Rapid channel changelog

ANALYTICS-1004^[2]: Support for custom attributes and relationships in the organization entity for advanced reports.

FRAAS-24990: Fixed an issue where requests to the /monitoring/logs and /monitoring/logs/tail endpoints timed out after 15 seconds rather than the expected 60 seconds.

IAM-987: Added support for enums (drop-down lists) to hosted account pages.

IAM-1116: Added support for enums (drop-down lists) to the Advanced Identity Cloud admin console.

IAM-2103: Added support for enums (drop-down lists) to hosted journey pages.

IAM-6822: Added the ability to manage cookie domains in the Advanced Identity Cloud admin console.

IAM-7412: Updated the password policy feature in the Advanced Identity Cloud admin console. Added the ability to specify a minimum substring length between 3 - 64 to use when validating passwords against user attribute values. The default is still 5 characters, but can now be reduced to as few as 3 characters to catch shorter string matches.

IAM-7794^[3]: Added support for using custom identity objects in the the form builder.

IAM-7919: Improved color contrast ratio of the Delete Account button text when focused.

IAM-7934: Improved color contrast ratio of date fields when focused.

IAM-7957: Improved color contrast ratio of the Deselect button text when focused.

IAM-7966: Improved color contrast ratio of In Progress text.

IAM-8016^[3]: Allow form authors to specify a user filter when dynamic enums are selected.

IAM-8085: Updated the Add a Parameter reports modal to use entity attributes for input.

FRAAS-15518: Fixed issue that prevented custom localization of Session timed out message in certain locales.

IAM-5834: Fixed a double-encoding issue in the SAML app that affected IdP-initiated sign on.

IAM-6796: Prevented jobs being scheduled with frequencies that caused invalid date errors.

IAM-7855: Fixed a typo in the help text returned when there are no results to display.

IAM-8237: Corrected floating labels in the date picker in the Platform UI Login application.

IAM-8361: Fixed the Save button in the Edit Bookmark application to be inactive while checking if the ESV exists.

IAM-8364: Fixed issues in SAML end-to-end scenarios.

IAM-8378: Fixed an issue that stripped HTML elements from email templates.

IAM-8403: Fixed border focus location and floating label issues in Tag fields.

IAM-8434: Fixed an issue that prevented duplication of new themes that contain special characters.

FRAAS-24449: Enhanced the reliability of metrics collection under high-load conditions.

FRAAS-24631: Fixed a promotions issue where ESVs mapped to secret labels aren’t identified as available in the upper environment.

FRAAS-24648: Fixed an issue with loading ESVs with values containing leading blank spaces.

IAM-7202: In the custom application modal, the native apps link now correctly points to the SDKs documentation.

FRAAS-24646: Fixed an issue where ESVs mapped to AM secret labels could block configuration promotions.

OPENDJ-11175: The password validation mechanism has been enhanced to include checks for attribute values shorter than the min-substring-length (the default is 5).

FRAAS-24546: Tenant-auditor role temporarily disabled in the Advanced Identity Cloud admin console.

AME-31141: Multiple Java libraries added to SAML SP Adapter scripting allowlist.

ANALYTICS-846: You can now select the attribute type and value for report entity attributes.

ANALYTICS-983^[2]: You can now use regular expression operators in Advanced Reporting.

OPENAM-23718: Added additional Java classes to the SAML 2.0 SP adapter scripting allowlist.

IAM-6996: Added the ability to create a specific OAuth 2.0 client when creating a connector server, rather than relying on the default RCSClient.

IAM-7109: You can now use an ESV to set the From Address in the email provider configuration.

IAM-7827/ANALYTICS-835^[2]: In the analytics report editor in Advanced Reporting, you can now reorder columns by dragging and dropping them.

IAM-7841/ANALYTICS-840^[2]: The reports page in Advanced Reporting is now a list view with pagination and search.

IAM-8321: In the journey editor, the node titles now wrap within the left nodes panel.

IAM-1504: User no longer needs to click the cancel button twice in some journey dialogs.

IAM-8111: Schedules can no longer be disabled when running.

AME-27705: Extend the utils binding for all next-generation scripts to support low-level cryptographic operations. These operations include encryption, decryption, hashing, signing, verification, and key generation.

AME-28780: Added an IDM policy condition that can assert conditions against an IDM resource type such as user identities.

AME-28954: Modified the import metadata endpoint to support updating signing and encryption certificates for existing SAML service providers (SPs) without requiring the deletion or recreation of SP configurations.

AME-29307: You can now use DER-encoded certificates for OAuth 2.0 client authentication.

AME-29810: The realm default authentication service can no longer be a journey with mustRun enabled. Also, mustRun can no longer be enabled on journeys that are set as the realm default authentication service.

AME-29835: Configuration Provider Node scripts can now use the next-generation scripting engine, which gives them access to common bindings such as openidm and httpClient.

AME-30076: New getApplicationId() method provides a consistent way to retrieve the application ID from both SAML and OAuth 2.0 applications.

AME-29504: The scriptName and logger bindings in library scripts referenced the same default script name and ID. Their previous behavior has now been restored by inheriting values from the referencing script.

AME-29965: The Configuration Provider node now works with the Inner Tree Evaluator for nested inner journeys.

AME-30377: The following two warning level log messages have been reduced to debug level because they’re rarely useful and appear frequently, drowning out more useful log entries:

OPENAM-22120: Back-channel logout tokens now include the exp claim.

OPENAM-23077: The access_token endpoint now responds with the correct error code when the code_verifier isn’t supplied (for example, invalid_grant).

IAM-7967^[3]: Added an image description for the approvals Low Priority icon.

IAM-7977: Improved the font color contrast ratio of the email address displayed in Advanced Identity Cloud admin console user profiles.

IAM-8053: The Advanced Identity Cloud end-user UI can now use defaultText value as a fallback value when the actual value of a field returns empty.

OPENIDM-20139: Applications can now use postAction scripts for the ONBOARD action.

IAM-7719^[3]: Users are now redirected back to the compliance Policy Rules tab after creating or editing a policy rule.

FRAAS-23812: You can now deactivate the header ruleset after deactivating the IP ruleset when configuring Proxy Connect.

IAM-4692: Managed identity boolean fields now use a checkbox instead of a toggle.

IAM-6581: SAML 2.0 application journeys can now be configured in the Advanced Identity Cloud admin console.

IAM-7248^[3]: In IGA sources, the displayName and logo can now be obtained from the CDN.

IAM-7874^[3]: The Governance > Requests > Settings tab now lets you activate or deactivate Governance LCM.

IAM-1262: Clicking the Toggle Sidebar button now collapses the sidebar.

IAM-5801: For applications that mandate a minimum page size, the page size selector on the Data tab and the Reconciliation Results tab has been removed.

FRAAS-23780: Optimized network utilization to distribute workloads more effectively.

FRAAS-23002: Improvements to OATH support for MFA authenticators

IAM-7454: The inbound mapping for all application templates and scripted application templates has now been configured to make fewer connector requests.

IAM-5242: The Previous link in the New Script modal now always shows the previous step.

IAM-7799: Identity attributes with Time and DateTime format now trigger change events only when a change occurs.

FRAAS-23375: You can now obtain the HTTP client location from the X-Client-City & X-Client-City-Lat-Long HTTP headers in Advanced Identity Cloud scripts and journeys.

IAM-6833: Made existing synchronization tokens editable for incremental reconciliations.

IAM-7223^[3]: Added the ability to set user, role, organization, application, or entitlement objects to provide predefined values for select and multiselect fields in request forms.

IAM-5482: Password policy no longer allows Password length to be set as an empty string.

AME-29504: Fixed issue with script names not displaying in next-generation script logs.

OPENIDM-20542: Added a feature service named am/2fa/profiles to expose certain multi-factor attributes on alpha and bravo users.

OPENDJ-9287: The password validation mechanism has been enhanced to include checks for portions of attribute values within passwords. This improvement ensures that even partial matches between portions of passwords and portions of attribute values are identified and restricted, thereby enhancing security.

AME-26050: You can now create Next-generation Policy Condition scripts that have access to all common bindings, such as openidm and httpClient. Additionally, some existing bindings have been wrapped to improve usability in scripts.

AME-28228: OAuth 2.0 audit logs now include the OAuth 2.0 client ID and any journey associated with the client.

AME-29009: When using the new FIDO Metadata Service, if you link to the FIDO metadata using a URL, Advanced Identity Cloud periodically downloads and updates the latest FIDO metadata based on the nextUpdate date specified in the downloaded data.

AME-29093: Added configuration for integration with WebAuthn Metadata Services (such as the FIDO Metadata Service). This includes a realm-level WebAuthn Metadata service and a new FIDO Certification Level configuration attribute in the WebAuthn Registration Node.

FRAAS-22321: You can now obtain the HTTP client location from the X-Client-Region HTTP header within your scripts and journeys. The X-Client-Region header contains the country (or region) associated with the client’s IP address in the form of a Unicode CLDR region code, such as US or FR. For most countries, these codes correspond directly to ISO-3166-2 codes.

FRAAS-23073: The SAML scripting adapter now lets scripts access org.forgerock.http.protocol.*.

IAM-3323: You can now use XPath transformation functions with additional Workday application template attributes.

IAM-4540: You can now change the border color of a selected input field in journey and end-user pages.

IAM-6397: The Advanced Identity Cloud admin console now lets you page through the list of OAuth 2.0 client profiles.

OPENAM-23109: During a WebAuthn registration flow, if Store data in transient state is enabled, the Authenticator Attestation Global Unique Identifier (AAGUID) is now added to the node state under the webauthnData key.

AME-28016: When an invalid redirect URI is provided to the /par endpoint, the URI mismatch error is now redirect_uri_mismatch instead of invalid_request.

AME-28017: Advanced Identity Cloud now accepts the requested OAuth 2.0 endpoint as a valid JWT audience claim, as per RFC 7519 and RFC 9126.

AME-29170: On LDAP Decision node login failure, stack traces are now logged at debug level.

AME-29965: The Configuration Provider node now works with the Inner Tree Evaluator node for nested inner journeys.

IAM-1782: Long gateway and agent IDs no longer overflow in the Advanced Identity Cloud admin console.

IAM-7523^[3]: A user receiving a forwarded fulfillment task now has permission to approve or reject the task.

IAM-7537^[3]: Governance functionality is now only shown for the alpha realm.

IAM-7689^[3]: The Advanced Identity Cloud admin console now displays the Assigned To value in the task list for a user assigned to a role who receives a forwarded fulfillment task.

OPENAM-18252: Journeys acting on multiple identities now successfully update universalId in the journey context during the authentication flow.

OPENAM-20314: Added the ability to indicate whether an OIDC provider doesn’t return a unique value for the sub claim.

OPENAM-22966: Social IDPs now support NONE as a client authentication method. This option should be used if the provider doesn’t require client authentication at the token endpoint.

02 Dec 2024

[25_nov_2024]

AME-26050: You can now create Next-generation Policy Condition scripts that have access to all common bindings, such as openidm and httpClient. Additionally, some existing bindings have been wrapped to improve usability in scripts.

AME-28228: OAuth 2.0 audit logs now include the OAuth 2.0 client ID and any journey associated with the client.

AME-29009: When using the new FIDO Metadata Service, if you link to the FIDO metadata using a URL, Advanced Identity Cloud periodically downloads and updates the latest FIDO metadata based on the nextUpdate date specified in the downloaded data.

AME-29093: Added configuration for integration with WebAuthn Metadata Services (such as the FIDO Metadata Service). This includes a realm-level WebAuthn Metadata service and a new FIDO Certification Level configuration attribute in the WebAuthn Registration Node.

AME-29769: The Social Provider Handler node has a new configuration option, Store Tokens, that allows access and refresh tokens to be stored in the transient state.

FRAAS-22321: You can now obtain the HTTP client location from the X-Client-Region HTTP header within your scripts and journeys. The X-Client-Region header contains the country (or region) associated with the client’s IP address in the form of a Unicode CLDR region code, such as US or FR. For most countries, these codes correspond directly to ISO-3166-2 codes.

IAM-3323: You can now use XPath transformation functions with additional Workday application template attributes.

IAM-4540: You can now change the border color of a selected input field in journey and end-user pages.

OPENAM-23109: During a WebAuthn registration flow, if Store data in transient state is enabled, the Authenticator Attestation Global Unique Identifier (AAGUID) is now added to the node state under the webauthnData key.

AME-28016: When an invalid redirect URI is provided to the /par endpoint, the URI mismatch error is now redirect_uri_mismatch instead of invalid_request.

AME-28017: Advanced Identity Cloud now accepts the requested OAuth 2.0 endpoint as a valid JWT audience claim, as per RFC 7519 and RFC 9126.

AME-28906: The stack trace of an authentication exception generated on login failure is now logged only when debug level logging is enabled.

AME-29170: On LDAP Decision node login failure, stack traces are now logged at debug level.

IAM-7523^[3]: A user receiving a forwarded fulfillment task now has permission to approve or reject the task.

IAM-7537^[3]: Governance functionality is now only shown for the alpha realm.

OPENAM-18252: Journeys acting on multiple identities now successfully update universalId in the journey context during the authentication flow.

OPENAM-20314: Added the ability to indicate whether an OIDC provider doesn’t return a unique value for the sub claim.

OPENAM-22966: Social IDPs now support NONE as a client authentication method. Use this option if the provider doesn’t require client authentication at the token endpoint.