PingOne Advanced Identity Cloud

Regular channel changelog version 19190.10

This is a changelog entry for version 19190.10. You can review the changelog for all versions in Regular channel changelog.

21 Oct 2025

Version 19190.10

Key features

Create custom authentication nodes (IAM-5759)

Advanced Identity Cloud lets you create your own nodes to reuse common functionality in authentication journeys. Define properties and run custom server-side scripts in these nodes to dynamically set values and decide the outcome of journeys.

Learn more in Custom nodes.

Next-generation OAuth 2.0 access token modification scripts (AME-31083)

You can now create next-generation access token modification scripts that can use next-generation common bindings, such as httpClient, openidm, and utils.

Ability to configure journeys as transactional only (AME-31843)

A transactional authentication journey only runs when Advanced Identity Cloud starts a transaction, which happens when Advanced Identity Cloud does one of the following:

You can only configure transactional authentication journeys using the REST API. Set the transactionalOnly property to true in the journey configuration.

Mapping custom key IDs to secrets (AME-31380)

You can now map custom kid header values for JWTs signed with the signing key to a specific ESV secret.

Nodes to support backchannel authentication journeys (AME-31636 and AME-31635)

The new Backchannel Initialize node and Backchannel Status node let you implement backchannel authentication from within a journey.

Journey binding for scripted nodes (OPENAM-23127)

The new journey binding for scripted nodes lets you obtain details of the current journey, including inner or child journeys.

Enhancements

  • AME-30984 and AME-30609: Enhanced authentication audit logging to include the SAML Identity Provider (IdP) and Service Provider (SP) entity IDs during SAML flows. This information lets you report on the SAML applications users are accessing, supporting analytics and dashboarding efforts.

  • AME-30985: In SAML v2.0 single sign-on (SSO) flows, the JSON web token (JWT) created in the browser’s session storage no longer expires.

  • AME-31082 and SDKS-3681: Added support for device token refreshing to the Push Notification Service endpoint, enabling the reception of new tokens from mobile devices.

  • AME-31351 and AME-31471: Improvements to the Device Code flow mean that end users are now prompted to reauthenticate even when there’s an existing session for must-run and app journeys.

  • AME-31398: The PingOne Protect Evaluation node has been enhanced to support custom attributes. To specify custom attributes to be used in PingOne Protect for custom predictors, set the Node State Attribute For Custom Attributes in the node configuration. The node retrieves a map of custom attributes from the node state to be used in the evaluation request to PingOne Protect.

  • AME-31656 and AME-31468: The PingOne Protect Evaluation node has been enhanced to support dynamic risk policy IDs and target app IDs. To set the risk policy set ID dynamically, enable Use Node State Attribute For Risk Policy Set ID in the node configuration. To set the target app ID dynamically, enable Use Node State Attribute For Target App ID in the node configuration. This instructs the node to obtain these IDs from the node state.

  • AME-31487: Improvements to SAML v2.0 standalone mode include replacing legacy JSPs with URL endpoints.

    You can still invoke the JSPs because they’re mapped to URLs for backward compatibility, but any customizations to these JSPs will be lost.

    The following URLs supersede SAML v2.0 JSPs:

    URLs
    Old URL New URL

    /saml2/jsp/exportmetadata.jsp

    /ExportSamlMetadata

    /saml2/jsp/idpSingleLogoutInit.jsp

    /IDPSloInit

    /saml2/jsp/idpSingleLogoutRedirect.jsp

    /IDPSloRedirect

    /saml2/jsp/idpSingleLogoutPOST.jsp

    /IDPSloPOST

    /saml2/jsp/idpMNIRedirect.jsp

    /IDPMniRedirect

    /saml2/jsp/idpMNIRequestInit.jsp

    /IDPMniInit

    /saml2/jsp/idpSSOFederate.jsp

    /idpSSOFederate

    /saml2/jsp/spAssertionConsumer.jsp

    /Consumer

    /saml2/jsp/saml2AuthAssertionConsumer.jsp

    /AuthConsumer

    /saml2/jsp/spSingleLogoutInit.jsp

    /SPSloInit

    /saml2/jsp/spSingleLogoutRedirect.jsp

    /SPSloRedirect

    /saml2/jsp/spSingleLogoutPOST.jsp

    /SPSloPOST

    /saml2/jsp/spMNIRedirect.jsp

    /SPMniRedirect

    /saml2/jsp/spMNIPOST.jsp

    /SPMniPOST

    /saml2/jsp/spMNIRequestInit.jsp

    /SPMniInit

    /saml2/jsp/spSSOInit.jsp

    /spssoinit

    /saml2/jsp/idpSSOInit.jsp

    /idpssoinit

    /saml2/jsp/idpSSOFederate.jsp

    /idpSSOFederate

    /saml2/jsp/SA_IDP.jsp

    /idpsaehandler

    /saml2/jsp/SA_SP.jsp

    /spsaehandler

  • OPENAM-23051 and AME-31918: A new ESV, esv.oauth2.request.object.restrictions.enforced lets you enforce stricter adherence to the PAR and JAR specifications.

    Setting the value of this ESV to true enforces the following: The authorization server ignores authorize parameters outside the request_uri. When sending a JWT-Secured Authorization Request (JAR), the request_uri must be an https URI.

  • IAM-8236: The ability to edit journeys from the AM native admin console has been removed. Use the Advanced Identity Cloud admin console to edit journeys.

  • IAM-9000, IAM-9001: Add annotations and sticky notes to journeys to assist learning and collaboration.

  • IAM-9237: Allow ESVs to be embedded in URL fields for federation IdPs. This lets you set up federation IdPs with fewer ESVs because you can define a single ESV containing a UUID shared by multiple URL fields.

  • IAM-9246: Table columns are now resized uniformly across all table views.

  • OPENAM-20776: A new OIDC client configuration option, Private Key JWT Audience, lets you configure and override the audience (aud) claim of a Private Key JWT.

  • OPENAM-21783: Improved token management for OAuth 2.0 client applications.

  • OPENAM-23669: Full scopes (scopes ending in *) can now be used by service accounts in all cases where more specific scopes (for example, :read) are used.

  • OPENAM-23710: The httpClient binding is now available to legacy SAML 2.0 IdP adapter scripts.

  • OPENAM-23850: Enhanced the PingOne Verify Evaluation node with an Allow same device verification option that lets end users continue verification on their current device.

  • OPENAM-23867: The LDAP Decision node no longer logs credential failures as errors. It now logs them at the info level.

  • OPENAM-24062: Added support for the ECDSA algorithm to the utils.crypto.subtle next-generation binding. This algorithm is supported for key generation, signing, and verification.

Fixes

  • AME-31351 and AME-31471: Improvements to the Device Code flow mean that end users are now prompted to reauthenticate even when there’s an existing session for must-run and app journeys.

  • AME-31481: Validation around policy creation has been improved. If you’re using the legacy "Policy" environment condition (or a custom environment condition), you’ll need to add that to the list of allowed environment conditions for your policy set to create or update policies that use that condition type.

  • IAM-9153: Password validation now works correctly when pasting a value that matches the existing value.

  • OPENAM-20749: A new ESV, esv-enable-oauth2-sync-refresh-token-issuer causes a stateful OAuth 2.0 introspect response to overwrite the iss claim of the introspectable token. To enable this behavior, set this ESV to false.

  • OPENAM-23770: Canceling a WebAuthn flow now results in a Client Error outcome, rather than an internal failure.

  • OPENAM-24159: Fixed an issue that prevented multiple Identity Assertion nodes from being used in a single journey.