PingAM release notes

Documentation updates

In addition to the changes described elsewhere in these release notes, the published documentation for each AM version includes the following important changes.

AM 7.2.x

AM 7.2.2

  • OPENAM-22207: List HiddenValueCallback as interactive not read-only

  • OPENAM-22099: Remove misleading information about unsupported custom callbacks

  • OPENAM-22065: Fix Knowledge Base link in documentation

  • OPENAM-21851: Clarify use of Single SignOn Service setting for the IdP

  • OPENAM-21815: Clarify how transient state is removed after next callback

  • OPENAM-21383: Instructions to download the UI source code are out of date

  • OPENAM-21081: Clarify version support in Amster release notes

  • OPENAM-21071: Add more information for LDAP availability (KeepAlive) changes

  • OPENAM-21048: Error in Device Profile Collector node documentation

  • OPENAM-20929: Switch to multi-version release notes

  • OPENAM-20835: Explain the SESSION_BLACKLIST token that exists for client-side authentication sessions

  • OPENAM-20591: Prevent ClassNotFoundException when removing click-* jars

  • OPENAM-20522: State that Sector Identifier URI is needed for Pairwise OAuth2Client profile

  • OPENAM-20311: Document AM property for LDAPS protocol

  • OPENAM-19215: Missing documentation for WS Federation in Admin guide

  • OPENAM-19214: Authorization Guide: Clarify supported claims in Requesting Policy Decisions

  • OPENAM-19149: Clarify SAML certificates and secrets usage

  • OPENAM-18606: The documentation to remove an AM instance is misleading

  • OPENAM-18468: Maintenance guide: Update config store connection pool values

  • OPENAM-18099: Explanation of rawProfile information and mappings

  • OPENAM-17580: Document configuration settings needed for AM 6.5.3+ for WS-Federation token issuer endpoints

  • OPENAM-17535: Authorization guide: Building the sample plugin is showing outdated info

  • OPENAM-16325: Inner Tree node capabilities and restrictions

  • OPENAM-15083: Certificate Auth module needs detailed documentation

AM 7.2.1

AM 7.2

  • Updated the Choice Collector node documentation to clarify that the default choice is the first in the list if no default choice is specified.

  • Recommended the removal of the velocity-1.7.jar library after install or upgrade.

  • Added a step to the instructions on building custom nodes.

  • Added Logback.jsp logger names to the Debug logging documentation.

AM 7.1.x

AM 7.1.4
  • Cautioned that host-based cookies should be used for security reasons (Securing the Session Cookie)

  • Changed the default expiry time of server-side agent sessions (com.iplanet.am.session.agentSessionIdleTime)

  • Updated docs to indicate that the failureUrl is not included in REST responses if it is empty

  • Clarified SAML certificates and secrets usage

  • Clarified supported claims when requesting policy decisions over REST

  • Fixed an error in the Device Profile Collector node docs

  • Documented settings for WS-Federation token issuer endpoints (Federation Authentication Module)

  • Added Inner Tree Node capabilities and restrictions

  • Documented AM property for LDAPS protocol org.forgerock.openam.ldap.secure.protocol.version)

  • Advised that changes to Authentication Naming Attribute after setup require existing identities to be updated

  • Enhanced the documentation of the Provision Dynamic Account node

  • Advised administrators to increase DS search limits for large numbers of SAML entities SAML Deployment Considerations)

  • Documented evalThreadSize setting as tuning parameter for policy evaluation

  • Clarified that SAML assertion must be signed when using HTTP-POST

  • Clarified use of auditEntryDetail for scripted decision node

  • Added missing HTTP connector setting to JBoss setup instructions

  • Updated instructions on validating a goto URL

  • Enhanced the documentation on the LDAP availability / KeepAlive changes, new in 7.1.3

  • Removed incorrect wording about namespaces in the node development docs

  • Noted that the JavaScript Origins property of an OAuth2 client does not support non-standard headers

  • Creating a SAML2 entity with a double space results in SAML2 entity with a single space

  • Updated Changes in AM 7.1.x with changes to the TreeContext class

  • Updated the upgrade instructions with information on custom server default properties

AM 7.1.3
  • Updated Changes in AM 7.1.x with changes to the TreeContext class.

  • Added the org.forgerock.openam.introspect.token.query.param.allowed advanced server property.

  • Added the org.forgerock.openam.ldap.dncache.expire.time advanced server property, which sets the DN cache timeout.

  • Updated the OATH Registration node and Push Registration node documentation for the customizable QR code message.

  • Updated the Remote consent documentation to describe the new JWKs URI.

  • Clarified the limitation on using ID tokens as access tokens. For details, refer to Additional Use Cases for ID Tokens.

  • Improved the logback documentation.

  • Updated the documentation on scripted policy conditions.

  • Documented the crypto settings in the IDM Provisioning service.

  • Added information on specifying remote entity encryption methods.

  • Added subject and body to the OTP Email Sender Node and OTP SMS Sender Node.

  • Added guidance on naming custom nodes.

  • Corrected an error in the ForceAuth documentation for authentication trees.

  • Corrected an error in the OIDC hybrid flow documentation.

  • Described how to customize account lockout messages.

  • Updated the documentation on custom post-authentication plugin hooks.

  • Updated the documentation on the OAuth2 Device flow.

  • Add information on overriding and customizing OIDC claims scripts.

  • Clarified change to CORS filter configuration from AM 7 onwards.

  • Documented the nonProxyHosts advanced server property for HTTP client connections.

AM 7.1.2
  • Added guidance on protecting user profile attributes.

  • Updated Multi-Factor Authentication Nodes with details of the OATH nodes that replicate the existing OATH module functionality:

    • OATH Registration Node

    • OATH Token Verifier Node

For information on how to create and test an authentication tree using the OATH nodes, refer to One-Time Password Authentication Using Trees.

AM 7.1.1
  • Updated the examples in the Accessing Shared State Data section.

  • Added documentation in Supported Callbacks about the following callbacks:

    • BooleanAttributeInputCallback

    • BooleanAttributeInputCallback

    • ConsentMappingCallback

    • KbaCreateCallback

    • NumberAttributeInputCallback

    • StringAttributeInputCallback

    • TermsAndConditionsCallback

    • ValidatedCreatePasswordCallback

    • ValidatedCreateUsernameCallback

  • Updated the Preparing for Development section to specify that you must include a nodeDescription property in nodes to ensure that they appear in the authentication tree designer.

  • Improved the procedure on mapping files in file system secret volumes to add more detail about how to encrypt and create filesystem-based secrets.

  • Updated the Directory Server Requirements to indicate that DS 5.+ is required as External Directory Server for 7.1.+.

  • Added a change in behavior to the logging on session timeout.

AM 7.1
  • Initial release of AM 7.1.

AM 7.0.x

AM 7.0.3
AM 7.0.2
  • Indicated that scripts should be upgraded as part of the upgrade process.

  • Improved the documentation about the request parameter of the /oauth2/authorize endpoint.

  • Noted support for Internet Explorer 11 ends August 17, 2021, in alignment with the announcement from Microsoft ending support for Internet Explorer 11.

  • Updated Session Upgrade documentation to clarify that the ForceAuth parameter used with an authentication tree causes AM to issue a new session token, regardless of the security requirements.

  • Updated the Supported Upgrade Paths section to remove the upgrade from OpenAM 13.X and add upgrade path from AM 7.x.

  • Added a new section, Managing the Secure Cookie Filter.

  • Removed information about Oracle Weblogic from the installation guide as it is not supported in this version.

  • Added a new section, OAuth 2.0 Scopes Policy Script API Functionality.

  • Updated the Scripting Environment documentation to show how to obtain the Groovy and JavaScript engine version that AM is using.

  • As part of hardening the security around the SAML v2.0 implementation that occurred in AM 7, the URLs specified in the Assertion Consumer Service must exactly match the SP’s scheme, FQDN, and port.

  • Added a new section, Setting Session Properties.

AM 7.0.1
  • Added documentation on Adding Audit Information.

  • Improved the documentation on Tuning Authentication Node/Module LDAP Connections.

  • Added information on determining if an existing session is present before using the Get Session Data Node.

  • Added information on configuring the public key or HMAC secret in Authenticating Clients Using JWT Profiles.

  • Added information on using the ssoadm command with secure connections in Setting Up Administration Tools.

  • Updated Web or Java Agents SSO and SLO with Java Agent 5.7 and Web Agent 5.7 properties.

  • Updated JVM tuning properties.

  • Documented commands to export policy and application store LDIF files.

  • Clarified documentation on OAuth 2.0 JWK URI cache settings in To Create and Configure a Client Profile.

  • Clarified documentation on SAML v2.0 hosted SP attribute map in Hosted Service Provider Configuration Properties.

  • Corrected the Device Tampering Verification documentation to indicate that the device determines the score, rather than the node or the ForgeRock SDKs.

  • Updated how to create an HTTPS connector for Tomcat in Configuring AM’s Container for HTTPS.

  • Corrected the account mapper classes in Example: Protecting a Web Site With OAuth 2.0.

  • Added documentation about HTTP options when configuring a JVM proxy in front of AM in Preparing the Environment.

  • Updated the Linking Identities Automatically with Auto-Federation section to use the new UI.

  • Corrected the user required to perform policy evaluation with REST in To Evaluate a Policy.

  • Corrected the procedure on SAML v2.0 chains, in Linking Identities by Using Authentication Trees or Chains.

AM 7.0
  • Initial release of AM 7.