PingAM release notes

Changes in AM 7.3.x

AM 7.3.2

Change in behavior for journeys containing a Certificate Collector node

Previously, for journeys containing a Certificate Collector node, AM would throw an exception in the following scenario:

  • You set the node’s Certificate Collection Method property to Either or Header

  • You specified an HTTP header name

  • The certificate was missing from the browser (and from the request if Either was selected)

Now, in this scenario, the journey continues down the Not Collected path.

AM 7.3.1

Change to OAuth 2.0 refresh token introspection response types

Previously, introspecting a stateful refresh token returned some claims as an array containing a single string.

For consistency, the following claims are now returned as strings:

  • realm

  • userName

  • authGrantId

  • clientID
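A client that must work across the upgrade can normalize both shapes before using these claims. The following is an added example written for this page, not AM's own code; the sample introspection responses are constructed, and only the four claims listed above are coerced, so array-valued claims such as scope are left untouched.

```python
import json

# Claims that AM 7.3.1 changed from a single-element array to a plain string
# when introspecting a stateful refresh token (the four listed in the release note).
STRING_CLAIMS = ("realm", "userName", "authGrantId", "clientID")


def normalize_introspection(payload: str) -> dict:
    """Parse an introspection response and coerce the affected claims to str.

    Accepts the pre-7.3.1 shape (["/alpha"]) and the 7.3.1+ shape ("/alpha") so the
    same client code runs before and after the upgrade. Anything else for one of
    these claims (a multi-element array, a non-string) is rejected instead of
    being silently reduced to one value.
    """
    data = json.loads(payload)
    for claim in STRING_CLAIMS:
        if claim not in data:
            continue
        value = data[claim]
        if isinstance(value, list):
            if len(value) != 1 or not isinstance(value[0], str):
                raise ValueError(f"claim {claim!r} has unexpected shape: {value!r}")
            data[claim] = value[0]
        elif not isinstance(value, str):
            raise ValueError(f"claim {claim!r} is not a string: {value!r}")
    return data


# Constructed sample responses (not captured from a real AM instance).
OLD_STYLE = ('{"active": true, "scope": ["openid", "profile"], "realm": ["/alpha"], '
             '"userName": ["demo"], "clientID": ["myClient"], "authGrantId": ["abc123"]}')
NEW_STYLE = ('{"active": true, "scope": ["openid", "profile"], "realm": "/alpha", '
             '"userName": "demo", "clientID": "myClient", "authGrantId": "abc123"}')

if __name__ == "__main__":
    print(normalize_introspection(OLD_STYLE) == normalize_introspection(NEW_STYLE))
```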

AM 7.3

Artifact updates

If your custom code uses the following supported Java classes, you must update your build dependencies to include these modules:

Class / interface                             Module
com.sun.identity.idm.IdUtils                  customer-api
com.sun.identity.idm.AMIdentity               identity-api
com.sun.identity.idm.IdEventListener          identity-api
com.sun.identity.idm.IdOperation              identity-api
com.sun.identity.idm.IdRepoException          identity-api
com.sun.identity.idm.IdSearchControl          identity-api
com.sun.identity.idm.IdSearchResults          identity-api
com.sun.identity.idm.IdSearchOpModifier       identity-api
com.sun.identity.idm.IdType                   identity-api
com.sun.identity.idm.AMIdentityRepository     openam-identity
com.sun.identity.idm.IdRepoListener           openam-identity

AMIdentity constructor

The supported constructor, public AMIdentity(SSOToken token, String universalId) throws IdRepoException, no longer throws an IllegalArgumentException if the provided string is not a valid representation of a DN. Instead, these exceptions are now converted to instances of IdRepoException.

Deletion of site data on logout

For security reasons, AM now instructs the browser to clear site data such as locally cached data and cookies when a user successfully logs out. This behavior can be disabled for compatibility purposes. Refer to the Add clear-site-data Header on Logout property in the Core authentication attributes for more information.

Session condition advice behavior

Previously, a Session condition failure resulted in a No configuration found error. This behavior has been changed as follows:

  • If terminateSession is true and policy evaluation is requested, AM sends the session advice to the Java, Web, or Identity Gateway agent when the maxSessionTime elapses and the user is required to reauthenticate.

  • If terminateSession is false and policy evaluation is requested, AM does not send the session advice to the Java, Web, or Identity Gateway agent when the maxSessionTime elapses. Instead of being redirected to the login page, the user receives a 403 Forbidden response for the protected resource.

Password change messages can now be returned in sentence case

Previously, all password change and password reset messages were transformed to upper case; for example, YOU MUST RESET YOUR PASSWORD. The LDAP Decision node now provides an option to disable this transformation, letting messages be returned in the case in which they are configured; for example, You must reset your password.

This option is disabled by default.

Base URL X-Forwarded-* headers

  • Previously, if you set the Base URL source to X-Forwarded-* headers and no X-Forwarded-Proto header was provided, the generated URL would have a protocol of null, for example null://host, which would result in a broken URL.

    From this release, if no X-Forwarded-Proto header is provided, a fallback scheme is used, based on the URI of the request.

  • You can now specify a port in the Base URL, using the X-Forwarded-Port header.

  • If multiple X-Forwarded-Host headers are specified, the outermost proxy host is used.
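The three rules above (scheme fallback to the request URI, optional X-Forwarded-Port, first X-Forwarded-Host when several arrive) can be expressed as a small base URL builder. This is an added illustration of the described behavior, not AM's implementation; it assumes headers are supplied as lower-cased name to list of values in arrival order, and that the outermost proxy's X-Forwarded-Host is the first one received because each hop appends its own.

```python
from typing import Mapping, Sequence
from urllib.parse import urlsplit


def base_url_from_forwarded(headers: Mapping[str, Sequence[str]], request_uri: str) -> str:
    """Derive the externally visible base URL from X-Forwarded-* headers.

    headers: lower-cased header name -> values in the order received (repeated
    headers preserved). request_uri: the URI the container itself saw; its scheme
    is the fallback when X-Forwarded-Proto is absent (instead of "null://host").
    """
    proto = headers.get("x-forwarded-proto")
    scheme = proto[0].strip().lower() if proto else urlsplit(request_uri).scheme
    if scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {scheme!r}")

    # Several X-Forwarded-Host headers: use the first, i.e. the outermost proxy's
    # (assumption: each proxy appends, so the client-facing hop is listed first).
    hosts = headers.get("x-forwarded-host")
    if not hosts:
        raise ValueError("X-Forwarded-Host header missing")
    host = hosts[0].split(",")[0].strip()
    # Reject values that would smuggle a path, userinfo or query into the base URL.
    if not host or any(c in host for c in "/@ ?#\\"):
        raise ValueError(f"invalid forwarded host: {host!r}")

    # Optional X-Forwarded-Port; omitted from the URL when it is the scheme default.
    ports = headers.get("x-forwarded-port")
    if ports:
        port = int(ports[0].strip())
        if not 1 <= port <= 65535:
            raise ValueError(f"invalid forwarded port: {port}")
        if port != (443 if scheme == "https" else 80):
            host = f"{host}:{port}"
    return f"{scheme}://{host}"


if __name__ == "__main__":
    # Constructed request: TLS terminated at an edge proxy, AM itself on plain HTTP.
    sample = {"x-forwarded-host": ["am.example.com"], "x-forwarded-proto": ["https"],
              "x-forwarded-port": ["8443"]}
    print(base_url_from_forwarded(sample, "http://10.0.0.5:8080/am/json/serverinfo/*"))
```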

org.forgerock.openam.services.email.MailServer interface

The supported interface, org.forgerock.openam.services.email.MailServer, has moved from the openam-core module to mail-api.

You need to update the dependencies to recompile your implementation of this interface.

Removal of CTS worker thread pool

To simplify AM behavior, CTS operations are now performed as part of the HTTP worker thread created by the HTTP container. This refactoring introduces the following changes:

  • The org.forgerock.services.cts.async.queue.size and org.forgerock.services.cts.async.queue.timeout advanced configuration properties are no longer used.

  • The following monitoring metrics have been replaced:

    • Old: cts.task.queue and cts.task.queue.size

    • New: cts.connection.state.out and cts.connection.state.pending

      For details, refer to CTS metrics.

  • The primary way to tune the CTS connection pool is to use the org.forgerock.services.cts.store.max.connections property. The default value has been increased from 10 to 100. Existing deployments will be upgraded to whichever is greater: 100 or the original value.

  • In previous AM releases, calls to the /json/health/ready endpoint returned an HTTP 200 OK response if the CTS queue was below the configured threshold, even if the CTS data store was unavailable.

    The CTS queue has been removed in AM 7.3 as part of optimizing connections to the CTS store. If the CTS data store is unavailable, calls to the /json/health/ready endpoint now return an HTTP 503 Service Unavailable error.