PingAM release notes

Changes in AM 7.4.x

AM 7.4.1

WS-Federation com.sun.identity.wsfederation.logout.wreply URL validation

To facilitate logging out of WS-Federation and multiprotocol environments (WS-Federation communicating with SAML 2.0), you must add the URL specified in the com.sun.identity.wsfederation.logout.wreply query parameter to the Valid goto URL Resources field in the validation service. If you don’t add this URL, redirection fails.

Change in behavior for journeys containing a Certificate Collector node

Previously, for journeys containing a Certificate Collector node, AM would throw an exception in the following scenario:

  • You set the node’s Certificate Collection Method property to Either or Header

  • You specified an HTTP header name

  • The certificate was missing from the browser (and from the request if Either was selected)

Now, in this scenario, the journey continues down the Not Collected path.

Change to OAuth 2.0 refresh token introspection response types

Previously, introspecting a stateful refresh token returned some claims as an array containing a single string.

For consistency, the following claims are now returned as strings:

  • realm

  • userName

  • authGrantId

  • clientID
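A client that introspects refresh tokens across an upgrade has to cope with both shapes: a single-element array from earlier releases and a plain string from AM 7.4.1. The following normalizer is an added example, not code from the release notes or from AM itself; the two sample responses are constructed for illustration, not captured from a live instance, and the consumer check assumes a client identifier of your choosing.

```python
import json

# Claims that AM 7.4.1 returns as strings; earlier releases wrapped each one in
# a single-element array when introspecting a stateful refresh token.
STRING_CLAIMS = ("realm", "userName", "authGrantId", "clientID")


def normalize_introspection(payload):
    """Return a copy of an introspection response in which every claim listed in
    STRING_CLAIMS is a plain string, whichever AM release produced the response.

    A claim carrying more than one value is rejected rather than silently
    truncated, because the caller cannot know which value is authoritative.
    """
    result = dict(payload)
    for claim in STRING_CLAIMS:
        value = result.get(claim)
        if value is None:
            continue
        if isinstance(value, list):
            if len(value) != 1:
                raise ValueError(f"claim {claim!r} has {len(value)} values, expected 1")
            value = value[0]
        if not isinstance(value, str):
            raise ValueError(f"claim {claim!r} is {type(value).__name__}, expected str")
        result[claim] = value
    return result


def token_client_matches(payload, expected_client_id):
    """Typical consumer check: the token must be active and must belong to the
    expected client, regardless of which response shape was received."""
    claims = normalize_introspection(payload)
    return bool(claims.get("active")) and claims.get("clientID") == expected_client_id


# Constructed sample responses (not captured from a real AM deployment).
OLD_SHAPE = json.loads(
    '{"active": true, "realm": ["/"], "userName": ["demo"],'
    ' "authGrantId": ["grant-1"], "clientID": ["myClient"]}'
)
NEW_SHAPE = json.loads(
    '{"active": true, "realm": "/", "userName": "demo",'
    ' "authGrantId": "grant-1", "clientID": "myClient"}'
)

if __name__ == "__main__":
    print(normalize_introspection(OLD_SHAPE) == NEW_SHAPE)  # True
    print(token_client_matches(OLD_SHAPE, "myClient"))      # True
```

Run the normalizer once at the boundary where introspection responses enter your code, so that downstream comparisons such as the client-id check never see the array form.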

AM 7.4

Removal of dsameuserpwd from default keystore

The dsameuserpwd alias has been removed from the default keystore. The dsameUser is an internal account that AM uses to connect to the configuration store. AM now generates the password for this account on startup, and you can’t read or change it.

If you upgrade to AM 7.4 using the upgrade wizard and need to roll back the upgrade, you must restore the default keystore, because the upgrade wizard removes the dsameuserpwd alias. If you don’t restore this alias, the rolled-back instance of AM won’t start up.

If you try to use a previous version of ssoadm with AM 7.4, the command fails with the error "Can’t open boot keystore", because it expects the dsameuserpwd alias to be present. To avoid this error, use the ssoadm version that is delivered with AM 7.4.

Preconfigure policy and application data stores

You can now disable policy and application data stores until you are ready to use them. This means that you can preconfigure a data store before the directory server is ready. When you want to use the data store configuration, you can enable it, at which point AM verifies that it can connect to the configured store.

All default policy and application data store configurations are enabled. A new custom external data store configuration is disabled by default. When you upgrade to AM 7.4, existing data store configurations are enabled by default.

The dataStoreEnabled property is mandatory if you’re creating new data stores over REST (using DataStoreService/config?_action=create). It’s also mandatory if you’re updating data stores over REST with a PUT request. For backward compatibility, if you don’t include this property in the JSON payload, the endpoint currently adds it to the configuration by default with a value of true.

In the next AM release, the endpoint version will be incremented and the latest version will require the property to be present.
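Because the current endpoint silently substitutes true when dataStoreEnabled is absent, a client that preconfigures a store before its directory server exists can end up with a store that AM immediately tries to connect to. The helper below is an added example, not code from the release notes or from AM: it sets the flag explicitly (defaulting to disabled, matching the behavior for new external stores), refuses to send a payload that omits it, and builds the create and update requests without sending them. Only DataStoreService/config?_action=create comes from the release notes; AM_BASE_URL, the PUT path, the Accept-API-Version value and the session header name are assumptions to replace with your deployment's values, and the sample configuration is constructed.

```python
import json
import urllib.request

# Placeholders (assumptions, not values from the release notes).
AM_BASE_URL = "https://am.example.com/am"            # your AM base URL
CREATE_PATH = "DataStoreService/config?_action=create"  # from the release notes
UPDATE_PATH = "DataStoreService/config/{store_id}"   # assumed PUT path
API_VERSION = "resource=1.0"                         # pin the endpoint version you tested against
SESSION_HEADER = "iPlanetDirectoryPro"               # assumed SSO token header name


class MissingDataStoreEnabled(ValueError):
    """Raised when a payload omits the now-mandatory dataStoreEnabled flag."""


def prepare_datastore_payload(config, enabled=False):
    """Return a copy of a data store configuration with dataStoreEnabled set
    explicitly. New external stores are disabled by default in AM 7.4, so the
    default here is False: configure now, enable once the directory server is
    up, at which point AM verifies that it can connect."""
    payload = dict(config)
    payload["dataStoreEnabled"] = bool(enabled)
    return payload


def check_explicit_enabled(payload):
    """Reject payloads that would rely on the endpoint's backward-compatible
    default (missing flag -> true), which the next endpoint version drops."""
    if "dataStoreEnabled" not in payload:
        raise MissingDataStoreEnabled("payload must set dataStoreEnabled explicitly")
    if not isinstance(payload["dataStoreEnabled"], bool):
        raise MissingDataStoreEnabled("dataStoreEnabled must be a JSON boolean")
    return payload


def _json_request(url, method, payload, session_token):
    body = json.dumps(check_explicit_enabled(payload)).encode()
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept-API-Version", API_VERSION)
    req.add_header(SESSION_HEADER, session_token)
    return req


def build_create_request(payload, session_token):
    """Build (but do not send) the POST that creates a data store."""
    return _json_request(f"{AM_BASE_URL}/{CREATE_PATH}", "POST", payload, session_token)


def build_update_request(store_id, payload, session_token):
    """Build (but do not send) the PUT that updates an existing data store."""
    url = f"{AM_BASE_URL}/{UPDATE_PATH.format(store_id=store_id)}"
    return _json_request(url, "PUT", payload, session_token)


# Constructed sample configuration; real stores need the connection fields
# required by your AM version.
SAMPLE_CONFIG = {"_id": "policyStorePreprod"}

if __name__ == "__main__":
    disabled = prepare_datastore_payload(SAMPLE_CONFIG)
    req = build_create_request(disabled, "<session-token>")
    print(req.get_method(), req.full_url)
    print(req.data.decode())  # contains "dataStoreEnabled": false
```

When the directory server is ready, call prepare_datastore_payload again with enabled=True and send it with build_update_request; AM then performs the connection check described above at enable time rather than at creation time.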

Change in behavior when an authentication tree is deleted

From this release, when you delete an authentication tree, any nodes referenced by that tree are also deleted, provided they aren’t referenced by another tree.

This change eliminates orphaned nodes in the configuration and lets you delete the scripts referenced by those nodes.

Change in behavior of subjectattributes endpoint

The behavior of queries to the subjectattributes endpoint has changed in this release.

To override the new behavior and revert to the previous behavior, set the org.forgerock.security.entitlement.enforce.realm advanced server property to false, then restart AM for the change to take effect.

For security reasons, you should set this property back to true once you have updated your scripts.

Rotatable secrets for amAdmin password

AM now caches the special secret used to store the password of the amAdmin user. The cache expiry time is 900 seconds (15 minutes) by default. To change it, set the org.forgerock.openam.secrets.special.user.secret.refresh.seconds advanced server property.

For more information, refer to Store the amAdmin password in a secret store.