You can configure PingIDM to meet Federal Information Processing Standard (FIPS) 140-3 compliance standards. Learn more in FIPS 140-3 compliance.

You can run a distributed trace in PingIDM using OpenTelemetry and export the data to an external trace collector for telemetry storage and visualization.

Learn more in Distributed tracing.

The embedded Jetty web server supports Jetty 12.0.16. Instead of jetty.xml, the updated configuration uses a webserver.json for global settings and a webserver.listener-*.json to detect changes. Learn more in Embedded Jetty configuration.

You can choose how synchronization detects managed object array changes using unordered or ordered comparison using the configuration property comparison in the schema. Unordered JSON array comparison ignores the order of elements and can negate the need for certain custom scripts within mappings.

Learn more about managed object schema properties and array comparison.

IDM now uses Logback to generate server logs. Learn more in Server logs.

You can run IDM with Java 21. Learn more in Java requirements.

To verify the current server state without generating audit logs, use the new openidm/health endpoint. Learn more in Audit-free health check.

New metrics are available for ICF operations.

You can configure automatic encryption of your filesystem secret store.

You can store credentials for many services as secrets. The list of supported services has been expanded to include:

Learn more in Secret stores.

Connectors continue to be updated and released outside of IDM. To stay up-to-date with new features and versions, check out the ICF Release notes.

Although not bundled in this release of IDM, the two newest connectors are available to download from Backstage:

IDM now supports international email addresses. This feature is only available for supporting SMTP providers.

For more information, refer to International email addresses.

You can create custom relationship properties in the admin UI or with the REST API.

You can store credentials for various services as secrets. The supported services include:

For more information, refer to Secret stores.

You can have multiple versions of secrets stored in a file system secret store.

For more information, refer to Filesystem secret stores.

Managed objects can now receive relationship graph topology change signals through the SignalPropagationCalculator class that is active by default.

Learn more in Enhanced signal propagation.

The Flowable embedded workflow engine has been upgraded to version 6.8.0. If you are upgrading from a previous version of IDM and use workflow, this upgrade requires one or more incremental upgrade scripts. For more information, refer to Upgrade an existing repository.

The customizer script for the Connect to DS with ScriptedREST sample now includes OAuth capabilities for the client_credentials grant type.

Array properties now display in the End User UI.

You can now configure secret stores to use filesystem secret stores. Filesystem secret stores use a directory containing many files, each storing a single secret. For more information, refer to Filesystem secret stores.

In addition to the SMTP client, you can now configure the outbound email service to use the new MS Graph API Client.

For more information, refer to Outbound email service.

New metrics are available for livesync and scheduler functions. For example requests, refer to Scheduler metrics.

Queries within scripts now support the _countOnly parameter.

If you are using IDM with a DS repository, ForgeRock recommends using mTLS to authenticate to DS to better facilitate credential rotation. Refer to Configure mTLS.

The Flowable embedded workflow engine has been upgraded to version 6.8.0. If you are upgrading from a previous version of IDM and use workflow, this upgrade requires one or more incremental upgrade scripts. For more information, refer to Upgrade an existing repository.

Array properties now display in the End User UI.

IDM now supports the use of Bouncy Castle FIPS as a security provider. Bouncy Castle FIPS is useful when dealing with government data, where meeting the FIPS 140-2 security requirement is necessary for regulatory compliance.

For information on how to configure Bouncy Castle, refer to FIPS 140-3 compliance.

IDM now supports UTF-8 (non-ascii/international) characters in email addresses, such as zoë@example.com. When sending emails to these type of addresses, the configured SMTP server must also support UTF-8.

You can now disable delegated administrator sort and filter while searching resource collections in the End User UI. For more information, refer to Disable sort and filter for resource collections.

IDM workflows now support JavaScript in addition to Groovy. For more information about scripting workflows, refer to BPMN 2.0 and workflow tools.

It is now possible to patch the root of an object. The only supported patch operations on the root of an object are remove and replace.

/system endpoints now support specifying additional fields when also using *. This allows callers to get fields that are not returned by default.

New sync mapping configuration fields, defaultSourceFields and defaultTargetFields, allow specifying which fields to use for read and query requests made on source and target resource collections.

Upgrading to DS 7.3 is now supported. For more information, refer to Supported repositories.

IDM now supports property-based secret stores and can read keys and trusted certificates from properties that contain keys in Privacy-Enhanced Mail (PEM) format.

For more information, see Property secret stores.

The default IDM configuration now includes two scanning tasks that activate and deactivate a user’s accountStatus, based on their activeDate and inactiveDate. For more information, see Activate and deactivate accounts.

You can now use cc and bcc parameters with the sendTemplate action. For more information, see:

The Flowable embedded workflow engine has been upgraded to version 6.6.0. This upgrade fixes the issue with native email tasks previously mentioned in the Workflow Guide.

You can now validate field removal using the policy action validateProperty.

Relationship-derived Virtual Properties now include reference fields with details of the referenced relationship.

The latest version of the Active Directory password synchronization plugin (v1.7.0) uses UTC timestamps for logs.

Previously, the property openidm.fileinstall.enabled also controlled the configs being loaded on startup. Therefore, to disable file monitoring, you had to first start IDM with it enabled in order to load the configs into the repository, and then restart IDM with it disabled. The new setting openidm.config.bootstrap.enabled (which defaults to true), allows file monitoring to be disabled, and the bootstrap process will load the configuration into the repository.

For more information, see Disable automatic configuration updates.

IDM can now log warnings when API version headers are not specified.

Reconciliation has been enhanced in the following ways:

A new property has been added to synchronization mappings, optimizeAssignmentSync, which determines whether modifications to an assignment’s attributes or relationships should be treated as a synchronization event for members of that assignment or role, or if it should only be treated as a synchronization event for members if the modified assignment is directly relevant to that mapping, or if effectiveAssignments is included in triggerSyncProperties.

Learn more in the Synchronization reference.

For versions of IDM running DS or PostgreSQL as a repository, queryFilter now supports filtering on the contents of arrays. For more information, see Filter objects in arrays.

New metrics are available for workflow and JVM.

The Synchronize data between IDM and Azure Active Directory sample uses the MS Graph API connector to synchronize users between IDM and Azure AD.

Previously, KBA answers were always hashed as SHA-256 upon save, which is still the default setting. However, you can now specify an alternative hashing algorithm.

You can now specify default values for properties in the managed object configuration. For example, the default managed object configuration includes a default value that makes accountStatus:active, which effectively replaces the onCreate script that was previously used to achieve the same result.

You can now perform REST queries on properly configured array fields. Learn more:

The optional waitForCompletion parameter is now available to the config endpoint for create, update, and patch requests. Learn more:

To protect production servers from unauthorized API descriptor requests, IDM now requires admin authentication for the API endpoint. Learn more in Secure the API Explorer.

Queries on explicit tables in JDBC now support bool:, num:, and long: in addition to the previously supported query parameters (strings, list:, and int:).

You can now configure access rules over REST, at the openidm/config/access endpoint. In previous releases, access rules were configured in the access.js file. This script file has been replaced by an access.json configuration file, that performs the same function. Learn more in Authorization and roles.

You can now create privilege dynamic filters for delegated administrators.

You can now configure the temporary storage file size for HTTP I/O requests.

You can use _queryFilter to directly filter expanded relationships from a collection, such as authzRoles. Learn more in Filter expanded relationships.

By default, JWTs are now signed with deterministic Elliptic Curve Digital Signature Algorithm (ECDSA). In order to use this more secure signing method, Bouncy Castle, which is included in the default IDM installation, must be installed. If Bouncy Castle is unavailable or the key is incompatible, IDM falls back to normal ECDSA.

In previous releases, setting javascript.exception.debug.info=true in the boot.properties file enabled additional debug information, including line numbers and file names for JavaScript exceptions. In this release, setting groovy.exception.debug.info=true lets you gather comparable debug information for Groovy scripts.

IDM now supports the ability to specify the REST API version in HTTP calls and scripts. For more information, see REST API Versioning.

The following APIs have been updated in this release:

IDM now supports using AM bearer tokens for authentication, with the rsFilter authentication module. Going forward, this is the only supported method for integrating AM and IDM. Learn more in Authenticate through AM.

Notifications of changes to managed objects are injected into a property in that object type. Previously, the name of this property was always _notifications. In this IDM release, you can customize the name of the notifications property. Learn more in Configure notifications.

The new recon/assoc endpoint can be used to gather detailed information about the associations created between a source and a target object during a reconciliation. This endpoint requires the following tables and views to be added to your repository: reconassoc, reconassocentry, and reconassocentryview. Learn more about reconciliation association details.

For instructions on updating your existing repositories to enable this feature, refer to Upgrade an Existing Repository in the IDM 7.0 documentation.

A new endpoint has been added to self-service, which lets you get a percentage value regarding the completeness of a specified user’s profile.

By default, IDM now safelists fields that are safe to log. Learn more in Use policies to filter audit data.

The in expression clause provides limited support for queries on singleton string properties.

In version 1.5.20.11 of the ICF framework, the framework disposes of idle connector instances in the connection pool (for poolable connectors such as the LDAP connector and the Database Table connector).

A connection pool cleaner thread now runs every minute and removes connections whose lastUsed time is larger than the minEvictableIdleTimeMillis.

This behavior is an improvement on previous releases, where a connection that had been used then returned to the connection pool remained there until the next connector operation. The previous behavior could result in several connections in the pool, that were idle but still connected to the target resource.

This release lets you configure mappings in separate mapping files, instead of, or in addition to one sync.json file. You cannot manage separate mapping configurations through the Admin UI. Learn more in Resource mapping.

This release provides the ability to configure an infinite number of queued synchronization retries. Learn more in Configure queued synchronization.

mat-icon has been added to the schema property of the managed object configuration.

Queries on explicit tables in JDBC now support bool:, num:, and long: in addition to the previously supported query parameters (strings, list:, and int:).

The following content was added to the default config.properties file:

Changing the JVM heap size can improve performance and reduce the time it takes to run reconciliations.

You can set the JVM heap size via the OPENIDM_OPTS environment variable. If OPENIDM_OPTS is undefined, the JVM maximum heap size defaults to 2GB. For example, to set the minimum and maximum heap sizes to 4GB, enter the following before starting IDM:

You can also edit the OPENIDM_OPTS values in startup.sh or startup.bat.

The embedded Jetty web server has been upgraded to Jetty 12.0.16, and jetty.xml is no longer supported in this IDM release. Learn more in Embedded Jetty configuration.

Felix HTTP Jetty has been upgraded to Jetty 12.1.0.

Servlet Specification has been upgraded to 6.0.

You can now configure Jetty thread pool settings in conf/webserver.json.

You can now configure Gzip compression for HTTP responses in conf/webserver.json.

You can now configure Secure protocol settings in conf/webserver.listener-*json.

The embedded DS repository is no longer included with IDM. Before you can use IDM, you must select and configure a repository.

PingIDM now uses Logback to generate its server logs. You will need to add logback.xml to your configuration when updating. Learn more in Server logs.

The end-user UI is no longer bundled with PingIDM. You can download and install the end-user UI separately from the GitHub repository: ForgeRock/end-user-ui. Learn more in the End-user UI.

Starting with IDM 7.3, unordered array comparison became the default behavior. For this release of IDM, ordered array comparison is the default behavior, restoring the default behavior prior to IDM 7.3.

You can now use the comparison managed object schema configuration property to choose how JSON array comparisons are made with regard to array order.

Learn more about managed object schema properties and array comparison.

Previously, running IDM required Java 17. You can now use Java 17 or Java 21. Learn more in Java requirements.

The Flowable embedded workflow engine has been upgraded to version 6.8.0. If you are upgrading from a previous version of IDM and use workflow, this upgrade requires one or more incremental upgrade scripts. For more information, refer to Upgrade an existing repository.

Schema fields defined as type array are required to have an item type defined as of IDM 7.4.0. IDM 7.5.0 defaults the item type to string to avoid startup issues if the type is not defined.

The sample secrets configuration (secrets.json) no longer includes the populateDefaults flag. It is safe to remove this from your secrets configuration.

Running IDM requires Java 17. Learn more in Java requirements.

MD5 and SHA-1 are supported for legacy reasons, but should not be used in production environments and have been removed from the Admin UI. Learn more in Salted hash algorithms.

The org.forgerock.openidm.secrets.config.FileBasedStore class has been deprecated and replaced by org.forgerock.openidm.secrets.config.KeyStoreSecretStore. The old class is currently an alias.

The Flowable embedded workflow engine has been upgraded to version 6.8.0. If you are upgrading from a previous version of IDM and use workflow, this upgrade requires one or more incremental upgrade scripts. For more information, refer to Upgrade an existing repository.

If you try to run this version of IDM using an older release of JDK, the following error displays:

For a complete list of supported Java versions, refer to Java requirements.

When using IDM with a DB2 database, you previously had to create an OSGi-compliant driver. The driver included with DB2 is now compliant.

For more information, refer to:

The Flowable embedded workflow engine has been upgraded to version 6.8.0. If you are upgrading from a previous version of IDM and use workflow, this upgrade requires one or more incremental upgrade scripts. For more information, refer to Upgrade an existing repository.

JSON array comparison during sync is now order-agnostic. This change could negate the need for certain custom scripts within mappings. For example, scripts that were previously required to sort ldapGroups values to avoid unnecessary target object updates.

Assignment attributes are now encrypted if the corresponding connector attribute indicates confidentiality, based on the attribute’s nativeType (such as JAVA_TYPE_GUARDEDSTRING or JAVA_TYPE_GUARDED_BYTE_ARRAY). As part of this change, the managed assignment object now includes the following property:

If attributeEncryption is not present, the assignment attributes are not encrypted. If the property is present but empty, it will default to IDM’s default encryption cipher. To specify a different cipher, add the cipher property. For example:

Additionally, secrets.json has a new secret: idm.assignment.attribute.encryption.

The default onDelete behavior previously called a file-based script, onDelete-roles.js. This has been removed from the managed object configuration.

IDM has upgraded to OSGi Core 8.0 and Felix Framework 7.0.0.

The samples that use the Java Message Service (JMS) have been upgraded to use the 2.0 API and Apache ActiveMQ Artemis:

Previously, illegal PATCH requests could return a 400 or 500 exception. In such cases, IDM now returns a 400 status.

The name property of a managed role is now subject to the uniqueness policy by default. This means that you cannot create multiple roles with the same name. To change this behavior, adjust the policy validation on the role property in your managed object configuration.

Previously, the defaultLocale specified in the Self-Registration Email Template configuration took precedence. As of IDM 7.2, locales specified as preferredLocales in the Accept-Language header take precedence over the defaultLocale.

Synchronization queue processing for a mapping is now paused if either the source or target system route are unregistered. For more information, see Configure queued synchronization.

Previously, you could use the Flowable workflow engine’s embedded H2 database for demo and testing purposes. IDM no longer includes this database. Before you use workflow, you must install a JDBC repository.

Learn more in Enable workflows.

The default JDBC Connection Configuration now uses the connection driver from MySQL 8.1 (com.mysql.cj.jdbc.Driver).

Previously, you could use the Flowable workflow engine’s embedded H2 database for demo and testing purposes. IDM no longer includes this database. Before you use workflow, you must install a JDBC repository.

Learn more in Enable workflows.

Previously, workflows would break when upgrading from version 7.0.2 to 7.1.0 of IDM, because of out-of-sync versions of the Flowable workflow engine. This is fixed in version 7.1.2 of IDM. If you are upgrading IDM from version 7.0, please use IDM version 7.1.2 or higher.

For external DS repositories with explicitly mapped managed objects, the stored data format has changed for certain data types.

In IDM versions prior to 7.1, certain property values were always considered as strings, so the returned JSON format of a managed object would look something like this:

In IDM 7.1, these properties are returned with the correct data type, so a similar object in IDM 7.1 looks something like this:

This change doesn’t affect new deployments. If you are upgrading an existing deployment with an external DS repository with explicit object mappings, you should test this change and adapt your scripts and REST API calls, as necessary.

This change affects the following data types:

The JsonStdoutAuditEventHandler is now pre-configured in the standard audit configuration, but is disabled by default.

Previously, to enable or disable audit handlers, you needed to modify conf/audit.json directly. Now, you can set the following properties in the resolver/boot.properties file to true or false:

Learn more in:

Previously, to enable or disable HTTP or HTTPS, you could modify conf/config.properties directly. Now, you can set the following properties in the resolver/boot.properties file to true or false:

Learn more in Property value substitution.

Previously, to change the Felix web console credentials, you could modify the conf/felix.webconsole.json file directly. Now, you can set the following properties in the resolver/boot.properties file:

Notifications are now disabled by default. Previously, to enable or disable notifications, you could modify the applicable conf/notificationType.json file directly. Now, you can set the following properties in the resolver/boot.properties file to true or false:

Learn more in Configure notifications.

The following files have been moved from the /path/to/openidm/conf/ directory:

Previously, API requests containing the validateProperty action to unknown resources or those with invalid POST body content could result in an invalid true response, or a generic 500 Internal Server Error. Both of these situations now return a 400 Bad Request Error with an explanation.

The default router.json file no longer includes system in the matching pattern.

Previously, you could use the Flowable workflow engine’s embedded H2 database for demo and testing purposes. IDM no longer includes this database. Before you use workflow, you must install a JDBC repository.

Learn more in Enable workflows.

The Activiti workflow engine has been replaced with Flowable. Current workflow definitions will continue to work with the new engine in compatibility mode, but all new workflow definitions must be written for Flowable. Learn more in Workflow definition comparison.

If you are using MySQL for the workflow database, the following apply:

The default log message formatter has changed from ThreadIdLogFormatter to SanitizedThreadIdLogFormatter. The new default encodes control characters (such as newline characters) using URL-encoding, to protect against log forgery. Control characters in stack traces are not encoded. Learn more in Log message format.

In previous IDM releases, managed users were granted the openidm-authorized role as a relationship during user creation as part of the onCreateUser.js script. In IDM 7, users are granted the openidm-authorized role statically when they authenticate. Learn more in Authentication and roles.

The default relationship model for authzRoles and authzMembers has changed in this release. In the default configuration, a user’s authzRoles now references only the internal/role resource collection and not the managed/role. Conversely, an internal role’s authzMembers property now references only the managed/user resource collection.

The default schema configuration files have been amended to support this change. The managed/role collection has been removed from the authzRoles property on a managed user object and the internal/user collection has been removed from the authzMembers property on an internal role object.

Multiple resource collections for a single relationship field are not currently supported with a DS repository. For legacy reasons, Multiple resource collections will still work with a JDBC repository.

The INTERNAL_USER authentication module is no longer provided in the default authentication configuration.

This change means that any scripts you used previously to update internal user passwords in the IDM repository will need to be modified.

Monitoring using Prometheus is no longer achieved with a specific access role. The openidm/metrics/prometheus endpoint is now protected by a basic authentication filter, using credentials set in the resolver/boot.properties file. Learn more in Prometheus endpoint.

Properties stored in the repository with boolean (true/false) values are processed differently from this release. A property value is now considered false if its value is false or null. The value is considered true only if it is true, not if it is null. If you are migrating from a previous IDM release, you might need to adjust your scripts to take this change into account.

effectiveRoles and effectiveAssignments are now calculated in IDM by default, using the new queryConfig property. The old method of using onRetrieve scripts will still work. The new queryConfig property is also available for use with other virtual properties. Learn more in Effective roles and effective assignments and Virtual properties.

You can now configure Gzip compression for HTTP responses in conf/jetty.xml. In previous IDM releases, compression was configured in conf/servletfilter-gzip.json. This file has been removed.

IDM 7 supports configurable hashing algorithms.

Enforcing temporal constraints on roles is now achieved through Java, rather than through the onSync-roles.js and postOperation-roles.js scripts. These scripts are still provided in openidm/bin/defaults/script/roles for backward compatibility.

To use the new Java-based functionality in existing deployments, change the role object in your managed object schema (conf/managed.json) by adding "isTemporalConstraint" : true to the "temporalConstraints" object. For example:

Learn more in Use temporal constraints to restrict effective roles.

The batch configuration for the JMS common audit handler for access logs has changed to support reconnection if the broker becomes unavailable.

This change adds a batch.writeInterval setting. It removes the following settings:

Learn more in Configure the JMS audit event handler.

The default audit configuration no longer includes the recon audit topic. You can enable it by adding the recon audit topic to the topics list in conf/audit.json for the event handlers you choose.

This change does not affect how auditing reconciliations works, just what the default configuration includes. No action is necessary unless you wish to have auditing on reconciliations enabled on a new installation. Learn more in Query the reconciliation audit log.

As a security precaution, the nativeType for userPassword properties has been changed to JAVA_TYPE_GUARDEDSTRING in all sample provisioner files for the LDAP connector. If you have customized provisioner files, you should change this property. For example, change:

Previous IDM versions included a global consent setting in conf/consent.json. This file included a single configuration property, enabled, which determined whether IDM should check any mappings where consent was enabled and prompt end users for consent.

This global consent setting and the corresponding consent.json file have been removed. If you have an existing consent.json file in your configuration, it will be ignored.

Consent is now assessed only on a per-mapping, per-object basis.

IDM 7 adds support for the latest version of MySQL Connector/J. If you are using MySQL Connector/J version 8.0 or later, make sure your datasource.jdbc-default.json file includes a setting for the time zone in your jdbcUrl property:

Also, note the driverClass changed in MySQL Connector/J version 8.0, from com.mysql.jdbc.Driver to com.mysql.cj.jdbc.Driver. The previous driverClass name will still work for now, but should be updated to avoid it displaying a warning when starting up IDM.

The default security protocols for inbound connections to IDM are TLSv1.2 and TLSv1.3. Learn more in Jetty property reference.

Support for the TLSv1.1 protocol has been removed by default.

The address2 attribute has been removed from the managed object schema (conf/managed.json).

The following ICF and connector changes will have an impact on existing IDM deployments that use those connectors:

We’ve removed jetty.xml configuration in this release of IDM. The updated Jetty 12.0.16 configuration is replaced with a webserver.json file for global settings and a webserver.listener-*.json file to detect changes. Learn more in Embedded Jetty configuration.

Custom servlet filters are not supported in IDM 8.0. The only servletfilter-* configurations you can continue to use are CrossOriginFilter and LargePayloadServletFilter.

The embedded DS repository is no longer included with IDM. Before you can use IDM, you must select and configure a repository.

We’ve removed the Apache Felix web console in this release of IDM.

We’ve removed tamper protection for CSV audit logs in this release of IDM.

We’ve removed the IWA authentication module in this release of IDM. This feature is a function of PingAM.

We’ve removed IDM standalone self-service and all self-service stages in this release. From IDM 7 onwards, this functionality is replaced by AM Authentication Trees.

We’ve removed social authentication in this release of IDM. The feature is a function of AM. Once a user has logged in through AM (using a social provider or some other way), they can obtain an access token with that session and use the access token to interact with IDM through the rsFilter configuration.

Additionally, Microsoft has deprecated the "Sign In with LinkedIn" functionality as of August 1, 2023. Refer to Sign In with LinkedIn.

We’ve removed progressive profile data collection in this release of IDM. This functionality is already supported by PingOne Advanced Identity Cloud and AM in a platform deployment. Learn more in:

We’ve removed the following samples and example configurations in this release.

Running IDM requires Java 17. Learn more in Java requirements.

We’ve removed the following sample notification configuration files from the /path/to/openidm/samples/example-configurations/conf directory:

We’ve removed the Splunk and Elasticsearch audit event handlers in this release.

IDM 7.4 supports file-based audit handlers and logging to standard output, both of which Elasticsearch and Splunk can consume.

The OAUTH_CLIENT authentication module has been removed. Using OAuth2 for authentication through AM is available with the resource server filter (rsFilter).

The cli.sh update command (used in older releases to apply maintenance updates) has been removed in this release. Learn more about upgrading to the latest IDM release in the Upgrade Guide. The ability to place a server in maintenance mode has also been removed.

Native query expressions using the _queryExpression keyword are no longer supported on managed objects. You must rewrite any custom queries that use _queryExpression as regular filtered queries or as parameterized queries. Native query expressions are still supported for system objects.

For scripted Groovy connectors, the reloadScriptOnExecution property has been removed from all sample provisioner files, as the property is not used by the connectors. To learn more about how scripts are loaded, refer to Script compilation and caching.

The following properties have been removed from <filename>resolver/boot.properties</filename>:

You can no longer specify custom aliases for the default keys that IDM generates on startup. Learn more in The IDM keystore.

In previous IDM releases, the protocol property of a connector server configuration specified the communication protocol to the remote connector server. This property existed for legacy purposes and was set to websocket by default. The property has now been removed and connections to the remote connector server always use the websocket protocol.

The "full stack sample" (Integrating IDM With the ForgeRock Identity Platform) has been removed. The only supported method of authentication through AM is by using AM bearer tokens and the rsFilter authentication module. Learn more in the Platform Setup Guide.

The ability to generate obfuscated and encrypted property values by using the crypto bundle has been removed. The secrets service replaces this functionality. Learn more in Secret stores.

When configuring self-service registration, the idmUserDetails stage had previously used the identityResourceUrl property instead of identityServiceUrl. This stage now correctly uses the identityServiceUrl property. identityResourceUrl has been removed.

The ScriptedCREST connector and the corresponding sample have been removed in this release. Migrate any deployments that use this connector to the Scripted REST connector.

Support for the Office 365 connector has been removed in this release. Instead of the Office 365 connector, use the Microsoft Graph API connector.

Support for the Active Directory (AD) .NET Connector has been removed.