Regular channel changelog version 18368.8
This is a changelog entry for version 18368.8. You can review the changelog for all previous versions in Regular channel changelog.
12 Aug 2025
Version 18368.8
Key features
- Policy binding for next-generation scripting (AME-26150)
  The next-generation `policy` binding lets you access the policy engine API and evaluate policies from within scripts. The `policy` binding works in a similar way to the Request policy decisions for a specific resource API call.
- Set Error Details node (AME-30968)
  The Set Error Details node adds details to the JSON response when a journey ends in an error.
- Monitor log entries in the admin console (FRAAS-25665)
  Advanced Identity Cloud now provides a console for monitoring log entries in development and sandbox[1] environments. You can view, filter, and search log entries for specific log sources within a timeframe to quickly identify issues, track events, and ensure system security.
  Learn more in Monitor log entries in the admin console.
- Custom WS-Fed applications (IAM-8261)
  You can now create custom WS-Fed[2] applications for single sign-on (SSO).
- Try In SDK button (IAM-8618)
  A Try In SDK button has been added to the Details page for Native / SPA applications. This lets developers quickly test SDKs with dynamic configuration code snippets.
Enhancements
- AME-31372[3]: An Agent journey is now available by default in both Alpha and Bravo realms. The `Agent` journey makes it easier to integrate with Ping Identity agents and gateways. It validates the agent credentials with an Agent Data Store Decision node.
- AME-30050: You can now enable a next-generation script in the AM native admin console to run after a Dynamic Client Registration request is processed.
- AME-30716: Removed `Failed to create SSO Token` from logs at warning level. To observe these warnings, increase the log level to debug.
- AME-30801: The Inner Tree Evaluator node now has an optional Error Outcome that lets you capture exception details if an exception occurs during the evaluation of the child journey.
- FRAAS-25818: The built-in SMTP server in new tenants now has a limit of 10 emails per minute and a fixed email sender address with the format `noreply@<tenant-fqdn>`.
- IAM-7581: Text wrapping in table views has been improved for readability.
- IAM-8573: IDM now includes an endpoint to retrieve individual themes from the `/themerealm` configuration using either an `ID` or a `_queryFilter` by name. This improves performance and ensures reliable theme loading, even on slow networks.
- IAM-8610: When you create an SSO application for Microsoft 365, the application now generates a signing certificate, which you can download or rotate as needed.
- IAM-8633: You can now add, remove, and rearrange table columns for managed identities and application provisioning tables.
- IAM-8925[4]: In Identity Governance, you can now configure actions that trigger automatically when a form first loads or when a user changes the value of a specific field.
- OPENAM-22467: Customers can now provide any value in the `typ` header in JWTs.
- Greater control over journey session duration and authenticated session timeouts:
  - OPENAM-23265: The Set Session Properties node now lets you customize the Maximum Session Time and Maximum Idle Time of the session granted at the end of the journey.
  - OPENAM-23290: The new Update Journey Timeout node lets you update the timeout of the journey.
  - OPENAM-23291: The Email Suspend node now lets you configure the Suspend Duration in minutes. This duration overrides existing global or realm settings.
  - OPENAM-23515: You can now set the suspend duration in next-generation scripted decision nodes when suspending the journey.
- OPENAM-23438: Following WebAuthn registration and authentication, new information is added to the transient state.
- OPENAM-20709: On successful authentication, the WebAuthn Authentication node now adds the UUID of the device (`webauthnDeviceUuid`) and the name of the device (`webauthnDeviceName`) to the shared state. This lets you track the use of biometric authentication and the device used to authenticate.
Fixes
- AME-30969: If the OIDC Claims Plugin Type in the OAuth 2.0 provider is set to `SCRIPTED` but no script is selected, the `userinfo` endpoint now returns the `sub` claim, in compliance with the OIDC specification. Previously, the `userinfo` endpoint returned an empty JSON object. If you still require this behavior, set the `esv-scripting-legacynulloidcclaimsscriptbehaviour` ESV to `true`.
- IAM-4397: Fixed an issue in the hosted journey pages where the prompt text for the Choice Collector node wasn’t fully visible and the default option wasn’t visible at all.
- IAM-8632: Fixed an issue where validation errors were incorrectly displayed for pre-populated fields.
- IAM-8789: Managed identity modals now correctly handle both single-value and array-based enum types.
- IAM-8871: The hosted account pages no longer freeze and throw an error when editing details if there are empty custom enum array values.
- IAM-8902: The application username field in SAML 2.0 NameID flows is now correctly set to `uid` instead of `username`.
- IAM-8933: Fixed an issue in the Advanced Identity Cloud admin console when creating or modifying identity objects with a required boolean property. You can now set the value of the required boolean property to `false`.
- IAM-9062: Hosted pages themes no longer continuously refresh when trying to set up or confirm two-factor authentication (2FA).
- OPENAM-20749: For server-side OAuth 2.0 tokens, the /oauth2/introspect response can now overwrite the `iss` claim of the introspectable token. To enable this behavior, set the `esv-enable-oauth2-sync-refresh-token-issuer` ESV to `false`.
- OPENAM-22928: When agents authenticate to Advanced Identity Cloud, the session created no longer expires.
- OPENAM-23303[3]: Fixed an issue where access management scripts were failing to load because they contained strings that resembled configuration placeholders. The code that parses these scripts now correctly ignores configuration placeholders and any strings that resemble them.
  If you have access management scripts that reference ESVs, ensure that they use the correct syntax for ESVs. For example, for a script that references an ESV named esv-my-variable, use the syntax `systemEnv.getProperty("esv.my.variable")`.
- OPENAM-23334: You can now use the `mergeShared` and `mergeTransient` methods to add nested objects to `ObjectAttributes`.
- OPENAM-23519: Improved error handling during WebAuthn registration when the Android lock screen isn’t enabled.
- OPENAM-24159: Fixed an issue with Identity Assertion nodes failing if there is more than one in a journey.
Removed
- Modules and chains (AME-30762)
  The legacy PingAM authentication mechanism using modules and chains is enabled by default in Advanced Identity Cloud but has never been supported. Modules and chains remain enabled but have been removed from the Advanced Identity Cloud admin console.
  Modules and chains will be removed entirely in the near future. If you’re using them for authentication, you must migrate to nodes and journeys as soon as possible.
  Advanced Identity Cloud provides default journeys that replace the corresponding default modules and chains. Any default authentication processes that relied on modules and chains are unaffected by their removal.