---
title: Regular channel changelog version 19190.10
description: Version 19190.10
component: pingoneaic
page_id: pingoneaic:release-notes:regular-channel/version-19190.10
canonical_url: https://docs.pingidentity.com/pingoneaic/release-notes/regular-channel/version-19190.10.html
llms_txt: https://docs.pingidentity.com/pingoneaic/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
section_ids:
  21_oct_2025: 21 Oct 2025
  key_features: Key features
  enhancements: Enhancements
  fixes: Fixes
---

# Regular channel changelog version 19190.10

This is a changelog entry for version 19190.10. You can review the changelog for all versions in [Regular channel changelog](../regular-channel-changelog.html).

## 21 Oct 2025

**Version 19190.10**

### Key features

* Create custom authentication nodes (IAM-5759)

  Advanced Identity Cloud lets you create your own nodes to reuse common functionality in authentication journeys. Define properties and run custom server-side scripts in these nodes to dynamically set values and decide the outcome of journeys.

  Learn more in [Custom nodes](../../journeys/node-designer.html).

* Next-generation OAuth 2.0 access token modification scripts (AME-31083)

  You can now create next-generation access token modification scripts that can use next-generation common bindings, such as `httpClient`, `openidm`, and `utils`.

* Ability to configure journeys as *transactional only* (AME-31843)

  A transactional authentication journey only runs when Advanced Identity Cloud starts a transaction, which happens when Advanced Identity Cloud does one of the following:

  * Initializes [backchannel authentication](../../am-authentication/backchannel-authentication.html) using either the `/authenticate/backchannel/initialize` endpoint or the [Backchannel Initialize node](https://docs.pingidentity.com/auth-node-ref/latest/backchannel-initialize.html).

  * Runs a [SAML 2.0 app](../../am-saml2/configure-providers.html#samlapp-journey) journey for a remote SP.

  * Runs an [OAuth 2.0 app](../../am-oauth2/oauth2-register-client.html) journey when Advanced Identity Cloud is acting as an authorization server.

  * Enforces a [transactional authorization](../../am-authorization/transactional-authorization.html) policy.

  You can only configure transactional authentication journeys using the REST API. Set the `transactionalOnly` property to `true` in the journey configuration.

* Mapping custom key IDs to secrets (AME-31380)

  You can now map custom `kid` header values for JWTs signed with the signing key to a specific ESV secret.

* Nodes to support backchannel authentication journeys (AME-31636 and AME-31635)

  The new [Backchannel Initialize node](https://docs.pingidentity.com/auth-node-ref/latest/backchannel-initialize.html) and [Backchannel Status node](https://docs.pingidentity.com/auth-node-ref/latest/backchannel-status.html) let you implement backchannel authentication from within a journey.

* Journey binding for scripted nodes (OPENAM-23127)

  The new `journey` binding for scripted nodes lets you obtain details of the current journey, including inner or child journeys.

### Enhancements

* AME-30984 and AME-30609: Enhanced authentication audit logging to include the SAML Identity Provider (IdP) and Service Provider (SP) entity IDs during SAML flows. This information lets you report on the SAML applications users are accessing, supporting analytics and dashboarding efforts.

* AME-30985: In SAML v2.0 single sign-on (SSO) flows, the JSON web token (JWT) created in the browser's session storage no longer expires.

* AME-31082 and SDKS-3681: Added support for device token refreshing to the Push Notification Service endpoint, enabling the reception of new tokens from mobile devices.

* AME-31351 and AME-31471: Improvements to the Device Code flow mean that end users are now prompted to reauthenticate even when there's an existing session for must-run and app journeys.

* AME-31398: The [PingOne Protect Evaluation node](https://docs.pingidentity.com/auth-node-ref/latest/pingone/pingone-protect-evaluation.html) has been enhanced to support custom attributes. To specify custom attributes to be used in PingOne Protect for custom predictors, set the `Node State Attribute For Custom Attributes` in the node configuration. The node retrieves a map of custom attributes from the node state to be used in the evaluation request to PingOne Protect.

* AME-31656 and AME-31468: The [PingOne Protect Evaluation node](https://docs.pingidentity.com/auth-node-ref/latest/pingone/pingone-protect-evaluation.html) has been enhanced to support dynamic risk policy IDs and target app IDs. To set the risk policy set ID dynamically, enable `Use Node State Attribute For Risk Policy Set ID` in the node configuration. To set the target app ID dynamically, enable `Use Node State Attribute For Target App ID` in the node configuration. This instructs the node to obtain these IDs from the node state.

* AME-31487: Improvements to SAML v2.0 standalone mode include replacing legacy JSPs with URL endpoints.

  You can still invoke the JSPs because they're mapped to URLs for backward compatibility, but any customizations to these JSPs will be lost.

  The following URLs supersede SAML v2.0 JSPs:

  > | Old URL                                     | New URL               |
  > | ------------------------------------------- | --------------------- |
  > | `/saml2/jsp/exportmetadata.jsp`             | `/ExportSamlMetadata` |
  > | `/saml2/jsp/idpSingleLogoutInit.jsp`        | `/IDPSloInit`         |
  > | `/saml2/jsp/idpSingleLogoutRedirect.jsp`    | `/IDPSloRedirect`     |
  > | `/saml2/jsp/idpSingleLogoutPOST.jsp`        | `/IDPSloPOST`         |
  > | `/saml2/jsp/idpMNIRedirect.jsp`             | `/IDPMniRedirect`     |
  > | `/saml2/jsp/idpMNIRequestInit.jsp`          | `/IDPMniInit`         |
  > | `/saml2/jsp/idpSSOFederate.jsp`             | `/idpSSOFederate`     |
  > | `/saml2/jsp/spAssertionConsumer.jsp`        | `/Consumer`           |
  > | `/saml2/jsp/saml2AuthAssertionConsumer.jsp` | `/AuthConsumer`       |
  > | `/saml2/jsp/spSingleLogoutInit.jsp`         | `/SPSloInit`          |
  > | `/saml2/jsp/spSingleLogoutRedirect.jsp`     | `/SPSloRedirect`      |
  > | `/saml2/jsp/spSingleLogoutPOST.jsp`         | `/SPSloPOST`          |
  > | `/saml2/jsp/spMNIRedirect.jsp`              | `/SPMniRedirect`      |
  > | `/saml2/jsp/spMNIPOST.jsp`                  | `/SPMniPOST`          |
  > | `/saml2/jsp/spMNIRequestInit.jsp`           | `/SPMniInit`          |
  > | `/saml2/jsp/spSSOInit.jsp`                  | `/spssoinit`          |
  > | `/saml2/jsp/idpSSOInit.jsp`                 | `/idpssoinit`         |
  > | `/saml2/jsp/SA_IDP.jsp`                     | `/idpsaehandler`      |
  > | `/saml2/jsp/SA_SP.jsp`                      | `/spsaehandler`       |

* OPENAM-23051 and AME-31918: A new ESV, `esv.oauth2.request.object.restrictions.enforced`, lets you enforce stricter adherence to the [PAR](https://www.rfc-editor.org/rfc/rfc9126.html) and [JAR](https://www.rfc-editor.org/rfc/rfc9101.html#section-5.2) specifications.

  Setting the value of this ESV to `true` enforces the following:

  * The authorization server ignores authorize parameters outside the `request_uri`.

  * When sending a JWT-Secured Authorization Request (JAR), the `request_uri` *must* be an `https` URI.

* IAM-8236: The ability to edit journeys from the AM native admin console has been removed. Use the Advanced Identity Cloud admin console to edit journeys.

* IAM-9000, IAM-9001: Add annotations and sticky notes to journeys to assist learning and collaboration.

* IAM-9237: Allow ESVs to be embedded in URL fields for federation IdPs. This lets you set up federation IdPs with fewer ESVs because you can define a single ESV containing a UUID shared by multiple URL fields.

* IAM-9246: Table columns are now resized uniformly across all table views.

* OPENAM-20776: A new OIDC client configuration option, `Private Key JWT Audience`, lets you configure and override the audience (`aud`) claim of a Private Key JWT.

* OPENAM-21783: Improved token management for OAuth 2.0 client applications.

* OPENAM-23669: *Full* scopes (scopes ending in `*`) can now be used by service accounts in all cases where more specific scopes (for example, `:read`) are used.

* OPENAM-23710: The `httpClient` binding is now available to legacy SAML 2.0 IdP adapter scripts.

* OPENAM-23850: Enhanced the [PingOne Verify Evaluation node](https://docs.pingidentity.com/auth-node-ref/latest/pingone/pingone-verify-evaluation.html) with an `Allow same device verification` option that lets end users continue verification on their current device.

* OPENAM-23867: The [LDAP Decision node](https://docs.pingidentity.com/auth-node-ref/latest/ldap-decision.html) no longer logs credential failures as errors. It now logs them at the `info` level.

* OPENAM-24062: Added support for the `ECDSA` algorithm to the `utils.crypto.subtle` next-generation binding. This algorithm is supported for key generation, signing, and verification.
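
To gauge which clients the `esv.oauth2.request.object.restrictions.enforced` setting described above would affect, the following added example (not Ping Identity code) audits authorization request URLs against its two rules. The sample URLs, host names and client IDs are constructed, and the treatment of `client_id` and of `urn:` values issued by a PAR endpoint is an assumption based on RFC 9101 and RFC 9126, not on this changelog.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: only these two parameters stay meaningful on the query string
# (RFC 9101 requires client_id to accompany request_uri).
KEPT_OUTSIDE = {"client_id", "request_uri"}


def audit_authorize_url(url):
    """Check one authorization request URL against the two rules above.

    Returns (ignored, problems): query parameters outside the request_uri
    that would be ignored, and violations of the https rule.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    refs = query.get("request_uri", [])
    if not refs:
        return [], []  # no request object by reference: rules do not apply
    problems = []
    if len(refs) > 1:
        problems.append("request_uri sent more than once")
    scheme = urlsplit(refs[0]).scheme.lower()
    # Assumption: a urn: value is a handle issued by the PAR endpoint
    # (RFC 9126 style), so the https rule for JAR does not apply to it.
    if scheme not in ("https", "urn"):
        problems.append(f"request_uri scheme {scheme!r} is not https")
    ignored = sorted(name for name in query if name not in KEPT_OUTSIDE)
    return ignored, problems


def audit_clients(urls):
    """Group findings by client_id so affected clients can be contacted."""
    report = {}
    for url in urls:
        ignored, problems = audit_authorize_url(url)
        if ignored or problems:
            client = parse_qs(urlsplit(url).query).get("client_id", ["?"])[0]
            entry = report.setdefault(client, {"ignored": set(), "problems": set()})
            entry["ignored"].update(ignored)
            entry["problems"].update(problems)
    return report


# Constructed sample requests (hosts and client IDs are placeholders).
BASE = "https://as.example.com/oauth2/authorize?"
SAMPLES = [
    BASE + "client_id=app1&request_uri=https%3A%2F%2Fapp1.example.com%2Fjar%2F1&scope=openid",
    BASE + "client_id=app2&request_uri=http%3A%2F%2Fapp2.example.com%2Fjar%2F7",
    BASE + "client_id=app3&request_uri=urn%3Aietf%3Aparams%3Aoauth%3Arequest_uri%3Aabc",
    BASE + "client_id=app4&response_type=code&scope=openid",
]
```

Calling `audit_clients(SAMPLES)` reports only `app1` (a `scope` parameter that would be ignored) and `app2` (a non-`https` `request_uri`).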

### Fixes

* AME-31351 and AME-31471: Improvements to the Device Code flow mean that end users are now prompted to reauthenticate even when there's an existing session for must-run and app journeys.

* AME-31481: Validation around policy creation has been improved. If you're using the legacy "Policy" environment condition (or a custom environment condition), you'll need to add that to the list of allowed environment conditions for your policy set to create or update policies that use that condition type.

* IAM-9153: Password validation now works correctly when pasting a value that matches the existing value.

* OPENAM-20749: A new ESV, `esv-enable-oauth2-sync-refresh-token-issuer`, causes a stateful OAuth 2.0 introspect response to overwrite the `iss` claim of the introspectable token. To enable this behavior, set this ESV to `false`.

* OPENAM-23770: Canceling a WebAuthn flow now results in a `Client Error` outcome, rather than an internal failure.

* OPENAM-24159: Fixed an issue that prevented multiple [Identity Assertion](https://docs.pingidentity.com/auth-node-ref/latest/identity-assertion-node.html) nodes from being used in a single journey.
