PingAM release notes

Known issues

The following important issues remained open at the time of the latest release for each version.

Releases are cumulative, so if an issue in a previous version isn’t listed as fixed, it remains open in the latest version.

AM 7.3.x

AM 7.3.3

OPENAM-23778

AM issues unindexed search when ttlsupport.enabled=true

OPENAM-23703

Custom and native claims in a refreshed, stateless access token don’t match the parent modified stateless access token

OPENAM-23607

AuthenticateToTreeConditionAdvice composite_advice not working as expected

AM 7.3.2

OPENAM-23345

Performance issues when accessing SAML entity provider via the admin console with 5k entities

OPENAM-23022

Transaction condition for policy evaluation fails with JWT subject

OPENAM-22988

Failover doesn’t occur when heartbeat interval is set to 0

OPENAM-22927

WebAuthnRegister should be able to use user.name as display attribute

OPENAM-22846

External app/policy store active/passive LB isn’t working

OPENAM-22674

Unable to create encrypted PEM that works for ENCRYPTED_PEM secret

OPENAM-22608

Non-extractable secrets in HSM fail to work on AM for SAML2 XML signing

OPENAM-22479

LDAPv3 Userstore connection doesn’t reconnect without Heartbeat enabled

OPENAM-22188

Heavy load leads to BLOCKED threads traced to the SecurityManager

OPENAM-22156

logoutByUser throws UnsupportedOperationException

OPENAM-22151

Expiration of cache held in StatelessJWTCache could cause Internal Server Error

OPENAM-21636

AM is unable to run in FIPS compliance mode due to RAW keys

OPENAM-21100

SAML2 IDP Single logout SLO using HTTP redirect needs Request stickiness and HA

OPENAM-20927

User info is still cached after removing privilege from group

OPENAM-20754

SAML pages saml2-write.js and saml2-read.js can cause an error

OPENAM-20234

Setting LDAP Connection Heartbeat Interval to be zero breaks persistent search

OPENAM-20143

False alarms in debug logs when adding pointers in Field whitelist filters

OPENAM-19810

Error: "No installed provider supports this key: sun.security.pkcs11.P11Key$P11PrivateKey"

OPENAM-19453

Using CTS Authentication Session may fail authentication journey if AM is not LB sticky

OPENAM-18307

Global services don’t reflect changes made by ssoadm

OPENAM-18293

AuthContext.login doesn’t work with trees when performing service-based authentication

OPENAM-18111

Second login attempt using InnerTreeEvaluatorNode gets previous transient state

OPENAM-17679

User text not showing up for IDM Provisioning Service

OPENAM-17340

Lack of integration for logger with logback configuration

OPENAM-12197

postSingleSignOnSuccess and postSingleSignOnFailure not called when using SAML2 authentication module or node

OPENAM-4201

XUI returns messages based on localized responses from REST authentication interface

AM 7.3.1

OPENAM-21972

SAML Artifact Binding is failing in load-balanced deployments such as K18S

OPENAM-21820

Set policy result TTL to 0 when using Environment Policy Active Session

OPENAM-21802

Email Service value Transport type is overwritten in the static config export

OPENAM-21773

The Secondary Configurations tab is missing from the Global Email service

OPENAM-21772

No OAuth 2.0 clients displayed in the UI when AM has more than 1000 clients

OPENAM-21743

WebAuthn Node with AM XUI: Error is rendered along with Recovery code button

OPENAM-21734

WebAuthn Registration Node: UserNotVerifiedException not caught leading to Node failure

OPENAM-21683

AM lets you create anonymous user when it already exists

OPENAM-21682

OAuth 2.0: AM doesn’t redirect back to the client if consent is denied and no redirect_uri is present in the query parameters

OPENAM-21535

The logout at AM’s GUI only targets the root realm instead of the respective sub realm

OPENAM-21466

AM using social OIDC authentication fails to verify idtoken if the remote JWK_URIs have duplicate kid

OPENAM-21441

Policy evaluation with LDAPFilter condition uses config store user instead of identity store user

OPENAM-21407

External data store config min connection pool can be set higher than the max connection pool and the config can still be persisted

OPENAM-21406

Realm services are no longer accessible after deleting the “External Data Stores” service

OPENAM-21379

Unable to read SMS config when request is too quick after changing configuration

OPENAM-21363

Unable to modify an external data store config when it is set as a global default datastore but not referenced in any realm

OPENAM-21354

OAuth2 provider: Insufficient debug logging for SAML bearer authorization grant

OPENAM-21352

Amster read AuthTree doesn’t return nodes within a page node

OPENAM-21327

Unable to specify property name with a '-' when configuring policy environment conditions

OPENAM-21322

AM Console allows Entity Provider to be created with space at end of the name

OPENAM-21319

Policy and Application Store Cache is not updated in multiple server deployment when changes are made

OPENAM-21309

DefaultDataStoreConfigurationManager shouldn’t establish DS connection in FBC mode

OPENAM-21305

Dynamic Client Registration does not permit setting Client ID Token Public Encryption key

OPENAM-21294

Remove openam-core from Soap-STS server

OPENAM-21278

Amster doesn’t use console or accept piped input in interactive mode

OPENAM-21273

TOTP Registration information no longer contains Issuer in the otpauth’s PATH

OPENAM-21270

OAuth2 resource owner password credential grant (ROPC) token response does not tell reason for failure

OPENAM-21204

Scripted node - idRepository.setAttribute does not execute catch block when setting userPassword attribute fails

OPENAM-21193

AM-Config-upgrader amupgrade cannot work on Windows

OPENAM-21191

In AM 7.3, web agent sessions have a lifetime of 42 years

OPENAM-21187

AM agent UI fails when an agent configuration present in FBC and external store is used

OPENAM-21180

Amster should set file encoding to UTF-8 internally

OPENAM-21151

Amster command cannot operate on HostedSaml2EntityProvider

OPENAM-21137

Performing Amster import with --clean in FBC with external Data Store service fails with error

OPENAM-21127

Config Upgrader Exception CreateSecretStores at 6.5.x-to-7.x.x on Windows 2019

OPENAM-21125

Installing AM using Tomcat under local system account fails with Amster RSA file issue

OPENAM-21114

Trusted JWT Issuer does not provide correct error and lacks information on defined behaviour

OPENAM-21085

Undefined bindings in Groovy scripts are evaluated as defined

OPENAM-21076

KerberosNode and Windows SSO module use System.setProperty to set Kerberos realm

OPENAM-21055

Unable to get AMIdentityRepository in custom code in 7.3

OPENAM-21053

UserId is missing from access.audit.json for JWT client authentication flow using org.forgerock.security.oauth2.enforce.sub.claim.uniqueness=false

OPENAM-21046

Insufficient logging in Create and Patch Object nodes

OPENAM-21003

IE11 not working during SAML tree authentication due to use of Arrow function

OPENAM-20976

Consent Collector node "Next" button text localization not working

OPENAM-20975

OATH Registration node "Next" button text localization not working

OPENAM-20937

Migration from OATH module to Auth Tree using OATH Token Verifier causes OathVerificationException: null

OPENAM-20920

NPE in SPSSOFederate#getSingleSignOnServiceEndpoint when binding is null and SSO endpoint list contains non-SAML2 entries

OPENAM-20899

ConfigurationAttributes class is exposed but there is no class file or Javadoc available for it

OPENAM-20896

Supported AMIdentity API getMembership and others changed

OPENAM-20809

IE11 doesn’t work with AM 7.2.1-RC1 and AM 7.3.0

OPENAM-20766

Insufficient debug logging to troubleshoot WS-Federation issuing party issue

OPENAM-19998

Performing an Amster export on AM running in FBC mode generates new configuration which breaks the FBC upgrader

OPENAM-20751

Authentication errors with AM on Windows and Connect Error in Session log

OPENAM-20703

Tree secure state retained unnecessarily long

OPENAM-20647

JavaScript throws wrong exception when trying to access a non-allowlisted class’s static method

OPENAM-20572

Enduser password reset email field is not validated

OPENAM-20557

OATH. Recovery codes are not displayed if Registration Node is followed by OATH Token Verifier Node

OPENAM-20556

OATH Recovery codes aren’t displayed when “Store device data in shared state” is selected in OATH Registration Node

OPENAM-20543

Display page node header, description and footer in correct default language

OPENAM-20520

httpClient sent request is not returning the correct response object

OPENAM-20517

Device Match Node - Acceptable Variance Configuration

OPENAM-20516

Create Tree command fails when using POST with _action=create

OPENAM-20515

Delete fails for Authentication Node, when its _id is not a UUID

OPENAM-20513

Random login failure when using registration tree

OPENAM-20496

Null refresh_token for OAuth 2.0 token exchange delegation case

OPENAM-20329

Forgerock JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) not spec compliant

OPENAM-20324

Default install of AM does not have the updated identity classes in the policy script whitelist

OPENAM-20234

Setting the LDAP Connection Heartbeat Interval to zero breaks persistent search

OPENAM-20314

Social Provider Handler Node / Social Identity Provider Service - the search for existing link is hard coded to Sub claim (regression)

OPENAM-18111

Next attempt in InnerTreeEvaluatorNode will get previous transient state

OPENAM-17679

User text not showing up for IDM Provisioning Service

OPENAM-17340

AM 7 lack of integration for logger from config for logback

OPENAM-15948

Update DS profiles to add VLV indexes for CTS use

OPENAM-15410

Enable modifying Access Token audience claim in OIDC

AM 7.3

OPENAM-20751

Authentication errors with AM on Windows and connection errors in session log

OPENAM-20703

Tree secure state retained unnecessarily long

OPENAM-20647

Incorrect exception thrown when trying to access the static method of a non-allowlisted class

OPENAM-20572

End user password reset email field is not validated

OPENAM-20557

OATH recovery codes are not displayed if Registration node is followed by OATH Token Verifier node

OPENAM-20556

OATH recovery codes are not displayed if Store device data in shared state is selected in OATH Registration node

OPENAM-20543

Display page node header, description, and footer, in correct default language

OPENAM-20520

HttpClient sent request is not returning the correct response object

OPENAM-20517

Acceptable variance configuration not working for Device Match node

OPENAM-20516

Create tree command fails when using POST with _action=create

OPENAM-20515

Delete fails for Authentication node, when its _id is not a UUID

OPENAM-20513

Random login failure when using registration tree

OPENAM-20496

Null refresh_token for OAuth 2.0 token exchange delegation case

OPENAM-20324

Default install of AM does not have the updated identity classes in the policy script whitelist

OPENAM-20299

com.iplanet.am.session.agentSessionIdleTime is not honored using Agent authentication tree

OPENAM-20188

Using session cookie created before AM is restarted

OPENAM-20077

Access token modification script does not have access to client for client_credential grant flow if realm configured to ignore profile

OPENAM-19988

Using an id_token generated by AM in a policy condition does not work

OPENAM-19878

ArrayIndexOutOfBoundsException in SAML2

OPENAM-19829

Build fails on module openam-encryption-support when using JDK 18

AM 7.2.x

AM 7.2.2

OPENAM-21441

Policy evaluation with LDAPFilter condition is done with config store user instead of identity store user

OPENAM-21683

AM lets you create anonymous user when it already exists

OPENAM-21682

OAuth 2.0: AM doesn’t redirect back to the client if consent is denied and no redirect_uri is present in the query parameters

OPENAM-21074

Amazon SNS client code doesn’t support external proxy authentication

OPENAM-20927

User info is still cached after removing privilege from group

OPENAM-20754

SAML pages saml2-write.js and saml2-read.js can cause error due to javascript

OPENAM-20442

Trim whitespace at the end of email input before validation in Attribute Collector node

AM 7.2.1

OPENAM-20546

Ensure AM handles an empty value for the authorization JWT response signing algorithm

OPENAM-20479

OIDC authentication request fails if request is sent as unsecured JWS

OPENAM-20457

DeviceLocationMatchNode fails when location service is disabled in browser and is unable to collect location information

OPENAM-20396

Authentication tree is selected by order of acr to tree mapping, not the default values and order is not preserved

OPENAM-20104

The fragment response_mode for the /oauth2/authorize endpoint is not working

AM 7.2

OPENAM-19619

NodeState keys API does not return all keys using a wildcard (\*)

OPENAM-19613

PSearch is already removed error message should be warning

OPENAM-19567

InvalidCount variable does not update after successive failed attempts

OPENAM-19480

500 Internal Server Error on /json/scripts with "not equal" CREST filter

OPENAM-19476

AbstractUpgradeHelper#updateChoiceValues does not handle i18nKey values

OPENAM-19451

When using Chrome WebAuthn simulator and WebAuthn set with attestation DIRECT fails

OPENAM-19422

KeepAlive search filter shouldn’t be Absolute True and False Filters

OPENAM-19375

Searching JavaDoc does not function correctly

OPENAM-19371

Updating an auth tree over REST requires all the nodes to be listed in the payload

OPENAM-19261

Introspect call for tokens obtained via the client credentials grant produces error, warning

OPENAM-19213

AM doesn’t work in Tomcat 10

OPENAM-19187

Unable to remove Saml2 IDP Attribute Mapper scripts using UI

OPENAM-19139

AM reports authorization errors using fragments on form_post requests

OPENAM-19118

Authentication audit events not logged when ScriptedDecisionNode script contains a syntax error

OPENAM-19084

Response does not comply with the standard when requesting claims that are unavailable

OPENAM-19081

Modules of type OpenID Connect id_token bearer are not correctly handled in UI and in datastore

OPENAM-19039

Amster query command base64-encodes the _id attribute for Saml2Entities

OPENAM-19030

AM Logs an Error if Resource Type cannot be found

OPENAM-19008

AuthTreesSecretsApiStep creates a potentially invalid secret mapping

OPENAM-18961

BasicOAuth2RequestImpl throws error at "ERROR" level

OPENAM-18935

Inconsistent behavior in ConfigProviderNode when omitting config properties

OPENAM-18715

Due to an unresolved issue in the updated version of Groovy used by Amster, Amster cannot execute multi-line commands from a script while creating a realm using the :load option

Workaround: Use a single-line command instead. For example, instead of a multi-line command like this:

payload='{ \
        "name": "employeur-test", \
        "active": true, \
        "parentPath": "/", \
        "aliases": [] \
}'
create Realms --global --body payload

Create a single-line command like this:

create Realms --global --body '{ "name": "employeur-test", "active": true, "parentPath": "/", "aliases": [] }'

OPENAM-18544

AM Access Auditing Reports FAILURE on 302

OPENAM-18512

UMA resource set endpoint doesn’t list all relevant resource sets

OPENAM-18481

OIDC client mandates kid value in JOSE header

OPENAM-18469

Persistent Claims doc string references "RFC 123"

OPENAM-18394

Bazel fails to download Maven dependencies on first compilation

OPENAM-18375

Common password policy validation fails when using Registration Tree

OPENAM-18351

Form parameter is not recognized in access_token endpoint

OPENAM-18254

Attempting to create a user via Registration Tree fails after scaling up ds pods

OPENAM-18122

FBC rule written to remove reference to MAY_ACT default script set null instead of [Empty]

OPENAM-17957

Identify Existing User node fails with exception when more than one user is found

OPENAM-13329

Trees Display Character Encoding in Settings Dropdown Menu

OPENAM-12492

Identities: 500 Error when switch to Services tab on anonymous profile

AM 7.1.x

AM 7.1.4

OPENAM-21180

Amster should set file encoding to UTF-8 internally

OPENAM-21158

Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2

OPENAM-21155

Unable to remove OAuth 2.0 client with name that includes a period (.) in XUI

OPENAM-21100

SAML v2.0 IDP single logout (SLO) using HTTP redirect needs Request stickiness and HA

OPENAM-21031

Google KMS secret store configured in AM exceeds the rate limit

OPENAM-20927

User info is still cached after removing privilege from group

OPENAM-20766

Insufficient debug logging to troubleshoot WS-Federation issuing party issue

OPENAM-20761

Create EngineConfiguration fails when using POST with action=create

OPENAM-20754

SAML v2.0 pages saml2-write.js and saml2-read.js can error out due to javascript

OPENAM-20753

With the LDAP authentication node, the username is incorrectly set for multi-valued attributes

OPENAM-20745

Insufficient debug logging to troubleshoot JWK_URI keys issue

OPENAM-20742

WS-Federation entities can not be managed through the AM UI

OPENAM-20728

Push log is noisy even when the Push Service is not used

OPENAM-20706

Unnecessary config store queries for services that don’t exist

OPENAM-20705

SAML v2.0 circle of trust status has no effect

OPENAM-20683

UI does not handle multi-valued attributes

OPENAM-20645

JWK_URI endpoint is not thread safe

OPENAM-20582

JWT client authentication: iss claim value must match sub claim value

OPENAM-20581

JWT Client authentication fails but the root cause can not be determined from the logs

OPENAM-20570

NullPointerException is thrown when searchAttribute is not available in the user identity

OPENAM-20539

Access Token to OIDC Id Token exchange fails for pairwise subject type

OPENAM-20505

OAuth 2.0 clients / groups list sort function is not working

OPENAM-20480

FBC/Amster config upgrade rules are missing for removed properties

OPENAM-20441

OATH Registration node generates Base32 padded secret

OPENAM-20405

Transient state that is populated in an inner tree is not available in the parent tree

OPENAM-20379

REST STS doesn’t work with com.iplanet.am.cookie.encode=true

OPENAM-20333

The Enable Cookies Message is inconsistent

OPENAM-20332

When the requested scope and consent scope are different, a server error occurs during JWT Bearer Authorization policy evaluation

OPENAM-20331

Policy scope evaluator does not work well with JWT Bearer Authorization grant

OPENAM-20308

Access token with auth_level changes does not persist after refreshing token

OPENAM-20271

Certificate Validation node fails when optional properties are not configured

OPENAM-20261

Problem with User/CTS affinity failover when the DS disk volume is detached

OPENAM-20254

When Hosted SP Default RelayState is specified, you shouldn’t need an entry in the Relay State URL List

OPENAM-20242

Certification Validation node: Certificate-based authentication requires LDAP

OPENAM-20239

Setting the keepalive or heartbeat interval to a negative value in the IdRepo config causes an error

OPENAM-20234

Setting the LDAP Connection Heartbeat Interval to zero breaks persistent search

OPENAM-20231

OAuth 2.0 token introspection - stacktrace is withheld

OPENAM-20216

Fixed size LDAP connection pool not properly established

OPENAM-20202

org.forgerock.services.cts.store.root.suffix CTS setting is used when CTS store mode is default

OPENAM-20177

Insufficient information in warning message to troubleshoot root cause

OPENAM-20143

Unnecessary ERRORs logged when adding pointers in the Field allowlist filters

AM 7.1.3

OPENAM-19749

Authentication failure when using a specific locale containing a _ character in Message node

OPENAM-19743

Message node allows empty value for locale name

OPENAM-18818

Persistent search error message shows wrong DS identifier

OPENAM-18613

Web upgrader fails during second instance upgrade

OPENAM-18558

OIDC Client Group Inheritance not honoured immediately

OPENAM-17768

Enabling allowlisting in trees causes an infinite redirect loop in the registration tree

OPENAM-17687

XUI selects wrong partials if a new partial exists with the same prefix

OPENAM-17418

OpenId account mapping fails because userInfo subject claim has value usr!demo

OPENAM-17315

Update defaults scripts with the change introduced in COMMONS-628

OPENAM-16449

Filter fields on the Scripts admin page do not work

AM 7.0.x

AM 7.0.2

OPENAM-17663

Improve the error response code for "Failed to revoke access token"

OPENAM-17452

SAML bearer grant flow using signed assertions fails - signature validation failure

OPENAM-17394

Callback types should be part of the supported API

OPENAM-17256

Text is overlapping buttons in configuration UI in Firefox while adding new server

OPENAM-16939

IDM nodes do not follow proxy settings

OPENAM-16561

OAuth Consent screen does not apply theming

OPENAM-16554

Misplaced bufferingEnabled checkbox in New Syslog configuration

OPENAM-16539

userinfo endpoint does not return expected user attributes

OPENAM-16522

Device Save Node failed on Platform environment

OPENAM-16491

SAML Update introduces javascript calls that aren’t available in IE8 and below (or IE11 using Enterprise mode)

OPENAM-16280

German login page translation is not complete

OPENAM-16261

Node dev guide - CoreWrapper is not supported API

OPENAM-16258

Resource login fails to work to Authenticate to Module instance

OPENAM-16229

Exceptions logged while upgrading to AM7

OPENAM-16202

Deleting SAML2 entities in console does not remove them from COT

OPENAM-16197

social authmodule does not send activation email if un-authenticated SMTP server is used

OPENAM-16105

AM Login UI cannot handle self service and SDK authentication callbacks

OPENAM-16076

An auth node config marked @password (type char[]) cannot also be Optional

OPENAM-16068

Annotation based service implementation provides no way to deregister service listeners

OPENAM-15892

ScriptingSchemaStep clears whitelist customisations on upgrade

OPENAM-15879

openam > ui-admin > entire sessions view disappears when querying with asterisk

OPENAM-15861

NullPointerException in CollectionHelper.getServerMapAttrs

OPENAM-15860

IdP Init SAML SSO results in two set-cookie: amlbcookie headers in SP Consumer response

OPENAM-15812

WebAuthn Node for a user with a WebAuthn profile for another site causes authenticator to complain using wrong security key

OPENAM-15791

The /json/groups endpoint is not accessible to the Agents

OPENAM-15727

JWT minted by oauth2/authorize does not have correct acr claim when an upgraded SSO token is used

OPENAM-15699

_fields query parameter for API "Action" end point eg _action=refresh does not work as documented

OPENAM-15609

CorsService API Descriptor text doesn’t match functionality

OPENAM-15534

LDAP connection errors when using DS7 and rest2ldap test

OPENAM-15351

During Upgrade Scripts are not updated

OPENAM-15253

Upgrade fails if external data store for Applications and Policies is used

OPENAM-15037

React-select-multi component - when key pressed to add an entry the previously selected entry remains highlighted

OPENAM-15027

React-select-multi component - when enter is clicked on the 'x' of selected entry to delete, form is submitted

OPENAM-14897

Default values for JWKs URI content cache timeout and miss timeout are not set on upgrade

OPENAM-14887

TimerPool logs error during AM graceful shutdown

OPENAM-14882

OAuth2 does not log scopes while using device code flow

OPENAM-14838

Trusted JWT issuer cache is refreshed inefficiently affecting other lookups

OPENAM-14837

Trusted Issuer lookup does not pick up modified issuer values

OPENAM-14834

JWT bearer grant implementation finds trusted JWT issuers by performing an unindexed search

OPENAM-14755

NullPointerException if auth module callback xml file can not be retrieved by ResourceLookup

OPENAM-14666

XUI - InternalError: "too much recursion" error can appear when Adding/Viewing/Updating realms

OPENAM-14602

The API documentation for some Node API is missing methods/fields in 6.5/7

OPENAM-14594

Possible thread-safety issue in OIDC pairwise subject identifiers

OPENAM-14576

Configuration LDAP accessed when users endpoint accessed

OPENAM-14500

SAML SP-initiated SSO without existing SSO Session - value of 'goto' parameter not URL-encoded

OPENAM-14499

SAML IdP-initiated SSO without existing SSO Session - value of 'goto' parameter not URL-encoded

OPENAM-14494

In Firefox the text is cropped inside of the realm’s card on Dashboard

OPENAM-14404

Multiple calls being made to session endpoint by XUI when session cookie lost

OPENAM-14343

AM console - localisation issue for algorithms in global Common Federation Configuration

OPENAM-14322

Servers → Directory Configuration API Can Be Broken With Crafted Payload

OPENAM-14290

Caching issue for 'users' REST endpoint

OPENAM-14263

Bad title for External Data Stores secondary configuration page

OPENAM-14207

NullPointerException AM Console if IDPSSODescriptor is missing attribute 'WantAuthnRequestsSigned'

OPENAM-13962

Errors during shutdown of AM

OPENAM-13513

Call Authentication Tree in a Radius Client

OPENAM-12207

Created OAuth2 client using curl request with defined scopes breaks the AM UI

OPENAM-11737

http.response.headers not populating in audit logs

OPENAM-11083

Delegated Admin cannot create Oauth2 Provider in realm

OPENAM-10696

Login screen does not show mobile users feedback on failure

OPENAM-10554

AM installation fails if BASE_DIR is different from the path in .openamcfg

OPENAM-10427

LDAP connections created by the configurator wizard are never closed

OPENAM-71

SAML2 error handling in HTTP POST and Redirect bindings