AME-29769: The Social Provider Handler node has a new configuration option, Store Tokens, that allows access and refresh tokens to be stored in the transient state.

AME-27074: Added a new configProviderScript action to each authentication node endpoint to generate a configuration provider template script For example, authentication/authenticationtrees/nodes/MessageNode?_action=configProviderScript.

AME-28258: Added a new "webAuthnExtensions" input to the WebAuthn Registration and Authentication nodes. This can be set via a Scripted Decision node. It is expected to contain a map of extension name to input. Output is currently not available.

AME-28384: The outcome of a Scripted Decision node can now also be a CharSequence type.

AME-28777: The refresh token grace period now applies to both client-side refresh tokens and server-side refresh tokens.

AME-29157: Authentication nodes with limited possible outcomes are now available to the Configuration Provider node, including:

OPENAM-22601: You can now use the next-generation script binding, utils, to generate secure random numbers.

OPENAM-22811: NodeState has two new methods: mergeShared(Map<String, Object>) and mergeTransient(Map<String, Object>). Use them to merge keys into the shared/transient state, including objectAttributes keys.

OPENDJ-11012: Added support for Microsoft Identity Cloud PBKDF2-SHA512 password scheme in Advanced Identity Cloud.

AME-25491: The Configuration Provider node script now correctly reads node state after an inner tree callback.

AME-28786: Removed several unused UI properties from default social identity provider profiles.

AME-29027: WebAuthN attestations containing a self-signed root CA are now rejected instead of silently removed.

OPENAM-22465: Fixed error to return invalid_resource_uri when request_uri client doesn’t match request parameter client in PAR authorize request.

OPENAM-22675: In next-generation scripting, you can now set a default name correctly when creating a NameCallback.

OPENAM-22688: Page node localization now defaults to correct locale when the incoming accepted-language header doesn’t match the node’s language configuration.

IAM-6388: Added the ability to specify that inner journeys can’t be accessed directly. Learn more in Custom journeys.

IAM-7185: The mapping tab for application provisioning now shows the inbound or outbound application type without needing to inspect a drop-down.

OPENIDM-19810^[6]: The _refProperties of the last relationship field leading to a vertex, whose state is harvested to constitute the RDVP state, can now be included in this RDVP state.

OPENIDM-19847^[6]: The accountType for application grants is now configured in the object mapping under "accountTypes".

OPENIDM-20371^[6]: IDM now allows up to 20 indexed string attributes per user in both Alpha and Bravo realms.

OPENIDM-20372^[6]: IDM now supports up to ten custom relationships per managed object, except for one-to-many relationships.

IAM-7415: When creating an assignment, the _id is now automatically generated instead of using the name specified.

IAM-7187: Integration of SAP app template with IDM scripts.

IAM-7243^[7]: Added text field to utilities category in IGA access request forms.

IAM-7385: Unable to create user when required boolean property is set to false.

FRAAS-21728: Updated the cookie domain API to add default values for GET requests where cookie domain values haven’t been overridden by a PUT request. The default values are derived from the existing tenant cookie domain configuration, so are backward compatible.

AME-26594: Added secrets API binding to all next-generation script contexts.

AME-27129: Added option to exclude client certificate from SAML hosted SP metadata.

AME-27792: Added AM-TREE-LOGIN-COMPLETED audit log event that outputs a result of FAILED.

AME-27839: Added the ability to specify connection and response timeouts for Http Client service instances.

AME-28008: You can now disable certificate revocation checks, or all certificate checks entirely, on your Http Client service instances.

IAM-4753: Added a toggle to the application catalog to hide deprecated templates.

OPENIDM-19698: Added ability to use wildcards in the watchedFields property.

OPENAM-22666: The well-known endpoint is no longer required when configuring a social identity provider service. If it is not provided, AM uses the client secret for signature verification.

SDKS-1752^[6]: Enhance WebAuthn Authentication node, OATH Token Verifier node, and Push Result Verifier node to store creation date and last sign-on date.

FRAAS-16228: Promotions are now halted if the AM CORS service is disabled; the service is essential to the correct functioning of promotions.

FRAAS-21715: Environments can now be unlocked if configuration rollback fails because there are no promotions to roll back.

OPENAM-15410: Fixed an issue that prevented customization of claims if profile and openid scopes are requested.

OPENAM-20609: Fixed inconsistent error message when generating access token using refresh token after changing username.

OPENAM-21974: Adds an OAuth 2.0 client configuration for the new version of the LinkedIn provider.

OPENAM-22298: Log unretrieved SP and IdP descriptors in SAML2 Authentication node.

OPENIDM-19336: Fixed an issue where delegated administrators couldn’t add new users to their organization.

OPENIDM-20238: Fixed an issue where clustered reconciliation can fail with "Expecting a Map or List" under specific circumstances.

IAM-6493: The PingOne application template now supports specifying an LDAP gateway.

IAM-6868: Added screen reader label to end-user access approval button.

IAM-6870: Added screen reader label to end-user access request button.

IAM-6880: Added a toggle in the hosted pages journey settings to disable the error heading fallback that displays if there is no heading in the page content. (FORGEROCK-1582)

FRAAS-21713: The promotion process now retries getting an access token from the lower environment, preventing promotion failures.

IAM-7033: Unable to save user filter in AD/LDAP app template.

IAM-7011: Older app templates are no longer marked "deprecated".

IAM-5233: Update SAP SuccessFactors app template to support connector version 1.5.20.22.

IAM-6874: Update journey analytics to use hourly data.

FRAAS-21318: Promotion report now categorizes AM session service changes correctly.

AME-26135^[6]: The Advanced Identity Cloud admin UI now lets you configure a secret from a secret store for these features:

IAM-4279: Display available ESV placeholders in Decision Node script editor.

IAM-4654: Enable creation of all script types in Advanced Identity Cloud admin UI.

FRAAS-20397: The promotion process now retries tagging the lower environment after a network interruption, preventing blocking promotion failures.

IAM-5356: Session logout warning not displaying when maximum idle time set to a higher value than maximum session time.

IAM-6628: New draft option shouldn’t exist for out-of-the-box workflows.

IAM-6779: Pagination for list of apps not working when there are over 4000 apps.

FRAAS-20970: The /monitoring/logs endpoint now returns an X-Ratelimit-Limit header with a fixed value of 60. Previously, the value was misleading due to the way it was calculated when scaling an environment’s resources. The X-Ratelimit-Remaining header continues to report the number of requests that may be sent before receiving a rate limited response.

FRAAS-20983: Promotion reports now list changes to the default OAuth 2.0 provider.

OPENIDM-20142: Resolved a communication failure between Advanced Identity Cloud and RCS instances that could result in a prolonged failure to activate remote connectors.

OPENIDM-20178: You can’t use scope private fields in query filters. For more information, refer to Security Advisory #202402.

IAM-4785: Synchronize only the modified properties on a target source during reconciliation of applications.

IAM-5487: Correlation rules moved to the top of the reconciliation settings page.

IAM-6231: Scripted Decision Node now updates the list of scripts when a script is added or edited.

IAM-6544: Add reviewer column to administrator list view of compliance violations.

FRAAS-20604: Removed superfluous AM metrics related to token store internals:

IAM-6135: ESV values containing accents get corrupted by encoding process.

IAM-6562: Label duplicated for OAuth 2.0 access token and ID token endpoints.

IAM-6669^[7]: Badge count of violations in end-user navigation doesn’t update when an action is performed.

OPENIDM-18495^[8]: Disable sorting in the connector data tab in the IDM admin UI (native console). (FORGEROCK-1582)

AME-26199: Added the ability to set additional claims, including non-registered claims, during JWT assertion and generation, as per the specification.

AME-26820: Provided library scripts with access to all common script bindings.

AME-26993: Enhanced secret mapping for agents. Updating a secret label identifier value now causes any corresponding secret mapping for the previous identifier to also be updated, provided no other agent shares that secret mapping. If another agent shares the secret mapping, PingOne Advanced Identity Cloud creates a new secret mapping for the updated identifier and copies its aliases from the previously shared secret mapping.

AME-27346: Renamed Secret ID Identifier to Secret Label Identifier in the SAML remote entity provider configuration.

AME-27478: Renamed Client ID Token Public Encryption Key property to ID Token Encryption Public Key in the OAuth 2.0 client configuration.

AME-27775: Added scripting thread pool metrics per script context.

OPENAM-16564: Enabled next-generation scripts to access the cookies in incoming requests.

OPENAM-21800: Added page node functionality to next-generation scripts.

OPENAM-21933: Enabled auto-encoding of the httpClient form body in next-generation scripts.

FRAAS-20786: Fixed the case where a promotion attempts to delete the same application more than once.

FRAAS-19461: Fixed an issue where large audit logs could be missing from IGA events and processing.

FRAAS-20154: ESVs with special characters are now correctly encoded. The workaround of double-encoding ESVs is no longer required.

OPENAM-21748: Restored the missing get wrapper function for HiddenValueCallback in next-generation scripting.

OPENAM-21830^[6]: Unable to get entitlement info hashmap values in SAML IdPAdapter script

OPENAM-21864: Fixed an issue that prevented setting the tracking cookie to resume a journey after returning from a redirect flow.

OPENAM-21897: Corrected inconsistent results from the policy evaluateTree endpoint.

OPENAM-21951: Enabled setting of the selectedIndex property in a ChoiceCallback in next-generation scripts.

OPENAM-22181: Corrected an issue with UMA approve and approveAll requests failing.

TNTP-166:

FRAAS-15404: When updating ESV secrets, the API saves a new secret version only when it differs from the previous value.

FRAAS-19982: Configuration promotion now fails if Advanced Identity Cloud services do not restart successfully with the new configuration.

IAM-6376: In the applications rules tab, you can now configure custom logic to perform specific actions, such as sending an email, when an account is successfully created or updated.

IAM-6380: In the applications rules tab, you can now use the provisioning failure rule to configure custom logic to perform specific actions when provisioning fails.

FRAAS-11180: Authentication session whitelisting is now enabled by default for new tenants

IAM-5593: Adding roles to certain objects no longer breaks readable titles

IAM-6537: Journey import now alerts users if they try to import a file containing missing references

IAM-6548^[6]: Advanced Identity Cloud admin UI now loads Identity Gateway profile properties

IAM-2653: Configure object properties with user-friendly display names.

IAM-3857: Application list view displays enabled/disabled status of enterprise apps.

IAM-5913^[7]: Create custom access request workflows.

IAM-6264: Approval actions display in the UI even when they are not available due to permissions.

IAM-6296: UI doesn’t display paginated results on application data and recon tabs.

IAM-6409: Logging out of UI generates malformed redirect realm URLs.

OPENAM-21575: Add org.forgerock.json.jose.jwe.JweHeader to the allowlist for the Scripted Decision node

IAM-3199: HTML styling in the Message node journey editor allows you to left justify text.

FRAAS-19334: Failure to look up service account names following changes applied through the ESV API.

IAM-5079^[7]: End-user roles page sometimes shows role grants as conditional even when the grants are direct.

IAM-5363^[7]: Show the total number of approvals and access reviews in the inbox.

IAM-5858^[7]: Missing support for access request global configuration options.

IAM-6138^[7]: The governance events filter builder incorrectly validates before and after properties in the user created state.

IAM-6176^[7]: The end-user access request rejection is missing a justification message.

IAM-6203^[7]: The governance events filter doesn’t use after temporal values for user created flows.

IAM-6209: The Advanced Identity Cloud admin UI navigation panel text appears when the panel is collapsed.

OPENIDM-19879: Identity management reconciliation service processes additional source query pages whenever a query returns a pagedResultsCookie.

OPENIDM-19924: Unnecessary quotes not being removed from email addresses.

TNTP-166:

FRAAS-19593: The promotion API incorrectly reports as ready, resulting in a blocking promotion failure when trying to promote (FORGEROCK-1319)

AME-26085: SAML v2.0 NameID mapping can be configured per SP

AME-27126: A SAML SP can now authenticate to IDPs using mutual TLS (mTLS) when making an artifact resolution request.

AME-27133: "Secret ID" has been renamed to "Secret Label" for secret mappings

The following services now support configuration using the Secrets API:

The following services now support rotation of secrets using secret versions:

OPENAM-21031: The performance of Google KMS has been improved by the introduction of caching.

FRAAS-19596: Promotion report should include changes to realm authentication settings.

OPENAM-21473: If you set the collection method of a Certificate Collector node to REQUEST, HEADER, or EITHER, and the certificate is not provided in the request or in the header, the node now returns a status of Not collected.

OPENIDM-19921: The following connectors included with Advanced Identity Cloud were upgraded to 1.5.20.21:

FRAAS-19414: You can now configure custom domains directly in all environments without needing to create ESVs or promote configurations. Existing custom domains will be migrated automatically.

FRAAS-19566: Add _sortKeys query parameter to ESV API

IAM-4585^[7]: Request and approvals page now shows the current and past approvers, their decisions, and the dates

IAM-4968: Expose additional top-level parameters in the advanced section of mapping pages

IAM-5674: Target application can use ONBOARD action for FOUND situation

IAM-5769: Add grouping logic to journey node items

IAM-3927^[7]: Identity Governance now enforces mandatory comments (if configured) for revoke and allow exceptions

IAM-4309^[7]: Access reviews no longer display the internal lastSync user attribute

IAM-4762: Authoritative apps are now requestable

IAM-4986: Platform UI can now determine whether to use a pagedResultsCookie or offset for paging results

IAM-5076^[7]: "Abstain from action" option no longer displays when a campaign has expired

IAM-5362: Marking a property as an authoritative app entitlement no longer causes target app config to be generated

IAM-5413: Account deprovisioning now works in AD/LDAP after deleting a user identity

IAM-5794: Border color of sign-in input fields in hosted pages can now be overridden in themes

IAM-5810: Add option for email configuration to specify UTF-8 address support

IAM-5814: Allow fixed application usernames to be chosen for custom SAML apps

IAM-5875: Journey editor no longer orphans deleted nodes

FRAAS-19341: ESV support for AES keys through the base64aes encoding type

IAM-5602: Add functionality for viewing and deleting user’s trusted devices in Advanced Identity Cloud admin UI

FRAAS-15371: Added ability to prevent search engines from indexing end user login pages

IAM-4257: Updated Azure AD app template to accommodate the latest changes

IAM-4342: Updated MSGraphAPI Connector with a new configuration property

IAM-4892: Updated Salesforce app template to accommodate the latest changes

IAM-4900: Added build number and next release cycle date range to user interface

IAM-5334: Exposed guarded string as an object type property in scripted template

IAM-5459: KBA answer field should contain question context

IAM-5461: Custom login error not read with priority

IAM-5503: Rename "Orchestrations" to "Workflows"

IAM-5563: Updated Google Apps app template to accommodate the latest changes

IAM-5603: Added ability to view device details for managed user identities

IAM-5606: Added "POWERED BY" metadata to journey nodes

IAM-5748: Made 'PingOne' a special case on the federation providers page

IAM-4918: Check that user has correct permissions when requesting access for other users

IAM-5287: Make username, password, and KBA fields H3 elements

IAM-5598: Prevent styled terms and conditions included in a journey from making authenticate call fail

IAM-5611: Correct ability to revoke custom apps from roles, or edit them from the role view

IAM-5641: Custom Endpoints search returned endpoints created by other areas of the UI

IAM-5692: Remove console errors when opening the "Add Bravo user" modal

IAM-5767: SAML SSO was not remembered when app is saved from another tab after SSO setup

IAM-5873: Fix .getTranslation call in Vue

OPENIDM-19405: Special non-ascii characters in emails sent from Advanced Identity Cloud would fail

FRAAS-19288: Autonomous Access and Identity Governance are now available in the Jakarta (asia-southeast2) region

FRAAS-18788: Add AWS, GCP, and SAP S/4HANA connectors to Advanced Identity Cloud

FRAAS-18693: Validation bug prevents use of the base64encodedinlined and keyvaluelist ESV expression types

FRAAS-18414: Changes to an out-of-the-box journey can be incorrectly displayed against both realms in a promotion report

OPENIDM-17878: Allow access to operational attributes in the Advanced Identity Cloud data store

OPENIDM-19674: The relationship-defined virtual property (RDVP) schema editor allows you to edit the flattenProperties property. The anaged object schema editor allows you to edit the notifyRelationships property.

FRAAS-18398: Allow the HTTP OPTIONS method on calls to /openidm/config/* endpoints for CORS preflight checks

FRAAS-18526: Script library functionality can’t be used in the UI in certain environments

IAM-5656: Fix alignment of text, buttons, and links in Message nodes

IAM-5660: Hosted pages not displaying list of themes

OPENIDM-18743: Attempts to use connectors fail with null pointer exceptions when operationOptions is defined in the provisioner configuration

OPENIDM-18957: The scheduler now attempts to release any triggers it attempted to acquire during a timeout due to an unresponsive repository

OPENIDM-19141: Workflow engine queries now properly honor tablePrefix and tablePrefixIsSchema configuration options

OPENIDM-19279: Resource collection is required to create a relationship

FRAAS-7382: Add ability to include JavaScript snippets in login and end-user UIs

IAM-4514^[7]: Allow reviewers to add user, entitlement, and role columns to an access review

IAM-4739: Add read schema option to SCIM application template to discover custom schemas/attributes

IAM-5138^[6]: Add ability to view reports to end-user UI

IAM-5201: Focus on first input field or button automatically upon page load

IAM-5268: Add source-missing situation rule to authoritative applications

IAM-4810: Custom endpoint UI missing context option

IAM-5072: Inbound mapping tab shows in target applications

IAM-5171: Azure Active Directory application template doesn’t return a user’s role membership

IAM-5187: LDAP v2.1 application template doesn’t clear dc=example,dc=com base DN

IAM-5238: LDAP application template is missing the group object classes property

IAM-5422^[7]: Entitlement owner doesn’t show in the entitlement list

OPENAM-21856: Introspecting stateless token with IG/Web agents will cause OAuth2ChfException

AME-22326: The httpClient available in scripts now automatically adds the current transactionId as an HTTP header. This lets you correlate caller and receiver logs to make requests to other ForgeRock products and services.

AME-25392: Add org.forgerock.openam.scripting.api.PrefixedScriptPropertyResolver, used for accessing ESVs from scripts, to the allowlist for SAML2_SP_ADAPTER and SAML2_IDP_ADAPTER script types

AME-25433: Add com.sun.crypto.provider.PBKDF2KeyImpl, javax.crypto.SecretKeyFactory, and javax.crypto.spec.PBEKeySpec to the allowlists for Scripted Decision nodes and Configuration Provider nodes

AME-25608: Add auditing for opening and closing connections for the LDAP decision node, ID Repo service, and Policy Configuration service

AME-25630: Add java.security.spec.InvalidKeySpecException to the allowlist for the Scripted Decision and Configuration Provider nodes

FRAAS-17939: Some connectors included with Advanced Identity Cloud were upgraded to the following versions:

IAM-4511: Hide fields in the Users & Roles tab when editing and creating unreadable properties

IAM-4615: Add a "Skip to main content" link to page headers

OPENAM-16897: The OAuth 2.0 Device grant flow can now return either JSON or HTML

OPENIDM-19037: Update property value substitution to reflect boolean value in the UI

COMMONS-1397: Audit event log entries not logged due to thread contention

FRAAS-17686: Add org.forgerock.json.jose.jwe.JweHeader to the allowlists for the AUTHENTICATION_TREE_DECISION_NODE and CONFIG_PROVIDER_NODE script types

IAM-4401: Disabling Clear-Site-Data header breaks realm login

IAM-4991: When a suspendedId is in use, redirect to failureUrl fails

IAM-5075: Login messages are read twice by screen readers

IAM-5186: User identity related values aren’t saved after removal

OPENAM-17331: Disabled SNS endpoints can now be re-enabled

OPENAM-17816: OAuth 2.0 requests without a Content-Type header fail with a 500 error

OPENAM-19282: Recovery Code Display node only works immediately after a registration node

OPENAM-19889: Policy evaluation fails when subject is agent access token JWT

OPENAM-20026: Social IDP with trailing whitespace in the name can’t be deleted using the UI

OPENAM-20329: Issuer missing from OAuth 2.0 JARM response

OPENAM-21053: Missing userId from access audit log when org.forgerock.security.oauth2.enforce.sub.claim.uniqueness=false in JWT client authentication flow

OPENAM-21421: Scripting logger name isn’t based on logging hierarchy convention

OPENAM-21476: Persistent cookie is not created when using Configuration Provider node

OPENAM-21484: Introspection of a stateful refresh token for claims field for known OAuth2 fields is now a string and not nested in a list

OPENIDM-19328: Fix queued sync to recover following node restart

IAM-5275: Advanced Identity Cloud admin UI doesn’t add query parameters to the logout URL

IAM-5289: Fix warning message when maxidletime is greater than 24.8 days

FRAAS-3841: Activate and deactivate journeys in the Advanced Identity Cloud admin UI. Refer to Deactivate journeys.

IAM-4191: Allow tenant session cookie name to be configured. Refer to Session cookie name.

IAM-4735: Add support for schema discovery in application templates

IAM-4806: Show outbound tenant IP addresses in Advanced Identity Cloud admin UI. Refer to Access global settings.

IAM-4853: Add AS400 application template. Refer to the AS400 section in Provision an application.

FRAAS-16785: Incorrect positioning of reCAPTCHA v2 elements

FRAAS-17883: Tenant administrators cannot save edits to their personal information

IAM-2936: Journeys hang indefinitely when using a State Metadata node within a Page node

IAM-4521: Screen readers announce field labels twice

IAM-4956: Advanced Identity Cloud admin UI doesn’t use the current realm when logging out

IAM-5113: Unable to remove an NAO assignment from a user in Advanced Identity Cloud admin UI

IAM-5226: Tenant administrator security questions should not be shown when editing personal information

IAM-5240: No error message displays when a tenant administrator fails to save edits to their personal information

FRAAS-17373^[12]: The following connectors included with Advanced Identity Cloud were upgraded from 1.5.20.15 to 1.5.20.17:

IAM-4211: Display disaster recovery region in the Advanced Identity Cloud admin UI

IAM-4369: Remove AM applications from application list view

IAM-5045: Display pop-up warning when an end user is about to be logged out of an Advanced Identity Cloud hosted page

ANALYTICS-311: The USER-LAST-LOGIN report doesn’t show results if the last journey failed

FRAAS-17413: Improve IDM service reliability during upgrades and routine maintenance

IAM-4698: Fix accessibility issues with messages in page nodes

IAM-4812: Correctly save array ESVs containing newline characters

IAM-4863: Display ESV buttons properly when the user gives them focus

IAM-4877: Display ESV selection button properly while user is modifying a script associated with a Scripted Decision node

IAM-3648: ESV placeholders can now be entered from a drop-down list

IAM-3651: ESV placeholders can now be entered from key-value input fields

IAM-4236: Improve layout of the applications reconciliation tab

IAM-4367: Separate the connection status of OAuth 2.0 client applications into a dedicated list

IAM-4662: ESV placeholders can now be entered from tag input fields

IAM-4717: Added date, datetime, and time fields to the login UI

IAM-4789: Grant roles now show temporal constraints

OPENAM-20847: Sanitized HTML can now be added into messages for the Email Suspend node

FRAAS-17235: Validate ESV values correctly when they are wrapped in white space

FRAAS-17283: Tenant status pages not automatically updated during downtime

IAM-4235: Passthrough authentication using AD connector fails if set up in UI and user DN includes a space

IAM-4418: Fix accessibility issues with multi-select input fields

IAM-4489: Align checkbox color with other form elements

IAM-4491: Correctly label sidebar buttons when expanded or collapsed

IAM-4492: Make navigation bars in end-user UI accessible for screen readers

IAM-4528: Outbound reconciliation mapping preview shows generated password value

IAM-4798: The aria-label is now correctly displayed for all component types on sidebar buttons

OPENIDM-19192: Personal information is still editable by end users when User Editable is set to false

IAM-3650: Add a drop-down menu to checkbox inputs for selecting ESV placeholders

IAM-3826: Add the ability to specify a source and transformation script when mapping application properties.

IAM-4515: Include autocomplete attribute with login form fields

IAM-4525: Update profile picture modal with accessibility improvements for screen readers

IAM-4567: Add a warning when running reconciliations and selecting the persistAssociations option. For details, refer to View a report about the last reconciliation.

IAM-4576: Increase time on screen for loading spinner so that screen readers can announce it

IAM-4616: Include contextual information with the show/hide buttons for improved accessibility

OPENAM-21073: Request headers are now accessible in OAuth 2.0/OIDC scripts for OIDC_CLAIMS, OAUTH2_ACCESS_TOKEN_MODIFICATION, and OAUTH2_MAY_ACT script contexts using the requestProperties binding

OPENAM-21346: Add classes java.util.concurrent.TimeUnit, java.util.concurrent.ExecutionException, and java.util.concurrent.TimeoutException to the scripting allowlist

OPENAM-21355: Jakarta AWS region (ap-southeast-3) enabled for the PingAM push notification service

OPENAM-21416: Canada Central AWS region (ca-central-1) enabled for the PingAM push notification service

IAM-4366: Provide browser-specific logic to handle alternative CSS for accessibility

IAM-4409: Require at least three characters before running identity searches when there are more than 1000 identities of that type

IAM-4460: Screen readers read show/hide buttons for security questions as show/hide password

IAM-4478: Only allow certain combinations of properties in a mapping transformation script

IAM-4493: Fix the heading hierarchy in the UI

IAM-4523: Screen readers read avatar alt text when tabbing to action menu

IAM-4524: Two buttons with different labels open the same dialog

IAM-4568: Do not enable the option to change a user association in the UI

IAM-4584: Drop-down boxes fail ADA compliance

IAM-4639: String/password field button is highlighted in the UI

IAM-4703: Fix display of password fields in some themes

IAM-4710: Fix rounded border of password fields in hosted pages

IAM-4829: Eye icon displays over the password field highlight box in the UI

OPENAM-18599: Allow customization of the error message that displays to end users when their account is locked or inactive using .withErrorMessage() in a Scripted Decision node

OPENAM-18685: Use the OAuth2 Provider service in the AM admin UI to specify if tokens issued should contain the subname claim

OPENAM-19261: Errors are incorrectly logged when triggered by introspection of tokens using OAuth 2.0 client credentials grant

OPENAM-20451: The WebAuthn Registration node now displays an end user’s userName when registering a device when the identity’s name isn’t human-readable

OPENAM-21158: Add support for trusted platform module (TPM) attestation using elliptic curve cryptography (ECC) unique parameter validation starting with Windows 11 version 22H2

OPENAM-21304: The request_uris field does not populate when OAuth 2.0 clients register using dynamic client registration

AME-25061: Provide additional context information in Marketplace authentication nodes to enable UI improvements

IAM-3502: Add the ability to set and reset a sync token for identity management account object type. For details, refer to Reset the last reconciliation job.

IAM-3678: Update error messages and labels in login and signup pages

IAM-3962: Improve design of push number challenge page for Push Wait node

IAM-4248: Add three additional non-account objects to ServiceNow page

IAM-4326: Improve onLink script to handle mapped properties of type array and object

IAM-4334: Update SuccessFactors application templates to support Advanced Identity Cloud built-in SuccessFactors connector

IAM-3877: UI loader spins indefinitely when realm is deactivated

IAM-4093: Replace Google Fonts in the login UI to meet GDPR compliancy requirements

IAM-4176: Advanced setting query filter does not show all available properties

IAM-4240: Accessibility issues in Page node when NVDA readers are used

IAM-4261: Accessing end-user UI with query parameter "code" displays empty page

IAM-4371: Unable to create applications due to userpassword property set

IAM-4384: Platform UI does not resume journeys with custom redirect logic

IAM-4427: Platform UI does not show assignments for tenants running deprecated application management

IAM-4475: Platform UI does not load after tenant administrator signs into an upper tenant during promotion

IAM-4533: Journeys do not resume correctly when returning from a social identity provider without a realm identifier

IAM-4534: Redirect callbacks for journeys not working correctly

OPENAM-18004: Audit logging does not specify transaction IDs correctly for internal requests to certain APIs

OPENAM-18709: Calls to the nodeState.get() method in Scripted Decision nodes do not return values in shared state when a variable is stored in both shared state and secure state

OPENAM-20230: Calls to classes in the allowlist fail occasionally with access prohibited messages

OPENAM-20682: Unable to encrypt id_token error when there are multiple JWKs with the same key ID but different encryption algorithms

OPENAM-20691: Session quota reached when oldest session is not destroyed due to race condition

OPENAM-20783: Logging is incorrect when the authorization code grant flow is used successfully

OPENAM-20920: Null pointer exceptions when a SAML v2.0 binding is null and the SSO endpoint list contains non-SAML v2.0 entries

OPENAM-20953: Policy evaluation with a subject type JwtClaim returns HTTP response code 500

OPENAM-21001: Custom scripted SAML v2.0 IDP account mappers are determined incorrectly

OPENAM-21004: Invalid session ID error when session management is disabled in an OIDC provider

OPENAM-21046: The Create Object and Patch Object nodes do not log exception stack traces when they can’t retrieve the object schema

OPENAM-21164: XML string formatted incorrectly when using a custom adapter to get the assertion from a SAML v2.0 response

FRAAS-16471: ESV variables and secrets API endpoints slow for large result sets

FRAAS-16271: ESV secrets could be incorrectly marked as "not loaded" when tenant has many ESVs

OPENIDM-19245^[6]: Fix IDM version qualifier to prevent ForgeRock REST proxy error

FRAAS-15974: Unable to promote empty configuration to reset staging environment

FRAAS-16041: Support Basic Authentication for Identity Cloud logging endpoints

OPENIDM-19240^[6]: Fix the "internal server error" message when configuring reconciliation mappings

IAM-2826: Filter the "Assignments" tab for identities so that it does not show overrides, entitlements, or resources

IAM-3408: Let provisioners use a range of connector versions

IAM-3677: Remove increment/decrement arrows from numeric input fields

IAM-3678^[6]: Improved ADA accessibility for error messages associated with input fields

IAM-3982: Let users filter risk activity using distributed attack as a risk reason

IAM-3983: Show distributed attack as a risk reason in the risk dashboard

IAM-4051: Improved ADA accessibility for drop-down boxes

IAM-4053: Improved ADA accessibility when NVDA readers are used on pages that use the Page node

IAM-4074: Add a loading animation to the pie chart component

IAM-4136: Use the tab key to move focus and remove tags in multi-select components

FRAAS-5756^[6]: Journeys don’t resume after authentication in downstream identity provider

FRAAS-9230: Sanitize aria-hidden fields

FRAAS-14214: Changing an existing ESV type is now denied by the API and new ESVs always require an explicit type

FRAAS-14262: Include changes to group privileges in the configuration promotions report

FRAAS-14706: Improve the detection of changes to complex configuration files and IDM script hooks in promotion reports

FRAAS-14897: Improve the rate limiting behavior of the /monitoring/logs endpoint

IAM-2026: Support versioning of the application and connector templates

IAM-2713: Prohibit editing of managed application objects

IAM-2972: Route users to the correct realm after granting Salesforce permissions

IAM-3089: Unable to exit a social provider and select a different social provider in a journey

IAM-3594: Correctly redirect control to the End User UI after authenticating with itsme

IAM-3719: Modals not showing display access review comments and activity

IAM-3939: Let end users switch to a different authentication journey

IAM-4013: When using a custom domain, originalLoginRealm is set incorrectly

IAM-4116: Don’t let access review users add reviewers with greater privileges than they themselves have

IAM-4134: User pop-up is visible in "Entitlement" tab

IAM-4200: Last certified date, decision, and actor displaying incorrectly in Governance account details

IAM-4242: Add "Conflicting changes" category to reconciliation summary

IAM-4289: Unable to assign non-account object properties to roles

IAM-4293: Access reviews and line items not shown for staged campaigns

IAM-4295: Reviewer not redirected back to pending reviews after access review sign off

OPENIDM-17481: Managed object schema can now describe a field as a nullable array and specify a default value for this field if not provided in a create request

OPENIDM-17771: Processing of a large number of scheduled jobs no longer causes all scheduled tasks to continuously misfire

OPENIDM-18192: Updating a relationship-defined virtual property (RDVP) on a managed object by signal receipt no longer causes other RDVP state within that object to be lost

OPENIDM-18292^[6]: Add support for the _fields request parameter to the sync getTargetPreview endpoint.

OPENIDM-18360: Use the full object state when validating requests made by a delegated administrator to modify a relationship

OPENIDM-18613: Provide the ability to remove the userPassword attribute

OPENIDM-18644: Correctly determine whether it’s possible to configure clustered reconciliation

OPENIDM-18807^[6]: Update user provisioning workflow sample to check for empty manager strings

OPENIDM-18895: Fixes support for multi-version concurrency control on managed object patches and updates

OPENIDM-18898^[6]: Add support for the _countOnly parameter in identity management scripts

OPENIDM-18980^[6]: Add a new metric to measure the duration of a LiveSync event

OPENIDM-19098^[6]: Enable ES6 support for identity management scripts

AME-24073: Expose the prompt_values_supported parameter of the provider configuration at the OIDC .well-known endpoint

AME-24175: Provide additional classes in the allowlist that scripts used in the Scripted Decision node

FRAAS-13293: Provide more accurate and granular information in promotion reports

FRAAS-14063: Remove orphaned unused scripts during promotion

FRAAS-15022: Improve promotion reports

IAM-2561: Allow adding applications to a user or role from the Identities > Manage page

IAM-3666: Add alternative text to QR code image

IAM-3676: Add keyboard controls to UI to select multiple values in multivalued lists

IAM-4030: Improve handling of identity provider and groups claims

IAM-4031: Generic OIDC configuration returns HTTP 400 Bad Request

OPENAM-18692: Set the minimum value for the Default Max Age property to 0

OPENAM-19745: Add support for EdDSA signing algorithm to WebAuthn Registration node

OPENAM-20541: Add additional inner classes to scripting allowlist to support RSA keypair generation

AME-24026: Allow specifying inputs required by the provider scripts in the Configuration Provider node

IAM-3550: When attempting to validate Office 365 applications, a blank screen appears

IAM-3580: Improve service accounts UI including error handling

IAM-4032: Federation enforcement is missing from the UI

FRAAS-10816: Include thread ID and remove control characters from some Identity Cloud log files for easier log correlation

FRAAS-14956: Promotion preview and report not showing all configuration changes

FRAAS-15188: Ensure environments can be recreated after deletion

OPENAM-12030: Authentication node instances are deleted when journeys containing them are deleted

OPENAM-13329: Display journeys with spaces in their name in the Authentication Configuration drop-down menu

OPENAM-13766: Route user session based on whether policy evaluation is requested or not

OPENAM-17179: Correctly delete a script if its referring journey is deleted

OPENAM-17566: Display account name instead of UUID in the ForgeRock Authenticator when using MFA

OPENAM-18488: Support certificate-based attestation in certificate chains terminating at an intermediate CA

OPENAM-20082: Show correct error message to locked out users

OPENAM-20104: Fix the fragment response mode for the OAuth 2.0 authorize endpoint

OPENAM-20187: Fix the "waiting for response" page so that it fails authentication as configured in the authentication journey

OPENAM-20230: Prevent class allowlist from failing for classes already on the allowlist

OPENAM-20318: Allow a restricted set of HTML tags to be rendered in page node headers and descriptions

OPENAM-20360: Fix default URL encoding to ensure ampersand characters are not double encoded in a SAML assertion

OPENAM-20386: Fix authentication node state reconciliation in some complex journeys

OPENAM-20451: Fix WebAuthn registration node to return a human-readable username

OPENAM-20457: Device Location Match node routes to "Unknown Device" outcome instead of failing the authentication journey when the previously stored location of the device is not provided

OPENAM-20479: Enhance OIDC authentication to handle unsecured JWS requests