PingAM release notes

Release notes

These release notes cover multiple versions of AM software, starting with version 7. They are designed to make it easier to upgrade, especially when you are skipping releases.

Some older AM versions have reached the End of Life (EOL). You can find details in the Ping Identity Product Support Lifecycle Policy. Release notes for EOL versions are available in the documentation sets for those versions. If you are still running an EOL version, upgrade as soon as possible to an actively maintained version.

PingAM software manages access to resources, such as web pages, applications, or web services, that are available over a network. AM centralizes access control by handling both authentication and authorization. Authentication is the process of identifying an individual, for example, by confirming a successful login. Authorization is the process of granting access to resources to authenticated individuals.

Name changes for ForgeRock products

Product names changed when ForgeRock became part of Ping Identity.

The following name changes have been in effect since early 2024:

Old name                       New name
ForgeRock Identity Cloud       PingOne Advanced Identity Cloud
ForgeRock Access Management    PingAM
ForgeRock Directory Services   PingDS
ForgeRock Identity Management  PingIDM
ForgeRock Identity Gateway     PingGateway

Learn more about the name changes in New names for ForgeRock products in the Knowledge Base.

Requirements

Files to download

PingAM software is available at https://backstage.forgerock.com.

The following table describes the files available for download.

PingAM software
File                                  Description
AM-7.5.1.zip                          Cross-platform distribution including all software components. For a list of the files in the .zip archive, see Download AM.
AM-7.5.1.war                          Deployable web application archive file.
AM-SSOAdminTools-5.1.3.28.zip         The .zip file that contains tools to manage AM from the command line.
AM-SSOConfiguratorTools-5.1.3.28.zip  The .zip file that contains tools to configure AM from the command line.

Files for previous versions
File                       AM 7.0                             AM 7.1                             AM 7.2                             AM 7.3                             AM 7.4
AM ZIP                     AM-7.0.2.zip                       AM-7.1.4.zip                       AM-7.2.2.zip                       AM-7.3.2.zip                       AM-7.4.1.zip
AM WAR                     AM-7.0.2.war                       AM-7.1.4.war                       AM-7.2.2.war                       AM-7.3.2.war                       AM-7.4.1.war
AM SSO Admin Tools         SSOAdminTools-5.1.3.11.zip         SSOAdminTools-5.1.3.19.zip         SSOAdminTools-5.1.3.27.zip         SSOAdminTools-5.1.3.28.zip         SSOAdminTools-5.1.3.27.zip
AM SSO Configurator Tools  SSOConfiguratorTools-5.1.3.11.zip  SSOConfiguratorTools-5.1.3.19.zip  SSOConfiguratorTools-5.1.3.27.zip  SSOConfiguratorTools-5.1.3.28.zip  SSOConfiguratorTools-5.1.3.27.zip

Operating systems

PingAM software is supported on the following operating systems:

Operating system AM 7.0 AM 7.1 AM 7.2 AM 7.3 AM 7.4 AM 7.5

Amazon Linux

2018.03

2018.03, 2023

Debian Linux

Not supported

11

Red Hat Enterprise Linux

8, 9

Rocky Linux

8, 9

SuSE

12, 15

15

Ubuntu

16.04 LTS, 18.04 LTS

18.04 LTS, 20.04 LTS

18.04 LTS, 20.04 LTS, 22.04 LTS, 24.04 LTS

Windows Server

2016, 2019, 2022

Web and Java agents

The following table summarizes the minimum recommended version of web and Java agents:

Minimum agent version recommended
Agent        Version
Web agents   5.10.2
Java agents  5.10.2

AM supports several versions of web agents and Java agents. You can find information about supported container versions and other platform requirements related to agents in the Web Agents Release Notes and the Java Agents Release Notes.

Java

PingAM software is supported on the following Java environments:

Vendor AM 7.0 AM 7.1 AM 7.2 AM 7.3 AM 7.4 AM 7.5

OpenJDK(1)

11

11, 17

17

Oracle Java

11

11, 17

17

(1) AM supports OpenJDK-based distributions, including:

  • AdoptOpenJDK/Eclipse Temurin Java Development Kit (Adoptium)

  • Amazon Corretto

  • Azul Zulu

  • Red Hat OpenJDK

Ping Identity tests most extensively with AdoptOpenJDK/Eclipse Temurin. Use the HotSpot JVM, if possible.

Always use a JVM with the latest security fixes.

Application containers

This table summarizes supported web application containers and their required versions:

Container AM 7.0 AM 7.1 AM 7.2 AM 7.3 AM 7.4 AM 7.5

Apache Tomcat

8.5, 9

IBM WebSphere Liberty

20.0.0.1

22.0.0.4

JBoss Enterprise Application Platform

7.2

7.3

7.4

Wildfly

12, 19

15, 19

15, 26

26

The web application container must be able to write to its own home directory, where AM stores configuration files.

Java Agents and Web Agents require the WebSocket protocol to communicate with AM.

Ensure that the container where AM runs, the web server/container where the agents run, and your network infrastructure all support the WebSocket protocol.

Refer to your network infrastructure and web server/container documentation for more information about WebSocket support.

Directory servers

This table lists supported directory servers.

As described in identity stores, you can configure AM to use LDAPv3-compliant directory servers as user data stores. If you have a special request to deploy AM with a user data store not mentioned in the following table, contact info@forgerock.com.

Supported directory servers
Directory server AM 7.0 AM 7.1 AM 7.2 AM 7.3 AM 7.4 AM 7.5

Embedded DS(1)(2)

7.0

7.1.5

7.2

7.3

7.4

7.5

External DS(2)

Any Ping Identity-supported version

6 and later

File system-based

N/A

Oracle Unified Directory

11g R2

Oracle Directory Server Enterprise Edition

11g

Microsoft Active Directory

2016, 2019

IBM Tivoli Directory Server

6.4

(1) Demo and test environments only. (2) PingDS, formerly named ForgeRock Directory Server.

Supported features
Directory server Configuration Apps / policies CTS Identities UMA

Embedded PingDS(1)

External PingDS

File system-based

Oracle Unified Directory

Oracle Directory Server Enterprise Edition

Microsoft Active Directory

IBM Tivoli Directory Server

(1) Demo and test environments only.

Third-party software

Ping Identity supports using the following third-party software when logging Common Audit events:

Third-party logging software
Software AM 7.0 AM 7.1 AM 7.2 AM 7.3 AM 7.4 AM 7.5

Java Message Service (JMS)

2.0 API

MySQL JDBC Driver Connector/J

8 (at least 8.0.19)

Splunk

8.0 (at least 8.0.2)

Elasticsearch and Splunk have native or third-party tools to collect, transform, and route logs. Examples include Logstash and Fluentd.

Consider using these alternatives as they have advanced, specialized features focused on getting log data into the target system. They decouple the solution from the Ping Identity Platform systems and version, and provide inherent persistence and reliability. You can configure the tools to avoid losing audit messages if a Ping Identity Platform service goes offline, or delivery issues occur.

These tools can work with Common Audit logging:

  • Configure the server to log messages to standard output, and route from there.

  • Configure the server to log to files, and use log collection and routing for the log files.

Ping Identity supports using the following third-party software when monitoring AM servers:

Third-party monitoring software
Software AM 7.0 AM 7.1 AM 7.2 AM 7.3 AM 7.4 AM 7.5

Grafana

5 (at least 5.0.2)

Graphite

1

Prometheus

2.0

For hardware security module (HSM) support, AM requires a client library that conforms to the PKCS#11 standard v2.20 or later.

Supported clients

The following table summarizes supported clients:

Supported clients
Client Platform Native Apps(1) Chrome(2) Edge(2) Firefox(2) Safari(2) Mobile Safari

Windows 8

Windows 10

Mac OS X 10.11 or later

Ubuntu 14.04 LTS or later

iOS 9 or later

Android 6 or later

(1) Native Apps is a placeholder to indicate the platform is not limited to browser-based technologies. An example of a native app would be something written to use common REST APIs.

(2) Latest stable versions are supported.

Special requests

If you have a special request regarding support for a combination not listed here, contact support.

What’s new

AM 7.5.1

AM 7.5.1 is a minor release that introduces new features, functional enhancements, and fixes.

New utility script binding

Use the utils binding to base64 encode/decode strings and generate random values and UUIDs in your next-generation scripts.

Learn more in Script bindings.

Backchannel logout token contains exp claim

The logout token generated during backchannel logout now contains an exp claim. Learn more in Backchannel logout.

System property for social provider sub claim uniqueness

A new system property (org.forgerock.openam.oidc.SocialProvider.sub.claim.is.not.unique) indicates that the OIDC social provider doesn’t return a unique value for the sub claim.

This is false by default.

New ssoadm commands update attributes in a realm service

A fix to the deprecated ssoadm tool adds the following new commands:

  • add-realm-default-attributes

  • set-realm-default-attributes

  • remove-realm-default-attributes

  • get-realm-default-attributes

These commands work on realm defaults from AM 7 onwards.

AM 7.5

AM 7.5 is a minor release that introduces new features, functional enhancements, and fixes.

Support for storing secrets in secret stores

The following features now support storing their secrets in a secret store instead of in the configuration. For greater security, move these secrets to a secret store when convenient.

Services
Authentication nodes
Agents
Authentication
  • Authentication signing secret

  • AM password encryption key

  • HTTP outbound request authentication password (advanced server setting)

  • Password capture and replay

  • Client-side sessions:

    • The HMAC signing key

    • The am.global.services.session.clientbased.signing mapping is deprecated and replaced by algorithm-specific mappings

    • The am.global.services.session.clientbased.encryption mapping is deprecated and replaced by am.global.services.session.clientbased.encryption.RSA and am.global.services.session.clientbased.encryption.AES

SAML v2.0
  • Remote SP and IDP basic authentication for SOAP-based binding

  • SP authentication with mTLS for artifact resolve requests

OAuth 2.0
  • OAuth 2.0 client authentication secrets

  • OAuth 2.0 client mTLS self-signed certificate

  • OAuth 2.0 client ID token public encryption key

  • OAuth 2.0 client JWT bearer public key

  • OAuth 2.0 provider salting of hashes

In addition, you can now rotate secrets in file system secret volumes.

Learn more in Map and rotate secrets.

Support for mTLS connections

The following services now support certificate-based connections to the backend LDAP store using mTLS:

Configurable affinity for connections to the DS identity repository

The DS identity repository configuration now includes an Affinity Level setting that lets you specify the operations for which AM should use affinity-based load balancing.

In previous AM releases, you configured affinity only with the Affinity Enabled property, so it was either on or off. With Affinity Enabled set to true, ALL operations to the DS repository used affinity. With Affinity Enabled set to false, the equivalent affinity level was NONE (no operations used affinity).

The new setting introduces the BIND level as a middle ground. When you set the affinity level to BIND, only user authentication requests use affinity. This setting provides a small but significant performance improvement in deployments with multiple replicated DS identity stores.

In addition, the LDAP Decision node has been updated with a new property, affinityLevel (NONE, BIND, and ALL). This property is separate from the identity repository configuration setting.

The Data Store Decision node uses the identity repository configuration. As such, affinity settings configured for the identity repository will impact connections to the DS server made by this node.

Request Header node

The new Request Header node lets customers inject values into shared state based on request header values. You can use the node to get information about a journey or the user from an external system or even customize the branding of a journey.

Learn more in Request Header node.

Scalable OAuth 2.0 clients

The scalable OAuth 2.0 clients feature lets you create and manage large numbers of OAuth 2.0 clients without impacting system performance. Once you have enabled the feature, create clients as usual through dynamic registration or in the AM admin UI, and then use the AM administration OAuth 2.0 client REST endpoint to search for clients and filter and page query results.

SAML v2.0 NameID mapping configurable on the service provider (SP)

You can now configure NameID mapping on a remote SP. The SP configuration overrides the NameID Value Map on the IDP, letting you define different name requirements for each SP.

Learn more about NameID value mapping in the Remote service provider configuration properties.

Use a tree hook to run actions on journey failure

Override the new acceptFailure method to run actions on journey failure.

Learn more about the TreeHook interface in the Public API Javadoc.

Storing identified identities in the authentication session

The following new methods let you record users and agents verified to exist in an identity store:

org.forgerock.openam.auth.node.api.Action
  • public ActionBuilder withIdentifiedIdentity(AMIdentity id)

  • public ActionBuilder withIdentifiedIdentity(String username, IdType id)

org.forgerock.openam.auth.nodes.script.ActionWrapper
  • public ActionWrapper withIdentifiedAgent(String agentName)

  • public ActionWrapper withIdentifiedUser(String username)

A new advanced server property, org.forgerock.am.auth.trees.authenticate.identified.identity determines whether AM uses these stored identified identities when deciding which user to log in.

This lets custom nodes and decision node scripts correctly resolve identities that have the same username. For more information, refer to advanced server properties.

Identity Assertion node and Identity Assertion service

The new Identity Assertion node and its supporting service let AM use PingGateway to manage authentication through a third party such as Windows Desktop SSO or Kerberos.

PingOne Protect nodes and PingOne Worker service

The new PingOne Protect nodes and supporting PingOne Worker service let you integrate with PingOne Protect. Leverage risk predictors and route your journeys based on calculated risk scores.

You can add these nodes to your authentication, registration, and self-service journeys to combat account takeover, new account fraud, and MFA fatigue.

Learn more:

Nodes in a Page node log individual audit events

Nodes contained in a Page node now log individual AM-NODE-LOGIN-COMPLETED audit events.

Learn more about audit logging in Audit log events.

AM 7.4.1

AM 7.4.1 is a minor release that introduces new features, functional enhancements, and fixes.

Storing identified identities in the authentication session

The following new methods let you record users and agents verified to exist in an identity store:

org.forgerock.openam.auth.node.api.Action
  • public ActionBuilder withIdentifiedIdentity(AMIdentity id)

  • public ActionBuilder withIdentifiedIdentity(String username, IdType id)

org.forgerock.openam.auth.nodes.script.ActionWrapper
  • public ActionWrapper withIdentifiedAgent(String agentName)

  • public ActionWrapper withIdentifiedUser(String username)

A new advanced server property, org.forgerock.am.auth.trees.authenticate.identified.identity determines whether AM uses these stored identified identities when deciding which user to log in.

This lets custom nodes and decision node scripts correctly resolve identities that have the same username.

AM 7.4

AM 7.4 is a minor release that introduces new features, functional enhancements, and fixes.

Bind and verify user devices

The ForgeRock SDKs for Android and iOS can cryptographically bind a mobile device to a user account.

Registered devices generate a key pair and a key ID. The SDK sends the public key and key ID to your AM server for storage in the user’s profile.

The SDK stores the private key on the device in the Android KeyStore or the iOS Secure Enclave. Access to the private keys is protected by biometric security or a PIN.

A user can bind multiple devices to their account, and each device can bind to multiple users.

After binding a device, your authentication journeys can verify ownership of the bound device by requesting that it sign a challenge with its private key, and then verifying the signature against the public key stored in the user's profile.

Support for JSON output from /oauth2/device/user endpoint

REST calls to the /oauth2/device/user endpoint return an HTML response by default.

This release adds support for an Accept: application/json header that returns the response in JSON format.

For details, refer to the Device authorization grant.

Setting to disable the subname claim

AM adds the subname claim to access and ID tokens by default. You can now change this behavior by disabling the OAuth2 Provider service property, Include subname claim in tokens issued by the OAuth2 Provider.

The value of the subname claim matches the value of the sub claim used in versions of AM earlier than 7.1. It also matches the value of the sub claim if you disable the org.forgerock.security.oauth2.enforce.sub.claim.uniqueness property.

Setting to permit client credentials in token endpoint query parameters

The OAuth 2.0 Provider service includes a new advanced property, Allow Client Credentials in Token Endpoint Query Parameters, that lets you include client credentials as query parameters in OAuth 2.0 token endpoint requests.

In previous AM versions, you could supply client credentials (the client_id and client_secret) as query parameters in POST requests to the /oauth2/access_token endpoint. From AM 7.4 onwards, this is prohibited by default and you must include the credentials within the POST request body.

The new Allow Client Credentials in Token Endpoint Query Parameters setting controls this behavior and is false by default in new deployments. For security reasons, keep this property disabled to prevent client credentials from being included as query parameters.

When you upgrade an existing deployment to AM 7.4, this property is initially set to true for legacy support. After upgrading, you should update your scripts and clients to support the new behavior then set the property to false.

Restriction of access to inner trees

The new innerTreeOnly property of an authentication tree lets you specify that the tree is only an inner tree and can’t be accessed directly.

New nodeState.getObject method

The new nodeState.getObject(String key) method lets scripted decision nodes retrieve variables stored in both shared and secure state.

For details, refer to Access shared state data.

X-ForgeRock-TransactionID available in HTTP client script binding

The httpClient script binding now automatically adds the current transaction ID as an HTTP header. This lets you correlate caller and receiver logs when you use httpClient from a script, such as a decision node script, to make requests to other proprietary products and services.

For details, refer to Access HTTP services.

Customize account lockout message

Use the new ActionBuilder.withLockoutMessage(String lockoutMessage) method in a Scripted Decision node to customize the message displayed to an end user when their account is locked or inactive.

For details, refer to Set script outcome.

Scripting enhancements

AM 7.4 introduces the Next Generation scripting engine, which offers the following benefits:

Stability
  • A stable set of enhanced bindings, available to decision node scripts, that reduces the need to allowlist Java classes to access common functionality.

Ease of use
  • Simplify your scripts with fewer imports and more intuitive return types that require less code.

  • Debug efficiently with clear log messages and a simple logging interface based on SLF4J.

  • Make requests to other APIs from within scripts more easily with a more intuitive HTTP client.

Reduced complexity
  • Simplify and modularize your scripts with library scripts by reusing common code snippets as CommonJS modules.

    Reference library scripts from a decision node script.

  • Access identity management information seamlessly through the openidm binding.

For more information, refer to:

Scripting logger name change

Scripts that log debug messages create loggers that now include the name of the script.

The name of a scripting logger uses the format scripts.<context>.<script UUID>.(<script name>); for example, scripts.OIDC_CLAIMS.36863ffb-40ec-48b9-94b1-9a99f71cc3b5.(OIDC Claims Script).

Refer to Debug logging.

Access request header values from OAuth 2.0 scripts

You can now access the requestHeaders binding in the following OAuth 2.0 scripts:

For details, refer to the available objects for each script type.

File-based configuration migration utility

In a future release, AM will read its configuration only from JSON files, not directory servers. Using LDAP data stores for configuration will be deprecated and file-based configuration (FBC) will be the only supported configuration storage mechanism. Dynamic data will continue to be stored in LDAP directories.

To prepare to migrate your configuration from LDAP directories to JSON files, AM 7.4 provides a technology preview of a configuration migration utility based on the existing amupgrade command. The purpose of this technology preview is to let you test migrating custom configuration to FBC.

For details, refer to Migrate to a file-based configuration.

The interface stability for the file-based configuration (FBC) migration utility is Technology Preview. Technology previews offer access to new technology that is not yet supported. Technology preview features may be functionally incomplete and subject to change without notice. For details, refer to Interface stability.

The purpose of this technology preview is to allow you to test the migration of your configuration data. The technology preview should function correctly but may highlight areas that need improvement before the supported release of this feature.

AM configuration stored in DS remains supported as documented for AM 7.4. In a future AM release, LDAP configuration stores will be deprecated in favor of FBC.

Support for mTLS authentication

AM now supports mTLS authentication to the following external data stores:

mTLS uses certificates to authenticate and is more secure than username/password authentication. For more security, you should rotate certificates periodically.

Due to a known issue in OpenJDK, you can’t configure mTLS authentication to data stores if you’re using Java version 11.0.2. If you’re using this Java version and attempt to authenticate with mTLS, the connection fails and the DS server generates the following error in the ldap-access.audit.json log:

"failureReason":"The SASL EXTERNAL bind request could not be processed because the client did not present a certificate chain during SSL/TLS negotiation"

AM then enters an invalid state.

To work around this issue, upgrade to Java 11.0.3 or higher, or authenticate using simple authentication.

Query Parameter node

The Query Parameter node lets you insert query parameter values from a journey URL into configurable node state properties. This lets you customize journeys based on the query parameter values.

Support for HTML in Email Suspend node

The Email Suspend Message property of the Email Suspend node now supports HTML code in addition to plain text.

This lets you add HTML components, including links and graphics, to the message displayed to end users.

AM 7.3.2

AM 7.3.2 is a minor release that introduces new features, functional enhancements, and fixes.

Backchannel logout token contains exp claim

The logout token generated during backchannel logout now contains an exp claim.

Learn more in Backchannel logout.

System property for social provider sub claim uniqueness

A new system property (org.forgerock.openam.oidc.SocialProvider.sub.claim.is.not.unique) indicates that the OIDC social provider doesn’t return a unique value for the sub claim.

This is false by default.

New ssoadm commands update attributes in a realm service

A fix to the deprecated ssoadm tool adds the following new commands:

  • add-realm-default-attributes

  • set-realm-default-attributes

  • remove-realm-default-attributes

  • get-realm-default-attributes

These commands work on realm defaults from AM 7 onwards.

AM 7.3.1

AM 7.3.1 is a minor release that introduces new features, functional enhancements, and fixes.

Storing identified identities in the authentication session

The following new methods let you record users and agents verified to exist in an identity store:

org.forgerock.openam.auth.node.api.Action
  • public ActionBuilder withIdentifiedIdentity(AMIdentity id)

  • public ActionBuilder withIdentifiedIdentity(String username, IdType id)

org.forgerock.openam.auth.nodes.script.ActionWrapper
  • public ActionWrapper withIdentifiedAgent(String agentName)

  • public ActionWrapper withIdentifiedUser(String username)

A new advanced server property, org.forgerock.am.auth.trees.authenticate.identified.identity determines whether AM uses these stored identified identities when deciding which user to log in.

This lets custom nodes and decision node scripts correctly resolve identities that have the same username.

For more information, refer to advanced server properties.

Scripting logger name change

Scripts that log debug messages create loggers that now include the name of the script.

The name of a scripting logger uses the format scripts.<context>.<script UUID>.(<script name>); for example, scripts.OIDC_CLAIMS.36863ffb-40ec-48b9-94b1-9a99f71cc3b5.(OIDC Claims Script).

Refer to Debug logging.

Customize account lockout message

Use the new ActionBuilder.withLockoutMessage(String lockoutMessage) method in a Scripted Decision node to customize the message displayed to an end user when their account is locked or inactive.

For details, refer to Scripted decision node API.

Setting to permit client credentials in token endpoint query parameters

The OAuth 2.0 Provider service includes a new advanced property, Allow Client Credentials in Token Endpoint Query Parameters, that lets you include client credentials as query parameters in OAuth 2.0 token endpoint requests.

In previous AM versions, you could supply client credentials (the client_id and client_secret) as query parameters in POST requests to the /oauth2/access_token endpoint. This is now prohibited by default and you must include the credentials within the POST request body.

The new Allow Client Credentials in Token Endpoint Query Parameters setting controls this behavior and is false by default in new deployments. For security reasons, keep this property disabled to prevent client credentials from being included as query parameters.

When you upgrade an existing deployment to AM 7.3.1, this property is initially set to true for legacy support. After upgrading, you should update your scripts and clients to support the new behavior then set the property to false.

AM 7.3

AM 7.3 is a minor release that introduces new features, functional enhancements, and fixes.

An issue was discovered in the 7.3.0 release of DS that has the potential to corrupt static groups. To ensure data integrity, we highly recommend upgrading to DS 7.3.1. This issue affects the stability and reliability of static groups only. Continuing to use DS 7.3.0 may lead to data corruption and other unintended consequences.

The necessary fixes were made in DS 7.3.1; however if you deployed AM with DS 7.3.0, and you use static groups, you must contact Support for assistance with resolving the data corruption.

Combined MFA Registration node

The Combined MFA Registration node lets an authenticated user register a device, such as a mobile phone, for multi-factor authentication with a push notification and an OATH one-time password in a single step.

For details, refer to Combined MFA Registration node.

OIDC ID Token Validator node

The OIDC ID Token Validator node provides similar functionality to the OpenID Connect id_token bearer module. It evaluates whether the ID token is valid according to the OIDC specification, letting AM rely on an OpenID provider's (OP's) ID token to authenticate an end user.

For details, refer to OIDC ID Token Validator.

OATH Device Storage node

The OATH Device Storage node stores devices in the user profile after an OATH Registration node records them in the shared state.

For details, refer to OATH Device Storage node.

Support for EdDSA for WebAuthn

The WebAuthn Registration node now supports EdDSA as a signing algorithm. Devices that provide EdDSA-signed attestation data in packed format during registration (specifically EdDSA with the Ed25519 curve, as required by the WebAuthn specification) are now supported.

Scripted support for SAML v2.0 SP adapter

You can now customize the SP adapter with a script. Create a script of type SAML2_SP_ADAPTER and configure the hosted SP entity to use the custom script.

For details, refer to SP adapter.

Addition of prompt_values_supported to the OIDC exposed configuration

The OpenID Connect well-known/openid-configuration endpoint has been enhanced to expose the prompt_values_supported parameter of the provider configuration.

Support for multi-tenant social identity providers

Social identity provider configuration now lets you specify a regular expression to evaluate the issuer claim in ID tokens.

For details, refer to the Issuer comparison check setting.

For details, refer to Advanced properties.

Ability to invalidate sessions by username

The new logoutByUser action on the json/sessions endpoint lets you log out all sessions for a specified user. This action is available for server-side and client-side sessions but is disabled for client-side sessions by default. For more information, refer to Invalidate all sessions for a user.

This action introduces a new audit notification topic /agent/session.v2. Subscribers to this topic receive the same notifications available from the /agent/session topic with an additional notification message for a LOGOUT_USER event. The LOGOUT_USER event notification has a different syntax. Instead of a sessionuuid, it contains the user’s universalId. For example:

{
  "topic": "/agent/session.v2",
  "timestamp": "2022-11-14T09:56:56.814Z",
  "body": {
    "universalId": "id=demo,ou=user,dc=openam,dc=forgerock,dc=org",
    "eventType": "LOGOUT_USER"
  }
}

Consumers cannot rely on new events having identical syntax and should check the eventType before deciding how to process the event.
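The following is an added example, not code from the AM release notes or the product: a subscriber-side dispatcher for the /agent/session.v2 topic that checks eventType before reading the body, so a LOGOUT_USER event (universalId) and the older per-session events (sessionuuid) are never confused. The LOGOUT_USER message mirrors the one above; the per-session sample's sessionuuid and eventType value are constructed placeholders.

```javascript
// Added example (not AM's own code). Dispatches /agent/session.v2 notifications
// on eventType, as the release notes advise, instead of assuming every event
// carries a sessionuuid.

const SESSION_TOPIC_V2 = "/agent/session.v2";

// Classifies one notification and returns the action a consumer should take.
// Returning a plain record (rather than acting directly) keeps the decision
// testable; a real subscriber would evict its session cache in the two
// "evict-*" branches.
function handleSessionNotification(notification) {
  if (!notification || notification.topic !== SESSION_TOPIC_V2) {
    return { action: "ignore", reason: "not a /agent/session.v2 notification" };
  }
  const body = notification.body || {};

  // New with logoutByUser: one event invalidates every session of a user.
  // It identifies the user by universalId, not by a session identifier.
  if (body.eventType === "LOGOUT_USER") {
    if (typeof body.universalId !== "string" || body.universalId === "") {
      return { action: "reject", reason: "LOGOUT_USER without universalId" };
    }
    return { action: "evict-user", universalId: body.universalId };
  }

  // The per-session events of the original /agent/session topic are also
  // delivered on v2 and identify a single session by sessionuuid. Their
  // individual eventType values are not enumerated here.
  if (typeof body.sessionuuid === "string" && body.sessionuuid !== "") {
    return { action: "evict-session", sessionuuid: body.sessionuuid, eventType: body.eventType };
  }

  // Any other shape is something this consumer does not understand: do not guess.
  return { action: "reject", reason: `unhandled event shape (eventType=${body.eventType})` };
}

// Constructed sample notifications. The first mirrors the LOGOUT_USER message
// in the release notes; the second uses a placeholder sessionuuid and
// eventType; the third is deliberately malformed (LOGOUT_USER with no universalId).
const SAMPLE_NOTIFICATIONS = [
  {
    topic: "/agent/session.v2",
    timestamp: "2022-11-14T09:56:56.814Z",
    body: {
      universalId: "id=demo,ou=user,dc=openam,dc=forgerock,dc=org",
      eventType: "LOGOUT_USER",
    },
  },
  {
    topic: "/agent/session.v2",
    timestamp: "2022-11-14T09:57:10.000Z",
    body: { sessionuuid: "constructed-session-uuid-0001", eventType: "PLACEHOLDER_SESSION_EVENT" },
  },
  {
    topic: "/agent/session.v2",
    timestamp: "2022-11-14T09:57:11.000Z",
    body: { eventType: "LOGOUT_USER" },
  },
];

// Processes a batch and returns one action record per notification.
function processAll(notifications) {
  return notifications.map(handleSessionNotification);
}

console.log(JSON.stringify(processAll(SAMPLE_NOTIFICATIONS), null, 2));
```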

Scripted JWT issuer

For the JWT profile for OAuth 2.0 authorization grant, AM now lets you provide dynamic trusted JWT issuers via a script as an alternative to static configuration.

For details, refer to Configure a scripted JWT issuer.

OAuth 2.0 authentication supported for email service

Microsoft are deprecating SMTP Basic authentication. AM 7.3 introduces the option in the email service to select REST-based OAuth 2.0 authentication using Microsoft Graph API, in addition to supporting the legacy SMTP authentication.

For details, refer to Configure the email service.

Cross-upgrade session reference property

To track the session through upgrade, enable the cross-upgrade session reference property, which retains its value throughout the session lifecycle.

This unique and constant session reference is recorded in the audit logs for session creation and upgrade events.

Refer to the Enable Cross Upgrade Session Reference property for details.

Ability to specify location of REST STS instance

AM 7.3 includes a new option in the REST STS configuration that lets you specify whether the STS instance is running on the AM host or as a separate, remote Java process.

Refer to the STS Instance is running as remote instance property for details.

AM 7.2.2

AM 7.2.2 is a minor release that introduces new features, functional enhancements, and fixes.

Setting to permit client credentials in token endpoint query parameters

The OAuth 2.0 Provider service includes a new advanced property, Allow Client Credentials in Token Endpoint Query Parameters, that lets you include client credentials as query parameters in OAuth 2.0 token endpoint requests.

In previous AM versions, you could supply client credentials (the client_id and client_secret) as query parameters in POST requests to the /oauth2/access_token endpoint. This is now prohibited by default and you must include the credentials within the POST request body.

The new Allow Client Credentials in Token Endpoint Query Parameters setting controls this behavior and is false by default in new deployments. For security reasons, keep this property disabled to prevent client credentials from being included as query parameters.

When you upgrade an existing deployment to AM 7.2.2, this property is initially set to true for legacy support. After upgrading, you should update your scripts and clients to support the new behavior then set the property to false.
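The following Python is an added example, not code from the release notes or from AM. It builds a token request that keeps the client secret out of the query string (in the POST body, or in an HTTP Basic Authorization header, which AM also accepts), and it scans constructed access-log lines for requests that still pass client_id or client_secret as query parameters, which is the inventory you need before setting the property back to false after an upgrade. The endpoint URL and the log lines are made up.

```python
import base64
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Hypothetical deployment URL, used only for the example.
TOKEN_ENDPOINT = "https://openam.example.com:8443/openam/oauth2/realms/root/access_token"


def build_token_request(client_id, client_secret, code, redirect_uri, use_basic_auth=True):
    """Return (url, headers, body) for an authorization_code exchange.

    The client secret goes either in an HTTP Basic Authorization header or in the
    form-encoded POST body, never in the query string, so the request works with
    Allow Client Credentials in Token Endpoint Query Parameters left at false.
    """
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if use_basic_auth:
        # RFC 6749 section 2.3.1: form-urlencode id and secret before base64-encoding them.
        raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(raw.encode()).decode()
    else:
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    return TOKEN_ENDPOINT, headers, urlencode(form)


CREDENTIAL_PARAMS = ("client_id", "client_secret")


def query_credentials(url_or_path):
    """Names of client credential parameters present in the query string."""
    query = parse_qs(urlsplit(url_or_path).query, keep_blank_values=True)
    return [p for p in CREDENTIAL_PARAMS if p in query]


# Constructed access-log lines in the common "METHOD PATH PROTOCOL" shape.
SAMPLE_LOG = [
    "POST /openam/oauth2/realms/root/access_token?client_id=myapp&client_secret=s3cret HTTP/1.1",
    "POST /openam/oauth2/realms/root/access_token HTTP/1.1",
    "GET /openam/json/serverinfo/* HTTP/1.1",
]


def offending_requests(log_lines):
    """Find requests that still pass client credentials as query parameters.

    Run this over container access logs before flipping the property back to
    false after an upgrade; these are the clients and scripts that must change.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        found = query_credentials(parts[1])
        if found:
            hits.append((parts[1].split("?", 1)[0], found))
    return hits
```

The log scan is also the reason the default changed: query strings end up in container access logs, proxy logs and browser history, whereas a POST body or Authorization header normally does not.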

AM 7.2.1

AM 7.2.1 is a minor release that introduces new features, functional enhancements, and fixes.

Keep-alive and load balancer availability checks

DS has introduced a new LDAP health check feature that changes how AM determines server availability. Keep-alive checks are now sent for every LDAP connection to prevent idle timeouts and separate availability checks are performed for load balanced connections.

Two new advanced server properties determine the settings for the keep-alive and availability checks:

  • org.forgerock.openam.ldap.keepalive.search.base

  • org.forgerock.openam.ldap.keepalive.search.filter

For details, refer to Advanced properties.

AM 7.2

AM 7.2 is a minor release that introduces new features, functional enhancements, and fixes.

JWKs URI for remote consent agents

To make it easier to publish keys used for remote consent, AM 7.2 provides a new JWKs URI, specifically for remote consent agents. This URI indicates where a remote consent service can obtain the keys that AM uses to sign and encrypt the consent request. These keys include:

  • The public signing key, used to sign the consent request that is sent to the remote consent server, so that it can be validated on the remote consent server.

  • The public encryption key for the consent response, so that the response can be encrypted (if encryption is enabled).

The default JWKs URI for remote consent clients is /oauth2/consent_agents/jwk_uri.

For example, https://openam.example.com:8443/openam/oauth2/realms/root/realms/alpha/consent_agents/jwk_uri.

Flag to request userinfo from Apple

For social authentication through Apple, this flag indicates that the native app can send userinfo in JSON format.

For details, refer to Request Native App for UserInfo.

Configuration Provider node

The Configuration Provider node lets you reference a script that builds up the node configuration, based on the node state.

For details, refer to Configuration Provider node.

CAPTCHA node

The CAPTCHA node has been rewritten to support ReCAPTCHA v3. The new node has two possible outcomes (success and failure), and lets you set a score threshold. For more information, refer to CAPTCHA node.

Pass-through Authentication node for Platform deployments

For details, refer to Passthrough Authentication node.

Set Custom Cookie node

The Set Custom Cookie node lets you store a custom cookie in the client.

For details, refer to Set Custom Cookie node.

Scripted support for Java extension points

The scripted implementation of the existing Java extension points lets you extend AM functionality rapidly and easily, without the need to recompile.

AM now provides JavaScript example scripts for the following extension points:

  • For OAuth2:

    • Access Token Modification

    • OIDC Claims

    • Scope Evaluation

    • Scope Validation

    • Authorize Endpoint Data Provider

  • For SAML2:

    • IDP Adapter

    • IDP Attribute Mapper

For details, refer to Sample scripts.

OAuth 2.0 Pushed Authorization Requests (PAR)

A new PAR endpoint, as defined in RFC 9126, lets clients push the payload of an OAuth 2.0 authorization request to the authorization server in a direct back-channel request. The authorization server returns a request URI, which the client then uses as a reference to that payload in the subsequent call to the authorization endpoint.

For details, refer to:

System property for AES Key Wrap encryption

A new Java system property (org.forgerock.openam.encryption.padshortinputs) pads short inputs for compatibility with Java 17.

For details, refer to Use stronger encryption algorithms.

ForceAuth server property for authentication chains

A new advanced server property (org.forgerock.openam.authentication.forceAuth.enabled) controls the ForceAuth authentication property for chains.

Support for JWT-secured authorization response (JARM)

AM now supports JWT-secured authorization response mode (JARM), which gives clients the option to receive authorization response parameters packaged in a signed, and optionally encrypted, JWT.

JARM introduces the following client configuration properties, each with a corresponding parameter advertised in oauth2/.well-known/openid-configuration:

  • authorization_signed_response_alg

  • authorization_encrypted_response_alg

  • authorization_encrypted_response_enc

The supported signing algorithms, encryption algorithms, and encryption methods are defined in new OAuth 2.0 provider configuration properties.

For details, refer to response_mode.

UMA interactive claims gathering

The UMA provider service includes a number of new properties to support interactive claims gathering.

For details, refer to Claims gathering.

Grace periods on refresh tokens

You can now configure a grace period on refresh tokens, which effectively lets a refresh token be reused. This setting lets your OAuth 2.0 clients recover seamlessly if the response to the original refresh token request is not received because of a network problem or other transient issue. Reuse is limited by the grace period set in the OAuth 2.0 provider configuration or on the OAuth 2.0 client. Keep the grace period as short as your clients' retry behavior requires: within that window, a refresh token captured in transit can be replayed.
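To make the trade-off concrete, here is an added toy model of refresh-token rotation with a grace period, written for this page and not taken from AM's implementation. A first use rotates the token; a second use inside the grace window re-delivers the first response so a client whose response was lost can recover; a use after the window is treated as a replay and revokes the whole token family. The family revocation and the re-delivery of identical tokens are modelling choices of this example, not documented AM behaviour.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class RefreshRecord:
    client_id: str
    family: str                         # all tokens descending from one grant
    used_at: Optional[float] = None     # when this token was first exchanged
    response: Optional[dict] = None     # what the first exchange returned
    revoked: bool = False


class RefreshTokenService:
    """Toy authorization-server state for refresh-token rotation with a grace period."""

    def __init__(self, grace_period_seconds: float):
        self.grace = grace_period_seconds   # 0 disables reuse entirely
        self.tokens = {}                    # refresh token -> RefreshRecord

    def issue(self, client_id: str, family: Optional[str] = None) -> str:
        token = secrets.token_urlsafe(24)
        self.tokens[token] = RefreshRecord(client_id, family or token)
        return token

    def refresh(self, refresh_token: str, client_id: str, now: float) -> dict:
        rec = self.tokens.get(refresh_token)
        if rec is None or rec.revoked or rec.client_id != client_id:
            return {"error": "invalid_grant"}

        if rec.used_at is None:
            # First use: rotate. The old token is now spent, the new one supersedes it.
            rec.used_at = now
            rec.response = {
                "access_token": secrets.token_urlsafe(24),
                "refresh_token": self.issue(client_id, rec.family),
            }
            return rec.response

        if now - rec.used_at < self.grace:
            # Reuse inside the grace period: assume the first response was lost in
            # transit and hand back the same tokens so the client can recover.
            return rec.response

        # Reuse after the grace period looks like a stolen token being replayed.
        # Revoking the whole family is a common rotation hardening; it is an
        # assumption of this model, not a statement about how AM reacts.
        for other in self.tokens.values():
            if other.family == rec.family:
                other.revoked = True
        return {"error": "invalid_grant"}
```

With a grace period of 0 the second call in the model fails, which is the pre-7.2 single-use behaviour; anything larger is a deliberate window in which a captured token still works.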

Ability to disable authentication trees over REST

A new enabled setting in the authentication tree configuration lets you use the REST interface to disable trees that are not in use, and enable trees when they are ready to be used.

Push Wait node

Use this node in conjunction with the Push Sender and Push Result Verifier nodes when collecting a challenge code from a user’s device.

AM 7.1.4

AM 7.1.4 is the latest minor release targeted for AM 7.1 deployments and can be downloaded from the Backstage website.

The release can be deployed as an initial deployment or updated from an existing AM 7.1.x deployment.

No new features have been added in AM 7.1.4.

AM 7.1.3

AM 7.1.3 is a minor release that introduces new features, functional enhancements, and fixes.

The release can be deployed as an initial deployment or updated from an existing AM 7.1.x deployment.

JWKs URI for remote consent agents

To make it easier to publish keys used for remote consent, AM 7.1.3 provides a new JWKs URI, specifically for remote consent agents. This URI indicates where a remote consent service can obtain the keys that AM uses to sign and encrypt the consent request. These keys include:

  • The public signing key, used to sign the consent request that is sent to the remote consent server, so that it can be validated on the remote consent server.

  • The public encryption key for the consent response, so that the response can be encrypted (if encryption is enabled).

The default JWKs URI for remote consent clients is /oauth2/consent_agents/jwk_uri.

For example, https://openam.example.com:8443/openam/oauth2/realms/root/realms/alpha/consent_agents/jwk_uri.

Keep-alive and load balancer availability checks

DS has introduced a new LDAP health check feature that changes how AM determines server availability. Keep-alive checks are now sent for every LDAP connection to prevent idle timeouts and separate availability checks are performed for load balanced connections.

Two new advanced server properties determine the settings for the keep-alive and availability checks:

  • org.forgerock.openam.ldap.keepalive.search.base

  • org.forgerock.openam.ldap.keepalive.search.filter

For details, refer to Advanced properties.

AM 7.1.2

org.forgerock.openam.encryption.padshortinputs system property for AES Key Wrap encryption

A new Java system property (org.forgerock.openam.encryption.padshortinputs) pads short inputs for compatibility with Java 17, in preparation for upgrade.

For details, refer to Preparing AES Key Wrap Encryption.

org.forgerock.openam.authentication.forceAuth.enabled advanced server property for authentication chains

A new advanced server property (org.forgerock.openam.authentication.forceAuth.enabled) controls the ForceAuth authentication property for chains.

AM 7.1.1

There are no new features in AM 7.1.1, only bug fixes.

AM 7.1

AM 7.1.0 is a minor release that introduces new features, functional enhancements, and fixes.

OAuth 2.0 and OpenID Connect Token Exchange Support

Following the OAuth 2.0 Token Exchange specification, AM 7.1 now lets you exchange ID tokens and access tokens in delegation and impersonation use cases.

For details, refer to OAuth 2.0 Token Exchange.

Social identity provider client improvements

AM 7.1 enhances the OAuth 2.0/OpenID Connect client support offered in the Social Identity Provider Service. To connect to financial-grade identity providers, AM and Ping Identity Platform can now:

  • Use acr values to specify a set of rules that the authorization request must satisfy when authenticating to the provider; for example, using multi-factor authentication.

    A new property, ACR Values, has been added to the OpenID Connect secondary configuration of the Social Identity Provider Service.

  • Accept encrypted ID tokens.

    AM includes a new JWK URI, which the provider can use to obtain keys for verifying request object signatures, and for encrypting ID tokens.

    Two new properties have been added to the OpenID Connect secondary configuration of the Social Identity Provider Service:

    • OP Encrypts ID Tokens

    • Issuer

  • Send request parameters in a JWT, or as a reference to a JWT.

    The JWT is always signed, and optionally encrypted.

    As part of this change, the following fields have been added to the OpenID Connect secondary configuration of the Social Identity Provider Service:

    • Request Parameter JWT Option

    • Request Object Audience

    • Encrypt Request Parameter JWT

    • JWT Signing Algorithm

    • JWT Encryption Algorithm

    • JWT Encryption Method

  • Authenticate using a JWT or mutual TLS (mTLS).

    The JWT is always signed, and optionally encrypted.

    As part of this change, the Use Basic Auth switch in the client has been replaced with the Client Authentication Method drop-down list, which contains the following options:

    • CLIENT_SECRET_POST

    • CLIENT_SECRET_BASIC

    • PRIVATE_KEY_JWT

    • ENCRYPTED_PRIVATE_KEY_JWT

    • TLS_CLIENT_AUTH

    • SELF_SIGNED_TLS_CLIENT_AUTH

    AM 7.1 also includes a new advanced server property, openam.private.key.jwt.encryption.algorithm.whitelist, that specifies the algorithms the client can use to encrypt authentication JWTs and request object JWTs.

  • Let social providers return ID tokens by submitting an HTML form using the HTTP POST method, as defined in the OAuth 2.0 Form Post Response Mode specification.

    The Response Mode drop-down list has been added to the OpenID Connect secondary configuration of the Social Identity Provider Service.

    The Redirect after form post URL property has been added to support the form post response mode in custom login pages.

AM 7.1 provides a preconfigured client for Apple and itsme. For details, refer to Social Authentication and the /oauth2/connect/rp/jwk_uri endpoint.

OpenID Connect backchannel logout

As the OpenID provider, AM 7.1 supports the OpenID Connect Back-Channel Logout 1.0 Draft 06. This draft lets AM send logout tokens to relevant relying parties when a session associated with an ID token becomes invalid.

As part of this change, the Store OPS Tokens switch, used to enable session management at the provider, has been renamed to OIDC Session Management.

When OIDC Session Management is enabled, ID tokens contain a new claim, sid. This claim specifies a session ID that identifies the relying party’s session with the provider. The sid can also be found in the logout tokens, if enabled.

For details, refer to Informing Relying Parties that a Session has Expired.

Push authentication nodes

AM 7.1 adds a number of authentication nodes to assist with push authentication:

Account Active Check authentication module

AM 7.1 includes an Account Active Check authentication module that lets you determine whether an account is marked as active, or locked, without having to run through the rest of the authentication chain.

For details, refer to Account Active Check Module.

Properties available to claims and access token scripts

AM 7.1 adds new properties to the OpenID Connect Claims and OAuth 2.0 Access Token Modification script types, to access the properties of the relevant client and the incoming request.

For details, refer to Scripting OpenID Connect 1.0 Claims and Modifying the Content of Access Tokens.

live and ready status endpoints

AM 7.1 includes new endpoints to check whether an instance is alive and ready to process requests.

For details, refer to Monitoring Instances.

Access to secrets and credentials in authentication scripts

AM 7.1 adds the ability for scripted decision nodes to access the secrets configured in AM secret stores.

For example, a script can access credentials or secrets defined in a file system secret volume in order to make outbound calls to a third-party REST service, without hard-coding those credentials in the script.

For details, refer to Accessing Credentials and Secrets.

Support for PEM-formatted keys and certificates

AM 7.1 adds support for loading the following PEM-formatted secrets:

  • Elliptic Curve and RSA private keys

    • OpenSSL format

    • PKCS#8 format

  • X.509 certificates

  • RSA public keys

  • (non-standard) AES secret keys

  • (non-standard) HMAC secret keys

  • (non-standard) Generic secrets, such as connection passwords or API keys

Use PEM secrets on the secret stores that support it:

  • Environment and system property secrets store

  • File system secret volumes

  • Google GSM secret stores

For more information, refer to Importing PEM-Formatted Keys.

Session service uses secret stores

Client-based sessions and client-based authentication sessions now use secret stores for:

  • Signing JWTs with RSA and elliptic curve algorithms.

  • Encrypting JWTs with RSA algorithms.

The upgrade process migrates the relevant configuration to secret stores automatically. HMAC signing secrets and symmetric AES keys for encryption have not been migrated yet, and are still available in the Session service configuration page.

For more information, refer to Configuring Client-Based Session Security.

Loading secrets from Google Secret Manager

AM 7.1 lets you load secrets from Google Secret Manager (GSM).

For details, refer to Google GSM Secret Stores.

AM 7.0.2

There are no new features in AM 7.0.2, only bug fixes.

AM 7.0.2 is the latest release targeted for AM 7.0.x deployments, and can be downloaded from the Backstage website.

The release can be deployed as an initial deployment or updated from an existing AM 7.0.x deployment.

AM 7.0.1

There are no new features in AM 7.0.1, only bug fixes.

AM 7.0

OAuth 2.0 mutual TLS (mTLS)

AM 7 adds support for draft 12 of the OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens specification, a key component of ForgeRock’s Open Banking and Revised Payment Services Directive (PSD2) support.

For information about authenticating an OAuth 2.0 client using mTLS certificates, refer to Authenticating Clients Using Mutual TLS.

For information about issuing certificate-bound OAuth 2.0 access tokens, refer to Certificate-Bound Proof-of-Possession.

OAuth 2.0 access token modification scripts

AM 7 adds support for scripting the modification of issued OAuth 2.0 access tokens. You can add properties to the access token, for example values taken from the resource owner’s profile such as telephone number or email address.

For information, refer to Modifying the Content of Access Tokens.

OpenID Connect authentication node

AM 7 introduces an OpenID Connect authentication node, for authenticating users from an OpenID Connect-compliant identity provider.

For details, refer to OpenID Connect node in the Authentication and Single Sign-On Guide.

OpenID Connect Client Initiated Backchannel Authentication (CIBA) Support

AM 7 introduces support for Client Initiated Backchannel Authentication (CIBA). This allows a client application, known as the consumption device, to obtain authentication and consent from a user without requiring the user to interact with it directly.

Instead, the user authenticates and consents to the operation using a separate, "decoupled" device, known as the authentication device. For example, an authenticator application, or a mobile banking application on their mobile phone.

For more information, refer to Backchannel Request Grant in the OpenID Connect 1.0 Guide.

Extension Point to Customize Public Key ID (kid)

By default, AM generates a key ID (kid) for each public key exposed in the jwk_uri URI when AM is configured as an OAuth 2.0 authorization server.

AM 7 introduces a new extension point, KeyStoreKeyIdProvider, to customize the key ID values associated with public keys stored in keystore secret stores.

For more information, refer to /oauth2/connect/jwk_uri in the OpenID Connect 1.0 Guide.

SAML v2.0 changes and improvements

AM 7 introduces a new user interface for managing SAML v2.0 entities, and circles of trust. For details, refer to Configuring IDPs, SPs, and CoTs in the SAML v2.0 Guide.

The UI is backed by new /federation and /saml2 REST endpoints, for programmatically creating and managing SAML v2.0 deployments. The endpoints are documented in the REST API Explorer.

The new UI supports SAML v2.0 IDP and SP entities only. After upgrade, entities that do not have IDP or SP roles will be listed, but cannot be inspected or edited using the UI. An error will display in the UI when trying to access these entities. Entities containing roles other than IDP and/or SP will only display the IDP and/or SP roles.

In addition, SAML v2.0 signing and encryption now uses AM’s secret stores functionality. AM upgrades SAML v2.0 Service Configurations from previous versions to use secret stores in AM 7. The service itself is no longer required, and is deleted by the upgrade process after the configuration has been migrated. The global service remains unchanged.

For details, refer to Signing and Encryption in the SAML v2.0 Guide.

As part of this change, the way metadata is stored and generated by AM has changed. For example:

  • Encryption algorithms in the standard metadata are now part of the extended metadata.

  • Key descriptor elements have been removed from the standard metadata.

  • Attributes related to signing and encryption have been removed from the extended metadata.

  • The Secret ID Identifier property has been added to the extended metadata.

The exported metadata remains unchanged. You do not need to share the metadata of your providers again due to the changes previously explained.

AM 7 introduces another change as part of hardening the security around the SAML v2.0 implementation. When AM acts as the hosted service provider, the scheme, FQDN, and port of the URLs specified in the Assertion Consumer Service must exactly match those of the service provider as they appear in its metadata.

To determine the service provider’s endpoint URL, AM uses the Base URL service, if configured.

If the URL does not match, the SAML v2.0 flow will fail and AM will log Invalid Assertion Consumer Location specified in the audit log file.

REST-based method for configuring CORS support

AM 7 introduces a new REST endpoint, /global-config/services/CorsService, for configuring how to handle cross-origin resource sharing (CORS).

Clients and applications can use the endpoints to configure their own CORS requirements, without having to restart AM or the container in which it runs.

For more information, refer to Configuring CORS Support.

Suspended authentication

AM 7 introduces support for suspending an authentication tree, and saving any input made so far. The user is sent a URL, sometimes referred to as a magic link, which lets them resume from where they left off, perhaps after closing the browser, in a different browser, or even on a different device.

For more information, refer to Suspended Authentication

SameSite cookies

AM 7 adds support for applying SameSite cookie rules, as per internet-draft Cookies: HTTP State Management Mechanism.

For more information, refer to Enabling SameSite Cookie Rules.

As part of this change, AM 7 also introduces a filter in its application description file (web.xml) that sets the Secure flag on the cookies AM produces if any of the following is true:

  • The request comes in through a connection marked as secure. For example, because you have marked an HTTP connector as secure in Tomcat.

  • The request comes in through an HTTPS connector.

Automatically promoting cookies to secure ensures that the functionality continues to work with the SameSite changes, because you can only opt out of SameSite if a cookie is marked as secure. To ensure that non-secure requests are load-balanced correctly, the amlbcookie cookie is already excluded by default. If you are using a custom cookie for sticky load balancing, you may want to add it to the list of excluded cookies. For more information, refer to Managing the Secure Cookie Filter.

Identity Gateway agents

AM 7 adds support for creating Identity Gateway agents. These agents configure the credentials used by Identity Gateway when making policy evaluation calls, and when registering to receive session and policy configuration notifications over the Web Sockets protocol.

For more information, refer to Setting Up AM for the Examples in the Gateway Guide.

Failover and affinity in external policy and application stores

AM 7 adds support for failover and affinity deployments of external policy and application stores. Previously you could only specify a single directory server instance, making it a single point of failure.

For details, refer to Setting Up Policy and Application Stores.

OAuth 2.0 dynamic client registration management protocol (RFC7592)

AM 7 adds support for OAuth 2.0/OpenID Connect clients to edit and delete their client profile data, as per RFC7592.

Earlier versions of AM offered support for read operations only.

For more information, refer to Dynamic Client Registration.

id_token_hint parameter on the OAuth 2.0/OpenID Connect authorization endpoint

AM 7 lets client relying parties use the id_token_hint parameter in requests to the authorization endpoint as a hint about the end user’s session. AM uses the ID token to verify whether the end user specified on it has a valid session.

As part of this change, the authorization endpoint supports the new none response type.

For more information, refer to the /oauth2/authorize endpoint and Retrieving Session State without the Check Session Endpoint.

Debug logging with Logback

AM 7 adds support for configuring debug logging by using Logback.

Functionality provided by Logback can now be applied to AM’s debug logging output, for example, log file rotation, and file compression.

For more information, refer to Debug Logging.

JWT profile for OAuth 2.0 authorization grant

AM 7 adds support for the JWT profile for OAuth 2.0 Authorization Grant, defined in the RFC 7523 specification.

As part of this feature, AM includes a new agent of the type Trusted JWT Issuer.

For more information, refer to JWT Profile for OAuth 2.0 Authorization Grant.

Wildcards in OAuth 2.0 redirection URI ports

AM 7 lets you use wildcards (*) in the redirection URI port to match one or more ports.

This feature requires that the host configured in the redirection URI is localhost, 127.0.0.1, or ::1. For example, http://localhost:*/, https://127.0.0.1:80*/, or http://[::1]:*.

For more information, refer to the Allow wildcard ports in redirection URIs property in Client Registration.
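As an added example (not AM's own matching code), the following Python checks a registration request and a presented redirect_uri under these rules: a wildcard port is accepted only for localhost, 127.0.0.1, or ::1; scheme, host, path and query must match exactly; and a presented URI must carry a concrete numeric port. Treating '*' as any run of digits, and comparing path and query literally, are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Only these hosts may carry a wildcard port; anything else must be registered exactly.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def split_host_port(netloc):
    """Split 'host:port' or '[v6]:port' into (host, port); port may be '' or a pattern."""
    if netloc.startswith("["):
        host, _, rest = netloc[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port = netloc.partition(":")
    return host.lower(), port


def registered_uri_is_valid(uri):
    """Accept a redirection URI for registration; '*' in the port needs a loopback host."""
    host, port = split_host_port(urlsplit(uri).netloc)
    if "*" not in port:
        return True
    return "*" not in host and host in LOOPBACK_HOSTS


def redirect_uri_matches(registered, requested, allow_wildcard_ports=True):
    """Decide whether a redirect_uri presented at /oauth2/authorize matches a registered one.

    Scheme, host, path and query must match exactly; '*' in the registered port
    stands for any run of digits (an assumption of this model) and is honoured
    only for loopback hosts and only when the client property is enabled.
    """
    reg, req = urlsplit(registered), urlsplit(requested)
    reg_host, reg_port = split_host_port(reg.netloc)
    req_host, req_port = split_host_port(req.netloc)
    if (reg.scheme, reg_host, reg.path, reg.query) != (req.scheme, req_host, req.path, req.query):
        return False
    if "*" not in reg_port:
        return reg_port == req_port
    if not allow_wildcard_ports or reg_host not in LOOPBACK_HOSTS:
        return False
    if not req_port.isdigit():          # a presented URI may never itself be a pattern
        return False
    pattern = re.escape(reg_port).replace(r"\*", r"\d*")
    return re.fullmatch(pattern, req_port) is not None
```

The loopback restriction is what keeps the wildcard safe: a native app binding an ephemeral port on the local machine is the only legitimate reason a client cannot know its redirect port in advance, and no attacker on the network can receive a redirect to 127.0.0.1.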

JWT response for OAuth token introspection internet draft

AM 7 lets clients configure whether the token introspection endpoint should return its response in JSON format or as a JWT, as per the JWT Response for OAuth Token Introspection Internet Draft.

This feature includes a drop-down menu to choose the endpoint’s output format, as well as several parameters to configure whether the JWT should be signed, or signed and encrypted.

By default, even after an upgrade, clients are configured to receive the output in JSON format.

For more information, refer to the /oauth2/introspect endpoint.

Session property allowlist setting

AM 7 introduces a session property allowlist setting, Session Properties to return for session queries.

This setting shows a list of properties that can be returned to administrators in a REST session query response.

For more information, refer to Session Property Whitelist Service.

Support for macaroons

AM 7 supports a new token format called macaroons, that can be used when issuing OAuth 2.0 access and refresh tokens.

Macaroons can have caveats appended to them, to restrict how a token can be used. Macaroons provide additional security, as tokens can be restricted just before use. For example, you can add a 5-second expiry time to a macaroon access token before sending it to an API, or bind it to a TLS client certificate before use.

As part of this change, AM 7 includes the /json/tokens/macaroon endpoint, used to inspect and manipulate macaroons.

For more information, refer to Macaroons as Access and Refresh Tokens.
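The construction behind that claim, as an added example rather than AM's implementation: a macaroon is an HMAC chain, so a holder can append a caveat by re-keying the HMAC with the previous signature, but cannot remove one because that would require the earlier signature. The caveat syntax (time < N, x5t#S256 = thumbprint), the identifier and the root key are invented for this example; AM's wire format and its own caveat language are not shown here.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Tuple


def _chain(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


@dataclass(frozen=True)
class Macaroon:
    identifier: str                      # public token id; the issuer maps it to a root key
    caveats: Tuple[str, ...]             # first-party caveats, in the order they were added
    signature: bytes                     # HMAC chain over identifier and caveats

    @classmethod
    def mint(cls, root_key: bytes, identifier: str) -> "Macaroon":
        return cls(identifier, (), _chain(root_key, identifier.encode()))

    def add_caveat(self, predicate: str) -> "Macaroon":
        """Attenuate the token. Anyone holding it can add caveats; nobody can remove
        one, because the signature is rechained over each caveat in turn."""
        return Macaroon(self.identifier, self.caveats + (predicate,),
                        _chain(self.signature, predicate.encode()))


def caveat_holds(caveat: str, context: dict) -> bool:
    """Evaluate the two predicate forms this example understands; unknown forms fail closed."""
    if caveat.startswith("time < "):
        return context.get("time", float("inf")) < int(caveat[len("time < "):])
    if caveat.startswith("x5t#S256 = "):
        return context.get("x5t#S256") == caveat[len("x5t#S256 = "):]
    return False


def verify(root_key: bytes, m: Macaroon, context: dict) -> Tuple[bool, str]:
    """Resource-server check: recompute the HMAC chain, then evaluate every caveat."""
    sig = _chain(root_key, m.identifier.encode())
    for caveat in m.caveats:
        sig = _chain(sig, caveat.encode())
    if not hmac.compare_digest(sig, m.signature):
        return False, "bad signature"
    for caveat in m.caveats:
        if not caveat_holds(caveat, context):
            return False, "caveat failed: " + caveat
    return True, "ok"


def attenuate_for_request(m: Macaroon, now: int, client_cert_thumbprint: str, ttl: int = 5):
    """What a client does just before calling an API: bind the token to its TLS
    client certificate and give it a short expiry, without contacting the issuer."""
    return m.add_caveat(f"time < {now + ttl}").add_caveat(f"x5t#S256 = {client_cert_thumbprint}")
```

Note that attenuation needs no round trip to AM and no secret: the client only has the current signature. That is what makes it safe to hand an API a five-second, certificate-bound copy while keeping the long-lived token at home.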

Common federation configuration settings

AM 7 introduces the following Common Federation Configuration settings:

  • AES Key Wrap Algorithm, lets you specify the AES key wrap algorithm to use when the remote entity provider does not specify which key wrap algorithm it supports.

  • RSA Key Transport Algorithm, lets you specify the RSA key transport algorithm to use when the remote entity provider does not specify which key transport algorithm it supports.

For more information about the Common Federation Configuration settings, see Common Federation Configuration.

Device nodes for ForgeRock SDK

AM 7 introduces a number of nodes for profiling devices when using the ForgeRock SDKs:

New authentication nodes

AM 7 introduces the following authentication nodes, listed here by what each one does:

  • Lets anonymous users upgrade their session to a non-anonymous one.

  • Enables Windows desktop single sign-on, such that a user who has already authenticated with a Kerberos Key Distribution Center can authenticate to AM without having to provide the login information again.

  • (Previously in Marketplace) Lets you integrate SAML v2.0 SSO into an AM authentication tree. Use it when deploying SAML v2.0 single sign-on in integrated mode (SP-initiated SSO only).

  • (Previously in Marketplace) Creates a persistent link between a remote IdP account and a local account in the SP, if none exists yet. If a transient link exists, it is persisted. Existing account links with different IdPs are not lost.

  • Implements Google’s and hCaptcha’s CAPTCHA widgets.

  • Lets you save FIDO2 device data to a profile after having first captured and analyzed the information; for example, with a Scripted Decision node.

  • (Previously in Marketplace) Collects an X.509 digital certificate from the user that is authenticating, so that AM can use it in place of other types of credentials.

  • (Previously in Marketplace) Validates an X.509 digital certificate collected by the Certificate Collector node.

  • (Previously in Marketplace) Extracts a value from the certificate collected by the Certificate Collector node, and searches for it in the identity store.

  • Authenticates an IoT thing.

  • Registers an IoT thing.

Session storage for SAML v2.0 single sign-on

AM 7 stores SAML v2.0 single sign-on progress as client-side data when using web browsers that support session storage, removing the need to use sticky load balancing.

For more information, refer to Session State Considerations.

Endpoint to get session information and reset idle timeout

AM 7 includes a getSessionInfoAndResetIdleTime endpoint that resets the idle timeout when obtaining information about a session. The existing getSessionInfo endpoint does not reset the idle timeout.

For more information, refer to Managing Sessions (REST).

DevOps-friendly way to change the password of the amAdmin user

AM 7 includes a DevOps-friendly way of changing the password of the amAdmin user, based on the secret stores API.

For more information, refer to Changing the amAdmin Password (Secret Stores).

Recursive OAuth 2.0 introspection scope

AM 7 adds the am-introspect-all-tokens-any-realm scope, which lets a client introspect tokens issued to other clients, as long as they are registered in the realm of the introspecting client, or in a subrealm of it.

For more information, refer to Special Scopes.

Method to retrieve data from authentication trees' shared state

AM 7 introduces a tree shared state called the secure state. In cases where a node needs to process sensitive information later on in the authentication flow, AM promotes the data stored in the transientState object to the secureState object and encrypts it with the key stored in the new am.authn.trees.transientstate.encryption secret ID.

What is affected by this feature?

  • The introduction of the am.authn.trees.transientstate.encryption secret ID requires that you make available an AES 256-bit key called directenctest to your environment before upgrading to AM 7, if one is not already available.

    Failure to do so will result in AM not starting up after upgrade, and the following error will show in the logs: Unknown key aliases in configuration: directenctest.

    For more information, refer to Upgrading AM Instances.

    On new installations, you must change the default alias mapped to this secret ID, and ensure that it is always mapped to an existing, resolvable secret. Failure to do so may result in trees not working as expected.

  • The introduction of this state has changed the way you should retrieve data from the shared state when coding your authentication nodes. Instead of using the context.sharedState.get() or context.transientState.get() methods, use the context.getState() method.

    For a given variable, the context.getState() method tries to retrieve data from the different states in the following order:

    1. sharedState

    2. transientState

    3. secureState

      This change also affects Scripted Decision Node scripts.

      For more information, refer to Store values in shared tree state.

Google KMS secret store

AM 7 lets you map secrets retrieved from the Google Cloud Key Management Service (KMS) for any feature in AM that supports secret stores.

Support includes:

  • Mapping Google Cloud KMS secrets to secret IDs used for signing and verification purposes. Using Google Cloud KMS secrets as mappings for encryption and decryption secret IDs is not supported.

  • Using a Google Cloud KMS secret to decrypt secrets loaded using other secret stores, or to decrypt the hashed password of the amAdmin user.

For more information, refer to Google KMS Secret Stores.

ForgeRock Go usernameless web authentication

With ForgeRock Go, you can create a secure and seamless login experience by authenticating with any credential on the user’s device that supports FIDO2 WebAuthn.

You can also extend passwordless authentication to include usernameless authentication with popular authenticators that support resident keys; for example, Windows Hello (biometric authenticators).

For information, refer to Configuring Usernameless Authentication with ForgeRock Go.

Support for Web Authentication Trust Anchors and TPM

AM 7 adds support for verifying the attestation data provided by FIDO2 devices against certificate chains issued by the device vendor.

The TPM attestation format is now supported.

You can also enable revocation checking, if the certificate chains contain CRL or OCSP entries.

For information, refer to Configuring WebAuthn Trust Anchors.

Account Active Check authentication module

AM 7.1 includes an Account Active Check authentication module that lets you determine whether an account is marked as active, or locked, without having to run through the rest of the authentication chain.

For details, refer to Account Active Check Module.

Changes to /users Common REST Endpoint

The AM /users endpoint now treats _id and username as separate fields that map to LDAP User Search Attribute and Authentication Naming Attribute respectively.

When AM is configured to use different values for these two attributes, and you create a resource without providing an _id, the /users endpoint generates a unique identifier, which is set as the LDAP User Search Attribute.

For more details, refer to Creating Identities.

Fixes

The following pages list important fixes in AM major or minor versions since AM 7.0.

Fixes in a version are cumulative.

For example, when an issue is fixed in AM 7.3.1, it’s fixed in 7.3.2 and any later 7.3.x minor releases.

Fixes in AM 7.5.x

This page lists the cumulative fixes in AM 7.5.x releases:

AM 7.5.1

  • IAM-5473: Always save UI environment variables to .env file when using yarn start

  • IAM-6429: Failure URL node not working as expected on Safari when used with a Message node

  • OPENAM-23059: SSOADM doesn’t work for realm defaults

  • OPENAM-22955: Set Persistent Cookie node causes 500 error before failure

  • OPENAM-22847: Nodes that use a tree hook with an injection annotation cause an error when the tree fails

  • OPENAM-22836: Unable to update KBA security questions using XUI

  • OPENAM-22753: Destroy All session may fail to work

  • OPENAM-22717: SP-initiated SSO fails with "Illegal character in scheme name" when the IdP entity name has a special character

  • OPENAM-22715: PlaceholderAnnotationUtils.insertDefaultValueIntoPlaceholder isn’t escaping values correctly

  • OPENAM-22708: Loop back to the same node causes exception when tree is executed

  • OPENAM-22696: Persistent search notification invalidation on AD identity store doesn’t invalidate user cached attributes

  • OPENAM-22676: SecretsProviderFacadeFactory is not a supported API but is the only valid way to create the SecretsProviderFacade

  • OPENAM-22675: Unable to set a default value for NameCallback in next-generation callbacksBuilder

  • OPENAM-22672: Configuring SAML entities with invalid secret label mappings break SAML flows for other entities

  • OPENAM-22656: Setting JWKs URI content cache timeout to a small value throws an error

  • OPENAM-22620: Slow response from access token endpoint using client credentials grant

  • OPENAM-22602: OIDC ID Token Validator Node isn’t using inbuilt httpClient settings to connect to JWK or well-known URL

  • OPENAM-22465: Unexpected error when request_uri client doesn’t match request parameter client in PAR authorise request

  • OPENAM-22391: Issues with evaluateTree when using wildcard policies

  • OPENAM-22322: ArtifactResponse Assertion that is signed cannot be verified and fails

  • OPENAM-22318: OAUTH_REQUEST_ATTRIBUTES cookie isn’t getting deleted after authentication

  • OPENAM-22289: Session quota action may fail when the session is not updateable but should be fine to proceed

  • OPENAM-22281: NameIdFormat values populated for remote IdP

  • OPENAM-22181: Approve UMA request fails with 500 error when AM deployed as a platform

  • OPENAM-22171: Forgotten password fails when AM searches for the identity to modify

  • OPENAM-22146: OAuth 2.0 request object failure not logged for POST requests even when full debug logging is enabled

  • OPENAM-22120: Backchannel logout tokens now include the exp claim

  • OPENAM-22109: The expiry time of OPS token in 7.x fails to update correctly

  • OPENAM-22009: Providing an invalid alias to a secret store mapping breaks AM

  • OPENAM-21972: SAML artifact binding is failing in load-balanced deployments

  • OPENAM-21951: No option to set the selectedIndex on a ChoiceCallback

  • OPENAM-21897: Creation order determines policy evaluate and evaluateTree results

  • OPENAM-21864: No option to enable the trackingCookie with next-generation callbacksBuilder

  • OPENAM-21852: Failure when reading input from next-generation SelectIDPCallback

  • OPENAM-21609: OAuth2Provider service created immediately after install/restart isn’t available in code flow

  • OPENAM-21191: Web agent sessions have a long session lifetime of 42 years

  • OPENAM-21158: Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2

  • OPENAM-20945: Unable to trace token revocation back to resource owner because of missing trackingID field

  • OPENAM-20609: Inconsistent error message getting access token when using refresh token after changing username

  • OPENAM-20314: Social Provider Handler node and Social IdP service use the sub claim to search for links to existing accounts

AM 7.5

  • OPENAM-22206: AM upgrade fails for 7.1.4 and older: Creating UMA PCT Encryption Secret Failed

  • OPENAM-22191: JUnit jars are bundled in the AM.war release

  • OPENAM-22119: "Access to Java class ScriptedLoggerWrapper prohibited" exception

  • OPENAM-22101: UI admin tests are failing since updating secret ID to secret label

  • OPENAM-22060: am-config-upgrader: poor performance

  • OPENAM-22035: Page Nodes don’t delete contained nodes when a tree is deleted

  • OPENAM-22017: ConfigProviderNode creates node class dynamically leading to native memory leak

  • OPENAM-21976: Single point of locking contention when doing Client-based session logout

  • OPENAM-21941: Unable to edit policies in the UI

  • OPENAM-21937: Quota Enforcement affecting agents sessions that authenticate by tree

  • OPENAM-21936: Unable to use Legacy and Next Generation Script in the same authentication tree

  • OPENAM-21912: OAuth2/OIDC signing slow with RSA keys when using Google Secret Manager

  • OPENAM-21856: Introspecting stateless token with IG/Web agents will cause OAuth2ChfException

  • OPENAM-21854: TermsAndConditionsCallback fails with error on XUI

  • OPENAM-21840: Warning for missing mapping in dynamic secret doesn’t warn for missing secret label identifier

  • OPENAM-21803: CertificateUserExtractorNode cannot resolve wrong name when UPN SubjectAltNameExt

  • OPENAM-21780: Next generation scripting httpClient adds "null" as entity to GET requests

  • OPENAM-21748: Next generation scripting missing "get" wrapper function for HiddenValueCallback

  • OPENAM-21739: Running the am-config-upgrader on an empty directory results in unexpected addition of library scripting service

  • OPENAM-21707: file-functional-tests: OAuth2Provider doesn’t allow setting of default consent agent when scalableAgents are enabled

  • OPENAM-21693: Remove default global library script

  • OPENAM-21664: Upgrade fails to AM 7.4 with an uncaught exception when initialising the PrivilegeIndexStore class

  • OPENAM-21506: Inner Evaluator Tree with Data Store Decision node fails with correct password on first pass when used with Retry Decision node

  • OPENAM-21484: OAuth2 tokenintrospection response has different claim value types when refresh tokens are introspected

  • OPENAM-21473: Certificate collector node: getPortalStyleCert throws exception when cert/header not present

  • OPENAM-21389: Searching algorithm for calculating the reachability of a node in a tree returns incorrect result

  • OPENAM-21053: User ID is missing from access.audit.json for JWT client authentication flow using org.forgerock.security.oauth2.enforce.sub.claim.uniqueness=false

  • OPENAM-20924: Reentry cookie when set causes the user to redirect to an incorrect IdP

  • OPENAM-20490: AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes"

  • OPENAM-20329: ForgeRock JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) not spec compliant

  • OPENAM-19999: ID token as AM session doesn’t work with /authorize when openid scope is requested

  • OPENAM-19889: Policy evaluation fails with Agent access token JWT as subject

  • OPENAM-17816: 500 Internal Server Error (from NPE) returned for a missing Content-Type header

  • OPENAM-17315: Update defaults scripts with the change introduced in COMMONS-628

AM 7.4.x

AM 7.4.1

  • OPENAM-22753: Destroy All session may fail to work

  • OPENAM-22715: PlaceholderAnnotationUtils.insertDefaultValueIntoPlaceholder is not escaping values correctly

  • OPENAM-22696: Persistent search notification invalidation on AD identity store doesn’t invalidate user cached attributes

  • OPENAM-22620: Slow response from access token endpoint using client credentials grant

  • OPENAM-22602: OIDC ID Token Validator node uses own httpClient settings to connect to JWK or well-known URL

  • OPENAM-22421: Webauthn: Windows Hello TPM Attestation failing for Windows 11 22H2

  • OPENAM-22289: Session quota action may fail when the session isn’t updatable but should be fine to proceed

  • OPENAM-22181: Approve UMA request fails with 500 error when AM deployed as a platform

  • OPENAM-22171: Forgotten password fails when AM searches for the identity to modify

  • OPENAM-22119: "Access to Java class ScriptedLoggerWrapper prohibited" exception

  • OPENAM-22109: The expiry time of OPS token in 7.x doesn’t change with the time of tokens created

  • OPENAM-22017: Configuration Provider node creates node class dynamically leading to native memory leak

  • OPENAM-21976: Single point of locking contention when doing client-based session logout

  • OPENAM-21972: SAML artifact binding is using crosstalk for artifact resolution

  • OPENAM-21941: Unable to edit policies in the UI

  • OPENAM-21937: Quota enforcement affects agent sessions that authenticate by tree

  • OPENAM-21936: Unable to use legacy and next-generation scripts in the same authentication tree

  • OPENAM-21868: ssoadm create-sub-cfg not working for AM 7.2+ due to the context= field

  • OPENAM-21854: TermsAndConditionsCallback fails with error on XUI

  • OPENAM-21803: Certificate User Extractor node cannot resolve wrong name when UPN SubjectAltNameExt

  • OPENAM-21780: Next-generation httpClient script binding adds "null" as entity to GET requests

  • OPENAM-21664: Upgrade fails to AM 7.4.0 with an uncaught exception when initializing the PrivilegeIndexStore class

  • OPENAM-21484: OAuth 2.0 token introspection response has different claim value types when introspecting refresh tokens

  • OPENAM-21473: Certificate Collector node: getPortalStyleCert throws exception when cert/header not present

  • OPENAM-21466: AM using OIDC social authentication fails to verify ID token if remote JWK_URIs have duplicate KID

  • OPENAM-21191: Web agent sessions have a long session lifetime of 42 years

  • OPENAM-20609: Inconsistent error message when generating access token using refresh token after changing username

  • OPENAM-19999: ID token as AM session doesn’t work with /authorize when openid scope is requested

  • OPENAM-19889: Policy evaluation fails with agent access token JWT as subject

  • OPENAM-17816: 500 Internal Server Error (from NPE) returned for a missing Content-Type header

AM 7.4

  • OPENAM-21476: Persistent Cookie isn’t created when using Configuration Provider node

  • OPENAM-21421: Scripting logger name isn’t based on logging hierarchy convention

  • OPENAM-21390: Fix caching error when a journey switches backend instances to correctly provide data to nodeState

  • OPENAM-21360: Add java.util.concurrent.ExecutionException to AM scripting class allowlist

  • OPENAM-21323: LDAP (inline) upgrade fails due to policy creation of UssSelfWriteAttributes

  • OPENAM-21304: Retain request URI values specified during dynamic client registration

  • OPENAM-21164: Fix type issue of XML String in SAML responses when using a custom adapter

  • OPENAM-21160: Make sure secure state values are retained when navigating the authentication tree

  • OPENAM-21158: Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2

  • OPENAM-21085: Undefined bindings are incorrectly evaluated in Groovy scripts

  • OPENAM-21069: WindowsDesktopSSO authentication is failing

  • OPENAM-21053: Missing userId from Access audit log when org.forgerock.security.oauth2.enforce.sub.claim.uniqueness=false in JWT client authentication flow

  • OPENAM-21010: Social authentication user profile corrupted when remote OIDC server provides non-English identity claims

  • OPENAM-21004: AM will always look for valid session when scope=openid

  • OPENAM-21001: SAML IdPAccountMapper isn’t correctly determined

  • OPENAM-20980: OIDC social provider uses configured issuer instead of wellknown endpoint issuer when using regex comparison

  • OPENAM-20953: Return subject attributes correctly when evaluating a policy using a JwtClaim as subject type

  • OPENAM-20920: Improve handling of SAML2 IDP metadata that uses SSO endpoint entries other than HTTP-POST or HTTP-Redirect bindings when binding is null

  • OPENAM-20897: Debug logs not showing info for ERROR: Unsupported Callback, "{0}" and others

  • OPENAM-20895: Newly created Maven archetype project for building custom authentication nodes fails to build

  • OPENAM-20851: Existing registered devices unable to use push notifications when AWS SNS credentials are updated

  • OPENAM-20784: TestUMAPolicy fails for users that will cause LocalizedIllegalArgumentException

  • OPENAM-20756: Social authentication request for Apple fails due to duplicated response_mode=form_post request parameter

  • OPENAM-20691: Fix rare race condition in session quota destroy next expiring action that can lead to the oldest session not being destroyed

  • OPENAM-20682: Unable to encrypt from jwk_uri where there are multiple JWKs with the same kid but different algorithms

  • OPENAM-20490: AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes"

  • OPENAM-20451: Fix to display user-friendly account name during WebAuthn device registration

  • OPENAM-20299: Fix to make agent authentication honor com.iplanet.am.session.agentSessionIdleTime

  • OPENAM-20230: Class allowlisting denies access to permitted classes after running for an extended period of time

  • OPENAM-20026: Social IDP with trailing whitespace in the name can’t be deleted using the UI

  • OPENAM-20024: Improve debug logging when login to XUI fails with HTTP 404 JsonValueException from endpoint

  • OPENAM-19282: Recovery Code Display Node works only immediately after Registration node

  • OPENAM-19261: Fix incorrectly logged errors when introspecting tokens using OAuth 2.0 client credentials grant

  • OPENAM-18709: New nodeState.getObject method added to return values stored in both shared and secure state

  • OPENAM-18685: New realm-level configuration setting to remove or skip subname claim

  • OPENAM-18004: Support sequential transaction IDs to improve audit logging for HTTP requests to IDM

  • OPENAM-17331: Push Notifications: User with disabled endpoint is not able to login

  • OPENAM-17179: Deleting an authentication tree leaves orphaned nodes that prevent deletion of referenced scripts

AM 7.3.x

AM 7.3.1

  • OPENAM-22017: ConfigProviderNode creates node class dynamically leading to native memory leak

  • OPENAM-21976: Single point of locking contention when performing client-based session logout

  • OPENAM-21941: Unable to edit policies in the UI

  • OPENAM-21854: TermsAndConditionsCallback fails with error on XUI

  • OPENAM-21728: Certificate module fails using JDK 11.0.21 and later with undefined access to private method

  • OPENAM-21484: Introspecting OAuth 2.0 refresh tokens results in different claim value types in the response

  • OPENAM-21421: Scripting logger name isn’t based on logging hierarchy convention

  • OPENAM-21390: ConsumedStateDataCache can cache an incomplete set of reachability data when on multi-AM environment

  • OPENAM-21304: OAuth 2.0 dynamic client registrations don’t retain request_uri values when creating

  • OPENAM-21164: Calling toXMLString in custom SAML adapter can return incorrectly formatted XML leading to invalid signature

  • OPENAM-21160: Inconsistent values in secure state when navigating an authentication tree

  • OPENAM-21158: Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2

  • OPENAM-21069: WindowsDesktopSSO authentication is failing

  • OPENAM-21010: Social authentication for remote OIDC server for user profile non-English words corrupted

  • OPENAM-21004: AM will always look for valid session when scope=openid

  • OPENAM-21001: IdPAccountMapper is not correctly determined

  • OPENAM-20980: Unable to use issuer comparison check regex in oidc social provider

  • OPENAM-20897: Debug logs not showing info for ERROR: Unsupported Callback, "{0}" and others

  • OPENAM-20895: Newly-created Maven archetype project fails to build

  • OPENAM-20756: OIDC social authentication request (Apple) fails due to duplicate response_mode=form_post request parameter

  • OPENAM-20691: Destroy oldest session may fail to work

  • OPENAM-20682: Unable to encrypt from jwk_uri when there are duplicate kid

  • OPENAM-20490: AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes"

  • OPENAM-20026: Trailing whitespace prevents social provider deletion via UI

  • OPENAM-19999: ID token as AM session doesn’t work with /authorize when openid scope is requested

  • OPENAM-19889: Policy evaluation fails with agent access token JWT as subject

  • OPENAM-19282: Recovery Code Display Node works only immediately after Registration node

  • OPENAM-18599: Allow for custom error message if user account is locked

AM 7.3

  • OPENAM-20396: Authentication tree is selected by order of acr to tree mapping, not the default values, and order is not preserved

  • OPENAM-20360: Ampersand is double encoded in the Destination of a SAML Assertion

  • OPENAM-20260: Unable to log into AM when external application store is down

  • OPENAM-20230: Class allowlisting fails with permission denied after an extended period

  • OPENAM-20181: AD account notification fails

  • OPENAM-20159: Upgrader adds requestObjectProcessing to OAuth2Provider subconfigs

  • OPENAM-20104: The fragment response_mode for the /oauth2/authorize endpoint is not working

  • OPENAM-20085: STS token generation does not work with clustered docker pods

  • OPENAM-20082: Locked out users are shown a misleading error message

  • OPENAM-19868: Correctly handle multi-line text in Email Suspend nodes

  • OPENAM-19866: Excessive logging when accessing protected resources

  • OPENAM-19726: The par endpoint doesn’t return a request_uri when using JAR and claims are provided

  • OPENAM-19515: Unable to update session service with read only identity store

  • OPENAM-18818: Persistent search error message shows wrong DS identifier

  • OPENAM-18488: Windows Hello with TPM/platform authenticator returns two certificates

  • OPENAM-18172: Multiple instances of "No Social Authentication Service found for realm" logged at WARNING level

  • OPENAM-17215: Policy debug log fills up at very high pace if the config store is not found

  • OPENAM-13766: No configuration found for login with SessionConditionAdvice=deny

AM 7.2.x

AM 7.2.2

  • OPENAM-22380: LDAP Decision node adding wrong username causing incorrect log messages

  • OPENAM-22289: Correctly check failure to save read session causing session quota failure

  • OPENAM-22017: ConfigProviderNode creates node class dynamically leading to native memory leak

  • OPENAM-21976: Single point of locking contention when doing client-based session logout

  • OPENAM-21972: SAML artifact binding fails in load-balanced deployment

  • OPENAM-21941: Unable to edit policies in the UI

  • OPENAM-21937: Quota enforcement affecting agent sessions that authenticate by tree

  • OPENAM-21728: Certificate module fails using JDK 11.0.21 and later with undefined access to private method

  • OPENAM-21484: Introspecting OAuth 2.0 refresh tokens results in different claim value types in the response

  • OPENAM-21473: Certificate collector node: getPortalStyleCert throws exception when cert/header not present

  • OPENAM-21390: ConsumedStateDataCache can cache an incomplete set of reachability data when on multi-AM environment

  • OPENAM-21304: OAuth 2.0 dynamic client registrations don’t retain request_uri values when creating

  • OPENAM-21160: Ensure secure state values are retained when navigating the authentication tree

  • OPENAM-21010: Social authentication user profile corrupted when remote OIDC server provides non-English identity claims

  • OPENAM-21004: AM will always look for valid session when scope=openid

  • OPENAM-21002: CTS task queue full and SeriesTaskExecutorThread can get stuck waiting

  • OPENAM-20897: Issue with logging unsupported callbacks

  • OPENAM-20783: OAuth 2.0 authorization code flow throws an error when content-type isn’t x-www-form-urlencoded and body isn’t JSON

  • OPENAM-20756: Social authentication request for Apple fails due to duplicated response_mode=form_post request parameter

  • OPENAM-20682: Unable to encrypt from jwk_uri where there are multiple JWKs with the same kid but different algorithms

  • OPENAM-20396: Authentication tree is selected by order of acr to tree mapping, not the default values, and order is not preserved

  • OPENAM-20104: The fragment response_mode for the /oauth2/authorize endpoint is not working

  • OPENAM-20026: Social IDP with trailing whitespace in the name can’t be deleted using the UI

  • OPENAM-19999: ID token as AM session doesn’t work with /authorize when openid scope is requested

  • OPENAM-19282: Recovery Code Display node works only immediately after Registration node

  • OPENAM-19261: Fix incorrectly logged errors when introspecting tokens using OAuth 2.0 client credentials grant

  • OPENAM-18599: Allow for custom error message if user account is locked

  • OPENAM-17816: 500 internal server error (from NPE) returned for a missing Content-Type header

AM 7.2.1

  • OPENAM-20360: Ampersand is double encoded in the Destination of a SAML Assertion

  • OPENAM-20318: Accessing AM end user login page for PlatformLogin journey in platform environment shows non-rendered html

  • OPENAM-20260: Unable to log into AM when external application store is down

  • OPENAM-20230: Class allowlisting fails with permission denied after an extended period

  • OPENAM-20181: AD account notification fails

  • OPENAM-20082: Locked out users are shown a misleading error message

  • OPENAM-20031: Access token modification can no longer access refresh token reference

  • OPENAM-19884: AM returns 500 error when ; is used in the access token header

  • OPENAM-19684: Error EntitlementService.getSubjectAttributesCollectorConfiguration logged on initial agent access

  • OPENAM-19537: UserSelfCheckCondition.getConditionDecision logging WARN too much when nothing wrong

  • OPENAM-19515: Unable to update session service with read-only identity store

  • OPENAM-19506: Installer fails after pressing "cancel" button at amadmin password page

  • OPENAM-19455: Adding Authentication Context without Level value results in uneditable entity

  • OPENAM-18818: Persistent search error message shows wrong DS identifier

  • OPENAM-18172: Multiple instances of "No Social Authentication Service found for realm" logged at WARNING level

  • OPENAM-17215: Policy debug log fills up at very high pace if the config store is not found

  • OPENAM-16241: Switching CTS Storage Scheme with stateful refresh-tokens from 1-1 to grantset

  • OPENAM-12101: Connection pool not restarted if LDAP authentication module admin bind password is incorrect

AM 7.2

  • OPENAM-19427: KBA questions are not falling back to the default language when French is present in the restart password flow

  • OPENAM-19384: Suspended Authentication Resume URI is resolved with a missing /

  • OPENAM-19381: Timer Stop Node’s stop recording does not capture the reference start time of the Timer Start Node

  • OPENAM-19380: Social Google node does not work if placed after an input collector in a tree

  • OPENAM-19359: Social authentication not working on Subrealms

  • OPENAM-19297: OIDC MayAct claims script fails to access clientProperties and causes Java security exception

  • OPENAM-19290: In a cluster, changing AM debug level on local AM2 to remote AM1 does not take effect until the remote AM1 is restarted

  • OPENAM-19281: OIDC dynamic client registration cannot take \n in the client_description

  • OPENAM-19266: Cannot add Page Headers or Page Descriptions to page nodes in tree editor

  • OPENAM-19220: WebAuthN/Fido - Cannot authenticate with recovery codes on Windows

  • OPENAM-19208: Webhook with an empty url field throws NPE during a webhook session upgrade

  • OPENAM-19196: JavaScript origins in the OAuth2 Client need a restart to apply the changes

  • OPENAM-19190: LDAPAuthUtils for BASE_OBJECT does not work with special userId characters

  • OPENAM-19162: REST API definition inaccurate for endpoint /realm-config/saml

  • OPENAM-19123: AM validates duplicate registration tokens

  • OPENAM-19122: AM’s jwks_uri endpoint should preserve order of keys within the set

  • OPENAM-19108: "Agent" auth tree creates tokens with insufficient permissions

  • OPENAM-19086: rest-sts endpoint is not included when CORS is enabled

  • OPENAM-19083: Creating a client-based access and refresh token breaks subsequent use of Session Quotas

  • OPENAM-19042: When using Apple SSO, the Social Identity Provider Handler node ignores the user info returned

  • OPENAM-18996: Issues with trees and navigating quickly between Social Login providers

  • OPENAM-18990: Non-compliant OAuth 2.0 error response generated

  • OPENAM-18953: Insufficient logging when OAuth 2.0 token request fails due to invalid client secret

  • OPENAM-18952: KBA questions are not falling back to the default language when French is present

  • OPENAM-18928: Client credential OAuth 2.0 request results in searches for OAuth 2.0 client against the Identity Store

  • OPENAM-18921: Double slashes in oauth 2.0 claim names are handled incorrectly

  • OPENAM-18891: JWT Profile Oauth 2.0 grant returns invalid_grant

  • OPENAM-18883: Inconsistent error response from Client authentication using private_key_jwt

  • OPENAM-18877: Creating SAML providers with entity ids containing the plus (+) symbol results in errors listing and creating new providers

  • OPENAM-18864: Upgrade Radius Server Client Secrets fails due to service config cache cleared

  • OPENAM-18833: Client authentication using private_key_jwt will cause 500 if claims value is null

  • OPENAM-18775: LdapDecisionNode throws NullPointerException on shared IDM Repository DataStore when Password change policy triggered

  • OPENAM-18756: Entering correct OTP after an incorrect OTP fails authentication

  • OPENAM-18754: User profile success URL ignored when authenticating with trees

  • OPENAM-18753: Upgrading AM Radius server with clients causes Radius auth failures

  • OPENAM-18705: Problem with Page Node using node relying on secureState

  • OPENAM-18701: DN cache doesn’t get deleted in some cases

  • OPENAM-18684: Redirect to authorize endpoint fails for 2nd OIDC App for Federated Users with multiple OIDC Clients

  • OPENAM-18679: OATH Registration node doesn’t work when placed inside a Page node

  • OPENAM-18663: AM should check new realm with rest end-point names by ignoring case

  • OPENAM-18661: Two or more OAuth2 clients with duplicate origins causes CORS filter to be aborted

  • OPENAM-18655: Deleting OAuth2 Client provides unneeded Notification error message in IdRepo

  • OPENAM-18644: IdRepo cache can not be disabled anymore

  • OPENAM-18640: REST-STS uses the old path to reach the users endpoint

  • OPENAM-18623: Issue with jwk_uri endpoint called in parallel

  • OPENAM-18610: RealmOAuth2ProviderSettings for getJwks permits an empty set

  • OPENAM-18605: Proxy authentication required error when connecting to a target host over https via a proxy that requires authentication

  • OPENAM-18586: No debug message when AM can’t read the encrypted_base64 folder after upgrade

  • OPENAM-18573: URLPatternMatcher or RedirectURLValidator fails when query string contains "%20"

  • OPENAM-18547: Unable to load PlatformRegistration when Using Stateless Access Token with BaseURL

  • OPENAM-18533: Distinguish between standard OIDC and JAR OIDC request parameters

  • OPENAM-18524: Client assertion JWT generated for private_key_jwt OAuth 2.0 client authentication does not provide a "kid" header, so it can be rejected by external OAuth 2.0 providers

  • OPENAM-18523: NullPointerException when Web Agent group is changed

  • OPENAM-18487: Trust anchor check fails with Yubikey

  • OPENAM-18460: max_age parameter is overwritten

  • OPENAM-18459: IdTokenInfo endpoint behavior has changed and fails when using client_id in POST

  • OPENAM-18457: OIDC authentication nodes do not work in sub-realm when response_mode=form_post is requested from OP

  • OPENAM-18443: Transactional authentication is disabled on new installs

  • OPENAM-18436: UMA pending requests are stored differently depending on sub claim uniqueness mode

  • OPENAM-18434: Authorization Code flow redirects to malformed uri if redirect_uri contains underscore

  • OPENAM-18432: Remove the internal idm-delegation grant type from the well known info

  • OPENAM-18422: Email Template node creates threads without terminating them

  • OPENAM-18389: HttpClientHandler Guice injection in tree is typically broken with thread pool growth

  • OPENAM-18384: Email Suspend Node clears the secure state

  • OPENAM-18377: Authorization fails using auth module if user has authenticated with alias name

  • OPENAM-18359: Choice Collector Node not present following upgrade

  • OPENAM-18321: CertificateCollectorNode fails when checking cert in LDAP Directory Server

  • OPENAM-18306: OAuth 2.0 Authorization Code Grant Fails when including scope parameter at access_token endpoint

  • OPENAM-18297: Outbound calls to jwk_uri endpoint do not support proxy settings

  • OPENAM-18268: webauthnDeviceProfiles is not multi-valued for AD

  • OPENAM-18256: JWK Cache timeout is not set for OAuth 2.0 clients created dynamically

  • OPENAM-18252: Allow nodes to update the universal ID for use cases like impersonation and peer authentication

  • OPENAM-18235: IdPAdapter does not have access to IDPCache in preSendResponse hook when there is an existing session

  • OPENAM-18227: Upgrade from 6.0.x / 6.5.x fails with Unsupported node type PersistentCookieDecisionNode

  • OPENAM-18212: Check for user/agent profile condition during login can be refined further

  • OPENAM-18207: Global Service cache is not updated by changes from other servers in a site

  • OPENAM-18205: Excessive logging occurs when agent profile is not found

  • OPENAM-18180: No TransactionId present for AuthTreeExecutor

  • OPENAM-18171: Back-Channel logout keeps adding to trackingIds audit for every logout

  • OPENAM-18167: OIDC requests with request parameter fail with 500 error when there is no session using POST

  • OPENAM-18153: OpenIdConnect node call to well-known endpoint does not support proxy settings

  • OPENAM-18149: Wrong log file is used for SAML2 extensions log message

  • OPENAM-18141: AM no longer uses global SAML configuration

  • OPENAM-18140: AM Error "Trying to redefine version 0.0 for path" thrown on AM startup with forgeops

  • OPENAM-18132: Failed to get the distinct userIdAttributes for configured identity stores in realm

  • OPENAM-18121: Complex authentication trees load slowly

  • OPENAM-18120: Audit logging service does not correctly reflect the "prompt" URL parameter

  • OPENAM-18119: Audit log no longer shows the userID of session being invalidated by amAdmin

  • OPENAM-18118: OAuth 2.0 - AM does not implement 'device authorization grant' as specified in RFC 8628

  • OPENAM-18112: Misleading error message when LDAP auth node connects to a TLS-enabled server

  • OPENAM-18090: Creation of UMA Policy to share a resource fails when identities have custom attributes

  • OPENAM-18085: SocialProviderHandlerNode does not work in an upgraded AM

  • OPENAM-18068: Upgrade from the AM 6.5.3 to 7.1.0 does not work, if Java Agent profile exists

  • OPENAM-18065: Logback.jsp cannot be used to set log levels for loggers in custom code

  • OPENAM-18062: SPACSUtils withholds exception and does not log error

  • OPENAM-18057: Identities page displays Internal Server Error when a user does not have search attribute defined

  • OPENAM-18043: Device Match module not setting correct AuthLevel

  • OPENAM-18030: Message node shows inconsistent behavior regarding the default locale

  • OPENAM-18017: Creation of UMA Policy to share a resource fails when identities have custom object classes

  • OPENAM-18009: HTTP error code 500 when authenticating with authIndexType service without authIndexValue

  • OPENAM-18006: Persistent search for identity store does not recover

  • OPENAM-18003: WS-Federation Active Requestor Profile does not work with Authentication Trees

  • OPENAM-17993: org.forgerock.openam.auth.nodes.webauthn.trustanchor.TrustAnchorValidator is missing a @Nullable annotation

  • OPENAM-17979: Backchannel authentication auth_req_id can be used to obtain multiple access tokens

  • OPENAM-17973: Retrieving auth code in a realm fails if session for another realm exists

  • OPENAM-17962: LDAP Decision Node does not put updated password in transient state

  • OPENAM-17954: Accept-Language header locale ignored on OAuth 2.0 Consent page

  • OPENAM-17935: Missing return statement in the happy flow of the kerberos node

  • OPENAM-17923: Retry Limit Decision should not involve user when Save Retry Limit to User is disabled

  • OPENAM-17916: When no session exists logout page redirects to login

  • OPENAM-17912: Account lockout count is not reset correctly

  • OPENAM-17904: JSON Audit Log Location not working when modifying location to only include %SERVER_URI% variable

  • OPENAM-17896: ForgottenPassword Reset on multiple clusters not working when reset link is clicked

  • OPENAM-17870: ScriptedDecisionNodes schema config not upgraded and sharedState does not work after upgrade

  • OPENAM-17830: Error messages are logged when the Push Notification Service is absent

  • OPENAM-17828: Apostrophe in username breaks Push/OATH device registration

  • OPENAM-17826: introspect endpoint returns a static value for expires_in when using client-based tokens

  • OPENAM-17814: Auth Tree step-up fails if username case does not match

  • OPENAM-17793: OIDC pairwise subject not working when multiple redirect URIs configured with the same hostname

  • OPENAM-17783: Language tag limited to 5 characters instead of 8

  • OPENAM-17782: Policy evaluation fails with 400 error when user does not exist

  • OPENAM-17760: PEM support incorrectly decodes some EC private keys

  • OPENAM-17718: OAuth 2.0 introspection endpoint does not accept Accept header with extra accept extension param (like weight q=0.8) or charset

  • OPENAM-17689: LDAPv3PersistentSearch should log when psearch connection is lost

  • OPENAM-17688: InMemoryCtsSessionCacheStep#cacheTrusted field should be marked volatile

  • OPENAM-17683: Selfservice user registration auto login fails for a sub-realm

  • OPENAM-17678: RADIUS server fails to initialize on startup because the config cache is refreshed

  • OPENAM-17677: oauth2/device/code endpoint does not support locale parameter

  • OPENAM-17663: Improve the error response code for "Failed to revoke access token"

  • OPENAM-17610: OTP Email Sender node does not let you specify connect timeout and IO/read timeout for underlying transport

  • OPENAM-17593: Deadlock when admin token is invalid and when config data is cleared

  • OPENAM-17591: Session quota destroy next expiring action can fail when two new sessions attempt to read and update the same expiring session

  • OPENAM-17590: OIDC login hint cookie broken since 7.0

  • OPENAM-17587: OIDC bearer token authentication module requires context value setting for client secret

  • OPENAM-17548: Can’t go back to login page after invoking Social Authentication Nodes

  • OPENAM-17521: Insufficient error logging to track down Multivalued RDNs not supported issue

  • OPENAM-17515: Sub attribute in access token can be in wrong case

  • OPENAM-17493: OAuth 2.0 node does not support external proxy authentication (user/pass)

  • OPENAM-17440: OAuth 2.0 service provider does not error if IAT attribute is mandatory but not issued

  • OPENAM-17426: No validation for attribute collector node

  • OPENAM-17405: Token introspection response not spec compliant

  • OPENAM-17351: AM File based config setup cannot be used with AM recording to dump the config

  • OPENAM-17320: Revisit prompt=login behavior change that keeps existing session

  • OPENAM-17308: Custom IdRepo uninstall realm-config/services/id-repositories?_action=nextdescendents fails

  • OPENAM-17265: Amster updates incorrect authorized_keys file

  • OPENAM-17040: UMA policy creation does not work with shared repo

  • OPENAM-16988: accessedEndpoint including port causes verify Assertion Consumer URL to fail

  • OPENAM-16953: Custom idrepo sample using IdRepoConfig does not work

  • OPENAM-16881: SAML federation library stopped supporting ACS URLs with query parameters

  • OPENAM-16653: Identity using fr-idm-uuid has wrong account ID in FR Authenticator

  • OPENAM-16642: Server id creation can fail when id is greater than 100

  • OPENAM-16490: OWASP ESAPI broken

  • OPENAM-16418: Client auth using private_key_jwt fails with 500 if claim format is wrong

  • OPENAM-16262: Javadocs for IdUtils needs updating

  • OPENAM-16216: Get Session Data node improvements

  • OPENAM-15472: HOTP - text for performed attempts is hard-coded and not localisable

  • OPENAM-15408: oauth2/connect/jwk_uri does not expose keys of the remote consent agent profile

  • OPENAM-15278: "Access Denied" error when accessing logout link and not currently signed in

  • OPENAM-14343: AM console - localisation issue for algorithms in global Common Federation Configuration

  • OPENAM-13855: CTS creates too many connections to DS

  • OPENAM-13312: Stateless non-expiring refresh tokens fail with "invalid_grant"

  • OPENAM-12969: UMA Resource deletion results in a 500 error unless another resource has been created within the same resource set

  • OPENAM-11636: IdP-Proxy - proxyidpfinder.jsp is not triggered when 'Use IDP Finder' is enabled for remote SP entity

AM 7.1.x

AM 7.1.4
  • OPENAM-21004: AM will always look for valid session when scope=openid

  • OPENAM-21002: CTS task queue full and SeriesTaskExecutorThread can get stuck waiting

  • OPENAM-20897: Issue with logging unsupported callbacks

  • OPENAM-20691: Destroy oldest session may fail to work

  • OPENAM-20396: Authentication trees are selected in order of ACR - tree mapping (not in the default order) and order is not preserved

  • OPENAM-20318: Accessing AM End user login page for PlatformLogin journey in platform environment shows non-rendered HTML

  • OPENAM-20260: Unable to log into AM when external application store is down

  • OPENAM-20230: Class whitelisting fails with permission denied after an extended period

  • OPENAM-20181: AD account notification fails

  • OPENAM-20085: STS token generation does not work with clustered docker pods

  • OPENAM-20082: Locked out users are shown a misleading error message

  • OPENAM-19954: SAML hosted entity uses algorithm set in common federation configuration instead of algorithm set in hosted entity configuration

  • OPENAM-19362: AM to DS certificate log message logged at warning instead of error or critical

  • OPENAM-18818: Persistent search error message shows wrong DS identifier

  • OPENAM-18629: RestSTS should validate sessions with a local call and use asynchronous HTTP calls for remote calls

  • OPENAM-18488: Windows Hello with TPM/platform authenticator returns two certificates

  • OPENAM-17591: Session quota action destroy next expiring token can fail when two new sessions attempt to read and update the same expiring session

  • OPENAM-17215: Policy debug log fills up at very high pace if the config store is not found

  • OPENAM-13766: No configuration found for login with SessionConditionAdvice=deny

AM 7.1.3
  • OPENAM-19884: AM returns 500 when ';' is used in the access token header

  • OPENAM-19865: Memory Leak due to samlResponseDataHash not being cleaned up

  • OPENAM-19649: ID token not linked to session when authorising with sso token

  • OPENAM-19613: "PSearch is already removed" error message should be a warning

  • OPENAM-19537: UserSelfCheckCondition.getConditionDecision logs at WARN level when nothing is wrong

  • OPENAM-19530: Upgrade fails when Organization schema defaults are missing for service 'sunFAMSAML2Configuration'

  • OPENAM-19515: Unable to update session service with read only identity store

  • OPENAM-19512: Faulty Legacy OAuth 2.0 frrest/oauth2 endpoints

  • OPENAM-19506: Installer fails after pressing "cancel" button at amadmin password page

  • OPENAM-19455: Adding Authentication Context without Level value results in uneditable entity

  • OPENAM-19427: Display security questions in the correct default language

  • OPENAM-19384: Suspended Authentication Resume URI is resolved with a missing '/'

  • OPENAM-19381: Timer Stop Node’s stop recording does not capture the reference start time of the Timer Start Node

  • OPENAM-19297: OIDC MayAct claims script fails to access clientProperties and causes Java security exception

  • OPENAM-19290: In a cluster, changing the AM debug level of a remote server (AM1) from a local server (AM2) does not take effect until AM1 is restarted

  • OPENAM-19281: OIDC dynamic client registration cannot handle "\n" in the client_description

  • OPENAM-19220: WebAuthn/FIDO: cannot authenticate with recovery codes on Windows

  • OPENAM-19208: Webhook with an empty url field throws NPE during a webhook session upgrade

  • OPENAM-19190: LDAPAuthUtils for BASE_OBJECT does not work with special userId characters

  • OPENAM-19162: REST API definition inaccurate for endpoint '/realm-config/saml'

  • OPENAM-19123: AM validates duplicate registration tokens

  • OPENAM-19122: AM’s jwks_uri endpoint should preserve order of keys within the set

  • OPENAM-19119: GetAuthenticatorApp Node needs better localization support

  • OPENAM-19112: AM with embedded DJ always runs DJ backup and upgrade

  • OPENAM-19111: Insufficient debug logging to troubleshoot the error "Illegal arguments: One or more required arguments is null or empty" when updating a user identity subject through the REST API

  • OPENAM-19109: Insufficient debug logging to troubleshoot CORS service

  • OPENAM-19108: "Agent" auth tree creates tokens with insufficient permissions

  • OPENAM-19086: rest-sts endpoint is not included when CORS is enabled

  • OPENAM-19083: Creating a client-based access & refresh token breaks subsequent use of Session Quotas

  • OPENAM-19016: Logback.jsp should show the actual setting of the loggers instead of defaults

  • OPENAM-19011: QR code message used in MFA Authentication node should be customizable / localizable

  • OPENAM-18990: Non-compliant OAuth2 error response generated

  • OPENAM-18952: KBA questions are not falling back to the default language when French is present

  • OPENAM-18891: JWT Profile Oauth2 Grant returns 'invalid_grant'

  • OPENAM-18835: JCEEncryption throws ArrayIndexOutOfBoundsException when decrypting empty bytes

  • OPENAM-18834: AM fails to start when upgrading after using am-upgrader

  • OPENAM-18655: Deleting OAuth2 Client causes unnecessary notification error message in IdRepo

  • OPENAM-18478: XUI shows incorrect subjectType following upgrade from AM < 6.5.3

  • OPENAM-18457: OIDC authentication nodes do not work in sub-realm when response_mode=form_post is requested from OP

  • OPENAM-18432: Remove the internal idm-delegation grant type from the well known info

  • OPENAM-18384: Email Suspend Node clears the secure state

  • OPENAM-18268: webauthnDeviceProfiles is not multi-valued for AD

  • OPENAM-18252: Allow nodes to update the universal ID for use cases like impersonation and peer authentication

  • OPENAM-18196: More meaningful error message when Client Secret is not URL-encoded

  • OPENAM-18172: Multiple instances of "No Social Authentication Service found for realm" logged at WARNING level in logs

  • OPENAM-18149: Wrong log file is used for SAML2 extensions log message

  • OPENAM-18132: Failed to get the distinct userIdAttributes for configured identity stores in realm

  • OPENAM-18113: LDAP authentication node: changing the connection mode does not recreate the connection pool

  • OPENAM-18112: Misleading error message when LDAP auth node connects to a TLS-enabled server

  • OPENAM-18062: SPACSUtils withholds exception and does not log error

  • OPENAM-17973: Retrieving auth code in a realm fails if session for another realm exists

  • OPENAM-17882: Slow memory leak when a failed persistent search starts retry activity

  • OPENAM-17835: Do not display "Unable to retrieve instance of the ValidationServiceConfig" after IdP-initiated SSO

  • OPENAM-17688: InMemoryCtsSessionCacheStep#cacheTrusted field should be marked volatile

  • OPENAM-17351: AM File based config setup cannot be used with AM recording to dump the config

  • OPENAM-17308: Custom IdRepo uninstall realm-config/services/id-repositories?_action=nextdescendents fails

  • OPENAM-17201: XMLEncryption does not comply with standard when 'rsa-oaep-mgf1p' is being used

  • OPENAM-16953: Custom idrepo sample using IdRepoConfig does not work

  • OPENAM-16878: Scripted Decision Node secrets binding object does not have public API

  • OPENAM-16490: OWASP ESAPI lib is missing some classes

  • OPENAM-16241: Switching CTS Storage Scheme with stateful refresh-tokens from 1-1 to grantset

  • OPENAM-15997: Enhance CookieHelper to perform better cookie detection

  • OPENAM-15472: HOTP - text for performed attempts is hard-coded and not localisable

  • OPENAM-15408: oauth2/connect/jwk_uri does not expose keys of the remote consent agent profile

  • OPENAM-14343: AM console - localisation issue for algorithms in global Common Federation Configuration

  • OPENAM-13766: No configuration found for login with SessionConditionAdvice=deny

  • OPENAM-12992: Misleading error message in XUI console when existing DNS alias is provided

  • OPENAM-12101: Connection pool not restarted if LDAP authentication module admin bind password is incorrect

  • OPENAM-11319: Add localized "description" for JSON response content to OAuth2UserApplications#getResourceResponse

AM 7.1.2
  • OPENAM-18928: Client credentials grant request results in searches for the OAuth 2.0 client against the identity store

  • OPENAM-18921: Double slashes in OAuth 2.0 claim name handled incorrectly

  • OPENAM-18883: Inconsistent error response from Client authentication using private_key_jwt

  • OPENAM-18864: Upgrade Radius Server Client Secrets fails due to service config cache cleared

  • OPENAM-18836: No TransactionId in "debug.out" for the AM recording

  • OPENAM-18833: Client authentication using private_key_jwt will cause 500 if claims value is null

  • OPENAM-18780: JwksOAuth2AgentEventListener class not setting the correct default cache miss time value

  • OPENAM-18756: Entering the correct OTP after entering a wrong OTP fails authentication

  • OPENAM-18753: Upgrading AM Radius server with clients causes Radius auth failures

  • OPENAM-18711: AES Encryption/Decryption fails when running in Java 17

  • OPENAM-18705: Problem with Page node containing a node that relies on secureState

  • OPENAM-18684: Redirect to the /authorize endpoint fails for the second OIDC application for federated users with multiple OIDC clients

  • OPENAM-18679: OATH Registration node does not work when placed inside a Page node

  • OPENAM-18663: AM should compare new realm names against REST endpoint names case-insensitively

  • OPENAM-18661: Two or more OAuth 2.0 clients with duplicate origins cause the CORS filter to be aborted

  • OPENAM-18646: Upgrade from AM 7.1.0 to 7.2 or later may fail because of an existing Java agent profile

  • OPENAM-18644: IdRepo cache can no longer be disabled

  • OPENAM-18640: REST-STS is using the old path to reach /users endpoint

  • OPENAM-18623: Issue with the jwk_uri endpoint when called in parallel

  • OPENAM-18610: RealmOAuth2ProviderSettings.getJwks incorrectly permits an empty key set

  • OPENAM-18605: Proxy authentication required error when connecting to a target host over https via a proxy that requires authentication

  • OPENAM-18586: No debug message when AM cannot read the encrypted_base64 folder after upgrade

  • OPENAM-18547: Unable to load PlatformRegistration when Using Stateless Access Token with BaseURL

  • OPENAM-18536: Java agent property org.forgerock.agents.session.change.notifications.enabled should be presented in XUI

  • OPENAM-18511: Missing navigation options when an expired link from "Email Suspend" node is used

  • OPENAM-18443: Transactional authentication is disabled on new installs

  • OPENAM-18434: Authorization Code flow redirects to malformed uri if redirect_uri contains underscore

  • OPENAM-18297: Outbound calls to the jwk_uri endpoint do not support proxy settings

  • OPENAM-18256: JWK Cache timeout is not set for OAuth 2.0 clients created dynamically

  • OPENAM-18175: SMSUtils#addAttributesToMap inconsistency with array ordering

  • OPENAM-18141: AM no longer uses global SAML configuration

  • OPENAM-18130: "Agent Configuration Change Notification" uses the same help text in the XUI for Java and web agents, but the property names differ

  • OPENAM-18120: Audit logging service does not correctly reflect the "prompt" URL parameter

  • OPENAM-18090: Creation of UMA Policy to share a resource fails when identities have custom attributes

  • OPENAM-18030: Message node shows inconsistent behavior regarding the default locale

  • OPENAM-18005: Insufficient error message to troubleshoot persistent search issue

  • OPENAM-17949: Account lockout applied to tree even when ignore profile selected

  • OPENAM-17904: JSON Audit Log Location not working when modifying location to only include %SERVER_URI% variable

  • OPENAM-17833: Internally accepted audience (aud) formed from a DNS alias can be wrong when the base URL has no port

  • OPENAM-17830: Error messages are logged when the Push Notification Service is absent

  • OPENAM-17829: External UMA Resource Set using SSL but not StartTLS fails

  • OPENAM-17593: Deadlock when admin token is invalid and config data is cleared

  • OPENAM-17271: Typo for Realm in SAML/Federation debug

  • OPENAM-17102: OAuth 2.0 client bearer authentication has insufficient logging for troubleshooting failing client authentication

AM 7.1.1
  • OPENAM-18604: Formatting issues in Upgrade Report

  • OPENAM-18573: URLPatternMatcher or RedirectURLValidator fails when query string contains "%20"

  • OPENAM-18566: Missing 'org.forgerock.security.oauth2.enforce.sub.claim.uniqueness' after upgrade from 7.1.0

  • OPENAM-18559: Upgrade from 6.5.3 to 7.1.0 fails with UpgradeException - "com.sun.identity.sm.InvalidAttributeValueException: Saved Consent Attribute Name is required."

  • OPENAM-18532: Web Agent property org.forgerock.agents.pdp.javascript.repost has incorrect description in XUI

  • OPENAM-18523: NullPointerException when AgentsRepo with from group is changed

  • OPENAM-18459: IdTokenInfo endpoint behavior changed from 6.x and fails when using client_id in POST

  • OPENAM-18422: Email Template node creates threads without terminating them

  • OPENAM-18421: In a platform environment, an Email Template node creates a new thread that does not terminate

  • OPENAM-18389: HttpClientHandler Guice injection in tree is typically broken with thread pool growth

  • OPENAM-18377: Authorization fails using auth module if user has authenticated with alias name

  • OPENAM-18366: Upgrade Report contains unformatted line feeds "%LF%"

  • OPENAM-18359: Choice Collector Node appears to not be present following upgrade

  • OPENAM-18321: CertificateCollectorNode fails when checking cert in LDAP Directory Server

  • OPENAM-18319: Realm is added more than once when session upgrade happens more than once with modules

  • OPENAM-18316: Typo in oauth2 template (templates/touch/authorize.ftl)

  • OPENAM-18306: OAuth 2.0 Authorization Code Grant fails when including scope parameter at access_token endpoint

  • OPENAM-18258: Failed to load configuration for OAuth2Provider observed after upgrade

  • OPENAM-18241: Permit the OAuth 2.0 modification script to return scopes as a space-delimited string

  • OPENAM-18235: IdPAdapter does not have access to IDPCache in preSendResponse hook when there is an existing session

  • OPENAM-18227: Upgrade from 6.0.x / 6.5.x can fail at Unsupported node type PersistentCookieDecisionNode

  • OPENAM-18212: Check for user/agent profile condition during login can be refined further

  • OPENAM-18207: Global Service cache is not updated by changes from other servers in a site

  • OPENAM-18205: Excessive logging occurs when agent profile is not found

  • OPENAM-18180: No TransactionId present for AuthTreeExecutor

  • OPENAM-18171: Back-Channel logout keeps adding to trackingIds audit for every logout

  • OPENAM-18167: OIDC requests with request parameter fail with 500 error when there is no session using POST

  • OPENAM-18154: Wrong AMR returned with prompt=login and force authn setting enabled

  • OPENAM-18153: OpenIdConnect node call to well-known endpoint does not support proxy settings

  • OPENAM-18140: AM Error "Trying to redefine version 0.0 for path" thrown on AM startup with forgeops

  • OPENAM-18121: Slow loading in Authentication Tree

  • OPENAM-18119: Audit log no longer shows the userID of session being invalidated by amadmin

  • OPENAM-18090: Creation of UMA Policy to share a resource fails when identities have custom attributes

  • OPENAM-18085: SocialProviderHandlerNode does not work in an upgraded AM

  • OPENAM-18068: Upgrade from AM 6.5.3 to 7.1.0 does not work if a Java Agent profile exists

  • OPENAM-18065: Logback.jsp cannot be used to set log levels for loggers in custom code

  • OPENAM-18057: Identities page displays Internal Server Error when a user does not have search attribute defined

  • OPENAM-18043: Device Match module not setting correct AuthLevel

  • OPENAM-18017: Creation of UMA Policy to share a resource fails when identities have custom object classes

  • OPENAM-18009: AM returns HTTP error code 500 when authenticating with authIndexType=service without authIndexValue

  • OPENAM-18006: Persistent search for identity store does not recover

  • OPENAM-18003: WS-Federation Active Requestor Profile does not work with Authentication Trees

  • OPENAM-17993: The org.forgerock.openam.auth.nodes.webauthn.trustanchor.TrustAnchorValidator is missing a @Nullable annotation

  • OPENAM-17979: Backchannel authentication - auth_req_id can be used to obtain multiple access tokens

  • OPENAM-17962: LDAP Decision Node does not put updated password in transient state

  • OPENAM-17954: Accept-Language header locale ignored on OAuth 2.0 Consent page

  • OPENAM-17935: Missing 'return' statement in the happy flow of the kerberos node

  • OPENAM-17923: Retry Limit Decision node should not involve the user when Save Retry Limit to User is disabled

  • OPENAM-17916: When no session exists logout page redirects to login

  • OPENAM-17912: Account lockout count is not reset correctly

  • OPENAM-17896: Forgotten password reset across multiple clusters does not work when the reset link is clicked

  • OPENAM-17870: ScriptedDecisionNodes schema config not upgraded and sharedState does not work after upgrade

  • OPENAM-17863: Authorization code is not issued when nonce is not supplied in the OpenID Connect hybrid flow

  • OPENAM-17828: Apostrophe in username breaks Push/OATH device registration

  • OPENAM-17826: Introspect endpoint returns a static value for "expires_in" when using client-based tokens

  • OPENAM-17814: Auth Tree step-up fails if username case does not match

  • OPENAM-17801: OIDC userinfo subname claim returns incorrect value

  • OPENAM-17793: OIDC pairwise subject not working when multiple redirect URIs configured with the same hostname

  • OPENAM-17782: Policy evaluation fails with 400 error when user does not exist

  • OPENAM-17774: Missing exp claim throws NullPointerException on CIBA bc-authorize endpoint

  • OPENAM-17773: The acr_values parameter is mandatory on CIBA bc-authorize endpoint

  • OPENAM-17760: PEM support incorrectly decodes some EC private keys

  • OPENAM-17738: Java Agent "Client IP Validation Mode" property does not work when key is empty from XUI

  • OPENAM-17718: OAuth 2.0 introspection endpoint does not accept Accept header with extra accept extension param (like weight q=0.8) or charset

  • OPENAM-17678: RADIUS server fails to initialize on startup because the config cache is refreshed

  • OPENAM-17677: The oauth2/device/code endpoint does not support locale parameter

  • OPENAM-17663: Improve the error response code for "Failed to revoke access token"

  • OPENAM-17630: JMS Audit logging broken and cannot start up

  • OPENAM-17610: OTP Email Sender node does not let you specify connect timeout and IO/read timeout for underlying transport

  • OPENAM-17590: OIDC login hint cookie broken since 7.0

  • OPENAM-17587: OIDC bearer token authentication module requires context value setting for client secret

  • OPENAM-17493: OAuth 2.0 node does not support external proxy authentication (user/pass)

  • OPENAM-17405: Token introspection response not spec compliant

  • OPENAM-17320: Revisit prompt=login behavior change that keeps existing session

  • OPENAM-17265: Wrong authorized_keys file updated

  • OPENAM-17262: Subname claim inconsistencies

  • OPENAM-16988: The accessedEndpoint including port causes verify Assertion Consumer URL to fail

  • OPENAM-16881: SAML federation library stopped supporting ACS URLs with query parameters

  • OPENAM-16653: Identity using fr-idm-uuid has wrong account ID in FR Authenticator

  • OPENAM-16642: Server id creation can fail when id is greater than 100

  • OPENAM-16554: Misplaced bufferingEnabled checkbox in New Syslog configuration

  • OPENAM-16491: SAML Update introduces javascript calls that aren’t available in IE8 and below (or IE11 using Enterprise mode)

  • OPENAM-16418: Client auth using private_key_jwt fails with 500 if claim format is wrong

  • OPENAM-16216: Get Session Data node improvements

  • OPENAM-15861: NullPointerException in CollectionHelper.getServerMapAttrs

  • OPENAM-15740: Document that _fields is case-sensitive

  • OPENAM-15278: "Access Denied" error when accessing logout link and not currently signed in

  • OPENAM-13855: CTS creates too many connections to DS

  • OPENAM-13312: Stateless non-expiring refresh tokens fail with "invalid_grant"

  • OPENAM-11636: IdP-Proxy - proxyidpfinder.jsp is not triggered when 'Use IDP Finder' is enabled for remote SP entity

AM 7.1
  • OPENAM-17396: Terms of Service URI Link does not Display in Consent Page

  • OPENAM-17395: SocialOpenIdConnectNode fails to recover from client’s connection reset

  • OPENAM-17365: Checking agent type with caller token can cause deadlock

  • OPENAM-17364: Prompt login / session upgrade / OIDC ACR looping with trees

  • OPENAM-17361: API Explorer Swagger template body needs to be modified to include configExport, debugLogs and threadDump as per the API documentation

  • OPENAM-17357: Remote Consent Service (RCS) does follow the RCS-consented scope when the authorization endpoint is accessed without any scope

  • OPENAM-17353: HTML pages are not picked up when placing in a theme folder

  • OPENAM-17349: OIDC Refresh token - Ops token is deleted from the CTS during refresh

  • OPENAM-17343: Access token call returns 500 error if password needs to be changed or has expired

  • OPENAM-17322: SAML2 bearer grant returns NoUserExistsException

  • OPENAM-17317: A realm without any modules can cause increased thread count and slow response

  • OPENAM-17276: AM recorder no longer records

  • OPENAM-17271: Typo for Realm in SAML/Federation debug

  • OPENAM-17260: Allow arg=newsession usage in authorize calls

  • OPENAM-17242: OAuth2 Policy - Environment Condition AuthLevel >= doesn’t work for ROPC grant

  • OPENAM-17220: OAuthLogout.jsp compilation error isGotoUrlValid method signature not found

  • OPENAM-17199: Insufficient debug logging for 'DJLDAPv3Repo.getAssignedServices'

  • OPENAM-17156: Adaptive Risk checkGeoLocation null countryCode can cause module failure

  • OPENAM-17136: OAuth 2.0 Dynamic Client Registration does not recognize spec-defined parameters

  • OPENAM-17121: Inefficient synchronized block in OAuth2ProviderSettingsFactory

  • OPENAM-17114: Save Consent check box always shown, even when not configured

  • OPENAM-17097: Inconsistent scope policy evaluation between authorize and ROPC

  • OPENAM-17089: Forgot password functionality broken

  • OPENAM-17070: SAML2 SP-initiated SSO with AM as IdP proxy: RelayState is not returned from the proxy after IdP authentication

  • OPENAM-17060: Audit Logging "Resolve host name" is still available after OPENAM-7849

  • OPENAM-17037: AM Upgrade from 6.0.0.7 to 7.0.0 causing NPE

  • OPENAM-17034: When User Profile is set to Ignored in a realm, the realm-level Session Service quota settings are also ignored and only the global Session Service settings are evaluated

  • OPENAM-17017: REST STS fails with "unable to get sub-schema" if the cache is refreshed while updating REST config

  • OPENAM-17006: Hosted SAML entity: cannot remove bindings

  • OPENAM-16998: Poor logging around failures "Invalid Assertion Consumer Location specified"

  • OPENAM-16997: Device code grant implied consent fails if access_token request performed before user authenticates

  • OPENAM-16988: Accessed endpoint including port causes verify Assertion Consumer URL to fail

  • OPENAM-16955: When setCookieToAllDomains=false is used, a non matching request from other domain will fail

  • OPENAM-16947: Kerberos Node in 7.0 fails to return goTo(false)

  • OPENAM-16944: LDAP Decision node fails if inetuserstatus does not exist

  • OPENAM-16936: Tree nodes create a new keystore object each time the node is called

  • OPENAM-16935: Logout issue after logging into AM with 'Remember my username' selected with iOS 14.0.1

  • OPENAM-16934: sm.getSchemaManager has a typo including a comma

  • OPENAM-16926: Success URL node doesn’t work with SAML Node for Idpinit when not using Integrated mode

  • OPENAM-16910: Cannot create SAML entity with entity ID including a semicolon ';'

  • OPENAM-16907: Kerberos Node in 7.0 does not work

  • OPENAM-16904: OIDC bearer module fails with NPE when id_token does not contain kid

  • OPENAM-16883: AM ignores AuthnRequestsSigned property during SSO

  • OPENAM-16876: Default ACR values on OIDC client profile is not honoured in order of preference

  • OPENAM-16866: AM should fail gracefully if id_token fails to generate when swapping refresh token

  • OPENAM-16849: WeChat Social Auth module broken (regression)

  • OPENAM-16848: Choice Collector and WDSSO node combination does not work if whitelisting is enabled

  • OPENAM-16847: AM email service failing with 'Start TLS' option

  • OPENAM-16838: AuthenticationApproachChecker does not handle session upgrade modules

  • OPENAM-16823: IDM nodes do not send or propagate transactionId tracking when contacting IDM

  • OPENAM-16807: The dynamic values for request_uri stored in client config do not expire and are not automatically removed

  • OPENAM-16801: SAML2 SP init SSO fails after upgrade to 7.0.0

  • OPENAM-16784: Upgrade to 7 fails with NullPointerException in Saml2EntitySecretsStep

  • OPENAM-16769: Enabling Auto-federation when User Profile is Dynamic on SP causes SP to hang during SAML flow

  • OPENAM-16758: Cannot install AM 7 on Windows

  • OPENAM-16745: client_id in access token ignores what’s been registered when idm cache is disabled

  • OPENAM-16726: Insufficient debug logging for OAuth2 error 'invalid_client Server does not support this client’s subject type'

  • OPENAM-16703: OAuth2 Access token obtained from refresh token is certificate-bound regardless of "Certificate-Bound Access Tokens" configuration (when client_secret_basic used for credentials)

  • OPENAM-16701: The authorize endpoint with a service parameter will cause the parameter to appear as a PAP claim in the agent’s ID token

  • OPENAM-16684: OIDC Dynamic Registration client_description cannot take String type

  • OPENAM-16669: IdentityGateway Agent entry missing attribute required to support org.forgerock.openam.agent.TokenRestrictionResolver#getAgentInfo

  • OPENAM-16617: SuccessURL session property is set to gotoURL in authentication tree

  • OPENAM-16608: AM with embedded DS setup fails with permission denied for truststore

  • OPENAM-16583: Crucial information is missing when encountering LDAP connection issues.

  • OPENAM-16556: RADIUS server does not log IP address into AM audit logs

  • OPENAM-16555: Audit logging does not tell which policy allowed or denied a resource request

  • OPENAM-16540: Issues with Social Login URLs when navigating quickly between providers

  • OPENAM-16535: "JWKs URI content cache miss cache time" is not triggered when "kid" is missing from cached JWK Set

  • OPENAM-16515: Social auth - insufficient debug logging for troubleshooting

  • OPENAM-16485: 'Failed Login URL' is not picked up from the auth chain

  • OPENAM-16472: Proxied Authentication fallback may not work when user entry lacks some attributes

  • OPENAM-16450: 501 when default resource version set to "oldest" and Accept-API-Version header set

  • OPENAM-16418: private_key_jwt client auth fails with 500 if claim format is wrong

  • OPENAM-16368: Settings of Mail and Scripting global service properties are overwritten at upgrade

  • OPENAM-16367: OIDC request_uri response causes NPE while debug logging

  • OPENAM-16354: Concurrency bug in OAuth2ProviderSettingsFactory

  • OPENAM-16338: Failing REQUISITE module after SUFFICIENT Device Match doesn’t fail chain properly

  • OPENAM-16157: Session Property Whitelist Service allows case variant Property Names but DS is not case sensitive

  • OPENAM-16152: After upgrade, new Identity page has duplicate 'new identity' field and email address does not save

  • OPENAM-16006: Device Code Grant does not work with Implied Consent as Authorization is not approved even after consented

  • OPENAM-15963: Historical retention files (csv) were not deleted

  • OPENAM-15948: Update DS profiles to add VLV indexes for CTS use

  • OPENAM-15743: Excessive CTS logging when Reaper is disabled (com.sun.am.ldap.connnection.idle.seconds=0)

  • OPENAM-15671: LoginContext is missing debug logging for troubleshooting

  • OPENAM-15663: UserInfoClaims is not part of public API

  • OPENAM-14898: OTP Email Sender Authentication Node fails if no SMTP authentication credentials are specified

  • OPENAM-14682: Microsoft Social Auth fails when creating a Microsoft account (Legacy OAuth2)

  • OPENAM-14527: Microsoft Social Auth does not work with latest MS endpoints (Legacy OAuth2)

  • OPENAM-12503: SizeBasedRotationPolicy does not delete oldest file

AM 7.0.x

AM 7.0.2
  • OPENAM-17689: LDAPv3PersistentSearch should log when psearch connection is lost

  • OPENAM-17688: InMemoryCtsSessionCacheStep#cacheTrusted field should be marked volatile

  • OPENAM-17683: Selfservice user registration auto login fails for a sub-realm

  • OPENAM-17673: Nodes within a Page node do not have access to secure state

  • OPENAM-17672: Page Node does not expose inner nodes inputs or outputs

  • OPENAM-17630: JMS Audit logging broken and cannot start up

  • OPENAM-17591: Session quota destroy next expiring action can fail when two new sessions attempt to read and update the same expiring session

  • OPENAM-17587: OIDC bearer token authentication module requires context value setting for client secret

  • OPENAM-17570: OIDC request parameter decryption fails to find any applicable keys

  • OPENAM-17555: AM 7.x versions of Amster use Java 8 format of debug port

  • OPENAM-17517: JS versions of Social Identity Provider Profile Transformation scripts do not work due to a casting error.

  • OPENAM-17515: Sub attribute in access token can be in wrong casing

  • OPENAM-17483: SecretsPlugin upgrade from 6.5.x failing

  • OPENAM-17477: Thread-safety issue in AMAuthenticationManager

  • OPENAM-17436: JS version of the OIDC Claims script does not work due to a casting error.

  • OPENAM-17405: Token introspection response not spec compliant

  • OPENAM-17397: ssoadm can fail for some cloud-based setups due to FileBasedConfiguration check

  • OPENAM-17365: Checking agent type with caller token can cause deadlock

  • OPENAM-17364: prompt login / session upgrade / OIDC ACR looping with trees

  • OPENAM-17361: API Explorer Swagger Template body needs to be modified to include configExport, debugLogs and threadDump as per the API Documentation

  • OPENAM-17357: Remote Consent Service RCS does follow RCS consented scope when authorization endpoint accessed without any scope

  • OPENAM-17349: OIDC Refresh token - Ops token is deleted from the CTS during refresh

  • OPENAM-17337: Access token passed in request body results in failure

  • OPENAM-17324: Client credentials grant in FBC config with group inheritance causes User not Valid Error

  • OPENAM-17322: SAML2 bearer grant returns NoUserExistsException

  • OPENAM-17321: Prometheus Endpoint returns http 500 error when used with file based config

  • OPENAM-17317: A realm without any modules can cause increased thread count and slow response.

  • OPENAM-17310: 'ssoadm list-datastore-types' sub-command broken

  • OPENAM-17277: AM Recording with thread dump only shows depth of 8

  • OPENAM-17276: AM recorder does not record anymore

  • OPENAM-17274: AM should not change the supported subject types for an existing install

  • OPENAM-17271: Typo for Realm in SAML/Federation debug

  • OPENAM-17265: Wrong authorized_keys file updated

  • OPENAM-17242: OAuth2 Policy - Environment Condition AuthLevel >= doesn’t work for ROPC grant

  • OPENAM-17220: OAuthLogout.jsp compilation error isGotoUrlValid method signature not found

  • OPENAM-17199: Insufficient debug logging for 'DJLDAPv3Repo.getAssignedServices'

  • OPENAM-17175: XUI OAuth2 consent page does not render when using themes

  • OPENAM-17157: Password reset via admin console with Proxied Authorization enabled is not possible

  • OPENAM-17156: Adaptive Risk checkGeoLocation null countryCode can cause module fail.

  • OPENAM-17121: Inefficient synchronized block in OAuth2ProviderSettingsFactory

  • OPENAM-17117: Service config XML dump consumes a lot of memory (whole config is read to memory)

  • OPENAM-17114: Save Consent check box always shown, even when not configured

  • OPENAM-17102: OAuth2 client bearer authentication has insufficient logs for troubleshooting failing client authentication

  • OPENAM-17097: Inconsistent scope policy evaluation between authorize and ROPC

  • OPENAM-17089: Forgot password flow not working after initial attempt to reset password fails

  • OPENAM-17081: OAuth2 client agent group settings are not taken into account

  • OPENAM-17079: Identities and Sessions: unexpected error returned when requesting a nonexistent identity

  • OPENAM-17070: SAML2 SP-initiated SSO with AM as IdP Proxy: RelayState is not returned from proxy after IdP authentication

  • OPENAM-17066: Unable to add server to existing deployment through UI

  • OPENAM-17042: User Self Registration REST API does not generate SSO token

  • OPENAM-17019: Allowing wildcards in OAuth 2.0 clients prevents exact matching from working

  • OPENAM-17017: REST STS fails with unable get get sub-schema if cache is refreshed while updating REST config

  • OPENAM-16998: Poor logging around failures "Invalid Assertion Consumer Location specified"

  • OPENAM-16997: Device code grant implied consent fails if access_token request performed before user authenticates

  • OPENAM-16955: When setCookieToAllDomains=false is used, a non-matching request from another domain will fail

  • OPENAM-16944: LDAP Decision node fails if inetuserstatus does not exist

  • OPENAM-16932: PageNode does not pick up outcomes if ScriptedDecisionNode is used inside

  • OPENAM-16910: Cannot create SAML entity with entity ID including a semicolon ';'

  • OPENAM-16904: OIDC bearer module fails with NPE when id_token does not contain kid

  • OPENAM-16883: AM ignores AuthnRequestsSigned property during SSO

  • OPENAM-16881: SAML federation library stopped supporting ACS URLs with query parameters

  • OPENAM-16876: Default ACR values on OIDC client profile is not honoured in order of preference

  • OPENAM-16849: WeChat Social Auth module broken (regression)

  • OPENAM-16801: SAML2 SP init SSO fails after upgrade to 7.0.0

  • OPENAM-16726: Insufficient debug logging for OAuth2 error 'invalid_client Server does not support this client’s subject type'

  • OPENAM-16651: Default configuration fails if the trust store type JVM property is not defined for the JVM

  • OPENAM-16638: AM with embedded DS setup fails when Java system keystore properties are set

  • OPENAM-16608: AM with embedded DS setup fails with permission denied for truststore

  • OPENAM-16581: SAML Authentication Module on hosted SP gets SAML No authentication context error

  • OPENAM-16556: RADIUS server does not log IP address into AM audit logs

  • OPENAM-16515: Social auth - insufficient debug logging for troubleshooting

  • OPENAM-16472: Proxied Authentication fallback may not work when user entry lacks some attributes

  • OPENAM-16364: Macaroon access tokens don’t work with the new any-realm token introspection

  • OPENAM-16262: Javadocs for IdUtils need updating

  • OPENAM-15963: Historical retention files (csv) were not deleted

  • OPENAM-15214: Auth Tree - Clicking save with no changes causes render problem with node attributes inside page node

  • OPENAM-14240: FMSigProvider.verify does not tell if certificates are provided

  • OPENAM-13783: REST STS: Cannot add or modify nameID format in SAML config, and default value stated in help is incorrect

  • OPENAM-13575: Unhelpful log message when OIDC public client wants to use HMAC id token signing

AM 7.0.1
  • OPENAM-16935: Logout issue after logging into AM with 'Remember my username' selected with iOS 14.0.1

  • OPENAM-16934: sm.getSchemaManager has a typo including a comma

  • OPENAM-16907: Kerberos Node in 7.0 does not work

  • OPENAM-16877: Error when creating AM "Self-service Trees" service in native admin ui

  • OPENAM-16848: Choice Collector and WDSSO node combination does not work if whitelisting is enabled

  • OPENAM-16847: AM email service failing with 'Start TLS' option

  • OPENAM-16838: AuthenticationApproachChecker does not handle session upgrade modules

  • OPENAM-16823: IDM nodes do not send or propagate transactionId tracking when contacting IDM

  • OPENAM-16802: Upgrade from OpenAM 7.0 to 7.1.0 SNAPSHOT causes NPE

  • OPENAM-16794: Google KMS options missing after upgrade from 6.5

  • OPENAM-16791: AMAccessAuditEventBuilder#forRequest can generate an entry with :-1 for the port

  • OPENAM-16769: Enabling Auto-federation when User Profile is Dynamic on SP causes SP to hang during SAML flow

  • OPENAM-16759: Amster on Windows: AM does not restart properly after setup

  • OPENAM-16758: Cannot install AM 7 on Windows

  • OPENAM-16745: client_id in access token ignores what’s been registered when idm cache is disabled

  • OPENAM-16703: OAuth2 Access token obtained from refresh token is certificate-bound regardless of "Certificate-Bound Access Tokens" configuration (when client_secret_basic used for credentials)

  • OPENAM-16702: Saving engine configuration in FBC mode makes that config non-readable

  • OPENAM-16701: The authorize endpoint with a service parameter will cause the parameter to appear as a PAP claim in the agent’s ID token

  • OPENAM-16697: Case mismatch for realm (when using legacy realm identifier format) on well-known endpoint results in issuer with incorrect path format

  • OPENAM-16686: Cannot create a User after upgrade from 6.5.2 to 7.0.1

  • OPENAM-16684: OIDC Dynamic Registration client_description cannot take String type

  • OPENAM-16669: IdentityGateway Agent entry missing attribute required to support org.forgerock.openam.agent.TokenRestrictionResolver#getAgentInfo

  • OPENAM-16650: Authz Policy Subjects Policy.title is showing property name text

  • OPENAM-16641: OAuth2 provider supported grant types attribute missing localization property on XUI

  • OPENAM-16606: Missing "org.forgerock.openam.saml2.authenticatorlookup.skewAllowance" property in server defaults

  • OPENAM-16594: ssoadm help should be updated to reflect changes in AME-18650 / OPENAM-16155

  • OPENAM-16583: Crucial information is missing when encountering LDAP connection issues.

  • OPENAM-16555: (audit) logging does not tell which policy allowed or denied a resource request

  • OPENAM-16551: Scalar String in OAuth2 Access Token Modification Script result in Unable to Obtain Access Token

  • OPENAM-16545: Upgrade to AM 7.0.0 can cause problems with properties being overridden for some web agents

  • OPENAM-16485: 'Failed Login URL' is not picked up from the auth chain

  • OPENAM-16483: XUI - Typo in SAML SP "Default Relay State Url" label

  • OPENAM-16368: Settings of Mail and Scripting global service properties are overwritten at upgrade

  • OPENAM-16367: OIDC request_uri response causes NPE while debug logging

  • OPENAM-16354: Concurrency bug in OAuth2ProviderSettingsFactory

  • OPENAM-16338: Failing REQUISITE module after SUFFICIENT Device Match doesn’t fail chain properly

  • OPENAM-16157: Session Property Whitelist Service allows case variant Property Names but DS is not case sensitive

  • OPENAM-16152: After upgrade, new Identity page has duplicate 'new identity' field and email address does not save

  • OPENAM-16006: Device Code Grant does not work with Implied Consent as Authorization is not approved even after consented

  • OPENAM-15671: LoginContext is missing debug logging for troubleshooting

  • OPENAM-15663: UserInfoClaims is not part of public API

  • OPENAM-14682: Microsoft Social Auth fails when creating a Microsoft account (Legacy OAuth2)

  • OPENAM-14527: Microsoft Social Auth does not work with latest MS endpoints (Legacy OAuth2)

  • OPENAM-11706: Policies in a policy set are not visible in Internet Explorer IE

AM 7.0
  • OPENAM-16433: Audit Logging change of behaviour when capturing "principals" and "userid" data for each authentication entry.

  • OPENAM-16425: AM does not handle malformed/incorrect signature correctly

  • OPENAM-16402: The passwordpolicy.allowDiagnosticMessage should be applicable to admin and selfservice password change.

  • OPENAM-16379: URL fragments like # cause forbidden login in the XUI

  • OPENAM-16284: XUI does not handle Special Chars / UTF-8 in realms properly.

  • OPENAM-16279: AgentsRepo cannot recover when it fails especially on external Application store.

  • OPENAM-16251: OIDC authentication request with parameters 'prompt=none' and 'acr_values=' triggers authentication

  • OPENAM-16240: REST STS under subrealm cannot generate id_token with realm claim

  • OPENAM-16233: Policy evaluation fails when subject not found (even in ignore profile)

  • OPENAM-16214: Push Authentication Module does not work on Session Upgrade when User Cache disabled

  • OPENAM-16184: Zero Page Login Collector does not work with UTF-8 base 64 encoded usernames and passwords

  • OPENAM-16165: Social auth module causes NullPointerException

  • OPENAM-16164: Social auth module fails if OIDC provider uses algorithm RS256 to sign ID Token

  • OPENAM-16136: queryFilter only matches against first entry in array

  • OPENAM-16132: When TtlSupport is enabled, Stateless OAuth2 Refresh token and JWT whitelist fails on synchroniseExpiryDates

  • OPENAM-16032: Unable to delete devices with Recovery Code Collector Decision Node

  • OPENAM-16031: Intermittent error message when concurrently obtaining SSO Token ID with session quota constraints

  • OPENAM-16014: An invalid user passed to any WebAuthn node throws NPE and breaks the Tree flow

  • OPENAM-16013: Mismatched kid from Json Web Key URI when Specified Encryption Algorithm

  • OPENAM-16009: Windows Desktop SSO node full adoption and compliance with tree node specifications

  • OPENAM-15989: OAuth2 client_id should be url-decoded when using basic auth

  • OPENAM-15982: OIDC - JWT Request Parameter returns errors in query, not in the fragment when consent is denied

  • OPENAM-15970: Access Token introspect Fails in subrealm after root realm modified

  • OPENAM-15944: WS-Federation - RPSignin Request fails because config data is used unchecked

  • OPENAM-15905: Login failure with Post Authentication Plugin on timed out Authentication session throws NullPointerException

  • OPENAM-15900: Kerberos fails when used with IBM JDK

  • OPENAM-15896: WS-Federation relying party initiated passive request - stuck at Account Realm selection

  • OPENAM-15881: Custom AM User (amUser.xml) field does not use default values from the schema

  • OPENAM-15858: Auth Tree fails before 'Max Authentication Time' is reached if authentication session state management scheme CTS is used

  • OPENAM-15853: External UMA store fails on resource creation

  • OPENAM-15805: idtokeninfo endpoint gives invalid signature error when ID Token is expired

  • OPENAM-15785: OIDC spec violation - HTTP POST can not be used to send Authentication Request

  • OPENAM-15784: Form elements in policy environment condition tab are displayed twice

  • OPENAM-15766: LoginState - account lockout is checked although AM AccountLockout is disabled

  • OPENAM-15758: KeyStore Secret Store fails to start due to secretId having some characters.

  • OPENAM-15750: ERROR: OAuth2Monitor: Unable to increment "oauth2.grant" metric for unknown grant type BACK_CHANNEL

  • OPENAM-15724: SAML2 entities do not set amlbcookie if there is only one server

  • OPENAM-15713: AM SP silently drops the 80-character RelayState for HTTP Redirect

  • OPENAM-15698: IdP-initiated SSO fails with error 'Error processing AuthnRequest. IDP Session is NULL'

  • OPENAM-15697: Default ACR values from OAuth2 provider not taken into account

  • OPENAM-15694: RestSTSServiceHttpRouteProvider causes memory leak by adding route for every access

  • OPENAM-15679: The option "com.sun.am.ldap.connnection.idle.seconds" has a misspelling

  • OPENAM-15670: DeviceIdSave auth module initialization fails if username is null

  • OPENAM-15667: AM debug log does not tell which auth-module was handled - needed for troubleshooting

  • OPENAM-15645: The &refresh=true|false parameter for _action=validate is not working as expected

  • OPENAM-15632: OAuth2 Refresh token lifetime with -1 (never expires) cannot work with CTS TTL support

  • OPENAM-15628: Grant-Set Storage Scheme for CTS does not work with CIBA Flow

  • OPENAM-15627: Switching CTS Storage Scheme to "Grant-set" fails with stateless refresh-tokens created with "One-To-One"

  • OPENAM-15579: AM cookies are not set after successful SP-initiated SSO flow if SP Adapter calls 'response.sendRedirect(String)'

  • OPENAM-15559: OATH module broken in Japanese locale

  • OPENAM-15533: WS-Federation doesn’t work with Authentication Trees

  • OPENAM-15530: OAuth2/OIDC - Resource Owner Password flow with a public client creates an AM session in CTS

  • OPENAM-15520: XUI Localisation Falls Back To AM-Default "EN" Instead Of Language-Default

  • OPENAM-15508: moduleMessageEnabledInPasswordGrant does not apply to Trees

  • OPENAM-15507: 500 error when calling /revoke or /refresh endpoint with wrong token

  • OPENAM-15501: Xml encryption 1.1 namespaces aren’t always mapped to prefixes correctly

  • OPENAM-15494: AM expects nonce request parameter in authorize request when no id_token will be returned

  • OPENAM-15491: Self service password reset returns 500 Internal Server Error, when new password rejected by datastore password policies.

  • OPENAM-15489: WebAuthN Auth Node Doesn’t Respect UV=Discouraged During AuthN

  • OPENAM-15465: Sending HTTP Callback from Inner Tree Evaluator Fails Authentication

  • OPENAM-15459: When Encrypted Attributes on SP is set only with AutoFederation enabled, the attributes get decryption error

  • OPENAM-15425: OIDC endsession - encrypted id_tokens are not supported

  • OPENAM-15374: OpenID Client authentication with private_key_jwt and client_secret_jwt does not enforce required jti claims

  • OPENAM-15355: PageNode with multiple InputNodes without value throws Unsupported InputOnlyPasswordCallback

  • OPENAM-15349: Access Token request returns a 500 error

  • OPENAM-15345: at_hash value generated does not take the latest modified access token

  • OPENAM-15323: ROPC with tree throws "Internal Server Error (500)" when user credentials are incorrect using AuthTree

  • OPENAM-15307: Trees Example is not working as expected OOTB to ?service=Example

  • OPENAM-15303: Claims with multiple values in issued_token from REST STS represented inconsistently.

  • OPENAM-15244: AM configuration does not perform schema extension for identity store although it has the permissions

  • OPENAM-15210: Authentication nodes that are assigned AuthType values may not work in the Session Upgrade case with custom modules

  • OPENAM-15164: CDSSO with "ignore profile" throws "No OpenID Connect provider"

  • OPENAM-15160: LDAP Decision Node throws NPE when custom ldap server returns LDAP code 50 on bind

  • OPENAM-15150: Upgrade fails when there is a bad Token Signing ECDSA public/private key pair alias field

  • OPENAM-15147: HTTP 500 upon accessing openam/json/

  • OPENAM-15145: OpenAM Scope Validator calls getUserInfo twice when creating IdToken

  • OPENAM-15121: Persistent Cookie Auth Tree does not work after the second relogin ( with browser closed )

  • OPENAM-15117: KeyVault KeyStoreType not supported

  • OPENAM-15116: Auth ID jwt can be modified to determine whether a realm exists or not

  • OPENAM-15105: Unable to get trusted devices using REST API

  • OPENAM-15101: Remove the ability to disable XUI

  • OPENAM-15089: SAML SLO - Allow RelayState to be a path-relative URL

  • OPENAM-15076: webAuthn config does not allow for multiple origins under the same rpId

  • OPENAM-15044: OpenID connect id_token bearer Module Unable to obtain SSO Token due to OpenIDResolver Caching

  • OPENAM-15036: Cannot view/manage SAML IdP entity in console, imported from schema compliant meta data file

  • OPENAM-15028: Cannot load metadata in ssoadm without extended metadata

  • OPENAM-15012: OIDC - JWT Request Parameter returns errors in query, not in the fragment

  • OPENAM-14995: IdP Initiated single logout only performs local logout if IdP session cannot be found in cache

  • OPENAM-14991: Changes to boot.json are overwritten

  • OPENAM-14979: NPE in UtilProxySAMLAuthenticatorLookup if there is a failure to find cached oldSession in sessionUpgrade

  • OPENAM-14977: PKCE Code challenge method for Authorization Code if not set should use plain

  • OPENAM-14966: Performing access_token with arbitrary text as trusted cert header causes server error

  • OPENAM-14919: Unnecessary 'Unable to parse packet received from RADIUS client' log entries in log file

  • OPENAM-14901: XUI - SAML2 module doesn’t redirect to IDP if it’s 2nd in the chain

  • OPENAM-14895: user identity creation fails with "Identity *" of type user not found.

  • OPENAM-14893: XUI displays multiple error messages when an authentication session times out

  • OPENAM-14889: Upgrade of Persistent Cookie auth module fails

  • OPENAM-14883: OAuth2/OIDC - Issuing client secret to Public clients during registration

  • OPENAM-14881: AM Proxied authorization feature on DataStore does not work with locked or expired DJ accounts for password change (gives errorcode=123)

  • OPENAM-14867: AuthType is not set for Authentication Tree (AnyKnownUserAuthzModule fails in AuthTree)

  • OPENAM-14859: ROPC throws "Internal Server Error (500)" when 'Password Grant authentication service' is empty

  • OPENAM-14858: When NameIDPolicy does not contain Format=.., remoteEntityID is passed as null

  • OPENAM-14848: Insufficient debug logging in OpenID Connect authentication module

  • OPENAM-14845: user info endpoint does not correctly handle Certificate Bound Access Tokens

  • OPENAM-14829: AuthSchemeCondition doesn’t return realm aware policy condition advice

  • OPENAM-14825: OAuth2 Dynamic Registration with Software Statement triggers objectClass=* search

  • OPENAM-14804: Memory leak when running UMA RPT soak test

  • OPENAM-14799: Unable to update Agent profile using REST

  • OPENAM-14794: User privileges are removed from group if another group is given same privilege

  • OPENAM-14786: idpSingleLogoutPOST throws error 500 IllegalStateException on SLO

  • OPENAM-14783: PKCS11 KeyStore does not work on IBM JVM

  • OPENAM-14782: AuthTree created Session does not use per User Session Service settings

  • OPENAM-14766: introspect and tokeninfo endpoints return Internal Server Error 500 in some invalid tokens

  • OPENAM-14717: mailto attribute has a space between ':' and mail address

  • OPENAM-14694: Consent page still shows claim values even when supported claim description is omitted

  • OPENAM-14651: OAuth2 GrantSet E-Tag Assertion Failures due to Stale Reads

  • OPENAM-14581: handling ManageNameID fails if NameID does not include SPNameQualifier

  • OPENAM-14578: WDSSO failing but no fallback…

  • OPENAM-14573: amlbcookie is not secure when authenticating with trees

  • OPENAM-14572: prompt=login destroys and creates new session

  • OPENAM-14570: OAuth mTLS DN comparison fails when DER-encoding is different

  • OPENAM-14548: consent page still shows what’s been granted/removed as a result of OAuth2 scope policy evaluation

  • OPENAM-14546: SSOADM access not audited to the ssoadm.access logs anymore

  • OPENAM-14539: SAML SLO with multi protocols

  • OPENAM-14529: UMA RPT expiry time incorrect in CTS

  • OPENAM-14523: NullPointerException in IdP-initiated ManageNameIDRequest using SOAP Binding

  • OPENAM-14503: SAML2 - Key Transport Algorithm - RSA OAEP must be supported

  • OPENAM-14483: If there is no token, then landing on the AM login page will result in 2 getSessionInfo Requests = 401 UnAuthZ

  • OPENAM-14480: AuthLoginException is lost

  • OPENAM-14471: Failed to create root realm for data store (External Policy | Application)

  • OPENAM-14465: SAML2 Artifact binding fails on multi-instance / multiserver IDP setup with SAML2 Failover on

  • OPENAM-14464: XUI sends the following message "Loading custom partial "${partialPath}" failed. Falling back to default." to the browser console when a custom theme is used

  • OPENAM-14450: userinfo typo in Claims.java

  • OPENAM-14426: Unable to add external data store in AM (Policy | Application) when using TLS/SSL

  • OPENAM-14419: Policy evaluation returns search results for all policies that match outside of specified application

  • OPENAM-14393: CTS operation fails with 'Entry Already Exists' logged when SAML2 authentication is done

  • OPENAM-14391: Self Service Link not Displayed when Using Authentication Tree

  • OPENAM-14378: 'Set Persistent Cookie' node sets domain cookies in only one domain despite multiple Cookie Domains set

  • OPENAM-14369: Upgrading from OpenAM 13.5.0 with custom PAPs causes NPE failure

  • OPENAM-14362: UMA load test fails with Invalid resource type error

  • OPENAM-14353: Error Message not Displayed when Change Password does not Meet Password Policy

  • OPENAM-14337: Fail gracefully when request OIDC token using "Pairwise" Subject Type and no Redirection URI is configured in client

  • OPENAM-14313: Audit Logging - STS transformations create duplicate entries

  • OPENAM-14310: CheckSession page indicates the session is not valid

  • OPENAM-14294: am-external Git repository 6.5 has bad source

  • OPENAM-14281: IdP Proxy relays wrong AuthnContextClassRef

  • OPENAM-14239: FMSigProvider.verify NPE with null input for certificates

  • OPENAM-14233: updated_at claim in the ID Token is returned as a string and not a number

  • OPENAM-14232: Performance issue when creating resource_set in UMA with many existing resource_set

  • OPENAM-14229: custom AuthorizeTemplate under theme not used

  • OPENAM-14213: Cannot view SAML SP entity imported with missing AuthnRequestsSigned attribute

  • OPENAM-14212: SAML redirect to login page fails if AM installed into the root context

  • OPENAM-14200: Social auth modules do not work when AM is installed into the root context

  • OPENAM-14189: effectiveRange of Time environment has an issue

  • OPENAM-14175: CTS updates on multivalue attributes may throw Duplicate values exception

  • OPENAM-14174: AM shows Ldapter.delete exception when session expiry is triggered

  • OPENAM-14167: HTML tags are shown as part of the messages in Change Password section of AD Authentication module.

  • OPENAM-14147: arg=newsession in XUI just shows the "Loading…" page

  • OPENAM-14115: Sample Auth module does not work in a chain when used with Shared-state

  • OPENAM-14112: Using client-based sessions when acting as SP can lead to an out-of-date client-based session cookie

  • OPENAM-14111: Refresh Token flow not enabled on OAuth2 Client can still use Refresh Token flow

  • OPENAM-14062: Redirect to Failure URL does not occur when authentication tree is not interactive

  • OPENAM-14054: XUI Custom templates and Partials not applied consistently

  • OPENAM-14053: Cannot build AM UI in Windows for Yarn using mvn

  • OPENAM-14040: LdifUtils debug logging prints out wrong classname

  • OPENAM-14018: Radius Authentication Module Primary and Secondary Radius Server help button shows server:port when it should be server

  • OPENAM-13999: Custom node containing ConfirmationCallbacks fails when dropped in a page node.

  • OPENAM-13991: 'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm

  • OPENAM-13978: Session Upgrade - AuthLevel format changes

  • OPENAM-13942: SAML2 Circle of Trust - REST Update doesn’t update the metadata of the provider

  • OPENAM-13934: saml2error.jsp fails with exception when malformed SAML2 response given

  • OPENAM-13900: OAuth2 Device flow - duplicate user_code error after authenticating user

  • OPENAM-13892: Erroneous "Response’s InResponseTo attribute is not valid" error stating "SAML2 failover is enabled" when it is not

  • OPENAM-13890: Install.log logs AMLDAPUSERPASSWD for unprivileged demo user in plaintext

  • OPENAM-13851: Rest STS cannot be created in the Console when upgrading to 6

  • OPENAM-13831: RP-Initiated Logout does not handle state parameter

  • OPENAM-13779: Session API - _action=refresh requires an admin token

  • OPENAM-13764: Monitoring logs in ERROR for "Agent.configAgentsOnly:agent type = OAuth2Client"

  • OPENAM-13720: Public API method LDAPUtils.convertToLDAPURLs can not handle IPv6 literals

  • OPENAM-13490: Software Publisher Agent - Secret is not saved when creating an Agent

  • OPENAM-13465: Dynamic client registration sets wrong subjectType

  • OPENAM-13446: Social Auth Service doesn’t redirect if already using another chain

  • OPENAM-13419: LDAPPolicyFilterCondition doesn’t set request timeout

  • OPENAM-13324: /users/{user}/devices/trusted REST queryFilter expression does not work and acts as "true"

  • OPENAM-13064: OAuth2 - SAML v.2.0 Bearer Assertion Grant - SubjectConfirmationData element should be optional

  • OPENAM-13000: Custom authentication module with a single ChoiceCallback value is processed without confirmation

  • OPENAM-12955: Resource Owner Password Credentials Grant does not work with trees

  • OPENAM-12759: max_age should be a number, not a string

  • OPENAM-12574: SAML2Utils.sendRequestToOrigServer throws NullPointerException on processing Cookies

  • OPENAM-12498: Authorization Grant response returns scope(s) in the URL

  • OPENAM-12228: WebAgent REST API queryFilter expression does not work and acts as "true"

  • OPENAM-12186: Introspect endpoint for RPT does not check the authorization scheme

  • OPENAM-11921: Incorrect NameId Format offered for SAML2 auth module in console

  • OPENAM-11863: CORSFilter position in web.xml should come before most filters

  • OPENAM-11778: Getting accessToken using authorization_code results in Unhandled exception

  • OPENAM-11338: OpenID Connect id_token bearer auth module mixes up aud, azp during verification

  • OPENAM-10869: SAML2 Authentication module error "Unable to link local user to remote user" is ambiguous.

  • OPENAM-10843: When generating an OIDC token through STS a "kid" value is not specified

  • OPENAM-10127: SessionMonitoringStore should only be instantiated when monitoring is enabled

  • OPENAM-9931: Global Session Service - two fields with the exact same name (Redundant 'Global Attributes' setting should be removed)

  • OPENAM-9777: Json Web Key URI in OAuth2 OpenID connect client config pre-populated incorrectly

  • OPENAM-9459: 500 Internal Server Error from changePassword endpoint with AD repo

  • OPENAM-5867: Data Store LDAP server (admin-ordered) list is reordered by OpenAM

Fixes in AM 7.4.x

This page lists the cumulative fixes in AM 7.4.x releases:

AM 7.4.1

  • OPENAM-22753: Destroy All session may fail to work

  • OPENAM-22715: PlaceholderAnnotationUtils.insertDefaultValueIntoPlaceholder is not escaping values correctly

  • OPENAM-22696: Persistent search notification invalidation on AD identity store doesn’t invalidate user cached attributes

  • OPENAM-22620: Slow response from access token endpoint using client credentials grant

  • OPENAM-22602: OIDC ID Token Validator node uses own httpClient settings to connect to JWK or well-known URL

  • OPENAM-22421: Webauthn: Windows Hello TPM Attestation failing for Windows 11 22H2

  • OPENAM-22289: Session quota action may fail when the session isn’t updatable but should be fine to proceed

  • OPENAM-22181: Approve UMA request fails with 500 error when AM deployed as a platform

  • OPENAM-22171: Forgotten password fails when AM searches for the identity to modify

  • OPENAM-22119: "Access to Java class ScriptedLoggerWrapper prohibited" exception

  • OPENAM-22109: The expiry time of OPS token in 7.x doesn’t change with the time of tokens created

  • OPENAM-22017: Configuration Provider node creates node class dynamically leading to native memory leak

  • OPENAM-21976: Single point of locking contention when doing client-based session logout

  • OPENAM-21972: SAML artifact binding is using crosstalk for artifact resolution

  • OPENAM-21941: Unable to edit policies in the UI

  • OPENAM-21937: Quota enforcement affects agent sessions that authenticate by tree

  • OPENAM-21936: Unable to use legacy and next-generation scripts in the same authentication tree

  • OPENAM-21868: ssoadm create-sub-cfg not working for AM 7.2+ due to the context= field

  • OPENAM-21854: TermsAndConditionsCallback fails with error on XUI

  • OPENAM-21803: Certificate User Extractor node cannot resolve wrong name when UPN SubjectAltNameExt

  • OPENAM-21780: Next-generation httpClient script binding adds "null" as entity to GET requests

  • OPENAM-21664: Upgrade fails to AM 7.4.0 with an uncaught exception when initializing the PrivilegeIndexStore class

  • OPENAM-21484: OAuth 2.0 token introspection response has different claim value types when introspecting refresh tokens

  • OPENAM-21473: Certificate Collector node: getPortalStyleCert throws exception when cert/header not present

  • OPENAM-21466: AM using OIDC social authentication fails to verify ID token if remote JWK_URIs have duplicate KID

  • OPENAM-21191: Web agent sessions have a long session lifetime of 42 years

  • OPENAM-20609: Inconsistent error message when generating access token using refresh token after changing username

  • OPENAM-19999: ID token as AM session doesn’t work with /authorize when openid scope is requested

  • OPENAM-19889: Policy evaluation fails with agent access token JWT as subject

  • OPENAM-17816: 500 Internal Server Error (from NPE) returned for a missing Content-Type header

AM 7.4

  • OPENAM-21476: Persistent Cookie isn’t created when using Configuration Provider node

  • OPENAM-21421: Scripting logger name isn’t based on logging hierarchy convention

  • OPENAM-21390: Fix caching error when a journey switches backend instances to correctly provide data to nodeState

  • OPENAM-21360: Add java.util.concurrent.ExecutionException to AM scripting class allowlist

  • OPENAM-21323: LDAP (inline) upgrade fails due to policy creation of UssSelfWriteAttributes

  • OPENAM-21304: Retain request URI values specified during dynamic client registration

  • OPENAM-21164: Fix type issue of XML String in SAML responses when using a custom adapter

  • OPENAM-21160: Make sure secure state values are retained when navigating the authentication tree

  • OPENAM-21158: Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2

  • OPENAM-21085: Undefined bindings are incorrectly evaluated in Groovy scripts

  • OPENAM-21069: WindowsDesktopSSO authentication is failing

  • OPENAM-21053: Missing userId from Access audit log when org.forgerock.security.oauth2.enforce.sub.claim.uniqueness=false in JWT client authentication flow

  • OPENAM-21010: Social authentication user profile corrupted when remote OIDC server provides non-English identity claims

  • OPENAM-21004: AM will always look for valid session when scope=openid

  • OPENAM-21001: SAML IdPAccountMapper isn’t correctly determined

  • OPENAM-20980: OIDC social provider uses configured issuer instead of wellknown endpoint issuer when using regex comparison

  • OPENAM-20953: Return subject attributes correctly when evaluating a policy using a JwtClaim as subject type

  • OPENAM-20920: Improve handling of SAML2 IDP metadata that uses SSO endpoint entries other than HTTP-POST or HTTP-Redirect bindings when binding is null

  • OPENAM-20897: Debug logs not showing info for ERROR: Unsupported Callback, "{0}" and others

  • OPENAM-20895: Newly created Maven archetype project for building custom authentication nodes fails to build

  • OPENAM-20851: Existing registered devices unable to use push notifications when AWS SNS credentials are updated

  • OPENAM-20784: TestUMAPolicy fails for users that will cause LocalizedIllegalArgumentException

  • OPENAM-20756: Social authentication request for Apple fails due to duplicated response_mode=form_post request parameter

  • OPENAM-20691: Fix rare race condition in session quota destroy next expiring action that can lead to the oldest session not being destroyed

  • OPENAM-20682: Unable to encrypt from jwk_uri where there are multiple JWKs with the same kid but different algorithms

  • OPENAM-20490: AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes"

  • OPENAM-20451: Fix to display user-friendly account name during WebAuthn device registration

  • OPENAM-20299: Fix to make agent authentication honor com.iplanet.am.session.agentSessionIdleTime

  • OPENAM-20230: Class allowlisting denies access to permitted classes after running for an extended period of time

  • OPENAM-20026: Social IDP with trailing whitespace in the name can’t be deleted using the UI

  • OPENAM-20024: Improve debug logging when login to XUI fails with HTTP 404 JsonValueException from endpoint

  • OPENAM-19282: Recovery Code Display Node works only immediately after Registration node

  • OPENAM-19261: Fix incorrectly logged errors when introspecting tokens using OAuth 2.0 client credentials grant

  • OPENAM-18709: New nodeState.getObject method added to return values stored in both shared and secure state

  • OPENAM-18685: New realm-level configuration setting to remove or skip subname claim

  • OPENAM-18004: Support sequential transaction IDs to improve audit logging for HTTP requests to IDM

  • OPENAM-17331: Push Notifications: User with disabled endpoint is not able to login

  • OPENAM-17179: Deleting an authentication tree leaves orphaned nodes that prevent deletion of referenced scripts

AM 7.3.x

AM 7.3.1

  • OPENAM-22017: ConfigProviderNode creates node class dynamically leading to native memory leak

  • OPENAM-21976: Single point of locking contention when performing client-based session logout

  • OPENAM-21941: Unable to edit policies in the UI

  • OPENAM-21854: TermsAndConditionsCallback fails with error on XUI

  • OPENAM-21728: Certificate module fails using JDK 11.0.21 and later with undefined access to private method

  • OPENAM-21484: Introspecting OAuth 2.0 refresh tokens results in different claim value types in the response

  • OPENAM-21421: Scripting logger name isn’t based on logging hierarchy convention

  • OPENAM-21390: ConsumedStateDataCache can cache an incomplete set of reachability data when on multi-AM environment

  • OPENAM-21304: OAuth 2.0 dynamic client registrations don’t retain request_uri values when creating

  • OPENAM-21164: Calling toXMLString in custom SAML adapter can return incorrectly formatted XML leading to invalid signature

  • OPENAM-21160: Inconsistent values in secure state when navigating an authentication tree

  • OPENAM-21158: Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2

  • OPENAM-21069: WindowsDesktopSSO authentication is failing

  • OPENAM-21010: Social authentication user profile corrupted when remote OIDC server provides non-English words

  • OPENAM-21004: AM will always look for valid session when scope=openid

  • OPENAM-21001: IdPAccountMapper is not correctly determined

  • OPENAM-20980: Unable to use issuer comparison check regex in oidc social provider

  • OPENAM-20897: Debug logs not showing info for ERROR: Unsupported Callback, "{0}" and others

  • OPENAM-20895: Newly-created Maven archetype project fails to build

  • OPENAM-20756: OIDC social authentication request (Apple) fails due to duplicate response_mode=form_post request parameter

  • OPENAM-20691: Destroy oldest session may fail to work

  • OPENAM-20682: Unable to encrypt from jwk_uri when there are duplicate kid values

  • OPENAM-20490: AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes"

  • OPENAM-20026: Trailing whitespace prevents social provider deletion via UI

  • OPENAM-19999: ID token as AM session doesn’t work with /authorize when openid scope is requested

  • OPENAM-19889: Policy evaluation fails with agent access token JWT as subject

  • OPENAM-19282: Recovery Code Display Node works only immediately after Registration node

  • OPENAM-18599: Allow for custom error message if user account is locked

AM 7.3

  • OPENAM-20396: Authentication tree is selected by order of acr to tree mapping, not the default values, and order is not preserved

  • OPENAM-20360: Ampersand is double encoded in the Destination of a SAML Assertion

  • OPENAM-20260: Unable to log into AM when external application store is down

  • OPENAM-20230: Class allowlisting fails with permission denied after an extended period

  • OPENAM-20181: AD account notification fails

  • OPENAM-20159: Upgrader adds requestObjectProcessing to OAuth2Provider subconfigs

  • OPENAM-20104: The fragment response_mode for the /oauth2/authorize endpoint is not working

  • OPENAM-20085: STS token generation does not work with clustered docker pods

  • OPENAM-20082: Locked out users are shown a misleading error message

  • OPENAM-19868: Correctly handle multi-line text in Email Suspend nodes

  • OPENAM-19866: Excessive logging when accessing protected resources

  • OPENAM-19726: The par endpoint doesn’t return a request_uri when using JAR and claims are provided

  • OPENAM-19515: Unable to update session service with read only identity store

  • OPENAM-18818: Persistent search error message shows wrong DS identifier

  • OPENAM-18488: Windows Hello with TPM/platform authenticator returns two certificates

  • OPENAM-18172: Multiple instances of "No Social Authentication Service found for realm" logged at WARNING level

  • OPENAM-17215: Policy debug log fills up at very high pace if the config store is not found

  • OPENAM-13766: No configuration found for login with SessionConditionAdvice=deny

AM 7.2.x

AM 7.2.2

  • OPENAM-22380: LDAP Decision node adding wrong username causing incorrect log messages

  • OPENAM-22289: Correctly check failure to save read session causing session quota failure

  • OPENAM-22017: ConfigProviderNode creates node class dynamically leading to native memory leak

  • OPENAM-21976: Single point of locking contention when doing client-based session logout

  • OPENAM-21972: SAML artifact binding fails in load-balanced deployment

  • OPENAM-21941: Unable to edit policies in the UI

  • OPENAM-21937: Quota enforcement affecting agent sessions that authenticate by tree

  • OPENAM-21728: Certificate module fails using JDK 11.0.21 and later with undefined access to private method

  • OPENAM-21484: Introspecting OAuth 2.0 refresh tokens results in different claim value types in the response

  • OPENAM-21473: Certificate collector node: getPortalStyleCert throws exception when cert/header not present

  • OPENAM-21390: ConsumedStateDataCache can cache an incomplete set of reachability data when on multi-AM environment

  • OPENAM-21304: OAuth 2.0 dynamic client registrations don’t retain request_uri values when creating

  • OPENAM-21160: Ensure secure state values are retained when navigating the authentication tree

  • OPENAM-21010: Social authentication user profile corrupted when remote OIDC server provides non-English identity claims

  • OPENAM-21004: AM will always look for valid session when scope=openid

  • OPENAM-21002: CTS task queue full and SeriesTaskExecutorThread can get stuck waiting

  • OPENAM-20897: Issue with logging unsupported callbacks

  • OPENAM-20783: OAuth 2.0 authorization code flow throws an error when content-type isn’t x-www-form-urlencoded and body isn’t JSON

  • OPENAM-20756: Social authentication request for Apple fails due to duplicated response_mode=form_post request parameter

  • OPENAM-20682: Unable to encrypt from jwk_uri where there are multiple JWKs with the same kid but different algorithms

  • OPENAM-20396: Authentication tree is selected by order of acr to tree mapping, not the default values, and order is not preserved

  • OPENAM-20104: The fragment response_mode for the /oauth2/authorize endpoint is not working

  • OPENAM-20026: Social IDP with trailing whitespace in the name can’t be deleted using the UI

  • OPENAM-19999: ID token as AM session doesn’t work with /authorize when openid scope is requested

  • OPENAM-19282: Recovery Code Display node works only immediately after Registration node

  • OPENAM-19261: Fix incorrectly logged errors when introspecting tokens using OAuth 2.0 client credentials grant

  • OPENAM-18599: Allow for custom error message if user account is locked

  • OPENAM-17816: 500 internal server error (from NPE) returned for a missing Content-Type header

AM 7.2.1

  • OPENAM-20360: Ampersand is double encoded in the Destination of a SAML Assertion

  • OPENAM-20318: Accessing AM end user login page for PlatformLogin journey in platform environment shows non-rendered html

  • OPENAM-20260: Unable to log into AM when external application store is down

  • OPENAM-20230: Class allowlisting fails with permission denied after an extended period

  • OPENAM-20181: AD account notification fails

  • OPENAM-20082: Locked out users are shown a misleading error message

  • OPENAM-20031: Access token modification can no longer access refresh token reference

  • OPENAM-19884: AM returns 500 error when ; is used in the access token header

  • OPENAM-19684: Error EntitlementService.getSubjectAttributesCollectorConfiguration logged on initial agent access

  • OPENAM-19537: UserSelfCheckCondition.getConditionDecision logging WARN too much when nothing wrong

  • OPENAM-19515: Unable to update session service with read-only identity store

  • OPENAM-19506: Installer fails after pressing "cancel" button at amadmin password page

  • OPENAM-19455: Adding Authentication Context without Level value results in uneditable entity

  • OPENAM-18818: Persistent search error message shows wrong DS identifier

  • OPENAM-18172: Multiple instances of "No Social Authentication Service found for realm" logged at WARNING level

  • OPENAM-17215: Policy debug log fills up at very high pace if the config store is not found

  • OPENAM-16241: Switching CTS Storage Scheme with stateful refresh-tokens from 1-1 to grantset

  • OPENAM-12101: Connection pool not restarted if LDAP authentication module admin bind password is incorrect

AM 7.2

  • OPENAM-19427: KBA questions are not falling back to the default language when French is present in the restart password flow

  • OPENAM-19384: Suspended Authentication Resume URI is resolved with a missing /

  • OPENAM-19381: Timer Stop Node’s stop recording does not capture the reference start time of the Timer Start Node

  • OPENAM-19380: Social Google node does not work if placed after an input collector in a tree

  • OPENAM-19359: Social authentication not working on Subrealms

  • OPENAM-19297: OIDC MayAct claims script fails to access clientProperties and causes Java security exception

  • OPENAM-19290: In a cluster, changing AM debug level on local AM2 to remote AM1 does not take effect until the remote AM1 is restarted

  • OPENAM-19281: OIDC dynamic client registration cannot take \n in the client_description

  • OPENAM-19266: Cannot add Page Headers or Page Descriptions to page nodes in tree editor

  • OPENAM-19220: WebAuthN/Fido - Cannot authenticate with recovery codes on Windows

  • OPENAM-19208: Webhook with an empty url field throws NPE during a webhook session upgrade

  • OPENAM-19196: JavaScript origins in the OAuth2 Client need a restart to apply the changes

  • OPENAM-19190: LDAPAuthUtils for BASE_OBJECT does not work with special userId characters

  • OPENAM-19162: REST API definition inaccurate for endpoint /realm-config/saml

  • OPENAM-19123: AM validates duplicate registration tokens

  • OPENAM-19122: AM’s jwks_uri endpoint should preserve order of keys within the set

  • OPENAM-19108: "Agent" auth tree creates tokens with insufficient permissions

  • OPENAM-19086: rest-sts endpoint is not included when CORS is enabled

  • OPENAM-19083: Creating a client-based access and refresh token breaks subsequent use of Session Quotas

  • OPENAM-19042: When using Apple SSO, the Social Identity Provider Handler node ignores the user info returned

  • OPENAM-18996: Issues with trees and navigating quickly between Social Login providers

  • OPENAM-18990: Non-compliant OAuth 2.0 error response generated

  • OPENAM-18953: Insufficient logging when OAuth 2.0 token request fails due to invalid client secret

  • OPENAM-18952: KBA questions are not falling back to the default language when French is present

  • OPENAM-18928: Client credential OAuth 2.0 request results in searches for OAuth 2.0 client against the Identity Store

  • OPENAM-18921: Double slashes in OAuth 2.0 claim names are handled incorrectly

  • OPENAM-18891: JWT Profile Oauth 2.0 grant returns invalid_grant

  • OPENAM-18883: Inconsistent error response from Client authentication using private_key_jwt

  • OPENAM-18877: Creating SAML providers with entity ids containing the plus (+) symbol results in errors listing and creating new providers

  • OPENAM-18864: Upgrade Radius Server Client Secrets fails due to service config cache cleared

  • OPENAM-18833: Client authentication using private_key_jwt will cause 500 if claims value is null

  • OPENAM-18775: LdapDecisionNode throws NullPointerException on shared IDM Repository DataStore when Password change policy triggered

  • OPENAM-18756: Entering correct OTP after an incorrect OTP fails authentication

  • OPENAM-18754: User profile success URL ignored when authenticating with trees

  • OPENAM-18753: Upgrading AM Radius server with clients causes Radius auth failures

  • OPENAM-18705: Problem with Page Node using node relying on secureState

  • OPENAM-18701: DN cache doesn’t get deleted in some cases

  • OPENAM-18684: Redirect to authorize endpoint fails for 2nd OIDC App for Federated Users with multiple OIDC Clients

  • OPENAM-18679: OATH Registration node doesn’t work when placed inside a Page node

  • OPENAM-18663: AM should check new realm with rest end-point names by ignoring case

  • OPENAM-18661: Two or more OAuth2 clients with duplicate origins cause CORS filter to be aborted

  • OPENAM-18655: Deleting OAuth2 Client provides unneeded Notification error message in IdRepo

  • OPENAM-18644: IdRepo cache cannot be disabled anymore

  • OPENAM-18640: REST-STS uses the old path to reach the users endpoint

  • OPENAM-18623: Issue with jwk_uri endpoint called in parallel

  • OPENAM-18610: RealmOAuth2ProviderSettings for getJwks permits an empty set

  • OPENAM-18605: Proxy authentication required error when connecting to a target host over https via a proxy that requires authentication

  • OPENAM-18586: No debug message when AM can’t read the encrypted_base64 folder after upgrade

  • OPENAM-18573: URLPatternMatcher or RedirectURLValidator fails when query string contains "%20"

  • OPENAM-18547: Unable to load PlatformRegistration when Using Stateless Access Token with BaseURL

  • OPENAM-18533: Distinguish between standard OIDC and JAR OIDC request parameters

  • OPENAM-18524: Client assertion JWT generated for private_key_jwt OAuth 2.0 client authentication does not provide a "kid" header and can be rejected by external OAuth 2.0 providers

  • OPENAM-18523: NullPointerException when Web Agent group is changed

  • OPENAM-18487: Trust anchor check fails with Yubikey

  • OPENAM-18460: max_age parameter is overwritten

  • OPENAM-18459: IdTokenInfo endpoint behavior has changed and fails when using client_id in POST

  • OPENAM-18457: OIDC authentication nodes do not work in sub-realm when response_mode=form_post is requested from OP

  • OPENAM-18443: Transactional authentication is disabled on new installs

  • OPENAM-18436: UMA pending requests are stored differently depending on sub claim uniqueness mode

  • OPENAM-18434: Authorization Code flow redirects to malformed uri if redirect_uri contains underscore

  • OPENAM-18432: Remove the internal idm-delegation grant type from the well known info

  • OPENAM-18422: Email Template node creates threads without terminating them

  • OPENAM-18389: HttpClientHandler Guice injection in tree is typically broken with thread pool growth

  • OPENAM-18384: Email Suspend Node clears the secure state

  • OPENAM-18377: Authorization fails using auth module if user has authenticated with alias name

  • OPENAM-18359: Choice Collector Node not present following upgrade

  • OPENAM-18321: CertificateCollectorNode fails when checking cert in LDAP Directory Server

  • OPENAM-18306: OAuth 2.0 Authorization Code Grant Fails when including scope parameter at access_token endpoint

  • OPENAM-18297: Outbound calls to jwk_uri endpoint do not support proxy settings

  • OPENAM-18268: webauthnDeviceProfiles is not multi-valued for AD

  • OPENAM-18256: JWK Cache timeout is not set for OAuth 2.0 clients created dynamically

  • OPENAM-18252: Allow nodes to update the universal ID for use cases like impersonation and peer authentication

  • OPENAM-18235: IdPAdapter does not have access to IDPCache in preSendResponse hook when there is an existing session

  • OPENAM-18227: Upgrade from 6.0.x / 6.5.x fails with Unsupported node type PersistentCookieDecisionNode

  • OPENAM-18212: Check for user/agent profile condition during login can be refined further

  • OPENAM-18207: Global Service cache is not updated by changes from other servers in a site

  • OPENAM-18205: Excessive logging occurs when agent profile is not found

  • OPENAM-18180: No TransactionId present for AuthTreeExecutor

  • OPENAM-18171: Back-Channel logout keeps adding to trackingIds audit for every logout

  • OPENAM-18167: OIDC requests with request parameter fail with 500 error when there is no session using POST

  • OPENAM-18153: OpenIdConnect node call to well-known endpoint does not support proxy settings

  • OPENAM-18149: Wrong log file is used for SAML2 extensions log message

  • OPENAM-18141: AM no longer uses global SAML configuration

  • OPENAM-18140: AM Error "Trying to redefine version 0.0 for path" thrown on AM startup with forgeops

  • OPENAM-18132: Failed to get the distinct userIdAttributes for configured identity stores in realm

  • OPENAM-18121: Complex authentication trees load slowly

  • OPENAM-18120: Audit logging service does not correctly reflect the "prompt" URL parameter

  • OPENAM-18119: Audit log no longer shows the userID of session being invalidated by amAdmin

  • OPENAM-18118: OAuth 2.0 - AM does not implement 'device authorization grant' as specified in RFC 8628

  • OPENAM-18112: Misleading error message when LDAP auth node connects to a TLS-enabled server

  • OPENAM-18090: Creation of UMA Policy to share a resource fails when identities have custom attributes

  • OPENAM-18085: SocialProviderHandlerNode does not work in an upgraded AM

  • OPENAM-18068: Upgrade from AM 6.5.3 to 7.1.0 does not work if a Java Agent profile exists

  • OPENAM-18065: Logback.jsp cannot be used to set log levels for loggers in custom code

  • OPENAM-18062: SPACSUtils withholds exception and does not log error

  • OPENAM-18057: Identities page displays Internal Server Error when a user does not have search attribute defined

  • OPENAM-18043: Device Match module not setting correct AuthLevel

  • OPENAM-18030: Message node shows inconsistent behavior regarding the default locale

  • OPENAM-18017: Creation of UMA Policy to share a resource fails when identities have custom object classes

  • OPENAM-18009: HTTP error code 500 when authenticating with authIndexType service without authIndexValue

  • OPENAM-18006: Persistent search for identity store does not recover

  • OPENAM-18003: WS-Federation Active Requestor Profile does not work with Authentication Trees

  • OPENAM-17993: org.forgerock.openam.auth.nodes.webauthn.trustanchor.TrustAnchorValidator is missing a @Nullable annotation

  • OPENAM-17979: Backchannel authentication auth_req_id can be used to obtain multiple access tokens

  • OPENAM-17973: Retrieving auth code in a realm fails if session for another realm exists

  • OPENAM-17962: LDAP Decision Node does not put updated password in transient state

  • OPENAM-17954: Accept-Language header locale ignored on OAuth 2.0 Consent page

  • OPENAM-17935: Missing return statement in the happy flow of the kerberos node

  • OPENAM-17923: Retry Limit Decision should not involve user when Save Retry Limit to User is disabled

  • OPENAM-17916: When no session exists, logout page redirects to login

  • OPENAM-17912: Account lockout count is not reset correctly

  • OPENAM-17904: JSON Audit Log Location not working when modifying location to only include %SERVER_URI% variable

  • OPENAM-17896: ForgottenPassword Reset on multiple clusters not working when reset link is clicked

  • OPENAM-17870: ScriptedDecisionNodes schema config not upgraded and sharedState does not work after upgrade

  • OPENAM-17830: Error messages are logged when the Push Notification Service is absent

  • OPENAM-17828: Apostrophe in username breaks Push/OATH device registration

  • OPENAM-17826: introspect endpoint returns a static value for expires_in when using client-based tokens

  • OPENAM-17814: Auth Tree step-up fails if username case does not match

  • OPENAM-17793: OIDC pairwise subject not working when multiple redirect URIs configured with the same hostname

  • OPENAM-17783: Language tag limited to 5 characters instead of 8

  • OPENAM-17782: Policy evaluation fails with 400 error when user does not exist

  • OPENAM-17760: PEM support incorrectly decodes some EC private keys

  • OPENAM-17718: OAuth 2.0 introspection endpoint does not accept Accept header with extra accept extension param (like weight q=0.8) or charset

  • OPENAM-17689: LDAPv3PersistentSearch should log when psearch connection is lost

  • OPENAM-17688: InMemoryCtsSessionCacheStep#cacheTrusted field should be marked volatile

  • OPENAM-17683: Selfservice user registration auto login fails for a sub-realm

  • OPENAM-17678: Radius server fails to initialize on startup due to Config cache refreshed

  • OPENAM-17677: oauth2/device/code endpoint does not support locale parameter

  • OPENAM-17663: Improve the error response code for "Failed to revoke access token"

  • OPENAM-17610: OTP Email Sender node does not let you specify connect timeout and IO/read timeout for underlying transport

  • OPENAM-17593: Deadlock when admin token is invalid and when config data is cleared

  • OPENAM-17591: Session quota destroy next expiring action can fail when two new sessions attempt to read and update the same expiring session

  • OPENAM-17590: OIDC login hint cookie broken since 7.0

  • OPENAM-17587: OIDC bearer token authentication module requires context value setting for client secret

  • OPENAM-17548: Can’t go back to login page after invoking Social Authentication Nodes

  • OPENAM-17521: Insufficient error logging to track down Multivalued RDNs not supported issue

  • OPENAM-17515: Sub attribute in access token can be in wrong case

  • OPENAM-17493: OAuth 2.0 node does not support external proxy authentication (user/pass)

  • OPENAM-17440: OAuth 2.0 service provider does not error if IAT attribute is mandatory but not issued

  • OPENAM-17426: No validation for attribute collector node

  • OPENAM-17405: Token introspection response not spec compliant

  • OPENAM-17351: AM File based config setup cannot be used with AM recording to dump the config

  • OPENAM-17320: Revisit prompt=login behavior change that keeps existing session

  • OPENAM-17308: Custom IdRepo uninstall realm-config/services/id-repositories?_action=nextdescendents fails

  • OPENAM-17265: Amster updates incorrect authorized_keys file

  • OPENAM-17040: UMA policy creation does not work with shared repo

  • OPENAM-16988: accessedEndpoint including port causes verify Assertion Consumer URL to fail

  • OPENAM-16953: Custom idrepo sample using IdRepoConfig does not work

  • OPENAM-16881: SAML federation library stopped supporting ACS URLs with query parameters

  • OPENAM-16653: Identity using fr-idm-uuid has wrong account ID in FR Authenticator

  • OPENAM-16642: Server id creation can fail when id is greater than 100

  • OPENAM-16490: OWASP ESAPI broken

  • OPENAM-16418: Client auth using private_key_jwt fails with 500 if claim format is wrong

  • OPENAM-16262: Javadocs for IdUtils need updating

  • OPENAM-16216: Get Session Data node improvements

  • OPENAM-15472: HOTP - text for performed attempts is hard-coded and not localisable

  • OPENAM-15408: oauth2/connect/jwk_uri does not expose keys of the remote consent agent profile

  • OPENAM-15278: "Access Denied" error when accessing logout link and not currently signed in

  • OPENAM-14343: AM console - localisation issue for algorithms in global Common Federation Configuration

  • OPENAM-13855: CTS creates too many connections to DS

  • OPENAM-13312: Stateless non-expiring refresh tokens fail with "invalid_grant"

  • OPENAM-12969: UMA Resource deletion results in a 500 error unless another resource has been created within the same resource set

  • OPENAM-11636: IdP-Proxy - proxyidpfinder.jsp is not triggered when 'Use IDP Finder' is enabled for remote SP entity

AM 7.1.x

AM 7.1.4
  • OPENAM-21004: AM will always look for valid session when scope=openid

  • OPENAM-21002: CTS task queue full and SeriesTaskExecutorThread can get stuck waiting

  • OPENAM-20897: Issue with logging unsupported callbacks

  • OPENAM-20691: Destroy oldest session may fail to work

  • OPENAM-20396: Authentication trees are selected in order of ACR - tree mapping (not in the default order) and order is not preserved

  • OPENAM-20318: Accessing AM End user login page for PlatformLogin journey in platform environment shows non-rendered HTML

  • OPENAM-20260: Unable to log into AM when external application store is down

  • OPENAM-20230: Class whitelisting fails with permission denied after an extended period

  • OPENAM-20181: AD account notification fails

  • OPENAM-20085: STS token generation does not work with clustered docker pods

  • OPENAM-20082: Locked out users are shown a misleading error message

  • OPENAM-19954: SAML hosted entity uses algorithm set in common federation configuration instead of algorithm set in hosted entity configuration

  • OPENAM-19362: AM to DS certificate log message logged at warning instead of error or critical

  • OPENAM-18818: Persistent search error message shows wrong DS identifier

  • OPENAM-18629: RestSTS should validate sessions with a local call and use asynchronous HTTP calls for remote calls

  • OPENAM-18488: Windows Hello with TPM/platform authenticator returns two certificates

  • OPENAM-17591: Session quota action destroy next expiring token can fail when two new sessions attempt to read and update the same expiring session

  • OPENAM-17215: Policy debug log fills up at very high pace if the config store is not found

  • OPENAM-13766: No configuration found for login with SessionConditionAdvice=deny

AM 7.1.3
  • OPENAM-19884: AM returns 500 when ';' is used in access token header

  • OPENAM-19865: Memory Leak due to samlResponseDataHash not being cleaned up

  • OPENAM-19649: ID token not linked to session when authorising with sso token

  • OPENAM-19613: 'PSearch is already removed' error message should be a warning

  • OPENAM-19537: UserSelfCheckCondition.getConditionDecision logs WARN too often when nothing is wrong

  • OPENAM-19530: Upgrade fails when Organization schema defaults are missing for service 'sunFAMSAML2Configuration'

  • OPENAM-19515: Unable to update session service with read only identity store

  • OPENAM-19512: Faulty Legacy OAuth 2.0 frrest/oauth2 endpoints

  • OPENAM-19506: Installer fails after pressing "cancel" button at amadmin password page

  • OPENAM-19455: Adding Authentication Context without Level value results in uneditable entity

  • OPENAM-19427: Display security questions in the correct default language

  • OPENAM-19384: Suspended Authentication Resume URI is resolved with a missing '/'

  • OPENAM-19381: Timer Stop Node’s stop recording does not capture the reference start time of the Timer Start Node

  • OPENAM-19297: OIDC MayAct claims script fails to access clientProperties and causes Java security exception

  • OPENAM-19290: In a cluster, changing AM debug level on local (AM2) to remote (AM1) does not have effect until restart of AM1

  • OPENAM-19281: OIDC dynamic client registration cannot handle "\n" in the client_description

  • OPENAM-19220: WebAuthN/Fido - cannot authenticate with recovery codes on Windows

  • OPENAM-19208: Webhook with an empty url field throws NPE during a webhook session upgrade

  • OPENAM-19190: LDAPAuthUtils for BASE_OBJECT does not work with special userId characters

  • OPENAM-19162: REST API definition inaccurate for endpoint '/realm-config/saml'

  • OPENAM-19123: AM validates duplicate registration tokens

  • OPENAM-19122: AM’s jwks_uri endpoint should preserve order of keys within the set

  • OPENAM-19119: GetAuthenticatorApp Node needs better localization support

  • OPENAM-19112: AM with embedded DJ always runs DJ backup and upgrade

  • OPENAM-19111: Insufficient debug logging to troubleshoot error "Illegal arguments: One or more required arguments is null or empty" when performing a user identity subject update via the REST API

  • OPENAM-19109: Insufficient debug logging to troubleshoot CORS service

  • OPENAM-19108: "Agent" auth tree creates tokens with insufficient permissions

  • OPENAM-19086: rest-sts endpoint is not included when CORS is enabled

  • OPENAM-19083: Creating a client-based access & refresh token breaks subsequent use of Session Quotas

  • OPENAM-19016: Logback.jsp should show the actual setting of the loggers instead of defaults

  • OPENAM-19011: QR code message used in MFA Authentication node should be customizable / localizable

  • OPENAM-18990: Non-compliant OAuth2 error response generated

  • OPENAM-18952: KBA questions are not falling back to the default language when French is present

  • OPENAM-18891: JWT Profile Oauth2 Grant returns 'invalid_grant'

  • OPENAM-18835: JCEEncryption throws ArrayIndexOutOfBoundException when decrypting empty bytes

  • OPENAM-18834: AM fails to start when upgrading after using am-upgrader

  • OPENAM-18655: Deleting OAuth2 Client causes unnecessary notification error message in IdRepo

  • OPENAM-18478: XUI shows incorrect subjectType following upgrade from AM < 6.5.3

  • OPENAM-18457: OIDC authentication nodes do not work in sub-realm when response_mode=form_post is requested from OP

  • OPENAM-18432: Remove the internal idm-delegation grant type from the well known info

  • OPENAM-18384: Email Suspend Node clears the secure state

  • OPENAM-18268: webauthnDeviceProfiles is not multi-valued for AD

  • OPENAM-18252: Allow nodes to update the universal ID for use cases like impersonation and peer authentication

  • OPENAM-18196: More meaningful error message when Client Secret is not URL-encoded

  • OPENAM-18172: Multiple instances of "No Social Authentication Service found for realm" logged at WARNING level in logs

  • OPENAM-18149: Wrong log file is used for SAML2 extensions log message

  • OPENAM-18132: Failed to get the distinct userIdAttributes for configured identity stores in realm

  • OPENAM-18113: LDAP authentication node : change of connection mode does not recreate the connection pool

  • OPENAM-18112: Misleading error message when LDAP auth node connects to a TLS-enabled server

  • OPENAM-18062: SPACSUtils withholds exception and does not log error

  • OPENAM-17973: Retrieving auth code in a realm fails if session for another realm exists

  • OPENAM-17882: Slow memory leaks when persistent search starts a retry activity when persistent search fails

  • OPENAM-17835: Do not display "Unable to retrieve instance of the ValidationServiceConfig" after IdP-initiated SSO

  • OPENAM-17688: InMemoryCtsSessionCacheStep#cacheTrusted field should be marked volatile

  • OPENAM-17351: AM File based config setup cannot be used with AM recording to dump the config

  • OPENAM-17308: Custom IdRepo uninstall realm-config/services/id-repositories?_action=nextdescendents fails

  • OPENAM-17201: XMLEncryption does not comply with standard when 'rsa-oaep-mgf1p' is being used

  • OPENAM-16953: Custom idrepo sample using IdRepoConfig does not work

  • OPENAM-16878: Scripted Decision Node secrets binding object does not have public API

  • OPENAM-16490: OWASP ESAPI lib is missing some classes

  • OPENAM-16241: Switching CTS Storage Scheme with stateful refresh-tokens from 1-1 to grantset

  • OPENAM-15997: Enhance CookieHelper to perform better cookie detection

  • OPENAM-15472: HOTP - text for performed attempts is hard-coded and not localisable

  • OPENAM-15408: oauth2/connect/jwk_uri does not expose keys of the remote consent agent profile

  • OPENAM-14343: AM console - localisation issue for algorithms in global Common Federation Configuration

  • OPENAM-13766: No configuration found for login with SessionConditionAdvice=deny

  • OPENAM-12992: Misleading error message in XUI console when existing DNS alias is provided

  • OPENAM-12101: Connection pool not restarted if LDAP authentication module admin bind password is incorrect

  • OPENAM-11319: Add localized "description" for JSON response content to OAuth2UserApplications#getResourceResponse

AM 7.1.2
  • OPENAM-18928: Client credential OAuth2 request results in searches for OAuth2 client against Identity Store

  • OPENAM-18921: Double slashes in oauth2 claim name handled incorrectly

  • OPENAM-18883: Inconsistent error response from Client authentication using private_key_jwt

  • OPENAM-18864: Upgrade Radius Server Client Secrets fails due to service config cache cleared

  • OPENAM-18836: No TransactionId on "debug.out" for the AM recording

  • OPENAM-18833: Client authentication using private_key_jwt will cause 500 if claims value is null

  • OPENAM-18780: JwksOAuth2AgentEventListener class not setting the correct default cache miss time value

  • OPENAM-18756: Entering correct OTP after entering wrong OTP fails authentication

  • OPENAM-18753: Upgrading AM Radius server with clients causes Radius auth failures

  • OPENAM-18711: AES Encryption/Decryption fails when running in Java 17

  • OPENAM-18705: Problem with Page Node using node relying on secureState

  • OPENAM-18684: Redirect to /authorize endpoint fails for second OIDC app for federated users with multiple OIDC clients

  • OPENAM-18679: OATH Registration node doesn’t work when placed inside a 'Page' node

  • OPENAM-18663: AM should check new realm names against REST endpoint names ignoring case

  • OPENAM-18661: Two or more OAuth2 clients with duplicate origins cause CORS filter to be aborted

  • OPENAM-18646: Upgrade from AM 7.1.0 to 7.2+ may fail because of upgrading an existing Java agent profile

  • OPENAM-18644: IdRepo cache cannot be disabled anymore

  • OPENAM-18640: REST-STS is using the old path to reach /users endpoint

  • OPENAM-18623: Issue with jwk_uri endpoint called in parallel

  • OPENAM-18610: RealmOAuth2ProviderSettings for getJwks is broken in that it permits an empty set

  • OPENAM-18605: Proxy authentication required error when connecting to a target host over https via a proxy that requires authentication

  • OPENAM-18586: Lack of debugging message when AM is not able to read the encrypted_base64 folder after upgrade

  • OPENAM-18547: Unable to load PlatformRegistration when Using Stateless Access Token with BaseURL

  • OPENAM-18536: Java agent property org.forgerock.agents.session.change.notifications.enabled should be presented in XUI

  • OPENAM-18511: Missing navigation options when an expired link from "Email Suspend" node is used

  • OPENAM-18443: Transactional authentication is disabled on new installs

  • OPENAM-18434: Authorization Code flow redirects to malformed uri if redirect_uri contains underscore

  • OPENAM-18297: Outbound calls to Jwks_URI endpoint do not support proxy settings

  • OPENAM-18256: JWK Cache timeout is not set for OAuth 2.0 clients created dynamically

  • OPENAM-18175: SMSUtils#addAttributesToMap inconsistency with array ordering

  • OPENAM-18141: AM no longer uses global SAML configuration

  • OPENAM-18130: "Agent Configuration Change Notification" uses the same help text in the XUI for Java and Web agents, but the property name is different

  • OPENAM-18120: Audit logging service does not correctly reflect the "prompt" URL parameter

  • OPENAM-18090: Creation of UMA Policy to share a resource fails when identities have custom attributes

  • OPENAM-18030: Message node shows inconsistent behaviour regarding the default locale

  • OPENAM-18005: Insufficient error message to troubleshoot persistent search issue

  • OPENAM-17949: Account lockout applied to tree even when ignore profile selected

  • OPENAM-17904: Json Audit Log Location not working when modifying location to only include %SERVER_URI% variable

  • OPENAM-17833: Internal accepted Audience AUD formed from DNS Alias could be wrong when BaseURL does not have port

  • OPENAM-17830: Error messages are logged when the Push Notification Service is absent

  • OPENAM-17829: External UMA Resource Set using SSL but not StartTLS fails

  • OPENAM-17593: Deadlock when admin token is invalid and when config data is getting cleared

  • OPENAM-17271: Typo for Realm in SAML/Federation debug

  • OPENAM-17102: OAuth2 client bearer authentication has insufficient logs for troubleshooting failing client authentication

AM 7.1.1
  • OPENAM-18604: Formatting issues in Upgrade Report

  • OPENAM-18573: URLPatternMatcher or RedirectURLValidator fails when query string contains "%20"

  • OPENAM-18566: Missing 'org.forgerock.security.oauth2.enforce.sub.claim.uniqueness' after upgrade from 7.1.0

  • OPENAM-18559: Upgrade from 6.5.3 to 7.1.0 fails with UpgradeException - "com.sun.identity.sm.InvalidAttributeValueException: Saved Consent Attribute Name is required."

  • OPENAM-18532: Web Agent property org.forgerock.agents.pdp.javascript.repost has incorrect description in XUI

  • OPENAM-18523: NullPointerException when AgentsRepo with from group is changed

  • OPENAM-18459: IdTokenInfo endpoint behaviour changed from 6.x and fails when using client_id in POST

  • OPENAM-18422: Email Template node creates threads without terminating them

  • OPENAM-18421: In Platform environment, using an Email Template node creates a new thread that does not terminate

  • OPENAM-18389: HttpClientHandler Guice injection in tree is typically broken with thread pool growth

  • OPENAM-18377: Authorization fails using auth module if user has authenticated with alias name

  • OPENAM-18366: Upgrade Report contains unformatted line feeds "%LF%"

  • OPENAM-18359: Choice Collector Node appears to not be present following upgrade

  • OPENAM-18321: CertificateCollectorNode fails when checking cert in LDAP Directory Server

  • OPENAM-18319: Realm is added more than once when session upgrade happens more than once with modules

  • OPENAM-18316: Typo in oauth2 template (templates/touch/authorize.ftl)

  • OPENAM-18306: OAuth2 Authorization Code Grant Fails when including scope parameter at access_token endpoint

  • OPENAM-18258: Failed to load configuration for OAuth2Provider observed after upgrade

  • OPENAM-18241: Permit OAuth2 Modification Script to return scopes as a space-delimited string

  • OPENAM-18235: IdPAdapter does not have access to IDPCache in preSendResponse hook when there is an existing session

  • OPENAM-18227: Upgrade from 6.0.x / 6.5.x can fail at Unsupported node type PersistentCookieDecisionNode

  • OPENAM-18212: Check for user/agent profile condition during login can be refined further

  • OPENAM-18207: Global Service cache is not updated by changes from other servers in a site

  • OPENAM-18205: Excessive logging occurs when agent profile is not found

  • OPENAM-18180: No TransactionId present for AuthTreeExecutor

  • OPENAM-18171: Back-Channel logout keeps adding to trackingIds audit for every logout

  • OPENAM-18167: OIDC requests with request parameter fail with 500 error when there is no session using POST

  • OPENAM-18154: Wrong AMR returned with prompt=login and force authn setting enabled

  • OPENAM-18153: OpenIdConnect node call to well-known endpoint does not support proxy settings

  • OPENAM-18140: AM Error "Trying to redefine version 0.0 for path" thrown on AM startup with forgeops

  • OPENAM-18121: Slow loading in Authentication Tree

  • OPENAM-18119: Audit log no longer shows the userID of session being invalidated by amadmin

  • OPENAM-18090: Creation of UMA Policy to share a resource fails when identities have custom attributes

  • OPENAM-18085: SocialProviderHandlerNode does not work in an upgraded AM

  • OPENAM-18068: Upgrade from AM 6.5.3 to 7.1.0 does not work if a Java Agent profile exists

  • OPENAM-18065: Logback.jsp cannot be used to set log levels for loggers in custom code

  • OPENAM-18057: Identities page displays Internal Server Error when a user does not have search attribute defined

  • OPENAM-18043: Device Match module not setting correct AuthLevel

  • OPENAM-18017: Creation of UMA Policy to share a resource fails when identities have custom object classes

  • OPENAM-18009: AM returns HTTP error code 500 when authenticating with authIndexType service without authIndexValue

  • OPENAM-18006: Persistent search for identity store does not recover

  • OPENAM-18003: WS-Federation Active Requestor Profile does not work with Authentication Trees

  • OPENAM-17993: The org.forgerock.openam.auth.nodes.webauthn.trustanchor.TrustAnchorValidator is missing a @Nullable annotation

  • OPENAM-17979: Backchannel authentication - auth_req_id can be used to obtain multiple access tokens

  • OPENAM-17962: LDAP Decision Node does not put updated password in transient state

  • OPENAM-17954: Accept-Language header locale ignored on OAuth2 Consent page

  • OPENAM-17935: Missing 'return' statement in the happy flow of the kerberos node

  • OPENAM-17923: Retry Limit Decision Should Not Have User Involvement when Save Retry Limit to User is Disabled

  • OPENAM-17916: When no session exists logout page redirects to login

  • OPENAM-17912: Account lockout count is not reset correctly

  • OPENAM-17896: ForgottenPassword Reset on multiple cluster not working when reset link clicked

  • OPENAM-17870: ScriptedDecisionNodes schema config not upgraded and sharedState does work after upgrade.

  • OPENAM-17863: Authorization code is not issued when nonce is not supplied when using OpenID Hybrid profile

  • OPENAM-17828: Apostrophe in username breaks Push/OATH device registration

  • OPENAM-17826: Introspect endpoint returns a static value for "expires_in" when using client based tokens

  • OPENAM-17814: Auth Tree step-up fails if username case does not match

  • OPENAM-17801: OIDC userinfo subname claim returns incorrect value

  • OPENAM-17793: OIDC pairwise subject not working when multiple redirect URIs configured with the same hostname

  • OPENAM-17782: Policy evaluation fails with 400 error when user does not exist

  • OPENAM-17774: Missing exp claim throws NullPointerException on CIBA bc-authorize endpoint

  • OPENAM-17773: The acr_values parameter is mandatory on CIBA bc-authorize endpoint

  • OPENAM-17760: PEM support incorrectly decodes some EC private keys

  • OPENAM-17738: Java Agent "Client IP Validation Mode" property does not work when key is empty from XUI

  • OPENAM-17718: OAuth2 Introspection endpoint does not accept Accept header with extra accept extension param (like weight q=0.8) or charset

  • OPENAM-17678: Radius server fails to initialize on startup due to Config cache refreshed

  • OPENAM-17677: The oauth2/device/code endpoint does not support locale parameter

  • OPENAM-17663: Improve the error response code for "Failed to revoke access token"

  • OPENAM-17630: JMS Audit logging broken and cannot start up

  • OPENAM-17610: OTP Email Sender node does not allow you to specify connect timeout and IO/read timeout for underlying transport

  • OPENAM-17590: OIDC login hint cookie broken since 7.0

  • OPENAM-17587: OIDC bearer token authentication module requires context value setting for client secret

  • OPENAM-17493: OAuth2 node does not support external proxy authentication (user/pass)

  • OPENAM-17405: Token introspection response not spec compliant

  • OPENAM-17320: Revisit prompt=login behaviour change that keeps existing session

  • OPENAM-17265: Wrong authorized_keys file updated

  • OPENAM-17262: Subname claim inconsistencies

  • OPENAM-16988: The accessedEndpoint including port causes verify Assertion Consumer URL to fail

  • OPENAM-16881: SAML federation library stopped supporting ACS URLs with query parameters

  • OPENAM-16653: Identity using fr-idm-uuid has wrong account ID in FR Authenticator

  • OPENAM-16642: Server id creation can fail when id is greater than 100

  • OPENAM-16554: Misplaced bufferingEnabled checkbox in New Syslog configuration

  • OPENAM-16491: SAML Update introduces javascript calls that aren’t available in IE8 and below (or IE11 using Enterprise mode)

  • OPENAM-16418: Client auth using private_key_jwt fails with 500 if claim format is wrong

  • OPENAM-16216: Get Session Data node improvements

  • OPENAM-15861: NullPointerException in CollectionHelper.getServerMapAttrs

  • OPENAM-15740: Document _fields is case sensitive

  • OPENAM-15278: "Access Denied" error when accessing logout link and not currently signed in

  • OPENAM-13855: CTS creates too many connections to DS

  • OPENAM-13312: Stateless non-expiring refresh tokens fail with "invalid_grant"

  • OPENAM-11636: IdP-Proxy - proxyidpfinder.jsp is not triggered when 'Use IDP Finder' is enabled for remote SP entity

AM 7.1
  • OPENAM-17396: Terms of Service URI Link does not Display in Consent Page

  • OPENAM-17395: SocialOpenIdConnectNode fails to recover from client’s connection reset

  • OPENAM-17365: Checking agent type with caller token can cause deadlock

  • OPENAM-17364: Prompt login / session upgrade / OIDC ACR looping with trees

  • OPENAM-17361: API Explorer Swagger Template body needs to be modified to include configExport, debugLogs and threadDump as per the API Documentation

  • OPENAM-17357: Remote Consent Service RCS does follow RCS consented scope when authorization endpoint accessed without any scope

  • OPENAM-17353: HTML pages are not picked up when placing in a theme folder

  • OPENAM-17349: OIDC Refresh token - Ops token is deleted from the CTS during refresh

  • OPENAM-17343: Access token call returns 500 error if password needs to be changed or has expired

  • OPENAM-17322: SAML2 bearer grant returns NoUserExistsException

  • OPENAM-17317: A realm without any modules can cause increased thread count and slow response

  • OPENAM-17276: AM recorder does not record anymore

  • OPENAM-17271: Typo for Realm in SAML/Federation debug

  • OPENAM-17260: Allow arg=newsession usage in authorize calls

  • OPENAM-17242: OAuth2 Policy - Environment Condition AuthLevel >= doesn’t work for ROPC grant

  • OPENAM-17220: OAuthLogout.jsp compilation error isGotoUrlValid method signature not found

  • OPENAM-17199: Insufficient debug logging for 'DJLDAPv3Repo.getAssignedServices'

  • OPENAM-17156: Adaptive Risk checkGeoLocation null countryCode can cause the module to fail

  • OPENAM-17136: OAuth2 Dynamic Client Registration does not recognise spec-defined parameters

  • OPENAM-17121: Inefficient synchronized block in OAuth2ProviderSettingsFactory

  • OPENAM-17114: Save Consent check box always shown, even when not configured

  • OPENAM-17097: Inconsistent scope policy evaluation between authorize and ROPC

  • OPENAM-17089: Forgot password functionality broken

  • OPENAM-17070: SAML2 SP-initiated SSO with AM as IdP proxy: RelayState is not returned from proxy after IdP authentication

  • OPENAM-17060: Audit Logging "Resolve host name" is still available after OPENAM-7849

  • OPENAM-17037: AM Upgrade from 6.0.0.7 to 7.0.0 causing NPE

  • OPENAM-17034: In a realm, if User Profile is set to Ignored, the realm-level Session Service quota settings are also ignored and only the Session Service setting at top level/global is evaluated

  • OPENAM-17017: REST STS fails with 'unable to get sub-schema' if cache is refreshed while updating REST config

  • OPENAM-17006: Hosted SAML entity - cannot remove bindings

  • OPENAM-16998: Poor logging around failures "Invalid Assertion Consumer Location specified"

  • OPENAM-16997: Device code grant implied consent fails if access_token request performed before user authenticates

  • OPENAM-16988: Accessed endpoint including port causes verify Assertion Consumer URL to fail

  • OPENAM-16955: When setCookieToAllDomains=false is used, a non-matching request from another domain will fail

  • OPENAM-16947: Kerberos Node in 7.0 fails to return goTo(false)

  • OPENAM-16944: LDAP Decision node fails if inetuserstatus does not exist

  • OPENAM-16936: Tree nodes create a new keystore object each time the node is called

  • OPENAM-16935: Logout issue after logging into AM with 'Remember my username' selected with iOS 14.0.1

  • OPENAM-16934: sm.getSchemaManager has a typo including a comma

  • OPENAM-16926: Success URL node doesn’t work with SAML Node for Idpinit when not using Integrated mode

  • OPENAM-16910: Cannot create SAML entity with entity id including a semicolon ';'

  • OPENAM-16907: Kerberos Node in 7.0 does not work

  • OPENAM-16904: OIDC bearer module fails with NPE when id_token does not contain kid

  • OPENAM-16883: AM ignores AuthnRequestsSigned property during SSO

  • OPENAM-16876: Default ACR values on OIDC client profile are not honoured in order of preference

  • OPENAM-16866: AM should fail gracefully if id_token fails to generate when swapping refresh token

  • OPENAM-16849: WeChat Social Auth module broken (regression)

  • OPENAM-16848: Choice Collector and WDSSO node combination does not work if whitelisting is enabled

  • OPENAM-16847: AM email service failing with 'Start TLS' option

  • OPENAM-16838: AuthenticationApproachChecker does not handle session upgrade modules

  • OPENAM-16823: IDM nodes do not send or propagate transactionId tracking when contacting IDM

  • OPENAM-16807: The dynamic values for request_uri stored in client config do not expire and are not automatically removed

  • OPENAM-16801: SAML2 SP init SSO fails after upgrade to 7.0.0

  • OPENAM-16784: Upgrade to 7 fails with NullPointerException in Saml2EntitySecretsStep

  • OPENAM-16769: Enabling Auto-federation when User Profile is Dynamic on SP causes SP to hang during SAML flow

  • OPENAM-16758: Cannot install AM 7 on Windows

  • OPENAM-16745: client_id in access token ignores what’s been registered when idm cache is disabled

  • OPENAM-16726: Insufficient debug logging for OAuth2 error 'invalid_client Server does not support this client’s subject type'

  • OPENAM-16703: OAuth2 Access token obtained from refresh token is certificate-bound regardless of "Certificate-Bound Access Tokens" configuration (when client_secret_basic used for credentials)

  • OPENAM-16701: The authorize endpoint with a service parameter will cause the parameter to appear as a PAP claim in the agent’s ID token

  • OPENAM-16684: OIDC Dynamic Registration client_description cannot take String type

  • OPENAM-16669: IdentityGateway Agent entry missing attribute required to support org.forgerock.openam.agent.TokenRestrictionResolver#getAgentInfo

  • OPENAM-16617: SuccessURL session property is set to gotoURL in authentication tree

  • OPENAM-16608: AM with embedded DS setup fails with permission denied for truststore

  • OPENAM-16583: Crucial information is missing when encountering LDAP connection issues

  • OPENAM-16556: Radius Server does not log IP address into AM Audit logs

  • OPENAM-16555: Audit logging does not tell which policy allowed or denied a resource request

  • OPENAM-16540: Issues with Social Login URLs when navigating quickly between providers

  • OPENAM-16535: "JWKs URI content cache miss cache time" is not triggered when "kid" is missing from cached JWK Set

  • OPENAM-16515: Social auth - insufficient debug logging for troubleshooting

  • OPENAM-16485: 'Failed Login URL' is not picked up from the auth chain

  • OPENAM-16472: Proxied Authentication fallback may not work when user entry lacks some attributes

  • OPENAM-16450: 501 when default resource version set to "oldest" and Accept-API-Version header set

  • OPENAM-16418: private_key_jwt client auth fails with 500 if claim format is wrong

  • OPENAM-16368: Settings of Mail and Scripting global service properties are overwritten at upgrade

  • OPENAM-16367: OIDC request_uri response causes NPE while debug logging

  • OPENAM-16354: Concurrency bug in OAuth2ProviderSettingsFactory

  • OPENAM-16338: Failing REQUISITE module after SUFFICIENT Device Match doesn’t fail chain properly

  • OPENAM-16157: Session Property Whitelist Service allows case variant Property Names but DS is not case sensitive

  • OPENAM-16152: After upgrade, new Identity page has duplicate 'new identity' field and email address does not save

  • OPENAM-16006: Device Code Grant does not work with Implied Consent as Authorization is not approved even after consented

  • OPENAM-15963: Historical retention files (csv) were not deleted

  • OPENAM-15948: Update DS profiles to add VLV indexes for CTS use

  • OPENAM-15743: Excessive CTS logging when Reaper is disabled (com.sun.am.ldap.connnection.idle.seconds=0)

  • OPENAM-15671: LoginContext is missing debug logging for troubleshooting

  • OPENAM-15663: UserInfoClaims is not part of public API

  • OPENAM-14898: OTP Email Sender Authentication Node fails if no SMTP authentication credentials are specified

  • OPENAM-14682: Microsoft Social Auth fails when creating a Microsoft account (Legacy OAuth2)

  • OPENAM-14527: Microsoft Social Auth does not work with latest MS endpoints (Legacy OAuth2)

  • OPENAM-12503: SizeBasedRotationPolicy does not delete oldest file

AM 7.0.x

AM 7.0.2
  • OPENAM-17689: LDAPv3PersistentSearch should log when psearch connection is lost

  • OPENAM-17688: InMemoryCtsSessionCacheStep#cacheTrusted field should be marked volatile

  • OPENAM-17683: Selfservice user registration auto login fails for a sub-realm

  • OPENAM-17673: Nodes within a Page node do not have access to secure state

  • OPENAM-17672: Page Node does not expose inner nodes inputs or outputs

  • OPENAM-17630: JMS Audit logging broken and cannot start up

  • OPENAM-17591: Session quota destroy next expiring action can fail when two new sessions attempt to read and update the same expiring session

  • OPENAM-17587: OIDC bearer token authentication module requires context value setting for client secret

  • OPENAM-17570: OIDC request parameter decryption fails to find any applicable keys

  • OPENAM-17555: AM 7.x versions of Amster use Java 8 format of debug port

  • OPENAM-17517: JS versions of Social Identity Provider Profile Transformation scripts do not work due to a casting error

  • OPENAM-17515: Sub attribute in access token can be in wrong casing

  • OPENAM-17483: SecretsPlugin upgrade from 6.5.x failing

  • OPENAM-17477: Thread-safety issue in AMAuthenticationManager

  • OPENAM-17436: JS version of the OIDC Claims script does not work due to a casting error.

  • OPENAM-17405: Token introspection response not spec compliant

  • OPENAM-17397: ssoadm can fail for some cloud-based setups due to FileBasedConfiguration check

  • OPENAM-17365: Checking agent type with caller token can cause deadlock

  • OPENAM-17364: prompt login / session upgrade / OIDC ACR looping with trees

  • OPENAM-17361: API Explorer Swagger Template body needs to be modified to include configExport, debugLogs and threadDump as per the API Documentation

  • OPENAM-17357: Remote Consent Service RCS does follow RCS consented scope when authorization endpoint accessed without any scope

  • OPENAM-17349: OIDC Refresh token - Ops token is deleted from the CTS during refresh

  • OPENAM-17337: Access token passed in request body results in failure

  • OPENAM-17324: Client credentials grant in FBC config with group inheritance causes User not Valid Error

  • OPENAM-17322: SAML2 bearer grant returns NoUserExistsException

  • OPENAM-17321: Prometheus Endpoint returns http 500 error when used with file based config

  • OPENAM-17317: A realm without any modules can cause increased thread count and slow response.

  • OPENAM-17310: 'ssoadm list-datastore-types' sub-command broken

  • OPENAM-17277: AM Recording with thread dump only shows depth of 8

  • OPENAM-17276: AM recorder does not record anymore

  • OPENAM-17274: AM should not change the supported subject types for an existing install

  • OPENAM-17271: Typo for Realm in SAML/Federation debug

  • OPENAM-17265: Wrong authorized_keys file updated

  • OPENAM-17242: OAuth2 Policy - Environment Condition AuthLevel >= doesn’t work for ROPC grant

  • OPENAM-17220: OAuthLogout.jsp compilation error isGotoUrlValid method signature not found

  • OPENAM-17199: Insufficient debug logging for 'DJLDAPv3Repo.getAssignedServices'

  • OPENAM-17175: XUI OAuth2 consent page does not render when using themes

  • OPENAM-17157: Password reset via admin console with Proxied Authorization enabled is not possible

  • OPENAM-17156: Adaptive Risk checkGeoLocation null countryCode can cause the module to fail.

  • OPENAM-17121: Inefficient synchronized block in OAuth2ProviderSettingsFactory

  • OPENAM-17117: Service config XML dump consumes a lot of memory (whole config is read to memory)

  • OPENAM-17114: Save Consent check box always shown, even when not configured

  • OPENAM-17102: OAuth2 client bearer authentication has insufficient logs for troubleshooting failing client authentication

  • OPENAM-17097: Inconsistent scope policy evaluation between authorize and ROPC

  • OPENAM-17089: Forgot password flow not working after initial attempt to reset password fails

  • OPENAM-17081: OAuth2 client agent group settings are not taken into account

  • OPENAM-17079: Identities and Session: unexpected error returned when requesting a nonexistent identity

  • OPENAM-17070: SAML2 SP-initiated SSO with AM as IdP proxy: RelayState is not returned from the proxy after IdP authentication

  • OPENAM-17066: Unable to add server to existing deployment through UI

  • OPENAM-17042: User Self Registration REST API does not generate SSO token

  • OPENAM-17019: Allowing wildcards in OAuth 2.0 clients prevents exact matching from working

  • OPENAM-17017: REST STS fails with "unable to get sub-schema" if cache is refreshed while updating REST config

  • OPENAM-16998: Poor logging around failures "Invalid Assertion Consumer Location specified"

  • OPENAM-16997: Device code grant implied consent fails if access_token request performed before user authenticates

  • OPENAM-16955: When setCookieToAllDomains=false is used, a non-matching request from another domain will fail

  • OPENAM-16944: LDAP Decision node fails if inetuserstatus does not exist

  • OPENAM-16932: PageNode does not pick up outcomes if ScriptedDecisionNode is used inside

  • OPENAM-16910: Can not create SAML entity with entity id including a semicolon ';'

  • OPENAM-16904: OIDC bearer module fails with NPE when id_token does not contain kid

  • OPENAM-16883: AM ignores AuthnRequestsSigned property during SSO

  • OPENAM-16881: SAML federation library stopped supporting ACS URLs with query parameters

  • OPENAM-16876: Default ACR values on OIDC client profile is not honoured in order of preference

  • OPENAM-16849: WeChat Social Auth module broken (regression)

  • OPENAM-16801: SAML2 SP init SSO fails after upgrade to 7.0.0

  • OPENAM-16726: Insufficient debug logging for OAuth2 error 'invalid_client Server does not support this client’s subject type'

  • OPENAM-16651: Default configuration fails if the trust store type JVM property is not defined for the JVM

  • OPENAM-16638: AM with embedded DS setup fails when Java system keystore properties is set

  • OPENAM-16608: AM with embedded DS setup fails with permission denied for truststore

  • OPENAM-16581: SAML Authentication Module on hosted SP gets SAML No authentication context error

  • OPENAM-16556: RADIUS Server does not log IP address into AM Audit logs

  • OPENAM-16515: Social auth - insufficient debug logging for troubleshooting

  • OPENAM-16472: Proxied Authentication fallback may not work when the user entry lacks some attributes

  • OPENAM-16364: Macaroon access tokens don’t work with the new any-realm token introspection

  • OPENAM-16262: Javadocs for IdUtils needs updating

  • OPENAM-15963: Historical retention files (csv) were not deleted

  • OPENAM-15214: Auth Tree - Clicking save with no changes causes render problem with node attributes inside page node

  • OPENAM-14240: FMSigProvider.verify does not tell if certificates are provided

  • OPENAM-13783: REST STS: Cannot add or modify nameID format in SAML config, and default value stated in help is incorrect

  • OPENAM-13575: Unhelpful log message when OIDC public client wants to use HMAC id token signing

AM 7.0.1
  • OPENAM-16935: Logout issue after logging into AM with 'Remember my username' selected with iOS 14.0.1

  • OPENAM-16934: sm.getSchemaManager has a typo including a comma

  • OPENAM-16907: Kerberos Node in 7.0 does not work

  • OPENAM-16877: Error when creating AM "Self-service Trees" service in native admin ui

  • OPENAM-16848: Choice Collector and WDSSO node combination does not work if whitelisting is enabled

  • OPENAM-16847: AM email service failing with 'Start TLS' option

  • OPENAM-16838: AuthenticationApproachChecker does not handle session upgrade modules

  • OPENAM-16823: IDM Nodes does not send or propagate transactionId tracking when contacting IDM

  • OPENAM-16802: Upgrade from OpenAM 7.0 to 7.1.0 SNAPSHOT causes NPE

  • OPENAM-16794: Google KMS options missing after upgrade from 6.5

  • OPENAM-16791: AMAccessAuditEventBuilder#forRequest can generate an entry with :-1 for the port

  • OPENAM-16769: Enabling Auto-federation when User Profile is Dynamic on SP causes SP to hang during SAML flow

  • OPENAM-16759: Amster on windows : AM does not restart properly after setup

  • OPENAM-16758: Cannot install AM 7 on Windows

  • OPENAM-16745: client_id in access token ignores what’s been registered when idm cache is disabled

  • OPENAM-16703: OAuth2 Access token obtained from refresh token is certificate-bound regardless of "Certificate-Bound Access Tokens" configuration (when client_secret_basic used for credentials)

  • OPENAM-16702: Saving engine configuration in FBC mode makes that config non-readable

  • OPENAM-16701: The authorize endpoint with a service parameter will cause the parameter to appear as a PAP claim in the agent’s ID token

  • OPENAM-16697: Case mismatch for realm (when using legacy realm identifier format) on well-known endpoint results in issuer with incorrect path format

  • OPENAM-16686: Cannot create a User after upgrade from 6.5.2 to 7.0.1

  • OPENAM-16684: OIDC Dynamic Registration client_description cannot take String type

  • OPENAM-16669: IdentityGateway Agent entry missing attribute required to support org.forgerock.openam.agent.TokenRestrictionResolver#getAgentInfo

  • OPENAM-16650: Authz Policy Subjects Policy.title is showing property name text

  • OPENAM-16641: OAuth2 provider supported grant types attribute missing localization property on XUI

  • OPENAM-16606: Missing "org.forgerock.openam.saml2.authenticatorlookup.skewAllowance" property in server defaults

  • OPENAM-16594: ssoadm help should be updated to reflect changes in AME-18650 / OPENAM-16155

  • OPENAM-16583: Crucial information is missing when encountering LDAP connections issue.

  • OPENAM-16555: (audit) logging does not tell which policy allowed or denied a resource request

  • OPENAM-16551: Scalar String in OAuth2 Access Token Modification Script result in Unable to Obtain Access Token

  • OPENAM-16545: Upgrade to AM 7.0.0 can cause problems with properties being overridden for some web agents

  • OPENAM-16485: 'Failed Login URL' is not picked up from the auth chain

  • OPENAM-16483: XUI - Typo in SAML SP "Default Relay State Url" label

  • OPENAM-16368: Settings of Mail and Scripting global service properties are overwritten at upgrade

  • OPENAM-16367: OIDC request_uri response causes NPE while debug logging

  • OPENAM-16354: Concurrency bug in OAuth2ProviderSettingsFactory

  • OPENAM-16338: Failing REQUISITE module after SUFFICIENT Device Match doesn’t fail chain properly

  • OPENAM-16157: Session Property Whitelist Service allows case variant Property Names but DS is not case sensitive

  • OPENAM-16152: After upgrade, new Identity page has duplicate 'new identity' field and email address does not save

  • OPENAM-16006: Device Code Grant does not work with Implied Consent as Authorization is not approved even after consented

  • OPENAM-15671: LoginContext is missing debug logging for troubleshooting

  • OPENAM-15663: UserInfoClaims is not part of public API

  • OPENAM-14682: Microsoft Social Auth fails when creating a Microsoft account (Legacy OAuth2)

  • OPENAM-14527: Microsoft Social Auth does not work with latest MS endpoints (Legacy OAuth2)

  • OPENAM-11706: Policies in a policy set are not visible in Internet Explorer (IE)

AM 7.0
  • OPENAM-16433: Audit Logging change of behaviour when capturing "principals" and "userid" data for each authentication entry.

  • OPENAM-16425: AM does not handle malformed/incorrect signature correctly

  • OPENAM-16402: The passwordpolicy.allowDiagnosticMessage should be applicable to admin and selfservice password change.

  • OPENAM-16379: URL fragments like # cause forbidden login in the XUI

  • OPENAM-16284: XUI does not handle Special Chars / UTF-8 in realms properly.

  • OPENAM-16279: AgentsRepo cannot recover when it fails especially on external Application store.

  • OPENAM-16251: OIDC authentication request with parameters 'prompt=none' and 'acr_values=' triggers authentication

  • OPENAM-16240: REST STS under subrealm cannot generate id_token with realm claim

  • OPENAM-16233: Policy evaluation fails when subject not found (even in ignore profile)

  • OPENAM-16214: Push Authentication Module does not work on Session Upgrade when User Cache disabled

  • OPENAM-16184: Zero Page Login Collector does not work with UTF-8 base 64 encoded usernames and passwords

  • OPENAM-16165: social authmodule causes NullPointerException

  • OPENAM-16164: social authmodule fails if OIDC provider uses algorithm RS256 to sign Id Token

  • OPENAM-16136: queryFilter only matches against first entry in array

  • OPENAM-16132: When TtlSupport is enabled, Stateless OAuth2 Refresh token and JWT whitelist fails on synchroniseExpiryDates

  • OPENAM-16032: Unable to delete devices with Recovery Code Collector Decision Node

  • OPENAM-16031: Intermittent error message when concurrent obtain SSO Token ID with session quota constraints

  • OPENAM-16014: An invalid user passed to any WebAuthn node throws NPE and breaks the Tree flow

  • OPENAM-16013: Mismatched kid from Json Web Key URI when Specified Encryption Algorithm

  • OPENAM-16009: Windows Desktop SSO node full adoption and compliance with tree node specifications

  • OPENAM-15989: OAuth2 client_id should be url-decoded when using basic auth

  • OPENAM-15982: OIDC - JWT Request Parameter returns errors in query, not in the fragment when consent is denied

  • OPENAM-15970: Access Token introspect Fails in subrealm after root realm modified

  • OPENAM-15944: WS-Federation - RPSignin Request fails because config data is used unchecked

  • OPENAM-15905: Login failure with Post Authentication Plugin on timed out Authentication session throws NullPointerException

  • OPENAM-15900: Kerberos fails when used with IBM JDK

  • OPENAM-15896: WS-Federation relying party initiated passive request - stuck at Account Realm selection

  • OPENAM-15881: Custom AM User (amUser.xml) field does not use default values from the schema

  • OPENAM-15858: Auth Tree fails before 'Max Authentication Time' is reached if authentication session state management scheme CTS is used

  • OPENAM-15853: External UMA store fails on resource creation

  • OPENAM-15805: idtokeninfo endpoint gives invalid signature error when ID Token is expired

  • OPENAM-15785: OIDC spec violation - HTTP POST can not be used to send Authentication Request

  • OPENAM-15784: Form elements in policy environment condition tab are displayed twice

  • OPENAM-15766: LoginState - account lockout is checked although AM AccountLockout is disabled

  • OPENAM-15758: KeyStore Secret Store fails to start due to secretId having some characters.

  • OPENAM-15750: ERROR: OAuth2Monitor: Unable to increment "oauth2.grant" metric for unknown grant type BACK_CHANNEL

  • OPENAM-15724: SAML2 entities do not set amlbcookie if there is only one server

  • OPENAM-15713: AM SP silently drops the 80-character RelayState for HTTP Redirect

  • OPENAM-15698: IdP-initiated SSO fails with error 'Error processing AuthnRequest. IDP Session is NULL'

  • OPENAM-15697: Default ACR values from OAuth2 provider not taken into account

  • OPENAM-15694: RestSTSServiceHttpRouteProvider causes memory leak by adding route for every access

  • OPENAM-15679: The option "com.sun.am.ldap.connnection.idle.seconds" has a misspelling

  • OPENAM-15670: DeviceIdSave auth module initialization fails if username is null

  • OPENAM-15667: AM debug log does not tell which auth-module was handled - needed for troubleshooting

  • OPENAM-15645: The &refresh=true|false parameter for _action=validate is not working as expected

  • OPENAM-15632: OAuth2 Refresh token lifetime with -1 (never expires) cannot work with CTS TTL support

  • OPENAM-15628: Grant-Set Storage Scheme for CTS does not work with CIBA Flow

  • OPENAM-15627: Switching CTS Storage Scheme to "Grant-set" fails with stateless refresh-tokens created with "One-To-One"

  • OPENAM-15579: AM cookies are not set after successful SP-initiated SSO flow if SP Adapter calls 'response.sendRedirect(String)'

  • OPENAM-15559: OATH module broken in Japanese locale

  • OPENAM-15533: WS-Federation doesn’t work with Authentication Trees

  • OPENAM-15530: OAuth2/OIDC - Resource Owner Password flow with a public client creates an AM session in CTS

  • OPENAM-15520: XUI Localisation Falls Back To AM-Default "EN" Instead Of Language-Default

  • OPENAM-15508: moduleMessageEnabledInPasswordGrant does not apply to Trees

  • OPENAM-15507: 500 error when calling /revoke or /refresh endpoint with wrong token

  • OPENAM-15501: Xml encryption 1.1 namespaces aren’t always mapped to prefixes correctly

  • OPENAM-15494: AM expects nonce request parameter in authorize request when no id_token will be returned

  • OPENAM-15491: Self service password reset returns 500 Internal Server Error, when new password rejected by datastore password policies.

  • OPENAM-15489: WebAuthN Auth Node Doesn’t Respect UV=Discouraged During AuthN

  • OPENAM-15465: Sending HTTP Callback from Inner Tree Evaluator Fails Authentication

  • OPENAM-15459: When Encrypted Attributes on SP is set only with AutoFederation enabled, the attributes get decryption error

  • OPENAM-15425: OIDC endsession - encrypted id_tokens are not supported

  • OPENAM-15374: OpenID Client authentication with private_key_jwt and client_secret_jwt does not enforce required jti claims

  • OPENAM-15355: PageNode with multiple InputNodes without value throws Unsupported InputOnlyPasswordCallback

  • OPENAM-15349: Access Token request returns a 500 error

  • OPENAM-15345: at_hash value generated does not take the latest modified access token

  • OPENAM-15323: ROPC with tree throws "Internal Server Error (500)" when user credentials are incorrect using AuthTree

  • OPENAM-15307: Trees Example is not working as expected OOTB to ?service=Example

  • OPENAM-15303: Claims with multiple values in issued_token from REST STS represented inconsistently.

  • OPENAM-15244: AM configuration does not perform schema extension for identity store although it has the permissions

  • OPENAM-15210: Authentication nodes that are assigned AuthType values may not work in the Session Upgrade case with custom modules

  • OPENAM-15164: CDSSO with "ignore profile" throws "No OpenID Connect provider"

  • OPENAM-15160: LDAP Decision Node throws NPE when custom ldap server returns LDAP code 50 on bind

  • OPENAM-15150: Upgrade fails when there is a bad Token Signing ECDSA public/private key pair alias field

  • OPENAM-15147: HTTP 500 upon accessing openam/json/

  • OPENAM-15145: OpenAM Scope Validator calls getUserInfo twice when creating IdToken

  • OPENAM-15121: Persistent Cookie Auth Tree does not work after the second relogin ( with browser closed )

  • OPENAM-15117: KeyVault KeyStoreType not supported

  • OPENAM-15116: Auth ID jwt can be modified to determine whether a realm exists or not

  • OPENAM-15105: Unable to get trusted devices using REST API

  • OPENAM-15101: Remove the ability to disable XUI

  • OPENAM-15089: SAML SLO - Allow RelayState to be a path-relative URL

  • OPENAM-15076: webAuthn config does not allow for multiple origins under the same rpId

  • OPENAM-15044: OpenID connect id_token bearer Module Unable to obtain SSO Token due to OpenIDResolver Caching

  • OPENAM-15036: Cannot view/manage SAML IdP entity in console, imported from schema compliant meta data file

  • OPENAM-15028: Cannot load metadata in ssoadm without extended metadata

  • OPENAM-15012: OIDC - JWT Request Parameter returns errors in query, not in the fragment

  • OPENAM-14995: IdP Initiated single logout only performs local logout if IdP session cannot be found in cache

  • OPENAM-14991: Changes to boot.json are overwritten

  • OPENAM-14979: NPE in UtilProxySAMLAuthenticatorLookup if there is a failure to find cached oldSession in sessionUpgrade

  • OPENAM-14977: PKCE Code challenge method for Authorization Code if not set should use plain

  • OPENAM-14966: Performing access_token with arbitrary text as trusted cert header causes server error

  • OPENAM-14919: Unnecessary 'Unable to parse packet received from RADIUS client' log entries in log file

  • OPENAM-14901: XUI - SAML2 module doesn’t redirect to IDP if it’s 2nd in the chain

  • OPENAM-14895: user identity creation fails with "Identity *" of type user not found.

  • OPENAM-14893: XUI displays multiple error messages when an authentication session times out

  • OPENAM-14889: Upgrade of Persistent Cookie auth module fails

  • OPENAM-14883: OAuth2/OIDC - Issuing client secret to Public clients during registration

  • OPENAM-14881: AM Proxied authorization feature on DataStore does not work with locked or expired DJ accounts for password change (gives errorcode=123)

  • OPENAM-14867: AuthType is not set for Authentication Tree (AnyKnownUserAuthzModule fails in AuthTree)

  • OPENAM-14859: ROPC throws "Internal Server Error (500)" when 'Password Grant authentication service' is empty

  • OPENAM-14858: When NameIDPolicy does not contain Format=.., remoteEntityID is passed as null

  • OPENAM-14848: Insufficient debug logging in OpenID Connect authentication module

  • OPENAM-14845: user info endpoint does not correctly handle Certificate Bound Access Tokens

  • OPENAM-14829: AuthSchemeCondition doesn’t return realm aware policy condition advice

  • OPENAM-14825: OAuth2 Dynamic Registration with Software Statement triggers objectClass=* search

  • OPENAM-14804: Memory leak when running UMA RPT soak test

  • OPENAM-14799: Unable to update Agent profile using REST

  • OPENAM-14794: User privileges are removed from group if another group is given same privilege

  • OPENAM-14786: idpSingleLogoutPOST throws error 500 IllegalStateException on SLO

  • OPENAM-14783: PKCS11 KeyStore does not work on IBM JVM

  • OPENAM-14782: AuthTree created Session does not use per User Session Service settings

  • OPENAM-14766: introspect and tokeninfo endpoints return Internal Server Error 500 in some invalid tokens

  • OPENAM-14717: mailto attribute has a space between ':' and the mail address

  • OPENAM-14694: Consent page still shows claim values even when supported claim description is omitted

  • OPENAM-14651: OAuth2 GrantSet E-Tag Assertion Failures due to Stale Reads

  • OPENAM-14581: handling ManageNameID fails if NameID does not include SPNameQualifier

  • OPENAM-14578: WDSSO failing but no fallback

  • OPENAM-14573: amlbcookie is not secure when authenticating with trees

  • OPENAM-14572: prompt=login destroys and creates new session

  • OPENAM-14570: OAuth mTLS DN comparison fails when DER-encoding is different

  • OPENAM-14548: consent page still shows what’s been granted/removed as a result of OAuth2 scope policy evaluation

  • OPENAM-14546: SSOADM access not audited to the ssoadm.access logs anymore

  • OPENAM-14539: SAML SLO with multi protocols

  • OPENAM-14529: UMA RPT expiry time incorrect in CTS

  • OPENAM-14523: NullPointerException in IdP-initiated ManageNameIDRequest using SOAP Binding

  • OPENAM-14503: SAML2 - Key Transport Algorithm - RSA OAEP must be supported

  • OPENAM-14483: If there is no token, then landing on the AM login page will result in 2 getSessionInfo Requests = 401 UnAuthZ

  • OPENAM-14480: AuthLoginException is lost

  • OPENAM-14471: Failed to create root realm for data store (External Policy | Application)

  • OPENAM-14465: SAML2 Artifact binding fails on multi-instance / multiserver IDP setup with SAML2 Failover on

  • OPENAM-14464: XUI sends the following message "Loading custom partial "${partialPath}" failed. Falling back to default." to the browser console when a custom theme is used

  • OPENAM-14450: userinfo typo in Claims.java

  • OPENAM-14426: Unable to add external data store in AM (Policy | Application) when using TLS/SSL

  • OPENAM-14419: Policy evaluation returns search results for all policies that match outside of specified application

  • OPENAM-14393: CTS operation fails with "Entry Already Exists" logged after SAML2 authentication is done

  • OPENAM-14391: Self Service Link not Displayed when Using Authentication Tree

  • OPENAM-14378: 'Set Persistent Cookie' node sets domain cookies in only one domain despite multiple Cookie Domains set

  • OPENAM-14369: Upgrading from OpenAM 13.5.0 with custom PAPs causes NPE failure

  • OPENAM-14362: UMA load test fails with Invalid resource type error

  • OPENAM-14353: Error Message not Displayed when Change Password does not Meet Password Policy

  • OPENAM-14337: Fail gracefully when request OIDC token using "Pairwise" Subject Type and no Redirection URI is configured in client

  • OPENAM-14313: Audit Logging - STS transformations create duplicate entries

  • OPENAM-14310: CheckSession page indicates the session is not valid

  • OPENAM-14294: am-external Git repository 6.5 has bad source

  • OPENAM-14281: IdP Proxy relays wrong AuthnContextClassRef

  • OPENAM-14239: FMSigProvider.verify NPE with null input for certificates

  • OPENAM-14233: updated_at claim in the ID Token is returned as a string and not a number

  • OPENAM-14232: Performance issue when creating resource_set in UMA with many existing resource_set

  • OPENAM-14229: custom AuthorizeTemplate under theme not used

  • OPENAM-14213: Cannot view SAML SP entity imported with missing AuthnRequestsSigned attribute

  • OPENAM-14212: SAML redirect to login page fails if AM installed into the root context

  • OPENAM-14200: Social auth modules do not work when AM is installed into the root context

  • OPENAM-14189: effectiveRange of Time environment condition has an issue

  • OPENAM-14175: CTS updates on multivalue attributes may throw Duplicate values exception

  • OPENAM-14174: AM shows Ldapter.delete exception when session expiry is triggered

  • OPENAM-14167: HTML tags are shown as part of the messages in the Change Password section of the AD Authentication module.

  • OPENAM-14147: arg=newsession in XUI just shows the "Loading…" page

  • OPENAM-14115: Sample Auth module does not work in a chain when used with Shared-state

  • OPENAM-14112: Using client-based sessions when acting as SP can lead to an out-of-date client-based session cookie

  • OPENAM-14111: Refresh Token flow not enabled on OAuth2 Client can still use Refresh Token flow

  • OPENAM-14062: Redirect to Failure URL does not occur when authentication tree is not interactive

  • OPENAM-14054: XUI Custom templates and Partials not applied consistently

  • OPENAM-14053: Cannot build AM UI in Windows for Yarn using mvn

  • OPENAM-14040: LdifUtils debug logging prints out wrong classname

  • OPENAM-14018: Radius Authentication Module Primary and Secondary Radius Server help button shows server:port when it should be server

  • OPENAM-13999: Custom node containing ConfirmationCallbacks fails when dropped in a page node.

  • OPENAM-13991: 'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm

  • OPENAM-13978: Session Upgrade - AuthLevel format changes

  • OPENAM-13942: SAML2 Circle of Trust - REST Update doesn’t update the metadata of the provider

  • OPENAM-13934: saml2error.jsp fails with exception when malformed SAML2 response given

  • OPENAM-13900: OAuth2 Device flow - duplicate user_code error after authenticating user

  • OPENAM-13892: Erroneous "Response's InResponseTo attribute is not valid" error ("SAML2 failover is enabled") when it is not

  • OPENAM-13890: Install.log logs AMLDAPUSERPASSWD for unprivileged demo user in plaintext

  • OPENAM-13851: Rest STS cannot be created in the Console when upgrading to 6

  • OPENAM-13831: RP-Initiated Logout does not handle state parameter

  • OPENAM-13779: Session API - _action=refresh requires an admin token

  • OPENAM-13764: Monitoring logs in ERROR for "Agent.configAgentsOnly:agent type = OAuth2Client"

  • OPENAM-13720: Public API method LDAPUtils.convertToLDAPURLs can not handle IPv6 literals

  • OPENAM-13490: Software Publisher Agent - Secret is not saved when creating an Agent

  • OPENAM-13465: Dynamic client registration sets wrong subjectType

  • OPENAM-13446: Social Auth Service doesn’t redirect if already using another chain

  • OPENAM-13419: LDAPPolicyFilterCondition doesn’t set request timeout

  • OPENAM-13324: /users/{user}/devices/trusted REST queryFilter expression does not work and acts as "true"

  • OPENAM-13064: OAuth2 - SAML v.2.0 Bearer Assertion Grant - SubjectConfirmationData element should be optional

  • OPENAM-13000: Custom authentication module with a single ChoiceCallback value is processed without confirmation

  • OPENAM-12955: Resource Owner Password Credentials Grant does not work with trees

  • OPENAM-12759: max_age should be a number, not a string

  • OPENAM-12574: SAML2Utils.sendRequestToOrigServer throws NullPointerException on processing Cookies

  • OPENAM-12498: Authorization Grant response returns scope(s) in the URL

  • OPENAM-12228: WebAgent REST API queryFilter expression does not work and acts as "true"

  • OPENAM-12186: Introspect endpoint for RPT does not check the authorization scheme

  • OPENAM-11921: Incorrect NameId Format offered for SAML2 auth module in console

  • OPENAM-11863: CORSFilter position in web.xml should come before most filters

  • OPENAM-11778: Getting accessToken using authorization_code result in Unhandled exception

  • OPENAM-11338: OpenID Connect id_token bearer auth module mixes up aud, azp during verification

  • OPENAM-10869: SAML2 Authentication module returns ambiguous "Unable to link local user to remote user" error.

  • OPENAM-10843: When generating an OIDC token through STS a "kid" value is not specified

  • OPENAM-10127: SessionMonitoringStore should only be instantiated when monitoring is enabled

  • OPENAM-9931: Global Session Service - two fields with the exact same name (Redundant 'Global Attributes' setting should be removed)

  • OPENAM-9777: Json Web Key URI in OAuth2 OpenID connect client config pre-populated incorrectly

  • OPENAM-9459: 500 Internal Server Error from changePassword endpoint with AD repo

  • OPENAM-5867: Data Store LDAP server (admin-ordered) list is reordered by OpenAM

Fixes in AM 7.3.x

This page lists the cumulative fixes in AM 7.3.x releases:

AM 7.3.2

  • OPENAM-22836: Unable to update KBA Security questions using XUI

  • OPENAM-22753: Destroy All session may fail to work

  • OPENAM-22717: SP-initiated SSO fails with "Illegal character in scheme name" when IdP name contains a special character

  • OPENAM-22696: Persistent search notification invalidation on AD identity store doesn’t invalidate user cached attributes

  • OPENAM-22656: Setting JWKs URI content cache timeout to a small value throws an error

  • OPENAM-22632: AMSetupServlet install error with Windows multi-domain environment

  • OPENAM-22602: OIDC ID Token Validator node uses own httpClient settings to connect to JWK or well-known URL

  • OPENAM-22421: Webauthn: Windows Hello TPM Attestation failing for Windows 11 22H2

  • OPENAM-22391: Issues with evaluateTree when using wildcard policies

  • OPENAM-22322: Unable to verify signed ArtifactResponse Assertion leading to failure

  • OPENAM-22318: OAUTH_REQUEST_ATTRIBUTES cookie isn’t getting deleted after authentication

  • OPENAM-22289: Session quota action may fail when the session isn’t updatable but should be fine to proceed

  • OPENAM-22181: Approve UMA request fails with 500 error when AM deployed as a platform

  • OPENAM-22120: Backchannel logout token doesn’t contain exp claim

  • OPENAM-21972: SAML artifact binding is failing in load-balanced deployments

  • OPENAM-21937: Quota enforcement affects agent sessions that authenticate by tree

  • OPENAM-21897: Creation order determines policy evaluate and evaluateTree results

  • OPENAM-21473: Certificate collector node: getPortalStyleCert throws exception when cert/header not present

  • OPENAM-21322: AM console allows creation of entity provider with space at the end of the name

  • OPENAM-21191: Web agent sessions have a long session lifetime of 42 years

  • OPENAM-21085: Undefined bindings are incorrectly evaluated in Groovy scripts

  • OPENAM-20945: Unable to trace token revocation back to resource owner because of missing trackingID field

  • OPENAM-20314: Social Provider Handler node and Social IdP service use the sub claim to search for links to existing accounts

  • OPENAM-20299: Fix to make agent authentication honor com.iplanet.am.session.agentSessionIdleTime

  • OPENAM-19261: Fix incorrectly logged errors when introspecting tokens using OAuth 2.0 client credentials grant

AM 7.3.1

  • OPENAM-22017: ConfigProviderNode creates node class dynamically leading to native memory leak

  • OPENAM-21976: Single point of locking contention when performing client-based session logout

  • OPENAM-21941: Unable to edit policies in the UI

  • OPENAM-21854: TermsAndConditionsCallback fails with error on XUI

  • OPENAM-21728: Certificate module fails using JDK 11.0.21 and later with undefined access to private method

  • OPENAM-21484: Introspecting OAuth 2.0 refresh tokens results in different claim value types in the response

  • OPENAM-21421: Scripting logger name isn’t based on logging hierarchy convention

  • OPENAM-21390: ConsumedStateDataCache can cache an incomplete set of reachability data in a multi-AM environment

  • OPENAM-21304: OAuth 2.0 dynamic client registrations don’t retain request_uri values when creating

  • OPENAM-21164: Calling toXMLString in custom SAML adapter can return incorrectly formatted XML leading to invalid signature

  • OPENAM-21160: Inconsistent values in secure state when navigating an authentication tree

  • OPENAM-21158: Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2

  • OPENAM-21069: WindowsDesktopSSO authentication is failing

  • OPENAM-21010: Social authentication user profile corrupted when remote OIDC server returns non-English words

  • OPENAM-21004: AM will always look for valid session when scope=openid

  • OPENAM-21001: IdPAccountMapper is not correctly determined

  • OPENAM-20980: Unable to use issuer comparison check regex in oidc social provider

  • OPENAM-20897: Debug logs not showing info for ERROR: Unsupported Callback, "{0}" and others

  • OPENAM-20895: Newly-created Maven archetype project fails to build

  • OPENAM-20756: OIDC social authentication request (Apple) fails due to duplicate response_mode=form_post request parameter

  • OPENAM-20691: Destroy oldest session may fail to work

  • OPENAM-20682: Unable to encrypt from jwk_uri when there are duplicate kid

  • OPENAM-20490: AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes"

  • OPENAM-20026: Trailing whitespace prevents social provider deletion via UI

  • OPENAM-19999: ID token as AM session doesn’t work with /authorize when openid scope is requested

  • OPENAM-19889: Policy evaluation fails with agent access token JWT as subject

  • OPENAM-19282: Recovery Code Display Node works only immediately after Registration node

  • OPENAM-18599: Allow for custom error message if user account is locked

AM 7.3

  • OPENAM-20396: Authentication tree is selected by order of acr to tree mapping, not the default values, and order is not preserved

  • OPENAM-20360: Ampersand is double encoded in the Destination of a SAML Assertion

  • OPENAM-20260: Unable to log into AM when external application store is down

  • OPENAM-20230: Class allowlisting fails with permission denied after an extended period

  • OPENAM-20181: AD account notification fails

  • OPENAM-20159: Upgrader adds requestObjectProcessing to OAuth2Provider subconfigs

  • OPENAM-20104: The fragment response_mode for the /oauth2/authorize endpoint is not working

  • OPENAM-20085: STS token generation does not work with clustered docker pods

  • OPENAM-20082: Locked out users are shown a misleading error message

  • OPENAM-19868: Correctly handle multi-line text in Email Suspend nodes

  • OPENAM-19866: Excessive logging when accessing protected resources

  • OPENAM-19726: The par endpoint doesn’t return a request_uri when using JAR and claims are provided

  • OPENAM-19515: Unable to update session service with read only identity store

  • OPENAM-18818: Persistent search error message shows wrong DS identifier

  • OPENAM-18488: Windows Hello with TPM/platform authenticator returns two certificates

  • OPENAM-18172: Multiple instances of "No Social Authentication Service found for realm" logged at WARNING level

  • OPENAM-17215: Policy debug log fills up at very high pace if the config store is not found

  • OPENAM-13766: No configuration found for login with SessionConditionAdvice=deny

AM 7.2.x

AM 7.2.2
  • OPENAM-22380: LDAP Decision node adds wrong username, causing incorrect log messages

  • OPENAM-22289: Failure to save a read session isn't checked correctly, causing session quota failures

  • OPENAM-22017: ConfigProviderNode creates node class dynamically leading to native memory leak

  • OPENAM-21976: Single point of locking contention when doing client-based session logout

  • OPENAM-21972: SAML artifact binding fails in load-balanced deployment

  • OPENAM-21941: Unable to edit policies in the UI

  • OPENAM-21937: Quota enforcement affecting agent sessions that authenticate by tree

  • OPENAM-21728: Certificate module fails using JDK 11.0.21 and later with undefined access to private method

  • OPENAM-21484: Introspecting OAuth 2.0 refresh tokens results in different claim value types in the response

  • OPENAM-21473: Certificate collector node: getPortalStyleCert throws exception when cert/header not present

  • OPENAM-21390: ConsumedStateDataCache can cache an incomplete set of reachability data in a multi-AM environment

  • OPENAM-21304: OAuth 2.0 dynamic client registrations don’t retain request_uri values when creating

  • OPENAM-21160: Ensure secure state values are retained when navigating the authentication tree

  • OPENAM-21010: Social authentication user profile corrupted when remote OIDC server provides non-English identity claims

  • OPENAM-21004: AM will always look for valid session when scope=openid

  • OPENAM-21002: CTS task queue full and SeriesTaskExecutorThread can get stuck waiting

  • OPENAM-20897: Issue with logging unsupported callbacks

  • OPENAM-20783: OAuth 2.0 authorization code flow throws an error when content-type isn’t x-www-form-urlencoded and body isn’t JSON

  • OPENAM-20756: Social authentication request for Apple fails due to duplicated response_mode=form_post request parameter

  • OPENAM-20682: Unable to encrypt from jwk_uri where there are multiple JWKs with the same kid but different algorithms

  • OPENAM-20396: Authentication tree is selected by order of acr to tree mapping, not the default values, and order is not preserved

  • OPENAM-20104: The fragment response_mode for the /oauth2/authorize endpoint is not working

  • OPENAM-20026: Social IDP with trailing whitespace in the name can’t be deleted using the UI

  • OPENAM-19999: ID token as AM session doesn’t work with /authorize when openid scope is requested

  • OPENAM-19282: Recovery Code Display node works only immediately after Registration node

  • OPENAM-19261: Fix incorrectly logged errors when introspecting tokens using OAuth 2.0 client credentials grant

  • OPENAM-18599: Allow for custom error message if user account is locked

  • OPENAM-17816: 500 internal server error (from NPE) returned for a missing Content-Type header

AM 7.2.1
  • OPENAM-20360: Ampersand is double encoded in the Destination of a SAML Assertion

  • OPENAM-20318: Accessing AM end user login page for PlatformLogin journey in platform environment shows non-rendered HTML

  • OPENAM-20260: Unable to log into AM when external application store is down

  • OPENAM-20230: Class allowlisting fails with permission denied after an extended period

  • OPENAM-20181: AD account notification fails

  • OPENAM-20082: Locked out users are shown a misleading error message

  • OPENAM-20031: Access token modification can no longer access refresh token reference

  • OPENAM-19884: AM returns 500 error when ; is used in the access token header

  • OPENAM-19684: Error EntitlementService.getSubjectAttributesCollectorConfiguration logged on initial agent access

  • OPENAM-19537: UserSelfCheckCondition.getConditionDecision logs WARN excessively when nothing is wrong

  • OPENAM-19515: Unable to update session service with read-only identity store

  • OPENAM-19506: Installer fails after pressing "cancel" button at amadmin password page

  • OPENAM-19455: Adding Authentication Context without Level value results in uneditable entity

  • OPENAM-18818: Persistent search error message shows wrong DS identifier

  • OPENAM-18172: Multiple instances of "No Social Authentication Service found for realm" logged at WARNING level

  • OPENAM-17215: Policy debug log fills up at very high pace if the config store is not found

  • OPENAM-16241: Switching CTS Storage Scheme with stateful refresh-tokens from 1-1 to grantset

  • OPENAM-12101: Connection pool not restarted if LDAP authentication module admin bind password is incorrect

AM 7.2
  • OPENAM-19427: KBA questions don't fall back to the default language when French is present in the reset password flow

  • OPENAM-19384: Suspended Authentication Resume URI is resolved with a missing /

  • OPENAM-19381: Timer Stop Node’s stop recording does not capture the reference start time of the Timer Start Node

  • OPENAM-19380: Social Google node does not work if placed after an input collector in a tree

  • OPENAM-19359: Social authentication not working on Subrealms

  • OPENAM-19297: OIDC MayAct claims script fails to access clientProperties and causes Java security exception

  • OPENAM-19290: In a cluster, changing AM debug level on local AM2 to remote AM1 does not take effect until the remote AM1 is restarted

  • OPENAM-19281: OIDC dynamic client registration cannot take \n in the client_description

  • OPENAM-19266: Cannot add Page Headers or Page Descriptions to page nodes in tree editor

  • OPENAM-19220: WebAuthN/Fido - Cannot authenticate with recovery codes on Windows

  • OPENAM-19208: Webhook with an empty url field throws NPE during a webhook session upgrade

  • OPENAM-19196: JavaScript origins in the OAuth2 Client need a restart to apply the changes

  • OPENAM-19190: LDAPAuthUtils for BASE_OBJECT does not work with special userId characters

  • OPENAM-19162: REST API definition inaccurate for endpoint /realm-config/saml

  • OPENAM-19123: AM validates duplicate registration tokens

  • OPENAM-19122: AM’s jwks_uri endpoint should preserve order of keys within the set

  • OPENAM-19108: "Agent" auth tree creates tokens with insufficient permissions

  • OPENAM-19086: rest-sts endpoint is not included when CORS is enabled

  • OPENAM-19083: Creating a client-based access and refresh token breaks subsequent use of Session Quotas

  • OPENAM-19042: When using Apple SSO, the Social Identity Provider Handler node ignores the user info returned

  • OPENAM-18996: Issues with trees and navigating quickly between Social Login providers

  • OPENAM-18990: Non-compliant OAuth 2.0 error response generated

  • OPENAM-18953: Insufficient logging when OAuth 2.0 token request fails due to invalid client secret

  • OPENAM-18952: KBA questions are not falling back to the default language when French is present

  • OPENAM-18928: Client credential OAuth 2.0 request results in searches for OAuth 2.0 client against the Identity Store

  • OPENAM-18921: Double slashes in OAuth 2.0 claim names are handled incorrectly

  • OPENAM-18891: JWT Profile OAuth 2.0 grant returns invalid_grant

  • OPENAM-18883: Inconsistent error response from Client authentication using private_key_jwt

  • OPENAM-18877: Creating SAML providers with entity IDs containing the plus (+) symbol results in errors listing and creating new providers

  • OPENAM-18864: Upgrade Radius Server Client Secrets fails due to service config cache cleared

  • OPENAM-18833: Client authentication using private_key_jwt will cause 500 if claims value is null

  • OPENAM-18775: LdapDecisionNode throws NullPointerException on shared IDM Repository DataStore when Password change policy triggered

  • OPENAM-18756: Entering correct OTP after an incorrect OTP fails authentication

  • OPENAM-18754: User profile success URL ignored when authenticating with trees

  • OPENAM-18753: Upgrading AM Radius server with clients causes Radius auth failures

  • OPENAM-18705: Problem with Page Node using node relying on secureState

  • OPENAM-18701: DN cache doesn’t get deleted in some cases

  • OPENAM-18684: Redirect to authorize endpoint fails for 2nd OIDC App for Federated Users with multiple OIDC Clients

  • OPENAM-18679: OATH Registration node doesn’t work when placed inside a Page node

  • OPENAM-18663: AM should compare new realm names with REST endpoint names case-insensitively

  • OPENAM-18661: Two or more OAuth2 clients with duplicate origins causes CORS filter to be aborted

  • OPENAM-18655: Deleting OAuth2 Client provides unneeded Notification error message in IdRepo

  • OPENAM-18644: IdRepo cache cannot be disabled anymore

  • OPENAM-18640: REST-STS uses the old path to reach the users endpoint

  • OPENAM-18623: Issue with jwk_uri endpoint called in parallel

  • OPENAM-18610: RealmOAuth2ProviderSettings for getJwks permits an empty set

  • OPENAM-18605: Proxy authentication required error when connecting to a target host over https via a proxy that requires authentication

  • OPENAM-18586: No debug message when AM can’t read the encrypted_base64 folder after upgrade

  • OPENAM-18573: URLPatternMatcher or RedirectURLValidator fails when query string contains "%20"

  • OPENAM-18547: Unable to load PlatformRegistration when Using Stateless Access Token with BaseURL

  • OPENAM-18533: Distinguish between standard OIDC and JAR OIDC request parameters

  • OPENAM-18524: Client assertion JWT generated for private_key_jwt OAuth 2.0 client authentication doesn't include a "kid" header and can be rejected by external OAuth 2.0 providers

  • OPENAM-18523: NullPointerException when Web Agent group is changed

  • OPENAM-18487: Trust anchor check fails with Yubikey

  • OPENAM-18460: max_age parameter is overwritten

  • OPENAM-18459: IdTokenInfo endpoint behavior has changed and fails when using client_id in POST

  • OPENAM-18457: OIDC authentication nodes do not work in sub-realm when response_mode=form_post is requested from OP

  • OPENAM-18443: Transactional authentication is disabled on new installs

  • OPENAM-18436: UMA pending requests are stored differently depending on sub claim uniqueness mode

  • OPENAM-18434: Authorization Code flow redirects to malformed uri if redirect_uri contains underscore

  • OPENAM-18432: Remove the internal idm-delegation grant type from the well known info

  • OPENAM-18422: Email Template node creates threads without terminating them

  • OPENAM-18389: HttpClientHandler Guice injection in tree is typically broken with thread pool growth

  • OPENAM-18384: Email Suspend Node clears the secure state

  • OPENAM-18377: Authorization fails using auth module if user has authenticated with alias name

  • OPENAM-18359: Choice Collector Node not present following upgrade

  • OPENAM-18321: CertificateCollectorNode fails when checking cert in LDAP Directory Server

  • OPENAM-18306: OAuth 2.0 Authorization Code Grant Fails when including scope parameter at access_token endpoint

  • OPENAM-18297: Outbound calls to jwk_uri endpoint do not support proxy settings

  • OPENAM-18268: webauthnDeviceProfiles is not multi-valued for AD

  • OPENAM-18256: JWK Cache timeout is not set for OAuth 2.0 clients created dynamically

  • OPENAM-18252: Allow nodes to update the universal ID for use cases like impersonation and peer authentication

  • OPENAM-18235: IdPAdapter does not have access to IDPCache in preSendResponse hook when there is an existing session

  • OPENAM-18227: Upgrade from 6.0.x / 6.5.x fails with Unsupported node type PersistentCookieDecisionNode

  • OPENAM-18212: Check for user/agent profile condition during login can be refined further

  • OPENAM-18207: Global Service cache is not updated by changes from other servers in a site

  • OPENAM-18205: Excessive logging occurs when agent profile is not found

  • OPENAM-18180: No TransactionId present for AuthTreeExecutor

  • OPENAM-18171: Back-Channel logout keeps adding to trackingIds audit for every logout

  • OPENAM-18167: OIDC requests with request parameter fail with 500 error when there is no session using POST

  • OPENAM-18153: OpenIdConnect node call to well-known endpoint does not support proxy settings

  • OPENAM-18149: Wrong log file is used for SAML2 extensions log message

  • OPENAM-18141: AM no longer uses global SAML configuration

  • OPENAM-18140: AM Error "Trying to redefine version 0.0 for path" thrown on AM startup with forgeops

  • OPENAM-18132: Failed to get the distinct userIdAttributes for configured identity stores in realm

  • OPENAM-18121: Complex authentication trees load slowly

  • OPENAM-18120: Audit logging service does not correctly reflect the "prompt" URL parameter

  • OPENAM-18119: Audit log no longer shows the userID of session being invalidated by amAdmin

  • OPENAM-18118: OAuth 2.0 - AM does not implement 'device authorization grant' as specified in RFC 8628

  • OPENAM-18112: Misleading error message when LDAP auth node connects to a TLS-enabled server

  • OPENAM-18090: Creation of UMA Policy to share a resource fails when identities have custom attributes

  • OPENAM-18085: SocialProviderHandlerNode does not work in an upgraded AM

  • OPENAM-18068: Upgrade from AM 6.5.3 to 7.1.0 fails if a Java agent profile exists

  • OPENAM-18065: Logback.jsp cannot be used to set log levels for loggers in custom code

  • OPENAM-18062: SPACSUtils withholds exception and does not log error

  • OPENAM-18057: Identities page displays Internal Server Error when a user does not have search attribute defined

  • OPENAM-18043: Device Match module not setting correct AuthLevel

  • OPENAM-18030: Message node shows inconsistent behavior regarding the default locale

  • OPENAM-18017: Creation of UMA Policy to share a resource fails when identities have custom object classes

  • OPENAM-18009: HTTP error code 500 when authenticating with authIndexType service without authIndexValue

  • OPENAM-18006: Persistent search for identity store does not recover

  • OPENAM-18003: WS-Federation Active Requestor Profile does not work with Authentication Trees

  • OPENAM-17993: org.forgerock.openam.auth.nodes.webauthn.trustanchor.TrustAnchorValidator is missing a @Nullable annotation

  • OPENAM-17979: Backchannel authentication auth_req_id can be used to obtain multiple access tokens

  • OPENAM-17973: Retrieving auth code in a realm fails if session for another realm exists

  • OPENAM-17962: LDAP Decision Node does not put updated password in transient state

  • OPENAM-17954: Accept-Language header locale ignored on OAuth 2.0 Consent page

  • OPENAM-17935: Missing return statement in the happy flow of the kerberos node

  • OPENAM-17923: Retry Limit Decision should not involve user when Save Retry Limit to User is disabled

  • OPENAM-17916: When no session exists logout page redirects to login

  • OPENAM-17912: Account lockout count is not reset correctly

  • OPENAM-17904: JSON Audit Log Location not working when modifying location to only include %SERVER_URI% variable

  • OPENAM-17896: ForgottenPassword Reset on multiple clusters not working when reset link is clicked

  • OPENAM-17870: ScriptedDecisionNodes schema config not upgraded and sharedState does not work after upgrade

  • OPENAM-17830: Error messages are logged when the Push Notification Service is absent

  • OPENAM-17828: Apostrophe in username breaks Push/OATH device registration

  • OPENAM-17826: introspect endpoint returns a static value for expires_in when using client-based tokens

  • OPENAM-17814: Auth Tree step-up fails if username case does not match

  • OPENAM-17793: OIDC pairwise subject not working when multiple redirect URIs configured with the same hostname

  • OPENAM-17783: Language tag limited to 5 characters instead of 8

  • OPENAM-17782: Policy evaluation fails with 400 error when user does not exist

  • OPENAM-17760: PEM support incorrectly decodes some EC private keys

  • OPENAM-17718: OAuth 2.0 introspection endpoint does not accept Accept header with extra accept extension param (like weight q=0.8) or charset

  • OPENAM-17689: LDAPv3PersistentSearch should log when psearch connection is lost

  • OPENAM-17688: InMemoryCtsSessionCacheStep#cacheTrusted field should be marked volatile

  • OPENAM-17683: Selfservice user registration auto login fails for a sub-realm

  • OPENAM-17678: Radius server fails to initialize on startup due to Config cache refreshed

  • OPENAM-17677: oauth2/device/code endpoint does not support locale parameter

  • OPENAM-17663: Improve the error response code for "Failed to revoke access token"

  • OPENAM-17610: OTP Email Sender node does not let you specify connect timeout and IO/read timeout for underlying transport

  • OPENAM-17593: Deadlock when admin token is invalid and when config data is cleared

  • OPENAM-17591: Session quota destroy next expiring action can fail when two new sessions attempt to read and update the same expiring session

  • OPENAM-17590: OIDC login hint cookie broken since 7.0

  • OPENAM-17587: OIDC bearer token authentication module requires context value setting for client secret

  • OPENAM-17548: Can’t go back to login page after invoking Social Authentication Nodes

  • OPENAM-17521: Insufficient error logging to track down Multivalued RDNs not supported issue

  • OPENAM-17515: Sub attribute in access token can be in wrong case

  • OPENAM-17493: OAuth 2.0 node does not support external proxy authentication (user/pass)

  • OPENAM-17440: OAuth 2.0 service provider does not error if IAT attribute is mandatory but not issued

  • OPENAM-17426: No validation for attribute collector node

  • OPENAM-17405: Token introspection response not spec compliant

  • OPENAM-17351: AM File based config setup cannot be used with AM recording to dump the config

  • OPENAM-17320: Revisit prompt=login behavior change that keeps existing session

  • OPENAM-17308: Custom IdRepo uninstall realm-config/services/id-repositories?_action=nextdescendents fails

  • OPENAM-17265: Amster updates incorrect authorized_keys file

  • OPENAM-17040: UMA policy creation does not work with shared repo

  • OPENAM-16988: accessedEndpoint including port causes verify Assertion Consumer URL to fail

  • OPENAM-16953: Custom idrepo sample using IdRepoConfig does not work

  • OPENAM-16881: SAML federation library stopped supporting ACS URLs with query parameters

  • OPENAM-16653: Identity using fr-idm-uuid has wrong account ID in FR Authenticator

  • OPENAM-16642: Server id creation can fail when id is greater than 100

  • OPENAM-16490: OWASP ESAPI broken

  • OPENAM-16418: Client auth using private_key_jwt fails with 500 if claim format is wrong

  • OPENAM-16262: Javadocs for IdUtils needs updating

  • OPENAM-16216: Get Session Data node improvements

  • OPENAM-15472: HOTP - text for performed attempts is hard-coded and not localisable

  • OPENAM-15408: oauth2/connect/jwk_uri does not expose keys of the remote consent agent profile

  • OPENAM-15278: "Access Denied" error when accessing logout link and not currently signed in

  • OPENAM-14343: AM console - localisation issue for algorithms in global Common Federation Configuration

  • OPENAM-13855: CTS creates too many connections to DS

  • OPENAM-13312: Stateless non-expiring refresh tokens fail with "invalid_grant"

  • OPENAM-12969: UMA Resource deletion results in a 500 error unless another resource has been created within the same resource set

  • OPENAM-11636: IdP-Proxy - proxyidpfinder.jsp is not triggered when 'Use IDP Finder' is enabled for remote SP entity

AM 7.1.x

AM 7.1.4
  • OPENAM-21004: AM will always look for valid session when scope=openid

  • OPENAM-21002: CTS task queue full and SeriesTaskExecutorThread can get stuck waiting

  • OPENAM-20897: Issue with logging unsupported callbacks

  • OPENAM-20691: Destroy oldest session may fail to work

  • OPENAM-20396: Authentication trees are selected in order of ACR - tree mapping (not in the default order) and order is not preserved

  • OPENAM-20318: Accessing AM End user login page for PlatformLogin journey in platform environment shows non-rendered HTML

  • OPENAM-20260: Unable to log into AM when external application store is down

  • OPENAM-20230: Class whitelisting fails with permission denied after an extended period

  • OPENAM-20181: AD account notification fails

  • OPENAM-20085: STS token generation does not work with clustered docker pods

  • OPENAM-20082: Locked out users are shown a misleading error message

  • OPENAM-19954: SAML hosted entity uses algorithm set in common federation configuration instead of algorithm set in hosted entity configuration

  • OPENAM-19362: AM to DS certificate log message logged at warning instead of error or critical

  • OPENAM-18818: Persistent search error message shows wrong DS identifier

  • OPENAM-18629: RestSTS should validate sessions with a local call and use asynchronous HTTP calls for remote calls

  • OPENAM-18488: Windows Hello with TPM/platform authenticator returns two certificates

  • OPENAM-17591: Session quota action destroy next expiring token can fail when two new sessions attempt to read and update the same expiring session

  • OPENAM-17215: Policy debug log fills up at very high pace if the config store is not found

  • OPENAM-13766: No configuration found for login with SessionConditionAdvice=deny

AM 7.1.3
  • OPENAM-19884: AM returns 500 when ; used in access token header

  • OPENAM-19865: Memory Leak due to samlResponseDataHash not being cleaned up

  • OPENAM-19649: ID token not linked to session when authorising with sso token

  • OPENAM-19613: PSearch is already removed error message should be warning

  • OPENAM-19537: UserSelfCheckCondition.getConditionDecision logs WARN excessively when nothing is wrong

  • OPENAM-19530: Upgrade fails when Organization schema defaults are missing for service 'sunFAMSAML2Configuration'

  • OPENAM-19515: Unable to update session service with read only identity store

  • OPENAM-19512: Faulty Legacy OAuth 2.0 frrest/oauth2 endpoints

  • OPENAM-19506: Installer fails after pressing "cancel" button at amadmin password page

  • OPENAM-19455: Adding Authentication Context without Level value results in uneditable entity

  • OPENAM-19427: Display security questions in the correct default language

  • OPENAM-19384: Suspended Authentication Resume URI is resolved with a missing '/'

  • OPENAM-19381: Timer Stop Node’s stop recording does not capture the reference start time of the Timer Start Node

  • OPENAM-19297: OIDC MayAct claims script fails to access clientProperties and causes Java security exception

  • OPENAM-19290: In a cluster, changing AM debug level on local (AM2) to remote (AM1) does not have effect until restart of AM1

  • OPENAM-19281: OIDC dynamic client registration cannot handle "\n" in the client_description

  • OPENAM-19220: WebAuthN/Fido - cannot authenticate with recovery codes on Windows

  • OPENAM-19208: Webhook with an empty url field throws NPE during a webhook session upgrade

  • OPENAM-19190: LDAPAuthUtils for BASE_OBJECT does not work with special userId characters

  • OPENAM-19162: REST API definition inaccurate for endpoint '/realm-config/saml'

  • OPENAM-19123: AM validates duplicate registration tokens

  • OPENAM-19122: AM’s jwks_uri endpoint should preserve order of keys within the set

  • OPENAM-19119: GetAuthenticatorApp Node needs better localization support

  • OPENAM-19112: AM with embedded DJ always runs DJ backup and upgrade

  • OPENAM-19111: Insufficient debug logging to troubleshoot the error "Illegal arguments: One or more required arguments is null or empty" when updating a user identity subject via the REST API

  • OPENAM-19109: Insufficient debug logging to troubleshoot CORS service

  • OPENAM-19108: "Agent" auth tree creates tokens with insufficient permissions

  • OPENAM-19086: rest-sts endpoint is not included when CORS is enabled

  • OPENAM-19083: Creating a client-based access & refresh token breaks subsequent use of Session Quotas

  • OPENAM-19016: Logback.jsp should show the actual setting of the loggers instead of defaults

  • OPENAM-19011: QR code message used in MFA Authentication node should be customizable / localizable

  • OPENAM-18990: Non-compliant OAuth2 error response generated

  • OPENAM-18952: KBA questions are not falling back to the default language when French is present

  • OPENAM-18891: JWT Profile Oauth2 Grant returns 'invalid_grant'

  • OPENAM-18835: JCEEncryption throws ArrayIndexOutOfBoundException when decrypting empty bytes

  • OPENAM-18834: AM fails to start when upgrading after using am-upgrader

  • OPENAM-18655: Deleting OAuth2 Client causes unnecessary notification error message in IdRepo

  • OPENAM-18478: XUI shows incorrect subjectType following upgrade from AM < 6.5.3

  • OPENAM-18457: OIDC authentication nodes do not work in sub-realm when response_mode=form_post is requested from OP

  • OPENAM-18432: Remove the internal idm-delegation grant type from the well known info

  • OPENAM-18384: Email Suspend Node clears the secure state

  • OPENAM-18268: webauthnDeviceProfiles is not multi-valued for AD

  • OPENAM-18252: Allow nodes to update the universal ID for use cases like impersonation and peer authentication

  • OPENAM-18196: More meaningful error message when Client Secret is not URL-encoded

  • OPENAM-18172: Multiple instances of "No Social Authentication Service found for realm" logged at WARNING level in logs

  • OPENAM-18149: Wrong log file is used for SAML2 extensions log message

  • OPENAM-18132: Failed to get the distinct userIdAttributes for configured identity stores in realm

  • OPENAM-18113: LDAP authentication node: change of connection mode does not recreate the connection pool

  • OPENAM-18112: Misleading error message when LDAP auth node connects to a TLS-enabled server

  • OPENAM-18062: SPACSUtils withholds exception and does not log error

  • OPENAM-17973: Retrieving auth code in a realm fails if session for another realm exists

  • OPENAM-17882: Slow memory leak when persistent search retries after a failure

  • OPENAM-17835: Do not display "Unable to retrieve instance of the ValidationServiceConfig" after IdP-initiated SSO

  • OPENAM-17688: InMemoryCtsSessionCacheStep#cacheTrusted field should be marked volatile

  • OPENAM-17351: AM File based config setup cannot be used with AM recording to dump the config

  • OPENAM-17308: Custom IdRepo uninstall realm-config/services/id-repositories?_action=nextdescendents fails

  • OPENAM-17201: XMLEncryption does not comply with standard when 'rsa-oaep-mgf1p' is being used

  • OPENAM-16953: Custom idrepo sample using IdRepoConfig does not work

  • OPENAM-16878: Scripted Decision Node secrets binding object does not have public API

  • OPENAM-16490: OWASP ESAPI lib is missing some classes

  • OPENAM-16241: Switching CTS Storage Scheme with stateful refresh-tokens from 1-1 to grantset

  • OPENAM-15997: Enhance CookieHelper to perform better cookie detection

  • OPENAM-15472: HOTP - text for performed attempts is hard-coded and not localisable

  • OPENAM-15408: oauth2/connect/jwk_uri does not expose keys of the remote consent agent profile

  • OPENAM-14343: AM console - localisation issue for algorithms in global Common Federation Configuration

  • OPENAM-13766: No configuration found for login with SessionConditionAdvice=deny

  • OPENAM-12992: Misleading error message in XUI console when existing DNS alias is provided

  • OPENAM-12101: Connection pool not restarted if LDAP authentication module admin bind password is incorrect

  • OPENAM-11319: Add localized "description" for JSON response content to OAuth2UserApplications#getResourceResponse

AM 7.1.2
  • OPENAM-18928: Client credential OAuth2 request results in searches for OAuth2 client against Identity Store

  • OPENAM-18921: Double slashes in OAuth2 claim name handled incorrectly

  • OPENAM-18883: Inconsistent error response from Client authentication using private_key_jwt

  • OPENAM-18864: Upgrade Radius Server Client Secrets fails due to service config cache cleared

  • OPENAM-18836: No TransactionId in "debug.out" for the AM recording

  • OPENAM-18833: Client authentication using private_key_jwt will cause 500 if claims value is null

  • OPENAM-18780: JwksOAuth2AgentEventListener class not setting the correct default cache miss time value

  • OPENAM-18756: Entering the correct OTP after entering a wrong OTP fails authentication

  • OPENAM-18753: Upgrading AM Radius server with clients causes Radius auth failures

  • OPENAM-18711: AES Encryption/Decryption fails when running in Java 17

  • OPENAM-18705: Problem with Page Node when using a node that relies on secureState

  • OPENAM-18684: Redirect to the /authorize endpoint fails for the second OIDC app for federated users with multiple OIDC clients

  • OPENAM-18679: OATH Registration node doesn’t work when placed inside a 'Page' node

  • OPENAM-18663: AM should compare new realm names against REST endpoint names case-insensitively

  • OPENAM-18661: Two or more OAuth2 clients with duplicate origins causes CORS filter to be aborted

  • OPENAM-18646: Upgrade from AM 7.1.0 to 7.2+ may fail when upgrading an existing Java agent profile

  • OPENAM-18644: IdRepo cache cannot be disabled any more

  • OPENAM-18640: REST-STS is using the old path to reach /users endpoint

  • OPENAM-18623: Issue with the jwk_uri endpoint when called in parallel

  • OPENAM-18610: RealmOAuth2ProviderSettings#getJwks is broken in that it permits an empty key set

  • OPENAM-18605: "Proxy authentication required" error when connecting to a target host over HTTPS via a proxy that requires authentication

  • OPENAM-18586: No debug message when AM cannot read the encrypted_base64 folder after upgrade

  • OPENAM-18547: Unable to load PlatformRegistration when Using Stateless Access Token with BaseURL

  • OPENAM-18536: Java agent property org.forgerock.agents.session.change.notifications.enabled should be presented in XUI

  • OPENAM-18511: Missing navigation options when an expired link from "Email Suspend" node is used

  • OPENAM-18443: Transactional authentication is disabled on new installs

  • OPENAM-18434: Authorization Code flow redirects to a malformed URI if redirect_uri contains an underscore

  • OPENAM-18297: Outbound calls to the jwks_uri endpoint do not support proxy settings

  • OPENAM-18256: JWK Cache timeout is not set for OAuth 2.0 clients created dynamically

  • OPENAM-18175: SMSUtils#addAttributesToMap inconsistency with array ordering

  • OPENAM-18141: AM no longer uses global SAML configuration

  • OPENAM-18130: "Agent Configuration Change Notification" uses the same help text in the XUI for Java and Web agents, but the property name is different

  • OPENAM-18120: Audit logging service does not correctly reflect the "prompt" URL parameter

  • OPENAM-18090: Creation of UMA Policy to share a resource fails when identities have custom attributes

  • OPENAM-18030: Message node shows inconsistent behaviour regarding the default locale

  • OPENAM-18005: Insufficient error message to troubleshoot persistent search issue

  • OPENAM-17949: Account lockout applied to a tree even when 'ignore profile' is selected

  • OPENAM-17904: JSON audit log location does not work when modified to include only the %SERVER_URI% variable

  • OPENAM-17833: Internally accepted audience (aud) formed from a DNS alias can be wrong when the base URL has no port

  • OPENAM-17830: Error messages are logged when the Push Notification Service is absent

  • OPENAM-17829: External UMA Resource Set using SSL but not StartTLS fails

  • OPENAM-17593: Deadlock when admin token is invalid and when config data is getting cleared

  • OPENAM-17271: Typo for Realm in SAML/Federation debug

  • OPENAM-17102: OAuth2 client bearer authentication has insufficient logs for troubleshooting failing client authentication

AM 7.1.1
  • OPENAM-18604: Formatting issues in Upgrade Report

  • OPENAM-18573: URLPatternMatcher or RedirectURLValidator fails when the query string contains "%20"

  • OPENAM-18566: Missing 'org.forgerock.security.oauth2.enforce.sub.claim.uniqueness' after upgrade from 7.1.0

  • OPENAM-18559: Upgrade from 6.5.3 to 7.1.0 fails with UpgradeException - "com.sun.identity.sm.InvalidAttributeValueException: Saved Consent Attribute Name is required."

  • OPENAM-18532: Web Agent property org.forgerock.agents.pdp.javascript.repost has incorrect description in XUI

  • OPENAM-18523: NullPointerException when AgentsRepo with from group is changed

  • OPENAM-18459: IdTokenInfo endpoint behaviour changed from 6.x and fails when client_id is sent in a POST

  • OPENAM-18422: Email Template node creates threads without terminating them

  • OPENAM-18421: In a Platform environment, using an Email Template node creates a new thread that does not terminate

  • OPENAM-18389: HttpClientHandler Guice injection in tree is typically broken with thread pool growth

  • OPENAM-18377: Authorization fails using an auth module if the user has authenticated with an alias name

  • OPENAM-18366: Upgrade Report contains unformatted line feeds "%LF%"

  • OPENAM-18359: Choice Collector Node appears to not be present following upgrade

  • OPENAM-18321: CertificateCollectorNode fails when checking cert in LDAP Directory Server

  • OPENAM-18319: Realm is added more than once when session upgrade happens more than once with modules

  • OPENAM-18316: Typo in oauth2 template (templates/touch/authorize.ftl)

  • OPENAM-18306: OAuth2 Authorization Code Grant Fails when including scope parameter at access_token endpoint

  • OPENAM-18258: Failed to load configuration for OAuth2Provider observed after upgrade

  • OPENAM-18241: Permit OAuth2 modification script to return scopes as a space-delimited string

  • OPENAM-18235: IdPAdapter does not have access to IDPCache in preSendResponse hook when there is an existing session

  • OPENAM-18227: Upgrade from 6.0.x / 6.5.x can fail at Unsupported node type PersistentCookieDecisionNode

  • OPENAM-18212: Check for user/agent profile condition during login can be refined further

  • OPENAM-18207: Global Service cache is not updated by changes from other servers in a site

  • OPENAM-18205: Excessive logging occurs when agent profile is not found

  • OPENAM-18180: No TransactionId present for AuthTreeExecutor

  • OPENAM-18171: Back-Channel logout keeps adding to trackingIds audit for every logout

  • OPENAM-18167: OIDC requests with request parameter fail with 500 error when there is no session using POST

  • OPENAM-18154: Wrong AMR returned with prompt=login and force authn setting enabled

  • OPENAM-18153: OpenIdConnect node call to well-known endpoint does not support proxy settings

  • OPENAM-18140: AM Error "Trying to redefine version 0.0 for path" thrown on AM startup with forgeops

  • OPENAM-18121: Slow loading in Authentication Tree

  • OPENAM-18119: Audit log no longer shows the userID of session being invalidated by amadmin

  • OPENAM-18090: Creation of UMA Policy to share a resource fails when identities have custom attributes

  • OPENAM-18085: SocialProviderHandlerNode does not work in an upgraded AM

  • OPENAM-18068: Upgrade from AM 6.5.3 to 7.1.0 does not work if a Java Agent profile exists

  • OPENAM-18065: Logback.jsp cannot be used to set log levels for loggers in custom code

  • OPENAM-18057: Identities page displays Internal Server Error when a user does not have search attribute defined

  • OPENAM-18043: Device Match module not setting correct AuthLevel

  • OPENAM-18017: Creation of UMA Policy to share a resource fails when identities have custom object classes

  • OPENAM-18009: AM returns HTTP 500 when authenticating with authIndexType=service without an authIndexValue

  • OPENAM-18006: Persistent search for identity store does not recover

  • OPENAM-18003: WS-Federation Active Requestor Profile does not work with Authentication Trees

  • OPENAM-17993: The org.forgerock.openam.auth.nodes.webauthn.trustanchor.TrustAnchorValidator is missing a @Nullable annotation

  • OPENAM-17979: Backchannel authentication - auth_req_id can be used to obtain multiple access tokens

  • OPENAM-17962: LDAP Decision Node does not put updated password in transient state

  • OPENAM-17954: Accept-Language header locale ignored on OAuth2 Consent page

  • OPENAM-17935: Missing 'return' statement in the happy flow of the kerberos node

  • OPENAM-17923: Retry Limit Decision Should Not Have User Involvement when Save Retry Limit to User is Disabled

  • OPENAM-17916: When no session exists logout page redirects to login

  • OPENAM-17912: Account lockout count is not reset correctly

  • OPENAM-17896: Forgotten password reset does not work on a multi-server cluster when the reset link is clicked

  • OPENAM-17870: ScriptedDecisionNode schema config not upgraded and sharedState does not work after upgrade

  • OPENAM-17863: Authorization code is not issued when nonce is not supplied when using OpenID Hybrid profile

  • OPENAM-17828: Apostrophe in username breaks Push/OATH device registration

  • OPENAM-17826: Introspect endpoint returns a static value for "expires_in" when using client based tokens

  • OPENAM-17814: Auth Tree step-up fails if username case does not match

  • OPENAM-17801: OIDC userinfo subname claim returns incorrect value

  • OPENAM-17793: OIDC pairwise subject not working when multiple redirect URIs configured with the same hostname

  • OPENAM-17782: Policy evaluation fails with 400 error when user does not exist

  • OPENAM-17774: Missing exp claim throws NullPointerException on CIBA bc-authorize endpoint

  • OPENAM-17773: The acr_values parameter is mandatory on CIBA bc-authorize endpoint

  • OPENAM-17760: PEM support incorrectly decodes some EC private keys

  • OPENAM-17738: Java Agent "Client IP Validation Mode" property does not work when key is empty from XUI

  • OPENAM-17718: OAuth2 Introspection endpoint does not accept an Accept header with an extra accept extension parameter (such as the weight q=0.8) or a charset

  • OPENAM-17678: RADIUS server fails to initialize on startup because the config cache is refreshed

  • OPENAM-17677: The oauth2/device/code endpoint does not support locale parameter

  • OPENAM-17663: Improve the error response code for "Failed to revoke access token"

  • OPENAM-17630: JMS Audit logging broken and cannot start up

  • OPENAM-17610: OTP Email Sender node does not allow specifying connect and IO/read timeouts for the underlying transport

  • OPENAM-17590: OIDC login hint cookie broken since 7.0

  • OPENAM-17587: OIDC bearer token authentication module requires context value setting for client secret

  • OPENAM-17493: OAuth2 node does not support external proxy authentication (user/pass)

  • OPENAM-17405: Token introspection response not spec compliant

  • OPENAM-17320: Revisit prompt=login behaviour change that keeps existing session

  • OPENAM-17265: Wrong authorized_keys file updated

  • OPENAM-17262: Subname claim inconsistencies

  • OPENAM-16988: The accessedEndpoint including port causes verify Assertion Consumer URL to fail

  • OPENAM-16881: SAML federation library stopped supporting ACS URLs with query parameters

  • OPENAM-16653: Identity using fr-idm-uuid has wrong account ID in FR Authenticator

  • OPENAM-16642: Server id creation can fail when id is greater than 100

  • OPENAM-16554: Misplaced bufferingEnabled checkbox in New Syslog configuration

  • OPENAM-16491: SAML Update introduces javascript calls that aren’t available in IE8 and below (or IE11 using Enterprise mode)

  • OPENAM-16418: Client auth using private_key_jwt fails with 500 if claim format is wrong

  • OPENAM-16216: Get Session Data node improvements

  • OPENAM-15861: NullPointerException in CollectionHelper.getServerMapAttrs

  • OPENAM-15740: Document that _fields is case-sensitive

  • OPENAM-15278: "Access Denied" error when accessing logout link and not currently signed in

  • OPENAM-13855: CTS creates too many connections to DS

  • OPENAM-13312: Stateless non-expiring refresh tokens fail with "invalid_grant"

  • OPENAM-11636: IdP-Proxy - proxyidpfinder.jsp is not triggered when 'Use IDP Finder' is enabled for remote SP entity

AM 7.1
  • OPENAM-17396: Terms of Service URI Link does not Display in Consent Page

  • OPENAM-17395: SocialOpenIdConnectNode fails to recover from client’s connection reset

  • OPENAM-17365: Checking agent type with caller token can cause deadlock

  • OPENAM-17364: Prompt login / session upgrade / OIDC ACR looping with trees

  • OPENAM-17361: API Explorer Swagger template body needs to be modified to include configExport, debugLogs and threadDump as per the API documentation

  • OPENAM-17357: Remote Consent Service RCS does follow RCS consented scope when authorization endpoint accessed without any scope

  • OPENAM-17353: HTML pages are not picked up when placing in a theme folder

  • OPENAM-17349: OIDC Refresh token - Ops token is deleted from the CTS during refresh

  • OPENAM-17343: Access token call returns 500 error if password needs to be changed or has expired

  • OPENAM-17322: SAML2 bearer grant returns NoUserExistsException

  • OPENAM-17317: A realm without any modules can cause increased thread count and slow response

  • OPENAM-17276: AM recorder does not record anymore

  • OPENAM-17271: Typo for Realm in SAML/Federation debug

  • OPENAM-17260: Allow arg=newsession usage in authorize calls

  • OPENAM-17242: OAuth2 Policy - Environment Condition AuthLevel >= doesn’t work for ROPC grant

  • OPENAM-17220: OAuthLogout.jsp compilation error isGotoUrlValid method signature not found

  • OPENAM-17199: Insufficient debug logging for 'DJLDAPv3Repo.getAssignedServices'

  • OPENAM-17156: Adaptive Risk checkGeoLocation null countryCode can cause module failure

  • OPENAM-17136: OAuth2 Dynamic Client Registration does not recognise spec-defined parameters

  • OPENAM-17121: Inefficient synchronized block in OAuth2ProviderSettingsFactory

  • OPENAM-17114: Save Consent check box always shown, even when not configured

  • OPENAM-17097: Inconsistent scope policy evaluation between authorize and ROPC

  • OPENAM-17089: Forgot password functionality broken

  • OPENAM-17070: SAML2 SP-initiated SSO with AM as IdP proxy: RelayState is not returned from the proxy after IdP authentication

  • OPENAM-17060: Audit Logging "Resolve host name" is still available after OPENAM-7849

  • OPENAM-17037: AM Upgrade from 6.0.0.7 to 7.0.0 causing NPE

  • OPENAM-17034: If the User Profile is set to Ignored in a realm, the realm-level Session Service quota settings are also ignored and only the global Session Service setting is evaluated

  • OPENAM-17017: REST STS fails with "unable to get sub-schema" if the cache is refreshed while updating the REST config

  • OPENAM-17006: Hosted SAML entity - cannot remove bindings

  • OPENAM-16998: Poor logging around failures "Invalid Assertion Consumer Location specified"

  • OPENAM-16997: Device code grant implied consent fails if access_token request performed before user authenticates

  • OPENAM-16988: Accessed endpoint including port causes verify Assertion Consumer URL to fail

  • OPENAM-16955: When setCookieToAllDomains=false is used, a non matching request from other domain will fail

  • OPENAM-16947: Kerberos Node in 7.0 fails to return goTo(false)

  • OPENAM-16944: LDAP Decision node fails if inetuserstatus does not exist

  • OPENAM-16936: Tree nodes create a new keystore object each time the node is called

  • OPENAM-16935: Logout issue after logging into AM with 'Remember my username' selected with iOS 14.0.1

  • OPENAM-16934: sm.getSchemaManager has a typo including a comma

  • OPENAM-16926: Success URL node doesn’t work with the SAML node for IdP-initiated SSO when not using integrated mode

  • OPENAM-16910: Cannot create a SAML entity with an entity ID including a semicolon ';'

  • OPENAM-16907: Kerberos Node in 7.0 does not work

  • OPENAM-16904: OIDC bearer module fails with NPE when id_token does not contain kid

  • OPENAM-16883: AM ignores AuthnRequestsSigned property during SSO

  • OPENAM-16876: Default ACR values on OIDC client profile is not honoured in order of preference

  • OPENAM-16866: AM should fail gracefully if id_token fails to generate when swapping refresh token

  • OPENAM-16849: WeChat Social Auth module broken (regression)

  • OPENAM-16848: Choice Collector and WDSSO node combination does not work if whitelisting is enabled

  • OPENAM-16847: AM email service failing with 'Start TLS' option

  • OPENAM-16838: AuthenticationApproachChecker does not handle session upgrade modules

  • OPENAM-16823: IDM nodes do not send or propagate transactionId tracking when contacting IDM

  • OPENAM-16807: Dynamic request_uri values stored in the client config do not expire and are not automatically removed

  • OPENAM-16801: SAML2 SP init SSO fails after upgrade to 7.0.0

  • OPENAM-16784: Upgrade to 7 fails with NullPointerException in Saml2EntitySecretsStep

  • OPENAM-16769: Enabling Auto-federation when User Profile is Dynamic on SP causes SP to hang during SAML flow

  • OPENAM-16758: Cannot install AM 7 on Windows

  • OPENAM-16745: client_id in access token ignores what’s been registered when idm cache is disabled

  • OPENAM-16726: Insufficient debug logging for OAuth2 error 'invalid_client Server does not support this client’s subject type'

  • OPENAM-16703: OAuth2 Access token obtained from refresh token is certificate-bound regardless of "Certificate-Bound Access Tokens" configuration (when client_secret_basic used for credentials)

  • OPENAM-16701: The authorize endpoint with a service parameter will cause the parameter to appear as a PAP claim in the agent’s ID token

  • OPENAM-16684: OIDC Dynamic Registration client_description cannot take String type

  • OPENAM-16669: IdentityGateway Agent entry missing attribute required to support org.forgerock.openam.agent.TokenRestrictionResolver#getAgentInfo

  • OPENAM-16617: SuccessURL session property is set to gotoURL in authentication tree

  • OPENAM-16608: AM with embedded DS setup fails with permission denied for truststore

  • OPENAM-16583: Crucial information is missing when encountering LDAP connection issues

  • OPENAM-16556: RADIUS server does not log the IP address into AM audit logs

  • OPENAM-16555: Audit logging does not tell which policy allowed or denied a resource request

  • OPENAM-16540: Issues with Social Login URLs when navigating quickly between providers

  • OPENAM-16535: "JWKs URI content cache miss cache time" is not triggered when "kid" is missing from cached JWK Set

  • OPENAM-16515: Social auth - insufficient debug logging for troubleshooting

  • OPENAM-16485: 'Failed Login URL' is not picked up from the auth chain

  • OPENAM-16472: Proxied Authentication fallback may not work when the user entry lacks some attributes

  • OPENAM-16450: 501 when default resource version set to "oldest" and Accept-API-Version header set

  • OPENAM-16418: private_key_jwt client auth fails with 500 if claim format is wrong

  • OPENAM-16368: Settings of Mail and Scripting global service properties are overwritten at upgrade

  • OPENAM-16367: OIDC request_uri response causes NPE while debug logging

  • OPENAM-16354: Concurrency bug in OAuth2ProviderSettingsFactory

  • OPENAM-16338: Failing REQUISITE module after SUFFICIENT Device Match doesn’t fail chain properly

  • OPENAM-16157: Session Property Whitelist Service allows case variant Property Names but DS is not case sensitive

  • OPENAM-16152: After upgrade, new Identity page has duplicate 'new identity' field and email address does not save

  • OPENAM-16006: Device Code Grant does not work with Implied Consent as Authorization is not approved even after consented

  • OPENAM-15963: Historical retention files (CSV) were not deleted

  • OPENAM-15948: Update DS profiles to add VLV indexes for CTS use

  • OPENAM-15743: Excessive CTS logging when Reaper is disabled (com.sun.am.ldap.connnection.idle.seconds=0)

  • OPENAM-15671: LoginContext is missing debug logging for troubleshooting

  • OPENAM-15663: UserInfoClaims is not part of public API

  • OPENAM-14898: OTP Email Sender Authentication Node fails if no SMTP authentication credentials are specified

  • OPENAM-14682: Microsoft Social Auth fails when creating a Microsoft account (Legacy OAuth2)

  • OPENAM-14527: Microsoft Social Auth does not work with latest MS endpoints (Legacy OAuth2)

  • OPENAM-12503: SizeBasedRotationPolicy does not delete oldest file

AM 7.0.x

AM 7.0.2
  • OPENAM-17689: LDAPv3PersistentSearch should log when psearch connection is lost

  • OPENAM-17688: InMemoryCtsSessionCacheStep#cacheTrusted field should be marked volatile

  • OPENAM-17683: Selfservice user registration auto login fails for a sub-realm

  • OPENAM-17673: Nodes within a Page node do not have access to secure state

  • OPENAM-17672: Page Node does not expose inner nodes inputs or outputs

  • OPENAM-17630: JMS Audit logging broken and cannot start up

  • OPENAM-17591: Session quota destroy next expiring action can fail when two new sessions attempt to read and update the same expiring session

  • OPENAM-17587: OIDC bearer token authentication module requires context value setting for client secret

  • OPENAM-17570: OIDC request parameter decryption fails to find any applicable keys

  • OPENAM-17555: AM 7.x versions of Amster use Java 8 format of debug port

  • OPENAM-17517: JS versions of Social Identity Provider Profile Transformation scripts do not work due to a casting error

  • OPENAM-17515: Sub attribute in access token can be in wrong casing

  • OPENAM-17483: SecretsPlugin upgrade from 6.5.x failing

  • OPENAM-17477: Thread-safety issue in AMAuthenticationManager

  • OPENAM-17436: JS version of the OIDC Claims script does not work due to a casting error

  • OPENAM-17405: Token introspection response not spec compliant

  • OPENAM-17397: ssoadm can fail for some cloud-based setups due to FileBasedConfiguration check

  • OPENAM-17365: Checking agent type with caller token can cause deadlock

  • OPENAM-17364: prompt login / session upgrade / OIDC ACR looping with trees

  • OPENAM-17361: API Explorer Swagger template body needs to be modified to include configExport, debugLogs and threadDump as per the API documentation

  • OPENAM-17357: Remote Consent Service RCS does follow RCS consented scope when authorization endpoint accessed without any scope

  • OPENAM-17349: OIDC Refresh token - Ops token is deleted from the CTS during refresh

  • OPENAM-17337: Access token passed in request body results in failure

  • OPENAM-17324: Client credentials grant in FBC config with group inheritance causes User not Valid Error

  • OPENAM-17322: SAML2 bearer grant returns NoUserExistsException

  • OPENAM-17321: Prometheus Endpoint returns http 500 error when used with file based config

  • OPENAM-17317: A realm without any modules can cause increased thread count and slow response

  • OPENAM-17310: 'ssoadm list-datastore-types' sub-command broken

  • OPENAM-17277: AM Recording with thread dump only shows depth of 8

  • OPENAM-17276: AM recorder does not record anymore

  • OPENAM-17274: AM should not change the supported subject types for an existing install

  • OPENAM-17271: Typo for Realm in SAML/Federation debug

  • OPENAM-17265: Wrong authorized_keys file updated

  • OPENAM-17242: OAuth2 Policy - Environment Condition AuthLevel >= doesn’t work for ROPC grant

  • OPENAM-17220: OAuthLogout.jsp compilation error isGotoUrlValid method signature not found

  • OPENAM-17199: Insufficient debug logging for 'DJLDAPv3Repo.getAssignedServices'

  • OPENAM-17175: XUI OAuth2 consent page does not render when using themes

  • OPENAM-17157: Password reset via admin console with Proxied Authorization enabled is not possible

  • OPENAM-17156: Adaptive Risk checkGeoLocation null countryCode can cause module failure

  • OPENAM-17121: Inefficient synchronized block in OAuth2ProviderSettingsFactory

  • OPENAM-17117: Service config XML dump consumes a lot of memory (whole config is read to memory)

  • OPENAM-17114: Save Consent check box always shown, even when not configured

  • OPENAM-17102: OAuth2 client bearer authentication has insufficient logs for troubleshooting failing client authentication

  • OPENAM-17097: Inconsistent scope policy evaluation between authorize and ROPC

  • OPENAM-17089: Forgot password flow not working after initial attempt to reset password fails

  • OPENAM-17081: OAuth2 client agent group settings are not taken into account

  • OPENAM-17079: Identities and Sessions: unexpected error returned when requesting a non-existent identity

  • OPENAM-17070: SAML2 SP-initiated SSO with AM as IdP proxy: RelayState is not returned from the proxy after IdP authentication

  • OPENAM-17066: Unable to add server to existing deployment through UI

  • OPENAM-17042: User Self Registration REST API does not generate SSO token

  • OPENAM-17019: Allowing wildcards in OAuth 2.0 clients prevents exact matching from working

  • OPENAM-17017: REST STS fails with "unable to get sub-schema" if the cache is refreshed while updating the REST config

  • OPENAM-16998: Poor logging around failures "Invalid Assertion Consumer Location specified"

  • OPENAM-16997: Device code grant implied consent fails if access_token request performed before user authenticates

  • OPENAM-16955: When setCookieToAllDomains=false is used, a non matching request from other domain will fail

  • OPENAM-16944: LDAP Decision node fails if inetuserstatus does not exist

  • OPENAM-16932: PageNode does not pick up outcomes if ScriptedDecisionNode is used inside

  • OPENAM-16910: Cannot create a SAML entity with an entity ID including a semicolon ';'

  • OPENAM-16904: OIDC bearer module fails with NPE when id_token does not contain kid

  • OPENAM-16883: AM ignores AuthnRequestsSigned property during SSO

  • OPENAM-16881: SAML federation library stopped supporting ACS URLs with query parameters

  • OPENAM-16876: Default ACR values on OIDC client profile is not honoured in order of preference

  • OPENAM-16849: WeChat Social Auth module broken (regression)

  • OPENAM-16801: SAML2 SP init SSO fails after upgrade to 7.0.0

  • OPENAM-16726: Insufficient debug logging for OAuth2 error 'invalid_client Server does not support this client’s subject type'

  • OPENAM-16651: Default configuration fails if the trust store type JVM property is not defined for the JVM

  • OPENAM-16638: AM with embedded DS setup fails when Java system keystore properties are set

  • OPENAM-16608: AM with embedded DS setup fails with permission denied for truststore

  • OPENAM-16581: SAML Authentication Module on hosted SP gets SAML No authentication context error

  • OPENAM-16556: RADIUS server does not log the IP address into AM audit logs

  • OPENAM-16515: Social auth - insufficient debug logging for troubleshooting

  • OPENAM-16472: Proxied Authentication fallback may not work when the user entry lacks some attributes

  • OPENAM-16364: Macaroon access tokens don’t work with the new any-realm token introspection

  • OPENAM-16262: Javadocs for IdUtils needs updating

  • OPENAM-15963: Historical retention files (CSV) were not deleted

  • OPENAM-15214: Auth Tree - Clicking save with no changes causes render problem with node attributes inside page node

  • OPENAM-14240: FMSigProvider.verify does not indicate whether certificates are provided

  • OPENAM-13783: REST STS: Cannot add or modify nameID format in SAML config, and default value stated in help is incorrect

  • OPENAM-13575: Unhelpful log message when OIDC public client wants to use HMAC id token signing

AM 7.0.1
  • OPENAM-16935: Logout issue after logging into AM with 'Remember my username' selected with iOS 14.0.1

  • OPENAM-16934: sm.getSchemaManager has a typo including a comma

  • OPENAM-16907: Kerberos Node in 7.0 does not work

  • OPENAM-16877: Error when creating AM "Self-service Trees" service in native admin ui

  • OPENAM-16848: Choice Collector and WDSSO node combination does not work if whitelisting is enabled

  • OPENAM-16847: AM email service failing with 'Start TLS' option

  • OPENAM-16838: AuthenticationApproachChecker does not handle session upgrade modules

  • OPENAM-16823: IDM nodes do not send or propagate transactionId tracking when contacting IDM

  • OPENAM-16802: Upgrade from OpenAM 7.0 to 7.1.0 SNAPSHOT causes NPE

  • OPENAM-16794: Google KMS options missing after upgrade from 6.5

  • OPENAM-16791: AMAccessAuditEventBuilder#forRequest can generate an entry with :-1 for the port

  • OPENAM-16769: Enabling Auto-federation when User Profile is Dynamic on SP causes SP to hang during SAML flow

  • OPENAM-16759: Amster on windows : AM does not restart properly after setup

  • OPENAM-16758: Cannot install AM 7 on Windows

  • OPENAM-16745: client_id in access token ignores what’s been registered when idm cache is disabled

  • OPENAM-16703: OAuth2 Access token obtained from refresh token is certificate-bound regardless of "Certificate-Bound Access Tokens" configuration (when client_secret_basic used for credentials)

  • OPENAM-16702: Saving engine configuration in FBC mode makes that config non-readable

  • OPENAM-16701: The authorize endpoint with a service parameter will cause the parameter to appear as a PAP claim in the agent’s ID token

  • OPENAM-16697: Case mismatch for realm (when using legacy realm identifier format) on well-known endpoint results in issuer with incorrect path format

  • OPENAM-16686: Cannot create a User after upgrade from 6.5.2 to 7.0.1

  • OPENAM-16684: OIDC Dynamic Registration client_description cannot take String type

  • OPENAM-16669: IdentityGateway Agent entry missing attribute required to support org.forgerock.openam.agent.TokenRestrictionResolver#getAgentInfo

  • OPENAM-16650: Authz Policy Subjects Policy.title is showing property name text

  • OPENAM-16641: OAuth2 provider supported grant types attribute missing localization property on XUI

  • OPENAM-16606: Missing "org.forgerock.openam.saml2.authenticatorlookup.skewAllowance" property in server defaults

  • OPENAM-16594: ssoadm help should be updated to reflect changes in AME-18650 / OPENAM-16155

  • OPENAM-16583: Crucial information is missing when encountering LDAP connection issues

  • OPENAM-16555: (audit) logging does not tell which policy allowed or denied a resource request

  • OPENAM-16551: Scalar String in OAuth2 Access Token Modification Script results in "Unable to Obtain Access Token"

  • OPENAM-16545: Upgrade to AM 7.0.0 can cause problems with properties being overridden for some web agents

  • OPENAM-16485: 'Failed Login URL' is not picked up from the auth chain

  • OPENAM-16483: XUI - Typo in SAML SP "Default Relay State Url" label

  • OPENAM-16368: Settings of Mail and Scripting global service properties are overwritten at upgrade

  • OPENAM-16367: OIDC request_uri response causes NPE while debug logging

  • OPENAM-16354: Concurrency bug in OAuth2ProviderSettingsFactory

  • OPENAM-16338: Failing REQUISITE module after SUFFICIENT Device Match doesn’t fail chain properly

  • OPENAM-16157: Session Property Whitelist Service allows case variant Property Names but DS is not case sensitive

  • OPENAM-16152: After upgrade, new Identity page has duplicate 'new identity' field and email address does not save

  • OPENAM-16006: Device Code Grant does not work with Implied Consent as Authorization is not approved even after consented

  • OPENAM-15671: LoginContext is missing debug logging for troubleshooting

  • OPENAM-15663: UserInfoClaims is not part of public API

  • OPENAM-14682: Microsoft Social Auth fails when creating a Microsoft account (Legacy OAuth2)

  • OPENAM-14527: Microsoft Social Auth does not work with latest MS endpoints (Legacy OAuth2)

  • OPENAM-11706: Policies in a policy set are not visible in Internet Explorer IE

AM 7.0
  • OPENAM-16433: Audit Logging change of behaviour when capturing "principals" and "userid" data for each authentication entry

  • OPENAM-16425: AM does not handle malformed/incorrect signature correctly

  • OPENAM-16402: The passwordpolicy.allowDiagnosticMessage should be applicable to admin and selfservice password change.

  • OPENAM-16379: URL fragments like # cause forbidden login in the XUI

  • OPENAM-16284: XUI does not handle Special Chars / UTF-8 in realms properly.

  • OPENAM-16279: AgentsRepo cannot recover when it fails especially on external Application store.

  • OPENAM-16251: OIDC authentication request with parameters 'prompt=none' and 'acr_values=' triggers authentication

  • OPENAM-16240: REST STS under subrealm cannot generate id_token with realm claim

  • OPENAM-16233: Policy evaluation fails when subject not found (even in ignore profile)

  • OPENAM-16214: Push Authentication Module does not work on Session Upgrade when User Cache disabled

  • OPENAM-16184: Zero Page Login Collector does not work with UTF-8 base 64 encoded usernames and passwords

  • OPENAM-16165: social authmodule causes NullPointerException

  • OPENAM-16164: social authmodule fails if OIDC provider uses algorithm RS256 to sign Id Token

  • OPENAM-16136: queryFilter only matches against first entry in array

  • OPENAM-16132: When TtlSupport is enabled, Stateless OAuth2 Refresh token and JWT whitelist fails on synchroniseExpiryDates

  • OPENAM-16032: Unable to delete devices with Recovery Code Collector Decision Node

  • OPENAM-16031: Intermittent error message when concurrently obtaining SSO Token ID with session quota constraints

  • OPENAM-16014: An invalid user passed to any WebAuthn node throws NPE and breaks the Tree flow

  • OPENAM-16013: Mismatched kid from Json Web Key URI when Specified Encryption Algorithm

  • OPENAM-16009: Windows Desktop SSO node full adoption and compliance with tree node specifications

  • OPENAM-15989: OAuth2 client_id should be url-decoded when using basic auth

  • OPENAM-15982: OIDC - JWT Request Parameter returns errors in query, not in the fragment when consent is denied

  • OPENAM-15970: Access Token introspect Fails in subrealm after root realm modified

  • OPENAM-15944: WS-Federation - RPSignin Request fails because config data is used unchecked

  • OPENAM-15905: Login failure with Post Authentication Plugin on timed out Authentication session throws NullPointerException

  • OPENAM-15900: Kerberos fails when used with IBM JDK

  • OPENAM-15896: WS-Federation relying party initiated passive request - stuck at Account Realm selection

  • OPENAM-15881: Custom AM User (amUser.xml) field does not use default values from the schema

  • OPENAM-15858: Auth Tree fails before 'Max Authentication Time' is reached if authentication session state management scheme CTS is used

  • OPENAM-15853: External UMA store fails on resource creation

  • OPENAM-15805: idtokeninfo endpoint gives invalid signature error when ID Token is expired

  • OPENAM-15785: OIDC spec violation - HTTP POST can not be used to send Authentication Request

  • OPENAM-15784: Form elements in policy environment condition tab are displayed twice

  • OPENAM-15766: LoginState - account lockout is checked although AM AccountLockout is disabled

  • OPENAM-15758: KeyStore Secret Store fails to start due to secretId having some characters.

  • OPENAM-15750: ERROR: OAuth2Monitor: Unable to increment "oauth2.grant" metric for unknown grant type BACK_CHANNEL

  • OPENAM-15724: SAML2 entities do not set amlbcookie if there is only one server

  • OPENAM-15713: AM SP drops the 80-character RelayState silently for HTTP Redirect

  • OPENAM-15698: IdP-initiated SSO fails with error 'Error processing AuthnRequest. IDP Session is NULL'

  • OPENAM-15697: Default ACR values from OAuth2 provider not taken into account

  • OPENAM-15694: RestSTSServiceHttpRouteProvider causes memory leak by adding route for every access

  • OPENAM-15679: The option "com.sun.am.ldap.connnection.idle.seconds" has a misspelling

  • OPENAM-15670: DeviceIdSave auth module initialization fails if username is null

  • OPENAM-15667: AM debug log does not tell which auth-module was handled - needed for troubleshooting

  • OPENAM-15645: The &refresh=true|false parameter for _action=validate is not working as expected

  • OPENAM-15632: OAuth2 Refresh token lifetime with -1 (never expires) cannot work with CTS TTL support

  • OPENAM-15628: Grant-Set Storage Scheme for CTS does not work with CIBA Flow

  • OPENAM-15627: Switching CTS Storage Scheme to "Grant-set" fails with stateless refresh-tokens created with "One-To-One"

  • OPENAM-15579: AM cookies are not set after successful SP-initiated SSO flow if SP Adapter calls 'response.sendRedirect(String)'

  • OPENAM-15559: OATH module broken in Japanese locale

  • OPENAM-15533: WS-Federation doesn’t work with Authentication Trees

  • OPENAM-15530: OAuth2/OIDC - Resource Owner Password flow with a public client creates an AM session in CTS

  • OPENAM-15520: XUI Localisation Falls Back To AM-Default "EN" Instead Of Language-Default

  • OPENAM-15508: moduleMessageEnabledInPasswordGrant does not apply to Trees

  • OPENAM-15507: 500 error when calling /revoke or /refresh endpoint with wrong token

  • OPENAM-15501: Xml encryption 1.1 namespaces aren’t always mapped to prefixes correctly

  • OPENAM-15494: AM expects nonce request parameter in authorize request when no id_token will be returned

  • OPENAM-15491: Self service password reset returns 500 Internal Server Error, when new password rejected by datastore password policies.

  • OPENAM-15489: WebAuthN Auth Node Doesn’t Respect UV=Discouraged During AuthN

  • OPENAM-15465: Sending HTTP Callback from Inner Tree Evaluator Fails Authentication

  • OPENAM-15459: When Encrypted Attributes on SP is set only with AutoFederation enabled, the attributes get decryption error

  • OPENAM-15425: OIDC endsession - encrypted id_tokens are not supported

  • OPENAM-15374: OpenID Client authentication with private_key_jwt and client_secret_jwt does not enforce required jti claims

  • OPENAM-15355: PageNode with multiple InputNodes without value throws Unsupported InputOnlyPasswordCallback

  • OPENAM-15349: Access Token request returns a 500 error

  • OPENAM-15345: at_hash value generated does not take the latest modified access token

  • OPENAM-15323: ROPC with tree throws "Internal Server Error (500)" when user credentials are incorrect using AuthTree

  • OPENAM-15307: Trees Example is not working as expected OOTB to ?service=Example

  • OPENAM-15303: Claims with multiple values in issued_token from REST STS represented inconsistently.

  • OPENAM-15244: AM configuration does not perform schema extension for identity store although it has the permissions

  • OPENAM-15210: Authentication nodes that are assigned AuthType values may not work in Session Upgrade case with custom modules

  • OPENAM-15164: CDSSO with "ignore profile" throws "No OpenID Connect provider"

  • OPENAM-15160: LDAP Decision Node throws NPE when custom ldap server returns LDAP code 50 on bind

  • OPENAM-15150: Upgrade fails when there is a bad Token Signing ECDSA public/private key pair alias field

  • OPENAM-15147: HTTP 500 upon accessing openam/json/

  • OPENAM-15145: OpenAM Scope Validator calls getUserInfo twice when creating IdToken

  • OPENAM-15121: Persistent Cookie Auth Tree does not work after the second relogin ( with browser closed )

  • OPENAM-15117: KeyVault KeyStoreType not supported

  • OPENAM-15116: Auth ID jwt can be modified to determine whether a realm exists or not

  • OPENAM-15105: Unable to get trusted devices using REST API

  • OPENAM-15101: Remove the ability to disable XUI

  • OPENAM-15089: SAML SLO - Allow RelayState to be a path-relative URL

  • OPENAM-15076: webAuthn config does not allow for multiple origins under the same rpId

  • OPENAM-15044: OpenID connect id_token bearer Module Unable to obtain SSO Token due to OpenIDResolver Caching

  • OPENAM-15036: Cannot view/manage SAML IdP entity in console, imported from schema compliant meta data file

  • OPENAM-15028: Cannot load metadata in ssoadm without extended metadata

  • OPENAM-15012: OIDC - JWT Request Parameter returns errors in query, not in the fragment

  • OPENAM-14995: IdP Initiated single logout only performs local logout if IdP session cannot be found in cache

  • OPENAM-14991: Changes to boot.json are overwritten

  • OPENAM-14979: NPE in UtilProxySAMLAuthenticatorLookup if there is a failure to find cached oldSession in sessionUpgrade

  • OPENAM-14977: PKCE Code challenge method for Authorization Code if not set should use plain

  • OPENAM-14966: Performing access_token with arbitrary text as trusted cert header causes server error

  • OPENAM-14919: Unnecessary 'Unable to parse packet received from RADIUS client' log entries in log file

  • OPENAM-14901: XUI - SAML2 module doesn’t redirect to IDP if it’s 2nd in the chain

  • OPENAM-14895: user identity creation fails with "Identity *" of type user not found.

  • OPENAM-14893: XUI displays multiple error messages when an authentication session times out

  • OPENAM-14889: Upgrade of Persistent Cookie auth module fails

  • OPENAM-14883: OAuth2/OIDC - Issuing client secret to Public clients during registration

  • OPENAM-14881: AM Proxied authorization feature on DataStore does not work with locked or expired DJ accounts for password change (gives errorcode=123)

  • OPENAM-14867: AuthType is not set for Authentication Tree (AnyKnownUserAuthzModule fails in AuthTree)

  • OPENAM-14859: ROPC throws "Internal Server Error (500)" when 'Password Grant authentication service' is empty

  • OPENAM-14858: When NameIDPolicy does not contain Format=.., remoteEntityID is passed as null

  • OPENAM-14848: Insufficient debug logging in OpenID Connect authentication module

  • OPENAM-14845: user info endpoint does not correctly handle Certificate Bound Access Tokens

  • OPENAM-14829: AuthSchemeCondition doesn’t return realm aware policy condition advice

  • OPENAM-14825: OAuth2 Dynamic Registration with Software Statement triggers objectClass=* search

  • OPENAM-14804: Memory leak when running UMA RPT soak test

  • OPENAM-14799: Unable to update Agent profile using REST

  • OPENAM-14794: User privileges are removed from group if another group is given same privilege

  • OPENAM-14786: idpSingleLogoutPOST throws error 500 IllegalStateException on SLO

  • OPENAM-14783: PKCS11 KeyStore does not work on IBM JVM

  • OPENAM-14782: AuthTree created Session does not use per User Session Service settings

  • OPENAM-14766: introspect and tokeninfo endpoints return Internal Server Error 500 for some invalid tokens

  • OPENAM-14717: mailto attribute has a space between ':' and mail address

  • OPENAM-14694: Consent page still shows claim values even when supported claim description is omitted

  • OPENAM-14651: OAuth2 GrantSet E-Tag Assertion Failures due to Stale Reads

  • OPENAM-14581: handling ManageNameID fails if NameID does not include SPNameQualifier

  • OPENAM-14578: WDSSO failing but no fallback…

  • OPENAM-14573: amlbcookie is not secure when authenticating with trees

  • OPENAM-14572: prompt=login destroys and creates new session

  • OPENAM-14570: OAuth mTLS DN comparison fails when DER-encoding is different

  • OPENAM-14548: consent page still shows what’s been granted/removed as a result of OAuth2 scope policy evaluation

  • OPENAM-14546: SSOADM access not audited to the ssoadm.access logs anymore

  • OPENAM-14539: SAML SLO with multi protocols

  • OPENAM-14529: UMA RPT expiry time incorrect in CTS

  • OPENAM-14523: NullPointerException in IdP-initiated ManageNameIDRequest using SOAP Binding

  • OPENAM-14503: SAML2 - Key Transport Algorithm - RSA OAEP must be supported

  • OPENAM-14483: If there is no token, then landing on the AM login page will result in 2 getSessionInfo Requests = 401 UnAuthZ

  • OPENAM-14480: AuthLoginException is lost

  • OPENAM-14471: Failed to create root realm for data store (External Policy | Application)

  • OPENAM-14465: SAML2 Artifact binding fails on multi-instance / multiserver IDP setup with SAML2 Failover on

  • OPENAM-14464: XUI sends the following message "Loading custom partial "${partialPath}" failed. Falling back to default." to the browser console when a custom theme is used

  • OPENAM-14450: userinfo typo in Claims.java

  • OPENAM-14426: Unable to add external data store in AM (Policy | Application) when using TLS/SSL

  • OPENAM-14419: Policy evaluation returns search results for all policies that match outside of specified application

  • OPENAM-14393: CTS Operation Fails: Entry Already Exists logged when SAML2 Authentication is done

  • OPENAM-14391: Self Service Link not Displayed when Using Authentication Tree

  • OPENAM-14378: 'Set Persistent Cookie' node sets domain cookies in only one domain despite multiple Cookie Domains set

  • OPENAM-14369: Upgrading from OpenAM 13.5.0 with custom PAPs causes NPE failure

  • OPENAM-14362: UMA load test fails with Invalid resource type error

  • OPENAM-14353: Error Message not Displayed when Change Password does not Meet Password Policy

  • OPENAM-14337: Fail gracefully when request OIDC token using "Pairwise" Subject Type and no Redirection URI is configured in client

  • OPENAM-14313: Audit Logging - STS transformations create duplicate entries

  • OPENAM-14310: CheckSession page indicates the session is not valid

  • OPENAM-14294: am-external Git repository 6.5 has bad source

  • OPENAM-14281: IdP Proxy relays wrong AuthnContextClassRef

  • OPENAM-14239: FMSigProvider.verify NPE with null input for certificates

  • OPENAM-14233: updated_at claim in the ID Token is returned as a string and not a number

  • OPENAM-14232: Performance issue when creating resource_set in UMA with many existing resource_set

  • OPENAM-14229: custom AuthorizeTemplate under theme not used

  • OPENAM-14213: Cannot view SAML SP entity imported with missing AuthnRequestsSigned attribute

  • OPENAM-14212: SAML redirect to login page fails if AM installed into the root context

  • OPENAM-14200: Social auth modules do not work when AM is installed into the root context

  • OPENAM-14189: effectiveRange of Time environment has an issue

  • OPENAM-14175: CTS updates on multivalue attributes may throw Duplicate values exception

  • OPENAM-14174: AM shows Ldapter.delete exception when session expiry is triggered

  • OPENAM-14167: HTML tags are shown as part of the messages in Change Password section of AD Authentication module.

  • OPENAM-14147: arg=newsession in XUI just shows the "Loading…" page

  • OPENAM-14115: Sample Auth module does not work in a chain when used with Shared-state

  • OPENAM-14112: Using client-based sessions when acting as SP can lead to an out-of-date client-based session cookie

  • OPENAM-14111: Refresh Token flow not enabled on OAuth2 Client can still use Refresh Token flow

  • OPENAM-14062: Redirect to Failure URL does not occur when authentication tree is not interactive

  • OPENAM-14054: XUI Custom templates and Partials not applied consistently

  • OPENAM-14053: Cannot build AM UI in Windows for Yarn using mvn

  • OPENAM-14040: LdifUtils debug logging prints out wrong classname

  • OPENAM-14018: Radius Authentication Module Primary and Secondary Radius Server help button shows server:port when it should be server

  • OPENAM-13999: Custom node containing ConfirmationCallbacks fails when dropped in a page node.

  • OPENAM-13991: 'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm

  • OPENAM-13978: Session Upgrade - AuthLevel format changes

  • OPENAM-13942: SAML2 Circle of Trust - REST Update doesn’t update the metadata of the provider

  • OPENAM-13934: saml2error.jsp fails with exception when malformed SAML2 response given

  • OPENAM-13900: OAuth2 Device flow - duplicate user_code error after authenticating user

  • OPENAM-13892: Erroneous "Response’s InResponseTo attribute is not valid error "SAML2 failover is enabled" when it is not

  • OPENAM-13890: Install.log logs AMLDAPUSERPASSWD for unprivileged demo user in plaintext

  • OPENAM-13851: Rest STS cannot be created in the Console when upgrading to 6

  • OPENAM-13831: RP-Initiated Logout does not handle state parameter

  • OPENAM-13779: Session API - _action=refresh requires an admin token

  • OPENAM-13764: Monitoring logs in ERROR for "Agent.configAgentsOnly:agent type = OAuth2Client"

  • OPENAM-13720: Public API method LDAPUtils.convertToLDAPURLs can not handle IPv6 literals

  • OPENAM-13490: Software Publisher Agent - Secret is not saved when creating an Agent

  • OPENAM-13465: Dynamic client registration sets wrong subjectType

  • OPENAM-13446: Social Auth Service doesn’t redirect if already using another chain

  • OPENAM-13419: LDAPPolicyFilterCondition doesn’t set request timeout

  • OPENAM-13324: /users/{user}/devices/trusted REST queryFilter expression does not work and acts as "true"

  • OPENAM-13064: OAuth2 - SAML v.2.0 Bearer Assertion Grant - SubjectConfirmationData element should be optional

  • OPENAM-13000: Custom authentication module with a single ChoiceCallback value is processed without confirmation

  • OPENAM-12955: Resource Owner Password Credentials Grant does not work with trees

  • OPENAM-12759: max_age should be a number, not a string

  • OPENAM-12574: SAML2Utils.sendRequestToOrigServer throws NullPointerException on processing Cookies

  • OPENAM-12498: Authorization Grant response returns scope(s) in the URL

  • OPENAM-12228: WebAgent REST API queryFilter expression does not work and acts as "true"

  • OPENAM-12186: Introspect endpoint for RPT does not check the authorization scheme

  • OPENAM-11921: Incorrect NameId Format offered for SAML2 auth module in console

  • OPENAM-11863: CORSFilter position in web.xml should come before most filters

  • OPENAM-11778: Getting accessToken using authorization_code results in Unhandled exception

  • OPENAM-11338: OpenID Connect id_token bearer auth module mixes up aud, azp during verification

  • OPENAM-10869: SAML2 Authentication module returns ambiguous "Unable to link local user to remote user" message.

  • OPENAM-10843: When generating an OIDC token through STS a "kid" value is not specified

  • OPENAM-10127: SessionMonitoringStore should only be instantiated when monitoring is enabled

  • OPENAM-9931: Global Session Service - two fields with the exact same name (Redundant 'Global Attributes' setting should be removed)

  • OPENAM-9777: Json Web Key URI in OAuth2 OpenID connect client config pre-populated incorrectly

  • OPENAM-9459: 500 Internal Server Error from changePassword endpoint with AD repo

  • OPENAM-5867: Data Store LDAP server (admin-ordered) list is reordered by OpenAM

Fixes in AM 7.2.x

This page lists the cumulative fixes in AM 7.2.x releases:

AM 7.2.2

  • OPENAM-22380: LDAP Decision node adding wrong username causing incorrect log messages

  • OPENAM-22289: Correctly check failure to save read session causing session quota failure

  • OPENAM-22017: ConfigProviderNode creates node class dynamically leading to native memory leak

  • OPENAM-21976: Single point of locking contention when doing client-based session logout

  • OPENAM-21972: SAML artifact binding fails in load-balanced deployment

  • OPENAM-21941: Unable to edit policies in the UI

  • OPENAM-21937: Quota enforcement affecting agent sessions that authenticate by tree

  • OPENAM-21728: Certificate module fails using JDK 11.0.21 and later with undefined access to private method

  • OPENAM-21484: Introspecting OAuth 2.0 refresh tokens results in different claim value types in the response

  • OPENAM-21473: Certificate collector node: getPortalStyleCert throws exception when cert/header not present

  • OPENAM-21390: ConsumedStateDataCache can cache an incomplete set of reachability data when on multi-AM environment

  • OPENAM-21304: OAuth 2.0 dynamic client registrations don’t retain request_uri values when creating

  • OPENAM-21160: Ensure secure state values are retained when navigating the authentication tree

  • OPENAM-21010: Social authentication user profile corrupted when remote OIDC server provides non-English identity claims

  • OPENAM-21004: AM will always look for valid session when scope=openid

  • OPENAM-21002: CTS task queue full and SeriesTaskExecutorThread can get stuck waiting

  • OPENAM-20897: Issue with logging unsupported callbacks

  • OPENAM-20783: OAuth 2.0 authorization code flow throws an error when content-type isn’t x-www-form-urlencoded and body isn’t JSON

  • OPENAM-20756: Social authentication request for Apple fails due to duplicated response_mode=form_post request parameter

  • OPENAM-20682: Unable to encrypt from jwk_uri where there are multiple JWKs with the same kid but different algorithms

  • OPENAM-20396: Authentication tree is selected by order of acr to tree mapping, not the default values, and order is not preserved

  • OPENAM-20104: The fragment response_mode for the /oauth2/authorize endpoint is not working

  • OPENAM-20026: Social IDP with trailing whitespace in the name can’t be deleted using the UI

  • OPENAM-19999: ID token as AM session doesn’t work with /authorize when openid scope is requested

  • OPENAM-19282: Recovery Code Display node works only immediately after Registration node

  • OPENAM-19261: Fix incorrectly logged errors when introspecting tokens using OAuth 2.0 client credentials grant

  • OPENAM-18599: Allow for custom error message if user account is locked

  • OPENAM-17816: 500 internal server error (from NPE) returned for a missing Content-Type header

AM 7.2.1

  • OPENAM-20360: Ampersand is double encoded in the Destination of a SAML Assertion

  • OPENAM-20318: Accessing AM end user login page for PlatformLogin journey in platform environment shows non-rendered HTML

  • OPENAM-20260: Unable to log into AM when external application store is down

  • OPENAM-20230: Class allowlisting fails with permission denied after an extended period

  • OPENAM-20181: AD account notification fails

  • OPENAM-20082: Locked out users are shown a misleading error message

  • OPENAM-20031: Access token modification can no longer access refresh token reference

  • OPENAM-19884: AM returns 500 error when ; is used in the access token header

  • OPENAM-19684: Error EntitlementService.getSubjectAttributesCollectorConfiguration logged on initial agent access

  • OPENAM-19537: UserSelfCheckCondition.getConditionDecision logs WARN too often when nothing is wrong

  • OPENAM-19515: Unable to update session service with read-only identity store

  • OPENAM-19506: Installer fails after pressing "cancel" button at amadmin password page

  • OPENAM-19455: Adding Authentication Context without Level value results in uneditable entity

  • OPENAM-18818: Persistent search error message shows wrong DS identifier

  • OPENAM-18172: Multiple instances of "No Social Authentication Service found for realm" logged at WARNING level

  • OPENAM-17215: Policy debug log fills up at very high pace if the config store is not found

  • OPENAM-16241: Switching CTS Storage Scheme with stateful refresh-tokens from 1-1 to grantset

  • OPENAM-12101: Connection pool not restarted if LDAP authentication module admin bind password is incorrect

AM 7.2

  • OPENAM-19427: KBA questions are not falling back to the default language when French is present in the restart password flow

  • OPENAM-19384: Suspended Authentication Resume URI is resolved with a missing /

  • OPENAM-19381: Timer Stop Node’s stop recording does not capture the reference start time of the Timer Start Node

  • OPENAM-19380: Social Google node does not work if placed after an input collector in a tree

  • OPENAM-19359: Social authentication not working on Subrealms

  • OPENAM-19297: OIDC MayAct claims script fails to access clientProperties and causes Java security exception

  • OPENAM-19290: In a cluster, changing AM debug level on local AM2 to remote AM1 does not take effect until the remote AM1 is restarted

  • OPENAM-19281: OIDC dynamic client registration cannot take \n in the client_description

  • OPENAM-19266: Cannot add Page Headers or Page Descriptions to page nodes in tree editor

  • OPENAM-19220: WebAuthN/Fido - Cannot authenticate with recovery codes on Windows

  • OPENAM-19208: Webhook with an empty url field throws NPE during a webhook session upgrade

  • OPENAM-19196: JavaScript origins in the OAuth2 Client need a restart to apply the changes

  • OPENAM-19190: LDAPAuthUtils for BASE_OBJECT does not work with special userId characters

  • OPENAM-19162: REST API definition inaccurate for endpoint /realm-config/saml

  • OPENAM-19123: AM validates duplicate registration tokens

  • OPENAM-19122: AM’s jwks_uri endpoint should preserve order of keys within the set

  • OPENAM-19108: "Agent" auth tree creates tokens with insufficient permissions

  • OPENAM-19086: rest-sts endpoint is not included when CORS is enabled

  • OPENAM-19083: Creating a client-based access and refresh token breaks subsequent use of Session Quotas

  • OPENAM-19042: When using Apple SSO, the Social Identity Provider Handler node ignores the user info returned

  • OPENAM-18996: Issues with trees and navigating quickly between Social Login providers

  • OPENAM-18990: Non-compliant OAuth 2.0 error response generated

  • OPENAM-18953: Insufficient logging when OAuth 2.0 token request fails due to invalid client secret

  • OPENAM-18952: KBA questions are not falling back to the default language when French is present

  • OPENAM-18928: Client credential OAuth 2.0 request results in searches for OAuth 2.0 client against the Identity Store

  • OPENAM-18921: Double slashes in oauth 2.0 claim names are handled incorrectly

  • OPENAM-18891: JWT Profile Oauth 2.0 grant returns invalid_grant

  • OPENAM-18883: Inconsistent error response from Client authentication using private_key_jwt

  • OPENAM-18877: Creating SAML providers with entity ids containing the plus (+) symbol results in errors listing and creating new providers

  • OPENAM-18864: Upgrade Radius Server Client Secrets fails due to service config cache cleared

  • OPENAM-18833: Client authentication using private_key_jwt will cause 500 if claims value is null

  • OPENAM-18775: LdapDecisionNode throws NullPointerException on shared IDM Repository DataStore when Password change policy triggered

  • OPENAM-18756: Entering correct OTP after an incorrect OTP fails authentication

  • OPENAM-18754: User profile success URL ignored when authenticating with trees

  • OPENAM-18753: Upgrading AM Radius server with clients causes Radius auth failures

  • OPENAM-18705: Problem with Page Node using node relying on secureState

  • OPENAM-18701: DN cache doesn’t get deleted in some cases

  • OPENAM-18684: Redirect to authorize endpoint fails for 2nd OIDC App for Federated Users with multiple OIDC Clients

  • OPENAM-18679: OATH Registration node doesn’t work when placed inside a Page node

  • OPENAM-18663: AM should check new realm with rest end-point names by ignoring case

  • OPENAM-18661: Two or more OAuth2 clients with duplicate origins causes CORS filter to be aborted

  • OPENAM-18655: Deleting OAuth2 Client provides unneeded Notification error message in IdRepo

  • OPENAM-18644: IdRepo cache can not be disabled anymore

  • OPENAM-18640: REST-STS uses the old path to reach the users endpoint

  • OPENAM-18623: Issue with jwk_uri endpoint called in parallel

  • OPENAM-18610: RealmOAuth2ProviderSettings for getJwks permits an empty set

  • OPENAM-18605: Proxy authentication required error when connecting to a target host over https via a proxy that requires authentication

  • OPENAM-18586: No debug message when AM can’t read the encrypted_base64 folder after upgrade

  • OPENAM-18573: URLPatternMatcher or RedirectURLValidator fails when query string contains "%20"

  • OPENAM-18547: Unable to load PlatformRegistration when Using Stateless Access Token with BaseURL

  • OPENAM-18533: Distinguish between standard OIDC and JAR OIDC request parameters

  • OPENAM-18524: Client assertion JWT generated for private_key_jwt OAuth 2.0 client authentication does not provide a "kid" header - can be rejected by external OAuth 2.0 providers

  • OPENAM-18523: NullPointerException when Web Agent group is changed

  • OPENAM-18487: Trust anchor check fails with Yubikey

  • OPENAM-18460: max_age parameter is overwritten

  • OPENAM-18459: IdTokenInfo endpoint behavior has changed and fails when using client_id in POST

  • OPENAM-18457: OIDC authentication nodes do not work in sub-realm when response_mode=form_post is requested from OP

  • OPENAM-18443: Transactional authentication is disabled on new installs

  • OPENAM-18436: UMA pending requests are stored differently depending on sub claim uniqueness mode

  • OPENAM-18434: Authorization Code flow redirects to malformed uri if redirect_uri contains underscore

  • OPENAM-18432: Remove the internal idm-delegation grant type from the well known info

  • OPENAM-18422: Email Template node creates threads without terminating them

  • OPENAM-18389: HttpClientHandler Guice injection in tree is typically broken with thread pool growth

  • OPENAM-18384: Email Suspend Node clears the secure state

  • OPENAM-18377: Authorization fails using auth module if user has authenticated with alias name

  • OPENAM-18359: Choice Collector Node not present following upgrade

  • OPENAM-18321: CertificateCollectorNode fails when checking cert in LDAP Directory Server

  • OPENAM-18306: OAuth 2.0 Authorization Code Grant Fails when including scope parameter at access_token endpoint

  • OPENAM-18297: Outbound calls to jwk_uri endpoint do not support proxy settings

  • OPENAM-18268: webauthnDeviceProfiles is not multi-valued for AD

  • OPENAM-18256: JWK Cache timeout is not set for OAuth 2.0 clients created dynamically

  • OPENAM-18252: Allow nodes to update the universal ID for use cases like impersonation and peer authentication

  • OPENAM-18235: IdPAdapter does not have access to IDPCache in preSendResponse hook when there is an existing session

  • OPENAM-18227: Upgrade from 6.0.x / 6.5.x fails with Unsupported node type PersistentCookieDecisionNode

  • OPENAM-18212: Check for user/agent profile condition during login can be refined further

  • OPENAM-18207: Global Service cache is not updated by changes from other servers in a site

  • OPENAM-18205: Excessive logging occurs when agent profile is not found

  • OPENAM-18180: No TransactionId present for AuthTreeExecutor

  • OPENAM-18171: Back-Channel logout keeps adding to trackingIds audit for every logout

  • OPENAM-18167: OIDC requests with request parameter fail with 500 error when there is no session using POST

  • OPENAM-18153: OpenIdConnect node call to well-known endpoint does not support proxy settings

  • OPENAM-18149: Wrong log file is used for SAML2 extensions log message

  • OPENAM-18141: AM no longer uses global SAML configuration

  • OPENAM-18140: AM Error "Trying to redefine version 0.0 for path" thrown on AM startup with forgeops

  • OPENAM-18132: Failed to get the distinct userIdAttributes for configured identity stores in realm

  • OPENAM-18121: Complex authentication trees load slowly

  • OPENAM-18120: Audit logging service does not correctly reflect the "prompt" URL parameter

  • OPENAM-18119: Audit log no longer shows the userID of session being invalidated by amAdmin

  • OPENAM-18118: OAuth 2.0 - AM does not implement 'device authorization grant' as specified in RFC 8628

  • OPENAM-18112: Misleading error message when LDAP auth node connects to a TLS-enabled server

  • OPENAM-18090: Creation of UMA Policy to share a resource fails when identities have custom attributes

  • OPENAM-18085: SocialProviderHandlerNode does not work in an upgraded AM

  • OPENAM-18068: Upgrade from the AM 6.5.3 to 7.1.0 does not work, if Java Agent profile exists

  • OPENAM-18065: Logback.jsp cannot be used to set log levels for loggers in custom code

  • OPENAM-18062: SPACSUtils withholds exception and does not log error

  • OPENAM-18057: Identities page displays Internal Server Error when a user does not have search attribute defined

  • OPENAM-18043: Device Match module not setting correct AuthLevel

  • OPENAM-18030: Message node shows inconsistent behavior regarding the default locale

  • OPENAM-18017: Creation of UMA Policy to share a resource fails when identities have custom object classes

  • OPENAM-18009: HTTP error code 500 when authenticating with authIndexType service without authIndexValue

  • OPENAM-18006: Persistent search for identity store does not recover

  • OPENAM-18003: WS-Federation Active Requestor Profile does not work with Authentication Trees

  • OPENAM-17993: org.forgerock.openam.auth.nodes.webauthn.trustanchor.TrustAnchorValidator is missing a @Nullable annotation

  • OPENAM-17979: Backchannel authentication auth_req_id can be used to obtain multiple access tokens

  • OPENAM-17973: Retrieving auth code in a realm fails if session for another realm exists

  • OPENAM-17962: LDAP Decision Node does not put updated password in transient state

  • OPENAM-17954: Accept-Language header locale ignored on OAuth 2.0 Consent page

  • OPENAM-17935: Missing return statement in the happy flow of the kerberos node

  • OPENAM-17923: Retry Limit Decision should not involve user when Save Retry Limit to User is disabled

  • OPENAM-17916: When no session exists logout page redirects to login

  • OPENAM-17912: Account lockout count is not reset correctly

  • OPENAM-17904: JSON Audit Log Location not working when modifying location to only include %SERVER_URI% variable

  • OPENAM-17896: ForgottenPassword Reset on multiple clusters not working when reset link is clicked

  • OPENAM-17870: ScriptedDecisionNodes schema config not upgraded and sharedState does not work after upgrade

  • OPENAM-17830: Error messages are logged when the Push Notification Service is absent

  • OPENAM-17828: Apostrophe in username breaks Push/OATH device registration

  • OPENAM-17826: introspect endpoint returns a static value for expires_in when using client-based tokens

  • OPENAM-17814: Auth Tree step-up fails if username case does not match

  • OPENAM-17793: OIDC pairwise subject not working when multiple redirect URIs configured with the same hostname

  • OPENAM-17783: Language tag limited to 5 characters instead of 8

  • OPENAM-17782: Policy evaluation fails with 400 error when user does not exist

  • OPENAM-17760: PEM support incorrectly decodes some EC private keys

  • OPENAM-17718: OAuth 2.0 introspection endpoint does not accept Accept header with extra accept extension param (like weight q=0.8) or charset

  • OPENAM-17689: LDAPv3PersistentSearch should log when psearch connection is lost

  • OPENAM-17688: InMemoryCtsSessionCacheStep#cacheTrusted field should be marked volatile

  • OPENAM-17683: Selfservice user registration auto login fails for a sub-realm

  • OPENAM-17678: Radius server fails to initialize on startup due to Config cache refreshed

  • OPENAM-17677: oauth2/device/code endpoint does not support locale parameter

  • OPENAM-17663: Improve the error response code for "Failed to revoke access token"

  • OPENAM-17610: OTP Email Sender node does not let you specify connect timeout and IO/read timeout for underlying transport

  • OPENAM-17593: Deadlock when admin token is invalid and when config data is cleared

  • OPENAM-17591: Session quota destroy next expiring action can fail when two new sessions attempt to read and update the same expiring session

  • OPENAM-17590: OIDC login hint cookie broken since 7.0

  • OPENAM-17587: OIDC bearer token authentication module requires context value setting for client secret

  • OPENAM-17548: Can’t go back to login page after invoking Social Authentication Nodes

  • OPENAM-17521: Insufficient error logging to track down Multivalued RDNs not supported issue

  • OPENAM-17515: Sub attribute in access token can be in wrong case

  • OPENAM-17493: OAuth 2.0 node does not support external proxy authentication (user/pass)

  • OPENAM-17440: OAuth 2.0 service provider does not error if IAT attribute is mandatory but not issued

  • OPENAM-17426: No validation for attribute collector node

  • OPENAM-17405: Token introspection response not spec compliant

  • OPENAM-17351: AM File based config setup cannot be used with AM recording to dump the config

  • OPENAM-17320: Revisit prompt=login behavior change that keeps existing session

  • OPENAM-17308: Custom IdRepo uninstall realm-config/services/id-repositories?_action=nextdescendents fails

  • OPENAM-17265: Amster updates incorrect authorized_keys file

  • OPENAM-17040: UMA policy creation does not work with shared repo

  • OPENAM-16988: accessedEndpoint including port causes verify Assertion Consumer URL to fail

  • OPENAM-16953: Custom idrepo sample using IdRepoConfig does not work

  • OPENAM-16881: SAML federation library stopped supporting ACS URLs with query parameters

  • OPENAM-16653: Identity using fr-idm-uuid has wrong account ID in FR Authenticator

  • OPENAM-16642: Server id creation can fail when id is greater than 100

  • OPENAM-16490: OWASP ESAPI broken

  • OPENAM-16418: Client auth using private_key_jwt fails with 500 if claim format is wrong

  • OPENAM-16262: Javadocs for IdUtils needs updating

  • OPENAM-16216: Get Session Data node improvements

  • OPENAM-15472: HOTP - text for performed attempts is hard-coded and not localisable

  • OPENAM-15408: oauth2/connect/jwk_uri does not expose keys of the remote consent agent profile

  • OPENAM-15278: "Access Denied" error when accessing logout link and not currently signed in

  • OPENAM-14343: AM console - localisation issue for algorithms in global Common Federation Configuration

  • OPENAM-13855: CTS creates too many connections to DS

  • OPENAM-13312: Stateless non-expiring refresh tokens fail with "invalid_grant"

  • OPENAM-12969: UMA Resource deletion results in a 500 error unless another resource has been created within the same resource set

  • OPENAM-11636: IdP-Proxy - proxyidpfinder.jsp is not triggered when 'Use IDP Finder' is enabled for remote SP entity

AM 7.1.x

AM 7.1.4
  • OPENAM-21004: AM will always look for valid session when scope=openid

  • OPENAM-21002: CTS task queue full and SeriesTaskExecutorThread can get stuck waiting

  • OPENAM-20897: Issue with logging unsupported callbacks

  • OPENAM-20691: Destroy oldest session may fail to work

  • OPENAM-20396: Authentication trees are selected in order of ACR - tree mapping (not in the default order) and order is not preserved

  • OPENAM-20318: Accessing AM End user login page for PlatformLogin journey in platform environment shows non-rendered HTML

  • OPENAM-20260: Unable to log into AM when external application store is down

  • OPENAM-20230: Class whitelisting fails with permission denied after an extended period

  • OPENAM-20181: AD account notification fails

  • OPENAM-20085: STS token generation does not work with clustered docker pods

  • OPENAM-20082: Locked out users are shown a misleading error message

  • OPENAM-19954: SAML hosted entity uses algorithm set in common federation configuration instead of algorithm set in hosted entity configuration

  • OPENAM-19362: AM to DS certificate log message logged at warning instead of error or critical

  • OPENAM-18818: Persistent search error message shows wrong DS identifier

  • OPENAM-18629: RestSTS should validate sessions with a local call and use asynchronous HTTP calls for remote calls

  • OPENAM-18488: Windows Hello with TPM/platform authenticator returns two certificates

  • OPENAM-17591: Session quota action destroy next expiring token can fail when two new sessions attempt to read and update the same expiring session

  • OPENAM-17215: Policy debug log fills up at very high pace if the config store is not found

  • OPENAM-13766: No configuration found for login with SessionConditionAdvice=deny

AM 7.1.3
  • OPENAM-19884: AM returns 500 when ; used in access token header

  • OPENAM-19865: Memory Leak due to samlResponseDataHash not being cleaned up

  • OPENAM-19649: ID token not linked to session when authorising with sso token

  • OPENAM-19613: PSearch is already removed error message should be warning

  • OPENAM-19537: UserSelfCheckCondition.getConditionDecision logging WARN too much when nothing wrong

  • OPENAM-19530: Upgrade fails when Organization schema defaults are missing for service 'sunFAMSAML2Configuration'

  • OPENAM-19515: Unable to update session service with read only identity store

  • OPENAM-19512: Faulty Legacy OAuth 2.0 frrest/oauth2 endpoints

  • OPENAM-19506: Installer fails after pressing "cancel" button at amadmin password page

  • OPENAM-19455: Adding Authentication Context without Level value results in uneditable entity

  • OPENAM-19427: Display security questions in the correct default language

  • OPENAM-19384: Suspended Authentication Resume URI is resolved with a missing '/'

  • OPENAM-19381: Timer Stop Node’s stop recording does not capture the reference start time of the Timer Start Node

  • OPENAM-19297: OIDC MayAct claims script fails to access clientProperties and causes Java security exception

  • OPENAM-19290: In a cluster, changing AM debug level on local (AM2) to remote (AM1) does not have effect until restart of AM1

  • OPENAM-19281: OIDC dynamic client registration cannot handle "\n" in the client_description

  • OPENAM-19220: WebAuthN/Fido - cannot authenticate with recovery codes on Windows

  • OPENAM-19208: Webhook with an empty url field throws NPE during a webhook session upgrade

  • OPENAM-19190: LDAPAuthUtils for BASE_OBJECT does not work with special userId characters

  • OPENAM-19162: REST API definition inaccurate for endpoint '/realm-config/saml'

  • OPENAM-19123: AM validates duplicate registration tokens

  • OPENAM-19122: AM’s jwks_uri endpoint should preserve order of keys within the set

  • OPENAM-19119: GetAuthenticatorApp Node needs better localization support

  • OPENAM-19112: AM with embedded DJ always runs DJ backup and upgrade

  • OPENAM-19111: Insufficient debug logging to troubleshoot error "Illegal arguments: One or more required arguments is null or empty" when performing user identity subject update via REST API

  • OPENAM-19109: Insufficient debug logging to troubleshoot CORS service

  • OPENAM-19108: "Agent" auth tree creates tokens with insufficient permissions

  • OPENAM-19086: rest-sts endpoint is not included when CORS is enabled

  • OPENAM-19083: Creating a client-based access & refresh token breaks subsequent use of Session Quotas

  • OPENAM-19016: Logback.jsp should show the actual setting of the loggers instead of defaults

  • OPENAM-19011: QR code message used in MFA Authentication node should be customizable / localizable

  • OPENAM-18990: Non-compliant OAuth2 error response generated

  • OPENAM-18952: KBA questions are not falling back to the default language when French is present

  • OPENAM-18891: JWT Profile Oauth2 Grant returns 'invalid_grant'

  • OPENAM-18835: JCEEncryption throws ArrayIndexOutOfBoundException when decrypting empty bytes

  • OPENAM-18834: AM fails to start when upgrading after using am-upgrader

  • OPENAM-18655: Deleting OAuth2 Client causes unnecessary notification error message in IdRepo

  • OPENAM-18478: XUI shows incorrect subjectType following upgrade from AM < 6.5.3

  • OPENAM-18457: OIDC authentication nodes do not work in sub-realm when response_mode=form_post is requested from OP

  • OPENAM-18432: Remove the internal idm-delegation grant type from the well known info

  • OPENAM-18384: Email Suspend Node clears the secure state

  • OPENAM-18268: webauthnDeviceProfiles is not multi-valued for AD

  • OPENAM-18252: Allow nodes to update the universal ID for use cases like impersonation and peer authentication

  • OPENAM-18196: More meaningful error message when Client Secret is not URL-encoded

  • OPENAM-18172: Multiple instances of "No Social Authentication Service found for realm" logged at WARNING level in logs

  • OPENAM-18149: Wrong log file is used for SAML2 extensions log message

  • OPENAM-18132: Failed to get the distinct userIdAttributes for configured identity stores in realm

  • OPENAM-18113: LDAP authentication node : change of connection mode does not recreate the connection pool

  • OPENAM-18112: Misleading error message when LDAP auth node connects to a TLS-enabled server

  • OPENAM-18062: SPACSUtils withholds exception and does not log error

  • OPENAM-17973: Retrieving auth code in a realm fails if session for another realm exists

  • OPENAM-17882: Slow memory leaks when persistent search starts a retry activity when persistent search fails

  • OPENAM-17835: Do not display "Unable to retrieve instance of the ValidationServiceConfig" after IdP-initiated SSO

  • OPENAM-17688: InMemoryCtsSessionCacheStep#cacheTrusted field should be marked volatile

  • OPENAM-17351: AM File based config setup cannot be used with AM recording to dump the config

  • OPENAM-17308: Custom IdRepo uninstall realm-config/services/id-repositories?_action=nextdescendents fails

  • OPENAM-17201: XMLEncryption does not comply with standard when 'rsa-oaep-mgf1p' is being used

  • OPENAM-16953: Custom idrepo sample using IdRepoConfig does not work

  • OPENAM-16878: Scripted Decision Node secrets binding object does not have public API

  • OPENAM-16490: OWASP ESAPI lib is missing some classes

  • OPENAM-16241: Switching CTS Storage Scheme with stateful refresh-tokens from 1-1 to grantset

  • OPENAM-15997: Enhance CookieHelper to perform better cookie detection

  • OPENAM-15472: HOTP - text for performed attempts is hard-coded and not localisable

  • OPENAM-15408: oauth2/connect/jwk_uri does not expose keys of the remote consent agent profile

  • OPENAM-14343: AM console - localisation issue for algorithms in global Common Federation Configuration

  • OPENAM-13766: No configuration found for login with SessionConditionAdvice=deny

  • OPENAM-12992: Misleading error message in XUI console when existing DNS alias is provided

  • OPENAM-12101: Connection pool not restarted if LDAP authentication module admin bind password is incorrect

  • OPENAM-11319: Add localized "description" for JSON response content to OAuth2UserApplications#getResourceResponse

AM 7.1.2
  • OPENAM-18928: Client credential OAuth2 request results in searches for OAuth2 client against Identity Store

  • OPENAM-18921: Double slashes in oauth2 claim name handled incorrectly

  • OPENAM-18883: Inconsistent error response from Client authentication using private_key_jwt

  • OPENAM-18864: Upgrade Radius Server Client Secrets fails due to service config cache cleared

  • OPENAM-18836: No TransactionId on "debug.out" for the AM recording

  • OPENAM-18833: Client authentication using private_key_jwt will cause 500 if claims value is null

  • OPENAM-18780: JwksOAuth2AgentEventListener class not setting the correct default cache miss time value

  • OPENAM-18756: Entering correct otp after entering wrong otp fails authentication

  • OPENAM-18753: Upgrading AM Radius server with clients causes Radius auth failures

  • OPENAM-18711: AES Encryption/Decryption fails when running in Java 17

  • OPENAM-18705: Problem with Page Node using node relying on secureState

  • OPENAM-18684: redirect to /authorize endpoint fails for 2nd OIDC App for Federated Users w/ multi OIDC Clients

  • OPENAM-18679: OATH Registration node doesn’t work when placed inside a 'Page' node

  • OPENAM-18663: AM should check new realm with rest end-point names by ignoring case

  • OPENAM-18661: Two or more OAuth2 clients with duplicate origins causes CORS filter to be aborted

  • OPENAM-18646: Upgrade from AM 7.1.0 to 7.2+ may fail because of upgrading an existing Java agent profile

  • OPENAM-18644: IdRepo cache cannot be disabled anymore

  • OPENAM-18640: REST-STS is using the old path to reach /users endpoint

  • OPENAM-18623: Issue with jwk_uri endpoint called in parallel

  • OPENAM-18610: RealmOAuth2ProviderSettings for getJwks is broken in that it permits an empty set

  • OPENAM-18605: Proxy authentication required error when connecting to a target host over https via a proxy that requires authentication

  • OPENAM-18586: Lack of debugging message when AM is not able to read the encrypted_base64 folder after upgrade

  • OPENAM-18547: Unable to load PlatformRegistration when Using Stateless Access Token with BaseURL

  • OPENAM-18536: Java agent property org.forgerock.agents.session.change.notifications.enabled should be presented in XUI

  • OPENAM-18511: Missing navigation options when an expired link from "Email Suspend" node is used

  • OPENAM-18443: Transactional authentication is disabled on new installs

  • OPENAM-18434: Authorization Code flow redirects to malformed uri if redirect_uri contains underscore

  • OPENAM-18297: Outbound calls to Jwks_URI endpoint do not support proxy settings

  • OPENAM-18256: JWK Cache timeout is not set for OAuth 2.0 clients created dynamically

  • OPENAM-18175: SMSUtils#addAttributesToMap inconsistency with array ordering

  • OPENAM-18141: AM no longer uses global SAML configuration

  • OPENAM-18130: "Agent Configuration Change Notification" uses the same help text in the XUI for Java and Web agents, but the property name is different

  • OPENAM-18120: Audit logging service does not correctly reflect the "prompt" URL parameter

  • OPENAM-18090: Creation of UMA Policy to share a resource fails when identities have custom attributes

  • OPENAM-18030: Message node shows inconsistent behaviour regarding the default locale

  • OPENAM-18005: Insufficient error message to troubleshoot persistent search issue

  • OPENAM-17949: Account lockout applied to tree even when ignore profile selected

  • OPENAM-17904: Json Audit Log Location not working when modifying location to only include %SERVER_URI% variable

  • OPENAM-17833: Internal accepted Audience AUD formed from DNS Alias could be wrong when BaseURL does not have port

  • OPENAM-17830: Error messages are logged when the Push Notification Service is absent

  • OPENAM-17829: External UMA Resource Set using SSL but not StartTLS fails

  • OPENAM-17593: Deadlock when admin token is invalid and when config data is getting cleared

  • OPENAM-17271: Typo for Realm in SAML/Federation debug

  • OPENAM-17102: OAuth2 client bearer authentication has insufficient logs for troubleshooting failing client authentication

AM 7.1.1
  • OPENAM-18604: Formatting issues in Upgrade Report

  • OPENAM-18573: URLPatternMatcher or RedirectURLValidator fails when query string contains "%20"

  • OPENAM-18566: Missing 'org.forgerock.security.oauth2.enforce.sub.claim.uniqueness' after upgrade from 7.1.0

  • OPENAM-18559: Upgrade from 6.5.3 to 7.1.0 fails with UpgradeException - "com.sun.identity.sm.InvalidAttributeValueException: Saved Consent Attribute Name is required."

  • OPENAM-18532: Web Agent property org.forgerock.agents.pdp.javascript.repost has incorrect description in XUI

  • OPENAM-18523: NullPointerException when AgentsRepo with from group is changed

  • OPENAM-18459: IdTokenInfo endpoint behaviours change from 6.x and fails when using client_id in POST

  • OPENAM-18422: Email Template node creates threads without terminating them

  • OPENAM-18421: In Platform environment, using a Email Template node creates new thread that does not terminate

  • OPENAM-18389: HttpClientHandler Guice injection in tree is typically broken with thread pool growth

  • OPENAM-18377: Authorization fails using auth module if user has authenticated with alias name

  • OPENAM-18366: Upgrade Report contains unformatted line feeds "%LF%"

  • OPENAM-18359: Choice Collector Node appears to not be present following upgrade

  • OPENAM-18321: CertificateCollectorNode fails when checking cert in LDAP Directory Server

  • OPENAM-18319: Realm is added more than once when session upgrade happens more than once with modules

  • OPENAM-18316: Typo in oauth2 template (templates/touch/authorize.ftl)

  • OPENAM-18306: OAuth2 Authorization Code Grant Fails when including scope parameter at access_token endpoint

  • OPENAM-18258: Failed to load configuration for OAuth2Provider observed after upgrade

  • OPENAM-18241: Permit OAuth2 Modification Script to return scopes as a space-delimited string

  • OPENAM-18235: IdPAdapter does not have access to IDPCache in preSendResponse hook when there is an existing session

  • OPENAM-18227: Upgrade from 6.0.x / 6.5.x can fail at Unsupported node type PersistentCookieDecisionNode

  • OPENAM-18212: Check for user/agent profile condition during login can be refined further

  • OPENAM-18207: Global Service cache is not updated by changes from other servers in a site

  • OPENAM-18205: Excessive logging occurs when agent profile is not found

  • OPENAM-18180: No TransactionId present for AuthTreeExecutor

  • OPENAM-18171: Back-Channel logout keeps adding to trackingIds audit for every logout

  • OPENAM-18167: OIDC requests with request parameter fail with 500 error when there is no session using POST

  • OPENAM-18154: Wrong AMR returned with prompt=login and force authn setting enabled

  • OPENAM-18153: OpenIdConnect node call to well-known endpoint does not support proxy settings

  • OPENAM-18140: AM Error "Trying to redefine version 0.0 for path" thrown on AM startup with forgeops

  • OPENAM-18121: Slow loading in Authentication Tree

  • OPENAM-18119: Audit log no longer shows the userID of session being invalidated by amadmin

  • OPENAM-18090: Creation of UMA Policy to share a resource fails when identities have custom attributes

  • OPENAM-18085: SocialProviderHandlerNode does not work in an upgraded AM

  • OPENAM-18068: Upgrade from AM 6.5.3 to 7.1.0 does not work if a Java Agent profile exists

  • OPENAM-18065: Logback.jsp cannot be used to set log levels for loggers in custom code

  • OPENAM-18057: Identities page displays Internal Server Error when a user does not have search attribute defined

  • OPENAM-18043: Device Match module not setting correct AuthLevel

  • OPENAM-18017: Creation of UMA Policy to share a resource fails when identities have custom object classes

  • OPENAM-18009: AM returns HTTP error code 500 when authenticating with authIndexType service without authIndexValue

  • OPENAM-18006: Persistent search for identity store does not recover

  • OPENAM-18003: WS-Federation Active Requestor Profile does not work with Authentication Trees

  • OPENAM-17993: The org.forgerock.openam.auth.nodes.webauthn.trustanchor.TrustAnchorValidator is missing a @Nullable annotation

  • OPENAM-17979: Backchannel authentication - auth_req_id can be used to obtain multiple access tokens

  • OPENAM-17962: LDAP Decision Node does not put updated password in transient state

  • OPENAM-17954: Accept-Language header locale ignored on OAuth2 Consent page

  • OPENAM-17935: Missing 'return' statement in the happy flow of the kerberos node

  • OPENAM-17923: Retry Limit Decision Should Not Have User Involvement when Save Retry Limit to User is Disabled

  • OPENAM-17916: When no session exists logout page redirects to login

  • OPENAM-17912: Account lockout count is not reset correctly

  • OPENAM-17896: ForgottenPassword Reset on multiple clusters not working when reset link is clicked

  • OPENAM-17870: ScriptedDecisionNodes schema config not upgraded and sharedState does not work after upgrade

  • OPENAM-17863: Authorization code is not issued when nonce is not supplied when using OpenID Hybrid profile

  • OPENAM-17828: Apostrophe in username breaks Push/OATH device registration

  • OPENAM-17826: Introspect endpoint returns a static value for "expires_in" when using client based tokens

  • OPENAM-17814: Auth Tree step-up fails if username case does not match

  • OPENAM-17801: OIDC userinfo subname claim returns incorrect value

  • OPENAM-17793: OIDC pairwise subject not working when multiple redirect URIs configured with the same hostname

  • OPENAM-17782: Policy evaluation fails with 400 error when user does not exist

  • OPENAM-17774: Missing exp claim throws NullPointerException on CIBA bc-authorize endpoint

  • OPENAM-17773: The acr_values parameter is mandatory on CIBA bc-authorize endpoint

  • OPENAM-17760: PEM support incorrectly decodes some EC private keys

  • OPENAM-17738: Java Agent "Client IP Validation Mode" property does not work when key is empty from XUI

  • OPENAM-17718: OAuth2 Introspection endpoint does not accept Accept header with extra accept extension param (like weight q=0.8) or charset

  • OPENAM-17678: Radius server fails to initialize on startup due to Config cache refreshed

  • OPENAM-17677: The oauth2/device/code endpoint does not support locale parameter

  • OPENAM-17663: Improve the error response code for "Failed to revoke access token"

  • OPENAM-17630: JMS Audit logging broken and cannot start up

  • OPENAM-17610: OTP Email Sender node does not allow specifying connect timeout and IO/read timeout for underlying transport

  • OPENAM-17590: OIDC login hint cookie broken since 7.0

  • OPENAM-17587: OIDC bearer token authentication module requires context value setting for client secret

  • OPENAM-17493: OAuth2 node does not support external proxy authentication (user/pass)

  • OPENAM-17405: Token introspection response not spec compliant

  • OPENAM-17320: Revisit prompt=login behaviour change that keeps existing session

  • OPENAM-17265: Wrong authorized_keys file updated

  • OPENAM-17262: Subname claim inconsistencies

  • OPENAM-16988: The accessedEndpoint including port causes verify Assertion Consumer URL to fail

  • OPENAM-16881: SAML federation library stopped supporting ACS URLs with query parameters

  • OPENAM-16653: Identity using fr-idm-uuid has wrong account ID in FR Authenticator

  • OPENAM-16642: Server id creation can fail when id is greater than 100

  • OPENAM-16554: Misplaced bufferingEnabled checkbox in New Syslog configuration

  • OPENAM-16491: SAML Update introduces javascript calls that aren’t available in IE8 and below (or IE11 using Enterprise mode)

  • OPENAM-16418: Client auth using private_key_jwt fails with 500 if claim format is wrong

  • OPENAM-16216: Get Session Data node improvements

  • OPENAM-15861: NullPointerException in CollectionHelper.getServerMapAttrs

  • OPENAM-15740: Document _fields is case sensitive

  • OPENAM-15278: "Access Denied" error when accessing logout link and not currently signed in

  • OPENAM-13855: CTS creates too many connections to DS

  • OPENAM-13312: Stateless non-expiring refresh tokens fail with "invalid_grant"

  • OPENAM-11636: IdP-Proxy - proxyidpfinder.jsp is not triggered when 'Use IDP Finder' is enabled for remote SP entity

AM 7.1
  • OPENAM-17396: Terms of Service URI Link does not Display in Consent Page

  • OPENAM-17395: SocialOpenIdConnectNode fails to recover from client’s connection reset

  • OPENAM-17365: Checking agent type with caller token can cause deadlock

  • OPENAM-17364: Prompt login / session upgrade / OIDC ACR looping with trees

  • OPENAM-17361: API Explorer Swagger Template body needs to be modified to include configExport, debugLogs and threadDump as per the API Documentation

  • OPENAM-17357: Remote Consent Service RCS does follow RCS consented scope when authorization endpoint accessed without any scope

  • OPENAM-17353: HTML pages are not picked up when placing in a theme folder

  • OPENAM-17349: OIDC Refresh token - Ops token is deleted from the CTS during refresh

  • OPENAM-17343: Access token call returns 500 error if password needs to be changed or has expired

  • OPENAM-17322: SAML2 bearer grant returns NoUserExistsException

  • OPENAM-17317: A realm without any modules can cause increased thread count and slow response

  • OPENAM-17276: AM recorder does not record anymore

  • OPENAM-17271: Typo for Realm in SAML/Federation debug

  • OPENAM-17260: Allow arg=newsession usage in authorize calls

  • OPENAM-17242: OAuth2 Policy - Environment Condition AuthLevel >= doesn’t work for ROPC grant

  • OPENAM-17220: OAuthLogout.jsp compilation error isGotoUrlValid method signature not found

  • OPENAM-17199: Insufficient debug logging for 'DJLDAPv3Repo.getAssignedServices'

  • OPENAM-17156: Adaptive Risk checkGeoLocation null countryCode can cause module fail

  • OPENAM-17136: OAuth2 Dynamic Client Registration does not recognise spec-defined parameters

  • OPENAM-17121: Inefficient synchronized block in OAuth2ProviderSettingsFactory

  • OPENAM-17114: Save Consent check box always shown, even when not configured

  • OPENAM-17097: Inconsistent scope policy evaluation between authorize and ROPC

  • OPENAM-17089: Forgot password functionality broken

  • OPENAM-17070: SAML2 SP-initiated SSO with AM as IdP proxy: RelayState is not returned from proxy after IdP authentication

  • OPENAM-17060: Audit Logging "Resolve host name" is still available after OPENAM-7849

  • OPENAM-17037: AM Upgrade from 6.0.0.7 to 7.0.0 causing NPE

  • OPENAM-17034: In a realm, if User Profile is set to Ignored, the realm-level Session Service quota settings are also ignored and only the Session Service setting at top level/global is evaluated

  • OPENAM-17017: REST STS fails with "unable to get sub-schema" if cache is refreshed while updating REST config

  • OPENAM-17006: Hosted SAML entity - cannot remove bindings

  • OPENAM-16998: Poor logging around failures "Invalid Assertion Consumer Location specified"

  • OPENAM-16997: Device code grant implied consent fails if access_token request performed before user authenticates

  • OPENAM-16988: Accessed endpoint including port causes verify Assertion Consumer URL to fail

  • OPENAM-16955: When setCookieToAllDomains=false is used, a non matching request from other domain will fail

  • OPENAM-16947: Kerberos Node in 7.0 fails to return goTo(false)

  • OPENAM-16944: LDAP Decision node fails if inetuserstatus does not exist

  • OPENAM-16936: Tree nodes create new keystore object each time node is called

  • OPENAM-16935: Logout issue after logging into AM with 'Remember my username' selected with iOS 14.0.1

  • OPENAM-16934: sm.getSchemaManager has a typo including a comma

  • OPENAM-16926: Success URL node doesn’t work with SAML Node for Idpinit when not using Integrated mode

  • OPENAM-16910: Cannot create SAML entity with entity id including a semicolon ';'

  • OPENAM-16907: Kerberos Node in 7.0 does not work

  • OPENAM-16904: OIDC bearer module fails with NPE when id_token does not contain kid

  • OPENAM-16883: AM ignores AuthnRequestsSigned property during SSO

  • OPENAM-16876: Default ACR values on OIDC client profile is not honoured in order of preference

  • OPENAM-16866: AM should fail gracefully if id_token fails to generate when swapping refresh token

  • OPENAM-16849: WeChat Social Auth module broken (regression)

  • OPENAM-16848: Choice Collector and WDSSO node combination does not work if whitelisting is enabled

  • OPENAM-16847: AM email service failing with 'Start TLS' option

  • OPENAM-16838: AuthenticationApproachChecker does not handle session upgrade modules

  • OPENAM-16823: IDM nodes do not send or propagate transactionId tracking when contacting IDM

  • OPENAM-16807: The dynamic values for request_uri stored in client config do not expire and are not automatically removed

  • OPENAM-16801: SAML2 SP init SSO fails after upgrade to 7.0.0

  • OPENAM-16784: Upgrade to 7 fails with NullPointerException in Saml2EntitySecretsStep

  • OPENAM-16769: Enabling Auto-federation when User Profile is Dynamic on SP causes SP to hang during SAML flow

  • OPENAM-16758: Cannot install AM 7 on Windows

  • OPENAM-16745: client_id in access token ignores what’s been registered when idm cache is disabled

  • OPENAM-16726: Insufficient debug logging for OAuth2 error 'invalid_client Server does not support this client’s subject type'

  • OPENAM-16703: OAuth2 Access token obtained from refresh token is certificate-bound regardless of "Certificate-Bound Access Tokens" configuration (when client_secret_basic used for credentials)

  • OPENAM-16701: The authorize endpoint with a service parameter will cause the parameter to appear as a PAP claim in the agent’s ID token

  • OPENAM-16684: OIDC Dynamic Registration client_description cannot take String type

  • OPENAM-16669: IdentityGateway Agent entry missing attribute required to support org.forgerock.openam.agent.TokenRestrictionResolver#getAgentInfo

  • OPENAM-16617: SuccessURL session property is set to gotoURL in authentication tree

  • OPENAM-16608: AM with embedded DS setup fails with permission denied for truststore

  • OPENAM-16583: Crucial information is missing when encountering LDAP connections issue.

  • OPENAM-16556: Radius Server does not log IP address into AM Audit logs

  • OPENAM-16555: Audit logging does not tell which policy allowed or denied a resource request

  • OPENAM-16540: Issues with Social Login URLs when navigating quickly between providers

  • OPENAM-16535: "JWKs URI content cache miss cache time" is not triggered when "kid" is missing from cached JWK Set

  • OPENAM-16515: Social auth - insufficient debug logging for troubleshooting

  • OPENAM-16485: 'Failed Login URL' is not picked up from the auth chain

  • OPENAM-16472: Proxied Authentication fallback may not work when user entry lacks some attributes

  • OPENAM-16450: 501 when default resource version set to "oldest" and Accept-API-Version header set

  • OPENAM-16418: private_key_jwt client auth fails with 500 if claim format is wrong

  • OPENAM-16368: Settings of Mail and Scripting global service properties are overwritten at upgrade

  • OPENAM-16367: OIDC request_uri response causes NPE while debug logging

  • OPENAM-16354: Concurrency bug in OAuth2ProviderSettingsFactory

  • OPENAM-16338: Failing REQUISITE module after SUFFICIENT Device Match doesn’t fail chain properly

  • OPENAM-16157: Session Property Whitelist Service allows case variant Property Names but DS is not case sensitive

  • OPENAM-16152: After upgrade, new Identity page has duplicate 'new identity' field and email address does not save

  • OPENAM-16006: Device Code Grant does not work with Implied Consent as Authorization is not approved even after consented

  • OPENAM-15963: Historical retention files ( csv ) were not deleted

  • OPENAM-15948: Update DS profiles to add VLV indexes for CTS use

  • OPENAM-15743: Excessive CTS logging when Reaper is disabled (com.sun.am.ldap.connnection.idle.seconds=0)

  • OPENAM-15671: LoginContext is missing debug logging for troubleshooting

  • OPENAM-15663: UserInfoClaims is not part of public API

  • OPENAM-14898: OTP Email Sender Authentication Node fails if no SMTP authentication credentials are specified

  • OPENAM-14682: Microsoft Social Auth fails when creating a Microsoft account (Legacy OAuth2)

  • OPENAM-14527: Microsoft Social Auth does not work with latest MS endpoints (Legacy OAuth2)

  • OPENAM-12503: SizeBasedRotationPolicy does not delete oldest file

AM 7.0.x

AM 7.0.2
  • OPENAM-17689: LDAPv3PersistentSearch should log when psearch connection is lost

  • OPENAM-17688: InMemoryCtsSessionCacheStep#cacheTrusted field should be marked volatile

  • OPENAM-17683: Selfservice user registration auto login fails for a sub-realm

  • OPENAM-17673: Nodes within a Page node do not have access to secure state

  • OPENAM-17672: Page Node does not expose inner nodes inputs or outputs

  • OPENAM-17630: JMS Audit logging broken and cannot start up

  • OPENAM-17591: Session quota destroy next expiring action can fail when two new sessions attempt to read and update the same expiring session

  • OPENAM-17587: OIDC bearer token authentication module requires context value setting for client secret

  • OPENAM-17570: OIDC request parameter decryption fails to find any applicable keys

  • OPENAM-17555: AM 7.x versions of Amster use Java 8 format of debug port

  • OPENAM-17517: JS versions of Social Identity Provider Profile Transformation scripts do not work due to a casting error.

  • OPENAM-17515: Sub attribute in access token can be in wrong casing

  • OPENAM-17483: SecretsPlugin upgrade from 6.5.x failing

  • OPENAM-17477: Thread-safety issue in AMAuthenticationManager

  • OPENAM-17436: JS version of the OIDC Claims script does not work due to a casting error.

  • OPENAM-17405: Token introspection response not spec compliant

  • OPENAM-17397: ssoadm can fail for some cloud-based setups due to FileBasedConfiguration check

  • OPENAM-17365: Checking agent type with caller token can cause deadlock

  • OPENAM-17364: prompt login / session upgrade / OIDC ACR looping with trees

  • OPENAM-17361: API Explorer Swagger Template body needs to be modified to include configExport, debugLogs and threadDump as per the API Documentation

  • OPENAM-17357: Remote Consent Service RCS does follow RCS consented scope when authorization endpoint accessed without any scope

  • OPENAM-17349: OIDC Refresh token - Ops token is deleted from the CTS during refresh

  • OPENAM-17337: Access token passed in request body results in failure

  • OPENAM-17324: Client credentials grant in FBC config with group inheritance causes User not Valid Error

  • OPENAM-17322: SAML2 bearer grant returns NoUserExistsException

  • OPENAM-17321: Prometheus Endpoint returns http 500 error when used with file based config

  • OPENAM-17317: A realm without any modules can cause increased thread count and slow response.

  • OPENAM-17310: 'ssoadm list-datastore-types' sub-command broken

  • OPENAM-17277: AM Recording with thread dump only shows depth of 8

  • OPENAM-17276: AM recorder does not record anymore

  • OPENAM-17274: AM should not change the supported subject types for an existing install

  • OPENAM-17271: Typo for Realm in SAML/Federation debug

  • OPENAM-17265: Wrong authorized_keys file updated

  • OPENAM-17242: OAuth2 Policy - Environment Condition AuthLevel >= doesn’t work for ROPC grant

  • OPENAM-17220: OAuthLogout.jsp compilation error isGotoUrlValid method signature not found

  • OPENAM-17199: Insufficient debug logging for 'DJLDAPv3Repo.getAssignedServices'

  • OPENAM-17175: XUI OAuth2 consent page does not render when using themes

  • OPENAM-17157: Password reset via admin console with Proxied Authorization enabled is not possible

  • OPENAM-17156: Adaptive Risk checkGeoLocation null countryCode can cause module fail.

  • OPENAM-17121: Inefficient synchronized block in OAuth2ProviderSettingsFactory

  • OPENAM-17117: Service config XML dump consumes a lot of memory (whole config is read to memory)

  • OPENAM-17114: Save Consent check box always shown, even when not configured

  • OPENAM-17102: OAuth2 client bearer authentication has insufficient logs for troubleshooting failing client authentication

  • OPENAM-17097: Inconsistent scope policy evaluation between authorize and ROPC

  • OPENAM-17089: Forgot password flow not working after initial attempt to reset password fails

  • OPENAM-17081: OAuth2 client agent group settings are not taken into account

  • OPENAM-17079: Identities and Session : unexpected error returned when trying to request a non-existent identity

  • OPENAM-17070: SAML2 SP initiated SSO with AM as IdP Proxy, RelayState is not returned from proxy after IdP authentication

  • OPENAM-17066: Unable to add server to existing deployment through UI

  • OPENAM-17042: User Self Registration REST API does not generate SSO token

  • OPENAM-17019: Allowing wildcards in OAuth 2.0 clients prevents exact matching from working

  • OPENAM-17017: REST STS fails with unable to get sub-schema if cache is refreshed while updating REST config

  • OPENAM-16998: Poor logging around failures "Invalid Assertion Consumer Location specified"

  • OPENAM-16997: Device code grant implied consent fails if access_token request performed before user authenticates

  • OPENAM-16955: When setCookieToAllDomains=false is used, a non matching request from other domain will fail

  • OPENAM-16944: LDAP Decision node fails if inetuserstatus does not exist

  • OPENAM-16932: PageNode does not pick up outcomes if ScriptedDecisionNode is used inside

  • OPENAM-16910: Can not create SAML entity with entity id including a semicolon ';'

  • OPENAM-16904: OIDC bearer module fails with NPE when id_token does not contain kid

  • OPENAM-16883: AM ignores AuthnRequestsSigned property during SSO

  • OPENAM-16881: SAML federation library stopped supporting ACS URLs with query parameters

  • OPENAM-16876: Default ACR values on OIDC client profile is not honoured in order of preference

  • OPENAM-16849: WeChat Social Auth module broken (regression)

  • OPENAM-16801: SAML2 SP init SSO fails after upgrade to 7.0.0

  • OPENAM-16726: Insufficient debug logging for OAuth2 error 'invalid_client Server does not support this client’s subject type'

  • OPENAM-16651: Default configuration fails if the trust store type JVM property is not defined for the JVM

  • OPENAM-16638: AM with embedded DS setup fails when Java system keystore properties are set

  • OPENAM-16608: AM with embedded DS setup fails with permission denied for truststore

  • OPENAM-16581: SAML Authentication Module on hosted SP gets SAML No authentication context error

  • OPENAM-16556: Radius Server does not log IP address into AM Audit logs

  • OPENAM-16515: Social auth - insufficient debug logging for troubleshooting

  • OPENAM-16472: Proxied Authentication fallback may not work when user entry lacks some attributes

  • OPENAM-16364: Macaroon access tokens don’t work with the new any-realm token introspection

  • OPENAM-16262: Javadocs for IdUtils needs updating

  • OPENAM-15963: Historical retention files ( csv ) were not deleted

  • OPENAM-15214: Auth Tree - Clicking save with no changes causes render problem with node attributes inside page node

  • OPENAM-14240: FMSigProvider.verify does not tell if certificates are provided

  • OPENAM-13783: REST STS: Cannot add or modify nameID format in SAML config, and default value stated in help is incorrect

  • OPENAM-13575: Unhelpful log message when OIDC public client wants to use HMAC id token signing

AM 7.0.1
  • OPENAM-16935: Logout issue after logging into AM with 'Remember my username' selected with iOS 14.0.1

  • OPENAM-16934: sm.getSchemaManager has a typo including a comma

  • OPENAM-16907: Kerberos Node in 7.0 does not work

  • OPENAM-16877: Error when creating AM "Self-service Trees" service in native admin ui

  • OPENAM-16848: Choice Collector and WDSSO node combination does not work if whitelisting is enabled

  • OPENAM-16847: AM email service failing with 'Start TLS' option

  • OPENAM-16838: AuthenticationApproachChecker does not handle session upgrade modules

  • OPENAM-16823: IDM Nodes do not send or propagate transactionId tracking when contacting IDM

  • OPENAM-16802: Upgrade from OpenAM 7.0 to 7.1.0 SNAPSHOT causes NPE

  • OPENAM-16794: Google KMS options missing after upgrade from 6.5

  • OPENAM-16791: AMAccessAuditEventBuilder#forRequest can generate an entry with :-1 for the port

  • OPENAM-16769: Enabling Auto-federation when User Profile is Dynamic on SP causes SP to hang during SAML flow

  • OPENAM-16759: Amster on windows : AM does not restart properly after setup

  • OPENAM-16758: Cannot install AM 7 on Windows

  • OPENAM-16745: client_id in access token ignores what’s been registered when idm cache is disabled

  • OPENAM-16703: OAuth2 Access token obtained from refresh token is certificate-bound regardless of "Certificate-Bound Access Tokens" configuration (when client_secret_basic used for credentials)

  • OPENAM-16702: Saving engine configuration in FBC mode makes that config non-readable

  • OPENAM-16701: The authorize endpoint with a service parameter will cause the parameter to appear as a PAP claim in the agent’s ID token

  • OPENAM-16697: Case mismatch for realm (when using legacy realm identifier format) on well-known endpoint results in issuer with incorrect path format

  • OPENAM-16686: Cannot create a User after upgrade from 6.5.2 to 7.0.1

  • OPENAM-16684: OIDC Dynamic Registration client_description cannot take String type

  • OPENAM-16669: IdentityGateway Agent entry missing attribute required to support org.forgerock.openam.agent.TokenRestrictionResolver#getAgentInfo

  • OPENAM-16650: Authz Policy Subjects Policy.title is showing property name text

  • OPENAM-16641: OAuth2 provider supported grant types attribute missing localization property on XUI

  • OPENAM-16606: Missing "org.forgerock.openam.saml2.authenticatorlookup.skewAllowance" property in server defaults

  • OPENAM-16594: ssoadm help should be updated to reflect changes in AME-18650 / OPENAM-16155

  • OPENAM-16583: Crucial information is missing when encountering LDAP connections issue.

  • OPENAM-16555: (audit) logging does not tell which policy allowed or denied a resource request

  • OPENAM-16551: Scalar String in OAuth2 Access Token Modification Script result in Unable to Obtain Access Token

  • OPENAM-16545: Upgrade to AM 7.0.0 can cause problems with properties being overridden for some web agents

  • OPENAM-16485: 'Failed Login URL' is not picked up from the auth chain

  • OPENAM-16483: XUI - Typo in SAML SP "Default Relay State Url" label

  • OPENAM-16368: Settings of Mail and Scripting global service properties are overwritten at upgrade

  • OPENAM-16367: OIDC request_uri response causes NPE while debug logging

  • OPENAM-16354: Concurrency bug in OAuth2ProviderSettingsFactory

  • OPENAM-16338: Failing REQUISITE module after SUFFICIENT Device Match doesn’t fail chain properly

  • OPENAM-16157: Session Property Whitelist Service allows case variant Property Names but DS is not case sensitive

  • OPENAM-16152: After upgrade, new Identity page has duplicate 'new identity' field and email address does not save

  • OPENAM-16006: Device Code Grant does not work with Implied Consent as Authorization is not approved even after consented

  • OPENAM-15671: LoginContext is missing debug logging for troubleshooting

  • OPENAM-15663: UserInfoClaims is not part of public API

  • OPENAM-14682: Microsoft Social Auth fails when creating a Microsoft account (Legacy OAuth2)

  • OPENAM-14527: Microsoft Social Auth does not work with latest MS endpoints (Legacy OAuth2)

  • OPENAM-11706: Policies in a policy set are not visible in Internet Explorer IE

AM 7.0
  • OPENAM-16433: Audit Logging change of behaviour when capturing "principals" and "userid" data for each authentication entry.

  • OPENAM-16425: AM does not handle malformed/incorrect signature correctly

  • OPENAM-16402: The passwordpolicy.allowDiagnosticMessage should be applicable to admin and selfservice password change.

  • OPENAM-16379: URL fragments like # cause forbidden login in the XUI

  • OPENAM-16284: XUI does not handle Special Chars / UTF-8 in realms properly.

  • OPENAM-16279: AgentsRepo cannot recover when it fails especially on external Application store.

  • OPENAM-16251: OIDC authentication request with parameters 'prompt=none' and 'acr_values=' triggers authentication

  • OPENAM-16240: REST STS under subrealm cannot generate id_token with realm claim

  • OPENAM-16233: Policy evaluation fails when subject not found (even in ignore profile)

  • OPENAM-16214: Push Authentication Module does not work on Session Upgrade when User Cache disabled

  • OPENAM-16184: Zero Page Login Collector does not work with UTF-8 base 64 encoded usernames and passwords

  • OPENAM-16165: social authmodule causes NullPointerException

  • OPENAM-16164: social authmodule fails if OIDC provider uses algorithm RS256 to sign Id Token

  • OPENAM-16136: queryFilter only matches against first entry in array

  • OPENAM-16132: When TtlSupport is enabled, Stateless OAuth2 Refresh token and JWT whitelist fails on synchroniseExpiryDates

  • OPENAM-16032: Unable to delete devices with Recovery Code Collector Decision Node

  • OPENAM-16031: Intermittent error message when concurrent obtain SSO Token ID with session quota constraints

  • OPENAM-16014: An invalid user passed to any WebAuthn node throws NPE and breaks the Tree flow

  • OPENAM-16013: Mismatched kid from Json Web Key URI when Specified Encryption Algorithm

  • OPENAM-16009: Windows Desktop SSO node full adoption and compliance with tree node specifications

  • OPENAM-15989: OAuth2 client_id should be url-decoded when using basic auth

  • OPENAM-15982: OIDC - JWT Request Parameter returns errors in query, not in the fragment when consent is denied

  • OPENAM-15970: Access Token introspect Fails in subrealm after root realm modified

  • OPENAM-15944: WS-Federation - RPSignin Request fails because config data is used unchecked

  • OPENAM-15905: Login failure with Post Authentication Plugin on timed out Authentication session throws NullPointerException

  • OPENAM-15900: Kerberos fails when used with IBM JDK

  • OPENAM-15896: WS-Federation relying party initiated passive request - stuck at Account Realm selection

  • OPENAM-15881: Custom AM User (amUser.xml) field does not use default values from the schema

  • OPENAM-15858: Auth Tree fails before 'Max Authentication Time' is reached if authentication session state management scheme CTS is used

  • OPENAM-15853: External UMA store fails on resource creation

  • OPENAM-15805: idtokeninfo endpoint gives invalid signature error when ID Token is expired

  • OPENAM-15785: OIDC spec violation - HTTP POST can not be used to send Authentication Request

  • OPENAM-15784: Form elements in policy environment condition tab are displayed twice

  • OPENAM-15766: LoginState - account lockout is checkout although AM AccountLockout is disabled

  • OPENAM-15758: KeyStore Secret Store fails to start due to secretId having some characters.

  • OPENAM-15750: ERROR: OAuth2Monitor: Unable to increment "oauth2.grant" metric for unknown grant type BACK_CHANNEL

  • OPENAM-15724: SAML2 entities do not set amlbcookie if there is only one server

  • OPENAM-15713: AM SP drop the 80 characters RelayState silently for HTTP Redirect

  • OPENAM-15698: IdP-initiated SSO fails with error 'Error processing AuthnRequest. IDP Session is NULL'

  • OPENAM-15697: Default ACR values from OAuth2 provider not taken into account

  • OPENAM-15694: RestSTSServiceHttpRouteProvider causes memory leak by adding route for every access

  • OPENAM-15679: The option "com.sun.am.ldap.connnection.idle.seconds" has a misspelling

  • OPENAM-15670: DeviceIdSave auth module initialization fails if username is null

  • OPENAM-15667: AM debug log does not tell which auth-module was handled - needed for troubleshooting

  • OPENAM-15645: The &refresh=true|false parameter for _action=validate is not working as expected

  • OPENAM-15632: OAuth2 Refresh token lifetime with -1 (never expires) cannot work with CTS TTL support

  • OPENAM-15628: Grant-Set Storage Scheme for CTS does not work with CIBA Flow

  • OPENAM-15627: Switching CTS Storage Scheme to "Grant-set" fails with stateless refresh-tokens created with "One-To-One"

  • OPENAM-15579: AM cookies are not set after successful SP-initiated SSO flow if SP Adapter calls 'response.sendRedirect(String)'

  • OPENAM-15559: OATH module broken in Japanese locale

  • OPENAM-15533: WS-Federation doesn’t work with Authentication Trees

  • OPENAM-15530: OAuth2/OIDC - Resource Owner Password flow with a public client creates an AM session in CTS

  • OPENAM-15520: XUI Localisation Falls Back To AM-Default "EN" Instead Of Language-Default

  • OPENAM-15508: moduleMessageEnabledInPasswordGrant does not apply to Trees

  • OPENAM-15507: 500 error when calling /revoke or /refresh endpoint with wrong token

  • OPENAM-15501: Xml encryption 1.1 namespaces aren’t always mapped to prefixes correctly

  • OPENAM-15494: AM expects nonce request parameter in authorize request when no id_token will be returned

  • OPENAM-15491: Self service password reset returns 500 Internal Server Error, when new password rejected by datastore password policies.

  • OPENAM-15489: WebAuthN Auth Node Doesn’t Respect UV=Discouraged During AuthN

  • OPENAM-15465: Sending HTTP Callback from Inner Tree Evaluator Fails Authentication

  • OPENAM-15459: When Encrypted Attributes on SP is set only with AutoFederation enabled, the attributes get decryption error

  • OPENAM-15425: OIDC endsession - encrypted id_tokens are not supported

  • OPENAM-15374: OpenID Client authentication with private_key_jwt and client_secret_jwt does not enforce required jti claims

  • OPENAM-15355: PageNode with multiple InputNodes without value throws Unsupported InputOnlyPasswordCallback

  • OPENAM-15349: Access Token request returns a 500 error

  • OPENAM-15345: at_hash value generated does not take the latest modified access token

  • OPENAM-15323: ROPC with tree throws "Internal Server Error (500)" when user credentials are incorrect using AuthTree

  • OPENAM-15307: Trees Example is not working as expected OOTB to ?service=Example

  • OPENAM-15303: Claims with multiple values in issued_token from REST STS represented inconsistently.

  • OPENAM-15244: AM configuration does not perform schema extension for identity store although it has the permissions

  • OPENAM-15210: Authentication nodes that are assigned AuthType values may not work in Session Upgrade case with custom modules

  • OPENAM-15164: CDSSO with "ignore profile" throws "No OpenID Connect provider"

  • OPENAM-15160: LDAP Decision Node throws NPE when custom ldap server returns LDAP code 50 on bind

  • OPENAM-15150: Upgrade fails when there is a bad Token Signing ECDSA public/private key pair alias field

  • OPENAM-15147: HTTP 500 upon accessing openam/json/

  • OPENAM-15145: OpenAM Scope Validator calls getUserInfo twice when creating IdToken

  • OPENAM-15121: Persistent Cookie Auth Tree does not work after the second relogin ( with browser closed )

  • OPENAM-15117: KeyVault KeyStoreType not supported

  • OPENAM-15116: Auth ID jwt can be modified to determine whether a realm exists or not

  • OPENAM-15105: Unable to get trusted devices using REST API

  • OPENAM-15101: Remove the ability to disable XUI

  • OPENAM-15089: SAML SLO - Allow RelayState to be a path-relative URL

  • OPENAM-15076: webAuthn config does not allow for multiple origins under the same rpId

  • OPENAM-15044: OpenID connect id_token bearer Module Unable to obtain SSO Token due to OpenIDResolver Caching

  • OPENAM-15036: Cannot view/manage SAML IdP entity in console, imported from schema compliant meta data file

  • OPENAM-15028: Cannot load metadata in ssoadm without extended metadata

  • OPENAM-15012: OIDC - JWT Request Parameter returns errors in query, not in the fragment

  • OPENAM-14995: IdP Initiated single logout only performs local logout if IdP session cannot be found in cache

  • OPENAM-14991: Changes to boot.json are overwritten

  • OPENAM-14979: NPE in UtilProxySAMLAuthenticatorLookup if there is a failure to find cached oldSession in sessionUpgrade

  • OPENAM-14977: PKCE Code challenge method for Authorization Code if not set should use plain

  • OPENAM-14966: Performing access_token with arbitrary text as trusted cert header causes server error

  • OPENAM-14919: Unnecessary 'Unable to parse packet received from RADIUS client' log entries in log file

  • OPENAM-14901: XUI - SAML2 module doesn’t redirect to IDP if it’s 2nd in the chain

  • OPENAM-14895: user identity creation fails with "Identity \*" of type user not found.

  • OPENAM-14893: XUI displays multiple error messages when an authentication session times out

  • OPENAM-14889: Upgrade of Persistent Cookie auth module fails

  • OPENAM-14883: OAuth2/OIDC - Issuing client secret to Public clients during registration

  • OPENAM-14881: AM Proxied authorization feature on DataStore does not work with locked or expired DJ accounts for password change (gives errorcode=123)

  • OPENAM-14867: AuthType is not set for Authentication Tree (AnyKnownUserAuthzModule fails in AuthTree)

  • OPENAM-14859: ROPC throws "Internal Server Error (500)" when 'Password Grant authentication service' is empty

  • OPENAM-14858: When NameIDPolicy does not contain Format=.., remoteEntityID is passed as null

  • OPENAM-14848: Insufficient debug logging in OpenID Connect authentication module

  • OPENAM-14845: user info endpoint does not correctly handle Certificate Bound Access Tokens

  • OPENAM-14829: AuthSchemeCondition doesn’t return realm aware policy condition advice

  • OPENAM-14825: OAuth2 Dynamic Registration with Software Statement triggers objectClass=* search

  • OPENAM-14804: Memory leak when running UMA RPT soak test

  • OPENAM-14799: Unable to update Agent profile using REST

  • OPENAM-14794: User privileges are removed from group if another group is given same privilege

  • OPENAM-14786: idpSingleLogoutPOST throws error 500 IllegalStateException on SLO

  • OPENAM-14783: PKCS11 KeyStore does not work on IBM JVM

  • OPENAM-14782: AuthTree created Session does not use per User Session Service settings

  • OPENAM-14766: introspect and tokeninfo endpoints return Internal Server Error 500 in some invalid tokens

  • OPENAM-14717: mailto attribute has a space between ':' and mail address

  • OPENAM-14694: Consent page still shows claim values even when supported claim description is omitted

  • OPENAM-14651: OAuth2 GrantSet E-Tag Assertion Failures due to Stale Reads

  • OPENAM-14581: handling ManageNameID fails if NameID does not include SPNameQualifier

  • OPENAM-14578: WDSSO failing but no fallback…

  • OPENAM-14573: amlbcookie is not secure when authenticating with trees

  • OPENAM-14572: prompt=login destroys and creates new session

  • OPENAM-14570: OAuth mTLS DN comparison fails when DER-encoding is different

  • OPENAM-14548: consent page still shows what’s been granted/removed as a result of OAuth2 scope policy evaluation

  • OPENAM-14546: SSOADM access not audited to the ssoadm.access logs anymore

  • OPENAM-14539: SAML SLO with multi protocols

  • OPENAM-14529: UMA RPT expiry time incorrect in CTS

  • OPENAM-14523: NullPointerException in IdP-initiated ManageNameIDRequest using SOAP Binding

  • OPENAM-14503: SAML2 - Key Transport Algorithm - RSA OAEP must be supported

  • OPENAM-14483: If there is no token, then landing on the AM login page will result in 2 getSessionInfo Requests = 401 UnAuthZ

  • OPENAM-14480: AuthLoginException is lost

  • OPENAM-14471: Failed to create root realm for data store (External Policy | Application)

  • OPENAM-14465: SAML2 Artifact binding fails on multi-instance / multiserver IDP setup with SAML2 Failover on

  • OPENAM-14464: XUI sends the following message "Loading custom partial "${partialPath}" failed. Falling back to default." to the browser console when a custom theme is used

  • OPENAM-14450: userinfo typo in Claims.java

  • OPENAM-14426: Unable to add external data store in AM (Policy | Application) when using TLS/SSL

  • OPENAM-14419: Policy evaluation returns search results for all policies that match outside of specified application

  • OPENAM-14393: CTS Operation Fails Entry Already Exists logged after SAML2 Authentication is done

  • OPENAM-14391: Self Service Link not Displayed when Using Authentication Tree

  • OPENAM-14378: 'Set Persistent Cookie' node sets domain cookies in only one domain despite multiple Cookie Domains set

  • OPENAM-14369: Upgrading from OpenAM 13.5.0 with custom PAPs causes NPE failure

  • OPENAM-14362: UMA load test fails with Invalid resource type error

  • OPENAM-14353: Error Message not Displayed when Change Password does not Meet Password Policy

  • OPENAM-14337: Fail gracefully when request OIDC token using "Pairwise" Subject Type and no Redirection URI is configured in client

  • OPENAM-14313: Audit Logging - STS transformations create duplicate entries

  • OPENAM-14310: CheckSession page indicates the session is not valid

  • OPENAM-14294: am-external Git repository 6.5 has bad source

  • OPENAM-14281: IdP Proxy relays wrong AuthnContextClassRef

  • OPENAM-14239: FMSigProvider.verify NPE with null input for certificates

  • OPENAM-14233: updated_at claim in the ID Token is returned as a string and not a number

  • OPENAM-14232: Performance issue when creating resource_set in UMA with many existing resource_set

  • OPENAM-14229: custom AuthorizeTemplate under theme not used

  • OPENAM-14213: Cannot view SAML SP entity imported with missing AuthnRequestsSigned attribute

  • OPENAM-14212: SAML redirect to login page fails if AM installed into the root context

  • OPENAM-14200: Social auth modules do not work when AM is installed into the root context

  • OPENAM-14189: effectiveRange of Time environment has issue

  • OPENAM-14175: CTS updates on multivalue attributes may throw Duplicate values exception

  • OPENAM-14174: AM shows Ldapter.delete exception when session expiry is triggered

  • OPENAM-14167: HTML tags are shown part of the messages in Change Password section of AD Authentication module.

  • OPENAM-14147: arg=newsession in XUI just shows the "Loading…" page

  • OPENAM-14115: Sample Auth module does not work in a chain when used with Shared-state

  • OPENAM-14112: Using client-based sessions when acting as SP can lead to an out-of-date client-based session cookie

  • OPENAM-14111: Refresh Token flow not enabled on OAuth2 Client can still use Refresh Token flow

  • OPENAM-14062: Redirect to Failure URL does not occur when authentication tree is not interactive

  • OPENAM-14054: XUI Custom templates and Partials not applied consistently

  • OPENAM-14053: Cannot build AM UI in Windows for Yarn using mvn

  • OPENAM-14040: LdifUtils debug logging prints out wrong classname

  • OPENAM-14018: Radius Authentication Module Primary and Secondary Radius Server help button shows server:port when it should be server

  • OPENAM-13999: Custom node containing ConfirmationCallbacks fails when dropped in a page node.

  • OPENAM-13991: 'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm

  • OPENAM-13978: Session Upgrade - AuthLevel format changes

  • OPENAM-13942: SAML2 Circle of Trust - REST Update doesn’t update the metadata of the provider

  • OPENAM-13934: saml2error.jsp fails with exception when malformed SAML2 response given

  • OPENAM-13900: OAuth2 Device flow - duplicate user_code error after authenticating user

  • OPENAM-13892: Erroneous "Response’s InResponseTo attribute is not valid error "SAML2 failover is enabled" when it is not

  • OPENAM-13890: Install.log logs AMLDAPUSERPASSWD for unprivileged demo user in plaintext

  • OPENAM-13851: Rest STS cannot be created in the Console when upgrading to 6

  • OPENAM-13831: RP-Initiated Logout does not handle state parameter

  • OPENAM-13779: Session API - _action=refresh requires an admin token

  • OPENAM-13764: Monitoring logs in ERROR for "Agent.configAgentsOnly:agent type = OAuth2Client"

  • OPENAM-13720: Public API method LDAPUtils.convertToLDAPURLs can not handle IPv6 literals

  • OPENAM-13490: Software Publisher Agent - Secret is not saved when creating an Agent

  • OPENAM-13465: Dynamic client registration sets wrong subjectType

  • OPENAM-13446: Social Auth Service doesn’t redirect if already using another chain

  • OPENAM-13419: LDAPPolicyFilterCondition doesn’t set request timeout

  • OPENAM-13324: /users/{user}/devices/trusted REST queryFilter expression does not work and acts as "true"

  • OPENAM-13064: OAuth2 - SAML v.2.0 Bearer Assertion Grant - SubjectConfirmationData element should be optional

  • OPENAM-13000: Custom authentication module with a single ChoiceCallback value is processed without confirmation

  • OPENAM-12955: Resource Owner Password Credentials Grant does not work with trees

  • OPENAM-12759: max_age should be a number, not a string

  • OPENAM-12574: SAML2Utils.sendRequestToOrigServer throws NullPointerException on processing Cookies

  • OPENAM-12498: Authorization Grant response returns scope(s) in the URL

  • OPENAM-12228: WebAgent REST API queryFilter expression does not work and acts as "true"

  • OPENAM-12186: Introspect endpoint for RPT does not check the authorization scheme

  • OPENAM-11921: Incorrect NameId Format offered for SAML2 auth module in console

  • OPENAM-11863: CORSFilter position in web.xml should come before most filters

  • OPENAM-11778: Getting accessToken using authorization_code results in Unhandled exception

  • OPENAM-11338: OpenID Connect id_token bearer auth module mixes up aud, azp during verification

  • OPENAM-10869: SAML2 Authentication module error "Unable to link local user to remote user" is ambiguous

  • OPENAM-10843: When generating an OIDC token through STS a "kid" value is not specified

  • OPENAM-10127: SessionMonitoringStore should only be instantiated when monitoring is enabled

  • OPENAM-9931: Global Session Service - two fields with the exact same name (Redundant 'Global Attributes' setting should be removed)

  • OPENAM-9777: Json Web Key URI in OAuth2 OpenID connect client config pre-populated incorrectly

  • OPENAM-9459: 500 Internal Server Error from changePassword endpoint with AD repo

  • OPENAM-5867: Data Store LDAP server (admin-ordered) list is reordered by OpenAM

Fixes in AM 7.1.x

This page lists the cumulative fixes in AM 7.1.x releases:

AM 7.1.4

  • OPENAM-21004: AM will always look for valid session when scope=openid

  • OPENAM-21002: CTS task queue full and SeriesTaskExecutorThread can get stuck waiting

  • OPENAM-20897: Issue with logging unsupported callbacks

  • OPENAM-20691: Destroy oldest session may fail to work

  • OPENAM-20396: Authentication trees are selected in order of ACR - tree mapping (not in the default order) and order is not preserved

  • OPENAM-20318: Accessing AM End user login page for PlatformLogin journey in platform environment shows non-rendered HTML

  • OPENAM-20260: Unable to log into AM when external application store is down

  • OPENAM-20230: Class whitelisting fails with permission denied after an extended period

  • OPENAM-20181: AD account notification fails

  • OPENAM-20085: STS token generation does not work with clustered docker pods

  • OPENAM-20082: Locked out users are shown a misleading error message

  • OPENAM-19954: SAML hosted entity uses algorithm set in common federation configuration instead of algorithm set in hosted entity configuration

  • OPENAM-19362: AM to DS certificate log message logged at warning instead of error or critical

  • OPENAM-18818: Persistent search error message shows wrong DS identifier

  • OPENAM-18629: RestSTS should validate sessions with a local call and use asynchronous HTTP calls for remote calls

  • OPENAM-18488: Windows Hello with TPM/platform authenticator returns two certificates

  • OPENAM-17591: Session quota action destroy next expiring token can fail when two new sessions attempt to read and update the same expiring session

  • OPENAM-17215: Policy debug log fills up at very high pace if the config store is not found

  • OPENAM-13766: No configuration found for login with SessionConditionAdvice=deny

AM 7.1.3

  • OPENAM-19884: AM returns 500 when ; used in access token header

  • OPENAM-19865: Memory Leak due to samlResponseDataHash not being cleaned up

  • OPENAM-19649: ID token not linked to session when authorising with sso token

  • OPENAM-19613: PSearch is already removed error message should be warning

  • OPENAM-19537: UserSelfCheckCondition.getConditionDecision logging WARN too much when nothing wrong

  • OPENAM-19530: Upgrade fails when Organization schema defaults are missing for service 'sunFAMSAML2Configuration'

  • OPENAM-19515: Unable to update session service with read only identity store

  • OPENAM-19512: Faulty Legacy OAuth 2.0 frrest/oauth2 endpoints

  • OPENAM-19506: Installer fails after pressing "cancel" button at amadmin password page

  • OPENAM-19455: Adding Authentication Context without Level value results in uneditable entity

  • OPENAM-19427: Display security questions in the correct default language

  • OPENAM-19384: Suspended Authentication Resume URI is resolved with a missing '/'

  • OPENAM-19381: Timer Stop Node’s stop recording does not capture the reference start time of the Timer Start Node

  • OPENAM-19297: OIDC MayAct claims script fails to access clientProperties and causes Java security exception

  • OPENAM-19290: In a cluster, changing AM debug level on local (AM2) to remote (AM1) does not have effect until restart of AM1

  • OPENAM-19281: OIDC dynamic client registration cannot handle "\n" in the client_description

  • OPENAM-19220: WebAuthN/Fido - can not authenticate with recovery codes on Windows

  • OPENAM-19208: Webhook with an empty url field throws NPE during a webhook session upgrade

  • OPENAM-19190: LDAPAuthUtils for BASE_OBJECT does not work with special userId characters

  • OPENAM-19162: REST API definition inaccurate for endpoint '/realm-config/saml'

  • OPENAM-19123: AM validates duplicate registration tokens

  • OPENAM-19122: AM’s jwks_uri endpoint should preserve order of keys within the set

  • OPENAM-19119: GetAuthenticatorApp Node needs better localization support

  • OPENAM-19112: AM with embedded DJ always runs DJ backup and upgrade

  • OPENAM-19111: insufficient debug logging to troubleshoot error "Illegal arguments: One or more required arguments is null or empty" when performing user identity subject update via REST API

  • OPENAM-19109: Insufficient debug logging to troubleshoot CORS service

  • OPENAM-19108: "Agent" auth tree creates tokens with insufficient permissions

  • OPENAM-19086: rest-sts endpoint is not included when CORS is enabled

  • OPENAM-19083: Creating a client-based access & refresh token breaks subsequent use of Session Quotas

  • OPENAM-19016: Logback.jsp should show the actual setting of the loggers instead of defaults

  • OPENAM-19011: QR code message used in MFA Authentication node should be customizable / localizable

  • OPENAM-18990: Non-compliant OAuth2 error response generated

  • OPENAM-18952: KBA questions are not falling back to the default language when French is present

  • OPENAM-18891: JWT Profile Oauth2 Grant returns 'invalid_grant'

  • OPENAM-18835: JCEEncryption throws ArrayIndexOutOfBoundException when decrypting empty bytes

  • OPENAM-18834: AM fails to start when upgrading after using am-upgrader

  • OPENAM-18655: Deleting OAuth2 Client causes unnecessary notification error message in IdRepo

  • OPENAM-18478: XUI shows incorrect subjectType following upgrade from AM < 6.5.3

  • OPENAM-18457: OIDC authentication nodes do not work in sub-realm when response_mode=form_post is requested from OP

  • OPENAM-18432: Remove the internal idm-delegation grant type from the well known info

  • OPENAM-18384: Email Suspend Node clears the secure state

  • OPENAM-18268: webauthnDeviceProfiles is not multi-valued for AD

  • OPENAM-18252: Allow nodes to update the universal ID for use cases like impersonation and peer authentication

  • OPENAM-18196: More meaningful error message when Client Secret is not URL-encoded

  • OPENAM-18172: Multiple instances of "No Social Authentication Service found for realm" logged at WARNING level in logs

  • OPENAM-18149: Wrong log file is used for SAML2 extensions log message

  • OPENAM-18132: Failed to get the distinct userIdAttributes for configured identity stores in realm

  • OPENAM-18113: LDAP authentication node : change of connection mode does not recreate the connection pool

  • OPENAM-18112: Misleading error message when LDAP auth node connects to a TLS-enabled server

  • OPENAM-18062: SPACSUtils withholds exception and does not log error

  • OPENAM-17973: Retrieving auth code in a realm fails if session for another realm exists

  • OPENAM-17882: Slow memory leaks when persistent search starts a retry activity when persistent search fails

  • OPENAM-17835: Do not display "Unable to retrieve instance of the ValidationServiceConfig" after IdP-initiated SSO

  • OPENAM-17688: InMemoryCtsSessionCacheStep#cacheTrusted field should be marked volatile

  • OPENAM-17351: AM File based config setup cannot be used with AM recording to dump the config

  • OPENAM-17308: Custom IdRepo uninstall realm-config/services/id-repositories?_action=nextdescendents fails

  • OPENAM-17201: XMLEncryption does not comply with standard when 'rsa-oaep-mgf1p' is being used

  • OPENAM-16953: Custom idrepo sample using IdRepoConfig does not work

  • OPENAM-16878: Scripted Decision Node secrets binding object does not have public API

  • OPENAM-16490: OWASP ESAPI lib is missing some classes

  • OPENAM-16241: Switching CTS Storage Scheme with stateful refresh-tokens from 1-1 to grantset

  • OPENAM-15997: Enhance CookieHelper to perform better cookie detection

  • OPENAM-15472: HOTP - text for performed attempts is hard-coded and not localisable

  • OPENAM-15408: oauth2/connect/jwk_uri does not expose keys of the remote consent agent profile

  • OPENAM-14343: AM console - localisation issue for algorithms in global Common Federation Configuration

  • OPENAM-13766: No configuration found for login with SessionConditionAdvice=deny

  • OPENAM-12992: Misleading error message in XUI console when existing DNS alias is provided

  • OPENAM-12101: Connection pool not restarted if LDAP authentication module admin bind password is incorrect

  • OPENAM-11319: Add localized "description" for JSON response content to OAuth2UserApplications#getResourceResponse

AM 7.1.2

  • OPENAM-18928: Client credential OAuth2 request results in searches for OAuth2 client against Identity Store

  • OPENAM-18921: Double slashes in oauth2 claim name handled incorrectly

  • OPENAM-18883: Inconsistent error response from Client authentication using private_key_jwt

  • OPENAM-18864: Upgrade Radius Server Client Secrets fails due to service config cache cleared

  • OPENAM-18836: No TransactionId on "debug.out" for the AM recording.

  • OPENAM-18833: Client authentication using private_key_jwt will cause 500 if claims value is null

  • OPENAM-18780: JwksOAuth2AgentEventListener class not setting the correct default cache miss time value

  • OPENAM-18756: Entering correct otp after entering wrong otp fails authentication

  • OPENAM-18753: Upgrading AM Radius server with clients causes Radius auth failures

  • OPENAM-18711: AES Encryption/Decryption fails when running in Java 17

  • OPENAM-18705: Problem with Page Node using node relying on secureState

  • OPENAM-18684: redirect to /authorize endpoint fails for 2nd OIDC App for Federated Users w/ multi OIDC Clients

  • OPENAM-18679: OATH Registration node doesn’t work when placed inside a 'Page' node

  • OPENAM-18663: AM should check new realm with rest end-point names by ignoring case

  • OPENAM-18661: Two or more OAuth2 clients with duplicate origins causes CORS filter to be aborted

  • OPENAM-18646: Upgrade for AM 7.1.0 to 7.2+ may fail, because of upgrading existing java agent profile

  • OPENAM-18644: IdRepo cache can not be disabled anymore

  • OPENAM-18640: REST-STS is using the old path to reach /users endpoint

  • OPENAM-18623: issue with jwk_uri endpoint called in parallel

  • OPENAM-18610: RealmOAuth2ProviderSettings for getJwks is broken in that it permits empty set.

  • OPENAM-18605: Proxy authentication required error when connecting to a target host over https via a proxy that requires authentication

  • OPENAM-18586: Lack of debugging message when AM is not able to read the encrypted_base64 folder after upgrade

  • OPENAM-18547: Unable to load PlatformRegistration when Using Stateless Access Token with BaseURL

  • OPENAM-18536: Java agent property org.forgerock.agents.session.change.notifications.enabled should be presented in XUI

  • OPENAM-18511: Missing navigation options when an expired link from "Email Suspend" node is used

  • OPENAM-18443: Transactional authentication is disabled on new installs

  • OPENAM-18434: Authorization Code flow redirects to malformed uri if redirect_uri contains underscore

  • OPENAM-18297: Outbound calls to Jwks_URI endpoint does not support proxy settings

  • OPENAM-18256: JWK Cache timeout is not set for OAuth 2.0 clients created dynamically

  • OPENAM-18175: SMSUtils#addAttributesToMap inconsistency with array ordering

  • OPENAM-18141: AM no longer uses global SAML configuration

  • OPENAM-18130: "Agent Configuration Change Notification" uses the same help text in the XUI for Java and Web agents, but the property name is different

  • OPENAM-18120: Audit logging service does not correctly reflect the "prompt" URL parameter

  • OPENAM-18090: Creation of UMA Policy to share a resource fails when identities have custom attributes

  • OPENAM-18030: Message node shows inconsistent behaviour regarding the default locale

  • OPENAM-18005: Insufficient error message to troubleshoot persistent search issue

  • OPENAM-17949: Account lockout applied to tree even when ignore profile selected

  • OPENAM-17904: Json Audit Log Location not working when modifying location to only include %SERVER_URI% variable

  • OPENAM-17833: Internal accepted Audience AUD formed from DNS Alias could be wrong when BaseURL does not have port

  • OPENAM-17830: Error messages are logged when the Push Notification Service is absent

  • OPENAM-17829: External UMA Resource Set using SSL but not StartTLS fails

  • OPENAM-17593: Deadlock when admin token is invalid and when config data is getting cleared

  • OPENAM-17271: Typo for Realm in SAML/Federation debug

  • OPENAM-17102: OAuth2 client bearer authentication has insufficient logs for troubleshooting failing client authentication

AM 7.1.1

  • OPENAM-18604: Formatting issues in Upgrade Report

  • OPENAM-18573: URLPatternMatcher or RedirectURLValidator fails when query string contains "%20"

  • OPENAM-18566: Missing 'org.forgerock.security.oauth2.enforce.sub.claim.uniqueness' after upgrade from 7.1.0

  • OPENAM-18559: Upgrade from 6.5.3 to 7.1.0 fails with UpgradeException - "com.sun.identity.sm.InvalidAttributeValueException: Saved Consent Attribute Name is required."

  • OPENAM-18532: Web Agent property org.forgerock.agents.pdp.javascript.repost has incorrect description in XUI

  • OPENAM-18523: NullPointerException when AgentsRepo with from group is changed

  • OPENAM-18459: IdTokenInfo endpoint behaviours change from 6.x and fails when using client_id in POST

  • OPENAM-18422: Email Template node creates threads without terminating them

  • OPENAM-18421: In Platform environment, using an Email Template node creates a new thread that does not terminate

  • OPENAM-18389: HttpClientHandler Guice injection in tree is typically broken with thread pool growth

  • OPENAM-18377: Authorization fails using auth module if user has authenticated with alias name

  • OPENAM-18366: Upgrade Report contains unformatted line feeds "%LF%"

  • OPENAM-18359: Choice Collector Node appears to not be present following upgrade

  • OPENAM-18321: CertificateCollectorNode fails when checking cert in LDAP Directory Server

  • OPENAM-18319: Realm is added more than once when session upgrade happens more than once with modules.

  • OPENAM-18316: Typo in oauth2 template (templates/touch/authorize.ftl)

  • OPENAM-18306: OAuth2 Authorization Code Grant Fails when including scope parameter at access_token endpoint

  • OPENAM-18258: Failed to load configuration for OAuth2Provider observed after upgrade

  • OPENAM-18241: Permit OAuth2 Modification Script to return scopes as a space-delimited string

  • OPENAM-18235: IdPAdapter does not have access to IDPCache in preSendResponse hook when there is an existing session

  • OPENAM-18227: Upgrade from 6.0.x / 6.5.x can fail at Unsupported node type PersistentCookieDecisionNode

  • OPENAM-18212: Check for user/agent profile condition during login can be refined further

  • OPENAM-18207: Global Service cache is not updated by changes from other servers in a site

  • OPENAM-18205: Excessive logging occurs when agent profile is not found

  • OPENAM-18180: No TransactionId present for AuthTreeExecutor

  • OPENAM-18171: Back-Channel logout keeps adding to trackingIds audit for every logout

  • OPENAM-18167: OIDC requests with request parameter fail with 500 error when there is no session using POST

  • OPENAM-18154: Wrong AMR returned with prompt=login and force authn setting enabled

  • OPENAM-18153: OpenIdConnect node call to well-known endpoint does not support proxy settings

  • OPENAM-18140: AM Error "Trying to redefine version 0.0 for path" thrown on AM startup with forgeops

  • OPENAM-18121: Slow loading in Authentication Tree

  • OPENAM-18119: Audit log no longer shows the userID of session being invalidated by amadmin

  • OPENAM-18090: Creation of UMA Policy to share a resource fails when identities have custom attributes

  • OPENAM-18085: SocialProviderHandlerNode does not work in an upgraded AM

  • OPENAM-18068: Upgrade from the AM 6.5.3 to 7.1.0 does not work, if Java Agent profile exist

  • OPENAM-18065: Logback.jsp can not be used to set log levels loggers in custom code

  • OPENAM-18057: Identities page displays Internal Server Error when a user does not have search attribute defined

  • OPENAM-18043: Device Match module not setting correct AuthLevel

  • OPENAM-18017: Creation of UMA Policy to share a resource fails when identities have custom object classes

  • OPENAM-18009: AM returns HTTP error code 500 when authenticating with authIndexType service without authIndexValue

  • OPENAM-18006: Persistent search for identity store does not recover

  • OPENAM-18003: WS-Federation Active Requestor Profile does not work with Authentication Trees

  • OPENAM-17993: The org.forgerock.openam.auth.nodes.webauthn.trustanchor.TrustAnchorValidator is missing a @Nullable annotation

  • OPENAM-17979: Backchannel authentication - auth_req_id can be used to obtain multiple access tokens

  • OPENAM-17962: LDAP Decision Node does not put updated password in transient state

  • OPENAM-17954: Accept-Language header locale ignored on OAuth2 Consent page

  • OPENAM-17935: Missing 'return' statement in the happy flow of the kerberos node

  • OPENAM-17923: Retry Limit Decision Should Not Have User Involvement when Save Retry Limit to User is Disabled

  • OPENAM-17916: When no session exists logout page redirects to login

  • OPENAM-17912: Account lockout count is not reset correctly

  • OPENAM-17896: ForgottenPassword Reset on multiple cluster not working when reset link clicked

  • OPENAM-17870: ScriptedDecisionNodes schema config not upgraded and sharedState does not work after upgrade

  • OPENAM-17863: Authorization code is not issued when nonce is not supplied when using OpenID Hybrid profile

  • OPENAM-17828: Apostrophe in username breaks Push/OATH device registration

  • OPENAM-17826: Introspect endpoint returns a static value for "expires_in" when using client based tokens

  • OPENAM-17814: Auth Tree step-up fails if username case does not match

  • OPENAM-17801: OIDC userinfo subname claim returns incorrect value

  • OPENAM-17793: OIDC pairwise subject not working when multiple redirect URIs configured with the same hostname

  • OPENAM-17782: Policy evaluation fails with 400 error when user does not exist

  • OPENAM-17774: Missing exp claim throws NullPointerException on CIBA bc-authorize endpoint

  • OPENAM-17773: The acr_values parameter is mandatory on CIBA bc-authorize endpoint

  • OPENAM-17760: PEM support incorrectly decodes some EC private keys

  • OPENAM-17738: Java Agent "Client IP Validation Mode" property does not work when key is empty from XUI

  • OPENAM-17718: OAuth2 Introspection endpoint does not accept Accept header with extra accept extension param (like weight q=0.8) or charset

  • OPENAM-17678: Radius server fails to initialize on startup due to Config cache refreshed

  • OPENAM-17677: The oauth2/device/code endpoint does not support locale parameter

  • OPENAM-17663: Improve the error response code for "Failed to revoke access token"

  • OPENAM-17630: JMS Audit logging broken and cannot start up

  • OPENAM-17610: OTP Email Sender node does not allow to specify connect timeout and IO/read timeout for underlying transport.

  • OPENAM-17590: OIDC login hint cookie broken since 7.0

  • OPENAM-17587: OIDC bearer token authentication module requires context value setting for client secret

  • OPENAM-17493: OAuth2 node does not support external proxy authentication (user/pass)

  • OPENAM-17405: Token introspection response not spec compliant

  • OPENAM-17320: Revisit prompt=login behaviour change that keeps existing session

  • OPENAM-17265: Wrong authorized_keys file updated

  • OPENAM-17262: Subname claim inconsistencies

  • OPENAM-16988: The accessedEndpoint including port causes verify Assertion Consumer URL to fail

  • OPENAM-16881: SAML federation library stopped supporting ACS URLs with query parameters

  • OPENAM-16653: Identity using fr-idm-uuid has wrong account ID in FR Authenticator

  • OPENAM-16642: Server id creation can fail when id is greater than 100

  • OPENAM-16554: Misplaced bufferingEnabled checkbox in New Syslog configuration

  • OPENAM-16491: SAML Update introduces javascript calls that aren’t available in IE8 and below (or IE11 using Enterprise mode)

  • OPENAM-16418: Client auth using private_key_jwt fails with 500 if claim format is wrong

  • OPENAM-16216: Get Session Data node improvements

  • OPENAM-15861: NullPointerException in CollectionHelper.getServerMapAttrs

  • OPENAM-15740: Document _fields is case sensitive

  • OPENAM-15278: "Access Denied" error when accessing logout link and not currently signed in

  • OPENAM-13855: CTS creates too many connections to DS

  • OPENAM-13312: Stateless non-expiring refresh tokens fail with "invalid_grant"

  • OPENAM-11636: IdP-Proxy - proxyidpfinder.jsp is not triggered when 'Use IDP Finder' is enabled for remote SP entity

AM 7.1

  • OPENAM-17396: Terms of Service URI Link does not Display in Consent Page

  • OPENAM-17395: SocialOpenIdConnectNode fails to recover from client’s connection reset

  • OPENAM-17365: Checking agent type with caller token can cause deadlock

  • OPENAM-17364: Prompt login / session upgrade / OIDC ACR looping with trees

  • OPENAM-17361: API Explorer Swagger Template body needs to be modified to include configExport, debugLogs and threadDump as per the API Documentation

  • OPENAM-17357: Remote Consent Service RCS does follow RCS consented scope when authorization endpoint accessed without any scope

  • OPENAM-17353: HTML pages are not picked up when placing in a theme folder

  • OPENAM-17349: OIDC Refresh token - Ops token is deleted from the CTS during refresh

  • OPENAM-17343: Access token call returns 500 error if password needs to be changed or has expired

  • OPENAM-17322: SAML2 bearer grant returns NoUserExistsException

  • OPENAM-17317: A realm without any modules can cause increased thread count and slow response.

  • OPENAM-17276: AM recorder does not record anymore

  • OPENAM-17271: Typo for Realm in SAML/Federation debug

  • OPENAM-17260: Allow arg=newsession usage in authorize calls

  • OPENAM-17242: OAuth2 Policy - Environment Condition AuthLevel >= doesn’t work for ROPC grant

  • OPENAM-17220: OAuthLogout.jsp compilation error isGotoUrlValid method signature not found

  • OPENAM-17199: Insufficient debug logging for 'DJLDAPv3Repo.getAssignedServices'

  • OPENAM-17156: Adaptive Risk checkGeoLocation null countryCode can cause module fail.

  • OPENAM-17136: OAuth2 Dynamic Client Registration does not recognise spec-defined parameters

  • OPENAM-17121: Inefficient synchronized block in OAuth2ProviderSettingsFactory

  • OPENAM-17114: Save Consent check box always shown, even when not configured

  • OPENAM-17097: Inconsistent scope policy evaluation between authorize and ROPC

  • OPENAM-17089: Forgot password functionality broken

  • OPENAM-17070: SAML2 SP-initiated SSO with AM as IdP proxy: RelayState is not returned from proxy after IdP authentication

  • OPENAM-17060: Audit Logging "Resolve host name" is still available after OPENAM-7849

  • OPENAM-17037: AM Upgrade from 6.0.0.7 to 7.0.0 causing NPE

  • OPENAM-17034: If User Profile is set to Ignored in a realm, the realm-level Session Service quota settings are also ignored and only the global (top-level) Session Service setting is evaluated

  • OPENAM-17017: REST STS fails with "unable to get sub-schema" if cache is refreshed while updating REST config

  • OPENAM-17006: Hosted SAML entity - can not remove bindings

  • OPENAM-16998: Poor logging around failures "Invalid Assertion Consumer Location specified"

  • OPENAM-16997: Device code grant implied consent fails if access_token request performed before user authenticates

  • OPENAM-16988: Accessed endpoint including port causes verify Assertion Consumer URL to fail

  • OPENAM-16955: When setCookieToAllDomains=false is used, a non matching request from other domain will fail

  • OPENAM-16947: Kerberos Node in 7.0 fails to return goTo(false)

  • OPENAM-16944: LDAP Decision node fails if inetuserstatus does not exist

  • OPENAM-16936: Tree nodes create new keystore object each time node is called.

  • OPENAM-16935: Logout issue after logging into AM with 'Remember my username' selected with iOS 14.0.1

  • OPENAM-16934: sm.getSchemaManager has a typo including a comma

  • OPENAM-16926: Success URL node doesn’t work with SAML Node for IdP-initiated SSO when not using Integrated mode

  • OPENAM-16910: Can not create SAML entity with entity id including a semicolon ';'

  • OPENAM-16907: Kerberos Node in 7.0 does not work

  • OPENAM-16904: OIDC bearer module fails with NPE when id_token does not contain kid

  • OPENAM-16883: AM ignores AuthnRequestsSigned property during SSO

  • OPENAM-16876: Default ACR values on OIDC client profile is not honoured in order of preference

  • OPENAM-16866: AM should fail gracefully if id_token fails to generate when swapping refresh token

  • OPENAM-16849: WeChat Social Auth module broken (regression)

  • OPENAM-16848: Choice Collector and WDSSO node combination does not work if whitelisting is enabled

  • OPENAM-16847: AM email service failing with 'Start TLS' option

  • OPENAM-16838: AuthenticationApproachChecker does not handle session upgrade modules

  • OPENAM-16823: IDM Nodes does not send or propagate transactionId tracking when contacting IDM

  • OPENAM-16807: The dynamic values for request_uri being stored in client config does not expire and is not automatically removed

  • OPENAM-16801: SAML2 SP init SSO fails after upgrade to 7.0.0

  • OPENAM-16784: Upgrade to 7 fails with NullPointerException in Saml2EntitySecretsStep

  • OPENAM-16769: Enabling Auto-federation when User Profile is Dynamic on SP causes SP to hang during SAML flow

  • OPENAM-16758: Cannot install AM 7 on Windows

  • OPENAM-16745: client_id in access token ignores what’s been registered when idm cache is disabled

  • OPENAM-16726: Insufficient debug logging for OAuth2 error 'invalid_client Server does not support this client’s subject type'

  • OPENAM-16703: OAuth2 Access token obtained from refresh token is certificate-bound regardless of "Certificate-Bound Access Tokens" configuration (when client_secret_basic used for credentials)

  • OPENAM-16701: The authorize endpoint with a service parameter will cause the parameter to appear as a PAP claim in the agent’s ID token

  • OPENAM-16684: OIDC Dynamic Registration client_description cannot take String type

  • OPENAM-16669: IdentityGateway Agent entry missing attribute required to support org.forgerock.openam.agent.TokenRestrictionResolver#getAgentInfo

  • OPENAM-16617: SuccessURL session property is set to gotoURL in authentication tree

  • OPENAM-16608: AM with embedded DS setup fails with permission denied for truststore

  • OPENAM-16583: Crucial information is missing when encountering LDAP connections issue.

  • OPENAM-16556: Radius Server’s does not log IP address into AM Audit logs

  • OPENAM-16555: Audit logging does not tell which policy allowed or denied a resource request

  • OPENAM-16540: Issues with Social Login URLs when navigating quickly between providers

  • OPENAM-16535: "JWKs URI content cache miss cache time" is not triggered when "kid" is missing from cached JWK Set

  • OPENAM-16515: Social auth - insufficient debug logging for troubleshooting

  • OPENAM-16485: 'Failed Login URL' is not picked up from the auth chain

  • OPENAM-16472: Proxied Authentication fallback may not work when user entry lacks some attributes

  • OPENAM-16450: 501 when default resource version set to "oldest" and Accept-API-Version header set

  • OPENAM-16418: private_key_jwt client auth fails with 500 if claim format is wrong

  • OPENAM-16368: Settings of Mail and Scripting global service properties are overwritten at upgrade

  • OPENAM-16367: OIDC request_uri response causes NPE while debug logging

  • OPENAM-16354: Concurrency bug in OAuth2ProviderSettingsFactory

  • OPENAM-16338: Failing REQUISITE module after SUFFICIENT Device Match doesn’t fail chain properly

  • OPENAM-16157: Session Property Whitelist Service allows case variant Property Names but DS is not case sensitive

  • OPENAM-16152: After upgrade, new Identity page has duplicate 'new identity' field and email address does not save

  • OPENAM-16006: Device Code Grant does not work with Implied Consent as Authorization is not approved even after consented

  • OPENAM-15963: Historical retention files ( csv ) were not deleted

  • OPENAM-15948: Update DS profiles to add VLV indexes for CTS use

  • OPENAM-15743: Excessive CTS logging when Reaper is disabled (com.sun.am.ldap.connnection.idle.seconds=0)

  • OPENAM-15671: LoginContext is missing debug logging for troubleshooting

  • OPENAM-15663: UserInfoClaims is not part of public API

  • OPENAM-14898: OTP Email Sender Authentication Node fails if no SMTP authentication credentials are specified

  • OPENAM-14682: Microsoft Social Auth fails when creating a Microsoft account (Legacy OAuth2)

  • OPENAM-14527: Microsoft Social Auth does not work with latest MS endpoints (Legacy OAuth2)

  • OPENAM-12503: SizeBasedRotationPolicy does not delete oldest file

Fixes in AM 7.0.x

This page lists the cumulative fixes in AM 7.0.x releases:

AM 7.0.2

  • OPENAM-17689: LDAPv3PersistentSearch should log when psearch connection is lost

  • OPENAM-17688: InMemoryCtsSessionCacheStep#cacheTrusted field should be marked volatile

  • OPENAM-17683: Selfservice user registration auto login fails for a sub-realm

  • OPENAM-17673: Nodes within a Page node do not have access to secure state

  • OPENAM-17672: Page Node does not expose inner nodes inputs or outputs

  • OPENAM-17630: JMS Audit logging broken and cannot start up

  • OPENAM-17591: Session quota destroy next expiring action can fail when two new sessions attempt to read and update the same expiring session

  • OPENAM-17587: OIDC bearer token authentication module requires context value setting for client secret

  • OPENAM-17570: OIDC request parameter decryption fails to find any applicable keys

  • OPENAM-17555: AM 7.x versions of Amster use Java 8 format of debug port

  • OPENAM-17517: JS versions of Social Identity Provider Profile Transformation scripts do not work due to a casting error.

  • OPENAM-17515: Sub attribute in access token can be in wrong casing

  • OPENAM-17483: SecretsPlugin upgrade from 6.5.x failing

  • OPENAM-17477: Thread-safety issue in AMAuthenticationManager

  • OPENAM-17436: JS version of the OIDC Claims script does not work due to a casting error.

  • OPENAM-17405: Token introspection response not spec compliant

  • OPENAM-17397: ssoadm can fail for some cloud-based setups due to FileBasedConfiguration check

  • OPENAM-17365: Checking agent type with caller token can cause deadlock

  • OPENAM-17364: prompt login / session upgrade / OIDC ACR looping with trees

  • OPENAM-17361: API Explorer Swagger Template body needs to be modified to include configExport, debugLogs and threadDump as per the API Documentation

  • OPENAM-17357: Remote Consent Service RCS does follow RCS consented scope when authorization endpoint accessed without any scope

  • OPENAM-17349: OIDC Refresh token - Ops token is deleted from the CTS during refresh

  • OPENAM-17337: Access token passed in request body results in failure

  • OPENAM-17324: Client credentials grant in FBC config with group inheritance causes User not Valid Error

  • OPENAM-17322: SAML2 bearer grant returns NoUserExistsException

  • OPENAM-17321: Prometheus Endpoint returns http 500 error when used with file based config

  • OPENAM-17317: A realm without any modules can cause increased thread count and slow response.

  • OPENAM-17310: 'ssoadm list-datastore-types' sub-command broken

  • OPENAM-17277: AM Recording with thread dump only shows depth of 8

  • OPENAM-17276: AM recorder does not record anymore

  • OPENAM-17274: AM should not change the supported subject types for an existing install

  • OPENAM-17271: Typo for Realm in SAML/Federation debug

  • OPENAM-17265: Wrong authorized_keys file updated

  • OPENAM-17242: OAuth2 Policy - Environment Condition AuthLevel >= doesn’t work for ROPC grant

  • OPENAM-17220: OAuthLogout.jsp compilation error isGotoUrlValid method signature not found

  • OPENAM-17199: Insufficient debug logging for 'DJLDAPv3Repo.getAssignedServices'

  • OPENAM-17175: XUI OAuth2 consent page does not render when using themes

  • OPENAM-17157: Password reset via admin console with Proxied Authorization enabled is not possible

  • OPENAM-17156: Adaptive Risk checkGeoLocation null countryCode can cause module fail.

  • OPENAM-17121: Inefficient synchronized block in OAuth2ProviderSettingsFactory

  • OPENAM-17117: Service config XML dump consumes a lot of memory (whole config is read to memory)

  • OPENAM-17114: Save Consent check box always shown, even when not configured

  • OPENAM-17102: OAuth2 client bearer authentication has insufficient logs for troubleshooting failing client authentication

  • OPENAM-17097: Inconsistent scope policy evaluation between authorize and ROPC

  • OPENAM-17089: Forgot password flow not working after initial attempt to reset password fails

  • OPENAM-17081: OAuth2 client agent group settings are not taken into account

  • OPENAM-17079: Identities and Session : unexpected returned error when trying to request for unexisting identity

  • OPENAM-17070: SAML2 SP initiated SSO with AM as idp Proxy, RelayState is not returned from proxy after idp authentication

  • OPENAM-17066: Unable to add server to existing deployment through UI

  • OPENAM-17042: User Self Registration REST API does not generate SSO token

  • OPENAM-17019: Allowing wildcards in OAuth 2.0 clients prevents exact matching from working

  • OPENAM-17017: REST STS fails with unable to get sub-schema if cache is refreshed while updating REST config

  • OPENAM-16998: Poor logging around failures "Invalid Assertion Consumer Location specified"

  • OPENAM-16997: Device code grant implied consent fails if access_token request performed before user authenticates

  • OPENAM-16955: When setCookieToAllDomains=false is used, a non matching request from other domain will fail

  • OPENAM-16944: LDAP Decision node fails if inetuserstatus does not exist

  • OPENAM-16932: PageNode does not pick up outcomes if ScriptedDecisionNode is used inside

  • OPENAM-16910: Can not create SAML entity with entity id including a semicolon ';'

  • OPENAM-16904: OIDC bearer module fails with NPE when id_token does not contain kid

  • OPENAM-16883: AM ignores AuthnRequestsSigned property during SSO

  • OPENAM-16881: SAML federation library stopped supporting ACS URLs with query parameters

  • OPENAM-16876: Default ACR values on OIDC client profile is not honoured in order of preference

  • OPENAM-16849: WeChat Social Auth module broken (regression)

  • OPENAM-16801: SAML2 SP init SSO fails after upgrade to 7.0.0

  • OPENAM-16726: Insufficient debug logging for OAuth2 error 'invalid_client Server does not support this client’s subject type'

  • OPENAM-16651: Default configuration fails if the trust store type JVM property is not defined for the JVM

  • OPENAM-16638: AM with embedded DS setup fails when Java system keystore properties are set

  • OPENAM-16608: AM with embedded DS setup fails with permission denied for truststore

  • OPENAM-16581: SAML Authentication Module on hosted SP gets SAML No authentication context error

  • OPENAM-16556: Radius Server does not log IP address into AM Audit logs

  • OPENAM-16515: Social auth - insufficient debug logging for troubleshooting

  • OPENAM-16472: Proxied Authentication fallback may not work when user entry lacks some attributes

  • OPENAM-16364: Macaroon access tokens don’t work with the new any-realm token introspection

  • OPENAM-16262: Javadocs for IdUtils needs updating

  • OPENAM-15963: Historical retention files ( csv ) were not deleted

  • OPENAM-15214: Auth Tree - Clicking save with no changes causes render problem with node attributes inside page node

  • OPENAM-14240: FMSigProvider.verify does not tell if certificates are provided

  • OPENAM-13783: REST STS: Cannot add or modify nameID format in SAML config, and default value stated in help is incorrect

  • OPENAM-13575: Unhelpful log message when OIDC public client wants to use HMAC id token signing

AM 7.0.1
  • OPENAM-16935: Logout issue after logging into AM with 'Remember my username' selected with iOS 14.0.1

  • OPENAM-16934: sm.getSchemaManager has a typo including a comma

  • OPENAM-16907: Kerberos Node in 7.0 does not work

  • OPENAM-16877: Error when creating AM "Self-service Trees" service in native admin ui

  • OPENAM-16848: Choice Collector and WDSSO node combination does not work if whitelisting is enabled

  • OPENAM-16847: AM email service failing with 'Start TLS' option

  • OPENAM-16838: AuthenticationApproachChecker does not handle session upgrade modules

  • OPENAM-16823: IDM Nodes does not send or propagate transactionId tracking when contacting IDM

  • OPENAM-16802: Upgrade from OpenAM 7.0 to 7.1.0 SNAPSHOT causes NPE

  • OPENAM-16794: Google KMS options missing after upgrade from 6.5

  • OPENAM-16791: AMAccessAuditEventBuilder#forRequest can generate an entry with :-1 for the port

  • OPENAM-16769: Enabling Auto-federation when User Profile is Dynamic on SP causes SP to hang during SAML flow

  • OPENAM-16759: Amster on windows : AM does not restart properly after setup

  • OPENAM-16758: Cannot install AM 7 on Windows

  • OPENAM-16745: client_id in access token ignores what’s been registered when idm cache is disabled

  • OPENAM-16703: OAuth2 Access token obtained from refresh token is certificate-bound regardless of "Certificate-Bound Access Tokens" configuration (when client_secret_basic used for credentials)

  • OPENAM-16702: Saving engine configuration in FBC mode makes that config non-readable

  • OPENAM-16701: The authorize endpoint with a service parameter will cause the parameter to appear as a PAP claim in the agent’s ID token

  • OPENAM-16697: Case mismatch for realm (when using legacy realm identifier format) on well-known endpoint results in issuer with incorrect path format

  • OPENAM-16686: Cannot create a User after upgrade from 6.5.2 to 7.0.1

  • OPENAM-16684: OIDC Dynamic Registration client_description cannot take String type

  • OPENAM-16669: IdentityGateway Agent entry missing attribute required to support org.forgerock.openam.agent.TokenRestrictionResolver#getAgentInfo

  • OPENAM-16650: Authz Policy Subjects Policy.title is showing property name text

  • OPENAM-16641: OAuth2 provider supported grant types attribute missing localization property on XUI

  • OPENAM-16606: Missing "org.forgerock.openam.saml2.authenticatorlookup.skewAllowance" property in server defaults

  • OPENAM-16594: ssoadm help should be updated to reflect changes in AME-18650 / OPENAM-16155

  • OPENAM-16583: Crucial information is missing when encountering LDAP connections issue.

  • OPENAM-16555: (audit) logging does not tell which policy allowed or denied a resource request

  • OPENAM-16551: Scalar String in OAuth2 Access Token Modification Script result in Unable to Obtain Access Token

  • OPENAM-16545: Upgrade to AM 7.0.0 can cause problems with properties being overridden for some web agents

  • OPENAM-16485: 'Failed Login URL' is not picked up from the auth chain

  • OPENAM-16483: XUI - Typo in SAML SP "Default Relay State Url" label

  • OPENAM-16368: Settings of Mail and Scripting global service properties are overwritten at upgrade

  • OPENAM-16367: OIDC request_uri response causes NPE while debug logging

  • OPENAM-16354: Concurrency bug in OAuth2ProviderSettingsFactory

  • OPENAM-16338: Failing REQUISITE module after SUFFICIENT Device Match doesn’t fail chain properly

  • OPENAM-16157: Session Property Whitelist Service allows case variant Property Names but DS is not case sensitive

  • OPENAM-16152: After upgrade, new Identity page has duplicate 'new identity' field and email address does not save

  • OPENAM-16006: Device Code Grant does not work with Implied Consent as Authorization is not approved even after consented

  • OPENAM-15671: LoginContext is missing debug logging for troubleshooting

  • OPENAM-15663: UserInfoClaims is not part of public API

  • OPENAM-14682: Microsoft Social Auth fails when creating a Microsoft account (Legacy OAuth2)

  • OPENAM-14527: Microsoft Social Auth does not work with latest MS endpoints (Legacy OAuth2)

  • OPENAM-11706: Policies in a policy set are not visible in Internet Explorer IE

AM 7.0
  • OPENAM-16433: Audit Logging change of behaviour when capturing "principals" and "userid" data for each authentication entry.

  • OPENAM-16425: AM does not handle malformed/incorrect signature correctly

  • OPENAM-16402: The passwordpolicy.allowDiagnosticMessage should be applicable to admin and selfservice password change.

  • OPENAM-16379: URL fragments like # cause forbidden login in the XUI

  • OPENAM-16284: XUI does not handle Special Chars / UTF-8 in realms properly.

  • OPENAM-16279: AgentsRepo cannot recover when it fails especially on external Application store.

  • OPENAM-16251: OIDC authentication request with parameters 'prompt=none' and 'acr_values=' triggers authentication

  • OPENAM-16240: REST STS under subrealm cannot generate id_token with realm claim

  • OPENAM-16233: Policy evaluation fails when subject not found (even in ignore profile)

  • OPENAM-16214: Push Authentication Module does not work on Session Upgrade when User Cache disabled

  • OPENAM-16184: Zero Page Login Collector does not work with UTF-8 base 64 encoded usernames and passwords

  • OPENAM-16165: social authmodule causes NullPointerException

  • OPENAM-16164: social authmodule fails if OIDC provider uses algorithm RS256 to sign Id Token

  • OPENAM-16136: queryFilter only matches against first entry in array

  • OPENAM-16132: When TtlSupport is enabled, Stateless OAuth2 Refresh token and JWT whitelist fails on synchroniseExpiryDates

  • OPENAM-16032: Unable to delete devices with Recovery Code Collector Decision Node

  • OPENAM-16031: Intermittent error message when concurrent obtain SSO Token ID with session quota constraints

  • OPENAM-16014: An invalid user passed to any WebAuthn node throws NPE and breaks the Tree flow

  • OPENAM-16013: Mismatched kid from Json Web Key URI when Specified Encryption Algorithm

  • OPENAM-16009: Windows Desktop SSO node full adoption and compliance with tree node specifications

  • OPENAM-15989: OAuth2 client_id should be url-decoded when using basic auth

  • OPENAM-15982: OIDC - JWT Request Parameter returns errors in query, not in the fragment when consent is denied

  • OPENAM-15970: Access Token introspect Fails in subrealm after root realm modified

  • OPENAM-15944: WS-Federation - RPSignin Request fails because config data is used unchecked

  • OPENAM-15905: Login failure with Post Authentication Plugin on timed out Authentication session throws NullPointerException

  • OPENAM-15900: Kerberos fails when used with IBM JDK

  • OPENAM-15896: WS-Federation relying party initiated passive request - stuck at Account Realm selection

  • OPENAM-15881: Custom AM User (amUser.xml) field does not use default values from the schema

  • OPENAM-15858: Auth Tree fails before 'Max Authentication Time' is reached if authentication session state management scheme CTS is used

  • OPENAM-15853: External UMA store fails on resource creation

  • OPENAM-15805: idtokeninfo endpoint gives invalid signature error when ID Token is expired

  • OPENAM-15785: OIDC spec violation - HTTP POST can not be used to send Authentication Request

  • OPENAM-15784: Form elements in policy environment condition tab are displayed twice

  • OPENAM-15766: LoginState - account lockout is checked although AM AccountLockout is disabled

  • OPENAM-15758: KeyStore Secret Store fails to start due to secretId having some characters.

  • OPENAM-15750: ERROR: OAuth2Monitor: Unable to increment "oauth2.grant" metric for unknown grant type BACK_CHANNEL

  • OPENAM-15724: SAML2 entities do not set amlbcookie if there is only one server

  • OPENAM-15713: AM SP drops the 80-character RelayState silently for HTTP Redirect

  • OPENAM-15698: IdP-initiated SSO fails with error 'Error processing AuthnRequest. IDP Session is NULL'

  • OPENAM-15697: Default ACR values from OAuth2 provider not taken into account

  • OPENAM-15694: RestSTSServiceHttpRouteProvider causes memory leak by adding route for every access

  • OPENAM-15679: The option "com.sun.am.ldap.connnection.idle.seconds" has a misspelling

  • OPENAM-15670: DeviceIdSave auth module initialization fails if username is null

  • OPENAM-15667: AM debug log does not tell which auth-module was handled - needed for troubleshooting

  • OPENAM-15645: The &refresh=true|false parameter for _action=validate is not working as expected

  • OPENAM-15632: OAuth2 Refresh token lifetime with -1 (never expires) cannot work with CTS TTL support

  • OPENAM-15628: Grant-Set Storage Scheme for CTS does not work with CIBA Flow

  • OPENAM-15627: Switching CTS Storage Scheme to "Grant-set" fails with stateless refresh-tokens created with "One-To-One"

  • OPENAM-15579: AM cookies are not set after successful SP-initiated SSO flow if SP Adapter calls 'response.sendRedirect(String)'

  • OPENAM-15559: OATH module broken in Japanese locale

  • OPENAM-15533: WS-Federation doesn’t work with Authentication Trees

  • OPENAM-15530: OAuth2/OIDC - Resource Owner Password flow with a public client creates an AM session in CTS

  • OPENAM-15520: XUI Localisation Falls Back To AM-Default "EN" Instead Of Language-Default

  • OPENAM-15508: moduleMessageEnabledInPasswordGrant does not apply to Trees

  • OPENAM-15507: 500 error when calling /revoke or /refresh endpoint with wrong token

  • OPENAM-15501: Xml encryption 1.1 namespaces aren’t always mapped to prefixes correctly

  • OPENAM-15494: AM expects nonce request parameter in authorize request when no id_token will be returned

  • OPENAM-15491: Self service password reset returns 500 Internal Server Error, when new password rejected by datastore password policies.

  • OPENAM-15489: WebAuthN Auth Node Doesn’t Respect UV=Discouraged During AuthN

  • OPENAM-15465: Sending HTTP Callback from Inner Tree Evaluator Fails Authentication

  • OPENAM-15459: When Encrypted Attributes on SP is set only with AutoFederation enabled, the attributes get decryption error

  • OPENAM-15425: OIDC endsession - encrypted id_tokens are not supported

  • OPENAM-15374: OpenID Client authentication with private_key_jwt and client_secret_jwt does not enforce required jti claims

  • OPENAM-15355: PageNode with multiple InputNodes without value throws Unsupported InputOnlyPasswordCallback

  • OPENAM-15349: Access Token request returns a 500 error

  • OPENAM-15345: at_hash value generated does not take the latest modified access token

  • OPENAM-15323: ROPC with tree throws "Internal Server Error (500)" when user credentials are incorrect using AuthTree

  • OPENAM-15307: Trees Example is not working as expected OOTB to ?service=Example

  • OPENAM-15303: Claims with multiple values in issued_token from REST STS represented inconsistently.

  • OPENAM-15244: AM configuration does not perform schema extension for identity store although it has the permissions

  • OPENAM-15210: Authentication nodes that are assigned AuthType values may not work in Session Upgrade case with custom modules

  • OPENAM-15164: CDSSO with "ignore profile" throws "No OpenID Connect provider"

  • OPENAM-15160: LDAP Decision Node throws NPE when custom ldap server returns LDAP code 50 on bind

  • OPENAM-15150: Upgrade fails when there is a bad Token Signing ECDSA public/private key pair alias field

  • OPENAM-15147: HTTP 500 upon accessing openam/json/

  • OPENAM-15145: OpenAM Scope Validator calls getUserInfo twice when creating IdToken

  • OPENAM-15121: Persistent Cookie Auth Tree does not work after the second relogin ( with browser closed )

  • OPENAM-15117: KeyVault KeyStoreType not supported

  • OPENAM-15116: Auth ID jwt can be modified to determine whether a realm exists or not

  • OPENAM-15105: Unable to get trusted devices using REST API

  • OPENAM-15101: Remove the ability to disable XUI

  • OPENAM-15089: SAML SLO - Allow RelayState to be a path-relative URL

  • OPENAM-15076: webAuthn config does not allow for multiple origins under the same rpId

  • OPENAM-15044: OpenID connect id_token bearer Module Unable to obtain SSO Token due to OpenIDResolver Caching

  • OPENAM-15036: Cannot view/manage SAML IdP entity in console, imported from schema compliant meta data file

  • OPENAM-15028: Cannot load metadata in ssoadm without extended metadata

  • OPENAM-15012: OIDC - JWT Request Parameter returns errors in query, not in the fragment

  • OPENAM-14995: IdP Initiated single logout only performs local logout if IdP session cannot be found in cache

  • OPENAM-14991: Changes to boot.json are overwritten

  • OPENAM-14979: NPE in UtilProxySAMLAuthenticatorLookup if there is a failure to find cached oldSession in sessionUpgrade

  • OPENAM-14977: PKCE Code challenge method for Authorization Code if not set should use plain

  • OPENAM-14966: Performing access_token with arbitrary text as trusted cert header causes server error

  • OPENAM-14919: Unnecessary 'Unable to parse packet received from RADIUS client' log entries in log file

  • OPENAM-14901: XUI - SAML2 module doesn’t redirect to IDP if it’s 2nd in the chain

  • OPENAM-14895: user identity creation fails with "Identity *" of type user not found.

  • OPENAM-14893: XUI displays multiple error messages when an authentication session times out

  • OPENAM-14889: Upgrade of Persistent Cookie auth module fails

  • OPENAM-14883: OAuth2/OIDC - Issuing client secret to Public clients during registration

  • OPENAM-14881: AM Proxied authorization feature on DataStore does not work with locked or expired DJ accounts for password change (gives errorcode=123)

  • OPENAM-14867: AuthType is not set for Authentication Tree (AnyKnownUserAuthzModule fails in AuthTree)

  • OPENAM-14859: ROPC throws "Internal Server Error (500)" when 'Password Grant authentication service' is empty

  • OPENAM-14858: When NameIDPolicy does not contain Format=.., remoteEntityID is passed as null

  • OPENAM-14848: Insufficient debug logging in OpenID Connect authentication module

  • OPENAM-14845: user info endpoint does not correctly handle Certificate Bound Access Tokens

  • OPENAM-14829: AuthSchemeCondition doesn’t return realm aware policy condition advice

  • OPENAM-14825: OAuth2 Dynamic Registration with Software Statement triggers objectClass=* search

  • OPENAM-14804: Memory leak when running UMA RPT soak test

  • OPENAM-14799: Unable to update Agent profile using REST

  • OPENAM-14794: User privileges are removed from group if another group is given same privilege

  • OPENAM-14786: idpSingleLogoutPOST throws error 500 IllegalStateException on SLO

  • OPENAM-14783: PKCS11 KeyStore does not work on IBM JVM

  • OPENAM-14782: AuthTree created Session does not use per User Session Service settings

  • OPENAM-14766: introspect and tokeninfo endpoints return Internal Server Error 500 in some invalid tokens

  • OPENAM-14717: mailto attribute has a space between ':' and mail address

  • OPENAM-14694: Consent page still shows claim values even when supported claim description is omitted

  • OPENAM-14651: OAuth2 GrantSet E-Tag Assertion Failures due to Stale Reads

  • OPENAM-14581: handling ManageNameID fails if NameID does not include SPNameQualifier

  • OPENAM-14578: WDSSO failing but no fallback…

  • OPENAM-14573: amlbcookie is not secure when authenticating with trees

  • OPENAM-14572: prompt=login destroys and creates new session

  • OPENAM-14570: OAuth mTLS DN comparison fails when DER-encoding is different

  • OPENAM-14548: consent page still shows what’s been granted/removed as a result of OAuth2 scope policy evaluation

  • OPENAM-14546: SSOADM access not audited to the ssoadm.access logs anymore

  • OPENAM-14539: SAML SLO with multi protocols

  • OPENAM-14529: UMA RPT expiry time incorrect in CTS

  • OPENAM-14523: NullPointerException in IdP-initiated ManageNameIDRequest using SOAP Binding

  • OPENAM-14503: SAML2 - Key Transport Algorithm - RSA OAEP must be supported

  • OPENAM-14483: If there is no token, then landing on the AM login page will result in 2 getSessionInfo Requests = 401 UnAuthZ

  • OPENAM-14480: AuthLoginException is lost

  • OPENAM-14471: Failed to create root realm for data store (External Policy | Application)

  • OPENAM-14465: SAML2 Artifact binding fails on multi-instance / multiserver IDP setup with SAML2 Failover on

  • OPENAM-14464: XUI sends the following message "Loading custom partial "${partialPath}" failed. Falling back to default." to the browser console when a custom theme is used

  • OPENAM-14450: userinfo typo in Claims.java

  • OPENAM-14426: Unable to add external data store in AM (Policy | Application) when using TLS/SSL

  • OPENAM-14419: Policy evaluation returns search results for all policies that match outside of specified application

  • OPENAM-14393: CTS Operation Fails Entry Already Exists logged for SAML2 Authentication is done

  • OPENAM-14391: Self Service Link not Display when Using Authentication Tree

  • OPENAM-14378: 'Set Persistent Cookie' node sets domain cookies in only one domain despite multiple Cookie Domains set

  • OPENAM-14369: Upgrading from OpenAM 13.5.0 with custom PAPs causes NPE failure

  • OPENAM-14362: UMA load test fails with Invalid resource type error

  • OPENAM-14353: Error Message not Displayed when Change Password does not Meet Password Policy

  • OPENAM-14337: Fail gracefully when request OIDC token using "Pairwise" Subject Type and no Redirection URI is configured in client

  • OPENAM-14313: Audit Logging - STS transformations create duplicate entries

  • OPENAM-14310: CheckSession page indicates the session is not valid

  • OPENAM-14294: am-external Git repository 6.5 has bad source

  • OPENAM-14281: IdP Proxy relays wrong AuthnContextClassRef

  • OPENAM-14239: FMSigProvider.verify NPE with null input for certificates

  • OPENAM-14233: updated_at claim in the ID Token is returned as a string and not a number

  • OPENAM-14232: Performance issue when creating resource_set in UMA with many existing resource_set

  • OPENAM-14229: custom AuthorizeTemplate under theme not used

  • OPENAM-14213: Cannot view SAML SP entity imported with missing AuthnRequestsSigned attribute

  • OPENAM-14212: SAML redirect to login page fails if AM installed into the root context

  • OPENAM-14200: Social auth modules do not work when AM is installed into the root context

  • OPENAM-14189: effectiveRange of Time environment has issue

  • OPENAM-14175: CTS updates on multivalue attributes may throw Duplicate values exception

  • OPENAM-14174: AM shows Ldapter.delete exception when session expiry is triggered

  • OPENAM-14167: HTML tags are shown part of the messages in Change Password section of AD Authentication module.

  • OPENAM-14147: arg=newsession in XUI just shows the "Loading…" page

  • OPENAM-14115: Sample Auth module does not work in a chain when used with Shared-state

  • OPENAM-14112: Using client-based sessions when acting as SP can lead to an out-of-date client-based session cookie

  • OPENAM-14111: Refresh Token flow not enabled on OAuth2 Client can still use Refresh Token flow

  • OPENAM-14062: Redirect to Failure URL does not occur when authentication tree is not interactive

  • OPENAM-14054: XUI Custom templates and Partials not applied consistently

  • OPENAM-14053: Cannot build AM UI in Windows for Yarn using mvn

  • OPENAM-14040: LdifUtils debug logging prints out wrong classname

  • OPENAM-14018: Radius Authentication Module Primary and Secondary Radius Server help button shows server:port when it should be server

  • OPENAM-13999: Custom node containing ConfirmationCallbacks fails when dropped in a page node.

  • OPENAM-13991: 'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm

  • OPENAM-13978: Session Upgrade - AuthLevel format changes

  • OPENAM-13942: SAML2 Circle of Trust - REST Update doesn’t update the metadata of the provider

  • OPENAM-13934: saml2error.jsp fails with exception when malformed SAML2 response given

  • OPENAM-13900: OAuth2 Device flow - duplicate user_code error after authenticating user

  • OPENAM-13892: Erroneous "Response’s InResponseTo attribute is not valid error "SAML2 failover is enabled" when it is not

  • OPENAM-13890: Install.log logs AMLDAPUSERPASSWD for unprivileged demo user in plaintext

  • OPENAM-13851: Rest STS cannot be created in the Console when upgrading to 6

  • OPENAM-13831: RP-Initiated Logout does not handle state parameter

  • OPENAM-13779: Session API - _action=refresh requires an admin token

  • OPENAM-13764: Monitoring logs in ERROR for "Agent.configAgentsOnly:agent type = OAuth2Client"

  • OPENAM-13720: Public API method LDAPUtils.convertToLDAPURLs can not handle IPv6 literals

  • OPENAM-13490: Software Publisher Agent - Secret is not saved when creating an Agent

  • OPENAM-13465: Dynamic client registration sets wrong subjectType

  • OPENAM-13446: Social Auth Service doesn’t redirect if already using another chain

  • OPENAM-13419: LDAPPolicyFilterCondition doesn’t set request timeout

  • OPENAM-13324: /users/{user}/devices/trusted REST queryFilter expression does not work and acts as "true"

  • OPENAM-13064: OAuth2 - SAML v.2.0 Bearer Assertion Grant - SubjectConfirmationData element should be optional

  • OPENAM-13000: Custom authentication module with a single ChoiceCallback value is processed without confirmation

  • OPENAM-12955: Resource Owner Password Credentials Grant does not work with trees

  • OPENAM-12759: max_age should be a number, not a string

  • OPENAM-12574: SAML2Utils.sendRequestToOrigServer throws NullPointerException on processing Cookies

  • OPENAM-12498: Authorization Grant response returns scope(s) in the URL

  • OPENAM-12228: WebAgent REST API queryFilter expression does not work and acts as "true"

  • OPENAM-12186: Introspect endpoint for RPT does not check the authorization scheme

  • OPENAM-11921: Incorrect NameId Format offered for SAML2 auth module in console

  • OPENAM-11863: CORSFilter position in web.xml should come before most filters

  • OPENAM-11778: Getting accessToken using authorization_code result in Unhandled exception

  • OPENAM-11338: OpenID Connect id_token bearer auth module mixes up aud, azp during verification

  • OPENAM-10869: SAML2 Authentication module returns ambiguous "Unable to link local user to remote user".

  • OPENAM-10843: When generating an OIDC token through STS a "kid" value is not specified

  • OPENAM-10127: SessionMonitoringStore should only be instantiated when monitoring is enabled

  • OPENAM-9931: Global Session Service - two fields with the exact same name (Redundant 'Global Attributes' setting should be removed)

  • OPENAM-9777: Json Web Key URI in OAuth2 OpenID connect client config pre-populated incorrectly

  • OPENAM-9459: 500 Internal Server Error from changePassword endpoint with AD repo

  • OPENAM-5867: Data Store LDAP server (admin-ordered) list is reordered by OpenAM

Fixes in AM 7.0.x

This page lists the cumulative fixes in AM 7.0.x releases:

AM 7.0.2

  • OPENAM-17689: LDAPv3PersistentSearch should log when psearch connection is lost

  • OPENAM-17688: InMemoryCtsSessionCacheStep#cacheTrusted field should be marked volatile

  • OPENAM-17683: Selfservice user registration auto login fails for a sub-realm

  • OPENAM-17673: Nodes within a Page node do not have access to secure state

  • OPENAM-17672: Page Node does not expose inner nodes inputs or outputs

  • OPENAM-17630: JMS Audit logging broken and cannot start up

  • OPENAM-17591: Session quota destroy next expiring action can fail when two new sessions attempt to read and update the same expiring session

  • OPENAM-17587: OIDC bearer token authentication module requires context value setting for client secret

  • OPENAM-17570: OIDC request parameter decryption fails to find any applicable keys

  • OPENAM-17555: AM 7.x versions of Amster use Java 8 format of debug port

  • OPENAM-17517: JS versions of Social Identity Provider Profile Transformation scripts do not work due to a casting error.

  • OPENAM-17515: Sub attribute in access token can be in wrong casing

  • OPENAM-17483: SecretsPlugin upgrade from 6.5.x failing

  • OPENAM-17477: Thread-safety issue in AMAuthenticationManager

  • OPENAM-17436: JS version of the OIDC Claims script does not work due to a casting error.

  • OPENAM-17405: Token introspection response not spec compliant

  • OPENAM-17397: ssoadm can fail for some cloud-based setups due to FileBasedConfiguration check

  • OPENAM-17365: Checking agent type with caller token can cause deadlock

  • OPENAM-17364: prompt login / session upgrade / OIDC ACR looping with trees

  • OPENAM-17361: API Explorer Swagger Template body needs to be modified to include configExport, debugLogs and threadDump as per the API Documentation

  • OPENAM-17357: Remote Consent Service RCS does follow RCS consented scope when authorization endpoint accessed without any scope

  • OPENAM-17349: OIDC Refresh token - Ops token is deleted from the CTS during refresh

  • OPENAM-17337: Access token passed in request body results in failure

  • OPENAM-17324: Client credentials grant in FBC config with group inheritance causes User not Valid Error

  • OPENAM-17322: SAML2 bearer grant returns NoUserExistsException

  • OPENAM-17321: Prometheus Endpoint returns http 500 error when used with file based config

  • OPENAM-17317: A realm without any modules can cause increased thread count and slow response.

  • OPENAM-17310: 'ssoadm list-datastore-types' sub-command broken

  • OPENAM-17277: AM Recording with thread dump only shows depth of 8

  • OPENAM-17276: AM recorder does not record anymore

  • OPENAM-17274: AM should not change the supported subject types for an existing install

  • OPENAM-17271: Typo for Realm in SAML/Federation debug

  • OPENAM-17265: Wrong authorized_keys file updated

  • OPENAM-17242: OAuth2 Policy - Environment Condition AuthLevel >= doesn’t work for ROPC grant

  • OPENAM-17220: OAuthLogout.jsp compilation error isGotoUrlValid method signature not found

  • OPENAM-17199: Insufficient debug logging for 'DJLDAPv3Repo.getAssignedServices'

  • OPENAM-17175: XUI OAuth2 consent page does not render when using themes

  • OPENAM-17157: Password reset via admin console with Proxied Authorization enabled is not possible

  • OPENAM-17156: Adaptive Risk checkGeoLocation null countryCode can cause module fail.

  • OPENAM-17121: Inefficient synchronized block in OAuth2ProviderSettingsFactory

  • OPENAM-17117: Service config XML dump consumes a lot of memory (whole config is read to memory)

  • OPENAM-17114: Save Consent check box always shown, even when not configured

  • OPENAM-17102: OAuth2 client bearer authentication has insufficient logs for troubleshooting failing client authentication

  • OPENAM-17097: Inconsistent scope policy evaluation between authorize and ROPC

  • OPENAM-17089: Forgot password flow not working after initial attempt to reset password fails

  • OPENAM-17081: OAuth2 client agent group settings are not taken into account

  • OPENAM-17079: Identities and Session: unexpected error returned when requesting a nonexistent identity

  • OPENAM-17070: SAML2 SP-initiated SSO with AM as IdP proxy, RelayState is not returned from proxy after IdP authentication

  • OPENAM-17066: Unable to add server to existing deployment through UI

  • OPENAM-17042: User Self Registration REST API does not generate SSO token

  • OPENAM-17019: Allowing wildcards in OAuth 2.0 clients prevents exact matching from working

  • OPENAM-17017: REST STS fails with unable to get sub-schema if cache is refreshed while updating REST config

  • OPENAM-16998: Poor logging around failures "Invalid Assertion Consumer Location specified"

  • OPENAM-16997: Device code grant implied consent fails if access_token request performed before user authenticates

  • OPENAM-16955: When setCookieToAllDomains=false is used, a non matching request from other domain will fail

  • OPENAM-16944: LDAP Decision node fails if inetuserstatus does not exist

  • OPENAM-16932: PageNode does not pick up outcomes if ScriptedDecisionNode is used inside

  • OPENAM-16910: Can not create SAML entity with entity id including a semicolon ';'

  • OPENAM-16904: OIDC bearer module fails with NPE when id_token does not contain kid

  • OPENAM-16883: AM ignores AuthnRequestsSigned property during SSO

  • OPENAM-16881: SAML federation library stopped supporting ACS URLs with query parameters

  • OPENAM-16876: Default ACR values on OIDC client profile is not honoured in order of preference

  • OPENAM-16849: WeChat Social Auth module broken (regression)

  • OPENAM-16801: SAML2 SP init SSO fails after upgrade to 7.0.0

  • OPENAM-16726: Insufficient debug logging for OAuth2 error 'invalid_client Server does not support this client’s subject type'

  • OPENAM-16651: Default configuration fails if the trust store type JVM property is not defined for the JVM

  • OPENAM-16638: AM with embedded DS setup fails when Java system keystore properties are set

  • OPENAM-16608: AM with embedded DS setup fails with permission denied for truststore

  • OPENAM-16581: SAML Authentication Module on hosted SP gets SAML No authentication context error

  • OPENAM-16556: RADIUS server does not log IP address into AM audit logs

  • OPENAM-16515: Social auth - insufficient debug logging for troubleshooting

  • OPENAM-16472: Proxied Authentication fallback may not work when user entry lacks some attributes

  • OPENAM-16364: Macaroon access tokens don’t work with the new any-realm token introspection

  • OPENAM-16262: Javadocs for IdUtils needs updating

  • OPENAM-15963: Historical retention files (CSV) were not deleted

  • OPENAM-15214: Auth Tree - Clicking save with no changes causes render problem with node attributes inside page node

  • OPENAM-14240: FMSigProvider.verify does not tell if certificates are provided

  • OPENAM-13783: REST STS: Cannot add or modify nameID format in SAML config, and default value stated in help is incorrect

  • OPENAM-13575: Unhelpful log message when OIDC public client wants to use HMAC id token signing

AM 7.0.1

  • OPENAM-16935: Logout issue after logging into AM with 'Remember my username' selected with iOS 14.0.1

  • OPENAM-16934: sm.getSchemaManager has a typo including a comma

  • OPENAM-16907: Kerberos Node in 7.0 does not work

  • OPENAM-16877: Error when creating AM "Self-service Trees" service in native admin ui

  • OPENAM-16848: Choice Collector and WDSSO node combination does not work if whitelisting is enabled

  • OPENAM-16847: AM email service failing with 'Start TLS' option

  • OPENAM-16838: AuthenticationApproachChecker does not handle session upgrade modules

  • OPENAM-16823: IDM Nodes does not send or propagate transactionId tracking when contacting IDM

  • OPENAM-16802: Upgrade from OpenAM 7.0 to 7.1.0 SNAPSHOT causes NPE

  • OPENAM-16794: Google KMS options missing after upgrade from 6.5

  • OPENAM-16791: AMAccessAuditEventBuilder#forRequest can generate an entry with :-1 for the port

  • OPENAM-16769: Enabling Auto-federation when User Profile is Dynamic on SP causes SP to hang during SAML flow

  • OPENAM-16759: Amster on windows : AM does not restart properly after setup

  • OPENAM-16758: Cannot install AM 7 on Windows

  • OPENAM-16745: client_id in access token ignores what’s been registered when idm cache is disabled

  • OPENAM-16703: OAuth2 Access token obtained from refresh token is certificate-bound regardless of "Certificate-Bound Access Tokens" configuration (when client_secret_basic used for credentials)

  • OPENAM-16702: Saving engine configuration in FBC mode makes that config non-readable

  • OPENAM-16701: The authorize endpoint with a service parameter will cause the parameter to appear as a PAP claim in the agent’s ID token

  • OPENAM-16697: Case mismatch for realm (when using legacy realm identifier format) on well-known endpoint results in issuer with incorrect path format

  • OPENAM-16686: Cannot create a User after upgrade from 6.5.2 to 7.0.1

  • OPENAM-16684: OIDC Dynamic Registration client_description cannot take String type

  • OPENAM-16669: IdentityGateway Agent entry missing attribute required to support org.forgerock.openam.agent.TokenRestrictionResolver#getAgentInfo

  • OPENAM-16650: Authz Policy Subjects Policy.title is showing property name text

  • OPENAM-16641: OAuth2 provider supported grant types attribute missing localization property on XUI

  • OPENAM-16606: Missing "org.forgerock.openam.saml2.authenticatorlookup.skewAllowance" property in server defaults

  • OPENAM-16594: ssoadm help should be updated to reflect changes in AME-18650 / OPENAM-16155

  • OPENAM-16583: Crucial information is missing when encountering LDAP connections issue.

  • OPENAM-16555: (audit) logging does not tell which policy allowed or denied a resource request

  • OPENAM-16551: Scalar String in OAuth2 Access Token Modification Script result in Unable to Obtain Access Token

  • OPENAM-16545: Upgrade to AM 7.0.0 can cause problems with properties being overridden for some web agents

  • OPENAM-16485: 'Failed Login URL' is not picked up from the auth chain

  • OPENAM-16483: XUI - Typo in SAML SP "Default Relay State Url" label

  • OPENAM-16368: Settings of Mail and Scripting global service properties are overwritten at upgrade

  • OPENAM-16367: OIDC request_uri response causes NPE while debug logging

  • OPENAM-16354: Concurrency bug in OAuth2ProviderSettingsFactory

  • OPENAM-16338: Failing REQUISITE module after SUFFICIENT Device Match doesn’t fail chain properly

  • OPENAM-16157: Session Property Whitelist Service allows case variant Property Names but DS is not case sensitive

  • OPENAM-16152: After upgrade, new Identity page has duplicate 'new identity' field and email address does not save

  • OPENAM-16006: Device Code Grant does not work with Implied Consent as Authorization is not approved even after consented

  • OPENAM-15671: LoginContext is missing debug logging for troubleshooting

  • OPENAM-15663: UserInfoClaims is not part of public API

  • OPENAM-14682: Microsoft Social Auth fails when creating a Microsoft account (Legacy OAuth2)

  • OPENAM-14527: Microsoft Social Auth does not work with latest MS endpoints (Legacy OAuth2)

  • OPENAM-11706: Policies in a policy set are not visible in Internet Explorer IE

AM 7.0

  • OPENAM-16433: Audit Logging change of behaviour when capturing "principals" and "userid" data for each authentication entry.

  • OPENAM-16425: AM does not handle malformed/incorrect signature correctly

  • OPENAM-16402: The passwordpolicy.allowDiagnosticMessage should be applicable to admin and selfservice password change.

  • OPENAM-16379: URL fragments like # cause forbidden login in the XUI

  • OPENAM-16284: XUI does not handle Special Chars / UTF-8 in realms properly.

  • OPENAM-16279: AgentsRepo cannot recover when it fails especially on external Application store.

  • OPENAM-16251: OIDC authentication request with parameters 'prompt=none' and 'acr_values=' triggers authentication

  • OPENAM-16240: REST STS under subrealm cannot generate id_token with realm claim

  • OPENAM-16233: Policy evaluation fails when subject not found (even in ignore profile)

  • OPENAM-16214: Push Authentication Module does not work on Session Upgrade when User Cache disabled

  • OPENAM-16184: Zero Page Login Collector does not work with UTF-8 base 64 encoded usernames and passwords

  • OPENAM-16165: social authmodule causes NullPointerException

  • OPENAM-16164: social authmodule fails if OIDC provider uses algorithm RS256 to sign Id Token

  • OPENAM-16136: queryFilter only matches against first entry in array

  • OPENAM-16132: When TtlSupport is enabled, Stateless OAuth2 Refresh token and JWT whitelist fails on synchroniseExpiryDates

  • OPENAM-16032: Unable to delete devices with Recovery Code Collector Decision Node

  • OPENAM-16031: Intermittent error message when concurrent obtain SSO Token ID with session quota constraints

  • OPENAM-16014: An invalid user passed to any WebAuthn node throws NPE and breaks the Tree flow

  • OPENAM-16013: Mismatched kid from Json Web Key URI when Specified Encryption Algorithm

  • OPENAM-16009: Windows Desktop SSO node full adoption and compliance with tree node specifications

  • OPENAM-15989: OAuth2 client_id should be url-decoded when using basic auth

  • OPENAM-15982: OIDC - JWT Request Parameter returns errors in query, not in the fragment when consent is denied

  • OPENAM-15970: Access Token introspect Fails in subrealm after root realm modified

  • OPENAM-15944: WS-Federation - RPSignin Request fails because config data is used unchecked

  • OPENAM-15905: Login failure with Post Authentication Plugin on timed out Authentication session throws NullPointerException

  • OPENAM-15900: Kerberos fails when used with IBM JDK

  • OPENAM-15896: WS-Federation relying party initiated passive request - stuck at Account Realm selection

  • OPENAM-15881: Custom AM User (amUser.xml) field does not use default values from the schema

  • OPENAM-15858: Auth Tree fails before 'Max Authentication Time' is reached if authentication session state management scheme CTS is used

  • OPENAM-15853: External UMA store fails on resource creation

  • OPENAM-15805: idtokeninfo endpoint gives invalid signature error when ID Token is expired

  • OPENAM-15785: OIDC spec violation - HTTP POST can not be used to send Authentication Request

  • OPENAM-15784: Form elements in policy environment condition tab are displayed twice

  • OPENAM-15766: LoginState - account lockout is checked although AM AccountLockout is disabled

  • OPENAM-15758: KeyStore Secret Store fails to start due to secretId having some characters.

  • OPENAM-15750: ERROR: OAuth2Monitor: Unable to increment "oauth2.grant" metric for unknown grant type BACK_CHANNEL

  • OPENAM-15724: SAML2 entities do not set amlbcookie if there is only one server

  • OPENAM-15713: AM SP silently drops the RelayState of more than 80 characters for HTTP Redirect

  • OPENAM-15698: IdP-initiated SSO fails with error 'Error processing AuthnRequest. IDP Session is NULL'

  • OPENAM-15697: Default ACR values from OAuth2 provider not taken into account

  • OPENAM-15694: RestSTSServiceHttpRouteProvider causes memory leak by adding route for every access

  • OPENAM-15679: The option "com.sun.am.ldap.connnection.idle.seconds" has a misspelling

  • OPENAM-15670: DeviceIdSave auth module initialization fails if username is null

  • OPENAM-15667: AM debug log does not tell which auth-module was handled - needed for troubleshooting

  • OPENAM-15645: The &refresh=true|false parameter for _action=validate is not working as expected

  • OPENAM-15632: OAuth2 Refresh token lifetime with -1 (never expires) cannot work with CTS TTL support

  • OPENAM-15628: Grant-Set Storage Scheme for CTS does not work with CIBA Flow

  • OPENAM-15627: Switching CTS Storage Scheme to "Grant-set" fails with stateless refresh-tokens created with "One-To-One"

  • OPENAM-15579: AM cookies are not set after successful SP-initiated SSO flow if SP Adapter calls 'response.sendRedirect(String)'

  • OPENAM-15559: OATH module broken in Japanese locale

  • OPENAM-15533: WS-Federation doesn’t work with Authentication Trees

  • OPENAM-15530: OAuth2/OIDC - Resource Owner Password flow with a public client creates an AM session in CTS

  • OPENAM-15520: XUI Localisation Falls Back To AM-Default "EN" Instead Of Language-Default

  • OPENAM-15508: moduleMessageEnabledInPasswordGrant does not apply to Trees

  • OPENAM-15507: 500 error when calling /revoke or /refresh endpoint with wrong token

  • OPENAM-15501: Xml encryption 1.1 namespaces aren’t always mapped to prefixes correctly

  • OPENAM-15494: AM expects nonce request parameter in authorize request when no id_token will be returned

  • OPENAM-15491: Self service password reset returns 500 Internal Server Error, when new password rejected by datastore password policies.

  • OPENAM-15489: WebAuthN Auth Node Doesn’t Respect UV=Discouraged During AuthN

  • OPENAM-15465: Sending HTTP Callback from Inner Tree Evaluator Fails Authentication

  • OPENAM-15459: When Encrypted Attributes on SP is set only with AutoFederation enabled, the attributes get decryption error

  • OPENAM-15425: OIDC endsession - encrypted id_tokens are not supported

  • OPENAM-15374: OpenID Client authentication with private_key_jwt and client_secret_jwt does not enforce required jti claims

  • OPENAM-15355: PageNode with multiple InputNodes without value throws Unsupported InputOnlyPasswordCallback

  • OPENAM-15349: Access Token request returns a 500 error

  • OPENAM-15345: at_hash value generated does not take the latest modified access token

  • OPENAM-15323: ROPC with tree throws "Internal Server Error (500)" when user credentials are incorrect using AuthTree

  • OPENAM-15307: Trees Example is not working as expected OOTB to ?service=Example

  • OPENAM-15303: Claims with multiple values in issued_token from REST STS represented inconsistently.

  • OPENAM-15244: AM configuration does not perform schema extension for identity store although it has the permissions

  • OPENAM-15210: Authentication nodes that are assigned AuthType values may not work in Session Upgrade case with custom modules

  • OPENAM-15164: CDSSO with "ignore profile" throws "No OpenID Connect provider"

  • OPENAM-15160: LDAP Decision Node throws NPE when custom ldap server returns LDAP code 50 on bind

  • OPENAM-15150: Upgrade fails when there is a bad Token Signing ECDSA public/private key pair alias field

  • OPENAM-15147: HTTP 500 upon accessing openam/json/

  • OPENAM-15145: OpenAM Scope Validator calls getUserInfo twice when creating IdToken

  • OPENAM-15121: Persistent Cookie Auth Tree does not work after the second relogin ( with browser closed )

  • OPENAM-15117: KeyVault KeyStoreType not supported

  • OPENAM-15116: Auth ID jwt can be modified to determine whether a realm exists or not

  • OPENAM-15105: Unable to get trusted devices using REST API

  • OPENAM-15101: Remove the ability to disable XUI

  • OPENAM-15089: SAML SLO - Allow RelayState to be a path-relative URL

  • OPENAM-15076: webAuthn config does not allow for multiple origins under the same rpId

  • OPENAM-15044: OpenID connect id_token bearer Module Unable to obtain SSO Token due to OpenIDResolver Caching

  • OPENAM-15036: Cannot view/manage SAML IdP entity in console, imported from schema compliant meta data file

  • OPENAM-15028: Cannot load metadata in ssoadm without extended metadata

  • OPENAM-15012: OIDC - JWT Request Parameter returns errors in query, not in the fragment

  • OPENAM-14995: IdP Initiated single logout only performs local logout if IdP session cannot be found in cache

  • OPENAM-14991: Changes to boot.json are overwritten

  • OPENAM-14979: NPE in UtilProxySAMLAuthenticatorLookup if there is a failure to find cached oldSession in sessionUpgrade

  • OPENAM-14977: PKCE Code challenge method for Authorization Code if not set should use plain

  • OPENAM-14966: Performing access_token with arbitrary text as trusted cert header causes server error

  • OPENAM-14919: Unnecessary 'Unable to parse packet received from RADIUS client' log entries in log file

  • OPENAM-14901: XUI - SAML2 module doesn’t redirect to IDP if it’s 2nd in the chain

  • OPENAM-14895: user identity creation fails with "Identity \*" of type user not found.

  • OPENAM-14893: XUI displays multiple error messages when an authentication session times out

  • OPENAM-14889: Upgrade of Persistent Cookie auth module fails

  • OPENAM-14883: OAuth2/OIDC - Issuing client secret to Public clients during registration

  • OPENAM-14881: AM Proxied authorization feature on DataStore does not work with locked or expired DJ accounts for password change (gives errorcode=123)

  • OPENAM-14867: AuthType is not set for Authentication Tree (AnyKnownUserAuthzModule fails in AuthTree)

  • OPENAM-14859: ROPC throws "Internal Server Error (500)" when 'Password Grant authentication service' is empty

  • OPENAM-14858: When NameIDPolicy does not contain Format=.., remoteEntityID is passed as null

  • OPENAM-14848: Insufficient debug logging in OpenID Connect authentication module

  • OPENAM-14845: user info endpoint does not correctly handle Certificate Bound Access Tokens

  • OPENAM-14829: AuthSchemeCondition doesn’t return realm aware policy condition advice

  • OPENAM-14825: OAuth2 Dynamic Registration with Software Statement triggers objectClass=* search

  • OPENAM-14804: Memory leak when running UMA RPT soak test

  • OPENAM-14799: Unable to update Agent profile using REST

  • OPENAM-14794: User privileges are removed from group if another group is given same privilege

  • OPENAM-14786: idpSingleLogoutPOST throws error 500 IllegalStateException on SLO

  • OPENAM-14783: PKCS11 KeyStore does not work on IBM JVM

  • OPENAM-14782: AuthTree created Session does not use per User Session Service settings

  • OPENAM-14766: introspect and tokeninfo endpoints return Internal Server Error 500 in some invalid tokens

  • OPENAM-14717: mailto attribute has a space between ':' and mail address

  • OPENAM-14694: Consent page still shows claim values even when supported claim description is omitted

  • OPENAM-14651: OAuth2 GrantSet E-Tag Assertion Failures due to Stale Reads

  • OPENAM-14581: handling ManageNameID fails if NameID does not include SPNameQualifier

  • OPENAM-14578: WDSSO failing but no fallback…​

  • OPENAM-14573: amlbcookie is not secure when authenticating with trees

  • OPENAM-14572: prompt=login destroys and creates new session

  • OPENAM-14570: OAuth mTLS DN comparison fails when DER-encoding is different

  • OPENAM-14548: consent page still shows what’s been granted/removed as a result of OAuth2 scope policy evaluation

  • OPENAM-14546: SSOADM access not audited to the ssoadm.access logs anymore

  • OPENAM-14539: SAML SLO with multi protocols

  • OPENAM-14529: UMA RPT expiry time incorrect in CTS

  • OPENAM-14523: NullPointerException in IdP-initiated ManageNameIDRequest using SOAP Binding

  • OPENAM-14503: SAML2 - Key Transport Algorithm - RSA OAEP must be supported

  • OPENAM-14483: If there is no token, then landing on the AM login page will result in 2 getSessionInfo Requests = 401 UnAuthZ

  • OPENAM-14480: AuthLoginException is lost

  • OPENAM-14471: Failed to create root realm for data store (External Policy | Application)

  • OPENAM-14465: SAML2 Artifact binding fails on multi-instance / multiserver IDP setup with SAML2 Failover on

  • OPENAM-14464: XUI sends the following message "Loading custom partial "${partialPath}" failed. Falling back to default." to the browser console when a custom theme is used

  • OPENAM-14450: userinfo typo in Claims.java

  • OPENAM-14426: Unable to add external data store in AM (Policy | Application) when using TLS/SSL

  • OPENAM-14419: Policy evaluation returns search results for all policies that match outside of specified application

  • OPENAM-14393: CTS Operation Fails Entry Already Exists logged for SAML2 Authentication is done

  • OPENAM-14391: Self Service Link not Displayed when Using Authentication Tree

  • OPENAM-14378: 'Set Persistent Cookie' node sets domain cookies in only one domain despite multiple Cookie Domains set

  • OPENAM-14369: Upgrading from OpenAM 13.5.0 with custom PAPs causes NPE failure

  • OPENAM-14362: UMA load test fails with Invalid resource type error

  • OPENAM-14353: Error Message not Displayed when Change Password does not Meet Password Policy

  • OPENAM-14337: Fail gracefully when request OIDC token using "Pairwise" Subject Type and no Redirection URI is configured in client

  • OPENAM-14313: Audit Logging - STS transformations create duplicate entries

  • OPENAM-14310: CheckSession page indicates the session is not valid

  • OPENAM-14294: am-external Git repository 6.5 has bad source

  • OPENAM-14281: IdP Proxy relays wrong AuthnContextClassRef

  • OPENAM-14239: FMSigProvider.verify NPE with null input for certificates

  • OPENAM-14233: updated_at claim in the ID Token is returned as a string and not a number

  • OPENAM-14232: Performance issue when creating resource_set in UMA with many existing resource_set

  • OPENAM-14229: custom AuthorizeTemplate under theme not used

  • OPENAM-14213: Cannot view SAML SP entity imported with missing AuthnRequestsSigned attribute

  • OPENAM-14212: SAML redirect to login page fails if AM installed into the root context

  • OPENAM-14200: Social auth modules do not work when AM is installed into the root context

  • OPENAM-14189: effectiveRange of Time environment has issue

  • OPENAM-14175: CTS updates on multivalue attributes may throw Duplicate values exception

  • OPENAM-14174: AM shows Ldapter.delete exception when session expiry is triggered

  • OPENAM-14167: HTML tags are shown as part of the messages in Change Password section of AD Authentication module.

  • OPENAM-14147: arg=newsession in XUI just shows the "Loading…​" page

  • OPENAM-14115: Sample Auth module does not work in a chain when used with Shared-state

  • OPENAM-14112: Using client-based sessions when acting as SP can lead to an out-of-date client-based session cookie

  • OPENAM-14111: Refresh Token flow not enabled on OAuth2 Client can still use Refresh Token flow

  • OPENAM-14062: Redirect to Failure URL does not occur when authentication tree is not interactive

  • OPENAM-14054: XUI Custom templates and Partials not applied consistently

  • OPENAM-14053: Cannot build AM UI in Windows for Yarn using mvn

  • OPENAM-14040: LdifUtils debug logging prints out wrong classname

  • OPENAM-14018: Radius Authentication Module Primary and Secondary Radius Server help button shows server:port when it should be server

  • OPENAM-13999: Custom node containing ConfirmationCallbacks fails when dropped in a page node.

  • OPENAM-13991: 'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm

  • OPENAM-13978: Session Upgrade - AuthLevel format changes

  • OPENAM-13942: SAML2 Circle of Trust - REST Update doesn’t update the metadata of the provider

  • OPENAM-13934: saml2error.jsp fails with exception when malformed SAML2 response given

  • OPENAM-13900: OAuth2 Device flow - duplicate user_code error after authenticating user

  • OPENAM-13892: Erroneous "Response’s InResponseTo attribute is not valid error "SAML2 failover is enabled" when it is not

  • OPENAM-13890: Install.log logs AMLDAPUSERPASSWD for unprivileged demo user in plaintext

  • OPENAM-13851: Rest STS cannot be created in the Console when upgrading to 6

  • OPENAM-13831: RP-Initiated Logout does not handle state parameter

  • OPENAM-13779: Session API - _action=refresh requires an admin token

  • OPENAM-13764: Monitoring logs in ERROR for "Agent.configAgentsOnly:agent type = OAuth2Client"

  • OPENAM-13720: Public API method LDAPUtils.convertToLDAPURLs can not handle IPv6 literals

  • OPENAM-13490: Software Publisher Agent - Secret is not saved when creating an Agent

  • OPENAM-13465: Dynamic client registration sets wrong subjectType

  • OPENAM-13446: Social Auth Service doesn’t redirect if already using another chain

  • OPENAM-13419: LDAPPolicyFilterCondition doesn’t set request timeout

  • OPENAM-13324: /users/{user}/devices/trusted REST queryFilter expression does not work and acts as "true"

  • OPENAM-13064: OAuth2 - SAML v.2.0 Bearer Assertion Grant - SubjectConfirmationData element should be optional

  • OPENAM-13000: Custom authentication module with a single ChoiceCallback value is processed without confirmation

  • OPENAM-12955: Resource Owner Password Credentials Grant does not work with trees

  • OPENAM-12759: max_age should be a number, not a string

  • OPENAM-12574: SAML2Utils.sendRequestToOrigServer throws NullPointerException on processing Cookies

  • OPENAM-12498: Authorization Grant response returns scope(s) in the URL

  • OPENAM-12228: WebAgent REST API queryFilter expression does not work and acts as "true"

  • OPENAM-12186: Introspect endpoint for RPT does not check the authorization scheme

  • OPENAM-11921: Incorrect NameId Format offered for SAML2 auth module in console

  • OPENAM-11863: CORSFilter position in web.xml should come before most filters

  • OPENAM-11778: Getting accessToken using authorization_code result in Unhandled exception

  • OPENAM-11338: OpenID Connect id_token bearer auth module mixes up aud, azp during verification

  • OPENAM-10869: SAML2 Authentication module returns the ambiguous message "Unable to link local user to remote user".

  • OPENAM-10843: When generating an OIDC token through STS a "kid" value is not specified

  • OPENAM-10127: SessionMonitoringStore should only be instantiated when monitoring is enabled

  • OPENAM-9931: Global Session Service - two fields with the exact same name (Redundant 'Global Attributes' setting should be removed)

  • OPENAM-9777: Json Web Key URI in OAuth2 OpenID connect client config pre-populated incorrectly

  • OPENAM-9459: 500 Internal Server Error from changePassword endpoint with AD repo

  • OPENAM-5867: Data Store LDAP server (admin-ordered) list is reordered by OpenAM

Removed

The functionality listed here was removed.

AM 7.5

Java 11

AM 7.5 removes support for Java 11. Only Java 17 is supported in this release.

SNMP monitoring

SNMP monitoring was deprecated in AM 7.3 and is no longer supported.

AM 7.4

No features or functionality were removed in this release.

AM 7.3

Removal of CTS worker pool

The org.forgerock.services.cts.async.queue.size and org.forgerock.services.cts.async.queue.timeout advanced configuration properties were removed.

For details, refer to: Removal of CTS worker thread pool.

AM 7.2

No features or functionality were removed in this release.

AM 7.1

No features or functionality were removed in this release.

AM 7.0

AM 7.0.1

SOAP STS service installation

Installing instances of the SOAP STS service in AM 7.0.1 is not supported. However, upgrading existing instances is.

AM 7.0

Authentication through /UI/login endpoint

Authentication through the /UI/login endpoint has been removed. Rewrite your clients to use the /XUI/#login/ endpoint instead.

/openam/cdservlet

The cdservlet servlet, which was used by Web Agents and Java Agents earlier than version 5 to accomplish CDSSO, was removed from AM 7.

As a result, the following were also removed:

  • The classic CDSSO mode.

  • The following AM advanced server properties:

    • com.iplanet.services.cdc.invalidGotoStrings

    • org.forgerock.openam.cdc.validLoginURIs

  • The com.sun.identity.federation.services.idpLoginURL JVM property.

IDFF cdservlet-related legacy audit log events are no longer logged.

Support for SAML v1.x

Support for SAML v1.x was removed from AM 7. However, AM 7 does support SAML v2.0.

For more information about SAML v2.0, refer to the SAML v2.0 Guide.

Supported APIs

AM 7 removes the following APIs from the com.sun.identity.authentication.AuthContext class, to allow AM to support Java 11:

  • constructor: public AuthContext(String orgName, String nickName) throws AuthLoginException

  • constructor: public AuthContext(String orgName, String nickName, URL url) throws AuthLoginException

  • method: public static void setCertDBPassword(String password)

The following APIs were also removed:

  • Deprecated SAE_PARAM_APPID field removed from the SecureAttrs class.

  • Deprecated SiteAttributeMapper and PartnerSiteAttributeMapper interfaces removed.

    Instead, use the ConsumerSiteAttributeMapper interface.

  • Deprecated getAttributeMapForFedlet method removed.

    Instead, use the getAttributesForFedlet method.

SAML v2.0 service configurations service

The realm-level version of this service was removed. The metadata and signing aliases were also removed from the global service configuration, since the providers now use secret stores.

CTS Reaper property org.forgerock.services.cts.reaper.search.pageSize

This advanced server property was removed.

Dashboard wizards

The wizards in the administrative user Dashboard have been removed. They used the JATO implementation of the UI, which is not supported on Java 11.

Advanced server property org.forgerock.openam.audit.access.attempt.enabled

This property was replaced by the org.forgerock.openam.audit.identity.activity.events.blacklist advanced server property.

For more information, refer to Advanced properties.

Incompatible changes

Incompatible changes refer to changes that impact existing functionality and might have an effect on your deployment. Before you upgrade, review these lists and make the appropriate changes to your scripts and plugins.

Changes in AM 7.5.x

AM 7.5

Change in behavior for journeys containing a Certificate Collector node

Previously, for journeys containing a Certificate Collector node, AM would throw an exception in the following scenario:

  • You set the node’s Certificate Collection Method property to Either or Header

  • You specified an HTTP header name

  • The certificate was missing from the browser (and from the request if Either was selected)

Now, in this scenario, the journey continues down the Not Collected path.

Default setting for AES key wrap encryption

The system property org.forgerock.openam.encryption.padshortinputs is now true by default.

This property pads short inputs (less than 8 bytes). If you’re using AES key wrap encryption, do one of the following before you upgrade to AM 7.5:

  • Check that any passwords encrypted with AES key wrap encryption are longer than eight characters. AM won’t be able to decrypt shorter values.

  • Set org.forgerock.openam.encryption.padshortinputs to true and re-save any short passwords to update the padding.

Change to OAuth 2.0 refresh token introspection response types

Previously, introspecting a stateful refresh token returned some claims as an array containing a single string.

For consistency, the following claims are now returned as strings:

  • realm

  • userName

  • authGrantId

  • clientID

Changes in AM 7.4.x

AM 7.4.1

WS-Federation com.sun.identity.wsfederation.logout.wreply URL validation

To facilitate logging out of WS-Federation and multiprotocol environments (WS-Federation communicating with SAML 2.0), you must add the URL specified in the com.sun.identity.wsfederation.logout.wreply query parameter to the Valid goto URL Resources field in the validation service. If you don’t add this URL, redirection fails.

Change in behavior for journeys containing a Certificate Collector node

Previously, for journeys containing a Certificate Collector node, AM would throw an exception in the following scenario:

  • You set the node’s Certificate Collection Method property to Either or Header

  • You specified an HTTP header name

  • The certificate was missing from the browser (and from the request if Either was selected)

Now, in this scenario, the journey continues down the Not Collected path.

Change to OAuth 2.0 refresh token introspection response types

Previously, introspecting a stateful refresh token returned some claims as an array containing a single string.

For consistency, the following claims are now returned as strings:

  • realm

  • userName

  • authGrantId

  • clientID

AM 7.4

Removal of dsameuserpwd from default keystore

The alias of the dsameuserpwd has been removed from the default keystore. The dsameUser is an internal account that AM uses to connect to the configuration store. AM now generates the password for this account on startup, and you can’t read or change it.

If you upgrade to AM 7.4 using the upgrade wizard and need to roll back the upgrade, you must restore the default keystore. The upgrade wizard removes the dsameuserpwd alias. If you don’t restore this alias, the rolled back instance of AM won’t start up.

If you try to use a previous version of ssoadm with AM 7.4, the command fails with the error Can’t open boot keystore, because it expects the dsameuserpwd alias to be present. To avoid this error, use the ssoadm version delivered with AM 7.4.

Preconfigure policy and application data stores

You can now disable policy and application data stores until you are ready to use them. This means that you can preconfigure a data store before the directory server is ready. When you want to use the data store configuration, you can enable it, at which point AM verifies that it can connect to the configured store.

All default policy and application data store configurations are enabled. A new custom external data store configuration is disabled by default. When you upgrade to AM 7.4, existing data store configurations are enabled by default.

The dataStoreEnabled property is mandatory if you’re creating new data stores over REST (using DataStoreService/config?_action=create). It’s also mandatory if you’re updating data stores over REST with a PUT request. For backward compatibility, if you don’t include this property in the JSON payload, the endpoint currently adds it to the configuration by default with a value of true.

In the next AM release, the endpoint version will be incremented and the latest version will require the property to be present.

Change in behavior when an authentication tree is deleted

From this release, when you delete an authentication tree, any nodes referenced by that tree are also deleted, provided they aren’t referenced by another tree.

This change eliminates orphaned nodes in the configuration and lets you delete the scripts referenced by those nodes.

Change in behavior of subjectattributes endpoint

The behavior of queries to the subjectattributes endpoint has changed in this release.

To override the new behavior and revert to the previous behavior, set the org.forgerock.security.entitlement.enforce.realm advanced server property to false, then restart AM for the change to take effect.

For security reasons you should set this property back to true when you have updated your scripts.

Rotatable secrets for amAdmin password

AM now caches the special secret used to store the password of the amAdmin user. The expiry time of the cache is 900 seconds (15 minutes) by default. To change the expiry time, set the org.forgerock.openam.secrets.special.user.secret.refresh.seconds advanced server property.

For more information, refer to Store the amAdmin password in a secret store.

Changes in AM 7.3.x

AM 7.3.2

Change in behavior for journeys containing a Certificate Collector node

Previously, for journeys containing a Certificate Collector node, AM would throw an exception in the following scenario:

  • You set the node’s Certificate Collection Method property to Either or Header

  • You specified an HTTP header name

  • The certificate was missing from the browser (and from the request if Either was selected)

Now, in this scenario, the journey continues down the Not Collected path.

AM 7.3.1

Change to OAuth 2.0 refresh token introspection response types

Previously, introspecting a stateful refresh token returned some claims as an array containing a single string.

For consistency, the following claims are now returned as strings:

  • realm

  • userName

  • authGrantId

  • clientID

AM 7.3

Artifact updates

If your custom code uses the following supported Java classes, you must update your build dependencies to include these modules:

Class / interface                          Module
com.sun.identity.idm.IdUtils               customer-api
com.sun.identity.idm.AMIdentity            identity-api
com.sun.identity.idm.IdEventListener       identity-api
com.sun.identity.idm.IdOperation           identity-api
com.sun.identity.idm.IdRepoException       identity-api
com.sun.identity.idm.IdSearchControl       identity-api
com.sun.identity.idm.IdSearchResults       identity-api
com.sun.identity.idm.IdSearchOpModifier    identity-api
com.sun.identity.idm.IdType                identity-api
com.sun.identity.idm.AMIdentityRepository  openam-identity
com.sun.identity.idm.IdRepoListener        openam-identity

AMIdentity constructor

The supported constructor, public AMIdentity(SSOToken token, String universalId) throws IdRepoException, no longer throws an IllegalArgumentException if the provided string is not a valid representation of a DN. Instead, these exceptions are now converted to instances of IdRepoException.

Deletion of site data on logout

For security reasons, AM now instructs the browser to clear site data such as locally cached data and cookies when a user successfully logs out. This behavior can be disabled for compatibility purposes. Refer to the Add clear-site-data Header on Logout property in the Core authentication attributes for more information.

Session condition advice behavior

Previously, a Session condition failure resulted in a No configuration found error. This behavior has been changed as follows:

  • If terminateSession is true and policy evaluation is requested, AM sends the session advice to the Java, Web, or Identity Gateway agent when the maxSessionTime elapses and the user is required to reauthenticate.

  • If terminateSession is false and policy evaluation is requested, AM does not send the session advice to the Java, Web, or Identity Gateway agent when the maxSessionTime elapses. Instead of being redirected to the login page, the user receives a 403 Forbidden response for the protected resource.

Password change messages can now be returned in sentence case

Previously, all password change and password reset messages were transformed to upper case; for example, YOU MUST RESET YOUR PASSWORD. The LDAP Decision node now provides an option to disable this transformation, so that messages are returned in the case in which they are configured; for example, You must reset your password.

This option is disabled by default.

Base URL X-Forwarded-* headers

  • Previously, if you set the Base URL source to X-Forwarded-* headers and no X-Forwarded-Proto header was provided, the generated URL would have a protocol of null, for example null://host, which would result in a broken URL.

    From this release, if no X-Forwarded-Proto header is provided, a fallback scheme is used, based on the URI of the request.

  • You can now specify a port in the Base URL, using the X-Forwarded-Port header.

  • If multiple X-Forwarded-Host headers are specified, the outermost proxy host is used.

org.forgerock.openam.services.email.MailServer interface

The supported interface, org.forgerock.openam.services.email.MailServer has moved from the openam-core module to mail-api.

You need to update the dependencies to recompile your implementation of this interface.

Removal of CTS worker thread pool

To simplify AM behavior, CTS operations are now performed as part of the HTTP worker thread created by the HTTP container. This refactoring introduces the following changes:

  • The org.forgerock.services.cts.async.queue.size and org.forgerock.services.cts.async.queue.timeout advanced configuration properties are no longer used.

  • The following monitoring metrics have been replaced:

    • Old: cts.task.queue and cts.task.queue.size

    • New: cts.connection.state.out and cts.connection.state.pending

      For details, refer to CTS metrics.

  • The primary way to tune the CTS connection pool is to use the org.forgerock.services.cts.store.max.connections property. The default value has been increased from 10 to 100. Existing deployments will be upgraded to whichever is greater: 100 or the original value.

  • In previous AM releases, calls to the /json/health/ready endpoint returned an HTTP 200 OK response if the CTS queue was below the configured threshold, even if the CTS data store was unavailable.

    The CTS queue has been removed in AM 7.3 as part of optimizing connections to the CTS store. If the CTS data store is unavailable, calls to the /json/health/ready endpoint now return an HTTP 503 Service Unavailable error.

Changes in AM 7.2.x

AM 7.2.2

Change in behavior for journeys containing a Certificate Collector node

Previously, for journeys containing a Certificate Collector node, AM would throw an exception in the following scenario:

  • You set the node’s Certificate Collection Method property to Either or Header

  • You specified an HTTP header name

  • The certificate was missing from the browser (and from the request if Either was selected)

Now, in this scenario, the journey continues down the Not Collected path.

Change to OAuth 2.0 refresh token introspection response types

Previously, introspecting a stateful refresh token returned some claims as an array containing a single string.

For consistency, the following claims are now returned as strings:

  • realm

  • userName

  • authGrantId

  • clientID

AM 7.2.1

Change in behavior of httpOnly flag for trees

When HttpOnly session cookies are enabled and a client calls the /json/authenticate endpoint with a valid SSO token, AM should return an empty tokenId. While this has always been the case for authentication chains, it was not previously the case for authentication trees.

From AM 7.2.1, this behavior is the global default for authentication trees on new installations. It is also the default on new realms created on servers that have been upgraded to AM 7.2.1. For compatibility with previous versions, you can control this behavior using the Stops sending tokenId authentication configuration option.

  • Globally: Go to Configure > Authentication > Core Attributes > Trees.

  • By realm: Go to Realms > Realm Name > Authentication > Settings > Trees.

If your existing deployment relies on the previous behavior, where a valid tokenId is returned, disable the Stops sending tokenId option for that particular realm. For security reasons, you should adjust scripts and clients that rely on a tokenId in this situation and re-enable the option as soon as is feasible for your deployment.

Change to access token modification

With the introduction of persistent claims, access token modification is now performed before the id_token and the refresh_token are available to the access token modification script. If your script depended on those tokens being available, use persistent claims to resolve the dependency.

AM 7.2.0

OIDC claim classes

  • The org.forgerock.openidconnect.Claim class has been deprecated. The new org.forgerock.oauth.clients.oidc.Claim class replaces its functionality.

    This new class has a getNameWithLocale() method that returns the claim name as a string with # and the locale appended, in line with the OIDC specification.

    A new getJavaLocale() method has been added to the Claim class, and lets a caller get the Locale object associated with the claim. The existing getLocale() method remains unchanged, and is equivalent to calling getJavaLocale().toLanguageTag().

  • The new Claim class contains a Claim.ClaimBuilder class, that you should use to create instances of the Claim. The Claim class is immutable and should not be extended. (It cannot be marked as final, for compatibility reasons.)

  • The ClaimBuilder class no longer contains a withValues method. This method has been split into the following, more granular methods (with corresponding new methods for single items):

    • withBooleanValues and withBooleanValue

    • withNumericalValues and withNumericalValue

    • withJsonValues and withJsonValue

    • withStringValues and withStringValue

  • The new ClaimsMapper class separates and encapsulates the functionality for converting claims to and from JSON. The asMap method has therefore been removed from the Claim class.

Anonymous user inactive by default

The default anonymous user, used, for example, by the Anonymous User Mapping node, is now Inactive by default. If you have existing nodes, modules, or other clients that reference this user, you must explicitly set the user status to Active.

normalized-profile-to-managed-user scripts

For Apple SSO configurations that use the Request Native App for UserInfo property, the normalized-profile-to-managed-user.groovy and normalized-profile-to-managed-user.js scripts have been updated to set a flag that specifies how userinfo objects should be patched.

If you use these scripts, or a custom variation of these scripts, in your Apple SSO authentication tree, you should update your scripts to set the flag. You should also update your social provider journey to add a Scripted Decision node, as described in Request Native App for UserInfo.

Connections made by the CTS

OPENAM-13855 corrected an issue where the CTS was creating too many connections to DS. As a result, the number of connections created in your deployment might differ from before, now matching the expected number. Monitor your environments to ensure that this corrected number of connections is sufficient, and increase it if necessary.

Script content stored in clear text

In file-based configurations, script content is now stored in cleartext, rather than as a base64-encoded string. This makes it easier to find differences between old and new configurations. If you are upgrading AM from a previous version, existing scripts will still appear as base64-encoded strings in their corresponding configuration files. These scripts must be saved again in order for the cleartext script content to be stored in the configuration file. Note that script content is still base64-encoded in REST requests and responses.

OAuth 2.0 token introspection

  • The /oauth2/introspect endpoint now returns an additional member, username, which specifies the user that authorized the introspected token.

    As part of this change, the user_id member, which was used by earlier versions of the specification, is deprecated. It will be removed in a future version of AM.

    This change aligns the endpoint’s response with the OAuth 2.0 Token Introspection specification.

  • HTTP GET requests are now disallowed on the /oauth2/introspect endpoint by default. Using token as a query parameter on this endpoint is also disallowed. To change this behavior to suit existing clients, use the org.forgerock.openam.introspect.token.query.param.allowed advanced server property.

  • AM 7.2 changes the way the /oauth2/introspect and the /oauth2/tokeninfo endpoints return the value of the expires_in object.

    The expires_in object specifies the time, in seconds, that a token is valid for. For example, 3600 seconds. This value is set at token creation time, and it depends on the configuration of the OAuth2 Provider Service.

    When providing a token introspection or token information response, earlier versions of AM returned the value of the expires_in object as it was stored in the token. This means that any call to the endpoints while the token is valid returned the same value for the expires_in object.

    AM 7.2 calculates the number of seconds the token is still valid for and returns this value in the expires_in object. Therefore, repeated calls to the endpoints return different values for the object.

    However, the actual value of the expires_in object in the token does not change. Inspecting the token without using AM will show the value set at token creation time.

    The expires_in object is not always present in the endpoint response:

    • Introspection endpoint: AM only returns the expires_in object for client-side tokens issued to a client configured in the same realm as the resource owner’s.

    • Token information endpoint: AM does not return the expires_in object for client-side tokens issued to a client configured in a different realm than the resource owner’s.
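Added example, not AM or client-library code, covering two introspection changes in these notes: the refresh token claims realm, userName, authGrantId and clientID that older releases returned as single-element arrays (listed under AM 7.5, 7.4.1, 7.3.1 and 7.2.2) and now return as strings, and the username member that supersedes the deprecated user_id. introspect_view() models the AM 7.2 expires_in behaviour described above on a constructed stored-token record (the created and expires_in fields are assumptions for the example).

```python
"""Handle AM token introspection responses consistently across versions."""
from typing import Any, Dict

# Claims the release notes list as changed from ["value"] to "value".
_SINGLE_VALUED = ("realm", "userName", "authGrantId", "clientID")


def normalize_introspection(response: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy that looks the same whichever AM version produced it.

    - Unwraps single-element arrays for the four refresh-token claims.
    - Exposes the user as `username`, falling back to the deprecated
      `user_id` when an older server still sends only that member.
    The input dict is left untouched.
    """
    out = dict(response)
    for claim in _SINGLE_VALUED:
        value = out.get(claim)
        if isinstance(value, list):
            if len(value) != 1:
                raise ValueError(f"{claim}: expected one value, got {len(value)}")
            out[claim] = value[0]
    if "username" not in out and "user_id" in out:
        out["username"] = out["user_id"]
    out.pop("user_id", None)  # deprecated; slated for removal
    return out


def introspect_view(stored_token: Dict[str, Any], now: int) -> Dict[str, Any]:
    """Model the AM 7.2 response: expires_in is the remaining lifetime.

    `stored_token` is a constructed record with 'created' (epoch seconds)
    and 'expires_in' (seconds of validity fixed at creation). The stored
    value never changes; only the reported one counts down. A token whose
    lifetime has elapsed is reported as inactive.
    """
    remaining = stored_token["created"] + stored_token["expires_in"] - now
    if remaining <= 0:
        return {"active": False}
    view = {k: v for k, v in stored_token.items() if k != "created"}
    view["active"] = True
    view["expires_in"] = remaining
    return view
```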

OpenID Connect userinfo endpoint

AM 7.2 changes when the aud and iss objects are returned in the JWT response of the /oauth2/userinfo endpoint.

Earlier versions of AM returned the iss object when the user information response was a signed, encrypted, or a signed and encrypted JWT. The aud object was never returned.

AM 7.2 returns both the aud and iss objects when the response is a signed, or a signed and encrypted JWT, according to the OpenID Connect Core 1.0 incorporating errata set 1 specification.

The iss object is no longer returned when the response is an encrypted JWT.

Web and Java agent properties in AM admin UI

  • Web agent properties added

    • Use Built-in Apache HTTPD Authentication Directives (com.forgerock.agents.no.remoteuser.module.compatibility)

    • Hostname to IP Address Map (com.forgerock.agents.config.hostmap)

    • Retain Session Cache After Configuration Change (com.forgerock.agents.session.cache.eventually.consistent)

  • Java agent properties added

    • Recheck availability of AM (org.forgerock.agents.am.unavailability.recheck.window.in.seconds)

    • Enable Notification of Session Logout (org.forgerock.agents.session.change.notifications.enabled)

  • Deprecated Java agent properties removed

    • Fall-Forward Mode (org.forgerock.agents.fallforward.mode.enabled)

    • PDP Cache TTL in Milliseconds (com.sun.identity.agents.config.postdata.preserve.cache.entry.ttl)

  • Java agent property name changes

    The Java Agent property names have changed in AM admin UI. The new names reflect the names now used in the Java Agent documentation.

    Summary of new names
    Old Name                                                      New Name
    Accept SSO Tokens                                             Enable SSO Token Acceptance
    Agent Configuration Change Notification                       Enable Notifications of Agent Configuration Change
    Agent Filter Mode                                             Agent Filter Mode Map
    Allow Custom Login Mode                                       Enable Custom Login Mode
    AM Conditional Login URL                                      OAuth Login URL List
    AM Conditional Logout URL                                     Conditional Logout URL List
    AM Login URL                                                  AM Login URL List
    Application Logout URI                                        Logout URI Map
    Attribute Cookie Encode                                       Enable Attribute Encoding
    Authentication Fail Reason Url                                Authentication Fail URL
    CDSSO Domain List                                             JWT Cookie Domain List
    CDSSO Redirect URI                                            Authentication Redirect URI
    Continuous Security Cookies                                   Continuous Security Cookie Map
    Continuous Security Headers                                   Continuous Security Header Map
    Convert SSO Tokens into OpenID Connect JWTs                   Convert SSO Tokens Into OIDC JWTs
    Cookies Reset Domain Map                                      Reset Cookie Domain Map
    Cookies Reset Name List                                       Reset Cookie List
    Cookies Reset Path Map                                        Reset Cookie Path Map
    Custom Conditional Login URL                                  Legacy Login URL List
    Custom Response Header                                        Custom Response Header Map
    Encode Cookies                                                Enable Encoded Cookies
    Exchanged SSO Token Cache Size                                Max Entries in SSO Exchange Cache
    Exchanged SSO Token Cache Time to Live                        Exchanged SSO Token Cache TTL
    Expired Session Cache Max Records                             Max Entries in Expired Session Cache
    FQDN Check                                                    Enable FQDN Checking
    FQDN Default                                                  Default FQDN
    HTTP 302 Redirect Not Enforced List                           HTTP 302 Redirect Not-Enforced List
    HTTP 302 Redirect Replacement HTTP Code                       HTTP 302 Redirect Replacement HTTP Status Code
    HTTP 302 Redirects Enabled                                    Enable HTTP 302 Redirects
    Http Only                                                     Enable HTTP Only Cookies
    Invert Not Enforced IPs                                       Invert Not-Enforced IPs
    Invert Not Enforced URIs                                      Invert Not-Enforced URIs
    JWT Cache Size                                                Max Entries in JWT Cache
    Legacy User Agent Support Enable                              Enable Legacy Support Handlers
    Load Balancer Cookie Enabled                                  Enable Load Balancer Cookies
    Login Form URI                                                Login Form URI List
    Logout Entry URI                                              Logout Entry URI Map
    Logout Introspect Enabled                                     Enable Logout Introspection
    Logout Request Parameter                                      Logout Request Parameter Map
    Missing PDP entry URI                                         Missing POST Data Preservation Entry URI Map
    Not Enforced Client IP List                                   Not-Enforced Client IP List
    Not Enforced Favicon                                          Not-Enforced Favicon
    Not Enforced IP Cache Flag                                    Enable Not-Enforced IP Cache
    Not Enforced IP Cache Size                                    Max Entries in Not-Enforced IP Cache
    Not Enforced URIs Cache Enabled                               Enable Not-Enforced URIs Cache
    Not Enforced URIs Cache Size                                  Max Entries in Not-Enforced URI Cache
    Not Enforced URIs                                             Not-Enforced URIs
    PDP Cache TTL in Minutes                                      POST Data Preservation Cache TTL
    PDP Maximum Cache Size                                        POST Data Preservation Cache Size
    PDP Maximum Number of Cache Entries                           Max Entries in POST Data Preservation Cache
    PDP Stickysession key-value                                   POST Data Preservation Sticky Session Key Value
    PDP Stickysession mode                                        POST Data Preservation Sticky Session Mode
    Perform Policy Evaluation in User Authenticated Realm         Enable Policy Evaluation in User Authentication Realm
    Policy Cache Per User                                         Max Entries in Policy Cache per Session
    Policy Cache Size                                             Max Sessions in Policy Cache
    Policy Evaluation Realm                                       Policy Evaluation Realm Map
    Policy Set                                                    Policy Set Map
    Port Check Enable                                             Enable Port Checking
    Port Check File                                               Port Check Filename
    Port Check Setting                                            Port Check Protocol Map
    Possible XSS code elements                                    XSS Code Element List
    Post Data Preservation enabled                                Enable POST Data Preservation
    Pre-Authenticated Cookie Max Age                              Max Age of Pre-Authentication Cookie
    Pre-Authenticated Cookie Name                                 Pre-Authentication Cookie Name
    Profile Attribute Mapping                                     Profile Attribute Map
    Regular Expression Remove Query Parameters                    Regex Remove Query Parameters List for Policy Evaluation
    Remove Query Parameters                                       Remove Query Parameters List for Policy Evaluation
    Resource Access Denied URI                                    Access Denied URI Map
    Response Attribute Mapping                                    Response Attribute Map
    Restrict To Realm                                             Restrict to Realm Map
    Retain Query Parameters                                       Query Parameter List for Policy Evaluation
    Rotate Local Audit Log                                        Enable Local Audit Log Rotation
    Samesite Cookie Attributes Excluded User Agents Pattern List  Exclude Agents From Samesite Cookie Attributes
    Session Attribute Mapping                                     Session Attribute Map
    URL Policy Env GET Parameters                                 GET Parameter List for URL Policy Env
    URL Policy Env jsession Parameters                            JSession Parameter List for URL Policy Env
    URL Policy Env POST Parameters                                POST Parameter List for URL Policy Env
    User Principal Flag                                           Enable User Principal Flag
    User Token Name                                               User Session Name
    XSS detection redirect URI                                    XSS Redirect URI Map

Session and OAuth 2.0 token terminology

Sessions and OAuth 2.0 (or OpenID Connect) tokens that are stored in the CTS token store were previously referred to as CTS-based, and sessions/tokens that are returned to the client were referred to as client-based.

This release introduces new terminology to clarify and simplify the distinction between the two types of sessions and tokens, moving away from low-level descriptions to the following terms:

  • Server-side (previously called CTS-based)

  • Client-side (previously called client-based)

This change is reflected in both the documentation and the configuration settings that you see in the user interface.

Terminology for denying or allowing access

The AM 7.2 release initiates the move towards more descriptive and inclusive terminology for the concept of allowing or denying access to components or services.

Where you might previously configure a whitelist or a blacklist, you now configure an allowlist or a denylist. This renaming task is ongoing throughout the ForgeRock documentation and user interfaces.

Behavior when deleting UMA policies

In previous AM releases, deleting an UMA policy did not impact any nested UMA policies. In AM 7.2, if you delete an UMA policy, any nested UMA policies are deactivated.

For details, refer to Delete an UMA policy (REST).

Changes to the TreeContext class

AM 7.2 introduces the following changes to the TreeContext class:

  • New method added to preserve the secureState for internal nodes contained in a Page node: public TreeContext copyWithCallbacksAndState(JsonValue sharedState, JsonValue transientState, JsonValue secureState, List<? extends Callback> callbacks)

Changes in AM 7.1.x

Critical changes in AM 7.1

Decompressed JWTs

By default, AM rejects any JWT that expands to more than 32 KiB (32768 bytes) when decompressed.

For information about changing this default value, refer to Controlling the Maximum Size of Compressed JWTs.
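Added example, not AM's implementation: a bounded inflater that applies the 32 KiB (32768-byte) decompressed-size limit described above. JWE compression ("zip": "DEF") is raw DEFLATE per RFC 1951, hence wbits=-15; the sample payloads are constructed, and the limit is enforced while inflating so that a few dozen compressed bytes cannot be made to allocate an arbitrarily large buffer.

```python
"""Bounded DEFLATE inflation for compressed JWT payloads."""
import zlib

# Default the release notes describe: 32 KiB of decompressed output.
MAX_DECOMPRESSED_BYTES = 32 * 1024


class JwtTooLargeError(ValueError):
    """The decompressed payload would exceed the configured limit."""


def inflate_bounded(compressed: bytes, limit: int = MAX_DECOMPRESSED_BYTES) -> bytes:
    """Inflate raw-DEFLATE bytes, refusing output larger than `limit`.

    `max_length` caps what zlib produces in one call, so at most limit + 1
    bytes are ever materialised before the input is rejected; the check is
    not done after the fact on a fully inflated buffer.
    """
    inflater = zlib.decompressobj(wbits=-15)  # raw DEFLATE, no zlib header
    try:
        out = inflater.decompress(compressed, limit + 1)
    except zlib.error as exc:
        raise ValueError(f"malformed compressed payload: {exc}") from exc
    if len(out) > limit:
        raise JwtTooLargeError(f"decompressed payload exceeds {limit} bytes")
    if not inflater.eof:
        raise ValueError("incomplete compressed payload")
    return out


def deflate_raw(data: bytes) -> bytes:
    """Raw-DEFLATE compression, used here only to build sample inputs."""
    compressor = zlib.compressobj(level=9, wbits=-15)
    return compressor.compress(data) + compressor.flush()


if __name__ == "__main__":
    # Constructed samples: a realistic claims set, and a highly compressible
    # 40000-byte payload whose compressed form is tiny but inflates past 32 KiB.
    claims = b'{"iss":"https://am.example.com/am/oauth2","sub":"demo","exp":1700000000}'
    print(len(inflate_bounded(deflate_raw(claims))), "bytes accepted")
    bomb = deflate_raw(b"A" * 40000)
    try:
        inflate_bounded(bomb)
    except JwtTooLargeError as err:
        print(f"{len(bomb)} compressed bytes rejected: {err}")
```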

Maximum request body size

By default, AM rejects incoming requests with a body larger than 1 MB (1048576 bytes) in size, and returns an HTTP 413 error response.

For information about changing the default value, refer to Limiting the Size of the Request Body.

OAuth 2.0 and OpenID Connect clients

This change affects AM when acting as an OAuth 2.0 or OpenID Connect client.

If a redirection URI uses a scheme, host, or port that differs from that of AM, add it to the Validation Service to ensure that it is pre-approved.

Otherwise, AM rejects the URI, and redirection fails. For details, refer to Configuring Success and Failure Redirection URLs.

Retry Limit Decision node

The new Save Retry Limit to User option in this node is disabled by default after upgrade. For security reasons, it is strongly recommended that you enable this option after upgrade. Enabling the option requires an update to the identity store schema.

One-time passwords stored in transient state

One-time passwords created by the HOTP Generator node are now stored in the authentication tree’s transient state, instead of in the shared state.

Modify any custom authentication nodes or scripts used by the Scripted Decision node to retrieve the one-time passwords from the transient state after upgrading.

Changes to OAuth 2.0 and OIDC script bindings

The format for the following script bindings changed for this release:

requestUri

Old format: String

New format: String with query parameters; for example, http://openam.example.com:8080/openam/oauth2/authorize?test=test

requestParams

Old format: String

New format: Each parameter is returned as an array; for example, grant_type:[authorization_code]

Important changes in AM 7.1.x

AM 7.1.3

OAuth 2.0 introspection changes

HTTP GET requests are now disallowed on the /oauth2/introspect endpoint by default. Using token as a query parameter on this endpoint is also disallowed. To change this behavior to suit existing clients, use the org.forgerock.openam.introspect.token.query.param.allowed advanced server property.

Base URL X-Forwarded-* headers

  • Previously, if you set the Base URL source to X-Forwarded-* headers and no X-Forwarded-Proto header was provided, the generated URL would have a protocol of null, for example null://host, which would result in a broken URL.

    From this release, if no X-Forwarded-Proto header is provided, a fallback scheme is used, based on the URI of the request.

  • You can now specify a port in the Base URL, using the X-Forwarded-Port header.

  • If multiple X-Forwarded-Host headers are specified, the outermost proxy host is used.
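Added example, not AM's implementation, modelling the Base URL behaviour described here and in the AM 7.3 section: scheme from X-Forwarded-Proto with fallback to the request URI, port from X-Forwarded-Port, and the first X-Forwarded-Host value taken as the outermost proxy (that reading of "outermost" is an assumption). The legacy function reproduces the null://host failure for comparison; headers are passed as (name, value) pairs so repeated header lines can be represented.

```python
"""Derive a public base URL from X-Forwarded-* headers."""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

Header = Tuple[str, str]  # (name, value) as received; names compared case-insensitively


def _values(headers: List[Header], name: str) -> List[str]:
    """All values sent for `name`, in order, with comma-joined lists split.

    A proxy may add a second header line or append to an existing value
    with a comma; both forms end up as one flat, ordered list here.
    """
    out: List[str] = []
    for key, value in headers:
        if key.lower() == name.lower():
            out.extend(part.strip() for part in value.split(",") if part.strip())
    return out


def legacy_base_url(headers: List[Header], request_uri: str) -> str:
    """The earlier behaviour the notes describe: a missing X-Forwarded-Proto
    yields the unusable 'null://host'. Kept only to show the failure mode."""
    proto = _values(headers, "X-Forwarded-Proto")
    hosts = _values(headers, "X-Forwarded-Host")
    scheme = proto[0] if proto else "null"
    host = hosts[0] if hosts else urlsplit(request_uri).netloc
    return f"{scheme}://{host}"


def base_url(headers: List[Header], request_uri: str) -> str:
    """The corrected behaviour:

    - scheme: X-Forwarded-Proto, else the scheme of the request URI;
    - host: X-Forwarded-Host; with several values, the outermost proxy's,
      read here as the first value (assumption: the outermost proxy writes first);
    - port: X-Forwarded-Port if present, else a port embedded in the host
      value; the scheme's default port is omitted from the result.
    """
    request = urlsplit(request_uri)

    proto = _values(headers, "X-Forwarded-Proto")
    scheme = (proto[0] if proto else request.scheme).lower()
    if scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {scheme!r}")

    hosts = _values(headers, "X-Forwarded-Host")
    # urlsplit on '//host[:port]' separates hostname and port, IPv6 included.
    authority = urlsplit("//" + (hosts[0] if hosts else request.netloc))
    hostname = authority.hostname
    if not hostname:
        raise ValueError("no host available from headers or request URI")
    if ":" in hostname:  # IPv6 literal: urlsplit strips the brackets
        hostname = f"[{hostname}]"

    ports = _values(headers, "X-Forwarded-Port")
    port: Optional[int] = int(ports[0]) if ports else authority.port
    if port is not None and not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")

    default_port = 443 if scheme == "https" else 80
    if port is None or port == default_port:
        return f"{scheme}://{hostname}"
    return f"{scheme}://{hostname}:{port}"
```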

AM 7.1.2

Java agent property name changes

The Java agent property names have changed in the AM admin UI. The new names reflect the names now used in the Java agent documentation.

Summary of new names
Old Name                                                      New Name
Accept SSO Tokens                                             Enable SSO Token Acceptance
Agent Configuration Change Notification                       Enable Notifications of Agent Configuration Change
Agent Filter Mode                                             Agent Filter Mode Map
Allow Custom Login Mode                                       Enable Custom Login Mode
AM Conditional Login URL                                      OAuth Login URL List
AM Conditional Logout URL                                     Conditional Logout URL List
AM Login URL                                                  AM Login URL List
Application Logout URI                                        Logout URI Map
Attribute Cookie Encode                                       Enable Attribute Encoding
Authentication Fail Reason Url                                Authentication Fail URL
CDSSO Domain List                                             JWT Cookie Domain List
CDSSO Redirect URI                                            Authentication Redirect URI
Continuous Security Cookies                                   Continuous Security Cookie Map
Continuous Security Headers                                   Continuous Security Header Map
Convert SSO Tokens into OpenID Connect JWTs                   Convert SSO Tokens Into OIDC JWTs
Cookies Reset Domain Map                                      Reset Cookie Domain Map
Cookies Reset Name List                                       Reset Cookie List
Cookies Reset Path Map                                        Reset Cookie Path Map
Custom Conditional Login URL                                  Legacy Login URL List
Custom Response Header                                        Custom Response Header Map
Encode Cookies                                                Enable Encoded Cookies
Exchanged SSO Token Cache Size                                Max Entries in SSO Exchange Cache
Exchanged SSO Token Cache Time to Live                        Exchanged SSO Token Cache TTL
Expired Session Cache Max Records                             Max Entries in Expired Session Cache
FQDN Check                                                    Enable FQDN Checking
FQDN Default                                                  Default FQDN
HTTP 302 Redirect Not Enforced List                           HTTP 302 Redirect Not-Enforced List
HTTP 302 Redirect Replacement HTTP Code                       HTTP 302 Redirect Replacement HTTP Status Code
HTTP 302 Redirects Enabled                                    Enable HTTP 302 Redirects
Http Only                                                     Enable HTTP Only Cookies
Invert Not Enforced IPs                                       Invert Not-Enforced IPs
Invert Not Enforced URIs                                      Invert Not-Enforced URIs
JWT Cache Size                                                Max Entries in JWT Cache
Legacy User Agent Support Enable                              Enable Legacy Support Handlers
Load Balancer Cookie Enabled                                  Enable Load Balancer Cookies
Login Form URI                                                Login Form URI List
Logout Entry URI                                              Logout Entry URI Map
Logout Introspect Enabled                                     Enable Logout Introspection
Logout Request Parameter                                      Logout Request Parameter Map
Missing PDP entry URI                                         Missing POST Data Preservation Entry URI Map
Not Enforced Client IP List                                   Not-Enforced Client IP List
Not Enforced Favicon                                          Not-Enforced Favicon
Not Enforced IP Cache Flag                                    Enable Not-Enforced IP Cache
Not Enforced IP Cache Size                                    Max Entries in Not-Enforced IP Cache
Not Enforced URIs Cache Enabled                               Enable Not-Enforced URIs Cache
Not Enforced URIs Cache Size                                  Max Entries in Not-Enforced URI Cache
Not Enforced URIs                                             Not-Enforced URIs
PDP Cache TTL in Minutes                                      POST Data Preservation Cache TTL
PDP Maximum Cache Size                                        POST Data Preservation Cache Size
PDP Maximum Number of Cache Entries                           Max Entries in POST Data Preservation Cache
PDP Stickysession key-value                                   POST Data Preservation Sticky Session Key Value
PDP Stickysession mode                                        POST Data Preservation Sticky Session Mode
Perform Policy Evaluation in User Authenticated Realm         Enable Policy Evaluation in User Authentication Realm
Policy Cache Per User                                         Max Entries in Policy Cache per Session
Policy Cache Size                                             Max Sessions in Policy Cache
Policy Evaluation Realm                                       Policy Evaluation Realm Map
Policy Set                                                    Policy Set Map
Port Check Enable                                             Enable Port Checking
Port Check File                                               Port Check Filename
Port Check Setting                                            Port Check Protocol Map
Possible XSS code elements                                    XSS Code Element List
Post Data Preservation enabled                                Enable POST Data Preservation
Pre-Authenticated Cookie Max Age                              Max Age of Pre-Authentication Cookie
Pre-Authenticated Cookie Name                                 Pre-Authentication Cookie Name
Profile Attribute Mapping                                     Profile Attribute Map
Regular Expression Remove Query Parameters                    Regex Remove Query Parameters List for Policy Evaluation
Remove Query Parameters                                       Remove Query Parameters List for Policy Evaluation
Resource Access Denied URI                                    Access Denied URI Map
Response Attribute Mapping                                    Response Attribute Map
Restrict To Realm                                             Restrict to Realm Map
Retain Query Parameters                                       Query Parameter List for Policy Evaluation
Rotate Local Audit Log                                        Enable Local Audit Log Rotation

Samesite Cookie Attributes Excluded User Agents Pattern List

Exclude Agents From Samesite Cookie Attributes

Session Attribute Mapping

Session Attribute Map

URL Policy Env GET Parameters

GET Parameter List for URL Policy Env

URL Policy Env jsession Parameters

JSession Parameter List for URL Policy Env

URL Policy Env POST Parameters

POST Parameter List for URL Policy Env

User Principal Flag

Enable User Principal Flag

User Token Name

User Session Name

XSS detection redirect URI

XSS Redirect URI Map

AM 7.1.1
Connections made by the CTS

OPENAM-13855 corrected an issue where the CTS was creating too many connections to DS. After this fix, the number of connections AM opens to DS in your deployment might differ from before, because it is now the expected number. Monitor your environment to ensure that the corrected number of connections is sufficient, and increase it if necessary.

Delegated admin can now query user profile attributes

Admin privileges have been changed to let a delegated admin read user profile attributes. For example, this request, made with the SSO token of a delegated admin passed in the iPlanetDirectoryPro header (placeholder value shown), returns the OAuth 2.0 applications that have been authorized by the demo user:

curl --request GET \
--header "iPlanetDirectoryPro: <delegated-admin-sso-token>" \
'https://openam.example.com:8443/openam/json/users/demo/oauth2/applications?_queryFilter=true'

OAuth 2.0 token introspection

The OAuth2 token introspection response is now compliant with RFC 7662 and returns a username rather than a user_id.

The expires_in value returned from OAuth 2.0 endpoints

AM 7.1.1 changes the way the /oauth2/introspect and the /oauth2/tokeninfo endpoints return the value of the expires_in object.

The expires_in object specifies the time, in seconds, that a token is valid for. For example, 3600 seconds. This value is set at token creation time, and it depends on the configuration of the OAuth2 Provider Service.

When providing a token introspection or token information response, earlier versions of AM returned the value of the expires_in object as it was stored in the token. This means that any call to the endpoints while the token is valid returned the same value for the expires_in object.

AM 7.1.1 calculates the number of seconds the token is still valid for and returns this value in the expires_in object. Therefore, repeated calls to the endpoints return decreasing values for the object.

However, the actual value of the expires_in object in the token does not change. Inspecting the token without using AM will show the value set at token creation time.

The expires_in object is not always present in the endpoint response:

Introspection endpoint

AM only returns the expires_in object for client-based tokens issued to a client configured in the same realm as the resource owner’s.

Token information endpoint

AM does not return the expires_in object for client-based tokens issued to a client configured in a different realm than the resource owner’s.

The OIDC /oauth2/userinfo endpoint return values

AM 7.1.1 changes when the aud and iss objects are returned in the JWT response of the OIDC /oauth2/userinfo endpoint.

Earlier versions of AM returned the iss object when the user information response was a signed, encrypted, or a signed and encrypted JWT. The aud object was never returned.

AM 7.1.1 now returns both the aud and iss objects when the response is a signed, or a signed and encrypted JWT, in line with the OpenID Connect Core 1.0 incorporating errata set 1 specification.

The iss object is no longer returned when the response is an encrypted JWT.

AM 7.1
AM-SESSION-DESTROYED no longer logged

In previous AM releases, session timeout triggered two events. This could cause AM to send two logout tokens on a timeout, if an OAuth 2.0 client was registered for back-channel logout notifications on the session.

With this change, a session is still destroyed on timeout but this is done as part of the timeout event, and the AM-SESSION-DESTROYED activity is not logged.

SAML v2.0 IdP discovery service redirection URLs

The IdP discovery service now includes a mandatory field to configure valid redirection URLs; for example, the URLs of the SPs configured in the CoT to which the discovery service belongs.

After upgrading to AM 7.1, you must:

  • Redeploy the IdP discovery application and reconfigure it to include the valid redirection URLs.

  • Configure the valid redirection URLs in the Validation Service of each of the IdPs, in the Top Level Realm.

For more information, refer to:

  • Deploying the IdP Discovery Service

  • To Configure the Validation Service

Example remote consent service and secret stores

The remote consent service example has been migrated to use AM’s secret store functionality.

As part of this change, the signing and encryption fields have been removed from the global and realm service configurations and replaced by secret IDs.

For the secret IDs and further details, refer to The Remote Consent Service.

If you configured the remote consent service example before upgrading, the upgrade process will migrate any secret configuration available to global or realm secret stores.

sub claim in access and ID tokens

The subject claim of access tokens and ID tokens has changed formats to ensure that it is locally unique, as required by the OpenID Connect specification. The new Backchannel logout tokens also use the new format.

The subject claim is in the format (type!subject), where:

  • subject is the identifier of the user/identity, or the name of the OAuth 2.0/OpenID Connect client that is the subject of the token.

  • type can be one of the following:

    • age. Specifies that the subject is an OAuth 2.0/OpenID Connect-related user-agent or client. For example, an OAuth 2.0 client, a Remote Consent Service agent, and a Web and Java Agent internal client.

    • usr. Specifies that the subject is a user/identity.

      For example, (usr!demo), or (age!myOAuth2Client).

Clients that use the sub claim to determine the identity about which the token asserts information are impacted by this change.

To make transitioning to the new format easier, AM 7.1 also includes the following:

  • A new advanced server property, org.forgerock.security.oauth2.enforce.sub.claim.uniqueness.

    This property controls whether AM should create tokens using the new sub claim format or not, and it is disabled after an upgrade to AM 7.1, and enabled in new installations.

    Tokens using the old sub format will still be accepted after the property is enabled. However, earlier versions of AM cannot read tokens with the new format.

  • A new claim: subname.

    The value of the subname claim matches the value of the sub claim used in versions of AM earlier than 7.1. It also matches the value of the sub claim if you disable the org.forgerock.security.oauth2.enforce.sub.claim.uniqueness property.

    An example of the value of the subname claim is demo, or myOauth2Client.

    AM adds the subname claim to access and logout tokens regardless of the configuration of the new advanced server property. The claim is also available to ID tokens, but it is not included in the OIDC Claims Script. Therefore, AM does not add it to ID tokens by default.

Before you enable the advanced server property, make sure that your clients can use the new sub claim format, or a combination of the sub and the subname claims.
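As an added illustration (not code from AM or from this release note), the following Python shows how a relying party can accept both sub formats during the transition, and why the typed form matters for anything keyed on the subject. It assumes the claim set has already been signature-checked, and it treats subname as carrying the same value as the subject part of a typed sub, which is how the note above describes the two claims.

```python
import re

# AM 7.1 "locally unique" sub format: "(type!subject)", where type is
# "usr" (user/identity) or "age" (OAuth 2.0/OIDC client or agent).
_TYPED_SUB = re.compile(r"^\((?P<type>usr|age)!(?P<subject>.+)\)$")


def parse_sub(sub: str) -> tuple:
    """Split a sub claim into (type, subject).

    "(usr!demo)"             -> ("usr", "demo")
    "(age!myOAuth2Client)"   -> ("age", "myOAuth2Client")
    "demo" (pre-7.1 format)  -> ("legacy", "demo")   # type unknown
    """
    m = _TYPED_SUB.match(sub)
    if m:
        return m.group("type"), m.group("subject")
    return "legacy", sub


def token_identity(claims: dict) -> dict:
    """Resolve the identity a token asserts, accepting both sub formats.

    The claim set is assumed to be already verified; this only interprets it.
    When subname is present it must agree with the subject part of sub
    (assumption drawn from the note: both come from the same identity);
    a mismatch is treated as a malformed token.
    """
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ValueError("token has no usable sub claim")
    sub_type, subject = parse_sub(sub)
    subname = claims.get("subname")
    if subname is not None and subname != subject:
        raise ValueError(f"sub {sub!r} and subname {subname!r} disagree")
    return {"type": sub_type, "subject": subject}


def identity_key(claims: dict) -> str:
    """Key for per-subject state such as consent records or caches.

    The type prefix is what the new format adds: a user named "demo" and a
    client named "demo" no longer collapse onto the same key. Legacy tokens
    still do, which is why clients should handle the typed form before
    org.forgerock.security.oauth2.enforce.sub.claim.uniqueness is enabled.
    """
    ident = token_identity(claims)
    return f"{ident['type']}:{ident['subject']}"


# Constructed sample claim sets (payload fragments only, not real tokens).
LEGACY_USER = {"sub": "demo", "subname": "demo"}
TYPED_USER = {"sub": "(usr!demo)", "subname": "demo"}
TYPED_CLIENT = {"sub": "(age!demo)", "subname": "demo"}  # a client named "demo"
```

Until the property is enabled, tokens look like LEGACY_USER and the type is unknowable from the token alone; once it is enabled, the same user and a same-named client produce distinct keys.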

Maximum size of decompressed JWTs enforced

A number of AM features accept JWTs to receive information. Some examples are:

  • The Remote Consent service, when it receives consent responses.

  • The OAuth 2.0/OpenID Connect authorization service, when:

    • OpenID Connect clients send request parameters as an encrypted JWT instead of as HTTP parameters.

    • OpenID Connect clients register dynamically using software statements.

  • The Authentication service, when configured to issue client-based sessions.

These JWTs that AM receives can be signed and/or encrypted. Sometimes, if they are fairly large, they can also be compressed so that requests reach AM faster. Decompressing a JWT makes it expand in size, which is what makes compressed input a denial-of-service vector: a few kilobytes on the wire can expand into a very large payload. By default, AM 7.1 rejects any JWT that expands to more than 32 KiB (32768 bytes). Before upgrade, ensure that the JWTs your clients send to AM are smaller than 32 KiB before compression, that is, once decompressed.

If they are not, raise the default value after upgrade. For information about changing the default value, refer to Controlling the Maximum Size of Compressed JWTs.

Maximum request body size

Application servers can usually mitigate against DoS attacks that POST large amounts of form data, but AM endpoints may receive large amounts of POST data in different ways, such as in JSON, JWT, or JWK formats.

By default, AM 7.1 rejects incoming requests with a body larger than 1 MB (1048576 bytes) in size, and returns an HTTP 413 error response.

For information about changing the default value, refer to Limiting the Size of the Request Body.

Web and Java agent profiles
  • Web agents

    Added properties

    AM Load Balancer Cookie Enabled (com.forgerock.agents.config.add.amlbcookie)

    Renamed properties

    The Agent Profile ID Whitelist property is now Agent Profile ID Allow List.

  • Java agents

    Added properties
    • Load Balancer Cookie Enabled (org.forgerock.agents.load.balancer.cookies.enabled)

    • Load Balancer Cookie Name (org.forgerock.agents.load.balancer.cookie.name)

    • Client IP Validation Mode (org.forgerock.agents.original.ip.check.mode.map)

    • Client IP Validation Address Range (org.forgerock.agents.acceptable.ip.address.map)

    • Perform Policy Evaluation in User Authenticated Realm (org.forgerock.agents.user.realm.overrides.policy.evaluation.realm.enabled)

    • Accept SSO Tokens (org.forgerock.agents.accept.sso.tokens.enabled)

    • SSO Cookie Domain List (org.forgerock.agents.ipdp.cookie.domain.list)

    • Expired Session Cache Timeout (org.forgerock.agents.sso.expired.session.cache.ttl.minutes)

    • Expired Session Cache Max Records (org.forgerock.agents.expired.session.cache.size)

    • HTTP 302 Redirects Enabled (org.forgerock.agents.302.redirects.enabled)

    • HTTP 302 Redirect Replacement HTTP Code (org.forgerock.agents.302.redirect.http.status.code)

    • HTTP 302 Redirect Content Type (org.forgerock.agents.302.redirect.http.content.type)

    • HTTP 302 Redirect Data (org.forgerock.agents.302.redirect.http.data)

    • HTTP 302 Redirect Not Enforced List (org.forgerock.agents.302.redirect.ner.list)

    • HTTP 302 Redirect Invert Not Enforced List (org.forgerock.agents.302.redirect.invert.enabled)

    Renamed properties

    The CDSSO Secure Enable property is now Transmit Cookies Securely.

    Removed properties
    • Secure Cookies (org.forgerock.agents.jwt.cookie.secure.enabled)

    • Session Logout Notification (org.forgerock.agents.session.change.notifications.enabled)

    • Debug Logfile Directory (com.iplanet.services.debug.directory)

    • Audit Logfile Path (org.forgerock.agents.local.audit.file.path)

    • Service Resolver Class Name (org.forgerock.agents.service.resolver.class.name)

OpenID Connect Discovery endpoint disabled by default

The /.well-known/webfinger OpenID Connect discovery endpoint is now disabled by default, and can only be enabled by realm.

To enable the endpoint for a realm, configure the OAuth2 Provider service on the realm, and then enable the new OIDC Provider Discovery switch. Enabling the endpoint for the realm allows searches for users within that realm only.

After upgrading to AM 7.1, the endpoint will be enabled on realms that had the OAuth2 Provider service configured. Disable the endpoint on those realms that are not using OpenID Connect discovery.

For details, refer to OpenID Connect Discovery.

OAuth 2.0 and OpenID Connect clients

AM 7.1 returns an error if the administrator tries to save a client configuration containing an unsupported signing or encryption algorithm.

For example, upon saving the configuration, AM returns an error if an algorithm name is misspelled, or if a symmetric signing or encryption algorithm is configured on a public client: symmetric algorithms derive their key from the client’s secret, which public clients do not have.

Clients registering dynamically must also send supported algorithms as part of their configuration, or AM will reject the registration request.

Different features support different algorithms. Refer to the documentation or to the UI for more information.

The following are examples of the errors:

  • Unknown encryption algorithm configured for User info encrypted response algorithm

  • Symmetric encryption algorithm configured for ID Token Encryption Algorithm is not allowed for a public client

The error messages are also logged at ERROR level, and identify the client ID to which the error relates.

One-time passwords stored in transient state

One-time passwords created by the HOTP Generator node are now stored in the authentication tree’s transient state, instead of in the shared state.

Modify any custom authentication nodes or scripts used by the Scripted Decision node to retrieve the one-time passwords from the transient state after upgrading to AM 7.1.

For details, refer to Storing Values in a Tree’s Node States.

Changes to the TreeContext class

AM 7.1 introduces the following changes to the TreeContext class:

  • New method added to preserve the secureState for internal nodes contained in a Page node: public TreeContext copyWithCallbacksAndState(JsonValue sharedState, JsonValue transientState, JsonValue secureState, List<? extends Callback> callbacks)

  • New method added to provide nodes with access to secureState: public TreeContext copyWithCallbacks(List<? extends Callback> callbacks)

Changes in AM 7.0.x

Critical changes in AM 7.0.2

Decompressed JWTs

By default, AM rejects any JWT that expands to more than 32 KiB (32768 bytes) when decompressed.

For information about changing this default value, refer to Controlling the Maximum Size of Compressed JWTs.

Maximum request body size

By default, AM rejects incoming requests with a body larger than 1 MB (1048576 bytes) in size, and returns an HTTP 413 error response.

For information about changing the default value, refer to Limiting the Size of the Request Body.

One-time passwords stored in transient state

One-time passwords created by the HOTP Generator node are now stored in the authentication tree’s transient state, instead of in the shared state.

Modify any custom authentication nodes or scripts used by the Scripted Decision node to retrieve the one-time passwords from the transient state after upgrading.

Critical changes in AM 7.0.0

User profile allowlist

The profile attribute allowlist controls the information returned to non-administrative users when accessing json/user endpoints.

Common profile attributes are allowlisted by default, but you need to add any custom attribute you want your non-administrative users to see. For more information, refer to Configuring the User Profile Whitelist.

/json/authenticate

When a client makes a call to the /json/authenticate endpoint appending a valid SSO token, AM returns the tokenId field empty if HttpOnly cookies are enabled. For example:

{
    "tokenId":"",
    "successUrl":"/openam/console",
    "realm":"/alpha"
}

Secure authentication tree state secret ID

An AES 256-bit key called directenctest must be available in the environment during upgrade, but it does not need to be the same key that AM provides on the default keystore.

After upgrade, ensure that the am.authn.trees.transientstate.encryption secret ID is always mapped to an existing, resolvable secret or key alias. Failure to do so may result in trees not working as expected.

Embedded DS

The embedded DS can only be used for single AM instances, for test and demo purposes. Sites are not supported.

Sites using embedded DS servers must be migrated to external DS servers before upgrading.

SAML v2.0 secrets

AM 7 migrated SAML v2.0 to use secret stores. The upgrade process only creates the secret store files on the AM instance where you ran the upgrade process. For more information, refer to "Configuring Secret Stores After Upgrade".

goto and gotoOnFail redirections

Redirection URLs for authentication services, agents, and SAML v.2.0 must be configured in the Validation Service if they are not in the same scheme, FQDN, and port as AM, or are not relative to AM’s URL.

Web agents earlier than version 5.6.3

Several properties that used to be configured as custom properties (com.sun.identity.agents.config.freeformproperties) have been added as regular properties. Due to this change, upgrading to AM 7 will overwrite the value of the original custom properties with the default value of the new UI properties.

To work around this issue, perform one of the following actions:

  • Upgrade to Web Agents 5.6.3 or later before upgrading to AM 7.

  • After upgrading to AM 7, reconfigure the properties that you configured as custom properties in their new UI counterparts.

Changes to the CTS reaper tuning properties

AM 7 changes the way the CTS reaper searches for expired tokens.

After upgrading, retune the CTS Reaper using the information in Reaper Search Size.

OIDC clients authenticating with JWTs

OIDC clients authenticating with JWTs must include in the JWT a jti claim containing a unique identifier, in line with OpenID Connect Core 1.0 incorporating errata set 1.

AM flags cookies as secure if they come through a connection marked as secure, or if they come through HTTPS. See "Managing the Secure Cookie Filter".

Important changes in AM 7.0.x

AM 7.0.2
Maximum size of decompressed JWTs enforced

A number of AM features accept JWTs to receive information. Some examples are:

  • The Remote Consent service, when it receives consent responses.

  • The OAuth 2.0/OpenID Connect authorization service, when:

    • OpenID Connect clients send request parameters as an encrypted JWT instead of as HTTP parameters.

    • OpenID Connect clients register dynamically using software statements.

  • The Authentication service, when configured to issue client-based sessions.

These JWTs that AM receives can be signed and/or encrypted. Sometimes, if they are fairly large, they can also be compressed so that requests reach AM faster. Decompressing a JWT makes it expand in size, which is what makes compressed input a denial-of-service vector: a few kilobytes on the wire can expand into a very large payload. By default, AM 7.0.2 rejects any JWT that expands to more than 32 KiB (32768 bytes). Before upgrade, ensure that the JWTs your clients send to AM are smaller than 32 KiB before compression, that is, once decompressed.

If they are not, raise the default value after upgrade. For information about changing the default value, refer to Controlling the Maximum Size of Compressed JWTs.

Maximum request body size

Application servers can usually mitigate against DoS attacks that POST large amounts of form data, but AM endpoints may receive large amounts of POST data in different ways, such as in JSON, JWT, or JWK formats.

By default, AM 7.0.2 rejects incoming requests with a body larger than 1 MB (1048576 bytes) in size, and returns an HTTP 413 error response.

For information about changing the default value, refer to Limiting the Size of the Request Body.

OAuth 2.0 and OpenID Connect clients

AM 7.0.2 returns an error if the administrator tries to save a client configuration containing an unsupported signing or encryption algorithm.

For example, upon saving the configuration, AM returns an error if an algorithm name is misspelled, or if a symmetric signing or encryption algorithm is configured on a public client: symmetric algorithms derive their key from the client’s secret, which public clients do not have.

Clients registering dynamically must also send supported algorithms as part of their configuration, or AM will reject the registration request.

Different features support different algorithms. Refer to the documentation or to the UI for more information.

The following are examples of the errors:

  • Unknown encryption algorithm configured for User info encrypted response algorithm

  • Symmetric encryption algorithm configured for ID Token Encryption Algorithm is not allowed for a public client

The error messages are also logged at ERROR level, and identify the client ID to which the error relates.

One-time passwords stored in transient state

One-time passwords created by the HOTP Generator node are now stored in the authentication tree’s transient state, instead of in the shared state.

Modify any custom authentication nodes or scripts used by the Scripted Decision node to retrieve the one-time passwords from the transient state after upgrading to AM 7.0.2.

For details, refer to Storing Values in a Tree’s Node States.

OpenID Connect Discovery endpoint disabled by default

The /.well-known/webfinger OpenID Connect discovery endpoint is now disabled by default, and can only be enabled by realm.

To enable the endpoint for a realm, configure the OAuth2 Provider service on the realm and next, enable the new OIDC Provider Discovery switch. Enabling the endpoint for the realm allows searches for users within that realm only.

After upgrading to AM 7.0.2, the endpoint will be enabled on realms that had the OAuth2 Provider service configured. Disable the endpoint on those realms that are not using OpenID Connect discovery.

For details, refer to OpenID Connect Discovery.

OAuth 2.0 token introspection

The /oauth2/introspect endpoint now returns an additional member, username, which specifies the user that authorized the introspected token.

As part of this change, the user_id member, which was used by earlier versions of the specification, is deprecated. It will be removed in a future version of AM.

This change aligns the endpoint’s response with the OAuth 2.0 Token Introspection specification.

AM 7.0.1
Ability to configure a failure URL in server-side authentication scripts

Server-side scripts can now redirect users to specific URLs after authentication failure.

For more information, refer to Redirecting the User After Authentication Failure.

AM 7.0.0
Upgrading with embedded DS

The embedded DS server is not supported for production in AM 7. Therefore, if you have a site configured with embedded DS, you must migrate it to an external DS store before upgrading to AM 7.

The embedded DS is deprecated in 7 and will be removed in a future release.

As part of this change, the embedded DS does not support replication, and cannot be configured as part of a site. The relevant replication options for the installer UI and Amster have been removed.

How do I know if my deployment uses the embedded DS?
  • (AM 6 or earlier) Go to Deployment > Servers > Server Name > Advanced, and check the value of the com.sun.identity.sm.sms_object_class_name advanced property.

    If the value is com.sun.identity.sm.ldap.SMSEmbeddedLdapObject, the server is an evaluation instance of AM, and is using an embedded DS instance as the configuration store.

  • In the server where AM is installed, check if the opends directory exists under the /path/to/openam directory.

    You might have migrated it to an external directory and not deleted the directory, though. Check the files in the opends/logs directory to determine if the embedded DS is running.

  • Go to Deployment > Servers > Server Name > Directory Configuration > Server, and check the value of the host name column.

    When using an external configuration store, the AM instances point to the FQDN of the load balancer in front of the DS cluster, or to the FQDN of the DS affinity deployment.

    When using an embedded configuration store, each AM instance points to its own hostname, because the embedded DS is stored alongside the AM instance.

AM 7 requires secure connections

AM 7 introduces a secure by default approach. One aspect of this approach is that all connections to DS instances must be secure; for example, by using LDAPS.

To connect to a DS instance using LDAPS, AM requires access to the self-signed certificate that DS generates.

To provide these certificates to AM, you must use a truststore that contains the necessary certificates, and configure AM to use that truststore when starting up.

Evaluation installs of AM attempt to automatically add DS’s self-signed certificate to the truststore defined by the javax.net.ssl.trustStore system property.

If the property is not defined, AM creates a copy of the JDK’s default lib/security/cacerts truststore, names it truststore, and places it in /path/to/openam/security/keystores/.

For details, refer to Preparing a Truststore.

goto and gotoOnFail redirections

Earlier versions of AM redirected the user to the URL specified in the goto and gotoOnFail query string parameters supplied to the authentication service, SAML v2.0 entities, or agents during login and logout. To harden security against phishing attacks, we recommended that you configure the Validation Service.

By default, AM 7 only redirects to the URLs specified in those query string parameters if the URLs are in the same scheme, FQDN, and port as AM, or to URLs relative to AM. You must configure any other URL in the Validation Service.

For details, refer to Configuring Success and Failure Redirection URLs.
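The rule stated above, as an added Python example rather than AM’s own code: relative paths and URLs on AM’s exact scheme, FQDN and port are followed; anything else needs a Validation Service entry. The base URL and the Validation Service entries are assumed values, and entries are matched by origin, a simplification of the patterns the real service accepts. The negative cases are the usual open-redirect tricks that a naive string-prefix check on the goto value lets through.

```python
from urllib.parse import urlsplit

# Assumed AM base URL for the example; not taken from the release note.
AM_BASE_URL = "https://openam.example.com:8443/openam"

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url: str):
    """(scheme, host, port) with default ports filled in, or None if unusable."""
    p = urlsplit(url)
    if p.scheme not in _DEFAULT_PORTS or not p.hostname:
        return None
    try:
        port = p.port or _DEFAULT_PORTS[p.scheme]
    except ValueError:  # e.g. "host:8443.evil.example" has a non-numeric port
        return None
    return (p.scheme, p.hostname, port)


def is_allowed_goto(goto: str, am_base_url: str = AM_BASE_URL,
                    validation_service: tuple = ()) -> bool:
    """Decide whether a goto/gotoOnFail value may be followed.

    Accepts paths relative to AM, and absolute URLs whose scheme, FQDN and
    port match AM's own or a Validation Service entry. Everything else is
    refused, so whoever controls the query string cannot turn the login flow
    into an open redirect to a phishing page.
    """
    if not goto or any(c in goto for c in "\r\n\t\x00"):
        return False
    if "\\" in goto:
        return False  # browsers treat "\" as "/": "/\evil" becomes "//evil"
    if goto.startswith("/"):
        return not goto.startswith("//")  # "//evil.example" is scheme-relative
    target = _origin(goto)
    if target is None:
        return False  # "javascript:", "evil.example/path", bad port, ...
    if target == _origin(am_base_url):
        return True
    allowed = {_origin(u) for u in validation_service}
    allowed.discard(None)
    return target in allowed
```

Note that userinfo ("https://openam.example.com@evil.example/") and look-alike ports ("openam.example.com:8443.evil.example") both parse to something other than AM’s origin, which is why the comparison is on parsed components rather than on the raw string.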

Account lockout in authentication trees

AM 7 introduces improvements when handling account lockout when using authentication trees.

The Success and Failure nodes now increment or reset the invalid attempts count, and check the user status property, when reached.

For details, refer to About Account Lockout for Trees

As part of these changes, the Data Store Decision node does not check the user status property. Tree evaluation continues along the True path if the credentials are correct and the user is found, even if the user status is set to inactive.

You can use the Account Lockout node to check the user status property at any point in the authentication tree, as long as you have obtained a username first.

Default password of the "demo" evaluation user

The password for the demo user, that AM creates for evaluation purposes, changed in AM 7:

Old password: changeit

New password: Ch4ng31t

SSO token no longer returned on authentication endpoint with existing session

When a client appends a valid SSO token to a call to the json/authenticate endpoint, earlier versions of AM returned the SSO token again in the tokenId field of the JSON response, regardless of the flags configured for the session cookie. Echoing the token in the response body exposed it to JavaScript even when the HttpOnly flag was meant to keep the cookie out of reach of scripts.

AM 7 returns the tokenId field empty when HttpOnly cookies are enabled. For example:

{
    "tokenId":"",
    "successUrl":"/openam/console",
    "realm":"/alpha"
}

Remember that AM upgrades cookies to secure cookies (except the amlbcookie cookie) when requests arrive over a secure channel.

To check if HttpOnly session cookies are configured, refer to Configuring HttpOnly Session Cookies.

Change any custom login pages or applications that were expecting the old response.

AM configuration directory structure

The location of numerous files and directories inside the AM configuration directory has changed. Similar data types are now stored together.

This table describes the new directories located within the AM configuration directory, for example /path/to/openam:

Directory Description

/path/to/openam/config

Contains files used for configuring AM, for example, the boot.json file.

/path/to/openam/security

Contains directories for storing keys, keystores, and secrets.

/path/to/openam/var

Contains folders for transient, writeable data, such as audit and debug log files.

New installations of AM 7 will have the new configuration folder layout described above. Upgrading from a previous version will leave the structure the same as in the previous version.

Audit event allowlisting

AM 7 introduces an allowlist that controls the information that can be logged in audit events. The default allowlist only records values that do not contain sensitive information.

You can add values to the allowlist that are recorded in audit events. You can also override the allowlist by adding items you do not want in the output to a denylist. Anything added to the denylist is not recorded in audit events.

When upgrading from a previous version of AM, any denylisted values are copied into the denylist of the upgraded server, unless they are not in the default allowlist and would therefore not be recorded anyway.

For information about audit logging, refer to Implementing the Audit Logging Service.

Admin UI and user UI

In earlier versions of AM, all files related to the UI were located in /openam/XUI.

In AM 7, the UI files are divided as follows:

  • User UI, located at /openam/XUI. This contains any end user pages. For example, login screens, and user profiles.

  • Admin UI, located at /openam/ui-admin. This contains any pages related to the administration of an AM server. Note, administrative logins are delegated to the User UI.

Localizing user-facing UI text requires rebuilding the UI

In earlier versions of AM, you could copy user-facing localization files into your custom AM .war file. Downloading, localizing, and rebuilding the UI was not necessary.

AM 7 builds the localization text directly into the UI JavaScript files. Therefore, you must rebuild the UI to apply localization. Once rebuilt, redeploy the UI or pack it into your custom .war file.

For information about downloading and rebuilding the UI, refer to the UI Customization Guide.

UI templates and partial files moved

The location of the default UI templates and partials has moved to the /openam-ui-user/src/resources/themes/default/ directory.

When customizing the layout of the user interface, AM uses the partials and templates from the /themes/default directory if an equivalent file is not found in your customized theme.

As part of these changes, the following files have also moved:

Previous location → new location:

  • openam-ui/openam-ui-ria/src/resources/templates/admin/views/common/navigation/_TreeNavigationLeaf.html
    → openam-ui/openam-ui-user/src/resources/themes/default/partials/navigation/_TreeNavigationLeaf.html

  • openam-ui/openam-ui-ria/src/resources/templates/user/uma/views/resource/_DeleteLabelButton.html
    → openam-ui/openam-ui-user/src/resources/themes/default/partials/uma/_DeleteLabelButton.html

  • openam-ui/openam-ui-ria/src/resources/templates/user/uma/views/resource/_NestedList.html
    → openam-ui/openam-ui-user/src/resources/themes/default/partials/uma/_NestedList.html

  • openam-ui/openam-ui-ria/src/resources/templates/user/uma/views/resource/_UnshareAllResourcesButton.html
    → openam-ui/openam-ui-user/src/resources/themes/default/partials/uma/_UnshareAllResourcesButton.html

If you have customized any of these files, make sure that you move them to the new location when upgrading to AM 7.

For information on customizing the user interface, refer to UI Customization Guide.

Debug logging uses Logback

In earlier versions of AM, debug logging was configured by going to Debug.jsp.

AM 7 uses Logback for debug logging.

To configure debug logging in AM 7, either go to Logback.jsp to make temporary changes, or create a logback.xml configuration file in the AM classpath to make persistent changes.

For information on configuring Logback, refer to Debug Logging.

Because Logback can be configured to provide the same functionality, the following properties that could be added to the debugconfig.properties file are no longer used in AM 7:

  • org.forgerock.openam.debug.prefix

  • org.forgerock.openam.debug.suffix

  • org.forgerock.openam.debug.rotation

  • org.forgerock.openam.debug.rotation.maxsize

The Debug.jsp page has also been removed.

LDAPv3Repos LDAP servers stored in comma-separated ordered list

For multiple data stores behind a load balanced deployment, AM now stores servers in a comma-separated list, rather than an ordered list.

Consider, for example, a site configuration, ID 02, with two servers, IDs 01 and 03. In previous releases, AM would store the servers as an ordered list:

$ ./ldapsearch -p 51636 -D "cn=Directory Manager" -w cangetin \
 -b "ou=services,dc=openam,dc=forgerock,dc=org" "objectclass=*"  > backup.ldif
$ grep "sun-idrepo-ldapv3-config-ldap-server" backup.ldif
sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=xxx.example.com:1636\|01\|02
sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=zzz.example.com:1636\|01\|02
sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=xxx.example.com:1636\|03\|02
sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=localhost:51636
sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=zzz.example.com:1636\|03\|02

AM 7 stores this multi-server configuration as a comma-separated ordered list:

$ ./ldapsearch -p 51636 -D "cn=Directory Manager" -w cangetin \
 -b "ou=services,dc=openam,dc=forgerock,dc=org" "objectclass=*"  > backup.ldif
$ grep "sun-idrepo-ldapv3-config-ldap-server" backup.ldif
sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=[0]=xxx.example.com:1636\|01\|02,xxx.example.com:1636\|03\|02,localhost:51636,zzz.example.com:1636\|01\|02,zzz.example.com:1636\|03\|02
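
As an added upgrade check (not AM's code or output), the following Python parses both formats from constructed sample data modelled on the ldapsearch output above and reports any server that did not survive the migration; it also unfolds LDIF continuation lines, which real ldapsearch output uses for a value this long.

```python
"""Compare the pre-AM 7 multi-valued LDAP server attribute with the AM 7
comma-separated '[0]=' value and report servers lost, added or duplicated."""

KEY = "sunKeyValue: sun-idrepo-ldapv3-config-ldap-server="

# Pre-AM 7 format: one attribute value per server (constructed sample).
OLD_LDIF = r"""
sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=xxx.example.com:1636\|01\|02
sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=zzz.example.com:1636\|01\|02
sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=xxx.example.com:1636\|03\|02
sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=localhost:51636
sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=zzz.example.com:1636\|03\|02
"""

# AM 7 format: a single "[0]=" value (constructed sample). ldapsearch folds
# long lines with a leading space on each continuation line, as shown here.
NEW_LDIF = r"""
sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=[0]=xxx.example.com:1636\|01\|
 02,xxx.example.com:1636\|03\|02,localhost:51636,zzz.example.com:1636\|01\|02,zz
 z.example.com:1636\|03\|02
"""


def unfold_ldif(ldif: str) -> list:
    """Join LDIF continuation lines (leading space) back onto the previous line."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def parse_server_entry(entry: str) -> tuple:
    """'host:port\\|serverId\\|siteId' -> (host, port, server_id, site_id).
    The pipes are backslash-escaped in the LDIF output; a bare 'host:port'
    entry (no server or site affinity) yields empty IDs."""
    parts = entry.replace("\\|", "|").split("|")
    host, _, port = parts[0].rpartition(":")
    server_id = parts[1] if len(parts) > 1 else ""
    site_id = parts[2] if len(parts) > 2 else ""
    return (host, int(port), server_id, site_id)


def parse_old_format(ldif: str) -> list:
    """Each matching sunKeyValue line is one server."""
    return [parse_server_entry(line[len(KEY):])
            for line in unfold_ldif(ldif) if line.startswith(KEY)]


def parse_new_format(ldif: str) -> list:
    """The single sunKeyValue line holds '[0]=' followed by comma-separated servers."""
    for line in unfold_ldif(ldif):
        if line.startswith(KEY):
            value = line[len(KEY):]
            if not value.startswith("[0]="):
                raise ValueError("expected AM 7 ordered-list prefix '[0]='")
            return [parse_server_entry(e) for e in value[len("[0]="):].split(",")]
    return []


def check_migration(old_ldif: str, new_ldif: str) -> dict:
    """Report servers lost, added or duplicated by the upgrade; all empty/zero is a pass."""
    old, new_list = set(parse_old_format(old_ldif)), parse_new_format(new_ldif)
    new = set(new_list)
    return {"missing": sorted(old - new),
            "unexpected": sorted(new - old),
            "duplicates": len(new_list) - len(new)}


if __name__ == "__main__":
    print(check_migration(OLD_LDIF, NEW_LDIF))
```

Run it against backup.ldif files taken before and after the upgrade; a non-empty "missing" list means a server entry was dropped from the load-balanced set.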

request_uri values must be pre-registered

In earlier versions of AM, you could configure the OAuth 2.0/OpenID Connect provider to require clients to pre-register their request_uri values.

In AM 7, pre-registration of request_uri values is mandatory, and the option to disable it has been removed.

Advanced server property opensso.protocol.handler.pkgs replaced

In earlier versions of AM, you could configure the opensso.protocol.handler.pkgs property with a value of com.sun.identity.protocol.

AM 7 replaces this property with the org.forgerock.openam.http.ssl.connection.manager property. This property must point to a class that implements the org.forgerock.openam.http.SslConnectionManager interface, which controls keystore and truststore settings, and hostname verification.

The property name and value are corrected when upgrading from a previous version. However, if you have a value other than com.sun.identity.protocol, you must manually set the value of the new property and create a new implementation of the org.forgerock.openam.http.SslConnectionManager interface.

Labeling of supported and evolving APIs in Javadoc

AM 7 alters the way an API is marked as "supported" or "evolving". To determine whether something is supported or evolving, you might need to assess the object hierarchy to check if a parent is labelled. Previously, each item was marked individually.

alg parameter removed from keys returned by JWK URI endpoints

AM 7 removes the alg parameter from the keys returned by the JWK URI endpoints. As a result, each kid is now unique.

Encrypted ID tokens added to OpenID Connect end session endpoint

In earlier versions of AM, trying to end a session using an encrypted ID token resulted in failure because the request did not include enough information for AM to decrypt the token.

To support ending sessions when ID tokens are encrypted, AM 7 requires that the request to the end session endpoint includes the client ID for which AM issued the ID token.

This change diverges from the specification defined in the OpenID Connect Session Management 1.0-draft 5.

For details, refer to the /oauth2/connect/checkSession endpoint.

SAML v2.0 failover enabled by default

In earlier versions of AM, you had to manually enable SAML v2.0 failover, by going to Configure > Global Services > SAML v2.0 Service Configuration > Global Attributes, and then choosing the Enable SAML v2.0 failover option.

In AM 7, the Enable SAML v2.0 failover option is enabled by default and cannot be changed. The option no longer appears in the user interface.

For details, refer to Session State Considerations.

SAML v2.0 RelayState redirection restricted to same domain as AM

AM 7 alters the behavior of the Relay State URL List whitelisting property. If you do not specify any URLs in this property, AM will only redirect to URLs that match its deployment domain; for example, example.com.

To redirect using the RelayState parameter to a URL that does not match the instance of AM, you MUST add the URL to the Relay State URL List property.

For details, refer to the Relay State URL List property of the hosted identity provider or of the hosted service provider.
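
An added example, not part of the AM code base, of the redirect rule described above: a RelayState URL is followed only when its host lies inside AM's deployment domain or it matches an entry in the Relay State URL List. The sample domain example.com and the entry syntax (exact URL, or a prefix ending in *) are assumptions.

```python
from urllib.parse import urlsplit

DEPLOYMENT_DOMAIN = "example.com"  # constructed: the domain AM is deployed in


def host_in_domain(host: str, domain: str) -> bool:
    """Dot-boundary suffix match: 'sp.example.com' is inside 'example.com',
    'notexample.com' is not."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def relay_state_allowed(relay_state: str, deployment_domain: str,
                        relay_state_url_list) -> bool:
    """True if the SAML RelayState may be used as a redirect target."""
    # Backslashes and whitespace are parsed differently by browsers and URL
    # libraries; refuse them rather than risk a parser-differential bypass.
    if any(c in relay_state for c in "\\ \t\r\n"):
        return False
    try:
        parts = urlsplit(relay_state)
    except ValueError:  # for example, a malformed IPv6 literal
        return False
    # Only absolute http(s) URLs are redirect targets; this also rejects
    # relative paths and javascript: or data: URLs.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    # .hostname strips any 'user@' prefix, so 'https://example.com@evil.com/'
    # is judged by 'evil.com', not by the text before the '@'.
    if host_in_domain(parts.hostname, deployment_domain):
        return True
    # Assumed list syntax: an exact URL, or a prefix ending in '*'. Put the
    # '*' after a '/' so 'https://a.example.org*' cannot match
    # 'https://a.example.org.evil.com/'.
    for entry in relay_state_url_list:
        if entry.endswith("*"):
            if relay_state.startswith(entry[:-1]):
                return True
        elif relay_state == entry:
            return True
    return False
```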

Supported and evolving APIs may require recompilation

The method signatures or imports of some supported and evolving APIs may change between versions of AM. We recommend recompiling any custom implementations you have for each new version of AM.

For example, the following classes related to the Service Management Service (SMS) have changed. You might need to recompile custom implementations that use any of the following classes:

  • com.sun.identity.sm.ChoiceValues

    The class now extends a parent interface that adds no additional methods to implement.

  • org.forgerock.openam.secrets.Secrets

    The import for this evolving API class has changed.

ssoadm command requires a user DN

The value for the --adminid (-u) parameter when using the ssoadm command now requires the universal ID of an administrative user.

For example:

$ ./ssoadm list-servers --adminid uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org --password-file $HOME/.pwd.txt

For details, refer to Setting Up Administration Tools.

LDAP connection pool property name corrected

The com.sun.am.ldap.connection.idle.seconds property has been corrected. If you have any files or scripts that have the previous spelling (com.sun.am.ldap.connnection.idle.seconds with three `n`s) you should change them to the correct spelling.

For details about this property, refer to Tuning LDAP Connectivity.

Service configuration notifications processed sequentially by default

The com.sun.identity.sm.notification.threadpool.size property now defaults to 1. This causes notifications to be processed sequentially, avoiding any potential out-of-order conditions.

For details about this property, refer to Notification Settings.

Using the Device Profile authentication nodes requires an identity repository schema update

If you intend to use the ForgeRock SDKs with the new device profiling authentication nodes available in AM 7, you might need to update the schema in your identity repository.

Update the schema if any of the following are true:

  • You are upgrading AM from a previous version and use an external identity repository.

    Refer to Upgrading AM Instances.

  • You are installing a new AM instance and use an external identity repository.

    Refer to To Install and Configure DS for Identity Data.

Removed default value of the Json Web Key URI for OAuth 2.0/OpenID Connect clients

When creating a new OAuth 2.0 or OpenID Connect client, earlier versions of AM set the value of the Json Web Key URI field to the jwk_uri endpoint in AM. For example, https://openam.example.com:8443/openam/oauth2/realms/root/realms/alpha/connect/jwk_uri.

The value of the Json Web Key URI field in the client should not be AM’s jwk_uri endpoint, but an external URL that holds the client’s public JWK.

New clients created in AM 7 will have this field empty to avoid confusion. Existing clients will not be modified after upgrade.

CTS Reaper tuning properties

AM 7 changes the name and behavior of some advanced server properties used to tune the AM CTS reaper searches:

  • The default value of the org.forgerock.services.cts.reaper.search.pollFrequencyMilliseconds property has changed from 300000 to 5000 milliseconds (from 5 minutes to 5 seconds).

  • The org.forgerock.services.cts.reaper.search.pageSize property has been replaced with the org.forgerock.services.cts.reaper.search.tokenLimit property.

    In earlier versions of AM, if the number of expired tokens was larger than the value of the pageSize property, the CTS reaper made repeated requests, each for pageSize tokens, until all expired tokens were deleted.

    In environments with very large numbers of expired tokens, this could lead to long pruning cycles that degraded the performance of the CTS token store.

    In AM 7, the CTS reaper makes a single request for at most tokenLimit tokens, then sleeps for the value of the org.forgerock.services.cts.reaper.search.pollFrequencyMilliseconds property before searching again.

    Requesting the reaper to run more times and recover smaller numbers of tokens avoids the performance impact of the previous implementation.

    You should retune the CTS reaper after upgrading AM to account for these changes.

    For more information, refer to Reaper Search Size.
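
An added tuning model, not from the AM documentation, of the behaviour described above: with a fixed tokenLimit per poll cycle, the sustained deletion rate is tokenLimit per pollFrequencyMilliseconds, so a backlog of expired tokens grows whenever tokens expire faster than that. The expiry rates, page sizes and headroom factor are constructed values, and the model ignores the time each deletion request takes.

```python
import math


def tokens_per_cycle(expiry_rate_per_sec: float, poll_frequency_ms: int) -> float:
    """Tokens that expire during one pollFrequencyMilliseconds sleep."""
    return expiry_rate_per_sec * poll_frequency_ms / 1000


def required_token_limit(expiry_rate_per_sec: float, poll_frequency_ms: int,
                         headroom: float = 1.5) -> int:
    """Smallest tokenLimit that keeps up with the expiry rate, with headroom
    (constructed factor) so that bursts of expiries are absorbed."""
    return math.ceil(tokens_per_cycle(expiry_rate_per_sec, poll_frequency_ms) * headroom)


def simulate_reaper(expiry_rate_per_sec: float, token_limit: int,
                    poll_frequency_ms: int, duration_s: int) -> tuple:
    """AM 7 model: each cycle deletes at most token_limit expired tokens, then
    sleeps. Returns (final backlog, peak backlog) of expired-but-present
    tokens. Deletion time is ignored, so a real backlog is never smaller."""
    backlog = peak = 0.0
    per_cycle = tokens_per_cycle(expiry_rate_per_sec, poll_frequency_ms)
    for _ in range(int(duration_s * 1000 / poll_frequency_ms)):
        backlog += per_cycle
        backlog -= min(backlog, token_limit)
        peak = max(peak, backlog)
    return backlog, peak


def legacy_cycle_requests(expiry_rate_per_sec: float, page_size: int,
                          poll_frequency_ms: int = 300000) -> int:
    """Pre-AM 7 model: one cycle keeps issuing page_size requests back to back
    until the backlog accumulated during the (then default 5 minute) sleep is
    drained; this is the long pruning cycle the text warns about."""
    return math.ceil(tokens_per_cycle(expiry_rate_per_sec, poll_frequency_ms) / page_size)


if __name__ == "__main__":
    rate, poll = 50.0, 5000          # constructed: 50 tokens/s expiring, 5 s polling
    print("tokenLimit needed:", required_token_limit(rate, poll))
    print("backlog with tokenLimit=200 over 10 min:", simulate_reaper(rate, 200, poll, 600))
    print("backlog with tokenLimit=500 over 10 min:", simulate_reaper(rate, 500, poll, 600))
    print("legacy back-to-back requests per cycle (pageSize=1000):",
          legacy_cycle_requests(rate, 1000))
```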

JWT ID parameter (jti) required in OpenID Connect JWT client authentication

AM 7 requires that OpenID Connect clients authenticating with a JWT include a jti claim in the JWT. The jti claim must contain a unique identifier, in line with the OpenID Connect Core 1.0 specification.

If the claim is missing, AM returns an HTTP 400 invalid_request error with the message JWT ID is missing.

For related information, refer to Authenticating Clients Using JWT Profiles.
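
As an added illustration (not AM's implementation), the following Python builds a client_assertion JWT that carries a jti and verifies it the way the text describes: a missing claim yields invalid_request with JWT ID is missing, and a reused jti is rejected because the identifier must be unique. HS256 with a constructed shared secret, the client ID and the audience URL are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed values: the client, the token endpoint the JWT must be addressed
# to (aud), and a shared secret. HS256 stands in for the client_secret_jwt
# profile; private_key_jwt differs only in how the signature is made/checked.
CLIENT_ID = "myClient"
TOKEN_ENDPOINT = "https://openam.example.com:8443/openam/oauth2/realms/root/access_token"
CLIENT_SECRET = b"constructed-shared-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_assertion(client_id, audience, secret, include_jti=True,
                          lifetime=60, now=None) -> str:
    """Build the JWT a client sends as client_assertion; AM 7 requires jti."""
    now = int(time.time()) if now is None else now
    claims = {"iss": client_id, "sub": client_id, "aud": audience,
              "iat": now, "exp": now + lifetime}
    if include_jti:
        claims["jti"] = str(uuid.uuid4())  # fresh identifier per assertion
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class ClientAssertionVerifier:
    """Server-side checks: signature, audience, expiry, then the mandatory and
    unique jti. Seen identifiers are kept until their JWT would have expired."""

    def __init__(self, audience: str, secret: bytes):
        self.audience, self.secret = audience, secret
        self._seen = {}  # jti -> exp

    def verify(self, token: str, now=None) -> tuple:
        """Return (claims, None, None) on success or (None, error, description)."""
        now = int(time.time()) if now is None else now
        try:
            h, p, s = token.split(".")
            header = json.loads(_b64url_decode(h))
            claims = json.loads(_b64url_decode(p))
            signature = _b64url_decode(s)
        except ValueError:  # bad base64, bad JSON, wrong segment count
            return None, "invalid_request", "malformed JWT"
        if header.get("alg") != "HS256":  # never let the token pick the algorithm
            return None, "invalid_request", "unsupported alg"
        expected = hmac.new(self.secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None, "invalid_client", "signature check failed"
        if claims.get("aud") != self.audience:
            return None, "invalid_client", "wrong audience"
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            return None, "invalid_request", "JWT expired"
        jti = claims.get("jti")
        if not jti:
            return None, "invalid_request", "JWT ID is missing"
        self._seen = {k: v for k, v in self._seen.items() if v > now}
        if jti in self._seen:
            return None, "invalid_request", "JWT ID already used"
        self._seen[jti] = claims["exp"]
        return claims, None, None
```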

Changes to Audit Logging service

AM 6.5 introduced the AM-IDENTITY-CHANGE and AM-GROUP-CHANGE audit events to log user and group-related changes such as password changes, user creation and deletion, and others.

AM 7 does not log this information by default because doing so can have a performance impact.

To configure whether the Audit Logging service should log these events, AM 7 includes the org.forgerock.openam.audit.identity.activity.events.blacklist advanced server property, which also enables and disables the logging of AM-ACCESS-ATTEMPT events.

This property replaces the org.forgerock.openam.audit.access.attempt.enabled advanced server property, which has been removed.

For details, refer to Advanced Properties.

Changes to user self-service flows

AM 7 no longer reports that an account does not exist when recovering a username or password, or that an account already exists when registering a new one:

  • Recovery flows

    When KBA or email is enabled as a security method, the flow does not stop if the user provides an invalid username. Instead, AM does one of the following, depending on which security method is configured:

    • Presents the user with a random KBA question before failing.

    • Presents the user with a message similar to An email has been sent to the address you entered. Click the link in that email to proceed, but does not actually send an email.

    If both methods are configured, AM presents the user with the email message.

  • Registration flow

    When email is enabled as a security method, AM presents the user with a message similar to An email has been sent to the address you entered. Click the link in that email to proceed, and then sends an email with a registration link to the address that the user entered.

    Clicking on the link sends the user to the registration page again, and AM shows a message similar to One or more user account values are invalid.

WDSSO: Absolute path of keytab file must be specified

When configuring the Windows Desktop SSO (WDSSO) authentication module, the absolute path of the keytab file must be specified, instead of the URL.

Changes to the TreeContext class

AM 7 introduces the following changes to the TreeContext class:

  • New method added to preserve the secureState for internal nodes contained in a Page node: public TreeContext copyWithCallbacksAndState(JsonValue sharedState, JsonValue transientState, JsonValue secureState, List<? extends Callback> callbacks)

  • New method added to provide nodes with access to secureState: public TreeContext copyWithCallbacks(List<? extends Callback> callbacks)

  • Constructors updated with a new parameter, universalId, to let nodes resolve identities using the universal ID.

  • Constructors updated with a new parameter, identityResource, to move managed object resource collection from nodes to tree configuration. The default is managed/user.

  • New method to retrieve field from secure state: public JsonValue getSecureState(String stateKey)

  • New method to retrieve field from transient state: public JsonValue getTransientState(String stateKey)

  • New constructor added to let suspended trees work with the Inner Tree Evaluator node: public TreeContext(JsonValue sharedState, JsonValue transientState, JsonValue secureState, ExternalRequestContext request, List<? extends Callback> callbacks, boolean resumedFromSuspend)

  • New method: public boolean hasResumedFromSuspend()

Deprecated

The functionality listed here is deprecated, and likely to be removed in a future release.

Deprecated since AM 7.5

Secret label mappings

The following secret label mappings are deprecated in this release:

  • am.global.services.session.clientbased.encryption

  • am.global.services.session.clientbased.signing

Learn more about changes to secret label mappings in Support for storing secrets in secret stores.

Configuration replaced by secret labels

Feature Deprecated field

CAPTCHA Secret Key

Persistent Cookie Encryption Certificate Alias

Organization Authentication Signing Secret

Key Store Password

Key-Pair Alias

Private Key Password

Mail Server Authentication Password

Replay Password Key (com.sun.identity.agents.config.replaypasswd.key)

HMAC Signing Key

SNS Access Key Secret

Basic Authentication settings

Encryption Symmetric AES Key

Signing HMAC Shared Secret

Client Secret

Changes to org.forgerock.openam.auth.node.api.Action

The following org.forgerock.openam.auth.node.api.Action methods are deprecated in this release:

  • public ActionBuilder withUniversalId(String universalId)

  • public ActionBuilder withUniversalId(Optional<String> universalId)

Use the new public ActionBuilder withIdentifiedIdentity(String username, IdType identityType) and public ActionBuilder withIdentifiedIdentity(AMIdentity identity) methods instead.

The Optional<String> universalId field is also deprecated, and is replaced by Optional<IdentifiedIdentity> identifiedIdentity.

Legacy Social Provider node

The Legacy Social Provider Handler node has been marked as deprecated and will be removed in a future release. This node is replaced by a new Social Provider Handler node that resolves issues related to reentry cookies. The legacy node remains supported in existing journeys. If you’re creating new journeys, use the new Social Provider Handler node instead.

Deprecated since AM 7.4

No features or functionality were deprecated in this release.

Deprecated since AM 7.3

Changes to SAML v2.0 classes

The following classes are deprecated and will be removed in a future release:

Deprecated class → replacement:

  • com.sun.identity.saml2.plugins.FedletAdapter
    → org.forgerock.openam.saml2.plugins.FedletAdapter

  • com.sun.identity.saml2.plugins.SAML2IDPFinder
    → org.forgerock.openam.saml2.plugins.IDPFinder

  • com.sun.identity.saml2.plugins.SAML2IdentityProviderAdapter
    → org.forgerock.openam.saml2.plugins.IDPAdapter

  • com.sun.identity.saml2.plugins.SAML2ServiceProviderAdapter
    → org.forgerock.openam.saml2.plugins.SPAdapter

The following methods are deprecated and will be removed in a future release:

  • InitializePlugin.java: default void initialize(String, String)

    Use initialize(Map) instead.

  • IDPAuthnContextMapper.java: public IDPAuthnContextInfo getIDPAuthnContextInfo(AuthnRequest, String, String) throws SAML2Exception

    Use getIDPAuthnContextInfo(AuthnRequest, String, String, String) instead.

SNMP monitoring

Support for SNMP monitoring is deprecated in this release.

AM provides better options for monitoring servers, including support for Prometheus, Graphite, and JMX. For details, refer to Monitor AM instances.

Deprecated since AM 7.2

Legacy audit logging service

The legacy audit logging service is deprecated. Support for its use will be removed in a future AM release. Use the Common REST-based audit logging service instead.

org.forgerock.openidconnect.Claim class

The org.forgerock.openidconnect.Claim class has been deprecated. Support for its use will be removed in a future AM release. Its functionality is replaced by the org.forgerock.oauth.clients.oidc.Claim class, in the OpenAM commons library.

For more information about the new class, refer to Changes to the OIDC claim classes.

user_id field in the OAuth 2.0 introspection response

The user_id field, which is part of the JSON response returned by the /oauth2/introspect endpoint, is deprecated, and will be removed in a future release. It is replaced by the username field, in compliance with RFC 7662.

Legacy CAPTCHA node

The CAPTCHA node has been rewritten. The previous version of the node has been deprecated, and is now shown as Legacy CAPTCHA in the UI. For information on the new node, refer to CAPTCHA node.

org.forgerock.oauth2.core.ScopeValidator interface

The AM API now includes new interfaces, each with a single responsibility. When building plugins, use these interfaces from the org.forgerock.oauth2.core.plugins package instead:

For examples, refer to Customize OAuth 2.0 with plugins.

Command-line tools: ssoadm, ampassword, configurator.jar, and upgrade.jar

The ssoadm command and the configurator.jar, upgrade.jar, and ampassword tools remain deprecated. They will be removed in a future release of AM.

Access Token Enricher plugin for OAuth2 provider

The Access Token Enricher plugin interface is deprecated and will be removed in a future release of AM. The functionality of the access token enricher is superseded by the new AccessTokenModifier extension point.

JAXRPC endpoint URL

The JAXRPC endpoint URL, used by the remote IDM/SMS APIs, is deprecated and will be removed in a future AM release.

SAML2IdentityProviderAdapter method

The following method is deprecated and will be removed in a future AM release: preSendFailureResponse(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse,java.lang.String,java.lang.String)

If you have a custom implementation of the SAML2IdentityProviderAdapter interface, plan to replace the deprecated method with the new signature: preSendFailureResponse(java.lang.String,java.lang.String,javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse,java.lang.String,java.lang.String).

Deprecated since AM 7.1

Elasticsearch and Splunk audit handlers

The Elasticsearch and Splunk audit handlers are deprecated. AM 7.1 supports both file-based audit handlers and logging to standard output, which Elasticsearch and Splunk can consume instead.

For information, refer to Implement the audit logging service.

isAlive JSP page

Using the isAlive.jsp to determine if an instance is alive is deprecated.

AM 7.1 includes new endpoints to determine if an instance is alive, and ready to process requests.

For information, refer to Monitor AM instances.

Existing getIDPAuthnContextInfo signature

The existing signature for the getIDPAuthnContextInfo method of the IDPAuthnContextMapper interface is deprecated.

AM 7.1 includes a new signature for the getIDPAuthnContextInfo method, which includes an additional parameter for the entity ID of the service provider (SP).

The deprecated method still works in AM 7.1, but you should update any code that uses it to the new four-parameter signature. The deprecated three-parameter signature will be removed in a future release.

Social authentication nodes

The following authentication nodes have been deprecated in favor of the Social Provider Handler node:

As part of this change, the Social Authentication Implementations Service is also deprecated. For information about using the Social provider node, refer to social registration.

Direct access to the transient, secure, and shared state of authentication trees

Direct access to authentication trees' transient, secure, and shared states using the TreeContext class has been deprecated.

As part of this change:

  • Use of the sharedState and the transientState bindings for reading and updating state with the Scripted Decision Node API are deprecated.

    Use the nodeState binding instead.

  • Use of the getState method from the TreeContext class, used to read state in authentication nodes, is deprecated.

    Use the getStateFor method instead.

For more information, refer to Store values in a tree’s node states and Access shared state data.

Deprecated since AM 7.0

SOAP STS service

This service is deprecated and will be removed in a future release. Installing instances of this service in AM 7.0.1 is not supported. However, upgrading existing instances is.

Embedded DS instance in production

You can use the embedded DS instance for evaluation and demonstration purposes only.

The embedded DS server will be removed in a future release. If you are still using the embedded DS server, change to an external DS server instead.

Authentication chains and modules

Authentication chains and modules are deprecated. You should migrate your environments to Intelligent Access using authentication trees and nodes.

Unused authentication methods in hosted IDP authentication context mapping

Support for the following authentication methods in the authentication context table, when configuring a hosted identity provider, is deprecated:

  • User

  • Role

  • Resource URL

The other authentication methods are not deprecated, and can be used to achieve the same results as the deprecated options.

For information about configuring SAML v2.0 authentication context mappings, refer to authentication context.

Documentation updates

In addition to the changes described elsewhere in these notes, the published documentation for each AM version includes the following important changes.

AM 7.5

Date Description

2024-12-12

Release of AM 7.5.1. The following documentation issues were addressed as part of this release:

  • AME-29538: Update next-generation scripting documentation with exception handling scenarios

  • AME-28883: Add info from KB about different token types in the CTS

  • AME-28766: Documentation for new utility class script binding

  • AME-28682: Update options in DS command-line examples

  • AME-27982: Add customize account lockout message example from Knowledge Base

  • AME-27930: Documentation on preparing a truststore should use DS 7.x security model

  • AME-27726: Add more information for activity audit log events

  • AME-22545: com.sun.identity.sm.filebased_embedded_enabled must be set to false after migration

  • AMAGENTS-6487: Update info about web agent and session cookie name in line with changes to web agent docs

  • FRAAS-20042: Add content from How do I check what MFA devices are registered to a user in Identity Cloud and AM?

  • OPENAM-23277: Update Amster upgrade section to include 7.5

  • OPENAM-23188: Correct steps for accessing am-external in auth node developer guide

  • OPENAM-23078: Update steps for letting DS manage CTS tokens

  • OPENAM-23005: Add section on creating trees using REST

  • OPENAM-22972: Request to add a statement on async in doc

  • OPENAM-22931: Two callbacks are incorrectly named in the documentation

  • OPENAM-22871: Wrong default value for STS instance is running as remote instance

  • OPENAM-22741: Add missing step in "Configure amr claims" procedure

  • OPENAM-22641: Correct token terminology per feedback

  • OPENAM-22635: Rework pruning CTS tokens

  • OPENAM-22607: Link to DS docs for appropriate tuning info

  • OPENAM-22515: Document Logout Webhook key WebhookEventType

  • OPENAM-22356: Include a more useful link in Release Notes for custom auth node secrets enablement

  • OPENAM-22343: Document method return types for the script binding

  • OPENAM-22339: Provide example systemd script for AM

  • OPENAM-22327: Remove mention of Internet Explorer from AM documentation

  • OPENAM-22254: Update browser support table for WebAuthn

  • OPENAM-22157: Clarify version support in upgrade instructions

  • OPENAM-22099: Remove misleading information about unsupported custom callbacks

  • OPENAM-22045: Correct default log level

  • OPENAM-21935: Document the maximum JWT token lifetime accepted by AM

  • OPENAM-21907: Added a tip to the Setup guide for finding server and site IDs

  • OPENAM-21778: Error in documentation on modifying access tokens

  • OPENAM-20673: Clarify device reset with WebAuthn

  • OPENAM-20591: Prevent ClassNotFoundException when removing click-* jars

  • OPENAM-19899: Remove all instances of /UI/login

  • OPENAM-19575: OIDC guide feedback: Check algorithm statement for /oauth2/connect/jwk_uri

  • OPENAM-19533: Remove unnecessary images from installation steps

  • OPENAM-19395: Distinguish between general mail server and self-service mail service

  • SDKS-3173: The PingOne Worker service requires a configured OAuth 2.0 provider service

  • SDKS-2861: Add PingOne Protect nodes to the list of nodes

2024-04-02

Initial release of AM 7.5 software. The following documentation issues were addressed as part of this release:

  • OPENAM-22207: List HiddenValueCallback as interactive not read-only

  • OPENAM-22098: Additional information required in JWT validation example

  • OPENAM-22065: Fix Knowledge Base link in documentation

  • OPENAM-22061: The Get Session Data Node updates the objectAttributes

  • OPENAM-21964: Update and align documentation for secret default mappings

  • OPENAM-21914: Clarify deprecation and replacement of shared and transient state bindings

  • OPENAM-21900: The Identify Existing User Node updates the shared state username

  • OPENAM-21885: Clarify statement on realms in the API Explorer docs

  • OPENAM-21882: Document minimum OTP length for HOTP Generator node

  • OPENAM-21851: Clarify use of setting for the IdP

  • OPENAM-21801: Next generation scripting: Update nodeState.getObject

  • OPENAM-21798: Next generation scripting: Document "get" wrapper functions

  • OPENAM-21759: Clarify use of Java class allowlisting in next-generation scripting

  • OPENAM-21754: Add warning to library scripts about use of third party libraries

  • OPENAM-21723: Attribute Present Decision node: Add note about case-sensitivity

  • OPENAM-21711: Incorrect acr_values step in Backchannel request grant

  • OPENAM-21706: Policy evaluation will succeed for failed transactional authorization under certain conditions

  • OPENAM-21699: Fix example for authenticating to specific services

  • OPENAM-21696: Add a note to the Set Custom Cookie node docs around host vs domain cookies

  • OPENAM-21670: Setup guide: Check and update link to affinity load balancing

  • OPENAM-21667: Sessions guide: Set JWT token expiry if you update max session TTL

  • OPENAM-21622: Retry limit decision node: Wrong shared state property name

  • OPENAM-21620: Node development: Improve and correct Node class documentation

  • OPENAM-21603: Missing spaces in catalina opts example prevents tomcat starting

  • OPENAM-21504: List Prometheus output with better description

  • OPENAM-21418: Fix numbering in JWT profile sequence diagram

  • OPENAM-21413: Sample script in SAML docs does not work

  • OPENAM-21344: Update profile data scripting examples with try-catch blocks

  • OPENAM-20906: Artifact changes in AM 7.3 are not documented in Release Notes

  • OPENAM-20752: OAuth2 scripted policy condition variables needs updating

  • OPENAM-20522: State in docs that Sector Identifier URI is needed for Pairwise OAuth2Client profile

  • OPENAM-20349: Add detail to the Device Match node docs

  • OPENAM-19204: Customer cannot rely on Transient Node data for WebAuthN Authentication Node

  • OPENAM-18095: Update documentation with all available audit log fields

AM 7.4

Date Description

2024-08-28

Release of AM 7.4.1. The following documentation issues were addressed as part of this release:

  • AME-27930: Prepare truststore should use 7.x DS security model

  • AME-27531: Incorrect description for Scripting Engine configuration for Thread pool queue size

  • AME-25385: Document the HTTP client asynchronous feature

  • OPENAM-22635: Procedure for enabling the AM reaper is incorrect

  • OPENAM-22207: List HiddenValueCallback as interactive not read-only

  • OPENAM-22099: Remove misleading information about unsupported custom callbacks

  • OPENAM-22098: Additional information required in JWT validation example

  • OPENAM-22066: Document Social Provider Handler node nodeState updates

  • OPENAM-22065: Fix Knowledge Base link in documentation

  • OPENAM-21914: Clarify deprecation and replacement of shared and transient state bindings

  • OPENAM-21851: Clarify use of Single SignOn Service setting for the IdP

  • OPENAM-21801: Next generation scripting: Update nodeState.getObject

  • OPENAM-21798: Next generation scripting: Document "get" wrapper functions

  • OPENAM-21754: Add warning to library scripts about use of third party libraries

  • OPENAM-21699: Fix example for authenticating to specific services

  • OPENAM-21696: Add a note to the Set Custom Cookie node docs around host vs domain cookies

  • OPENAM-21667: Sessions guide: Set JWT token expiry if you update max session TTL

  • OPENAM-21666: Security guide: Byte and MB values of request body limit don’t match

  • OPENAM-21620: Node development: Improve and correct Node class documentation

  • OPENAM-21603: Missing spaces in catalina opts example prevents tomcat starting

  • OPENAM-21457: Clarify where the Failure node routes a user

  • OPENAM-21419: Security guide: Attach Java examples for custom secret stores

  • OPENAM-21413: Fix sample script in SAML docs

  • OPENAM-21344: Update profile data scripting examples with try-catch blocks

  • OPENAM-20752: OAuth 2.0 scripted policy condition variables need updating

  • OPENAM-20522: State that Sector Identifier URI is needed for Pairwise OAuth2Client profile

  • OPENAM-18598: Clarify account linking in Social Provider Handler Node documentation

  • OPENAM-18095: List all usable audit log attributes

2023-10-09

Initial release of AM 7.4 software.

  • Corrected name of SSOResponse binding in SAML SP adapter sample script.

  • Added links to Knowledge Base articles about restricting access to endpoints.

  • Updated social identity provider configuration reference with more information about transformation scripts and added realm to redirect URL example.

  • Provided more detail about audit log events.

  • Corrected error in WDSSO REST call in Authentication guide.

  • Note added about a SESSION_BLACKLIST token that exists for client-side authentication sessions.

  • Clarified documentation for the OIDC user info plugin that the /userinfo retrieves claims from the profile scope only.

  • Added explanation for audit filtering example in the Security guide.

  • Amended wording describing the Amster version used for upgrading exported configuration.

  • Updated instructions to download the UI source.

  • Documented changes to the OAuth 2.0 device authorization grant.

  • Updated format of scripting logger names.

  • Fixed error in Device Profile Collector node documentation.

  • Clarified information around tuning the CTS connection pool.

  • Added note to caution that a certificate must exist in the keystore before mapping secrets to that keystore.

  • Removed references to unsupported CoreWrapper API from the documentation.

  • Improved the information about the bindings available to OAuth 2.0 scripted extensions.

  • Added more information for the following authentication nodes:

  • Corrected information about storing device data in shared state for OATH Registration node.

  • Updated Node development documentation with a note that OTP Email Sender node supports plain text notifications only.

  • Added note to advise installers and upgraders to remove web.xml entry to prevent a click-servlet exception.

  • Documented the new org.forgerock.openam.ldap.secure.protocol.version advanced property for defining the protocols AM uses to connect to a secure LDAP server.

  • Added new REST STS configuration property, STS Instance is running as remote instance. For details, refer to REST STS configuration

  • Updated Authentication guide with links to WS-Federation implementation steps in Knowledge Base.

  • Clarified supported claims when requesting policy decisions.

  • Added a table to list the certificates used in SAML 2.0 flows with their corresponding secret mappings. For details, refer to Certificates and secrets.

  • Clarified the steps to remove an AM instance in the installation guide.

  • Added the default path for audit logs on Windows.

  • Added a note about adding URLs to the Valid WReply List to ensure a successful WS-Federation sign-on flow.

  • Added Inner Tree Node capabilities and restrictions.

  • Corrected an error in the deployment diagram. Refer to Example deployment topology.

  • Updated module information to refer readers to Knowledge Base articles about certificate authentication.

  • Fixed a documentation error relating to OAuth 2.0 email service configuration values.

  • Documented authentication session state management scheme differences and concerns. For details, refer to Server-side sessions and Client-side sessions.

  • Updated instructions for setting CATALINA_OPTS on Windows.

  • Documented the setting to configure the rotatable amadmin secret cache expiry time. Refer to org.forgerock.openam.secrets.special.user.secret.refresh.seconds.

  • Documented the new Enabled setting for external data stores.

AM 7.3

Date Description

2024-12-18

Release of AM 7.3.2. The following documentation issues were addressed as part of this release:

  • OPENAM-23188: Correct steps for accessing am-external in Node developer guide

  • OPENAM-23139: Fix links to Agent docs from AM

  • OPENAM-23065: Update Knowledge links to Salesforce location

  • OPENAM-22871: Wrong default value for STS instance is running as remote instance

  • OPENAM-22741: Add missing step in "Configure amr claims" procedure

  • OPENAM-22635: Procedure for enabling the AM reaper is incorrect

  • OPENAM-22515: Document Logout Webhook key WebhookEventType

  • OPENAM-22449: Add Combined MFA Registration node to 7.3.x documentation

  • OPENAM-22327: Remove mention of Internet Explorer from AM docs

  • OPENAM-22254: Update browser support table for WebAuthn

  • OPENAM-22078: Update OATH Device Storage node

  • OPENAM-22207: List HiddenValueCallback as interactive not read-only

  • OPENAM-22099: Remove misleading information about unsupported custom callbacks

  • OPENAM-22045: Correct default log level

  • OPENAM-21935: Document the maximum JWT token lifetime accepted by AM

  • OPENAM-21851: Clarify use of Single SignOn Service setting for the IdP

  • OPENAM-21650: Update base DN for AM configuration data

  • OPENAM-21051: Update logger names with new format

  • OPENAM-20987: Document OAuth 2.0 provider setting Allow Client Credentials in Token Endpoint Query Parameters

  • OPENAM-20673: Clarify device reset with WebAuthn

  • OPENAM-19899: Remove all instances of /UI/login

  • OPENAM-19575: Correct algorithm statement for /oauth2/connect/jwk_uri

  • OPENAM-19533: Remove unnecessary images from install steps

  • OPENAM-18598: Clarify account linking in Social Provider Handler node documentation

2024-02-26

Release of AM 7.3.1. The following documentation issues were addressed as part of this release:

  • AME-25154: Update the CATALINA_OPTS in setenv.bat for Windows

  • OPENAM-21851: Clarify use of Single SignOn Service setting for the IdP

  • OPENAM-21699: Fix example for authenticating to specific services

  • OPENAM-21620: Node development: Improve and correct Node class documentation

  • OPENAM-21580: Improve documentation on updating OAuth 2.0 clients

  • OPENAM-21579: Java keystores require ASCII passwords

  • OPENAM-21573: Amster upgrade documentation description contains an error

  • OPENAM-21383: Instructions to download the UI source code are out of date

  • OPENAM-21344: Update profile data scripting examples with try-catch blocks

  • OPENAM-21254: Complete note in Invalidate all sessions for a user section

  • OPENAM-21051: Update logger name and review debug logging page

  • OPENAM-21048: Error in Device Profile Collector node documentation

  • OPENAM-20925: Inaccurate documentation on CTS tuning

  • OPENAM-20911: Corewrapper object no longer accessible in authentication nodes

  • OPENAM-20909: Align multi-version release notes with content of previous versions

  • OPENAM-20906: Artifact changes in AM 7.3 aren’t documented in Release Notes

  • OPENAM-20903: Clarify audit filtering example

  • OPENAM-20870: Access token script API is incomplete

  • OPENAM-20835: Explain the SESSION_BLACKLIST token that exists for client-side authentication sessions

  • OPENAM-20666: Caution against duplicate OIDC ACR mappings

  • OPENAM-20591: Prevent ClassNotFoundException when removing click-* jars

  • OPENAM-20522: State that Sector Identifier URI is needed for Pairwise OAuth2Client profile

  • OPENAM-20311: Document AM property for LDAPS protocol

  • OPENAM-20038: Document which URLs for REST STS are made locally/remotely

  • OPENAM-19215: Missing documentation for WS Federation in Admin guide

  • OPENAM-19214: Authorization guide: Clarify supported claims in requesting policy decisions

  • OPENAM-19149: Clarify SAML certificates and secrets usage

  • OPENAM-18606: The documentation to remove an AM instance is misleading

  • OPENAM-18495: Provide details of each audit log event name in the AM documentation

  • OPENAM-18468: Maintenance guide: Update config store connection pool values

  • OPENAM-18099: Explanation of rawProfile information and mappings

  • OPENAM-18092: Provide better explanation on default Social Identity Provider configuration

  • OPENAM-18078: Review documentation on endpoints

  • OPENAM-17906: State default path for audit logs on windows

  • OPENAM-17580: Document configuration settings needed for AM 6.5.3+ for WS-Federation token issuer endpoints

  • OPENAM-17535: Authorization guide: Building the sample plugin is showing outdated info

  • OPENAM-16325: Inner Tree node capabilities and restrictions

  • OPENAM-16311: Rework transactional authorization over REST

  • OPENAM-16191: Deployment images lost accuracy between release 13.5 and 6

  • OPENAM-15083: Certificate Auth module needs detailed documentation

2023-04-04

Initial release of AM 7.3 software.

  • Removed instructions on using deprecated chains and modules to set up push authentication. Use authentication trees instead, as described in Push authentication journeys.

  • Updated the format of these release notes to list cumulative changes, instead of reflecting only the changes for the current release.

  • Clarified that AM collapses each sequence of whitespace characters to a single space when creating SAML v2.0 values such as entity IDs.

  • Removed use of deprecated with method from Scripted decision node API callbacks.

  • Documented new Use mixed case for password change messages property for the LDAP Decision node.

  • Added missing HTTP connector settings to WildFly setup instructions.

  • Updated information about --acceptLicense parameter in the Set up administration tools steps.

  • Removed access token from header in call to /oauth2/connect/endSession.

  • Documented how to mark configuration properties as passwords in the Node development guide.

  • Improved documentation for dynamic client registration.

  • Improved description of the Transformation Script field for the Social Provider Handler node.

  • Documented how to use the amupgrade tool to upgrade configuration.

  • Improved navigation of the authentication nodes configuration reference.

  • Clarified that the ForgeRock Authenticator app supports JPEG and PNG image formats.

  • Clarified location of setenv script in the Evaluation guide.

  • Updated installation and deployment graphics to show less complex DS installations.

  • Described the role of the Latest Access Time Update Frequency property in session management.

AM 7.2

Date Description

2023-06-26

Release of AM 7.2.2. The following documentation issues were addressed as part of this release:

  • OPENAM-22207: List HiddenValueCallback as interactive not read-only

  • OPENAM-22099: Remove misleading information about unsupported custom callbacks

  • OPENAM-22065: Fix Knowledge Base link in documentation

  • OPENAM-21851: Clarify use of Single SignOn Service setting for the IdP

  • OPENAM-21815: Clarify how transient state is removed after next callback

  • OPENAM-21383: Instructions to download the UI source code are out of date

  • OPENAM-21071: Add more information for LDAP availability (KeepAlive) changes

  • OPENAM-21048: Error in Device Profile Collector node documentation

  • OPENAM-20929: Switch to multi-version release notes

  • OPENAM-20835: Explain the SESSION_BLACKLIST token that exists for client-side authentication sessions

  • OPENAM-20591: Prevent ClassNotFoundException when removing click-* jars

  • OPENAM-20522: State that Sector Identifier URI is needed for Pairwise OAuth2Client profile

  • OPENAM-20311: Document AM property for LDAPS protocol

  • OPENAM-19215: Missing documentation for WS Federation in Admin guide

  • OPENAM-19214: Authorization Guide: Clarify supported claims in Requesting Policy Decisions

  • OPENAM-19149: Clarify SAML certificates and secrets usage

  • OPENAM-18606: The documentation to remove an AM instance is misleading

  • OPENAM-18468: Maintenance guide: Update config store connection pool values

  • OPENAM-18099: Explanation of rawProfile information and mappings

  • OPENAM-17580: Document configuration settings needed for AM 6.5.3+ for WS-Federation token issuer endpoints

  • OPENAM-17535: Authorization guide: Building the sample plugin is showing outdated info

  • OPENAM-16325: Inner Tree node capabilities and restrictions

  • OPENAM-15083: Certificate Auth module needs detailed documentation

2023-04-04

Release of AM 7.2.1. In addition to these release notes, the following changes were made to the documentation:

2022-09-30

  • Updated the Choice Collector node documentation to clarify that the default choice is the first in the list if no default choice is specified.

  • Recommended the removal of the velocity-1.7.jar library after install or upgrade.

  • Added a step to the instructions on building custom nodes.

  • Added Logback.jsp logger names to the Debug logging documentation.

2022-06-30

Initial release of AM 7.2.

AM 7.1

Date Description

2023-07-11

Release of AM 7.1.4.

  • Cautioned that host-based cookies should be used for security reasons (Securing the Session Cookie)

  • Changed the default expiry time of server-side agent sessions (com.iplanet.am.session.agentSessionIdleTime)

  • Updated docs to indicate that the failureUrl is not included in REST responses if it is empty

  • Clarified SAML certificates and secrets usage

  • Clarified supported claims when requesting policy decisions over REST

  • Fixed an error in the Device Profile Collector node docs

  • Documented settings for WS-Federation token issuer endpoints (Federation Authentication Module)

  • Added Inner Tree Node capabilities and restrictions

  • Documented AM property for LDAPS protocol (org.forgerock.openam.ldap.secure.protocol.version)

  • Advised that changes to Authentication Naming Attribute after setup require existing identities to be updated

  • Enhanced the documentation of the Provision Dynamic Account node

  • Advised administrators to increase DS search limits for large numbers of SAML entities (SAML Deployment Considerations)

  • Documented evalThreadSize setting as tuning parameter for policy evaluation

  • Clarified that SAML assertion must be signed when using HTTP-POST

  • Clarified use of auditEntryDetail for scripted decision node

  • Added missing HTTP connector setting to JBoss setup instructions

  • Updated instructions on validating a goto URL

  • Enhanced the documentation on the LDAP availability / KeepAlive changes, new in 7.1.3

  • Removed incorrect wording about namespaces in the node development docs

  • Noted that the JavaScript Origins property of an OAuth2 client does not support non-standard headers

  • Noted that creating a SAML2 entity with a double space in its name results in a SAML2 entity with a single space

  • Updated Changes in AM 7.1.x with changes to the TreeContext class

  • Updated the upgrade instructions with information on custom server default properties

2022-10-13

Release of AM 7.1.3.

  • Updated Changes in AM 7.1.x with changes to the TreeContext class.

  • Added the org.forgerock.openam.introspect.token.query.param.allowed advanced server property.

  • Added the org.forgerock.openam.ldap.dncache.expire.time advanced server property, which sets the DN cache timeout.

  • Updated the OATH Registration node and Push Registration node documentation for the customizable QR code message.

  • Updated the Remote consent documentation to describe the new JWKs URI.

  • Clarified the limitation on using ID tokens as access tokens. For details, refer to Additional Use Cases for ID Tokens.

  • Improved the logback documentation.

  • Updated the documentation on scripted policy conditions.

  • Documented the crypto settings in the IDM Provisioning service.

  • Added information on specifying remote entity encryption methods.

  • Added subject and body to the OTP Email Sender Node and OTP SMS Sender Node.

2022-05-03

  • Added guidance on naming custom nodes.

  • Corrected an error in the ForceAuth documentation for authentication trees.

  • Corrected an error in the OIDC hybrid flow documentation.

  • Described how to customize account lockout messages.

  • Updated the documentation on custom post-authentication plugin hooks.

  • Updated the documentation on the OAuth2 Device flow.

  • Added information on overriding and customizing OIDC claims scripts.

  • Clarified change to CORS filter configuration from AM 7 onwards.

  • Documented the nonProxyHosts advanced server property for HTTP client connections.

2022-03-15

Release of AM 7.1.2.

  • Added guidance on protecting user profile attributes.

  • Updated Multi-Factor Authentication Nodes with details of the OATH nodes that replicate the existing OATH module functionality:

    • OATH Registration Node

    • OATH Token Verifier Node

For information on how to create and test an authentication tree using the OATH nodes, refer to One-Time Password Authentication Using Trees.

2021-12-06

Release of AM 7.1.1.

  • Updated the examples in the Accessing Shared State Data section.

  • Added documentation in Supported Callbacks about the following callbacks:

    • BooleanAttributeInputCallback

    • ConsentMappingCallback

    • KbaCreateCallback

    • NumberAttributeInputCallback

    • StringAttributeInputCallback

    • TermsAndConditionsCallback

    • ValidatedCreatePasswordCallback

    • ValidatedCreateUsernameCallback

  • Updated the Preparing for Development section to specify that you must include a nodeDescription property in nodes to ensure that they appear in the authentication tree designer.

  • Improved the procedure on mapping files in file system secret volumes to add more detail about how to encrypt and create filesystem-based secrets.

  • Updated the Directory Server Requirements to indicate that DS 5 or later is required as the external directory server for AM 7.1 and later.

2021-11-15

Added a change in behavior to the logging on session timeout.

2021-05-12

Release of AM 7.1.

AM 7.0

Date Description

2022-xx-xx

Release of AM 7.0.3.

2021-05-27

Release of AM 7.0.2.

  • Indicated that scripts should be upgraded as part of the upgrade process.

  • Improved the documentation about the request parameter of the /oauth2/authorize endpoint.

  • Noted support for Internet Explorer 11 ends August 17, 2021, in alignment with the announcement from Microsoft ending support for Internet Explorer 11.

  • Updated Session Upgrade documentation to clarify that the ForceAuth parameter used with an authentication tree causes AM to issue a new session token, regardless of the security requirements.

2021-01-07

  • Updated the Supported Upgrade Paths section to remove the upgrade from OpenAM 13.X and add upgrade path from AM 7.x.

  • Added a new section, Managing the Secure Cookie Filter.

  • Removed information about Oracle Weblogic from the installation guide as it is not supported in this version.

  • Added a new section, OAuth 2.0 Scopes Policy Script API Functionality.

  • Updated the Scripting Environment documentation to show how to obtain the Groovy and JavaScript engine version that AM is using.

  • As part of hardening the security around the SAML v2.0 implementation that occurred in AM 7, the URLs specified in the Assertion Consumer Service must exactly match the SP’s scheme, FQDN, and port.

  • Added a new section, Setting Session Properties.
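The Assertion Consumer Service hardening noted above is an exact comparison of scheme, FQDN, and port. As an added example that is not AM's own code, the following Python check reproduces that rule for a hypothetical SP: a requested ACS URL is accepted only if its origin (scheme, host, explicit port) is identical to a registered one, with no folding of a missing port onto the scheme default. The registered URLs and the host names are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample data: ACS URLs registered for a hypothetical hosted SP.
# The two entries are deliberately distinct: the exact-match rule treats an
# explicit ":443" and an absent port as different origins.
REGISTERED_ACS_URLS = [
    "https://sp.example.com:443/saml2/acs",
    "https://sp.example.com/saml2/acs",
]


def origin_of(url: str):
    """Return (scheme, host, port) for url, or None if it cannot be parsed.

    Scheme and host are case-folded because both are case-insensitive by
    specification; the port is taken exactly as written (None when absent),
    which is what makes the comparison strict rather than normalising.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    host = parts.hostname
    if not parts.scheme or not host:
        return None
    return (parts.scheme.lower(), host.lower(), port)


def acs_url_matches(requested: str, registered=REGISTERED_ACS_URLS) -> bool:
    """True only if the requested URL's origin exactly equals a registered one.

    This demonstrates the scheme/FQDN/port rule only; a real deployment would
    additionally compare the path and binding of the registered endpoint.
    """
    wanted = origin_of(requested)
    if wanted is None:
        return False
    return any(origin_of(r) == wanted for r in registered)


if __name__ == "__main__":
    for candidate in (
        "https://sp.example.com/saml2/acs",          # accepted
        "http://sp.example.com/saml2/acs",           # wrong scheme
        "https://sp.example.com:8443/saml2/acs",     # wrong port
        "https://sp.example.com.evil.net/saml2/acs", # different FQDN
        "https://evil.net/?next=sp.example.com",     # host in query, not authority
    ):
        print(f"{candidate!s:48} -> {acs_url_matches(candidate)}")
```

The same strictness applies on the verifying side: a suffix match on the host, or treating `:443` and no port as equivalent, would both reopen the assertion-redirection problem the exact-match rule closes.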

2020-11-04

Release of AM 7.0.1.

  • Added documentation on Adding Audit Information.

  • Improved the documentation on Tuning Authentication Node/Module LDAP Connections.

  • Added information on determining if an existing session is present before using the Get Session Data Node.

  • Added information on configuring the public key or HMAC secret in Authenticating Clients Using JWT Profiles.

  • Added information on using the ssoadm command with secure connections in Setting Up Administration Tools.

  • Updated Web or Java Agents SSO and SLO with Java Agent 5.7 and Web Agent 5.7 properties.

  • Updated JVM tuning properties.

  • Documented commands to export policy and application store LDIF files.

  • Clarified documentation on OAuth 2.0 JWK URI cache settings in To Create and Configure a Client Profile.

  • Clarified documentation on SAML v2.0 hosted SP attribute map in Hosted Service Provider Configuration Properties.

  • Corrected the Device Tampering Verification documentation to indicate that the device determines the score, rather than the node or the ForgeRock SDKs.

  • Updated how to create an HTTPS connector for Tomcat in Configuring AM’s Container for HTTPS.

  • Corrected the account mapper classes in Example: Protecting a Web Site With OAuth 2.0.

  • Added documentation about HTTP options when configuring a JVM proxy in front of AM in Preparing the Environment.

  • Updated the Linking Identities Automatically with Auto-Federation section to use the new UI.

  • Corrected the user required to perform policy evaluation with REST in To Evaluate a Policy.

  • Corrected the procedure on SAML v2.0 chains, in Linking Identities by Using Authentication Trees or Chains.

2020-08-30

Initial release of AM 7.

Known issues

The following important issues remained open at the time of the latest release for each version:

AM 7.5.1

  • OPENAM-23045: Performance degradation and WS-Federation issues with Java 17

  • OPENAM-23022: Transaction condition for policy evaluation fails with JWT subject

  • OPENAM-22927: WebAuthn Registration node should be able to use user.name as display attribute

  • OPENAM-22616: Upgrade from AM 6.5.5 to 7.5 using external CTS fails with error "Message:Service does not exist: GoogleSecretManagerSecretStoreProvider"

  • OPENAM-22406: Product ZIP file contains files prefixed with openam

  • OPENAM-19453: CTS authentication sessions may cause tree to fail if AM server is not configured for sticky load balancing

  • OPENAM-14790: OAuth 2.0 scope policy set fails with LDAP filter environment condition

AM 7.5

  • OPENAM-22151: Expiration of cache held in StatelessJWTCache could cause Internal Server Error

  • OPENAM-22067: Stateless Session denylist caching and bloomfilter layers removed on config change

  • OPENAM-22031: LDAP Decision node change of behavior when user is locked from password change screen

  • OPENAM-21820: Set policy result TTL to 0 when using Environment Policy Active Session

  • OPENAM-21819: Default value for LinkedIn configuration uses out-of-date scopes

  • OPENAM-21683: AM lets you create anonymous user when it already exists

  • OPENAM-15948: Update DS profiles to add VLV indexes for CTS use

AM 7.4.1

  • OPENAM-22846: External application/policy store active/passive load balancing isn’t working

  • OPENAM-22795: SAML2 encryption method can’t be changed using IDP remote SP host settings

  • OPENAM-22674: Unable to create encrypted PEM that works for Secrets ENCRYPTED_PEM

  • OPENAM-22656: Setting JWKs URI content cache timeout to a small value throws an error

  • OPENAM-22608: Non-extractable secrets in HSM fail to work on AM for SAML v2.0 XML signing

  • OPENAM-22479: LDAPv3 Userstore Connection doesn’t reconnect without Heartbeat enabled

  • OPENAM-22151: Expiration of cache held in StatelessJWTCache could cause Internal Server Error

  • OPENAM-22102: Adjusting evalThreadSize has no effect

  • OPENAM-22009: Providing an invalid alias to a secret store mapping breaks AM

  • OPENAM-21959: Unable to create next-generation script in XUI if default script language is Groovy

  • OPENAM-21893: Configurator not releasing resources on failure

  • OPENAM-21823: Page node with Scripted Decision node doesn’t persist withErrorMessage value

  • OPENAM-21741: SSOADM fails to install or run due to mtlsAlias field in boot.json

  • OPENAM-21636: AM is unable to run in FIPS compliance mode due to RAW keys

  • OPENAM-19810: "No installed provider supports this key: sun.security.pkcs11.P11Key$P11PrivateKey" or cannot work with unextractable key when using HSM

  • OPENAM-16797: Allow Custom OATH/Push/WebauthN device integrations to be managed by standard AM interface

  • OPENAM-15834: Access token call fails when an unsupported claim is requested

  • OPENAM-12197: Custom methods postSingleSignOnSuccess and postSingleSignOnFailure aren’t called by SAML Authentication module or node

  • OPENAM-4201: XUI returning messages based on localized responses from REST authentication interface

AM 7.4

  • OPENAM-21609: OAuth2Provider service created immediately after install/restart isn’t available in code flow

  • OPENAM-21569: Rapid policy evaluation using token of deleted user leads to HTTP 500 error

  • OPENAM-21545: Unable to create a circle of trust in file-based configuration with external data store

  • OPENAM-21497: Editing the mappings for an existing secret store throws an exception

  • OPENAM-21441: Policy evaluation with LDAPFilter condition uses config store user instead of identity store user

  • OPENAM-21379: Unable to read SMS config when request is too quick after changing configuration

  • OPENAM-21363: Unable to modify an external data store configuration when set as a global default data store but not referenced in a realm

  • OPENAM-21311: XUI performs logout of newly created session when resuming authentication with no further callbacks

  • OPENAM-21294: Remove openam-core from Soap STS server

  • OPENAM-21284: AM returns a 500 Internal Server Error response when providing an invalid client_id to the deleteUserPasswords agent action

  • OPENAM-21178: Social authentication "Secret" field not mandatory

  • OPENAM-20927: User info is still cached after removing privilege from group

  • OPENAM-15948: Update DS profiles to add VLV indexes for CTS use

AM 7.3.2

  • OPENAM-23345: Performance issues when accessing SAML entity provider via the admin console with 5k entities

  • OPENAM-23022: Transaction condition for policy evaluation fails with JWT subject

  • OPENAM-22988: Failover doesn’t occur when heartbeat interval is set to 0

  • OPENAM-22927: WebAuthnRegister should be able to use user.name as display attribute

  • OPENAM-22846: External app/policy store active/passive LB isn’t working

  • OPENAM-22674: Unable to create encrypted PEM that works for ENCRYPTED_PEM secret

  • OPENAM-22608: Non-extractable secrets in HSM fails to work on AM for SAML2 XML signing

  • OPENAM-22479: LDAPv3 Userstore connection doesn’t reconnect without Heartbeat enabled

  • OPENAM-22188: Heavy load leads to BLOCKED threads traced to the SecurityManager

  • OPENAM-22156: logoutByUser throws UnsupportedOperationException

  • OPENAM-22151: Expiration of cache held in StatelessJWTCache could cause Internal Server Error

  • OPENAM-21636: AM is unable to run in FIPS compliance mode due to RAW keys

  • OPENAM-21100: SAML2 IDP Single logout SLO using HTTP redirect needs request stickiness and HA

  • OPENAM-20927: User info is still cached after removing privilege from group

  • OPENAM-20754: SAML pages saml2-write.js and saml2-read.js can cause an error

  • OPENAM-20234: Setting LDAP Connection Heartbeat Interval to be zero breaks persistent search

  • OPENAM-20143: False alarms in debug logs when adding pointers in Field whitelist filters

  • OPENAM-19810: Error: "No installed provider supports this key: sun.security.pkcs11.P11Key$P11PrivateKey"

  • OPENAM-19453: Using CTS Authentication Session may fail authentication journey if AM is not LB sticky

  • OPENAM-18307: Global services don’t reflect changes made by ssoadm

  • OPENAM-18293: AuthContext.login doesn’t work with trees when performing service-based authentication

  • OPENAM-18111: Second login attempt using InnerTreeEvaluatorNode gets previous transient state

  • OPENAM-17679: User text not showing up for IDM Provisioning Service

  • OPENAM-17340: Lack of integration for logger with logback configuration

  • OPENAM-12197: postSingleSignOnSuccess and postSingleSignOnFailure not called when using SAML2 authentication module or node

  • OPENAM-4201: XUI returns messages based on localized responses from REST authentication interface

AM 7.3.1

  • OPENAM-21972: SAML Artifact Binding is failing in load-balanced deployments such as Kubernetes (K8S)

  • OPENAM-21820: Set policy result TTL to 0 when using Environment Policy Active Session

  • OPENAM-21802: Email Service value Transport type is overwritten in the static config export

  • OPENAM-21773: The Secondary Configurations tab is missing from the Global Email service

  • OPENAM-21772: No OAuth 2.0 clients displayed in the UI when AM has more than 1000 clients

  • OPENAM-21743: WebAuthN Node with AM XUI: Error is rendered along with Recovery code button

  • OPENAM-21734: WebAuthn Registration Node: UserNotVerifiedException not caught leading to Node failure

  • OPENAM-21683: AM lets you create anonymous user when it already exists

  • OPENAM-21682: OAuth 2.0: AM doesn’t redirect back to the client if consent is denied and no redirect_uri is present in the query parameters

  • OPENAM-21535: Logout from AM's GUI only targets the root realm instead of the respective sub realm

  • OPENAM-21466: AM using social OIDC authentication fails to verify idtoken if the remote JWK_URIs have duplicate kid

  • OPENAM-21441: Policy evaluation with LDAPFilter condition uses config store user instead of identity store user

  • OPENAM-21407: External data store config min connection pool can be set higher than the max connection pool and the config can still be persisted

  • OPENAM-21406: Realm services are no longer accessible after deleting the “External Data Stores” service

  • OPENAM-21379: Unable to read SMS config when request is too quick after changing configuration

  • OPENAM-21363: Unable to modify an external data store config when it is set as a global default datastore but not referenced in any realm

  • OPENAM-21354: OAuth2 provider: Insufficient debug logging for SAML bearer authorization grant

  • OPENAM-21327: Unable to specify property name with a '-' when configuring policy environment conditions

  • OPENAM-21322: AM Console allows Entity Provider to be created with space at end of the name

  • OPENAM-21319: Policy and Application Store Cache is not updated in multiple server deployment when changes are made

  • OPENAM-21309: DefaultDataStoreConfigurationManager shouldn’t establish DS connection in FBC mode

  • OPENAM-21305: Dynamic Client Registration does not permit setting Client ID Token Public Encryption key

  • OPENAM-21294: Remove openam-core from Soap-STS server

  • OPENAM-21273: TOTP Registration information no longer contains Issuer in the otpauth’s PATH

  • OPENAM-21270: OAuth2 resource owner password credential grant (ROPC) token response does not tell reason for failure

  • OPENAM-21204: Scripted node - idRepository.setAttribute does not execute catch block when setting userPassword attribute fails

  • OPENAM-21193: AM-Config-upgrader amupgrade cannot work on Windows

  • OPENAM-21191: In AM 7.3, web agent sessions have a lifetime of 42 years

  • OPENAM-21187: AM agent UI fails when an agent configuration present in FBC and an external store is used

  • OPENAM-21127: Config Upgrader Exception CreateSecretStores at 6.5.x-to-7.x.x on Windows 2019

  • OPENAM-21114: Trusted JWT Issuer doesn't provide a correct error and lacks information on defined behaviour

  • OPENAM-21085: Undefined bindings in Groovy scripts are evaluated as defined

  • OPENAM-21076: KerberosNode and Windows SSO module use System.setProperty to set the Kerberos realm

  • OPENAM-21055: Unable to get AMIdentityRepository in custom code in 7.3

  • OPENAM-21053: UserId is missing from access.audit.json for JWT client authentication flow using org.forgerock.security.oauth2.enforce.sub.claim.uniqueness=false

  • OPENAM-21046: Insufficient logging in Create and Patch Object nodes

  • OPENAM-21003: IE11 not working during SAML tree authentication due to use of arrow functions

  • OPENAM-20976: Consent Collector node "Next" button text localization not working

  • OPENAM-20975: OATH Registration node "Next" button text localization not working

  • OPENAM-20937: Migration from OATH module to Auth Tree using OATH Token Verifier causes OathVerificationException: null

  • OPENAM-20920: NPE in SPSSOFederate#getSingleSignOnServiceEndpoint when binding is null and SSO endpoint list contains non-SAML2 entries

  • OPENAM-20899: ConfigurationAttributes class is exposed but there is no class file or Javadoc available for it

  • OPENAM-20896: Supported AMIdentity API getMembership and others changed

  • OPENAM-20809: IE11 doesn’t work with AM 7.2.1-RC1 and AM 7.3.0

  • OPENAM-20766: Insufficient debug logging to troubleshoot WS-Federation issuing party issue

  • OPENAM-20314: Social Provider Handler Node / Social Identity Provider Service - the search for existing link is hard coded to Sub claim (regression)

  • OPENAM-18111: Next attempt in InnerTreeEvaluatorNode will get previous transient state

  • OPENAM-17679: User text not showing up for IDM Provisioning Service

  • OPENAM-17340: AM 7 lacks integration of the logger with the Logback configuration

  • OPENAM-15948: Update DS profiles to add VLV indexes for CTS use

  • OPENAM-15410: Enable modifying Access Token audience claim in OIDC

AM 7.3

  • OPENAM-20751: Authentication errors with AM on Windows and connection errors in session log

  • OPENAM-20703: Tree secure state retained unnecessarily long

  • OPENAM-20647: Incorrect exception thrown when trying to access the static method of a non-allowlisted class

  • OPENAM-20572: End user password reset email field is not validated

  • OPENAM-20557: OATH recovery codes are not displayed if Registration node is followed by OATH Token Verifier node

  • OPENAM-20556: OATH recovery codes are not displayed if Store device data in shared state is selected in OATH Registration node

  • OPENAM-20543: Display page node header, description, and footer, in correct default language

  • OPENAM-20520: HttpClient sent request is not returning the correct response object

  • OPENAM-20517: Acceptable variance configuration not working for Device Match node

  • OPENAM-20516: Create tree command fails when using POST with _action=create

  • OPENAM-20515: Delete fails for Authentication node, when its _id is not a UUID

  • OPENAM-20513: Random login failure when using registration tree

  • OPENAM-20496: Null refresh_token for OAuth 2.0 token exchange delegation case

  • OPENAM-20324: Default install of AM does not have the updated identity classes in the policy script whitelist

  • OPENAM-20299: com.iplanet.am.session.agentSessionIdleTime is not honored using Agent authentication tree

  • OPENAM-20188: Using session cookie created before AM is restarted

  • OPENAM-20077: Access token modification script does not have access to client for client_credential grant flow if realm configured to ignore profile

  • OPENAM-19988: Using an id_token generated by AM in a policy condition does not work

  • OPENAM-19878: ArrayIndexOutOfBoundsException in SAML2

  • OPENAM-19829: Build fails on module openam-encryption-support when using JDK 18

AM 7.2.2

  • OPENAM-21441: Policy evaluation with LDAPFilter condition is done with config store user instead of identity store user

  • OPENAM-21683: AM lets you create anonymous user when it already exists

  • OPENAM-21682: OAuth 2.0: AM doesn’t redirect back to the client if consent is denied and no redirect_uri is present in the query parameters

  • OPENAM-21074: Amazon SNS client code doesn’t support external proxy authentication

  • OPENAM-20927: User info is still cached after removing privilege from group

  • OPENAM-20754: SAML pages saml2-write.js and saml2-read.js can cause an error due to JavaScript

  • OPENAM-20442: Trim whitespace at the end of email input before validation in Attribute Collector node

AM 7.2.1

  • OPENAM-20546: Ensure AM handles an empty value for the authorization JWT response signing algorithm

  • OPENAM-20479: OIDC authentication request fails if request is sent as unsecured JWS

  • OPENAM-20457: DeviceLocationMatchNode fails when location service is disabled in browser and is unable to collect location information

  • OPENAM-20396: Authentication tree is selected by the order of the acr-to-tree mapping rather than the default values, and order is not preserved

  • OPENAM-20104: The fragment response_mode for the /oauth2/authorize endpoint is not working

AM 7.2

  • OPENAM-19619: NodeState keys API does not return all keys using a wildcard (*)

  • OPENAM-19613: "PSearch is already removed" error message should be a warning

  • OPENAM-19567: InvalidCount variable does not update after successive failed attempts

  • OPENAM-19480: 500 Internal Server Error on /json/scripts with "not equal" CREST filter

  • OPENAM-19476: AbstractUpgradeHelper#updateChoiceValues does not handle i18nKey values

  • OPENAM-19451: When using Chrome WebAuthn simulator and WebAuthn set with attestation DIRECT fails

  • OPENAM-19422: KeepAlive search filter shouldn’t be Absolute True and False Filters

  • OPENAM-19375: Searching JavaDoc does not function correctly

  • OPENAM-19371: Updating an auth tree over REST requires all the nodes to be listed in the payload

  • OPENAM-19261: Introspect call for tokens obtained via the client credentials grant produces error, warning

  • OPENAM-19213: AM doesn’t work in Tomcat 10

  • OPENAM-19187: Unable to remove Saml2 IDP Attribute Mapper scripts using UI

  • OPENAM-19139: AM reports authorization errors using fragments on form_post requests

  • OPENAM-19118: Authentication audit events not logged when ScriptedDecisionNode script contains a syntax error

  • OPENAM-19084: Response does not comply with the standard when requesting claims that are unavailable

  • OPENAM-19081: Modules of type OpenID Connect id_token bearer are not correctly handled in UI and in datastore

  • OPENAM-19030: AM Logs an Error if Resource Type cannot be found

  • OPENAM-19008: AuthTreesSecretsApiStep creates a potentially invalid secret mapping

  • OPENAM-18961: BasicOAuth2RequestImpl throws error at "ERROR" level

  • OPENAM-18935: Inconsistent behavior in ConfigProviderNode when omitting config properties

  • OPENAM-18544: AM Access Auditing Reports FAILURE on 302

  • OPENAM-18512: UMA resource set endpoint doesn’t list all relevant resource sets

  • OPENAM-18481: OIDC client mandates kid value in JOSE header

  • OPENAM-18469: Persistent Claims doc string references "RFC 123"

  • OPENAM-18394: Bazel fails to download Maven dependencies on first compilation

  • OPENAM-18375: Common password policy validation fails when using Registration Tree

  • OPENAM-18351: Form parameter is not recognized in access_token endpoint

  • OPENAM-18254: Attempting to create a user via Registration Tree fails after scaling up ds pods

  • OPENAM-18122: FBC rule written to remove the reference to the MAY_ACT default script sets null instead of [Empty]

  • OPENAM-17957: Identify Existing User node fails with exception when more than one user is found

  • OPENAM-13329: Trees display character encoding in the Settings dropdown menu

  • OPENAM-12492: Identities: 500 error when switching to the Services tab on the anonymous profile

AM 7.1.x

AM 7.1.4

  • OPENAM-21180: Amster should set file encoding to UTF-8 internally

  • OPENAM-21158: Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2

  • OPENAM-21155: Unable to remove OAuth 2.0 client with name that includes a period (.) in XUI

  • OPENAM-21100: SAML v2.0 IDP single logout (SLO) using HTTP redirect needs request stickiness and HA

  • OPENAM-21031: Google KMS secret store configured in AM exceeds the rate limit

  • OPENAM-20927: User info is still cached after removing privilege from group

  • OPENAM-20766: Insufficient debug logging to troubleshoot WS-Federation issuing party issue

  • OPENAM-20761: Create EngineConfiguration fails when using POST with action=create

  • OPENAM-20754: SAML v2.0 pages saml2-write.js and saml2-read.js can error out due to javascript

  • OPENAM-20753: With the LDAP authentication node, the username is incorrectly set for multi-valued attributes

  • OPENAM-20745: Insufficient debug logging to troubleshoot JWK_URI keys issue

  • OPENAM-20742: WS-Federation entities cannot be managed through the AM UI

  • OPENAM-20728: Push log is noisy even when the Push Service is not used

  • OPENAM-20706: Unnecessary config store queries for services that don’t exist

  • OPENAM-20705: SAML v2.0 circle of trust status has no effect

  • OPENAM-20683: UI does not handle multi-valued attributes

  • OPENAM-20645: JWK_URI endpoint is not thread safe

  • OPENAM-20582: JWT client authentication: iss claim value must match sub claim value

  • OPENAM-20581: JWT client authentication fails but the root cause cannot be determined from the logs

  • OPENAM-20570: NullPointerException is thrown when searchAttribute is not available in the user identity

  • OPENAM-20539: Access Token to OIDC Id Token exchange fails for pairwise subject type

  • OPENAM-20505: OAuth 2.0 clients / groups list sort function is not working

  • OPENAM-20480: FBC/Amster config upgrade rules are missing for removed properties

  • OPENAM-20441: OATH Registration node generates Base32 padded secret

  • OPENAM-20405: Transient state that is populated in an inner tree is not available in the parent tree

  • OPENAM-20379: REST STS doesn’t work with com.iplanet.am.cookie.encode=true

  • OPENAM-20333: The Enable Cookies Message is inconsistent

  • OPENAM-20332: When the requested scope and consent scope are different, a server error occurs during JWT Bearer Authorization policy evaluation

  • OPENAM-20331: Policy scope evaluator does not work well with JWT Bearer Authorization grant

  • OPENAM-20308: Access token with auth_level changes does not persist after refreshing token

  • OPENAM-20271: Certificate Validation node fails when optional properties are not configured

  • OPENAM-20261: Problem with User/CTS affinity failover when the DS disk volume is detached

  • OPENAM-20254: When Hosted SP Default RelayState is specified, you shouldn’t need an entry in the Relay State URL List

  • OPENAM-20242: Certificate Validation node: certificate-based authentication requires LDAP

  • OPENAM-20239: Setting the keepalive or heartbeat interval to a negative value in the IdRepo config causes an error

  • OPENAM-20234: Setting the LDAP Connection Heartbeat Interval to zero breaks persistent search

  • OPENAM-20231: OAuth 2.0 token introspection - stacktrace is withheld

  • OPENAM-20216: Fixed size LDAP connection pool not properly established

  • OPENAM-20202: org.forgerock.services.cts.store.root.suffix CTS setting is used when CTS store mode is default

  • OPENAM-20177: Insufficient information in warning message to troubleshoot root cause

  • OPENAM-20143: Unnecessary ERRORs logged when adding pointers in the Field allowlist filters

AM 7.1.3

  • OPENAM-19749: Authentication failure when using a specific locale containing a _ character in Message node

  • OPENAM-19743: Message node allows empty value for locale name

  • OPENAM-18818: Persistent search error message shows wrong DS identifier

  • OPENAM-18613: Web upgrader fails during second instance upgrade

  • OPENAM-18558: OIDC Client Group Inheritance not honoured immediately

  • OPENAM-17768: Enabling allowlisting in trees causes an infinite redirect loop in the registration tree

  • OPENAM-17687: XUI selects wrong partials if a new partial exists with the same prefix

  • OPENAM-17418: OpenId account mapping fails because userInfo subject claim has value usr!demo

  • OPENAM-17315: Update defaults scripts with the change introduced in COMMONS-628

  • OPENAM-16449: Filter fields on the Scripts admin page do not work

AM 7.0.x

AM 7.0.2

  • OPENAM-17663: Improve the error response code for "Failed to revoke access token"

  • OPENAM-17452: SAML bearer grant flow using signed assertions fails - signature validation failure

  • OPENAM-17394: Callback types should be part of the supported API

  • OPENAM-17256: Text is overlapping buttons in configuration UI in Firefox while adding new server

  • OPENAM-16939: IDM nodes do not follow proxy settings

  • OPENAM-16561: OAuth Consent screen does not apply theming

  • OPENAM-16554: Misplaced bufferingEnabled checkbox in New Syslog configuration

  • OPENAM-16539: userinfo endpoint does not return expected user attributes

  • OPENAM-16522: Device Save Node failed on Platform environment

  • OPENAM-16491: SAML Update introduces javascript calls that aren’t available in IE8 and below (or IE11 using Enterprise mode)

  • OPENAM-16280: German login page translation is not complete

  • OPENAM-16261: Node dev guide - CoreWrapper is not a supported API

  • OPENAM-16258: Resource login fails when authenticating to a module instance

  • OPENAM-16229: Exceptions logged while upgrading to AM7

  • OPENAM-16202: Deleting SAML2 entities in console does not remove them from COT

  • OPENAM-16197: Social authentication module does not send activation email if an unauthenticated SMTP server is used

  • OPENAM-16105: AM Login UI cannot handle self service and SDK authentication callbacks

  • OPENAM-16076: An auth node config marked @password (type char[]) cannot also be Optional

  • OPENAM-16068: Annotation based service implementation provides no way to deregister service listeners

  • OPENAM-15892: ScriptingSchemaStep clears whitelist customisations on upgrade

  • OPENAM-15879: openam > ui-admin > entire sessions view disappears when querying with asterisk

  • OPENAM-15861: NullPointerException in CollectionHelper.getServerMapAttrs

  • OPENAM-15860: IdP Init SAML SSO results in two set-cookie: amlbcookie headers in SP Consumer response

  • OPENAM-15812: WebAuthn node: for a user with a WebAuthn profile for another site, the authenticator complains that the wrong security key is being used

  • OPENAM-15791: The /json/groups endpoint is not accessible to the Agents

  • OPENAM-15727: JWT minted by oauth2/authorize does not have correct acr claim when an upgraded SSO token is used

  • OPENAM-15699: _fields query parameter for API "action" endpoints (for example, _action=refresh) does not work as documented

  • OPENAM-15609: CorsService API Descriptor text doesn’t match functionality

  • OPENAM-15534: LDAP connection errors when using DS7 and rest2ldap test

  • OPENAM-15351: During Upgrade Scripts are not updated

  • OPENAM-15253: Upgrade fails if external data store for Applications and Policies is used

  • OPENAM-15037: React-select-multi component - when key pressed to add an entry the previously selected entry remains highlighted

  • OPENAM-15027: React-select-multi component - when enter is clicked on the 'x' of selected entry to delete, form is submitted

  • OPENAM-14897: Default values for JWKs URI content cache timeout and miss timeout are not set on upgrade

  • OPENAM-14887: TimerPool logs error during AM graceful shutdown

  • OPENAM-14882: OAuth2 does not log scopes when using the device code flow

  • OPENAM-14838: Trusted JWT issuer cache is refreshed inefficiently affecting other lookups

  • OPENAM-14837: Trusted Issuer lookup does not pick up modified issuer values

  • OPENAM-14834: JWT bearer grant implementation finds trusted JWT issuers by performing an unindexed search

  • OPENAM-14755: NullPointerException if auth module callback xml file can not be retrieved by ResourceLookup

  • OPENAM-14666: XUI - InternalError: "too much recursion" error can appear when Adding/Viewing/Updating realms

  • OPENAM-14602: The API documentation for some Node API is missing methods/fields in 6.5/7

  • OPENAM-14594: Possible thread-safety issue in OIDC pairwise subject identifiers

  • OPENAM-14576: Configuration LDAP accessed when users endpoint accessed

  • OPENAM-14500: SAML SP-initiated SSO without existing SSO session - value of 'goto' parameter not URL-encoded

  • OPENAM-14499: SAML IdP-initiated SSO without existing SSO session - value of 'goto' parameter not URL-encoded

  • OPENAM-14494: In Firefox the text is cropped inside of the realm’s card on Dashboard

  • OPENAM-14404: Multiple calls being made to session endpoint by XUI when session cookie lost

  • OPENAM-14343: AM console - localisation issue for algorithms in global Common Federation Configuration

  • OPENAM-14322: Servers → Directory Configuration API Can Be Broken With Crafted Payload

  • OPENAM-14290: Caching issue for 'users' REST endpoint

  • OPENAM-14263: Bad title for External Data Stores secondary configuration page

  • OPENAM-14207: NullPointerException AM Console if IDPSSODescriptor is missing attribute 'WantAuthnRequestsSigned'

  • OPENAM-13962: Errors during shutdown of AM

  • OPENAM-13513: Call an authentication tree from a RADIUS client

  • OPENAM-12207: OAuth2 client created using a curl request with defined scopes breaks the AM UI

  • OPENAM-11737: http.response.headers not populating in audit logs

  • OPENAM-11083: Delegated Admin cannot create Oauth2 Provider in realm

  • OPENAM-10696: Login screen does not show mobile users feedback on failure

  • OPENAM-10554: AM installation fails if BASE_DIR is different from the path in .openamcfg

  • OPENAM-10427: LDAP connections created by the configurator wizard are never closed

  • OPENAM-71: SAML2 error handling in HTTP POST and Redirect bindings

Limitations

The following limitations are inherent to the design, not bugs to be fixed.

Redundant files

The installation and upgrade wizards depend on three libraries that the running server does not need. Remove them once setup is complete so they are not part of the deployed web application's attack surface.

When your installation or upgrade is complete, remove the following .jar files from the WEB-INF/lib directory:

  • click-extras-2.3.0.jar

  • click-nodeps-2.3.0.jar

  • velocity-1.7.jar

These files are used only by the wizards; removing them has no effect on the installed instance. Because each new .war ships them again, repeat the removal after every upgrade.
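As an added example, not part of the release notes or of AM itself, the following Python script performs this removal as a repeatable post-install step and verifies the result. It assumes only the standard exploded layout of the deployed .war, with the libraries under WEB-INF/lib. The `demo()` function builds a throwaway copy of that directory from constructed placeholder files (not real archives) so the script runs offline.

```python
"""Post-install hardening for an exploded AM deployment: remove the
wizard-only libraries from WEB-INF/lib and verify they are gone.

Added example; not AM code. The jar names come from the release notes,
and the WEB-INF/lib layout is the standard exploded-.war layout.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

# Libraries used only by the installation and upgrade wizards.
WIZARD_ONLY_JARS = (
    "click-extras-2.3.0.jar",
    "click-nodeps-2.3.0.jar",
    "velocity-1.7.jar",
)


def remove_wizard_jars(web_inf_lib: Path, dry_run: bool = False) -> dict[str, list[str]]:
    """Delete the wizard-only jars from web_inf_lib.

    Returns which jars were removed (or would be, with dry_run=True) and
    which were already absent, so the step is idempotent and auditable.
    """
    lib = Path(web_inf_lib)
    if not lib.is_dir():
        raise FileNotFoundError(f"{lib} is not a directory; expected .../WEB-INF/lib")
    removed: list[str] = []
    absent: list[str] = []
    for jar in WIZARD_ONLY_JARS:
        target = lib / jar
        if target.is_file():
            if not dry_run:
                target.unlink()
            removed.append(jar)
        else:
            absent.append(jar)
    return {"removed": removed, "absent": absent}


def leftover_wizard_jars(web_inf_lib: Path) -> list[str]:
    """Return any wizard-only jars still present (an empty list means clean).

    Use this as the assertion in a deployment pipeline after each upgrade,
    since a freshly deployed .war ships the jars again.
    """
    lib = Path(web_inf_lib)
    return [jar for jar in WIZARD_ONLY_JARS if (lib / jar).exists()]


def demo() -> dict[str, list[str]]:
    """Run the removal against a constructed, throwaway WEB-INF/lib.

    The directory holds two of the three wizard jars plus an unrelated jar
    (placeholder files, not real archives) so the report shows that only
    the listed jars are touched.
    """
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "WEB-INF" / "lib"
        lib.mkdir(parents=True)
        for name in ("click-extras-2.3.0.jar", "velocity-1.7.jar", "unrelated-library.jar"):
            (lib / name).write_bytes(b"placeholder")
        report = remove_wizard_jars(lib)
        report["leftover"] = leftover_wizard_jars(lib)
        report["remaining_files"] = sorted(p.name for p in lib.iterdir())
        return report


if __name__ == "__main__":
    print(demo())
```

In a real deployment, call `remove_wizard_jars(Path("/path/to/tomcat/webapps/am/WEB-INF/lib"))` and fail the pipeline if `leftover_wizard_jars` returns anything.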

Evaluation installations

Sometimes, installing AM for evaluation purposes will fail with a message similar to the following if the JDK’s default truststore’s permissions are 444:

$JAVA_HOME/lib/security/cacerts (Permission denied), refer to install.log under /path/to/install.log for more information.

To work around this issue, locate the truststore that your container is using and change its permissions to 644 before installing AM:

$ sudo chmod 644 $JAVA_HOME/lib/security/cacerts

Restore the original permissions once installation has completed.

Identity and data store scaling

The connection strings to the data or identity stores are static and not hot-swappable. This means that, if you expand or contract your DS affinity deployment, AM will not detect the change. To work around this, either:

  • Manually add or remove the instances from the connection string and restart AM or the container where it runs.

  • Configure a DS proxy in front of the DS instances to distribute data across many DS shards, and configure the proxy address in the connection string.

SAML v2.0 in the AM admin UI

The AM admin UI supports SAML v2.0 IDP and SP entities only. After upgrade, entities that don’t have IDP or SP roles are listed, but you can’t inspect or edit them in the UI. AM displays an error when you try to access these entities.

Entities that contain roles other than IDP or SP will only display the IDP or SP roles.

Web Authentication (WebAuthn)

AM doesn’t support the following functionality, as described in the Web Authentication specification:

Registration
Authentication

Refer to MFA: Web Authentication (WebAuthn) for more information.

RADIUS service only supports commons audit logging

The RADIUS service only supports Commons Audit Logging and can’t use the older Logging Service, available in releases before OpenAM 13.0.0.

AM admin UI access requires the Realm Admin privilege

In this version of AM, administrators can use the AM admin UI as follows:

  • Delegated administrators with the Realm Admin privilege can access full AM admin UI functionality within the realms they administer. In addition, delegated administrators in the Top Level Realm who have this privilege can access AM’s global configuration.

  • Administrators with fewer privileges, such as the Policy Admin privilege, can’t access the AM admin UI.

  • The top-level administrator, such as amAdmin, has access to full AM admin UI functionality in all realms and can access AM’s global configuration.

Specifying keys in JWT headers

AM ignores key material supplied in JWT headers, such as the jku and jwk parameters. Configure the public keys or certificates in AM instead, as explained in the relevant sections of the documentation. This is deliberate: a verifier that fetched or used a key named in the token itself would let the token's author choose the key that validates it.

Different AM versions within a site

Different AM versions within a site aren’t supported. Don’t run different versions of AM together in the same AM site.

Special characters in policy, application, or referral names

Don’t use the following special characters in policy, application, or referral names (for example, "my+referral"); AM rejects such names with a 400 Bad Request error:

  • double quotes (")

  • plus sign (+)

  • comma (,)

  • less than (<)

  • equals (=)

  • greater than (>)

  • backslash (\)

  • null (\u0000)
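As an added example, not code from the release notes or from AM, the following Python module checks a candidate name against exactly this list before it is sent to AM's REST endpoints, and derives an acceptable name from one that fails. The forbidden set is the one listed above; the replacement character and the sample names in the `__main__` block are constructed for illustration.

```python
"""Client-side check for policy, application and referral names before
sending them to AM's REST endpoints.

Added example; not AM code. The forbidden set is the one listed in the
release notes. Checking locally turns a generic 400 Bad Request into a
precise error and lets automation fix derived names before any request
is sent.
"""
from __future__ import annotations

# Characters AM rejects in policy, application and referral names.
# The null character is included explicitly: it survives JSON encoding
# as \u0000 and is easy to miss in names built from external data.
FORBIDDEN_CHARS: frozenset[str] = frozenset('"+,<=>\\\x00')


def offending_chars(name: str) -> list[str]:
    """Return the distinct forbidden characters in name, in order of first appearance."""
    found: list[str] = []
    for ch in name:
        if ch in FORBIDDEN_CHARS and ch not in found:
            found.append(ch)
    return found


def validate_name(name: str) -> str:
    """Return name unchanged if AM would accept it; raise ValueError otherwise."""
    if not name:
        raise ValueError("name must not be empty")
    bad = offending_chars(name)
    if bad:
        listed = ", ".join(repr(ch) for ch in bad)
        raise ValueError(f"name {name!r} contains characters AM rejects: {listed}")
    return name


def sanitize_name(name: str, replacement: str = "-") -> str:
    """Derive an acceptable name by substituting each forbidden character.

    Intended for names built from external data (hostnames, tenant labels)
    where a deterministic substitution is preferable to a failed request.
    The replacement is checked first so it cannot reintroduce a forbidden
    character; an empty replacement simply strips them.
    """
    if offending_chars(replacement):
        raise ValueError(f"replacement {replacement!r} is itself forbidden")
    cleaned = "".join(replacement if ch in FORBIDDEN_CHARS else ch for ch in name)
    return validate_name(cleaned)


if __name__ == "__main__":
    # Constructed sample names: one acceptable, three that AM would reject.
    for candidate in ("allow-admin-api", "my+referral", "acme,ou=policies", "nul\x00led"):
        try:
            validate_name(candidate)
            print(f"{candidate!r}: ok")
        except ValueError as exc:
            print(f"{candidate!r}: rejected ({exc}); sanitized to {sanitize_name(candidate)!r}")
```

Run `validate_name` on every name your provisioning tooling generates before the create call; the exception message names the exact characters, which a 400 response from AM does not.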

XACML policy import and export from different vendors

AM can only import XACML 3.0 files that were created by an AM instance, or that have had minor manual modifications, due to the reuse of some XACML 3.0 parameters for non-standard information.

UMA

UMA is not currently supported in the Platform End User UI.

Interface stability

Interfaces labeled as Evolving in the documentation may change without warning. In addition, the following rules apply:

  • All Java APIs are Evolving, except com.* packages, which are Internal/Undocumented.

  • Interfaces that aren’t described in released product documentation should be considered Internal/Undocumented.

  • Also refer to the Deprecated and Removed features.

Product release levels

Ping Identity defines Major, Minor, Maintenance, and Patch product release levels. The version number reflects release level. The release level tells you what sort of compatibility changes to expect.

Release level definitions
Release Label Version Numbers Characteristics

Major

Version: x[.0.0] (trailing 0s are optional)

  • Bring major new features, minor features, and bug fixes.

  • Can include changes even to Stable interfaces.

  • Can remove previously Deprecated functionality, and in rare cases remove Evolving functionality that has not been explicitly Deprecated.

  • Include changes present in previous Minor and Maintenance releases.

Minor

Version: x.y[.0] (trailing 0s are optional)

  • Bring minor features, and bug fixes.

  • Can include backwards-compatible changes to Stable interfaces in the same Major release, and incompatible changes to Evolving interfaces.

  • Can remove previously Deprecated functionality.

  • Include changes present in previous Minor and Maintenance releases.

Maintenance, Patch

Version: x.y.z[.p]

The optional p reflects a Patch version.

  • Bring bug fixes.

  • Are intended to be fully compatible with previous versions from the same Minor release.

Product stability labels

Ping Identity Platform software supports many features, protocols, APIs, GUIs, and command-line interfaces. Some of these are standard and very stable. Others offer new functionality that is continuing to evolve.

Ping Identity acknowledges that you invest in these features and interfaces, and therefore must know when and how Ping Identity expects them to change. For that reason, Ping Identity defines stability labels and uses these definitions in Ping Identity Platform products.

Stability label definitions
Stability Label Definition

Stable

This documented feature or interface is expected to undergo backwards-compatible changes only for major releases.

Changes may be announced at least one minor release before they take effect.

Evolving

This documented feature or interface is continuing to evolve and so is expected to change, potentially in backwards-incompatible ways even in a minor release. Changes are documented at the time of product release.

While new protocols and APIs are still in the process of standardization, they are Evolving. This applies for example to recent Internet-Draft implementations, and also to newly developed functionality.

Legacy

This feature or interface has been replaced with an improved version, and is no longer receiving development effort from Ping Identity.

You should migrate to the newer version, however the existing functionality will remain.

Legacy features or interfaces will be marked as Deprecated if they are scheduled to be removed from the product.

Deprecated

This feature or interface is deprecated, and likely to be removed in a future release.

For previously stable features or interfaces, the change was likely announced in a previous release.

Deprecated features or interfaces will be removed from Ping Identity products.

Removed

This feature or interface was deprecated in a previous release, and has now been removed from the product.

Technology Preview

Technology previews give access to new features that are not yet supported. They may be functionally incomplete, and the function as implemented is subject to change without notice.

DO NOT DEPLOY A TECHNOLOGY PREVIEW INTO A PRODUCTION ENVIRONMENT.

Customers are encouraged to test drive the technology preview features in a non-production environment, and are welcome to make comments and suggestions about the features in the associated forums.

Ping Identity does not guarantee that a technology preview feature will be present in future releases, and the final complete version of the feature may differ from the preview. Once a technology preview reaches its completed version, that feature becomes part of the Ping Identity Platform.

Technology previews are provided on an “AS-IS” basis for evaluation purposes only, and Ping Identity accepts no liability or obligations for the use thereof.

Internal/Undocumented

Internal and undocumented features or interfaces can change without notice.

If you depend on one of these features or interfaces, contact support to discuss your needs.

Getting support

Ping Identity provides support services, professional services, training, and partner services to assist you in setting up and maintaining your deployments. For a general overview of these services, see https://www.pingidentity.com.

Ping Identity has staff members around the globe who support our international customers and partners. For details on Ping Identity’s support offering, visit https://www.pingidentity.com/support.

Ping Identity publishes comprehensive documentation online:

  • The Ping Identity Knowledge Base offers a large and increasing number of up-to-date, practical articles that help you deploy and manage Ping Identity Platform software.

    While many articles are visible to everyone, Ping Identity customers have access to much more, including advanced information for customers using Ping Identity Platform software in a mission-critical capacity.

  • Ping Identity product documentation, such as this document, aims to be technically accurate and complete with respect to the software documented. It is visible to everyone and covers all product features and examples of how to use them.

Security advisories

Ping Identity issues security advisories in collaboration with our customers to address any security vulnerabilities transparently and rapidly.

Ping Identity’s security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.

You can find security advisories in the Knowledge Base.

Release timeline

Release date   AM version   Release type (1)

2024-12-18     7.3.2        Maintenance
2024-12-12     7.5.1        Maintenance
2024-08-28     7.4.1        Maintenance
2024-06-26     7.2.2        Maintenance
2024-04-02     7.5          Minor
2024-02-26     7.3.1        Maintenance
2023-10-02     7.4          Minor
2023-07-11     7.1.4        Maintenance
2023-04-04     7.3          Minor
2023-04-04     7.2.1        Maintenance
2022-10-13     7.1.3        Maintenance
2022-08-02     6.5.5        Maintenance
2022-06-27     7.2          Minor
2022-03-15     7.1.2        Maintenance
2021-12-06     7.1.1        Maintenance
2021-10-18     6.5.4        Maintenance
2021-05-27     7.0.2        Maintenance
2021-05-19     7.1          Minor
2020-11-03     7.0.1        Maintenance
2020-09-16     6.5.3        Maintenance
2020-08-10     7.0          Major
2020-04-30     5.5.2        Maintenance
2020-04-03     5.5.3        Maintenance
2020-02-17     6.5.2.3      Patch
2019-10-31     6.5.2.2      Patch
2019-08-27     6.5.2.1      Patch
2019-06-20     6.5.2        Maintenance
2019-06-04     6.0.0.7      Patch
2019-04-30     6.5.0.2      Maintenance
2019-04-11     6.5.1        Maintenance
2019-01-15     6.5.0.1      Maintenance
2018-12-06     6.0.0.6      Patch
2018-11-28     6.5          Minor
2018-10-24     6.0.0.5      Patch
2018-08-24     6.0.0.4      Patch
2018-07-30     6.0.0.3      Patch
2018-06-18     6.0.0.2      Patch
2018-05-25     6.0.0.1      Patch
2018-05-09     6.0          Major
2017-10-27     5.5.1        Maintenance
2017-10-23     5.5          Minor

(1) For details about the scope of expected changes for different release types, see Interface stability.