---
title: Changes in AM 7.4.x
description: Two new fields, subject and issuer, replace the accountId field used by the jwtAssertion and jwtValidator script bindings. This lets you specify separate values for these JWT claims.
component: pingam
version: release-notes
page_id: pingam::changes-7.4
canonical_url: https://docs.pingidentity.com/pingam/release-notes/changes-7.4.html
section_ids:
  am_7_4_2: AM 7.4.2
  the_accountid_field_in_jwt_script_binding_operations: The accountId field in JWT script binding operations
  am_7_4_1: AM 7.4.1
  ws_federation_com_sun_identity_wsfederation_logout_wreply_url_validation: WS-Federation com.sun.identity.wsfederation.logout.wreply URL validation
  change_in_behavior_for_journeys_containing_a_certificate_collector_node: Change in behavior for journeys containing a Certificate Collector node
  change_to_oauth_2_0_refresh_token_introspection_response_types: Change to OAuth 2.0 refresh token introspection response types
  am_7_4: AM 7.4
  change-dsameuserpwd: Removal of dsameuserpwd from default keystore
  change-enable-data-store: Preconfigure policy and application data stores
  change-delete-auth-tree: Change in behavior when an authentication tree is deleted
  change-subjectattributes: Change in behavior of subjectattributes endpoint
  change-amadmin-password-secret-cache: Rotatable secrets for amAdmin password
  amster: Amster
---

# Changes in AM 7.4.x

## AM 7.4.2

### The `accountId` field in JWT script binding operations

Two new fields, `subject` and `issuer`, replace the `accountId` field used by the `jwtAssertion` and `jwtValidator` script bindings. This lets you set the issuer and subject JWT claims to different values instead of deriving both from a single account identifier.

If you still set `accountId`, its value is used as the fallback for `issuer`, `stableId`, and `subject` wherever you don't set those fields explicitly.

Learn more in [Generate and validate JWTs](https://docs.pingidentity.com/pingam/7.4/scripting-guide/scripting-api-node.html#jwt-support).

## AM 7.4.1

### WS-Federation `com.sun.identity.wsfederation.logout.wreply` URL validation

To log out of WS-Federation and multiprotocol environments (WS-Federation communicating with SAML 2.0), you must add the URL specified in the `com.sun.identity.wsfederation.logout.wreply` query parameter to the Valid goto URL Resources field in the validation service. If you don't add this URL, the logout redirection fails.

Learn more in [Add a URL to the validation service](https://docs.pingidentity.com/pingam/7.4/authentication-guide/redirection-url-precedence.html#configure-validation-service).
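The following is an added example that is not AM's validation-service code and does not reproduce its matching rules. It illustrates the security reason behind the requirement above: a logout return URL such as the `wreply` value is attacker-controllable, so it must be refused unless it matches a registered allow-list entry. The allow-list entries, hostnames, and the `/*` prefix convention are assumptions made for this illustration.

```javascript
// Added illustration, not AM's validation service: a strict allow-list check
// for a caller-supplied logout return URL (for example the wreply value).
const ALLOWED_GOTO = [
  'https://sp.example.com/logout/done', // exact match only
  'https://portal.example.com/*',       // any path under this one origin
];

function parseAllowEntry(entry) {
  const wildcard = entry.endsWith('/*');
  const base = new URL(wildcard ? entry.slice(0, -1) : entry);
  return { wildcard, base };
}

function isAllowedGoto(candidate, allowList = ALLOWED_GOTO) {
  let url;
  try {
    url = new URL(candidate); // throws for relative, protocol-relative, and garbage values
  } catch {
    return false;
  }
  if (url.protocol !== 'https:') return false;    // never redirect to http:, javascript:, data:
  if (url.username || url.password) return false; // https://sp.example.com@evil.test/ style tricks
  return allowList.some((entry) => {
    const { wildcard, base } = parseAllowEntry(entry);
    if (url.origin !== base.origin) return false; // scheme, host, and port must match exactly
    if (!wildcard) {
      return url.pathname === base.pathname && url.search === base.search && url.hash === '';
    }
    // Prefix match on the normalised path, so "/app/../admin" cannot escape "/app/".
    return url.pathname.startsWith(base.pathname);
  });
}

// Pick the final logout redirect the way a relying-party handler would:
// an unregistered wreply falls back to a fixed landing page.
function resolveLogoutRedirect(wreply, fallback = 'https://am.example.com/logged-out') {
  return isAllowedGoto(wreply) ? wreply : fallback;
}

// Constructed sample inputs.
console.log(resolveLogoutRedirect('https://sp.example.com/logout/done'));
console.log(resolveLogoutRedirect('https://sp.example.com.evil.test/logout/done'));
console.log(resolveLogoutRedirect('//evil.test/phish'));
```

Origin comparison (scheme, host, and port) rather than substring matching is the point: `sp.example.com.evil.test`, `sp.example.com@evil.test`, and a different port are all distinct origins and are refused.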

### Change in behavior for journeys containing a [Certificate Collector node](https://docs.pingidentity.com/auth-node-ref/8.1/certificate-collector.html)

Previously, for journeys containing a [Certificate Collector node](https://docs.pingidentity.com/auth-node-ref/8.1/certificate-collector.html), AM would throw an exception in the following scenario:

* You set the node's Certificate Collection Method property to `Either` or `Header`

* You specified an HTTP header name

* The certificate was missing from the browser (and from the request if `Either` was selected)

Now, in this scenario, the journey continues down the `Not Collected` path.

### Change to OAuth 2.0 refresh token introspection response types

Previously, introspecting a stateful refresh token returned some claims as an array containing a single string.

For consistency, the following claims are now returned as strings:

* `realm`

* `userName`

* `authGrantId`

* `clientID`
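The following is an added example, not AM code. It shows the adapter a client written against the pre-7.4.1 response shape needs while it is migrated: the four claims listed above are coerced from a single-element array to a string, anything else is left alone, and an array of any other length is treated as an error rather than silently picking an element. Both sample responses are constructed, not captured from an AM instance.

```javascript
// Added illustration, not AM code: normalise a refresh-token introspection
// response so pre-7.4.1 (single-element arrays) and 7.4.1+ (strings) clients
// see the same shape for the affected claims.
const STRING_CLAIMS = ['realm', 'userName', 'authGrantId', 'clientID'];

function normalizeIntrospection(response) {
  const out = { ...response };
  for (const claim of STRING_CLAIMS) {
    const v = out[claim];
    if (v === undefined || typeof v === 'string') continue; // absent, or already 7.4.1+ shape
    if (Array.isArray(v) && v.length === 1 && typeof v[0] === 'string') {
      out[claim] = v[0]; // pre-7.4.1 stateful refresh token shape
      continue;
    }
    // Anything else (empty or multi-element array, object) is not a shape
    // either release documents; fail loudly instead of guessing.
    throw new TypeError(`introspection claim ${claim} has unexpected shape: ${JSON.stringify(v)}`);
  }
  return out;
}

// Constructed sample responses (not captured from a real AM instance).
const beforeUpgrade = {
  active: true, token_type: 'refresh_token', scope: 'openid profile',
  realm: ['/alpha'], userName: ['demo'], authGrantId: ['grant-1'], clientID: ['myClient'],
};
const afterUpgrade = {
  active: true, token_type: 'refresh_token', scope: 'openid profile',
  realm: '/alpha', userName: 'demo', authGrantId: 'grant-1', clientID: 'myClient',
};

console.log(normalizeIntrospection(beforeUpgrade).realm); // "/alpha"
console.log(normalizeIntrospection(afterUpgrade).realm);  // "/alpha"
```

Code that indexed `response.realm[0]` before the upgrade reads the first character of the string after it; running every response through a normaliser like this at the boundary is safer than patching each call site.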

## AM 7.4

### Removal of `dsameuserpwd` from default keystore

The `dsameuserpwd` alias has been removed from the default keystore. `dsameUser` is an internal account that AM uses to connect to the configuration store. AM now generates the password for this account on startup, and you can't read or change it.

> **Note:** If you upgrade to AM 7.4 using the [upgrade wizard](https://docs.pingidentity.com/pingam/7.4/upgrade-guide/upgrade-servers.html#upgrade-wizard) and need to roll back the upgrade, you must *restore* the default keystore. The upgrade wizard removes the `dsameuserpwd` alias. If you don't restore this alias, the rolled-back instance of AM won't start up.
>
> If you try to use a previous version of `ssoadm` with AM 7.4, the command shows the error `Can't open boot keystore`, because it expects the `dsameuserpwd` alias to be present. To avoid this error, use the `ssoadm` version delivered with AM 7.4.

### Preconfigure policy and application data stores

You can now *disable* [policy and application data stores](https://docs.pingidentity.com/pingam/7.4/setup-guide/setting-up-policy-and-app-stores.html) until you are ready to use them. This means that you can preconfigure a data store before the directory server is ready. When you want to use the data store configuration, you can enable it, at which point AM verifies that it can connect to the configured store.

All default policy and application data store configurations are *enabled*. A new custom external data store configuration is *disabled* by default. When you upgrade to AM 7.4, existing data store configurations are *enabled* by default.

> **Note:** The `dataStoreEnabled` property is mandatory if you're creating new data stores over REST (using `DataStoreService/config?_action=create`). It's also mandatory if you're updating data stores over REST with a PUT request. For backward compatibility, if you don't include this property in the JSON payload, the endpoint currently adds it to the configuration by default with a value of `true`.
>
> In the next AM release, the endpoint version will be incremented and the latest version will require the property to be present.

### Change in behavior when an authentication tree is deleted

From this release, when you delete an authentication tree, any nodes referenced by that tree are also deleted, provided they aren't referenced by another tree.

This change eliminates *orphaned* nodes in the configuration and lets you delete the scripts referenced by those nodes.

### Change in behavior of `subjectattributes` endpoint

The behavior of queries to the `subjectattributes` endpoint has changed in this release. The new behavior is controlled by the [`org.forgerock.security.entitlement.enforce.realm`](https://docs.pingidentity.com/pingam/7.4/reference/deployment-configuration-reference.html#adv-property-entitlement-realm) advanced server property.

To override the new behavior and revert to the previous behavior, set this property to `false`, then restart AM for the change to take effect.

For security reasons, set this property back to `true` as soon as you have updated your scripts.

### Rotatable secrets for `amAdmin` password

AM now caches the special secret used to store the password of the `amAdmin` user. The cache expires after 900 seconds (15 minutes) by default. To change the expiry time, set the [`org.forgerock.openam.secrets.special.user.secret.refresh.seconds`](https://docs.pingidentity.com/pingam/7.4/reference/deployment-configuration-reference.html#secrets.special.user.secret.refresh.seconds) advanced server property.

For more information, refer to [Store the amAdmin password in a secret store](https://docs.pingidentity.com/pingam/7.4/security-guide/securing-administration.html#amadmin-password-secret-store).

### Amster

The .zip distribution now includes a root folder named `amster`.

This aligns the Amster delivery with the other products in Ping Advanced Identity Software.
