---
title: Rapid channel changelog
description: Subscribe to get automatic updates. Learn more in Track rapid channel releases.
component: pingoneaic
page_id: pingoneaic:release-notes:rapid-channel-changelog
canonical_url: https://docs.pingidentity.com/pingoneaic/release-notes/rapid-channel-changelog.html
page_aliases: ["product-information:coming-soon.adoc"]
section_ids:
  april_2026: April 2026
  28_apr_2026: 28 Apr 2026
  changed_functionality: Changed functionality
  17_apr_2026: 17 Apr 2026
  enhancements: Enhancements
  14_apr_2026_rev1: 14 Apr 2026
  key_features: Key features
  enhancements_2: Enhancements
  fixes: Fixes
  09_apr_2026: 09 Apr 2026
  enhancements_3: Enhancements
  fixes_2: Fixes
  march_2026: March 2026
  30_mar_2026: 30 Mar 2026
  key_features_2: Key features
  fixes_3: Fixes
  24_mar_2026: 24 Mar 2026
  key_features_3: Key features
  enhancements_4: Enhancements
  fixes_4: Fixes
  23_mar_2026: 23 Mar 2026
  18_mar_2026: 18 Mar 2026
  key_features_4: Key features
  enhancements_5: Enhancements
  fixes_5: Fixes
  february_2026: February 2026
  27_feb_2026: 27 Feb 2026
  19_feb_2026: 19 Feb 2026
  fixes_6: Fixes
  changed_functionality_2: Changed functionality
  18_feb_2026: 18 Feb 2026
  enhancements_6: Enhancements
  fixes_7: Fixes
  17_feb_2025: 17 Feb 2025
  reversions: Reversions
  16_feb_2026: 16 Feb 2026
  fixes_8: Fixes
  13_feb_2026: 13 Feb 2026
  enhancements_7: Enhancements
  fixes_9: Fixes
  12_feb_2026: 12 Feb 2026
  enhancements_8: Enhancements
  fixes_10: Fixes
  09_feb_2026: 09 Feb 2026
  06_feb_2026: 06 Feb 2026
  enhancements_9: Enhancements
  fixes_11: Fixes
  changed_functionality_3: Changed functionality
  03_feb_2026: 03 Feb 2026
  enhancements_10: Enhancements
  fixes_12: Fixes
  january_2026: January 2026
  28_jan_2026: 28 Jan 2026
  fixes_13: Fixes
  27_jan_2026: 27 Jan 2026
  enhancements_11: Enhancements
  fixes_14: Fixes
  26_jan_2026: 26 Jan 2026
  23_jan_2026: 23 Jan 2026
  enhancements_12: Enhancements
  20_jan_2026: 20 Jan 2026
  14_jan_2026: 14 Jan 2026
  fixes_15: Fixes
  05_jan_2026: 05 Jan 2026
  fixes_16: Fixes
  december_2025: December 2025
  20_dec_2025: 20 Dec 2025
  17_dec_2025: 17 Dec 2025
  key_features_5: Key features
  enhancements_13: Enhancements
  fixes_17: Fixes
  15_dec_2025: 15 Dec 2025
  10_dec_2025: 10 Dec 2025
  enhancements_14: Enhancements
  fixes_18: Fixes
  november_2025: November 2025
  17_nov_2025: 17 Nov 2025
  enhancements_15: Enhancements
  fixes_19: Fixes
  changed_functionality_4: Changed functionality
  14_nov_2025: 14 Nov 2025
  12_nov_2025: 12 Nov 2025
  10_nov_2025: 10 Nov 2025
  05_nov_2025: 05 Nov 2025
  october_2025: October 2025
  31_oct_2025: 31 Oct 2025
  enhancements_16: Enhancements
  27_oct_2025: 27 Oct 2025
  enhancements_17: Enhancements
  fixes_20: Fixes
  24_oct_2025: 24 Oct 2025
  22_oct_2025: 22 Oct 2025
  20_oct_2025: 20 Oct 2025
  17_oct_2025: 17 Oct 2025
  16_oct_2025: 16 Oct 2025
  enhancements_18: Enhancements
  15_oct_2025: 15 Oct 2025
  08_oct_2025: 08 Oct 2025
  fixes_21: Fixes
  03_oct_2025: 03 Oct 2025
  september_2025: September 2025
  29_sept_2025: 29 Sept 2025
  26_sept_2025: 26 Sept 2025
  key_features_6: Key features
  enhancements_19: Enhancements
  fixes_22: Fixes
  25_sept_2025: 25 Sept 2025
  key_features_7: Key features
  enhancements_20: Enhancements
  fixes_23: Fixes
  19_sept_2025: 19 Sept 2025
  16_sept_2025_v2: 16 Sept 2025
  enhancements_21: Enhancements
  fixes_24: Fixes
  04_sept_2025: 04 Sept 2025
  03_sept_2025: 03 Sept 2025
  01_sept_2025: 01 Sept 2025
  key_features_8: Key features
  enhancements_22: Enhancements
  fixes_25: Fixes
  august_2025: August 2025
  29_aug_2025: 29 Aug 2025
  enhancements_23: Enhancements
  fixes_26: Fixes
  log_event_exporter_26_aug_2025: 26 Aug 2025
  key_features_9: Key features
  19_aug_2025_supplementary: 19 Aug 2025
  fixes_27: Fixes
  18_aug_2025: 18 Aug 2025
  enhancements_24: Enhancements
  15_aug_2025: 15 Aug 2025
  enhancements_25: Enhancements
  fixes_28: Fixes
  12_aug_2025: 12 Aug 2025
  07_aug_2025: 07 Aug 2025
  fixes_29: Fixes
  06_aug_2025: 06 Aug 2025
  enhancements_26: Enhancements
  july_2025: July 2025
  31_jul_2025: 31 Jul 2025
  fixes_30: Fixes
  30_jul_2025: 30 Jul 2025
  29_jul_2025: 29 Jul 2025
  28_jul_2025: 28 Jul 2025
  24_jul_2025: 24 Jul 2025
  23_jul_2025: 23 Jul 2025
  22_jul_2025: 22 Jul 2025
  21_jul_2025: 21 Jul 2025
  18_jul_2025: 18 Jul 2025
  key_features_10: Key features
  enhancements_27: Enhancements
  fixes_31: Fixes
  17_jul_2025: 17 Jul 2025
  16_jul_2025: 16 Jul 2025
  key_features_11: Key features
  14_jul_2025: 14 Jul 2025
  fixes_32: Fixes
  01_jul_2025: 01 Jul 2025
  key_features_12: Key features
  enhancements_28: Enhancements
  fixes_33: Fixes
  removed: Removed
  june_2025: June 2025
  30_june_2025: 30 June 2025
  reversions_2: Reversions
  25_jun_2025: 25 Jun 2025
  fixes_34: Fixes
  24_jun_2025: 24 Jun 2025
  23_jun_2025: 23 Jun 2025
  enhancements_29: Enhancements
  fixes_35: Fixes
  18_jun_2025: 18 Jun 2025
  enhancements_30: Enhancements
  fixes_36: Fixes
  16_jun_2025: 16 Jun 2025
  13_jun_2025: 13 Jun 2025
  10_jun_2025: 10 Jun 2025
  enhancements_31: Enhancements
  fixes_37: Fixes
  06_jun_2025_supplementary: 06 Jun 2025
  enhancements_32: Enhancements
  fixes_38: Fixes
  06_jun_2025: 06 Jun 2025
  fixes_39: Fixes
  04_jun_2025: 04 Jun 2025
  03_jun_2025: 03 Jun 2025
  02_jun_2025: 02 Jun 2025
  may_2025: May 2025
  30_may_2025: 30 May 2025
  key_features_13: Key features
  enhancements_33: Enhancements
  fixes_40: Fixes
  23_may_2025: 23 May 2025
  enhancements_34: Enhancements
  fixes_41: Fixes
  22_may_2025: 22 May 2025
  21_may_2025: 21 May 2025
  fixes_42: Fixes
  15_may_2025: 15 May 2025
  13_may_2025: 13 May 2025
  12_may_2025: 12 May 2025
  enhancements_35: Enhancements
  09_may_2025: 09 May 2025
  08_may_2025: 08 May 2025
  enhancements_36: Enhancements
  06_may_2025: 06 May 2025
  05_may_2025: 05 May 2025
  fixes_43: Fixes
  02_may_2025: 02 May 2025
---

# Rapid channel changelog

Subscribe to get automatic updates. Learn more in [Track rapid channel releases](release-process.html#track-rapid-channel-releases).

For release notes published before May 2025, refer to the [Rapid channel changelog archive](rapid-channel-changelog-archive.html).

## April 2026

### 28 Apr 2026

**Version 21659.0**

#### Changed functionality

* Graceful shutdown of identity management services (OPENIDM-19536)

  **What changed?** When an identity management service instance shuts down, it now drains in-flight HTTP traffic before exiting. In-flight responses include a `Connection: close` header that signals clients to close persistent (keep-alive) connections.

  **Why it matters?** Previously, an integration that held long-lived connections in a connection pool could send a request over a connection to an instance that had already shut down, which resulted in transient `404` responses or connection errors. With this change, compliant HTTP clients close affected connections and reconnect on the next request, which eliminates those transient failures during routine restarts and upgrades.

  **What you need to do?** Nothing, in most cases. Standard HTTP client libraries and connection pools honor the `Connection: close` header by default. If you maintain a custom HTTP client or have explicitly disabled connection-close handling, verify that your client respects `HTTP/1.1` connection-close semantics.
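One way to run the check from the 28 Apr 2026 entry against a custom client, as an added example (not Ping Identity code): a local stand-in server, constructed for this test, sends `Connection: close` on one response and then closes that socket, and `check_client` reports whether the client under test reconnected. `DrainingServer`, `check_client`, and the two sample clients are hypothetical names; the server models only the header behavior the entry describes.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

BODY = b"ok"


class DrainingHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"  # persistent connections by default

    def setup(self):
        super().setup()
        with self.server.lock:  # one handler instance per TCP connection
            self.server.conns += 1
            self.conn_id = self.server.conns

    def do_GET(self):
        with self.server.lock:
            draining = len(self.server.seen) + 1 == self.server.drain_on
            self.server.seen.append((self.conn_id, draining))
        self.send_response(200)
        self.send_header("Content-Length", str(len(BODY)))
        if draining:
            # The in-flight response tells the client to drop the connection;
            # the handler closes the socket once the response is written.
            self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(BODY)

    def log_message(self, *args):  # keep the check quiet
        pass


class DrainingServer(ThreadingHTTPServer):
    """Constructed stand-in: request number `drain_on` gets Connection: close."""
    daemon_threads = True

    def __init__(self, drain_on):
        super().__init__(("127.0.0.1", 0), DrainingHandler)
        self.drain_on = drain_on
        self.lock = threading.Lock()
        self.conns = 0
        self.seen = []  # (connection id, response carried Connection: close)


def check_client(client, requests=4, drain_on=2):
    """Run client(host, port, n) -> list of statuses and inspect the server log."""
    server = DrainingServer(drain_on)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        statuses = client("127.0.0.1", server.server_address[1], requests)
    finally:
        server.shutdown()
        server.server_close()
    seen = server.seen
    return {
        "all_succeeded": len(statuses) == requests and all(s == 200 for s in statuses),
        # The request after the drained one must arrive on a new TCP connection.
        "reconnected": len(seen) > drain_on and seen[drain_on][0] != seen[drain_on - 1][0],
        "connections": len({conn_id for conn_id, _ in seen}),
    }


def stdlib_client(host, port, n):
    """http.client drops the socket on Connection: close and reopens it."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    statuses = []
    for _ in range(n):
        conn.request("GET", "/")
        resp = conn.getresponse()
        resp.read()
        statuses.append(resp.status)
    conn.close()
    return statuses


def naive_client(host, port, n):
    """Constructed non-compliant client: reuses one socket, ignores the header."""
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()
    statuses = []
    with socket.create_connection((host, port), timeout=5) as sock:
        for _ in range(n):
            try:
                sock.sendall(request)
                data = b""
                while not data.endswith(b"\r\n\r\n" + BODY):
                    chunk = sock.recv(4096)
                    if not chunk:
                        raise ConnectionError("peer closed the connection")
                    data += chunk
                statuses.append(int(data.split()[1]))
            except OSError:  # reset, broken pipe, or closed by the peer
                statuses.append(None)
    return statuses


if __name__ == "__main__":
    print("stdlib client:", check_client(stdlib_client))
    print("naive client: ", check_client(naive_client))
```

To test your own client, pass a function with the same `(host, port, n)` signature to `check_client`; a compliant client reports `reconnected: True` with every request succeeding.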

### 17 Apr 2026

**Version 21531.0**

#### Enhancements

* New binding for next-generation SP adapter scripts (OPENAM-26050)

  A new `authnRequestHelper` binding has been added for next-generation SP adapter scripts. This binding lets you retrieve and modify the destination property of the `AuthnRequest`.

  Note: This entry was revised on 29 April 2026 as OPENAM-26050 was inadvertently excluded from the changelog.

### 14 Apr 2026

**Version 21478.0**

#### Key features

* Snowflake connector (OPENIDM-21957)

  The [Snowflake connector](https://docs.pingidentity.com/openicf/connector-reference/snowflake.html) is now bundled with Advanced Identity Cloud. This new connector allows you to manage users, grant and revoke roles and database roles, and synchronize data between Advanced Identity Cloud and Snowflake.

  Learn more about the [1.5.20.33 Connector changes](https://docs.pingidentity.com/openicf/connector-release-notes/connectors.html#1_5_20_33_connectors).

* Identity Governance Access Modeling\[[1](#_footnotedef_1 "View footnote.")] (IGA-3696)

  Advanced Identity Cloud Identity Governance introduces a new feature called Access Modeling (role mining) that analyzes existing user-to-entitlement assignments to discover potential access roles that reflect how people use access in your environment. Using advanced machine learning, it examines current roles and entitlements across your access landscape to propose new role candidates and suggest changes to existing ones.

  Access Modeling is an Advanced Identity Cloud add-on capability that integrates with the Identity Governance add-on capability.

#### Enhancements

* IAM-1715: Improved the messaging on the back button for 404 pages in the Advanced Identity Cloud admin console.

* IAM-3829: You can now perform dry-run promotions in the Advanced Identity Cloud admin console.

* IAM-3834: The promotion report in the Advanced Identity Cloud admin console now distinguishes between dry-run and actual promotions.

* IAM-8149, IAM-8275, IAM-8988: Added the following configuration options to the Advanced Identity Cloud admin console when you create or edit a journey:

  * `Override authenticated session timeout`, `Maximum Session Time`, and `Maximum Idle Time`

  * `Transactional Only`

  * `No Session`

  Previously, these settings could only be configured over REST.

* IAM-8972: You can now configure managed objects and relationships in the Advanced Identity Cloud admin console.

* IAM-9819\[[2](#_footnotedef_2 "View footnote.")]: Added the ability to export custom reports.

* IAM-9822: You can now perform promotion rollbacks in the Advanced Identity Cloud admin console.

* IAM-9903\[[2](#_footnotedef_2 "View footnote.")]: Added the ability to import custom reports.

* IAM-9960: Widened the scope of the monitoring search feature. You can now search on `/payload/message`, and on just `/payload` in cases where the monitoring record's payload is a string.

* OPENIDM-22009: All connectors included with Advanced Identity Cloud were upgraded. Learn more in [1.5.20.34 Connector changes](https://docs.pingidentity.com/openicf/connector-release-notes/connectors.html#1_5_20_34_connectors).

* IGA-4036: Added the ability to add and remove members of an entitlement directly from the entitlement LCM users tab.

#### Fixes

* IAM-1907: Fixed an issue where custom endpoint search showed an incorrect message.

* IAM-2537: Fixed an issue where non-dashboard URLs didn't show a 404 page.

* IAM-2615: Fixed an issue where border radius settings affected the hosted pages editor preview.

* IAM-3453: Fixed styling issues with the back button.

* IAM-5439: Fixed an issue where an ESV couldn't be updated after its last value was deleted.

* IAM-7502: Fixed an issue where the color in the `Card Input Border Focus Color` hosted pages setting wasn't applied to the search field in the **My Applications** hosted account page.

* IAM-9475: Fixed an issue in the hosted journey pages where a journey was allowed to continue in the event of a password mismatch when a message node was on the same page.

* IAM-9752: Fixed an issue where VoiceOver gestures didn't work on drop-down lists.

* IAM-9842: Fixed an issue where VoiceOver didn't announce text for some page elements.

* IAM-9936: Fixed an issue with the query operation in the SaaS REST application where setting the type select field prevented the method select field from being cleared, and vice versa.

* IAM-9952: Fixed an issue where the table header for the action column was empty on several pages in the hosted account pages.

* IAM-9958: Fixed an issue where the table header for the action column was empty on several pages in the Advanced Identity Cloud admin console.

* IAM-10056: Fixed an issue on the **Auth Scripts** page where the modal body failed to load after clicking **New Script**.

### 09 Apr 2026

**Version 21386.0**

#### Enhancements

* FRAAS-31357: You can now use the `/environment/aiagent?_action=enable` endpoint to simplify the process of enabling the AI Agents feature in your sandbox environments. Learn more in [Enable the AI agents feature](rapid-channel/ai-agents-enable.html).

* IGA-4247\[[1](#_footnotedef_1 "View footnote.")]: Added two new log sources, `iga-api` and `jas`, to improve Identity Governance monitoring:

  * The `iga-api` log source captures Identity Governance events related to API requests, certifications, segregation of duties (SOD), events, glossary, and lifecycle management (LCM).

  * The `jas` log source captures events from the Java API Service (JAS), including receipt, republishing, and processing of identity management audit messages, as well as logging of entity creation and updates with success and failure tracking.

#### Fixes

* FRAAS-31613: Fixed an issue where password policy updates weren't properly replicating to the datastore in mutable environments.

## March 2026

### 30 Mar 2026

**Version 21182.0**

#### Key features

* Identity for AI (IAM-9357)

  You can now use *AI agents* to secure your organization's AI-driven solutions. AI agents are specialized OAuth 2.0 clients that are onboarded with their own identities. They can securely perform tasks on behalf of end users through a delegated token exchange process, ensuring distinct accountability and granular access control.

  You can use AI agents to securely build digital assistants that operate on behalf of end users, such as a chatbot on a retail website helping a user navigate products, or an internal workforce assistant acting on behalf of an employee to access enterprise tools like Salesforce.

  Learn more about AI agents in [Secure your AI-driven solutions using AI agents](rapid-channel/ai-agents.html).

#### Fixes

* FRAAS-31318: Fixed an issue where setting certain special characters in an ESV prevented the ESV from being interpreted correctly.

### 24 Mar 2026

**Version 21083.0**

#### Key features

* Partial support for Rich Authorization Requests (RAR) (AME-28325)

  The `/authorize` and `/par` endpoints now optionally accept the `authorization_details` parameter from the RAR (Rich Authorization Requests) specification RFC 9396, allowing clients to specify fine-grained authorization requirements.

* App Policy Decision node (AME-30063)

  The new [App Policy Decision node](https://docs.pingidentity.com/auth-node-ref/latest/app-policy-decision.html) is a specialized policy node that lets you enforce OIDC and SAML application access policies in journeys. You can use the node to filter access by group, organization, and more.

* Support for audience parameter in token exchange (AME-33970)

  A client can now specify audience parameters in OAuth 2.0 Token Exchange requests. These parameters can be allowlisted and, if valid, are included in the audience claim of the resulting token.

* Next-generation scripted JWT operations (OPENAM-25836)

  The `jwtValidator` and `jwtAssertion` bindings are now available in all next-generation scripts.

#### Enhancements

* AME-33573: Next-generation scripts now include `utils.base64url.encode()` and `utils.base64url.decodeToBytes()` for Base64URL encoding and decoding.

* AME-33971: Added a new Save and Test Connection button to the PingOne worker configuration screen, which lets you validate the connection.

* AME-33973: You can now configure the PingOne Worker Service connection using a credential JWT.

* AME-34248: You can now use next-generation scripts in the Social Provider Handler node to transform normalized profile data into identities or managed users.

* AME-34249: You can now use next-generation scripts in the OIDC ID Token Validator node. The `jwtClaims` binding now behaves as a native JavaScript object.

* AME-34540: You can now specify autocomplete attributes for username nodes.

* OPENAM-21474: A new `Minimum max_age for Authorize Requests` property is now available in the advanced OIDC settings of the OAuth 2.0 provider service.

* OPENAM-23610: The Return challenge as JavaScript (Legacy) property on the WebAuthn Authentication and WebAuthn Registration nodes is now disabled by default. Ping Identity recommends that you keep this setting.

* OPENAM-24523: You can now dynamically modify the scopes of a refresh token during the refresh flow with the new next-generation scope validation script binding, `scopeValidatorHelper`, and its method, `inheritAccessTokenScopesOnRefresh()`. This is useful when scope validation scripts alter access token scopes and you need the refresh token to inherit those changes.

* OPENAM-25901: Next-generation OAuth 2.0 scope validation scripts now have access to the `availableScopes` binding, which lists all scopes configured for the client. A new `throwInvalidScope()` method is also available to simplify error handling.

#### Fixes

* AME-34216, AME-34398: When using an SSO token as the subject for a policy with an `IDM user` environment condition, it now correctly resolves to the IDM `_id` instead of the user's AM universal ID.

  To give yourself time to update policies to use another property, you can temporarily revert this behavior by setting the ESV `esv.am.policy.condition.idm.universalId` to `true`.

* AME-34329: By default, parallel updates can no longer be made for CTS sessions. You can revert this behavior by setting the ESV `esv.cts.use.etag.assertion.on.updates` to `false`.

### 23 Mar 2026

**Version 21076.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 18 Mar 2026

**Version 21027.0**

#### Key features

* Policy Decision node (AME-28779)

  A new [Policy Decision node](https://docs.pingidentity.com/auth-node-ref/latest/policy-decision.html) lets you evaluate an authorization policy against resources within an authentication journey.

* Backchannel Notification node (AME-32579)

  Introduced a new [Backchannel Notification node](https://docs.pingidentity.com/auth-node-ref/latest/backchannel-notification.html) that allows a backchannel journey to send real-time status updates to the main authentication journey.

#### Enhancements

* FRAAS-28387: Invites for Advanced Identity Cloud tenant registration now use a one-time passcode (OTP) instead of a magic link. This change prevents email scanners from accidentally invalidating single-use links.

* AME-29745: Improved the certificate validation process in the Certificate Collector and Certificate Validation nodes. By default, Advanced Identity Cloud collects the *first* certificate in a certificate chain (the user certificate). You can now create an ESV named `esv-am-nodes-certificatechain-validation-enforced` and set its value to `true` to collect the chain of certificates.

* AME-33851: You can now use next-generation scripts for social identity provider transformation scripts.

* OPENAM-25329: The PingOne Protect Initialize node now includes an `Additional Signals SDK Initialization Options` attribute. This allows you to configure options that aren't already defined in the node. The `PingOneProtectInitializeCallback` has been updated with new fields to support this.

* OPENAM-25677: The `PingOneProtectInitializeCallback` now includes a `universalDeviceIdentification` field, which replaces the deprecated `enableTrust` field. The `enableTrust` field is still returned for backward compatibility.

#### Fixes

* IGA-4186\[[1](#_footnotedef_1 "View footnote.")]: Fixed an Identity Governance issue where the end-user UI did not correctly sort and paginate large user populations, improving responsiveness for large datasets.

* OPENAM-22698: Fixed a bug that caused duplicate URIs in WS-Federation responses.

## February 2026

### 27 Feb 2026

**Version 20814.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 19 Feb 2026

**Version 20712.0**

#### Fixes

* OPENIDM-21493: You can now cancel a clustered reconciliation even when a route associated with the source or target system is unavailable.

#### Changed functionality

* OPENIDM-21718: The `maxQueueSize` for [queued synchronization](../idm-synchronization/chap-implicit-live-sync.html#queued-sync) now defaults to `1000` and can't be configured to a value higher than `1000` or lower than `100`. The previous default was `20000`.

  The `pageSize` still defaults to `100`, but now can't be configured to a value higher than `100` or lower than `10`. If the configured `pageSize` is greater than `maxQueueSize / 10`, Advanced Identity Cloud uses `maxQueueSize / 10` for the page size.

  If you have any configuration outside of these bounds, Advanced Identity Cloud automatically adjusts the values to the nearest bound.

### 18 Feb 2026

**Versions 20698.0, 20705.0**

#### Enhancements

* AME-34191: You can now override the HTTP binding used to redirect users to the SAML error page. To do this, configure an [ESV variable](../tenants/esvs.html#variables) named `esv-global-saml-error-page-http-binding` and set its value to `HTTP-POST` or `HTTP-Redirect`. If you don't set this variable, Advanced Identity Cloud uses the default value of `HTTP-POST`.

* IAM-6546: End users now have more options to manage their devices in the hosted account pages. For each device, they can view when it was last used for sign on, view when it was added, edit its name, and delete it.

* IAM-9672: In the advanced sync **Mapping** tab, if no properties have been mapped, it now shows a more accurate description of the target and source identity objects whose properties can be mapped.

#### Fixes

* IAM-6640: Fixed an issue in the hosted pages theme preview where clicking **Edit Personal Info** opened two instances of the modal.

* IAM-8221: Fixed an issue in the terms & conditions live preview where interactive elements weren't disabled.

* IAM-9620\[[1](#_footnotedef_1 "View footnote.")]: Fixed an Identity Governance issue where clicking **Save** in the certification template creation wizard didn't disable the button after submission, which could result in the creation of unintended duplicate templates.

* IAM-9786: Fixed an issue where ESV placeholders manually entered into a field were always treated as strings, regardless of whether they were an array, list, or string.

* IAM-9886: Fixed a display issue on the **Reports Run History** tab where the pop-up menu items weren't displayed correctly.

### 17 Feb 2025

#### Reversions

**Versions 20552.0, 20554.0**

All identity management (`OPENIDM`) changes associated with this release have been withdrawn. This affects the following changelog entry:

* [06 Feb 2025](#06_feb_2026)

### 16 Feb 2026

**Version 20679.0**

#### Fixes

* OPENAM-25779: Deletion of the `samlApplication` object is now deferred for unsuccessful authentication journeys so that the object is still available for subsequent sign-on attempts in the same session.

### 13 Feb 2026

**Version 20645.0**

#### Enhancements

* The following OAuth 2.0 scripts can now use the next-generation scripting engine, which gives them access to common bindings such as `utils` and `openidm`:

  * AME-33228: OIDC claims

  * AME-33846: Scripted JWT validator

  * AME-33847: Scope validation

  * AME-33848: Authorize endpoint data provider

  * AME-33849: Scope evaluation

  * AME-33850: May act

* The following SAML 2.0 scripts can now use the next-generation scripting engine, which gives them access to common bindings such as `utils` and `openidm`:

  * AME-32919: SP adapter

  * AME-32920: IDP adapter

  * AME-32921: IDP attribute mapper

* AME-32969: You can now make sure the `samlApplication` binding is available for all SAML flows by enabling the application context in the hosted IdP or remote SP entity configuration. Previously, the binding was only added in certain situations, such as when using an application journey or IdP-initiated integrated mode.

* AME-32997: Added an `Allow Retry` option to the Backchannel Initialize node that lets end users retry a failed backchannel authentication journey.

* AME-33430: You can now include remote consent agent credentials in a `Basic Authentication` header for pushed consent requests.

* AME-33930: A new `testConnection` action on the `realm-config/services/pingOneWorkerService/workers/pingone-worker-service-name` endpoint lets you test the connection from Advanced Identity Cloud to PingOne.

* AME-33939: A new `listLatestNodeDefinitions` action on the `realm-config/authentication/authenticationtrees/nodes` endpoint provides a list of node definitions for the *latest* version of each node.

  This action combines the responses from the following separate actions into a single response:

  * `getAllTypes` action on the `realm-config/authentication/authenticationtrees/nodes` endpoint

  * `schema`, `template` and `listOutcomes` actions on the `realm-config/authentication/authenticationtrees/nodes/node-name` endpoint

* FRAAS-29084: Custom domains are now restricted to a maximum of 63 characters in the Advanced Identity Cloud admin console. This restriction has always existed on the system backend.

* OPENAM-22125: A new Proxy Configuration tab in the Http Client Service configuration lets you use separate proxy configurations per HTTP Client instance.

* OPENAM-24476: Added `java.util.zip` classes to the allowlist for the Scripted Decision node scripting context.

* The following enhancements have been made to the nodes provided with Advanced Identity Cloud:

  * AME-33009: Enhanced the RADIUS Decision node to capture Vendor-Specific Attributes (VSA) returned by the RADIUS server during authentication.

  * Enhancements to the PingOne Protect Evaluation node:

    * AME-33807: Fixed an issue where a default value was sent for the flow subtype. Previously, the node would fall back to using the value configured in Authentication Flow Subtype or Authorization Flow Subtype. Now, if nothing is found in the node state, the node doesn't send a value to PingOne Protect.

    * OPENAM-24557: Added a configuration property that lets you specify a custom session ID in the node state.

    * OPENAM-24562: Added two configuration properties that let you include a custom browser cookie and any externally maintained `deviceId` in the request sent to PingOne.

    * OPENAM-25553: Added a configuration property that lets you include user group information as part of a risk evaluation.

  * The following nodes now let you set custom headers on journey success, failure, and error:

    * AME-33813: Set Success Details node

    * AME-33874: Set Failure Details node

    * AME-33873: Set Error Details node

  * OPENAM-24419: Added a new [RSA SecurID](https://docs.pingidentity.com/auth-node-ref/latest/rsa-securid.html) node. This node replaces the Marketplace RSA SecurID node, which is now deprecated.

  * OPENAM-24546: Removed certain unused and unsupported configuration properties from the PingOne Protect Initialize node and its associated callback (`PingOneProtectInitializeCallback`).

  * OPENAM-25372: Added a [JWT Password Replay](https://docs.pingidentity.com/auth-node-ref/latest/jwt-password-replay.html) node to secure the user's password within an encrypted JSON Web Token (JWT). This node is used by PingGateway and replaces the old Password Replay scripting functionality.

  * OPENAM-24401: The CAPTCHA node now prevents submission after expiry.

  * OPENAM-24489: The Device Binding and Device Signing Verifier nodes now let you specify a clock skew between the client device and AIC. This helps prevent binding failures caused by clocks being out of sync.

* OPENAM-25371: Added a configuration property to the PingOne Verify Evaluation node to enable automatic redirection to the journey after an end user completes verification (when using the `Redirect` delivery mode).

* OPENAM-25618: The new `locales` binding lets you return the localized version of a string from a translation map. It is available to next-generation Configuration Provider node, Journey Decision node, and Device Match node scripts.

#### Fixes

* AME-33653: Custom nodes now work with the Configuration Provider node.

* AME-33808: If Node State Attribute For User ID is provided in the PingOne Protect Evaluation node, but the corresponding attribute is missing from the node state, the node triggers the failure outcome rather than using the user ID associated with the AM identity.

* AME-34217: Added a version setting to the Configuration Provider node. This update provides the underlying infrastructure for a node versioning feature in an upcoming release.

* OPENAM-21881: Updated the Page node to remove `pageNodeCallbacks` from the shared state after the node completes.

* OPENAM-23918: Resolved a race condition in the OATH Registration node and OATH Device Storage node where recovery codes could potentially be lost.

* OPENAM-24065: Improved consistency for error responses across realms when processing illegal arguments. The `/authenticate` call now correctly returns a 400 (Bad Request) instead of a 500 (Internal Server Error) for invalid arguments.

* OPENAM-25406: Added an `identity.exists()` method to next-generation objects returned by `idRepository.getIdentity()`. This lets scripts verify an identity's existence in the identity store before further processing.

### 12 Feb 2026

**Version 20612.0**

#### Enhancements

* ANALYTICS-1383\[[2](#_footnotedef_2 "View footnote.")]: The new historical change report feature provides a complete audit trail of changes to your managed identities. It tracks all modifications to user profiles, roles, accounts, and applications. You can easily generate reports to see what changed, who made the change, and when it happened, which gives you clear insights for compliance and security monitoring.

#### Fixes

* ANALYTICS-1326\[[2](#_footnotedef_2 "View footnote.")]: Fixed an issue in custom reports caused by relationships between custom identities that contain multiple underscores.

* ANALYTICS-1367\[[2](#_footnotedef_2 "View footnote.")]: Fixed an issue in custom reports caused by IP addresses in journey events.

### 09 Feb 2026

**Versions 20575.0, 20577.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 06 Feb 2026

Identity management changes in this release have been reverted. All OPENIDM changes associated with this release have been withdrawn.

**Versions 20552.0, 20554.0**

#### Enhancements

* OPENIDM-21472: When provisioning applications and using queued synchronization, changes to a user account now propagate to all associated accounts.

#### Fixes

* OPENAM-25702: The [PingOne Protect Evaluation node](https://docs.pingidentity.com/auth-node-ref/latest/pingone/pingone-protect-evaluation.html) again supports a Node State Attribute For Username setting. PingOne Protect risk evaluation calls can depend on the username.

* OPENIDM-21493: You can now cancel a clustered reconciliation even when a route associated with the source or target system is unavailable.

* OPENIDM-21776: The Advanced Identity Cloud identity management service now uses synchronous HTTP client requests to connect to external identity management, REST, and token introspection services. This change prevents connection closure exceptions from terminating reconciliation.

#### Changed functionality

* OPENIDM-21718: The `maxQueueSize` for [queued synchronization](../idm-synchronization/chap-implicit-live-sync.html#queued-sync) now defaults to `1000` and can't be configured to a value higher than `1000` or lower than `100`. The previous default was `20000`.

  The `pageSize` still defaults to `100`, but now can't be configured to a value higher than `100` or lower than `10`. If the configured `pageSize` is greater than `maxQueueSize / 10`, Advanced Identity Cloud uses `maxQueueSize / 10` for the page size.

  If you have any configuration outside of these bounds, Advanced Identity Cloud automatically adjusts the values to the nearest bound.
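The bounds above interact, so the effective values are not always obvious from the configuration alone. The following added example (not Ping Identity code) computes the values the entry describes for each mapping in a sync configuration. It assumes the settings live in a `queuedSync` object on each mapping, that bounds are applied before the `maxQueueSize / 10` cap, and that the division is integer division; the mapping names and sample configuration are constructed.

```python
"""Added example: effective queued-sync sizes under the OPENIDM-21718 bounds."""

# Bounds and defaults as stated in the changelog entry.
MAX_QUEUE_BOUNDS = (100, 1000)
PAGE_SIZE_BOUNDS = (10, 100)
NEW_DEFAULTS = {"maxQueueSize": 1000, "pageSize": 100}
OLD_DEFAULTS = {"maxQueueSize": 20000, "pageSize": 100}


def clamp(value, bounds):
    """Move an out-of-range value to the nearest bound."""
    low, high = bounds
    return max(low, min(high, value))


def effective_queued_sync(queued_sync):
    """Return the (maxQueueSize, pageSize) pair the entry describes.

    Assumption: bounds are applied first, then pageSize is capped at
    maxQueueSize / 10 (integer division). The entry doesn't state the order.
    """
    max_queue = clamp(
        queued_sync.get("maxQueueSize", NEW_DEFAULTS["maxQueueSize"]),
        MAX_QUEUE_BOUNDS,
    )
    page = clamp(
        queued_sync.get("pageSize", NEW_DEFAULTS["pageSize"]),
        PAGE_SIZE_BOUNDS,
    )
    return max_queue, min(page, max_queue // 10)


def audit_mappings(sync_config):
    """List (mapping, setting, before, after) for every value that changes.

    "before" is the configured value, or the previous default when unset.
    """
    findings = []
    for mapping in sync_config.get("mappings", []):
        queued = mapping.get("queuedSync") or {}
        if not queued.get("enabled"):
            continue  # queued synchronization is off for this mapping
        after = dict(zip(("maxQueueSize", "pageSize"),
                         effective_queued_sync(queued)))
        for key in ("maxQueueSize", "pageSize"):
            before = queued.get(key, OLD_DEFAULTS[key])
            if before != after[key]:
                findings.append((mapping.get("name"), key, before, after[key]))
    return findings


# Constructed sample configuration; mapping names are hypothetical.
SAMPLE_SYNC_CONFIG = {
    "mappings": [
        {"name": "systemLdapAccounts_managedUser",
         "queuedSync": {"enabled": True, "maxQueueSize": 20000, "pageSize": 100}},
        {"name": "managedUser_systemHr",
         "queuedSync": {"enabled": True, "maxQueueSize": 500, "pageSize": 100}},
        {"name": "managedUser_systemCrm",
         "queuedSync": {"enabled": True, "maxQueueSize": 50, "pageSize": 5}},
        {"name": "managedRole_systemApp",
         "queuedSync": {"enabled": True}},
        {"name": "managedUser_systemArchive",
         "queuedSync": {"enabled": False, "maxQueueSize": 50000}},
    ]
}

if __name__ == "__main__":
    for name, key, before, after in audit_mappings(SAMPLE_SYNC_CONFIG):
        print(f"{name}: {key} {before} -> {after}")
```
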

### 03 Feb 2026

**Version 20512.0**

#### Enhancements

* FRAAS-29829: Removed a reference to "PingOne Advanced Identity Cloud" from the `404 Not Found` error page.

#### Fixes

* AME-34034: Fixed an issue where omitting a shared secret label in the RADIUS Decision node caused Prometheus metrics to become unavailable.

## January 2026

### 28 Jan 2026

**Version 20408.0**

#### Fixes

* OPENAM-25707: Fixed [PingOneProtectInitializeCallback](../am-authentication/callbacks-interactive.html#PingOneProtectInitializeCallback) processing to prevent unwarranted HTTP 4xx and 5xx errors.

### 27 Jan 2026

**Version 20406.0**

#### Enhancements

* IAM-4464: Next-generation configuration provider scripts created through the journey editor now contain the default config for the selected node type.

* IAM-9709: Updated the journey editor to make fewer network calls when saving a journey that contains page nodes.

#### Fixes

* IAM-4345: Vertical tabs were missing a hover state.

* IAM-8033: Journey name field did not have a length check in place.

* IAM-8226: When importing a journey, if you skip the download backup option but then return to it using the **Previous** link, it now completes the backup before offering the download.

* IAM-9590: The message shown in the hosted pages for an unauthorized access attempt is now correctly centered on a single page.

* IAM-9687: When you enter a valid ESV placeholder in the URL field of a bookmark application, the field is now immediately disabled and shows a delete icon to remove the placeholder.

* IAM-9803: The link to the access management native console from the Advanced Identity Cloud admin console now always correctly links to the Alpha or Bravo realm.

### 26 Jan 2026

**Version 20385.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 23 Jan 2026

**Version 20359.0**

#### Enhancements

* FRAAS-23284: RCS connections to Advanced Identity Cloud now have a default timeout value of `10000` (10 seconds) for new tenants. Existing tenants retain the default timeout value of `-1` (no timeout).

### 20 Jan 2026

**Version 20340.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 14 Jan 2026

**Version 20285.0**

#### Fixes

* OPENAM-25646: For backward compatibility, we've restored the following deprecated fields sent to PingOne Protect by the PingOne Protect Initialize node (in the `PingOneProtectInitializeCallback`):

  * `consoleLogEnabled`

  * `deviceAttributesIgnored`

  * `customHost`

  * `lazyMetadata`

  * `deviceKeyRsyncIntervals`

  * `disableHub`

  |   |                                                                                                                                                                                                   |
  | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
  |   | These fields are deprecated and no longer supported in PingOne. This fix restores the fields but you should update your clients and scripts to remove the unsupported fields as soon as possible. |

### 05 Jan 2026

**Version 20185.0**

#### Fixes

* FRAAS-13233: AM script validation now ignores ESV placeholders in commented-out code.

## December 2025

### 20 Dec 2025

**Version 20133.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 17 Dec 2025

**Version 20090.0**

#### Key features

* AD Decision node to authenticate against Active Directory identity stores (AME-14959)

  The [AD Decision node](https://docs.pingidentity.com/auth-node-ref/latest/ad-decision.html) verifies that the provided username and password exist in the specified Active Directory data store. The node also checks whether the user account is locked, disabled, or has expired.

* Cache management service (AME-32248, AME-32285)

  A new scripted cache management service lets you create and use caches in Scripted Decision nodes. This can improve performance for slow tasks, such as fetching access tokens for third party services that can be reused between journeys. The service has its own metrics.

  Find more information in [Cache script values](../am-scripting/cache-manager.html).

* SAML 2.0 SP account mapper (OPENAM-23986)

  A new SAML 2.0 SP account mapper script type enables dynamic modification of SAML assertion data before it's used to identify local users.

  Find more information in [SP account mapper](../am-saml2/custom-sp-account-mapper.html).

* Support for SAML 2.0 IdP-initiated flows in integrated mode (AME-29258)

  You can now configure the hosted SP to redirect to a journey when a response is received from the IdP.

  Use the new configuration option to check that the IdP entity ID in the incoming SAML assertion matches the IdP entity ID configured for the node.

  A new method has also been added to the `samlApplication` script binding that returns the assertion as a JSON map.

  Find more information in [Redirect to a journey on the hosted SP](../am-saml2/configure-providers.html#config-redirect-journey).

#### Enhancements

* AME-31153: Consent request data can now be pushed via backchannel.

* AME-31429: A new field on the remote consent agent lets you include properties from the resource owner's session as part of the consent request.

* AME-31846: Next-generation Config Provider Node scripts can now access the following additional scripted node bindings:

  * `callbacks`

  * `callbacksBuilder`

  * `jwtAssertion`

  * `jwtValidator`

  * `resumedFromSuspend`

  * `requestCookies`

  * `samlApplication`

  * `oauthApplication`

* AME-32064: The [SAML2 Authentication node](https://docs.pingidentity.com/auth-node-ref/latest/saml2.html) includes a new configuration option, `validateIdpEntityId`. When set to `true`, the node validates that the IdP entity ID from the SAML assertion is the same as the IdP entity ID configured on the node.

* AME-32970: You can now access the application context for *all* OAuth 2.0 / OIDC flows through the `oauthApplication` binding by setting `Enable Application Context` in the OAuth 2.0 provider or at the client level. Previously, you could only use this binding when using an application journey.

* IAM-8244: Adds support for bidirectional mappings in synchronization configuration.

* IAM-8497: Added a brand administrator role to the Advanced Identity Cloud admin console. Brand administrators only have access to change hosted pages themes.

* IAM-9484: Added ability to provide translation overrides for the Waiting Message field in the Polling Wait node and the Email Suspend Message field in the Email Suspend node. This lets you provide translations when the `PollingWaitCallback` or the `SuspendedTextOutputCallback` callbacks are added using scripts.

* OPENAM-23711: Adds a `Detect connection timeout` option to the [Social Provider Handler node](https://docs.pingidentity.com/auth-node-ref/latest/social-provider-handler.html). When enabled, connection timeouts from social identity providers result in the journey following the Timeout outcome.

* OPENAM-24059: Adds support for the `android-key` WebAuthn attestation format.

* OPENAM-24130: The [PingOne Protect Evaluation node](https://docs.pingidentity.com/auth-node-ref/latest/pingone/pingone-protect-evaluation.html) now lets you set the flow subtype that's sent to PingOne Protect.

* OPENAM-24137: You can now configure the [PingOne Verify Evaluation node](https://docs.pingidentity.com/auth-node-ref/latest/pingone/pingone-verify-evaluation.html) to obtain biographic matching data from the node state.

* OPENAM-24350: Cryptographic keys can now be derived in next-generation scripts using the PBKDF2 algorithm.

* OPENAM-24548: The [PingOne Protect Initialize node](https://docs.pingidentity.com/auth-node-ref/latest/pingone/pingone-protect-initialize.html) now lets you obtain PingID Device Trust Agent attributes when going through a PingOne Protect flow.

* OPENAM-24552: The [PingOne Protect Evaluation node](https://docs.pingidentity.com/auth-node-ref/latest/pingone/pingone-protect-evaluation.html) now lets you send a target application name in addition to the existing target application ID, in the PingOne Protect evaluation request.

* OPENAM-24554: The [PingOne Protect Evaluation node](https://docs.pingidentity.com/auth-node-ref/latest/pingone/pingone-protect-evaluation.html) now lets you use targeted PingOne policies.

* OPENAM-24560: Removed the User Type and User Name fields from the PingOne Protect Evaluation node. The user type is always `EXTERNAL` and the user name is not applicable to external user types. Only the `User ID` is sent in the PingOne Protect evaluation request.

* OPENAM-24587: You can now configure Google Secret Manager key IDs (KIDs) as ESVs.

* OPENAM-25327: Next-generation OAuth 2.0 scripts can now access the `redirectUris` property on the `clientProperties` binding.

* OPENAM-25417: You can now configure the `SameSite` option for cookies in the [Set Persistent Cookie node](https://docs.pingidentity.com/auth-node-ref/latest/set-persistent-cookie.html) and the [Persistent Cookie Decision node](https://docs.pingidentity.com/auth-node-ref/latest/persistent-cookie-decision.html).

* OPENAM-25418: The attestation `fmt` type is now included in the transient state data of the WebAuthn nodes.

#### Fixes

* AME-32307: Fixed an issue where end users weren't able to continue a PingOne Verify journey that requested a QR code if they didn't have a separate device to scan the code.

* AME-32513: Added the `suspend` action to [Custom nodes](../journeys/node-designer.html).

* IAM-8766: Fixed an issue with [mustRun](../am-authentication/configure-authentication-trees.html#enable-journey-completion) journeys and query parameters such as `forceAuth=true`, where end users were authenticated then immediately unauthenticated.

* IAM-9430: A warning is now displayed in the Advanced Identity Cloud admin console when a promotion would cause a deferred release tenant to be upgraded at the same time.

* OPENAM-20582: Lets you configure a list of accepted JWT issuers for OAuth 2.0 clients. These are now accepted in addition to the OAuth 2.0 client ID for private key JWT authentication.

* OPENAM-23929: Fixed a performance issue related to schema caching.

* OPENAM-24297: Fixed an issue where the PingOne Verify Evaluation node incorrectly returned a failure outcome when the PingOne environment timed out during the identity verification process. This could happen, for example, if an end user didn't engage with the QR code or selfie capture. The update correctly detects the `TRANSACTION_TIMED_OUT` status in PingOne responses and returns the timeout outcome, letting journeys handle timeouts distinctly from failures.

* OPENAM-24309: The PingOne Verify Evaluation node now supports a list of values in an attribute sent for biographic matching.

### 15 Dec 2025

**Versions 20039.0, 20042.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 10 Dec 2025

**Version 19974.0**

#### Enhancements

* FRAAS-28686: For log streaming, the `am-everything` and `idm-everything` sources now include sub-source information in the `source` and `extracted_source` fields.

  For example, `am-everything` returns logs containing the corresponding match in `am-access`, `am-activity`, `am-authentication`, `am-config`, `am-core`. This ensures that logs consolidated under `am-everything` are correctly identified and parsed by log analysis tools such as Splunk, retaining their original context.

#### Fixes

* FRAAS-29022: Streamed logs now correctly identify the application in the `source` field.

## November 2025

### 17 Nov 2025

**Version 19722.0**

#### Enhancements

* IAM-9395: Table columns are now resized uniformly across the Advanced Identity Cloud admin console.

* IAM-9516: The tenant administrator profile page now prompts for re-authentication when adding or removing an MFA device.

* OPENIDM-19400: New Prometheus metric for the availability of connector servers, for example:

  `idm_icf_connector_server_availability{name="system-id",type="connector-server-type",} 1.0`.

* OPENIDM-20341: Identity management scripts now natively support Base64 encoding using the `btoa` (encode) and `atob` (decode) [global script](../idm-scripting/scripting-func-engine.html#global-utility-functions) bindings.

* OPENIDM-20790: The `openidm/sync/mappings` endpoint now [supports paging](../idm-synchronization/mappings.html#sync-mapping-paging) using either offsets or cookies.

* OPENIDM-20933: Improved task scanner exception handling. If the task scanner encounters a task that results in an exception, it now aborts only that task and continues processing the remaining tasks. Previously, the scanner would abort the entire process when any task caused an exception.

* OPENIDM-20937: New provisioner metric `idm_icf_pending`. Includes all the same tags as `idm_icf*`.

* OPENIDM-21170: Metrics for router filters now use `router_filter` for the metric name and include a `name` tag to identify the specific filter.

* OPENIDM-21171: Metrics for managed identity script hooks now use `managed-script-hook` for the metric name, `object` to tag the identity object, and `script-hook` to tag the script hook.

* OPENIDM-21172: Metrics for custom endpoints now use the new `custom_endpoint` metric name and include a `name` tag based on the custom endpoint configuration name after the hyphen. For example, a custom endpoint configuration `endpoint-onboardCustomer.json` will generate metrics with a name tag/label of "onboardCustomer". The policy service makes use of an internal scripted endpoint based on the file `policy.js`, and its metric name is `policy-js`.

* OPENIDM-21233: The `openidm/health/ready` endpoint has been enhanced to include the number of waiting requests. A new set of metrics has been added to provide a historical accounting of IDM health.

#### Fixes

* IAM-9466: Annotation comments added to sub-nodes are now saved correctly.

* IAM-9496: The tooltip in journey comments now correctly displays the creator's name without overflow.

* IAM-9527: The theme logo now correctly uses the height specified in the theme.

* OPENICF-3277: The SaaS REST connector no longer throws a `NullPointerException` when attributes are missing in the request payload.

* OPENIDM-20525: The `cn` and `telephoneNumber` schema for `alpha_user` and `bravo_user` are now `scope: public` and `searchable: true`. This schema change applies to sandbox tenants created on or after November 17, 2025. Existing sandbox tenants are unchanged.

* OPENIDM-20863: Default values for multivalue mappings are now copied by value to prevent unintended mutations during runtime.

* OPENIDM-21421: Updating the configuration of an inactive provisioner no longer throws an `IllegalStateException`.

* OPENIDM-21454: Every failed record from a live sync is now stored in the dead-letter queue with a unique entry ID.

#### Changed functionality

* Default API version for unversioned requests (OPENIDM-21191)

  Previously, REST API requests without an `Accept-API-Version` header used the latest available API version for the resource. These unversioned requests now default to API version `1.0` for most endpoints. However, the `consent`, `scheduler/job`, `scheduler/trigger`, and `schema` endpoints default to API version `2.0`.
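Clients that never send `Accept-API-Version` are the ones this change affects. The following added example (not Ping Identity code) scans request records for a missing header and reports the version each request now resolves to. It assumes the endpoints are served under `/openidm/`, treats every endpoint outside the four named above as defaulting to `1.0` (the entry says "most endpoints"), and uses constructed request records with hypothetical client names.

```python
"""Added example: find unversioned IDM REST requests after OPENIDM-21191."""

# Endpoints the changelog entry names as defaulting to API version 2.0.
V2_DEFAULT_ENDPOINTS = ("consent", "scheduler/job", "scheduler/trigger", "schema")


def has_version_header(headers):
    """True if the request carries Accept-API-Version (names are case-insensitive)."""
    return any(name.lower() == "accept-api-version" for name in headers)


def default_api_version(path):
    """Version an unversioned request resolves to, per the changelog entry.

    Assumption: anything not listed in V2_DEFAULT_ENDPOINTS resolves to 1.0.
    """
    resource = path.split("?", 1)[0].strip("/")
    if resource.startswith("openidm/"):
        resource = resource[len("openidm/"):]
    for endpoint in V2_DEFAULT_ENDPOINTS:
        # Match the endpoint itself or a sub-resource, not a look-alike prefix.
        if resource == endpoint or resource.startswith(endpoint + "/"):
            return "2.0"
    return "1.0"


def find_unversioned(requests):
    """Return (client, method, path, resolved_version) for unversioned requests."""
    findings = []
    for request in requests:
        if has_version_header(request.get("headers", {})):
            continue  # the client pins a version, so the default doesn't apply
        findings.append((
            request["client"],
            request["method"],
            request["path"],
            default_api_version(request["path"]),
        ))
    return findings


# Constructed request records, for example exported from a gateway or proxy log.
SAMPLE_REQUESTS = [
    {"client": "hr-sync", "method": "GET",
     "path": "/openidm/managed/alpha_user?_queryFilter=true",
     "headers": {"Accept-API-Version": "resource=1.0"}},
    {"client": "batch-jobs", "method": "POST",
     "path": "/openidm/scheduler/job?_action=create",
     "headers": {"Content-Type": "application/json"}},
    {"client": "legacy-script", "method": "PATCH",
     "path": "/openidm/managed/alpha_user/123",
     "headers": {}},
    {"client": "reporting", "method": "GET",
     "path": "/openidm/schema/managed/alpha_user",
     "headers": {"accept-api-version": "resource=2.0, protocol=1.0"}},
    {"client": "portal", "method": "GET",
     "path": "/openidm/consent",
     "headers": {}},
]

if __name__ == "__main__":
    for client, method, path, version in find_unversioned(SAMPLE_REQUESTS):
        print(f"{client}: {method} {path} now defaults to API version {version}")
```
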

### 14 Nov 2025

**Version 19704.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 12 Nov 2025

**Version 19674.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 10 Nov 2025

**Version 19646.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 05 Nov 2025

**Version 19604.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

## October 2025

### 31 Oct 2025

**Versions 19567.0, 19573.0**

#### Enhancements

* IAM-9429: If your production environment is configured for deferred release, you can use the new `/environment/promotion/promote` endpoint to check if running a promotion will trigger a release upgrade.

### 27 Oct 2025

**Version 19521.0**

#### Enhancements

* IAM-1709: Exposed `useInPlaceholders` and `encoding` attributes when creating ESV secrets in the admin console.

* IAM-9312: Table columns are now resized uniformly across the following Advanced Identity Cloud admin console pages:

  * **Tenant settings**

  * **Scripts**

  * **Security**

  * **Terms & Conditions**

* IAM-9323: Added **Metadata** tab to user resource page to display properties such as `createDate` and `loginCount`.

#### Fixes

* IAM-9217: Fixed cron schedule validation for new jobs.

### 24 Oct 2025

**Version 19514.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 22 Oct 2025

**Version 19480.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 20 Oct 2025

**Version 19448.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 17 Oct 2025

**Version 19433.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 16 Oct 2025

**Version 19414.0**

#### Enhancements

* FRAAS-28370: Fixed an issue where requests to the `/monitoring/prometheus/am` and `/monitoring/prometheus/idm` endpoints occasionally didn't return timely responses.

### 15 Oct 2025

**Versions 19379.0, 19387.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 08 Oct 2025

**Version 19292.0**

#### Fixes

* AME-32979: The Core Token Service (CTS) now stores `AUTHENTICATION_WHITELIST` tokens with millisecond-level precision for the expiry timestamp. This minimizes contention in indexes.

### 03 Oct 2025

**Version 19259.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

## September 2025

### 29 Sept 2025

**Version 19190.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 26 Sept 2025

**Version 19173.0**

#### Key features

* Create custom authentication nodes (IAM-5759)

  Advanced Identity Cloud lets you create your own nodes to reuse common functionality in authentication journeys. Define properties and run custom server-side scripts in these nodes to dynamically set values and decide the outcome of journeys.

  Learn more in [Custom nodes](../journeys/node-designer.html).

#### Enhancements

* IAM-9000, IAM-9001: Added annotations and sticky notes to journeys to assist learning and collaboration.

* IAM-9237: Allow ESVs to be embedded in URL fields for federation IdPs. This lets you set up federation IdPs with fewer ESVs because you can define a single ESV containing a UUID shared by multiple URL fields.

* IAM-9246: Table columns are now resized uniformly across all table views.

#### Fixes

* IAM-9153: Password validation now works correctly when pasting a value that matches the existing value.

### 25 Sept 2025

**Version 19095.0**

#### Key features

* Mapping custom key IDs to secrets (AME-31380)

  You can now map custom `kid` header values for JWTs signed with the signing key to a specific ESV secret.

* Nodes to support backchannel authentication journeys (AME-31636 and AME-31635)

  The new [Backchannel Initialize node](https://docs.pingidentity.com/auth-node-ref/latest/backchannel-initialize.html) and [Backchannel Status node](https://docs.pingidentity.com/auth-node-ref/latest/backchannel-status.html) let you implement backchannel authentication from within a journey.

* Next-generation OAuth 2.0 access token modification scripts (AME-31083)

  You can now create next-generation access token modification scripts that can use next-generation common bindings, such as `httpClient`, `openidm`, and `utils`.

* Ability to configure journeys as *transactional only* (AME-31843)

  A transactional authentication journey only runs when Advanced Identity Cloud starts a transaction, which happens when Advanced Identity Cloud does one of the following:

  * Initializes [backchannel authentication](../am-authentication/backchannel-authentication.html) using either the `/authenticate/backchannel/initialize` endpoint or the [Backchannel Initialize node](https://docs.pingidentity.com/auth-node-ref/latest/backchannel-initialize.html).

  * Runs a [SAML 2.0 app](../am-saml2/configure-providers.html#samlapp-journey) journey for a remote SP.

  * Runs an [OAuth 2.0 app](../am-oauth2/oauth2-register-client.html) journey when Advanced Identity Cloud is acting as an authorization server.

  * Enforces a [transactional authorization](../am-authorization/transactional-authorization.html) policy.

  You can only configure transactional authentication journeys using the REST API. Set the `transactionalOnly` property to `true` in the journey configuration.

* Journey binding for scripted nodes (OPENAM-23127)

  The new `journey` binding for scripted nodes lets you obtain details of the current journey, including inner or child journeys.

#### Enhancements

* AME-30984 and AME-30609: Enhanced authentication audit logging to include the SAML Identity Provider (IdP) and Service Provider (SP) entity IDs during SAML flows. This information lets you report on the SAML applications users are accessing, supporting analytics and dashboarding efforts.

* AME-30985: In SAML v2.0 single sign-on (SSO) flows, the JSON web token (JWT) created in the browser's session storage no longer expires.

  The time allowed to complete the SSO flow is now determined by the configurable [maximum duration](../am-authentication/suspended-auth.html#maximum-duration) of the journey session instead of the JWT expiration.

  Previously, the JWT expired when the cache was cleared.

* AME-31082 and SDKS-3681: Added support for device token refreshing to the Push Notification Service endpoint, enabling the reception of new tokens from mobile devices.

* AME-31379: You can now enforce the OAuth 2.0 request object processing rules that apply, regardless of the request type. Create an ESV named `esv.oauth2.provider.request.object.processing.enforced` and set its value to `true`. This setting forces Advanced Identity Cloud to use the specification set in the [Request Object Processing Specification](../am-reference/services-configuration.html#config-request-object-proc-spec) field of the OAuth 2.0 provider configuration for JWT requests.

* AME-31656 and AME-31468: The [PingOne Protect Evaluation node](https://docs.pingidentity.com/auth-node-ref/latest/pingone/pingone-protect-evaluation.html) has been enhanced to support dynamic risk policy IDs and target app IDs. To set the risk policy set ID dynamically, enable `Use Node State Attribute For Risk Policy Set ID` in the node configuration. To set the target app ID dynamically, enable `Use Node State Attribute For Target App ID` in the node configuration. This instructs the node to obtain these IDs from the node state.

* AME-31398: The [PingOne Protect Evaluation node](https://docs.pingidentity.com/auth-node-ref/latest/pingone/pingone-protect-evaluation.html) has been enhanced to support custom attributes. To specify custom attributes to be used in PingOne Protect for custom predictors, set the `Node State Attribute For Custom Attributes` in the node configuration. The node retrieves a map of custom attributes from the node state to be used in the evaluation request to PingOne Protect.

* AME-31487: Improvements to SAML v2.0 standalone mode include replacing legacy JSPs with URL endpoints.

  You can still invoke the JSPs because they're mapped to URLs for backward compatibility, but any customizations to these JSPs will be lost.

  The following URLs supersede SAML v2.0 JSPs:

  > **Collapse: URLs**
  >
  > | Old URL                                     | New URL               |
  > | ------------------------------------------- | --------------------- |
  > | `/saml2/jsp/exportmetadata.jsp`             | `/ExportSamlMetadata` |
  > | `/saml2/jsp/idpSingleLogoutInit.jsp`        | `/IDPSloInit`         |
  > | `/saml2/jsp/idpSingleLogoutRedirect.jsp`    | `/IDPSloRedirect`     |
  > | `/saml2/jsp/idpSingleLogoutPOST.jsp`        | `/IDPSloPOST`         |
  > | `/saml2/jsp/idpMNIRedirect.jsp`             | `/IDPMniRedirect`     |
  > | `/saml2/jsp/idpMNIRequestInit.jsp`          | `/IDPMniInit`         |
  > | `/saml2/jsp/idpSSOFederate.jsp`             | `/idpSSOFederate`     |
  > | `/saml2/jsp/spAssertionConsumer.jsp`        | `/Consumer`           |
  > | `/saml2/jsp/saml2AuthAssertionConsumer.jsp` | `/AuthConsumer`       |
  > | `/saml2/jsp/spSingleLogoutInit.jsp`         | `/SPSloInit`          |
  > | `/saml2/jsp/spSingleLogoutRedirect.jsp`     | `/SPSloRedirect`      |
  > | `/saml2/jsp/spSingleLogoutPOST.jsp`         | `/SPSloPOST`          |
  > | `/saml2/jsp/spMNIRedirect.jsp`              | `/SPMniRedirect`      |
  > | `/saml2/jsp/spMNIPOST.jsp`                  | `/SPMniPOST`          |
  > | `/saml2/jsp/spMNIRequestInit.jsp`           | `/SPMniInit`          |
  > | `/saml2/jsp/spSSOInit.jsp`                  | `/spssoinit`          |
  > | `/saml2/jsp/idpSSOInit.jsp`                 | `/idpssoinit`         |
  > | `/saml2/jsp/SA_IDP.jsp`                     | `/idpsaehandler`      |
  > | `/saml2/jsp/SA_SP.jsp`                      | `/spsaehandler`       |

* IAM-8236: The ability to edit journeys from the AM native admin console has been removed. Use the Advanced Identity Cloud admin console to edit journeys.

* OPENAM-20776: A new OIDC client configuration option, `Private Key JWT Audience`, lets you configure and override the audience (`aud`) claim of a Private Key JWT.

* OPENAM-21783: Improved token management for OAuth 2.0 client applications.

  This change resolves issues related to managing tokens issued to OAuth 2.0 clients that override the `Use Client-Side Access & Refresh Tokens` setting. Specifically:

  * The [/users/user/oauth2/applications](../am-oauth2/rest-api-oauth2-applications-endpoint.html) endpoint now correctly returns all tokens issued to clients.

  * Administrators can now successfully revoke any tokens issued to a client, as required.

* OPENAM-23051 and AME-31918: A new ESV, `esv.oauth2.request.object.restrictions.enforced`, lets you enforce stricter adherence to the [PAR](https://www.rfc-editor.org/rfc/rfc9126.html) and [JAR](https://www.rfc-editor.org/rfc/rfc9101.html#section-5.2) specifications.

  Setting the value of this ESV to `true` enforces the following:

  * The authorization server ignores authorize parameters outside the `request_uri`.

  * When sending a JWT-Secured Authorization Request (JAR), the `request_uri` *must* be an `https` URI.

* OPENAM-23669: Full scopes (scopes ending in `*`) can now be used by service accounts in all cases where more specific scopes (for example, `:read`) are used.

* OPENAM-23710: The `httpClient` binding is now available to legacy SAML 2.0 IdP adapter scripts.

* OPENAM-23850: Enhanced the [PingOne Verify Evaluation node](https://docs.pingidentity.com/auth-node-ref/latest/pingone/pingone-verify-evaluation.html) with an `Allow same device verification` option that lets end users continue verification on their current device.

* OPENAM-23867: The [LDAP Decision node](https://docs.pingidentity.com/auth-node-ref/latest/ldap-decision.html) no longer logs credential failures as errors. It now logs them at the `info` level.

* OPENAM-24062: Added support for the `ECDSA` algorithm to the `utils.crypto.subtle` next-generation binding. This algorithm is supported for key generation, signing, and verification.

#### Fixes

* AME-31351 and AME-31471: Improvements to the Device Code flow mean that end users are now prompted to reauthenticate even when there's an existing session for must-run and app journeys.

* AME-31481: Validation around policy creation has been improved. If you're using the legacy "Policy" environment condition (or a custom environment condition), you'll need to add that to the list of allowed environment conditions for your policy set to create or update policies that use that condition type.

* OPENAM-20749: A new ESV, `esv-enable-oauth2-sync-refresh-token-issuer`, causes a stateful OAuth 2.0 introspect response to overwrite the `iss` claim of the introspectable token. To enable this behavior, set this ESV to `false`.

  For compatibility reasons, the existing behavior in Advanced Identity Cloud is not changed by default.

* OPENAM-23770: Canceling a WebAuthn flow now results in a `Client Error` outcome, rather than an internal failure.

* OPENAM-24159: Fixed an issue that prevented multiple [Identity Assertion](https://docs.pingidentity.com/auth-node-ref/latest/identity-assertion-node.html) nodes from being used in a single journey.

### 19 Sept 2025

**Versions 19095.0, 19101.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 16 Sept 2025

**Version 19054.0**

#### Enhancements

* OPENAM-24486: Improved performance when creating large numbers of OAuth 2.0 clients simultaneously.

#### Fixes

* OPENDJ-11486: Fixed an exception caused when identity management queried for users with a filter containing wildcards and specific object classes.

### 04 Sept 2025

**Version 18897.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 03 Sept 2025

**Versions 18859.0, 18878.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 01 Sept 2025

**Version 18842.0**

#### Key features

* Reports API endpoints to import and export report templates (ANALYTICS-1195\[[4](#_footnotedef_4 "View footnote.")])

  Added the ability to import and export report templates using reports API endpoints.

* Custom objects as data sources for reporting (ANALYTICS-582\[[4](#_footnotedef_4 "View footnote.")]\[[2](#_footnotedef_2 "View footnote.")])

  Custom objects can now be used as data sources for reporting. The system uses an object's configured title for the data source name, makes its properties available as attributes, and represents all object relationships.

#### Enhancements

* ANALYTICS-1165\[[4](#_footnotedef_4 "View footnote.")]: Added the capability to change a report name.

* IAM-7547: Access policy modal now validates IPv4 or IPv6 format for IP addresses.

* IAM-8922: The Advanced Identity Cloud admin console now accepts ESV placeholders for the following federation fields:

  * Application ID

  * Application Secret

  * Well-Known Endpoint

  * Authorization Endpoint

  * User Info Endpoint

  * Token Endpoint

  * Issuer

* IAM-8982\[[1](#_footnotedef_1 "View footnote.")]: Add event function for setting the query filter/select options of a select field.

* IAM-9066: Added **Tenant Auditor** option to Advanced Identity Cloud admin console federation groups claim.

* IAM-9099, IAM-9146, IAM-9167: Many table views now support column resizing and customization.

#### Fixes

* IAM-5488: Terms and Conditions now respects target attribute in anchor tags.

* IAM-6588: The Advanced Identity Cloud admin console now correctly displays journey status for journeys disabled and enabled using ESVs.

* IAM-8887: Prevent browsers auto-filling passwords in user registration journeys.

* IAM-8940: Managed identity number property now accepts float values.

* IAM-8956: Deselecting the **Personal Information** option now disables the section containing the user avatar in hosted account pages.

* IAM-9169: Fixed styling for responsive table layouts with sticky action column in **Identities** table views.

## August 2025

### 29 Aug 2025

**Version 18823.0**

#### Enhancements

* FRAAS-25919: You can now use the API to configure custom domains for the Advanced Identity Cloud admin console.

* OPENIDM-21372: Advanced Identity Cloud now prevents access to the identity repository endpoint, `/openidm/repo`. This prevents uncontrolled and potentially incompatible schema changes.

#### Fixes

* AME-32756: Fixed an issue with policy evaluation returning results from a stale policy index cache.

* FRAAS-26287: Advanced Identity Cloud now correctly authenticates the sender address for emails sent to Advanced Identity Cloud tenant administrators, `saas@pingidentity.com`.

* OPENDJ-11634: Advanced Identity Cloud now prevents searches with many results and no applicable index from overloading the system.

### 26 Aug 2025

**Version N/A**

#### Key features

* Log event exporter (FRAAS-19963)

  Advanced Identity Cloud now lets you export log event data to an external monitoring tool, such as an OpenTelemetry-compatible SIEM or Splunk. This helps you monitor events and troubleshoot issues in near real time.

  Learn more in [Stream logs to an external monitoring tool](../tenants/audit-debug-logs-push.html).

### 19 Aug 2025

**Version 18712.0**

#### Fixes

* OPENAM-24393: Fixed an issue where the InnerTreeEvaluator node failed for authentication journeys initially accessed using REST without an `authId`.

### 18 Aug 2025

**Version 18700.0**

#### Enhancements

* FRAAS-25547: The sender address for emails sent to Advanced Identity Cloud tenant administrators is now `saas@pingidentity.com`.

### 15 Aug 2025

**Versions 18678.0, 18684.0**

#### Enhancements

* OPENAM-24384: Added `javax.crypto.SecretKeyFactory`, `javax.crypto.spec.PBEKeySpec`, and `com.sun.crypto.provider.PBKDF2KeyImpl` classes to the allowlist for the `OAUTH2_ACCESS_TOKEN_MODIFICATION` scripting context.

#### Fixes

* FRAAS-25734: Exception stacktraces in access management and identity management logs are now truncated to approximately 300-400 lines.

### 12 Aug 2025

**Version 18623.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 07 Aug 2025

**Versions 18559.0, 18570.0**

#### Fixes

* FRAAS-25821\[[5](#_footnotedef_5 "View footnote.")]: Fixed an issue that prevented IP rules in the Proxy Connect add-on from being disabled.

* OPENAM-24159: Fixed an issue with Identity Assertion nodes failing if there is more than one in a journey.

### 06 Aug 2025

**Version 18550.0**

#### Enhancements

* FRAAS-24857: CNAME verification is no longer required when creating a custom domain.

* FRAAS-26063: You can now override the `samlErrorPageUrl`. To do so, configure an [ESV variable](../tenants/esvs.html#variables) named `esv-global-saml-error-page-url` and set its value to your SAML error page URL. If you don't set this variable, Advanced Identity Cloud uses the default value of `/saml2/jsp/saml2error.jsp`.

## July 2025

### 31 Jul 2025

**Version 18483.0**

#### Fixes

* IAM-9062: Hosted pages themes no longer continuously refresh when trying to set up or confirm two-factor authentication (2FA).

### 30 Jul 2025

**Version 18468.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 29 Jul 2025

**Version 18451.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 28 Jul 2025

**Versions 18435.0, 18444.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 24 Jul 2025

**Version 18395.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 23 Jul 2025

**Version 18382.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 22 Jul 2025

**Version 18368.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 21 Jul 2025

**Versions 18347.0, 18351.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 18 Jul 2025

**Version 18331.0**

#### Key features

* Try In SDK button (IAM-8618)

  A **Try In SDK** button has been added to the **Details** page for Native / SPA applications. This lets developers quickly test SDKs with dynamic configuration code snippets.

* Custom WS-Fed applications (IAM-8261)

  You can now create custom WS-Fed\[[6](#_footnotedef_6 "View footnote.")] applications for single sign-on (SSO).

#### Enhancements

* FRAAS-25818: The built-in SMTP server in new tenants now has a limit of 10 emails per minute and a fixed email sender address with the format `noreply@<tenant-fqdn>`.

* IAM-7581: Text wrapping in table views has been improved for readability.

* IAM-8573: IDM now includes an endpoint to retrieve individual themes from the `/themerealm` configuration using either an `ID` or a `_queryFilter` by name. This improves performance and ensures reliable theme loading, even on slow networks.

* IAM-8610: When you create an SSO application for Microsoft 365, the application now generates a signing certificate, which you can download or rotate as needed.

* IAM-8633: You can now add, remove, and rearrange table columns for managed identities and application provisioning tables.

* IAM-8925\[[7](#_footnotedef_7 "View footnote.")]: In Identity Governance, you can now configure actions that trigger automatically when a form first loads or when a user changes the value of a specific field.

* IGA-3674\[[7](#_footnotedef_7 "View footnote.")]: A Wait node is now available for IGA workflows. This node pauses the workflow until a specified date and time, for example, if you need to seek approvals.

* IGA-3700\[[7](#_footnotedef_7 "View footnote.")]: Improved UI for suspended requests in table and request view.

* IGA-3742\[[7](#_footnotedef_7 "View footnote.")]: The form editor now includes icons in the list of fields in the left panel.

#### Fixes

* IAM-8789: Managed identity modals now correctly handle both single-value and array-based enum types.

* IAM-4397: Fixed an issue in the hosted journey pages where the prompt text for the Choice Collector node wasn't fully visible and the default option wasn't visible at all.

* IAM-8632: Fixed an issue where validation errors were incorrectly displayed for pre-populated fields.

* IAM-8871: The hosted account pages no longer freeze and throw an error when editing details if there are empty custom enum array values.

* IAM-8902: The application username field in SAML 2.0 NameID flows is now correctly set to `uid` instead of `username`.

### 17 Jul 2025

**Version 18311.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 16 Jul 2025

**Version 18295.0**

#### Key features

* Monitor log entries in the admin console (FRAAS-25665)

  Advanced Identity Cloud now provides a console for monitoring log entries in development and sandbox\[[8](#_footnotedef_8 "View footnote.")] environments. You can view, filter, and search log entries for specific log sources within a timeframe to quickly identify issues, track events, and ensure system security.

  |   |                                                                                                                                                                                                                             |
  | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
  |   | This is a [beta](../product-information/release-lifecycle.html#beta) feature and is limited to development and sandbox\[[8](#_footnotedef_8 "View footnote.")] environments. It's not available in production environments. |

### 14 Jul 2025

**Version 18274.0**

#### Fixes

* IAM-8933: Fixed an issue in the Advanced Identity Cloud admin console when creating or modifying identity objects with a required boolean property. You can now set the value of the required boolean property to `false`.

### 01 Jul 2025

**Version 18170.0**

#### Key features

* Policy binding for next-generation scripting (AME-26150)

  The next-generation `policy` binding lets you access the policy engine API and evaluate policies from within scripts. The `policy` binding works in a similar way to the [Request policy decisions for a specific resource](../am-authorization/rest-api-authz-policy-decisions.html#rest-api-authz-policy-decision-concrete) API call.

* Set Error Details node (AME-30968)

  The [Set Error Details node](https://docs.pingidentity.com/auth-node-ref/latest/set-error-details.html) adds details to the JSON response when a journey ends in an error.

#### Enhancements

* AME-31372: An **Agent** journey is now available by default in both Alpha and Bravo realms. The `Agent` journey makes it easier to integrate with Ping Identity agents and gateways. It validates the agent credentials with an [Agent Data Store Decision](https://docs.pingidentity.com/auth-node-ref/latest/agent-data-store-decision.html) node.

* AME-30050: You can now enable a next-generation script in the AM native admin console to run after a Dynamic Client Registration request is processed.

* AME-30716: Removed `Failed to create SSO Token` from logs at warning level. To observe these warnings, increase the log level to debug.

* AME-30801: The [Inner Tree Evaluator node](https://docs.pingidentity.com/auth-node-ref/latest/inner-tree-evaluator.html) now has an optional **Error Outcome** that lets you capture exception details if an exception occurs during the evaluation of the child journey.

* OPENAM-22467: Customers can now provide any value in the `typ` header in JWTs.

* Greater control over journey session duration and authenticated session timeouts:

  * OPENAM-23265: The [Set Session Properties node](https://docs.pingidentity.com/auth-node-ref/latest/set-session-properties.html) now lets you customize the **Maximum Session Time** and **Maximum Idle Time** of the session granted at the end of the journey.

  * OPENAM-23290: The new [Update Journey Timeout node](https://docs.pingidentity.com/auth-node-ref/latest/update-journey-timeout.html) lets you update the timeout of the journey.

  * OPENAM-23291: The [Email Suspend node](https://docs.pingidentity.com/auth-node-ref/latest/email-suspend.html) now lets you configure the **Suspend Duration** in minutes. This duration overrides existing global or realm settings.

  * OPENAM-23515: You can now set the suspend duration in next-generation scripted decision nodes when suspending the journey.

* OPENAM-23438: Following WebAuthn registration and authentication, new information is added to the transient state.

* OPENAM-20709: On successful authentication, the [WebAuthn Authentication node](https://docs.pingidentity.com/auth-node-ref/latest/webauthn-authentication.html) now adds the UUID of the device (`webauthnDeviceUuid`) and the name of the device (`webauthnDeviceName`) to the shared state. This lets you track the use of biometric authentication and the device used to authenticate.

#### Fixes

* AME-30969: If the **OIDC Claims Plugin Type** in the OAuth 2.0 provider is set to `SCRIPTED` but no script is selected, the `userinfo` endpoint now returns the `sub` claim, in compliance with the OIDC specification. Previously, the `userinfo` endpoint returned an empty JSON object. If you still require this behavior, set the `esv-scripting-legacynulloidcclaimsscriptbehaviour` ESV to `true`.

* OPENAM-20749: For server-side OAuth 2.0 tokens, the [/oauth2/introspect](../am-oauth2/oauth2-introspect-endpoint.html) response can now overwrite the `iss` claim of the introspectable token. To enable this behavior, set the `esv-enable-oauth2-sync-refresh-token-issuer` ESV to `false`.

* OPENAM-22928: When agents authenticate to Advanced Identity Cloud, the session created no longer expires.

* OPENAM-23334: You can now use the `mergeShared` and `mergeTransient` methods to add nested objects to `ObjectAttributes`.

* OPENAM-23519: Improved error handling during WebAuthn registration when the Android lock screen isn't enabled.

#### Removed

* Modules and chains (AME-30762)

  The legacy PingAM authentication mechanism using modules and chains is enabled by default in Advanced Identity Cloud but has never been supported. Modules and chains remain enabled but have been removed from the Advanced Identity Cloud admin console.

  Modules and chains will be removed entirely in the near future. If you're using them for authentication, you must migrate to nodes and trees as soon as possible.

  Advanced Identity Cloud provides default journeys that replace the corresponding *default* modules and chains. Any default authentication processes that relied on modules and chains are unaffected by their removal.

## June 2025

### 30 June 2025

#### Reversions

**Version 18094.0** has been reverted. All changes associated with this version have been withdrawn. This affects the following changelog entry:

* [25 Jun 2025](#25_jun_2025)

### 25 Jun 2025

|   |                                                                      |
| - | -------------------------------------------------------------------- |
|   | This version has been reverted and all associated changes withdrawn. |

**Version 18094.0**

#### Fixes

* IAM-8314: Fixed an issue where setting ESVs in connector or provisioner configuration stops the Advanced Identity Cloud admin console from being able to update connectors or run a liveSync operation.

### 24 Jun 2025

**Version 18076.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 23 Jun 2025

**Version 18045.0**

#### Enhancements

* AME-31379: Setting the new ESV `esv-oauth2-provider-request-object-processing-enforced` to `true` now lets admins enforce which validation rules are applied when processing OAuth 2.0 request objects.

#### Fixes

* FRAAS-25226: Allow a higher threshold for large JSON log entries before splitting them into smaller plaintext log entries.

### 18 Jun 2025

**Version 17994.0**

#### Enhancements

* FRAAS-25437: Tenant administrators with the `tenant-auditor` role can now use federated access to authenticate to Advanced Identity Cloud.

* IAM-3441: Added pagination to all list views.

* IAM-7265: You can now right-click a node in the journey editor to access a context menu.

* IAM-7266: Added an action bar to the journey editor that lets you deselect or delete currently selected nodes.

* IAM-7580: Pages now span the full width of the screen, improving navigation and usability.

* IAM-8260: Advanced Identity Cloud now supports multiple WS-Fed applications\[[6](#_footnotedef_6 "View footnote.")].

* IAM-8640: The **Release Notes** link in **Tenant Settings** now opens the release notes for the tenant's specific version.

* IAM-8714\[[1](#_footnotedef_1 "View footnote.")]: You can now configure columns in the Identity Governance access review page.

* IAM-6820: The Email Suspend node now provides a drop-down list of available email templates.

* OPENIDM-21206\[[9](#_footnotedef_9 "View footnote.")]: Usernames and application names must now be unique, as enforced by the datastore.

#### Fixes

* IAM-7413: The reCAPTCHA Enterprise node is now fully supported.

* IAM-8489: Fixed an issue with the display of application logos in the hosted account pages.

* IAM-8770: Fixed an issue with the calendar icon position in date fields.

* IAM-8773: Fixed an issue where key actions such as realm login were blocked in older tenants with an unmodified original theme.

### 16 Jun 2025

**Version 17959.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 13 Jun 2025

**Version 17949.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 10 Jun 2025

**Version 17889.0**

#### Enhancements

* ANALYTICS-868: The **Tenant Admin Activity** report has been changed to the **Tenant Admin Initiated Managed Objects Changes** report. The new report provides more detailed and business-friendly insights into changes made by tenant administrators:

  * Field names added, deleted, or modified.

  * Before and after values of changed attributes (if applicable).

  * Business-friendly entity name and entity type changes to custom attributes and custom objects.

#### Fixes

* OPENAM-21783: Improved token management for OAuth 2.0 clients that override the **Use Client-Side Access & Refresh Tokens** setting. The OAuth 2.0 applications endpoint now correctly shows all tokens issued to these clients. Additionally, administrators can now successfully revoke any of the tokens issued to these clients.

### 06 Jun 2025

**Version 17853.0**

#### Enhancements

* IAM-8405: You can now duplicate out-of-the-box reports.

* IAM-8591: Dynamic sorting for report results. You can now sort report results directly in the Advanced Identity Cloud admin console after running a report.

  |   |   |
  | - | - |
  |   | Sorting is available only when the result set contains fewer than 10,000 rows. |
  |   | Columns with complex data types (for example, JSON) can't be sorted. |
  |   | Downloaded reports reflect the original data order, not the sorted view from the Advanced Identity Cloud admin console. |

#### Fixes

* FRAAS-25434: Fixed an issue that sometimes caused the source to be defined as `unknown` in `/monitoring/logs/*` endpoints.

### 06 Jun 2025

**Version 17836.0**

#### Fixes

* FRAAS-25269: The IDC.CLI OAuth 2.0 client is now deprecated in existing tenants and no longer provisioned in new tenants. Use a [service account](../tenants/service-accounts.html) instead.

### 04 Jun 2025

**Version 17825.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 03 Jun 2025

**Versions 17804.0, 17821.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 02 Jun 2025

**Version 17800.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

## May 2025

### 30 May 2025

**Version 17779.0**

#### Key features

* Tenant auditors (IAM-8086)

  Advanced Identity Cloud now lets you invite tenant auditors to access the Advanced Identity Cloud admin console. Tenant auditors can view settings, configuration, and data but cannot modify them.

* Tenant auditor role (FRAAS-24460)

  Advanced Identity Cloud now supports a tenant auditor role with read-only access to ancillary APIs.

  For new tenants, Advanced Identity Cloud doesn't support non-global realm user access and OAuth2 client access to the ESV API. Access is deprecated for existing tenants.

#### Enhancements

* FRAAS-25155: Increased log batching size to avoid truncation of large JSON log entries.

#### Fixes

* FRAAS-25142: Fixed a memory issue in the ESV service.

### 23 May 2025

**Versions 17709.0, 17713.0**

#### Enhancements

* FRAAS-25205: Consolidated `End User UI`, `Login UI`, `Administrator Registration UI`, and `Administrator UI` status page components into a single `Administrator UI` component as they were all reporting the same service.

* OPENIDM-15771: You can now set locales in identity management scripts with the [`_locale` parameter](../tenants/email-send.html#email-send-post-params).

* OPENIDM-17680: Advanced Identity Cloud now supports enumerations in string and number attributes of its identity schema. To make an attribute an enumeration, add `"enum" : [ "one", "two", "three" ]` to the attribute. Advanced Identity Cloud requires create and update privileges to use one of the enumerated values.

* OPENIDM-19918: You can now choose whether synchronization detects identity array changes using *ordered* or *unordered* comparisons. Set the [`comparison`](../idm-synchronization/chap-implicit-live-sync.html#array-comparison) configuration property in the schema. Unordered JSON array comparison ignores the order of elements and can negate the need for certain custom scripts within mappings. Relationship and virtual property array fields default to unordered comparisons. All other fields default to ordered comparisons.

* OPENIDM-20023: RCS communication with Advanced Identity Cloud can now use stricter authorization. Learn more in [Secure RCS access](../idm-auth/authorization-and-roles.html#secure-openicf-access) and [Migration dependent features](../product-information/migration-dependent-features.html).

#### Fixes

* OPENIDM-20995: Fixed an issue that prevented error reports during certain operations on groups or users. For example, trying to remove a non-existing attribute or null value now correctly results in an exception message to the client if these operations are not supported by the target system.

### 22 May 2025

**Version 17692.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 21 May 2025

**Version 17680.0**

#### Fixes

* FRAAS-25256: Fixed an issue that was causing missing data in analytics dashboards.

* OPENIDM-20995: Fixed an issue that prevented error reports during certain operations on groups or users. For example, trying to remove a non-existing attribute or null value now correctly results in an exception message to the client if these operations are not supported by the target system.

### 15 May 2025

**Version 17600.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 13 May 2025

**Versions 17581.0, 17584.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 12 May 2025

**Version 17570.0**

#### Enhancements

* OPENAM-23218: Legacy SAML 2.0 IDP attribute mapper scripts now have access to the `httpClient` binding.

* OPENAM-23710: Legacy SAML 2.0 IDP adapter scripts now have access to the `httpClient` binding.

### 09 May 2025

**Version 17553.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 08 May 2025

**Versions 17546.0, 17549.0**

#### Enhancements

* ANALYTICS-1004\[[2](#_footnotedef_2 "View footnote.")]: Support for custom attributes and relationships in the organization entity for advanced reports.

### 06 May 2025

**Versions 17513.0, 17514.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

### 05 May 2025

**Version 17507.0**

#### Fixes

* FRAAS-24990: Fixed an issue where requests to the `/monitoring/logs` and `/monitoring/logs/tail` endpoints timed out after 15 seconds rather than the expected 60 seconds.

### 02 May 2025

**Version 17488.0**

No customer-facing features, enhancements, or fixes released.\[[3](#_footnotedef_3 "View footnote.")]

***

[1](#_footnoteref_1). This change applies to a feature only available in PingOne Identity Governance, which is an [add-on capability](../product-information/add-on-capabilities.html) and must be purchased separately.

[2](#_footnoteref_2). This change applies to a feature only available in Advanced Reporting, which is an [add-on capability](../product-information/add-on-capabilities.html) and must be purchased separately.

[3](#_footnoteref_3). This release focuses on internal improvements and technical updates to enhance the overall stability, performance, and maintainability of the platform. While there are no direct customer-facing changes, these updates lay the groundwork for future feature releases and improvements.

[4](#_footnoteref_4). This issue was added to the changelog on September 4, 2025.

[5](#_footnoteref_5). Proxy Connect is an [add-on capability](../product-information/add-on-capabilities.html).

[6](#_footnoteref_6). [WS-Federation/WS-Trust](../app-management/register-a-custom-application.html#sso-microsoft-365) is an [add-on capability](../product-information/add-on-capabilities.html).

[7](#_footnoteref_7). IGA is an [add-on capability](../product-information/add-on-capabilities.html).

[8](#_footnoteref_8). A [sandbox environment](../tenants/environments-sandbox.html) is an [add-on capability](../product-information/add-on-capabilities.html).

[9](#_footnoteref_9). This issue was released on June 18, 2025 but inadvertently excluded from the changelog.
