAS-4558

Admin invite doesn’t work

FRAAS-4550

User profile attributes are inaccessible to token modification scripts

FRAAS-4549

Base URL Source service should be part of quickstart config

FRAAS-4522

Cannot save "Generic Indexed String" attributes in user profile

FRAAS-4520

Cannot save "Address 1" field in user profile properties

FRAAS-4477

Password-related failures at onboarding

FRAAS-4459

Make createResource behave more consistently with repeat use.

FRAAS-4440

Broken create assignment functionality

FRAAS-4379

UI issues with OAuth 2.0 related interfaces (Consent page, OAuth 2.0 client error pages, and the device code grant page)

FRAAS-4319

Alpha/Bravo Realm Users cannot edit personal info in the Enduser UI

FRAAS-4277

Hide incompatible tree nodes

FRAAS-3928

Remove on-prem connectors from PaaS IDM instance

IAM-789

Password policy rules should display in platform-admin password reset UI

IAM-603

403/404 errors in platform-admin when user has insufficient privileges

1. This issue applies to a feature only available in ForgeRock Identity Governance, which must be purchased separately.
2. This release focuses on internal improvements and technical updates to enhance the overall stability, performance, and maintainability of the platform. While there are no direct customer-facing changes, these updates lay the groundwork for future feature releases and improvements.
3. This issue was released on January 9, 2024 but inadvertently excluded from the regular changelog.
4. This issue was inadvertently excluded from the Rapid changelog.
5. This change applies to a feature only available in PingOne Autonomous Access, which is an add-on capability and must be purchased separately.
6. The updated connectors for FRAAS-17373 were originally listed as: Database Table connector, Microsoft Graph API connector, Oracle EBS connector, Salesforce connector, SCIM connector, ScriptedSQL connector.
7. This issue was released as a hotfix but inadvertently excluded from the rapid changelog.
8. This issue was released on May 30, 2023 but inadvertently excluded from the changelog.
9. This issue was released on March 18, 2023 but inadvertently excluded from the changelog.
10. The issues listed in this table were released on November 29, 2022 but inadvertently excluded from the changelog.