PingOne Advanced Identity Cloud

Regular channel changelog version 20133.8

This is a changelog entry for version 20133.8. You can review the changelog for all versions in Regular channel changelog.

21 Jan 2026

Version 20133.8

Key features

AD Decision node to authenticate against Active Directory identity stores (AME-14959)

The new AD Decision node verifies that the provided username and password exist in the specified Active Directory data store. The node also checks whether the user account is locked, disabled, or has expired.

Cache management service (AME-32248, AME-32285)

A new scripted cache management service lets you create and use caches in Scripted Decision nodes. This can improve performance for slow tasks, such as fetching access tokens for third-party services, because the tokens can be reused between journeys. The service has its own metrics.

Learn more in Cache script values.

SAML 2.0 SP account mapper (OPENAM-23986)

A new SAML 2.0 SP account mapper script type enables dynamic modification of SAML assertion data before it’s used to identify local users.

Learn more in SP account mapper.

Support for SAML 2.0 IdP-initiated flows in integrated mode (AME-29258)

You can now configure the hosted SP to redirect to a journey when a response is received from the IdP.

Use the new configuration option to check that the IdP entity ID in the incoming SAML assertion matches the IdP entity ID configured for the node.

A new method has also been added to the samlApplication script binding that returns the assertion as a JSON map.

RADIUS authentication nodes (AME-32871)[1]

The new RADIUS Decision node and RADIUS Challenge Collector node provide RADIUS authentication functionality from within a journey, where Advanced Identity Cloud is acting as the RADIUS client.

Set Logout Details node (OPENAM-24505)[1]

The new Set Logout Details node lets you add details to the JSON response when a journey ends with the user logging out.

Identity Governance reports (ANALYTICS-1307)[2][1]

Advanced Identity Cloud now provides pre-built reports for the Identity Governance service. These reports help you understand and manage your identity governance data. Learn more in Identity Governance Reports.

Enhancements

  • AME-31153: Consent request data can now be pushed via backchannel.

  • AME-31429: A new field on the remote consent agent lets you include properties from the resource owner’s session as part of the consent request.

  • AME-31846: Next-generation Config Provider Node scripts can now access the following additional scripted node bindings:

    • callbacks

    • callbacksBuilder

    • jwtAssertion

    • jwtValidator

    • resumedFromSuspend

    • requestCookies

    • samlApplication

    • oauthApplication

  • AME-32064: The SAML2 Authentication node includes a new configuration option, Validate IdP Entity ID. When enabled, the node validates that the IdP entity ID from the SAML assertion is the same as the IdP entity ID configured on the node.

  • AME-32970: You can now access the application context for all OAuth 2.0 / OIDC flows through the oauthApplication binding by setting Enable Application Context in the OAuth 2.0 provider or at the client level. Previously, you could only use this binding when using an application journey.

  • IAM-8244: Adds support for bidirectional mappings in synchronization configuration.

  • IAM-8497: Added a brand administrator role to the Advanced Identity Cloud admin console. Brand administrators only have access to change hosted pages themes.

  • IAM-9484: Added the ability to provide translation overrides for the Waiting Message field in the Polling Wait node and the Email Suspend Message field in the Email Suspend node. This lets you provide translations when the PollingWaitCallback or the SuspendedTextOutputCallback callbacks are added using scripts.

  • OPENAM-23711: Adds a Detect Connection Time Out option to the Social Provider Handler node. When enabled, connection timeouts from social identity providers result in the journey following the Timeout outcome.

  • OPENAM-24059: Adds support for the android-key WebAuthn attestation format.

  • OPENAM-24130: The PingOne Protect Evaluation node now lets you set the flow subtype that’s sent to PingOne Protect.

  • OPENAM-24137: You can now configure the PingOne Verify Evaluation node to obtain biographic matching data from the node state.

  • OPENAM-24350: Cryptographic keys can now be derived in next-generation scripts using the PBKDF2 algorithm.

  • OPENAM-24548: The PingOne Protect Initialize node now lets you obtain PingID Device Trust Agent attributes when going through a PingOne Protect flow.

  • OPENAM-24552: The PingOne Protect Evaluation node now lets you send a target application name, in addition to the existing target application ID, in the PingOne Protect evaluation request.

  • OPENAM-24554: The PingOne Protect Evaluation node now lets you use targeted PingOne policies.

  • OPENAM-24560: Removed the User Type and User Name fields from the PingOne Protect Evaluation node. The user type is always EXTERNAL and the user name is not applicable to external user types. Only the User ID is sent in the PingOne Protect evaluation request.

  • OPENAM-24587: You can now override the default Google Secret Manager key ID (kid) values with human-readable values. Find more information in Override default kid values.

  • OPENAM-25327: Next-generation OAuth 2.0 scripts can now access the redirectUris property on the clientProperties binding.

  • OPENAM-25417: You can now configure the SameSite attribute for cookies in the Set Persistent Cookie node and the Persistent Cookie Decision node.

  • OPENAM-25418: The attestation fmt type is now included in the transient state data of the WebAuthn nodes.

  • OPENAM-24309: The PingOne Verify Evaluation node now supports biographic matching using multiple user attributes.

Fixes

  • AME-32307: Fixed an issue where end users weren’t able to continue a PingOne Verify journey that requested a QR code if they didn’t have a separate device to scan the code.

  • AME-32513: Added the suspend action to Custom nodes.

  • AME-32979: The Core Token Service (CTS) now stores AUTHENTICATION_WHITELIST tokens with millisecond-level precision for the expiry timestamp. This minimizes contention in indexes.

  • IAM-8766: Fixed an issue with mustRun journeys and query parameters such as forceAuth=true, where end users were authenticated then immediately unauthenticated.

  • IAM-9430: A warning is now displayed in the Advanced Identity Cloud admin console when a promotion would cause a deferred release tenant to be upgraded at the same time.

  • OPENAM-20582: Lets you configure a list of accepted JWT issuers for OAuth 2.0 clients. These are now accepted in addition to the OAuth 2.0 client ID for private key JWT authentication.

  • OPENAM-23929: Fixed a performance issue related to schema caching.

  • OPENAM-24297: Fixed an issue where the PingOne Verify Evaluation node incorrectly returned a failure outcome when the PingOne environment timed out during the identity verification process. This could happen if an end user didn’t engage with the QR code or selfie capture. The update correctly detects the TRANSACTION_TIMED_OUT status in PingOne responses and returns the timeout outcome, letting journeys handle timeouts distinctly from failures.


1. This issue was inadvertently excluded from the rapid changelog.
2. This change applies to a feature only available in PingOne Identity Governance, which is an add-on capability and must be purchased separately.