--- title: Regular channel changelog version 21027.2 description: Version 21027.2 component: pingoneaic page_id: pingoneaic:release-notes:regular-channel/version-21027.2 canonical_url: https://docs.pingidentity.com/pingoneaic/release-notes/regular-channel/version-21027.2.html llms_txt: https://docs.pingidentity.com/pingoneaic/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md section_ids: 01_april_2026: 01 April 2026 key_features: Key features enhancements: Enhancements fixes: Fixes --- # Regular channel changelog version 21027.2 | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | This is a changelog entry for version 21027.2. You can review the changelog for all versions in [Regular channel changelog](../regular-channel-changelog.html). | ## 01 April 2026 **Version 21027.2** ### Key features * Policy Decision node (AME-28779) A new [Policy Decision node](https://docs.pingidentity.com/auth-node-ref/latest/policy-decision.html) lets you evaluate an authorization policy against resources within an authentication journey. * Backchannel Notification node (AME-32579) Introduced a new [Backchannel Notification node](https://docs.pingidentity.com/auth-node-ref/latest/backchannel-notification.html) that allows a backchannel journey to send real-time status updates to the main authentication journey. ### Enhancements * FRAAS-28387: Invites for Advanced Identity Cloud tenant registration now use a one-time passcode (OTP) instead of a magic link. This change prevents email scanners from accidentally invalidating single-use links. * AME-29745: Improved the certificate validation process in the Certificate Collector and Certificate Validation nodes. By default, Advanced Identity Cloud collects the *first* certificate in a certificate chain (the user certificate). You can now create an ESV named `esv-am-nodes-certificatechain-validation-enforced` and set its value to `true` to collect the chain of certificates. * AME-33851: You can now use next-generation scripts for social identity provider transformation scripts. * OPENAM-23610: The default value for the Return challenge as JavaScript (Legacy) property on the WebAuthn Authentication and WebAuthn Registration nodes is now not enabled. Ping Identity recommends that you keep this setting. * OPENAM-25329: The PingOne Protect Initialize node now includes an `Additional Signals SDK Initialization Options` attribute. This allows you to configure options that aren't already defined in the node. The `PingOneProtectInitializeCallback` has been updated with new fields to support this. * OPENAM-25677: The `PingOneProtectInitializeCallback` now includes a `universalDeviceIdentification` field, which replaces the deprecated `enableTrust` field. The `enableTrust` field is still returned for backward compatibility. ### Fixes * IGA-4186\[[1](#_footnotedef_1 "View footnote.")]: Fixed an issue for user LCM in the hosted account pages where large user populations weren't correctly sorted and paginated. * OPENAM-22698: Fixed a bug that caused duplicate URIs in WS-Federation responses. *** [1](#_footnoteref_1). This change applies to a feature only available in PingOne Identity Governance, which is an [add-on capability](../../product-information/add-on-capabilities.html) and must be purchased separately.