PingOne Advanced Identity Cloud

Regular channel changelog

Subscribe to get automatic updates: Regular channel changelog RSS feed

For release notes published before August 2023, refer to the Regular channel changelog archive.

September 2024

25 Sept 2024

Version 14800.8

No customer-facing issues released.[1]

18 Sep 2024

Version 14800.7

Key features

DocuSign application template (IAM-6194)

The DocuSign application lets you manage DocuSign service accounts and synchronize DocuSign accounts and Advanced Identity Cloud identities.

Enhancements

  • IAM-6493: The PingOne application template now supports specifying an LDAP gateway.

  • IAM-6868: Added screen reader label to end-user access approval button.

  • IAM-6870: Added screen reader label to end-user access request button.

  • IAM-6880: Added a toggle in the hosted pages journey settings to disable the error heading fallback that displays if there is no heading in the page content. (FORGEROCK-1582)

Fixes

  • FRAAS-21713: The promotion process now retries getting an access token from the lower environment, preventing promotion failures.

  • IAM-7033: Unable to save user filter in AD/LDAP app template.

05 Sept 2024

Version 14620.5

No customer-facing issues released.[1]

03 Sep 2024

Version 14620.4

Key features

BeyondTrust application template (IAM-6492)

The BeyondTrust application lets you manage and synchronize data from Advanced Identity Cloud to BeyondTrust.

Enhancements

  • IAM-7011: Older app templates are no longer marked "deprecated".

August 2024

20 Aug 2024

Version 14442.2

Enhancements

  • IAM-5233: Update SAP SuccessFactors app template to support connector version 1.5.20.22.

  • IAM-6874: Update journey analytics to use hourly data.

Fixes

  • FRAAS-21318: Promotion report now categorizes AM session service changes correctly.

06 Aug 2024

Version 14260.4

Key features

Adobe Admin Console application template (IAM-6195)

The Advanced Identity Cloud Adobe Admin Console application lets you manage users, groups, and user group memberships between Adobe Admin Console and Advanced Identity Cloud.

Paris added to data residency regions (FRAAS-20850)

The Paris region (europe-west9) is now available. For more information, refer to:

Enhancements

  • AME-26135[2]: The Advanced Identity Cloud admin UI now lets you configure a secret from a secret store for these features:

    • Identity Gateway agents

    • Web and Java agents

    • OAuth 2.0 agents

    You can now optionally set a secret label identifier for these features instead of a manually entered client secret.

  • IAM-4279: Display available ESV placeholders in Decision Node script editor.

  • IAM-4654: Enable creation of all script types in Advanced Identity Cloud admin UI.

Fixes

  • FRAAS-20397: The promotion process now retries tagging the lower environment after a network interruption, preventing blocking promotion failures.

  • IAM-5356: Session logout warning not displaying when maximum idle time set to a higher value than maximum session time.

  • IAM-6628: New draft option shouldn’t exist for out-of-the-box workflows.

  • IAM-6779: Pagination for list of apps not working when there are over 4000 apps.

July 2024

30 Jul 2024

Version 14077.9

No customer-facing issues released.[1]

29 Jul 2024

Version 14077.8

No customer-facing issues released.[1]

23 Jul 2024

Version 14077.0

Fixes

  • FRAAS-20970: The /monitoring/logs endpoint now returns an X-Ratelimit-Limit header with a fixed value of 60. Previously, the value was misleading due to the way it was calculated when scaling an environment’s resources. The X-Ratelimit-Remaining header continues to report the number of requests that may be sent before receiving a rate limited response.

  • FRAAS-20983: Promotion reports now list changes to the default OAuth 2.0 provider.

22 Jul 2024

Version 13945.13

No customer-facing issues released.[1]

11 Jul 2024

Version 13945.9

Key features

Additional cloud connectors

The following connectors are now bundled with Advanced Identity Cloud:

  • Adobe Admin Console connector (OPENIDM-19843)

  • DocuSign connector (OPENIDM-20190)

For more information, refer to the ICF documentation.

Fixes

  • OPENIDM-20142: Resolved a communication failure between Advanced Identity Cloud and RCS instances that could result in a prolonged failure to activate remote connectors.

Changed functionality

  • OPENIDM-20178: You can’t use scope private fields in query filters. For more information, refer to Security Advisory #202402.

10 Jul 2024

Version 13945.8

Key features

Product name change for Identity Cloud (FRAAS-20178)

To align ForgeRock products with Ping family names, ForgeRock Identity Cloud has been renamed to PingOne Advanced Identity Cloud. Name and logo changes have been updated throughout the user interfaces, and documentation updates will occur when the UI changes are released to the regular channel.

For more information, refer to the New names for ForgeRock products FAQ.

Organization-based certification[3] (IAM-5237)

Advanced Identity Cloud introduces organization-based certification—​a new Identity Governance feature that lets you configure B2B customers and partners as organizations and allow designated organization administrators to certify access for the users in their organization.

For more information, refer to Certify access by organization.

Segregation of duties (SoD) (IAM-5624)

Advanced Identity Cloud introduces a new Identity Governance compliance feature designed to help you create and manage segregation of duties (SoD) policies and rules. SoD is a crucial practice that ensures no single individual has privileges that could lead to a conflict of interest.

For more information, refer to Configure compliance policies.

Scoping rules[3] (IAM-5629)

Advanced Identity Cloud introduces a new Identity Governance feature that lets you create scoping rules to determine what actions an end user can perform and on what resource.

For more information, refer to Configure scoping rules to resources.

Enhancements

  • IAM-4785: Synchronize only the modified properties on a target source during reconciliation of applications.

  • IAM-5487: Correlation rules moved to the top of the reconciliation settings page.

  • IAM-6231: Scripted Decision Node now updates the list of scripts when a script is added or edited.

  • IAM-6544: Add reviewer column to administrator list view of compliance violations.

Fixes

  • FRAAS-20604: Removed superfluous AM metrics related to token store internals:

    • am_cts_connection_count

    • am_cts_connection_seconds

    • am_cts_connection_seconds_total

    • am_cts_connection_state

    • am_cts_reaper_cache_size

    • am_cts_reaper_deletion

    • am_cts_reaper_deletion_count

    • am_cts_reaper_deletion_total

  • IAM-6135: ESV values containing accents get corrupted by encoding process.

  • IAM-6562: Label duplicated for OAuth 2.0 access token and ID token endpoints.

  • IAM-6669[3]: Badge count of violations in end-user navigation doesn’t update when an action is performed.

01 Jul 2024

Version 13848.13

Fixes

  • OPENIDM-18495[4]: Disable sorting in the connector data tab in the IDM admin UI (native console). (FORGEROCK-1582)

June 2024

26 Jun 2024

Version 13848.8

Key features

Certificate API[5] (FRAAS-7319)

You can now use the certificate API to upload SSL certificates to your tenant environments. You can create the certificates in two ways:

Promotion rollback API (FRAAS-20048)

You can now roll back configuration promotions using the API. You can roll back an environment successively to revert as many previous promotion changes as needed.

For more information, refer to Run a rollback.

New utility binding available for scripting (AME-25519)

You can now use a new utility binding in your scripts to access several common utility classes. For example, the utility binding includes classes for generating random UUIDs and for base64 encoding and decoding.

PingOne Protect nodes (TNTP-180)

The following PingOne Protect nodes are now available in the regular channel:

Before using the PingOne Protect nodes, you must:

Enhancements

  • AME-26199: Added the ability to set additional claims, including non-registered claims, during JWT assertion and generation, as per the specification.

  • AME-26820: Provided library scripts with access to all common script bindings.

  • AME-26993: Enhanced secret mapping for agents. Updating a secret label identifier value now causes any corresponding secret mapping for the previous identifier to also be updated, provided no other agent shares that secret mapping. If another agent shares the secret mapping, PingOne Advanced Identity Cloud creates a new secret mapping for the updated identifier and copies its aliases from the previously shared secret mapping.

  • AME-27346: Renamed Secret ID Identifier to Secret Label Identifier in the SAML remote entity provider configuration.

  • AME-27478: Renamed Client ID Token Public Encryption Key property to ID Token Encryption Public Key in the OAuth 2.0 client configuration.

  • AME-27775: Added scripting thread pool metrics per script context.

  • OPENAM-16564: Enabled next-generation scripts to access the cookies in incoming requests.

  • OPENAM-21800: Added page node functionality to next-generation scripts.

  • OPENAM-21933: Enabled auto-encoding of the httpClient form body in next-generation scripts.

Fixes

  • FRAAS-20786: Fixed the case where a promotion attempts to delete the same application more than once.

  • FRAAS-19461: Fixed an issue where large audit logs could be missing from IGA events and processing.

  • FRAAS-20154: ESVs with special characters are now correctly encoded. The workaround of double-encoding ESVs is no longer required.

  • OPENAM-21748: Restored the missing get wrapper function for HiddenValueCallback in next-generation scripting.

  • OPENAM-21830[2]: Unable to get entitlement info hashmap values in SAML IdPAdapter script

  • OPENAM-21864: Fixed an issue that prevented setting the tracking cookie to resume a journey after returning from a redirect flow.

  • OPENAM-21897: Corrected inconsistent results from the policy evaluateTree endpoint.

  • OPENAM-21951: Enabled setting of the selectedIndex property in a ChoiceCallback in next-generation scripts.

  • OPENAM-22181: Corrected an issue with UMA approve and approveAll requests failing.

  • TNTP-166:

    • Add configuration options to P1 Verify Authentication nodes.

    • Verify code not visible when using QR option.

    • Set claim mapping only in shared state in P1 Proofing node.

18 Jun 2024

Version 13664.10

No customer-facing issues released.[1]

11 Jun 2024

Version 13664.8

Key features

Localize the Advanced Identity Cloud admin UI[2] (IAM-6267)

You can now localize static content and server messages in the Advanced Identity Cloud admin UI to support your company’s tenant administrators in different language locales. The localization is implemented in the same way as the existing localization functionality used by the login and end-user UIs. Refer to Configure tenant localization.

Oracle E-Business Suite app template (IAM-6342)

The Advanced Identity Cloud Oracle E-Business Suite (EBS) application lets you manage and synchronize accounts between EBS and Advanced Identity Cloud.

Enhancements

  • FRAAS-15404: When updating ESV secrets, the API saves a new secret version only when it differs from the previous value.

  • FRAAS-19982: Configuration promotion now fails if Advanced Identity Cloud services do not restart successfully with the new configuration.

  • IAM-6376: In the applications rules tab, you can now configure custom logic to perform specific actions, such as sending an email, when an account is successfully created or updated.

  • IAM-6380: In the applications rules tab, you can now use the provisioning failure rule to configure custom logic to perform specific actions when provisioning fails.

Fixes

  • FRAAS-11180: Authentication session whitelisting is now enabled by default for new tenants

  • IAM-5593: Adding roles to certain objects no longer breaks readable titles

  • IAM-6537: Journey import now alerts users if they try to import a file containing missing references

  • IAM-6548[2]: Advanced Identity Cloud admin UI now loads Identity Gateway profile properties

07 Jun 2024

The following issues were released on May 30, 2024 but inadvertently excluded from the changelog.

Version 13465.7

Key features

Improved promotion of applications (FRAAS-19241)

It is now possible to promote applications via the API and not just the UI.

Additionally, the provisional report has been improved to only show applications that have changed, rather than show all applications in the report.

Epic EMP application template (IAM-2407)

The Advanced Identity Cloud Epic EMP application lets you manage and synchronize data between Epic EMP and Advanced Identity Cloud.

Enhancements

  • IAM-2653: Configure object properties with user-friendly display names.

  • IAM-3857: Application list view displays enabled/disabled status of enterprise apps.

  • IAM-5913[3]: Create custom access request workflows.

Fixes

  • IAM-6264: Approval actions display in the UI even when they are not available due to permissions.

  • IAM-6296: UI doesn’t display paginated results on application data and recon tabs.

  • IAM-6409: Logging out of UI generates malformed redirect realm URLs.

04 Jun 2024

Version 13465.8

No customer-facing issues released.[1]

May 2024

20 May 2024

Version 13313.4

No customer-facing issues released.[1]

20 May 2024

The following issues were released on February 6, 2024 but inadvertently excluded from the changelog.

Key features

Social Provider Handler node (OPENAM-20924)

The new Social Provider Handler node adds an outcome to better handle interruptions in a social authentication journey after requesting profile information.

Enhancements

  • OPENAM-21575: Add org.forgerock.json.jose.jwe.JweHeader to the allowlist for the Scripted Decision node

14 May 2024

Version 13313.2

Key features

Event-based certification[3] (IAM-5148)

Identity Governance now allows tenant administrators to configure certifications that are triggered by specific governance events, a process referred to as event-based certification. This method offers faster certification resolution compared to scheduled—​and often lengthy—​campaigns spanning weeks or months and involving numerous applications, intricate rules, and hundreds of reviewers.

The event-based certifications feature kicks off an identity certification for the following events:

  • User create. Advanced Identity Cloud detects when a user account has been created.

  • User modify. Advanced Identity Cloud detects when an existing user account has been modified or updated.

  • Attribute change. Advanced Identity Cloud detects changes in the attributes of an existing user account.

  • User delete/deactivate. Advanced Identity Cloud detects if a user account has been deleted or deactivated.

For more information, refer to Certify access by event.

Grant entitlements to users and roles[3] (IAM-5146)

Identity Governance now allows tenant administrators to carry out more fine-grained entitlement grants for their user accounts. Tenant administrators can now:

  • Create a role and grant entitlements to the role.

  • Revoke entitlements in a role.

  • Grant entitlements to a user account.

  • Revoke entitlements from a user account.

For more information, refer to Manage entitlements.

Authenticate gateway and agent profiles with a shared secret (IAM-5833)

The Advanced Identity Cloud admin UI for gateways and agents now lets you authenticate with a shared secret instead of a password. Use this to set the label for the shared secret.

Authenticate OAuth 2.0 applications with a shared secret (IAM-6028)

The Advanced Identity Cloud admin UI for OAuth 2.0 applications now lets you authenticate with a shared secret instead of a password. Use this to set the label for the shared secret.

Enhancements

  • IAM-3199: HTML styling in the Message node journey editor allows you to left justify text.

Fixes

  • FRAAS-19334: Failure to look up service account names following changes applied through the ESV API.

  • IAM-5079[3]: End-user roles page sometimes shows role grants as conditional even when the grants are direct.

  • IAM-5363[3]: Show the total number of approvals and access reviews in the inbox.

  • IAM-5858[3]: Missing support for access request global configuration options.

  • IAM-6138[3]: The governance events filter builder incorrectly validates before and after properties in the user created state.

  • IAM-6176[3]: The end-user access request rejection is missing a justification message.

  • IAM-6203[3]: The governance events filter doesn’t use after temporal values for user created flows.

  • IAM-6209: The Advanced Identity Cloud admin UI navigation panel text appears when the panel is collapsed.

  • OPENIDM-19879: Identity management reconciliation service processes additional source query pages whenever a query returns a pagedResultsCookie.

  • OPENIDM-19924: Unnecessary quotes not being removed from email addresses.

  • TNTP-166:

    • Add configuration options to P1 Verify Authentication nodes.

    • Verify code not visible when using QR option.

    • Set claim mapping only in shared state in P1 Proofing node.

02 May 2024

Version 13162.12

Fixes

  • FRAAS-19593: The promotion API incorrectly reports as ready, resulting in a blocking promotion failure when trying to promote (FORGEROCK-1319)

01 May 2024

Version 13162.0

Key features

Identity Assertion node (AME-26821)

The new Identity Assertion node provides a secure communication channel for authentication journeys to communicate directly with ${ig.abbr}.

PingOne Verify service (TNTP-118)

The PingOne Verify service lets you configure and use PingOne Verify nodes (PingOne Verify Authentication node and PingOne Verify Proofing node) in your authentication journeys.

For more information, refer to PingOne Verify service.

PingOne nodes (TNTP-119)
PingOne node

The PingOne node node establishes trust between PingOne and Advanced Identity Cloud by leveraging a federated connection. For more information, refer to PingOne node.

PingOne DaVinci API node

The PingOne DaVinci API node node lets an Advanced Identity Cloud journey trigger a PingOne DaVinci flow through the API integration method. For more information, refer to PingOne DaVinci API node.

Enhancements

  • AME-26085: SAML v2.0 NameID mapping can be configured per SP

  • AME-27126: A SAML SP can now authenticate to IDPs using mutual TLS (mTLS) when making an artifact resolution request.

  • AME-27133: "Secret ID" has been renamed to "Secret Label" for secret mappings

  • The following services now support configuration using the Secrets API:

    • AME-16536: The OAuth 2.0 provider hash salt secret

    • AME-25885: The persistent cookie core authentication attribute

    • AME-26110: The client-side session signing key

    • AME-26134: The social provider service

    • AME-26441: The new CAPTCHA node (replaces the legacy CAPTCHA node)

    • AME-26442: The OIDC Token Validator node now lets you store the client secret in any type of secret store

    • AME-26633: The OAuth 2.0 client clientJwtPublicKey

    • AME-26637: The OAuth 2.0 client idTokenPublicEncryptionKey

    • AME-26639: OAuth 2.0 client mTLS self-signed certificates

    • AME-26668: The post authentication process (PAP) replay password

    • AME-26670: The web agents replay password key

    • AME-26998: The OAuth 2.0 client secret

  • The following services now support rotation of secrets using secret versions:

    • AME-25988: The persistent cookie encryption secret

    • AME-26999: OAuth 2.0 client secrets

    • AME-27000: OAuth 2.0 client clientJwtPublicKey

    • AME-27001: OAuth 2.0 client mTLS self-signed certificates

  • OPENAM-21031: The performance of Google KMS has been improved by the introduction of caching.

Fixes

  • FRAAS-19596: Promotion report should include changes to realm authentication settings.

  • OPENAM-21473: If you set the collection method of a Certificate Collector node to REQUEST, HEADER, or EITHER, and the certificate is not provided in the request or in the header, the node now returns a status of Not collected.

April 2024

22 Apr 2024

Version 13019.10

Key features

Additional cloud connectors

The following connectors are now bundled with Advanced Identity Cloud:

  • Dropbox connector (OPENIDM-19838)

  • PingOne connector (OPENIDM-19736)

  • Webex connector (OPENIDM-19920)

For more information, refer to the ICF documentation.

Enhancements

  • OPENIDM-19921: The following connectors included with Advanced Identity Cloud were upgraded to 1.5.20.21:

    • Google Apps connector

    • Microsoft Graph API connector

    • AWS connector

    For details, refer to 1.5.20.21 Connector changes.

16 Apr 2024

Version 13019.8

Enhancements

  • FRAAS-19414: You can now configure custom domains directly in all environments without needing to create ESVs or promote configurations. Existing custom domains will be migrated automatically.

  • FRAAS-19566: Add _sortKeys query parameter to ESV API

  • IAM-4585[3]: Request and approvals page now shows the current and past approvers, their decisions, and the dates

  • IAM-4968: Expose additional top-level parameters in the advanced section of mapping pages

  • IAM-5674: Target application can use ONBOARD action for FOUND situation

  • IAM-5769: Add grouping logic to journey node items

Fixes

  • IAM-3927[3]: Identity Governance now enforces mandatory comments (if configured) for revoke and allow exceptions

  • IAM-4309[3]: Access reviews no longer display the internal lastSync user attribute

  • IAM-4762: Authoritative apps are now requestable

  • IAM-4986: Platform UI can now determine whether to use a pagedResultsCookie or offset for paging results

  • IAM-5076[3]: "Abstain from action" option no longer displays when a campaign has expired

  • IAM-5362: Marking a property as an authoritative app entitlement no longer causes target app config to be generated

  • IAM-5413: Account deprovisioning now works in AD/LDAP after deleting a user identity

  • IAM-5794: Border color of sign-in input fields in hosted pages can now be overridden in themes

  • IAM-5810: Add option for email configuration to specify UTF-8 address support

  • IAM-5814: Allow fixed application usernames to be chosen for custom SAML apps

  • IAM-5875: Journey editor no longer orphans deleted nodes

12 Apr 2024

Version 12820.8

No customer-facing issues released.[1]

09 Apr 2024

Version 12820.7

No customer-facing issues released.[1]

04 Apr 2024

Version 12820.5

Key features

HTTP Client node (TNTP-136)

The HTTP Client node lets you make HTTP(S) requests to APIs and services external to Advanced Identity Cloud from within a journey.

Use the HTTP Client node to simplify the integration with a broad range of external services by making direct HTTP(S) requests.

For more information, refer to HTTP Client node.

PingOne Service (TNTP-148)

The PingOne Service lets you set up the PingOne service in your Advanced Identity Cloud tenant so you can add Ping Identity nodes to your authentication journeys.

For more information, refer to PingOne Service.

03 Apr 2024

Version 12820.5

Enhancements

March 2024

26 Mar 2024

Version 12589.7

Key features

Implemented "remember me" functionality

You can now display a checkbox on the end user sign-in card that makes it remember and pre-populate the username.

Enhancements

  • FRAAS-15371: Added ability to prevent search engines from indexing end user login pages

  • IAM-4257: Updated Azure AD app template to accommodate the latest changes

  • IAM-4342: Updated MSGraphAPI Connector with a new configuration property

  • IAM-4892: Updated Salesforce app template to accommodate the latest changes

  • IAM-4900: Added build number and next release cycle date range to user interface

  • IAM-5334: Exposed guarded string as an object type property in scripted template

  • IAM-5459: KBA answer field should contain question context

  • IAM-5461: Custom login error not read with priority

  • IAM-5503: Rename "Orchestrations" to "Workflows"

  • IAM-5563: Updated Google Apps app template to accommodate the latest changes

  • IAM-5603: Added ability to view device details for managed user identities

  • IAM-5606: Added "POWERED BY" metadata to journey nodes

  • IAM-5748: Made 'PingOne' a special case on the federation providers page

Fixes

  • IAM-4918: Check that user has correct permissions when requesting access for other users

  • IAM-5287: Make username, password, and KBA fields H3 elements

  • IAM-5598: Prevent styled terms and conditions included in a journey from making authenticate call fail

  • IAM-5611: Correct ability to revoke custom apps from roles, or edit them from the role view

  • IAM-5641: Custom Endpoints search returned endpoints created by other areas of the UI

  • IAM-5692: Remove console errors when opening the "Add Bravo user" modal

  • IAM-5767: SAML SSO was not remembered when app is saved from another tab after SSO setup

  • IAM-5873: Fix .getTranslation call in Vue

  • OPENIDM-19405: Special non-ascii characters in emails sent from Advanced Identity Cloud would fail

25 Mar 2024

Notices

ForgeRock deprecated the option to let Advanced Identity Cloud tenant administrators skip 2-step verification on Friday, February 3, 2023.

This is a reminder that the end-of-life date for this deprecation is Tuesday, April 2, 2024, when the skip option functionality will be removed from Advanced Identity Cloud.

You have until this date to update your tenants to make 2-step verification mandatory for all tenant administrators. For more information, refer to Tenant administrator mandatory 2-step verification FAQ.

13 Mar 2024

Enhancements

05 Mar 2024

Version 12455.3

Enhancements

  • FRAAS-18788: Add AWS, GCP, and SAP S/4HANA connectors to Advanced Identity Cloud

Fixes

  • FRAAS-18693: Validation bug prevents use of the base64encodedinlined and keyvaluelist ESV expression types

05 Mar 2024

Deprecations

Duo authentication node (FRAAS-19062)

ForgeRock has deprecated the Duo authentication node because Duo has deprecated Traditional Duo Prompt that is used by the Duo node.

ForgeRock created Duo Universal Prompt node in anticipation of this depreciation. You should use Duo Universal Prompt node instead of Duo node (Deprecated).

February 2024

28 Feb 2024

Notices

ForgeRock deprecated the option to let Advanced Identity Cloud tenant administrators skip 2-step verification on Friday, February 3, 2023.

The end-of-life date for this deprecation has been moved to Tuesday, April 2, 2024, when the skip option functionality will be removed from Advanced Identity Cloud.

You have until this date to update your tenants to make 2-step verification mandatory for all tenant administrators. For more information, refer to Tenant administrator mandatory 2-step verification FAQ.

20 Feb 2024

Fixes

  • FRAAS-18414: Changes to an out-of-the-box journey can be incorrectly displayed against both realms in a promotion report

16 Feb 2024

Notices

ForgeRock deprecated the option to let Advanced Identity Cloud tenant administrators skip 2-step verification on Friday, February 3, 2023.

The end-of-life date for this deprecation is Friday, March 1, 2024, when the skip option functionality will be removed from Advanced Identity Cloud. You have until this date to update your tenants to make 2-step verification mandatory for all tenant administrators. For more information, refer to Tenant administrator mandatory 2-step verification FAQ.

08 Feb 2024

Key features

Advanced Identity Cloud security guide update

ForgeRock has updated the Advanced Identity Cloud security guide to advise caution with using the X-Forwarded-For HTTP header to identify the originating IP address of a client due to security and privacy concerns.

Instead, you should consider using the X-Real-IP or X-Trusted-Forwarded-For HTTP headers as trusted replacements. Refer to Identify originating client IP addresses.

06 Feb 2024

Key features

Create and manage custom relationship properties (OPENIDM-19106, OPENIDM-19109)

You can now create and manage custom relationship properties using the Advanced Identity Cloud admin UI.

Schema API improvements (OPENIDM-19107)

You can now directly modify managed object schemas over REST using the schema API. This capability includes configuring custom relationship properties.

Password timestamps (OPENIDM-19262)

Enabling this new feature lets you view or query when a user password was last changed and when it is set to expire.

Fingerprint Profiler and Fingerprint Response nodes (TNTP-130)

The Fingerprint nodes nodes let you integrate your Advanced Identity Cloud environment with the Fingerprint platform to help reduce fraud and improve customer experience.

iProov Authentication node (TNTP-131)

The iProov authentication node integrates Advanced Identity Cloud authentication journeys with the Genuine Presence Assurance and Liveness Assurance products from iProov.

RSA SecurID node (FRAAS-18037)

The RSA SecurID node lets you use the RSA Cloud Authentication Service (RSA ID Plus) or RSA Authentication Manager from within an authentication journey on your Advanced Identity Cloud environment.

Enhancements

  • OPENIDM-17878: Allow access to operational attributes in the Advanced Identity Cloud data store

  • OPENIDM-19674: The relationship-defined virtual property (RDVP) schema editor allows you to edit the flattenProperties property. The anaged object schema editor allows you to edit the notifyRelationships property.

Fixes

  • FRAAS-18398: Allow the HTTP OPTIONS method on calls to /openidm/config/* endpoints for CORS preflight checks

  • FRAAS-18526: Script library functionality can’t be used in the UI in certain environments

  • IAM-5656: Fix alignment of text, buttons, and links in Message nodes

  • IAM-5660: Hosted pages not displaying list of themes

  • OPENIDM-18743: Attempts to use connectors fail with null pointer exceptions when operationOptions is defined in the provisioner configuration

  • OPENIDM-18957: The scheduler now attempts to release any triggers it attempted to acquire during a timeout due to an unresponsive repository

  • OPENIDM-19141: Workflow engine queries now properly honor tablePrefix and tablePrefixIsSchema configuration options

  • OPENIDM-19279: Resource collection is required to create a relationship

January 2024

22 Jan 2024

Key features

Advanced Identity Cloud use case catalog

Introducing the release of the Advanced Identity Cloud use case catalog, a collection of guides that focus on tenant administrator use cases and third-party integrations.

19 Jan 2024

Key features

New Identity Governance capabilities[3][6] (IAM-4617, IGA-1664)

The Workflow UI lets you define custom workflow definitions for all access request types.

Role membership certification, a new certification type for access reviews, lets you review and certify roles and the users who have access to roles. Primary reviewers are role owners, a single user, or users assigned to a role.

09 Jan 2024

Key features

Schedule jobs directly in the Advanced Identity Cloud admin UI (IAM-3489)

You can now schedule the following jobs directly in the Advanced Identity Cloud admin UI without using the IDM admin UI (native console):

  • Scripts: Execute a script at a regular interval.

  • Task scanner: Execute a scan of identities using a complex query filter at a regular interval. The scan can then execute a script on the identities returned by the query filter.

Enhancements

  • FRAAS-7382: Add ability to include JavaScript snippets in login and end-user UIs

  • IAM-4514[3]: Allow reviewers to add user, entitlement, and role columns to an access review

  • IAM-4739: Add read schema option to SCIM application template to discover custom schemas/attributes

  • IAM-5138[2]: Add ability to view reports to end-user UI

  • IAM-5201: Focus on first input field or button automatically upon page load

  • IAM-5268: Add source-missing situation rule to authoritative applications

Fixes

  • IAM-4810: Custom endpoint UI missing context option

  • IAM-5072: Inbound mapping tab shows in target applications

  • IAM-5171: Azure Active Directory application template doesn’t return a user’s role membership

  • IAM-5187: LDAP v2.1 application template doesn’t clear dc=example,dc=com base DN

  • IAM-5238: LDAP application template is missing the group object classes property

  • IAM-5422[3]: Entitlement owner doesn’t show in the entitlement list

  • OPENAM-21856: Introspecting stateless token with IG/Web agents will cause OAuth2ChfException

December 2023

12 Dec 2023

Key features

Duo Universal Prompt node (FRAAS-15675)

The Duo Universal Prompt node lets you provide two-factor authentication using Duo’s Universal Prompt authentication interface. You can integrate Universal Prompt with your web applications using the Duo Web v4 SDK.

For details, refer to Duo Universal Prompt node.

Enhancements

  • AME-22326: The httpClient available in scripts now automatically adds the current transactionId as an HTTP header. This lets you correlate caller and receiver logs to make requests to other ForgeRock products and services.

  • AME-25392: Add org.forgerock.openam.scripting.api.PrefixedScriptPropertyResolver, used for accessing ESVs from scripts, to the allowlist for SAML2_SP_ADAPTER and SAML2_IDP_ADAPTER script types

  • AME-25433: Add com.sun.crypto.provider.PBKDF2KeyImpl, javax.crypto.SecretKeyFactory, and javax.crypto.spec.PBEKeySpec to the allowlists for Scripted Decision nodes and Configuration Provider nodes

  • AME-25608: Add auditing for opening and closing connections for the LDAP decision node, ID Repo service, and Policy Configuration service

  • AME-25630: Add java.security.spec.InvalidKeySpecException to the allowlist for the Scripted Decision and Configuration Provider nodes

  • FRAAS-17939: Some connectors included with Advanced Identity Cloud were upgraded to the following versions:

    1.5.20.19

    For details, refer to 1.5.20.19 Connector changes.

    • Microsoft Graph API connector

    • SCIM connector

    1.5.20.18

    For details, refer to 1.5.20.18 Connector changes.

    • Google Apps connector

    • Microsoft Graph API connector

    • Salesforce connector

    • SCIM connector

    • Workday connector

  • IAM-4511: Hide fields in the Users & Roles tab when editing and creating unreadable properties

  • IAM-4615: Add a "Skip to main content" link to page headers

  • OPENAM-16897: The OAuth 2.0 Device grant flow can now return either JSON or HTML

  • OPENIDM-19037: Update property value substitution to reflect boolean value in the UI

Fixes

  • COMMONS-1397: Audit event log entries not logged due to thread contention

  • FRAAS-17686: Add org.forgerock.json.jose.jwe.JweHeader to the allowlists for the AUTHENTICATION_TREE_DECISION_NODE and CONFIG_PROVIDER_NODE script types

  • IAM-4401: Disabling Clear-Site-Data header breaks realm login

  • IAM-4991: When a suspendedId is in use, redirect to failureUrl fails

  • IAM-5075: Login messages are read twice by screen readers

  • IAM-5186: User identity related values aren’t saved after removal

  • OPENAM-17331: Disabled SNS endpoints can now be re-enabled

  • OPENAM-17816: OAuth 2.0 requests without a Content-Type header fail with a 500 error

  • OPENAM-19282: Recovery Code Display node only works immediately after a registration node

  • OPENAM-19889: Policy evaluation fails when subject is agent access token JWT

  • OPENAM-20026: Social IDP with trailing whitespace in the name can’t be deleted using the UI

  • OPENAM-20329: Issuer missing from OAuth 2.0 JARM response

  • OPENAM-21053: Missing userId from access audit log when org.forgerock.security.oauth2.enforce.sub.claim.uniqueness=false in JWT client authentication flow

  • OPENAM-21421: Scripting logger name isn’t based on logging hierarchy convention

  • OPENAM-21476: Persistent cookie is not created when using Configuration Provider node

  • OPENAM-21484: Introspection of a stateful refresh token for claims field for known OAuth2 fields is now a string and not nested in a list

  • OPENIDM-19328: Fix queued sync to recover following node restart

November 2023

30 Nov 2023

Fixes

  • IAM-5275: Advanced Identity Cloud admin UI doesn’t add query parameters to the logout URL

  • IAM-5289: Fix warning message when maxidletime is greater than 24.8 days

Notices

ForgeRock deprecated the option to let Advanced Identity Cloud tenant administrators skip 2-step verification on Friday, February 3, 2023.

The end-of-life date for this deprecation is Friday, March 1, 2024, when the skip option functionality will be removed from Advanced Identity Cloud. You have until this date to update your tenants to make 2-step verification mandatory for all tenant administrators. For more information, refer to Tenant administrator mandatory 2-step verification FAQ.

14 Nov 2023

Key features

Next generation scripting enhancements (AME-25928)

The next generation scripting engine for journey decision node scripts lets you:

  • Reduce the need to allowlist Java classes with a stable set of enhanced bindings.

  • Simplify scripts with fewer imports and more intuitive return types that require less code.

  • Debug efficiently with clear log messages and a simple logging interface based on SLF4J.

  • Make requests to other APIs from within scripts with a more intuitive HTTP client.

  • Modularize your scripts by reusing common code snippets, including external libraries such as CommonJS, with library scripts.

  • Access identity management information seamlessly through the openidm binding.

The next generation engine can’t use legacy scripts.

If your Scripted Decision node uses legacy scripts, you must convert them to use updated bindings to take advantage of the benefits of the next generation scripting engine.

Where possible, you should migrate legacy scripts to take advantage of next generation stability.

For more information, refer to Next-generation scripts.

Gateway Communication node (FRAAS-17380)

Lets Advanced Identity Cloud authentication journeys communicate directly with the PingGateway (${ig.abbr}).

This secure communication channel extends the Advanced Identity Cloud capabilities with ${ig.abbr} features, such as validating a Kerberos ticket and performing other certificate handshakes.

For details, refer to Gateway Communication overview.

Enhancements

  • FRAAS-3841: Activate and deactivate journeys in the Advanced Identity Cloud admin UI. Refer to Deactivate journeys.

  • IAM-4191: Allow tenant session cookie name to be configured. Refer to Session cookie name.

  • IAM-4735: Add support for schema discovery in application templates

  • IAM-4806: Show outbound tenant IP addresses in Advanced Identity Cloud admin UI. Refer to Access global settings.

  • IAM-4853: Add AS400 application template. Refer to the AS400 section in Provision an application.

Fixes

  • FRAAS-16785: Incorrect positioning of reCAPTCHA v2 elements

  • FRAAS-17883: Tenant administrators cannot save edits to their personal information

  • IAM-2936: Journeys hang indefinitely when using a State Metadata node within a Page node

  • IAM-4521: Screen readers announce field labels twice

  • IAM-4956: Advanced Identity Cloud admin UI doesn’t use the current realm when logging out

  • IAM-5113: Unable to remove an NAO assignment from a user in Advanced Identity Cloud admin UI

  • IAM-5226: Tenant administrator security questions should not be shown when editing personal information

  • IAM-5240: No error message displays when a tenant administrator fails to save edits to their personal information

October 2023

31 Oct 2023

Key features

New Autonomous Access capabilities[7] (DATASCI-1269)

User access behavior and tenant access behavior UI pages let administrators understand the typical authentication behavior for a selected user or for all users in the tenant for the past six months by displaying key metrics. Administrators can filter the UI to show certain login metrics, like time of day, city, country, day of week, device used for login, operating system, and browser type. Administrators can also compare a selected user’s authentication behavior to that of the authentication attempts for all other users in the tenant.

Enhancements

  • FRAAS-17373[8]: The following connectors included with Advanced Identity Cloud were upgraded from 1.5.20.15 to 1.5.20.17:

    • Adobe Marketing Cloud connector

    • Google Apps connector

    • Microsoft Graph API connector

    • Salesforce connector

    • SCIM connector

    Some highlights include:

    • OPENICF-900: SCIM connector: Add support for dynamically generated SCIM schemas

    • OPENICF-2453: SCIM connector: Persist optional refresh token upon successful access token renewal

    For a complete list of enhancements and fixes, refer to Connector changes.

  • IAM-4211: Display disaster recovery region in the Advanced Identity Cloud admin UI

  • IAM-4369: Remove AM applications from application list view

  • IAM-5045: Display pop-up warning when an end user is about to be logged out of an Advanced Identity Cloud hosted page

Fixes

  • ANALYTICS-311: The USER-LAST-LOGIN report doesn’t show results if the last journey failed

  • FRAAS-17413: Improve IDM service reliability during upgrades and routine maintenance

  • IAM-4698: Fix accessibility issues with messages in page nodes

  • IAM-4812: Correctly save array ESVs containing newline characters

  • IAM-4863: Display ESV buttons properly when the user gives them focus

  • IAM-4877: Display ESV selection button properly while user is modifying a script associated with a Scripted Decision node

17 Oct 2023

Key features

OneSpan Identity Verification node (FRAAS-13738)

Sends request to OneSpan to analyze the image and determine whether the document is genuine or fraudulent.

For details, refer to OneSpan Identity Verification node.

OneSpan Get User Authenticator (FRAAS-13160)

Retrieves the authenticators assigned to a user and helps enable user’s authentication and security levels.

For details, refer to OneSpan Get User Authenticator node.

New Identity Governance capabilities[3] (IGA-1691)

Access requests let end users request access to resources and let managers request that access be removed from their delegates. The list of resources an end user can request access to is referred to as the access catalog.

Manage access request workflows is a new feature that lets you optionally define flows to include business logic, decisions, and approvals. For example, decide what happens when an approver rejects an access request for an application. Workflows currently only supports access request-related features.

New options in the Advanced Identity Cloud end-user UI let end users submit access requests, submit requests to remove access, and review assigned request items:

  • The My Requests option lets you view and create access requests to resources (applications, roles, entitlements) for yourself or on behalf of others.

  • The My Directory > Direct Reports option lets managers submit access removal requests.

  • The Inbox > Approvals option lists request items (requests an end user submits) for an approver (designated owner) to act on.

Enhancements

  • IAM-3648: ESV placeholders can now be entered from a drop-down list

  • IAM-3651: ESV placeholders can now be entered from key-value input fields

  • IAM-4236: Improve layout of the applications reconciliation tab

  • IAM-4367: Separate the connection status of OAuth 2.0 client applications into a dedicated list

  • IAM-4662: ESV placeholders can now be entered from tag input fields

  • IAM-4717: Added date, datetime, and time fields to the login UI

  • IAM-4789: Grant roles now show temporal constraints

  • OPENAM-20847: Sanitized HTML can now be added into messages for the Email Suspend node

Fixes

  • FRAAS-17235: Validate ESV values correctly when they are wrapped in white space

  • FRAAS-17283: Tenant status pages not automatically updated during downtime

  • IAM-4235: Passthrough authentication using AD connector fails if set up in UI and user DN includes a space

  • IAM-4418: Fix accessibility issues with multi-select input fields

  • IAM-4489: Align checkbox color with other form elements

  • IAM-4491: Correctly label sidebar buttons when expanded or collapsed

  • IAM-4492: Make navigation bars in end-user UI accessible for screen readers

  • IAM-4528: Outbound reconciliation mapping preview shows generated password value

  • IAM-4798: The aria-label is now correctly displayed for all component types on sidebar buttons

  • OPENIDM-19192: Personal information is still editable by end users when User Editable is set to false

03 Oct 2023

Key features

Query Parameter node (AME-24069)

Allows you to insert query parameter values from a journey URL into configurable node state properties. This lets you customize journeys based on the query parameter values.

For details, refer to Query Parameter node.

Enhancements

  • IAM-3650: Add a drop-down menu to checkbox inputs for selecting ESV placeholders

  • IAM-3826: Add the ability to specify a source and transformation script when mapping application properties.

  • IAM-4515: Include autocomplete attribute with login form fields

  • IAM-4525: Update profile picture modal with accessibility improvements for screen readers

  • IAM-4567: Add a warning when running reconciliations and selecting the persistAssociations option. For details, refer to View a report about the last reconciliation.

  • IAM-4576: Increase time on screen for loading spinner so that screen readers can announce it

  • IAM-4616: Include contextual information with the show/hide buttons for improved accessibility

  • OPENAM-21073: Request headers are now accessible in OAuth 2.0/OIDC scripts for OIDC_CLAIMS, OAUTH2_ACCESS_TOKEN_MODIFICATION, and OAUTH2_MAY_ACT script contexts using the requestProperties binding

  • OPENAM-21346: Add classes java.util.concurrent.TimeUnit, java.util.concurrent.ExecutionException, and java.util.concurrent.TimeoutException to the scripting allowlist

  • OPENAM-21355: Jakarta AWS region (ap-southeast-3) enabled for the PingAM push notification service

  • OPENAM-21416: Canada Central AWS region (ca-central-1) enabled for the PingAM push notification service

Fixes

  • IAM-4366: Provide browser-specific logic to handle alternative CSS for accessibility

  • IAM-4409: Require at least three characters before running identity searches when there are more than 1000 identities of that type

  • IAM-4460: Screen readers read show/hide buttons for security questions as show/hide password

  • IAM-4478: Only allow certain combinations of properties in a mapping transformation script

  • IAM-4493: Fix the heading hierarchy in the UI

  • IAM-4523: Screen readers read avatar alt text when tabbing to action menu

  • IAM-4524: Two buttons with different labels open the same dialog

  • IAM-4568: Do not enable the option to change a user association in the UI

  • IAM-4584: Drop-down boxes fail ADA compliance

  • IAM-4639: String/password field button is highlighted in the UI

  • IAM-4703: Fix display of password fields in some themes

  • IAM-4710: Fix rounded border of password fields in hosted pages

  • IAM-4829: Eye icon displays over the password field highlight box in the UI

  • OPENAM-18599: Allow customization of the error message that displays to end users when their account is locked or inactive using .withErrorMessage() in a Scripted Decision node

  • OPENAM-18685: Use the OAuth2 Provider service in the AM admin UI to specify if tokens issued should contain the subname claim

  • OPENAM-19261: Errors are incorrectly logged when triggered by introspection of tokens using OAuth 2.0 client credentials grant

  • OPENAM-20451: The WebAuthn Registration node now displays an end user’s userName when registering a device when the identity’s name isn’t human-readable

  • OPENAM-21158: Add support for trusted platform module (TPM) attestation using elliptic curve cryptography (ECC) unique parameter validation starting with Windows 11 version 22H2

  • OPENAM-21304: The request_uris field does not populate when OAuth 2.0 clients register using dynamic client registration

September 2023

26 Sep 2023

Fixes

  • FRAAS-17278: Health status reports for AM, IDM, and Admin services incorrectly reported as available in some situations

  • IAM-4843: The user column in the certification task list now shows a user’s full name instead of only the first name

  • IAM-4903[9]: Fix IGA calls that are not working in a custom domain

  • IAM-4915[9]: Fix Access Review UI that shows the JSON object of the manager relationship in the User Details modal

19 Sep 2023

Fixes

  • OPENAM-21390: Fix caching error to correctly provide data to nodeState when a journey switches server instances

05 Sep 2023

Key features

Salesforce Community User application template (IAM-4340)

Provision, reconcile, and synchronize Salesforce, Salesforce Portal, and Salesforce Community accounts.

OneSpan Auth VDP User Register node (FRAAS-15426)

Registers end users to authenticate using the virtual one-time password (VOTP).

For details, refer to OneSpan Auth VDP User Register node.

OneSpan Auth Assign Authenticator node (FRAAS-15426)

Assigns a VIR10 authenticator to an end user if the end user isn’t already assigned to one. Requires a VIR10 authenticator to be available in the tenant.

OneSpan Auth Generate VOTP node (FRAAS-15426)

Generates a virtual one-time password (VOTP) and delivers it to an end user through the node’s configured delivery method. Requires the end user to be assigned to a VIR10 authenticator.

For details, refer to OneSpan Auth Generate VOTP node.

August 2023

28 Aug 2023

Key features

Add preference-based provisioning to Privacy and Consent settings (IAM-4243)

End users in target applications can share their data with other applications. After the end user configures a preference to share data with other applications, data from the target application is synchronized with Advanced Identity Cloud.

For details, refer to End-user data sharing.

Enhancements

  • AME-25061: Provide additional context information in Marketplace authentication nodes to enable UI improvements

  • IAM-3502: Add the ability to set and reset a sync token for identity management account object type. For details, refer to Reset the last reconciliation job.

  • IAM-3678: Update error messages and labels in login and signup pages

  • IAM-3962: Improve design of push number challenge page for Push Wait node

  • IAM-4248: Add three additional non-account objects to ServiceNow page

  • IAM-4326: Improve onLink script to handle mapped properties of type array and object

  • IAM-4334: Update SuccessFactors application templates to support Advanced Identity Cloud built-in SuccessFactors connector

Fixes

  • IAM-3877: UI loader spins indefinitely when realm is deactivated

  • IAM-4093: Replace Google Fonts in the login UI to meet GDPR compliancy requirements

  • IAM-4176: Advanced setting query filter does not show all available properties

  • IAM-4240: Accessibility issues in Page node when NVDA readers are used

  • IAM-4261: Accessing end-user UI with query parameter "code" displays empty page

  • IAM-4371: Unable to create applications due to userpassword property set

  • IAM-4384: Platform UI does not resume journeys with custom redirect logic

  • IAM-4427: Platform UI does not show assignments for tenants running deprecated application management

  • IAM-4475: Platform UI does not load after tenant administrator signs into an upper tenant during promotion

  • IAM-4533: Journeys do not resume correctly when returning from a social identity provider without a realm identifier

  • IAM-4534: Redirect callbacks for journeys not working correctly

  • OPENAM-18004: Audit logging does not specify transaction IDs correctly for internal requests to certain APIs

  • OPENAM-18709: Calls to the nodeState.get() method in Scripted Decision nodes do not return values in shared state when a variable is stored in both shared state and secure state

  • OPENAM-20230: Calls to classes in the allowlist fail occasionally with access prohibited messages

  • OPENAM-20682: Unable to encrypt id_token error when there are multiple JWKs with the same key ID but different encryption algorithms

  • OPENAM-20691: Session quota reached when oldest session is not destroyed due to race condition

  • OPENAM-20783: Logging is incorrect when the authorization code grant flow is used successfully

  • OPENAM-20920: Null pointer exceptions when a SAML v2.0 binding is null and the SSO endpoint list contains non-SAML v2.0 entries

  • OPENAM-20953: Policy evaluation with a subject type JwtClaim returns HTTP response code 500

  • OPENAM-21001: Custom scripted SAML v2.0 IDP account mappers are determined incorrectly

  • OPENAM-21004: Invalid session ID error when session management is disabled in an OIDC provider

  • OPENAM-21046: The Create Object and Patch Object nodes do not log exception stack traces when they can’t retrieve the object schema

  • OPENAM-21164: XML string formatted incorrectly when using a custom adapter to get the assertion from a SAML v2.0 response

9 Aug 2023

Fixes

  • FRAAS-16471: ESV variables and secrets API endpoints slow for large result sets

  • FRAAS-16271: ESV secrets could be incorrectly marked as "not loaded" when tenant has many ESVs


1. This release focuses on internal improvements and technical updates to enhance the overall stability, performance, and maintainability of the platform. While there are no direct customer-facing changes, these updates lay the groundwork for future feature releases and improvements.
2. This issue was inadvertently excluded from the rapid changelog.
3. This issue applies to a feature only available in PingOne Identity Governance, which must be purchased separately.
4. This issue is a hotfix so has been released in the rapid and regular channels at the same time.
5. This feature was released earlier but the required scopes were not yet available.
6. This issue was released on January 9, 2024 but inadvertently excluded from the regular changelog.
7. This change applies to a feature only available in PingOne Autonomous Access, which is an add-on capability and must be purchased separately.
8. The updated connectors for FRAAS-17373 were originally listed as: Database Table connector, Microsoft Graph API connector, Oracle EBS connector, Salesforce connector, SCIM connector, ScriptedSQL connector.
9. This issue was released as a hotfix but inadvertently excluded from the rapid changelog.