Regular channel changelog version 20814.9

The following OAuth 2.0 scripts can now use the next-generation scripting engine, which gives them access to common bindings such as utils and openidm:

The following SAML 2.0 scripts can now use the next-generation scripting engine, which gives them access to common bindings such as utils and openidm:

AME-32969: You can now make sure the samlApplication binding is available for all SAML flows by enabling the application context in the hosted IdP or remote SP entity configuration. Previously this was only added in certain situations such as when using an application journey or IdP-initiated integrated mode.

AME-32997: Added an Allow Retry option to the Backchannel Initialize node that lets end users retry a failed backchannel authentication journey.

AME-33430: You can now include remote consent agent credentials in a Basic Authentication header for pushed consent requests.

AME-33930: A new testConnection action on the realm-config/services/pingOneWorkerService/workers/pingone-worker-service-name endpoint lets you test the connection from Advanced Identity Cloud to PingOne.

AME-33939: A new listLatestNodeDefinitions action on the realm-config/authentication/authenticationtrees/nodes endpoint provides a list of node definitions for the latest version of each node.

ANALYTICS-1383^[1]: The new historical change report feature provides a complete audit trail of changes to your managed identities. It tracks all modifications to user profiles, roles, accounts, and applications. You can easily generate reports to see what changed, who made the change, and when it happened, which gives you clear insights for compliance and security monitoring.

FRAAS-29084: Custom domains are now restricted to a maximum of 63 characters in the Advanced Identity Cloud admin console. This restriction has always existed on the system backend.

OPENAM-22125: A new Proxy Configuration tab in the Http Client Service configuration lets you use separate proxy configurations per HTTP Client instance.

OPENAM-24476: Added java.util.zip classes to the allowlist for the Scripted Decision node scripting context.

The following enhancements have been made to the nodes provided with Advanced Identity Cloud:

OPENAM-25371: Added a configuration property to the PingOne Verify Evaluation node to enable automatic redirection to the journey after an end user completes verification (when using the Redirect delivery mode).

OPENAM-25618: The new locales binding lets you return the localized version of a string from a translation map. It is available to next-generation Configuration Provider node, Journey Decision node, and Device Match node scripts.

OPENIDM-21493: You can now cancel a clustered reconciliation even when a route associated with the source or target system is unavailable.

AME-34191: You can now override the HTTP binding used to redirect users to the SAML error page. To do this, configure an ESV variable named esv-global-saml-error-page-http-binding and set its value to HTTP-POST or HTTP-Redirect. If you don’t set this variable, Advanced Identity Cloud uses the default value of HTTP-POST.

IAM-6546: End users now have more options to manage their devices in the hosted account pages. For each device, they can view when it was last used for sign on, view when it was added, edit its name, and delete it.

IAM-9672: In the advanced sync Mapping tab, if no properties have been mapped, it now shows a more accurate description of the target and source identity objects whose properties can be mapped.

AME-33653: Custom nodes now work with the Configuration Provider node.

AME-33808: If Node State Attribute For User ID is provided in the PingOne Protect Evaluation node, but the corresponding attribute is missing from the node state, the node triggers the failure outcome rather than using the user ID associated with the AM identity.

AME-34217: Added a version setting to the Configuration Provider node. This update provides the underlying infrastructure for a node versioning feature in an upcoming release.

AME-34034: Fixed an issue where omitting a shared secret label in the RADIUS Decision node caused Prometheus metrics to become unavailable.

ANALYTICS-1326^[1]: Fixed an issue in custom reports caused by relationships between custom identities that contain multiple underscores.

ANALYTICS-1367^[1]: Fixed an issue in custom reports caused by IP addresses in journey events.

OPENAM-23918: Resolved a race condition in the OATH Registration node and OATH Device Storage node where recovery codes could potentially be lost.

OPENAM-24065: Improved consistency for error responses across realms when processing illegal arguments. The /authenticate call now correctly returns a 400 (Bad Request) instead of a 500 (Internal Server Error) for invalid arguments.

OPENAM-25406: Added an identity.exists() method to next-generation objects returned by idRepository.getIdentity(). This lets scripts verify an identity’s existence in the identity store before further processing.

OPENAM-25646: For backward compatibility, we’ve restored the following deprecated fields sent to PingOne Protect by the PingOne Protect Initialize node (in the PingOneProtectInitializeCallback):

OPENAM-25779: Deletion of the samlApplication object is now deferred for unsuccessful authentication journeys so that the object is still available for subsequent sign-on attempts in the same session.

IAM-6640: Fixed an issue in the hosted pages theme preview where clicking Edit Personal Info opened two instances of the modal.

IAM-8221: Fixed an issue in the terms & conditions live preview where interactive elements weren’t disabled.

IAM-9620^[2]: Fixed an Identity Governance issue where clicking Save in the certification template creation wizard didn’t disable the button after submission, which could result in the creation of unintended duplicate templates.

IAM-9786: Fixed an issue where ESV placeholders manually entered into a field were always treated as strings, regardless of whether they were an array, list, or string.

IAM-9886: Fixed a display issue on the Reports Run History tab where the pop-up menu items weren’t displayed correctly.

FRAAS-29855^[3]: Fixed an issue where OTLP log streaming reported all Advanced Identity Cloud logs with am-core or idm-core as the source and omitted custom IDM event-hook logs. Logs streamed via OTLP now preserve their correct source (for example, am-authentication, am-access, idm-access) and include custom IDM event-hook messages.

OPENIDM-21718: The maxQueueSize for queued synchronization now defaults to 1000 and can’t be configured to a value higher than 1000 or lower than 100. The previous default was 20000.