---
title: Fixes in AM 7.0.x
description: This page lists the cumulative fixes in AM 7.0.x releases:
component: pingam
version: release-notes
page_id: pingam::fixes-7.0
canonical_url: https://docs.pingidentity.com/pingam/release-notes/fixes-7.0.html
section_ids:
  am_7_0_2: AM 7.0.2
  am_7_0_1: AM 7.0.1
  am_7_0_0: AM 7.0.0
---

# Fixes in AM 7.0.x

This page lists the cumulative fixes in AM 7.0.x releases:

## AM 7.0.2

|              |                                                                                                                                  |
| ------------ | -------------------------------------------------------------------------------------------------------------------------------- |
| OPENAM-17689 | LDAPv3PersistentSearch should log when psearch connection is lost                                                                |
| OPENAM-17688 | InMemoryCtsSessionCacheStep#cacheTrusted field should be marked volatile                                                         |
| OPENAM-17683 | Selfservice user registration auto login fails for a sub-realm                                                                   |
| OPENAM-17673 | Nodes within a Page node do not have access to secure state                                                                      |
| OPENAM-17672 | Page Node does not expose inner nodes inputs or outputs                                                                          |
| OPENAM-17630 | JMS Audit logging broken and cannot start up                                                                                     |
| OPENAM-17591 | Session quota destroy next expiring action can fail when two new sessions attempt to read and update the same expiring session   |
| OPENAM-17587 | OIDC bearer token authentication module requires context value setting for client secret                                         |
| OPENAM-17570 | OIDC request parameter decryption fails to find any applicable keys                                                              |
| OPENAM-17555 | AM 7.x versions of Amster use Java 8 format of debug port                                                                        |
| OPENAM-17517 | JS versions of Social Identity Provider Profile Transformation scripts do not work due to a casting error.                       |
| OPENAM-17515 | Sub attribute in access token can be in wrong casing                                                                             |
| OPENAM-17483 | SecretsPlugin upgrade from 6.5.x failing                                                                                         |
| OPENAM-17477 | Thread-safety issue in AMAuthenticationManager                                                                                   |
| OPENAM-17436 | JS version of the OIDC Claims script does not work due to a casting error.                                                       |
| OPENAM-17405 | Token introspection response not spec compliant                                                                                  |
| OPENAM-17397 | ssoadm can fail for some cloud-based setups due to FileBasedConfiguration check                                                  |
| OPENAM-17365 | Checking agent type with caller token can cause deadlock                                                                         |
| OPENAM-17364 | prompt login / session upgrade / OIDC ACR looping with trees                                                                     |
| OPENAM-17361 | API Explorer Swagger Template body needs modified to include configExport, debugLogs and threadDump as per the API Documentation |
| OPENAM-17357 | Remote Consent Service RCS does follow RCS consented scope when authorization endpoint accessed without any scope                |
| OPENAM-17349 | OIDC Refresh token - Ops token is deleted from the CTS during refresh                                                            |
| OPENAM-17337 | Access token passed in request body results in failure                                                                           |
| OPENAM-17324 | Client credentials grant in FBC config with group inheritance causes User not Valid Error                                        |
| OPENAM-17322 | SAML2 bearer grant returns NoUserExistsException                                                                                 |
| OPENAM-17321 | Prometheus Endpoint returns http 500 error when used with file based config                                                      |
| OPENAM-17317 | A realm without any modules can cause increased thread count and slow response.                                                  |
| OPENAM-17310 | 'ssoadm list-datastore-types' sub-command broken                                                                                 |
| OPENAM-17277 | AM Recording with thread dump only shows depth of 8                                                                              |
| OPENAM-17276 | AM recorder does not record anymore                                                                                              |
| OPENAM-17274 | AM should not change the supported subject types for an existing install                                                         |
| OPENAM-17271 | Typo for Realm in SAML/Federation debug                                                                                          |
| OPENAM-17265 | Wrong authorized\_keys file updated                                                                                              |
| OPENAM-17242 | OAuth2 Policy - Environment Condition AuthLevel >= doesn't work for ROPC grant                                                   |
| OPENAM-17220 | OAuthLogout.jsp compilation error isGotoUrlValid method signature not found                                                      |
| OPENAM-17199 | Insufficient debug logging for 'DJLDAPv3Repo.getAssignedServices'                                                                |
| OPENAM-17175 | XUI OAuth2 consent page does not render when using themes                                                                        |
| OPENAM-17157 | Password reset via admin console with Proxied Authorization enabled is not possible                                              |
| OPENAM-17156 | Adaptive Risk checkGeoLocation null countryCode can cause module fail.                                                           |
| OPENAM-17121 | Inefficient synchronized block in OAuth2ProviderSettingsFactory                                                                  |
| OPENAM-17117 | Service config XML dump consumes a lot of memory (whole config is read to memory)                                                |
| OPENAM-17114 | Save Consent check box always shown, even when not configured                                                                    |
| OPENAM-17102 | OAuth2 client bearer authentication has insufficient logs for troubleshooting failing client authentication                      |
| OPENAM-17097 | Inconsistent scope policy evaluation between authorize and ROPC                                                                  |
| OPENAM-17089 | Forgot password flow not working after initial attempt to reset password fails                                                   |
| OPENAM-17081 | OAuth2 client agent group settings are not taken into account                                                                    |
| OPENAM-17079 | Identities and Session: unexpected returned error when trying to request for unexisting identity                                 |
| OPENAM-17070 | SAML2 SP initiated SSO with AM as idp Proxy, RelayState is not returned from proxy after idp authentication                      |
| OPENAM-17066 | Unable to add server to existing deployment through UI                                                                           |
| OPENAM-17042 | User Self Registration REST API does not generate SSO token                                                                      |
| OPENAM-17019 | Allowing wildcards in OAuth 2.0 clients prevents exact matching from working                                                     |
| OPENAM-17017 | REST STS fails with unable get get sub-schema if cache is refreshed while updating REST config                                   |
| OPENAM-16998 | Poor logging around failures "Invalid Assertion Consumer Location specified"                                                     |
| OPENAM-16997 | Device code grant implied consent fails if access\_token request performed before user authenticates                             |
| OPENAM-16955 | When setCookieToAllDomains=false is used, a non matching request from other domain will fail                                     |
| OPENAM-16944 | LDAP Decision node fails if inetuserstatus does not exist                                                                        |
| OPENAM-16932 | PageNode does not pick up outcomes if ScriptedDecisionNode is used inside                                                        |
| OPENAM-16910 | Can not create SAML entity with entity id including a semicolon ';'                                                              |
| OPENAM-16904 | OIDC bearer module fails with NPE when id\_token does not contain kid                                                            |
| OPENAM-16883 | AM ignores AuthnRequestsSigned property during SSO                                                                               |
| OPENAM-16881 | SAML federation library stopped supporting ACS URLs with query parameters                                                        |
| OPENAM-16876 | Default ACR values on OIDC client profile is not honoured in order of preference                                                 |
| OPENAM-16849 | WeChat Social Auth module broken (regression)                                                                                    |
| OPENAM-16801 | SAML2 SP init SSO fails after upgrade to 7.0.0                                                                                   |
| OPENAM-16726 | Insufficient debug logging for OAuth2 error 'invalid\_client Server does not support this client's subject type'                 |
| OPENAM-16651 | Default configuration fails if the trust store type JVM property is not defined for the JVM                                      |
| OPENAM-16638 | AM with embedded DS setup fails when Java system keystore properties is set                                                      |
| OPENAM-16608 | AM with embedded DS setup fails with permission denied for truststore                                                            |
| OPENAM-16581 | SAML Authentication Module on hosted SP gets SAML No authentication context error                                                |
| OPENAM-16556 | Radius Server's does not log IP address into AM Audit logs                                                                       |
| OPENAM-16515 | Social auth - insufficient debug logging for troubleshooting                                                                     |
| OPENAM-16472 | Proxied Authentication fallback may not work when user entry lack some attributes                                                |
| OPENAM-16364 | Macaroon access tokens don't work with the new any-realm token introspection                                                     |
| OPENAM-16262 | Javadocs for IdUtils needs updating                                                                                              |
| OPENAM-15963 | Historical retention files ( csv ) were not deleted                                                                              |
| OPENAM-15214 | Auth Tree - Clicking save with no changes causes render problem with node attributes inside page node                            |
| OPENAM-14240 | FMSigProvider.verify does not tell if certificates are provided                                                                  |
| OPENAM-13783 | REST STS: Cannot add or modify nameID format in SAML config, and default value stated in help is incorrect                       |
| OPENAM-13575 | Unhelpful log message when OIDC public client wants to use HMAC id token signing                                                 |

## AM 7.0.1

|              |                                                                                                                                                                                      |
| ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| OPENAM-16935 | Logout issue after logging into AM with 'Remember my username' selected with iOS 14.0.1                                                                                              |
| OPENAM-16934 | sm.getSchemaManager has a typo including a comma                                                                                                                                     |
| OPENAM-16907 | Kerberos Node in 7.0 does not work                                                                                                                                                   |
| OPENAM-16877 | Error when creating AM "Self-service Trees" service in native admin ui                                                                                                               |
| OPENAM-16848 | Choice Collector and WDSSO node combination does not work if whitelisting is enabled                                                                                                 |
| OPENAM-16847 | AM email service failing with 'Start TLS' option                                                                                                                                     |
| OPENAM-16838 | AuthenticationApproachChecker does not handle session upgrade modules                                                                                                                |
| OPENAM-16823 | IDM Nodes does not send or propagate transactionId tracking when contacting IDM                                                                                                      |
| OPENAM-16802 | Upgrade from OpenAM 7.0 to 7.1.0 SNAPSHOT causes NPE                                                                                                                                 |
| OPENAM-16794 | Google KMS options missing after upgrade from 6.5                                                                                                                                    |
| OPENAM-16791 | AMAccessAuditEventBuilder#forRequest can generate an entry with \|-1 for the port                                                                                                    |
| OPENAM-16769 | Enabling Auto-federation when User Profile is Dynamic on SP causes SP to hang during SAML flow                                                                                       |
| OPENAM-16759 | Amster on windows AM does not restart properly after setup                                                                                                                           |
| OPENAM-16758 | Cannot install AM 7 on Windows                                                                                                                                                       |
| OPENAM-16745 | client\_id in access token ignores what's been registered when idm cache is disabled                                                                                                 |
| OPENAM-16703 | OAuth2 Access token obtained from refresh token is certificate-bound regardless of "Certificate-Bound Access Tokens" configuration (when client\_secret\_basic used for credentials) |
| OPENAM-16702 | Saving engine configuration in FBC mode makes that config non-readable                                                                                                               |
| OPENAM-16701 | The authorize endpoint with a service parameter will cause the parameter to appear as a PAP claim in the agent's ID token                                                            |
| OPENAM-16697 | Case mismatch for realm (when using legacy realm identifier format) on well-known endpoint results in issuer with incorrect path format                                              |
| OPENAM-16686 | Cannot create a User after upgrade from 6.5.2 to 7.0.1                                                                                                                               |
| OPENAM-16684 | OIDC Dynamic Registration client\_description cannot take String type                                                                                                                |
| OPENAM-16669 | IdentityGateway Agent entry missing attribute required to support org.forgerock.openam.agent.TokenRestrictionResolver#getAgentInfo                                                   |
| OPENAM-16650 | Authz Policy Subjects Policy.title is showing property name text                                                                                                                     |
| OPENAM-16641 | OAuth2 provider supported grant types attribute missing localization property on XUI                                                                                                 |
| OPENAM-16606 | Missing "org.forgerock.openam.saml2.authenticatorlookup.skewAllowance" property in server defaults                                                                                   |
| OPENAM-16594 | ssoadm help should be updated to reflect changes in AME-18650 / OPENAM-16155                                                                                                         |
| OPENAM-16583 | Crucial information is missing when encountering LDAP connections issue.                                                                                                             |
| OPENAM-16555 | (audit) logging does not tell which policy allowed or denied a resource request                                                                                                      |
| OPENAM-16551 | Scalar String in OAuth2 Access Token Modification Script result in Unable to Obtain Access Token                                                                                     |
| OPENAM-16545 | Upgrade to AM 7.0.0 can cause problems with properties being overridden for some web agents                                                                                          |
| OPENAM-16485 | 'Failed Login URL' is not picked up from the auth chain                                                                                                                              |
| OPENAM-16483 | XUI - Typo in SAML SP "Default Relay State Url" label                                                                                                                                |
| OPENAM-16368 | Settings of Mail and Scripting global service properties are overwritten at upgrade                                                                                                  |
| OPENAM-16367 | OIDC request\_uri response causes NPE while debug logging                                                                                                                            |
| OPENAM-16354 | Concurrency bug in OAuth2ProviderSettingsFactory                                                                                                                                     |
| OPENAM-16338 | Failing REQUISITE module after SUFFICIENT Device Match doesn't fail chain properly                                                                                                   |
| OPENAM-16157 | Session Property Whitelist Service allows case variant Property Names but DS is not case sensitive                                                                                   |
| OPENAM-16152 | After upgrade, new Identity page has duplicate 'new identity' field and email address does not save                                                                                  |
| OPENAM-16006 | Device Code Grant does not work with Implied Consent as Authorization is not approved even after consented                                                                           |
| OPENAM-15671 | LoginContext is missing debug logging for troubleshooting                                                                                                                            |
| OPENAM-15663 | UserInfoClaims is not part of public API                                                                                                                                             |
| OPENAM-14682 | Microsoft Social Auth fails when creating a Microsoft account (Legacy OAuth2)                                                                                                        |
| OPENAM-14527 | Microsoft Social Auth does not work with latest MS endpoints (Legacy OAuth2)                                                                                                         |
| OPENAM-11706 | Policies in a policy set are not visible in Internet Explorer IE                                                                                                                     |

## AM 7.0.0

|                                                                                                                                                               |                                                                                                                                          |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- |
| OPENAM-16433                                                                                                                                                  | Audit Logging change of behaviour when capturing "principals" and "userid" data for each authentication entry.                           |
| OPENAM-16425                                                                                                                                                  | AM does not handle malformed/incorrect signature correctly                                                                               |
| OPENAM-16402                                                                                                                                                  | The passwordpolicy.allowDiagnosticMessage should be applicable to admin and selfservice password change.                                 |
| OPENAM-16379                                                                                                                                                  | URL fragments like # cause forbidden login in the XUI                                                                                    |
| OPENAM-16284                                                                                                                                                  | XUI does not handle Special Chars / UTF-8 in realms properly.                                                                            |
| OPENAM-16279                                                                                                                                                  | AgentsRepo cannot recover when it fails especially on external Application store.                                                        |
| OPENAM-16251                                                                                                                                                  | OIDC authentication request with parameters 'prompt=none' and 'acr\_values=' triggers authentication                                     |
| OPENAM-16240                                                                                                                                                  | REST STS under subrealm cannot generate id\_token with realm claim                                                                       |
| OPENAM-16233                                                                                                                                                  | Policy evaluation fails when subject not found (even in ignore profile)                                                                  |
| OPENAM-16214                                                                                                                                                  | Push Authentication Module does not work on Session Upgrade when User Cache disabled                                                     |
| OPENAM-16184                                                                                                                                                  | Zero Page Login Collector does not work with UTF-8 base 64 encoded usernames and passwords                                               |
| OPENAM-16165                                                                                                                                                  | social authmodule causes NullPointerException                                                                                            |
| OPENAM-16164                                                                                                                                                  | social authmodule fails if OIDC provider uses algorithm RS256 to sign Id Token                                                           |
| OPENAM-16136                                                                                                                                                  | queryFilter only matches against first entry in array                                                                                    |
| OPENAM-16132                                                                                                                                                  | When TtlSupport is enabled, Stateless OAuth2 Refresh token and JWT whitelist fails on synchroniseExpiryDates                             |
| OPENAM-16032                                                                                                                                                  | Unable to delete devices with Recovery Code Collector Decision Node                                                                      |
| OPENAM-16031                                                                                                                                                  | Intermittent error message when concurrent obtain SSO Token ID with session quota constraints                                            |
| OPENAM-16014                                                                                                                                                  | An invalid user passed to any WebAuthn node throws NPE and breaks the Tree flow                                                          |
| OPENAM-16013                                                                                                                                                  | Mismatched kid from Json Web Key URI when Specified Encryption Algorithm                                                                 |
| OPENAM-16009                                                                                                                                                  | Windows Desktop SSO node full adoption and compliance with tree node specifications                                                      |
| OPENAM-15989                                                                                                                                                  | OAuth2 client\_id should be url-decoded when using basic auth                                                                            |
| OPENAM-15982                                                                                                                                                  | OIDC - JWT Request Parameter returns errors in query, not in the fragment when consent is denied                                         |
| OPENAM-15970                                                                                                                                                  | Access Token introspect Fails in subrealm after root realm modified                                                                      |
| OPENAM-15944                                                                                                                                                  | WS-Federation - RPSignin Request fails because config data is used unchecked                                                             |
| OPENAM-15905                                                                                                                                                  | Login failure with Post Authentication Plugin on timed out Authentication session throws NullPointerException                            |
| OPENAM-15900                                                                                                                                                  | Kerberos fails when used with IBM JDK                                                                                                    |
| OPENAM-15896                                                                                                                                                  | WS-Federation relying party initiated passive request - stuck at Account Realm selection                                                 |
| OPENAM-15881                                                                                                                                                  | Custom AM User (amUser.xml) field does not use default values from the schema                                                            |
| OPENAM-15858                                                                                                                                                  | Auth Tree fails before 'Max Authentication Time' is reached if authentication session state management scheme CTS is used                |
| OPENAM-15853                                                                                                                                                  | External UMA store fails on resource creation                                                                                            |
| OPENAM-15805                                                                                                                                                  | idtokeninfo endpoint gives invalid signature error when ID Token is expired                                                              |
| OPENAM-15785                                                                                                                                                  | OIDC spec violation - HTTP POST can not be used to send Authentication Request                                                           |
| OPENAM-15784                                                                                                                                                  | Form elements in policy environment condition tab are displayed twice                                                                    |
| OPENAM-15766                                                                                                                                                  | LoginState - account lockout is checkout although AM AccountLockout is disabled                                                          |
| OPENAM-15758                                                                                                                                                  | KeyStore Secret Store fails to start due to secretId having some characters.                                                             |
| OPENAM-15750                                                                                                                                                  | ERROR \| OAuth2Monitor \| Unable to increment "oauth2.grant" metric for unknown grant type BACK\_CHANNEL |
| OPENAM-15724                                                                                                                                                  | SAML2 entities do not set amlbcookie if there is only one server                                                                         |
| OPENAM-15713                                                                                                                                                  | AM SP drop the 80 characters RelayState silently for HTTP Redirect                                                                       |
| OPENAM-15698                                                                                                                                                  | IdP-initiated SSO fails with error 'Error processing AuthnRequest. IDP Session is NULL'                                                  |
| OPENAM-15697                                                                                                                                                  | Default ACR values from OAuth2 provider not taken into account                                                                           |
| OPENAM-15694                                                                                                                                                  | RestSTSServiceHttpRouteProvider causes memory leak by adding route for every access                                                      |
| OPENAM-15679                                                                                                                                                  | The option "com.sun.am.ldap.connnection.idle.seconds" has a misspelling                                                                  |
| OPENAM-15670                                                                                                                                                  | DeviceIdSave auth module initialization fails if username is null                                                                        |
| OPENAM-15667                                                                                                                                                  | AM debug log does not tell which auth-module was handled - needed for troubleshooting                                                    |
| OPENAM-15645                                                                                                                                                  | The \&refresh=true\|false parameter for \_action=validate is not working as expected                                                     |
| OPENAM-15632                                                                                                                                                  | OAuth2 Refresh token lifetime with -1 (never expires) cannot work with CTS TTL support                                                   |
| OPENAM-15628                                                                                                                                                  | Grant-Set Storage Scheme for CTS does not work with CIBA Flow                                                                            |
| OPENAM-15627                                                                                                                                                  | Switching CTS Storage Scheme to "Grant-set" fails with stateless refresh-tokens created with "One-To-One"                                |
| OPENAM-15579                                                                                                                                                  | AM cookies are not set after successful SP-initiated SSO flow if SP Adapter calls 'response.sendRedirect(String)'                        |
| OPENAM-15559                                                                                                                                                  | OATH module broken in Japanese locale                                                                                                    |
| OPENAM-15533                                                                                                                                                  | WS-Federation doesn't work with Authentication Trees                                                                                     |
| OPENAM-15530                                                                                                                                                  | OAuth2/OIDC - Resource Owner Password flow with a public client creates an AM session in CTS                                             |
| OPENAM-15520                                                                                                                                                  | XUI Localisation Falls Back To AM-Default "EN" Instead Of Language-Default                                                               |
| OPENAM-15508                                                                                                                                                  | moduleMessageEnabledInPasswordGrant does not apply to Trees                                                                              |
| OPENAM-15507                                                                                                                                                  | 500 error when calling /revoke or /refresh endpoint with wrong token                                                                     |
| OPENAM-15501                                                                                                                                                  | Xml encryption 1.1 namespaces aren't always mapped to prefixes correctly                                                                 |
| OPENAM-15494                                                                                                                                                  | AM expects nonce request parameter in authorize request when no id\_token will be returned                                               |
| OPENAM-15491                                                                                                                                                  | Self service password reset returns 500 Internal Server Error, when new password rejected by datastore password policies.                |
| OPENAM-15489                                                                                                                                                  | WebAuthN Auth Node Doesn't Respect UV=Discouraged During AuthN                                                                           |
| OPENAM-15465                                                                                                                                                  | Sending HTTP Callback from Inner Tree Evaluator Fails Authentication                                                                     |
| OPENAM-15459                                                                                                                                                  | When Encrypted Attributes on SP is set only with AutoFederation enabled, the attributes get decryption error                             |
| OPENAM-15425                                                                                                                                                  | OIDC endsession - encrypted id\_tokens are not supported                                                                                 |
| OPENAM-15374                                                                                                                                                  | OpenID Client authentication with private\_key\_jwt and client\_secret\_jwt does not enforce required jti claims                         |
| OPENAM-15355                                                                                                                                                  | PageNode with multiple InputNodes without value throws Unsupported InputOnlyPasswordCallback                                             |
| OPENAM-15349                                                                                                                                                  | Access Token request returns a 500 error                                                                                                 |
| OPENAM-15345                                                                                                                                                  | at\_hash value generated does not take the latest modified access token                                                                  |
| OPENAM-15323                                                                                                                                                  | ROPC with tree throws "Internal Server Error (500)" when user credentials are incorrect using AuthTree                                   |
| OPENAM-15307                                                                                                                                                  | Trees Example is not working as expected OOTB to ?service=Example                                                                        |
| OPENAM-15303                                                                                                                                                  | Claims with multiple values in issued\_token from REST STS represented inconsistently.                                                   |
| OPENAM-15244                                                                                                                                                  | AM configuration does not perform schema extension for identity store although it has the permissions                                    |
| OPENAM-15210                                                                                                                                                  | Authentication nodes that is assigned AuthType values may not work in Session Upgrade case with custom modules                           |
| OPENAM-15164                                                                                                                                                  | CDSSO with "ignore profile" throws "No OpenID Connect provider"                                                                          |
| OPENAM-15160                                                                                                                                                  | LDAP Decision Node throws NPE when custom ldap server returns LDAP code 50 on bind                                                       |
| OPENAM-15150                                                                                                                                                  | Upgrade fails when there is a bad Token Signing ECDSA public/private key pair alias field                                                |
| OPENAM-15147                                                                                                                                                  | HTTP 500 upon accessing openam/json/                                                                                                     |
| OPENAM-15145                                                                                                                                                  | OpenAM Scope Validator calls getUserInfo twice when creating IdToken                                                                     |
| OPENAM-15121                                                                                                                                                  | Persistent Cookie Auth Tree does not work after the second relogin ( with browser closed )                                               |
| OPENAM-15117                                                                                                                                                  | KeyVault KeyStoreType not supported                                                                                                      |
| OPENAM-15116                                                                                                                                                  | Auth ID jwt can be modified to determine whether a realm exists or not                                                                   |
| OPENAM-15105                                                                                                                                                  | Unable to get trusted devices using REST API                                                                                             |
| OPENAM-15101                                                                                                                                                  | Remove the ability to disable XUI                                                                                                        |
| OPENAM-15089                                                                                                                                                  | SAML SLO - Allow RelayState to be a path-relative URL                                                                                    |
| OPENAM-15076                                                                                                                                                  | webAuthn config does not allow for multiple origins under the same rpId                                                                  |
| OPENAM-15044                                                                                                                                                  | OpenID connect id\_token bearer Module Unable to obtain SSO Token due to OpenIDResolver Caching                                          |
| OPENAM-15036                                                                                                                                                  | Cannot view/manage SAML IdP entity in console, imported from schema compliant meta data file                                             |
| OPENAM-15028                                                                                                                                                  | Cannot load metadata in ssoadm without extended metadata                                                                                 |
| OPENAM-15012                                                                                                                                                  | OIDC - JWT Request Parameter returns errors in query, not in the fragment                                                                |
| OPENAM-14995                                                                                                                                                  | IdP Initiated single logout only performs local logout if IdP session cannot be found in cache                                           |
| OPENAM-14991                                                                                                                                                  | Changes to boot.json are overwritten                                                                                                     |
| OPENAM-14979                                                                                                                                                  | NPE in UtilProxySAMLAuthenticatorLookup if there is a failure to find cached oldSession in sessionUpgrade                                |
| OPENAM-14977                                                                                                                                                  | PKCE Code challenge method for Authorization Code if not set should use plain                                                            |
| OPENAM-14966                                                                                                                                                  | Performing access\_token with arbitrary text as trusted cert header causes server error                                                  |
| OPENAM-14919                                                                                                                                                  | Unncessary 'Unable to parse packet received from RADIUS client' log entries in log file                                                  |
| OPENAM-14901                                                                                                                                                  | XUI - SAML2 module doesn't redirect to IDP if it's 2nd in the chain                                                                      |
| OPENAM-14895                                                                                                                                                  | user identity creation fails with "Identity \|" of type user not found.                                                                  |
| OPENAM-14893                                                                                                                                                  | XUI displays multiple error messages when an authentication session times out                                                            |
| OPENAM-14889                                                                                                                                                  | Upgrade of Peristent Cookie auth module fails                                                                                            |
| OPENAM-14883                                                                                                                                                  | OAuth2/OIDC - Issuing client secret to Public clients during registration                                                                |
| OPENAM-14881                                                                                                                                                  | AM Proxied authorization feature on DataStore does not work with locked or expired DJ accounts for password change (gives errorcode=123) |
| OPENAM-14867                                                                                                                                                  | AuthType is not set for Authentication Tree (AnyKnownUserAuthzModule fails in AuthTree)                                                  |
| OPENAM-14859                                                                                                                                                  | ROPC throws "Internal Server Error (500)" when 'Password Grant authentication service' is empty                                          |
| OPENAM-14858                                                                                                                                                  | When NameIDPolicy does not contain `Format=..`, remoteEntityID is passed as null                                                         |
| OPENAM-14848                                                                                                                                                  | Insufficient debug logging in OpenID Connect authentication module                                                                       |
| OPENAM-14845                                                                                                                                                  | user info endpoint does not correctly handle Certificate Bound Access Tokens                                                             |
| OPENAM-14829                                                                                                                                                  | AuthSchemeCondition doesn't return realm aware policy condition advice                                                                   |
| OPENAM-14825                                                                                                                                                  | OAuth2 Dynamic Registration with Software Statement triggers objectClass=\| search                                                       |
| OPENAM-14804                                                                                                                                                  | Memory leak when running UMA RPT soak test                                                                                               |
| OPENAM-14799                                                                                                                                                  | Unable to update Agent profile using REST                                                                                                |
| OPENAM-14794                                                                                                                                                  | User privileges are removed from group if another group is given same privilege                                                          |
| OPENAM-14786                                                                                                                                                  | idpSingleLogoutPOST throws error 500 IllegalStateException on SLO                                                                        |
| OPENAM-14783                                                                                                                                                  | PKCS11 KeyStore does not work on IBM JVM                                                                                                 |
| OPENAM-14782                                                                                                                                                  | AuthTree created Session does not use per User Session Service settings                                                                  |
| OPENAM-14766                                                                                                                                                  | introspect and tokeninfo endpoints return Internal Server Error 500 in some invalid tokens                                               |
| OPENAM-14717                                                                                                                                                  | mailto attribute have space between '\|' and mail address                                                                                |
| OPENAM-14694                                                                                                                                                  | Consent page still shows claim values even when supported claim description is omitted                                                   |
| OPENAM-14651                                                                                                                                                  | OAuth2 GrantSet E-Tag Assertion Failures due to Stale Reads                                                                              |
| OPENAM-14581                                                                                                                                                  | handling ManageNameID fails if NameID does not include SPNameQualifier                                                                   |
| OPENAM-14578                                                                                                                                                  | WDSSO failing but no fallback…​                                                                                                          |
| OPENAM-14573                                                                                                                                                  | amlbcookie is not secure when authenticating with trees                                                                                  |
| OPENAM-14572                                                                                                                                                  | prompt=login destroys and creates new session                                                                                            |
| OPENAM-14570                                                                                                                                                  | OAuth mTLS DN comparison fails when DER-encoding is different                                                                            |
| OPENAM-14548                                                                                                                                                  | consent page still shows what's been granted/removed as a result of OAuth2 scope policy evaluation                                       |
| OPENAM-14546                                                                                                                                                  | SSOADM access not audited to the ssoadm.access logs anymore                                                                              |
| OPENAM-14539                                                                                                                                                  | SAML SLO with multi protocols                                                                                                            |
| OPENAM-14529                                                                                                                                                  | UMA RPT expiry time incorrect in CTS                                                                                                     |
| OPENAM-14523                                                                                                                                                  | NullPointerException in IdP-initiated ManageNameIDRequest using SOAP Binding                                                             |
| OPENAM-14503                                                                                                                                                  | SAML2 - Key Transport Algorithm - RSA OAEP must be supported                                                                             |
| OPENAM-14483                                                                                                                                                  | If there is no token, then landing on the AM login page will result in 2 getSessionInfo Requests = 401 UnAuthZ                           |
| OPENAM-14480                                                                                                                                                  | AuthLoginException is lost                                                                                                               |
| OPENAM-14471                                                                                                                                                  | Failed to create root realm for data store (External Policy \| Application) |
| OPENAM-14465                                                                                                                                                  | SAML2 Artifact binding fails on multi-instance / multiserver IDP setup with SAML2 Failover on |
| OPENAM-14464                                                                                                                                                  | XUI sends the following message "Loading custom partial "${partialPath}" failed. Falling back to default." to the browser console when a custom theme is used |
| OPENAM-14450                                                                                                                                                  | userinfo typo in Claims.java |
| OPENAM-14426                                                                                                                                                  | Unable to add external data store in AM (Policy \| Application) when using TLS/SSL |
| OPENAM-14419                                                                                                                                                  | Policy evaluation returns search results for all policies that match outside of specified application |
| OPENAM-14393                                                                                                                                                  | CTS Operation Fails Entry Already Exists logged for SAML2 Authentication is done |
| OPENAM-14391                                                                                                                                                  | Self Service Link not Display when Using Authentication Tree |
| OPENAM-14378                                                                                                                                                  | 'Set Persistent Cookie' node sets domain cookies in only one domain despite multiple Cookie Domains set |
| OPENAM-14369                                                                                                                                                  | Upgrading from OpenAM 13.5.0 with custom PAPs causes NPE failure |
| OPENAM-14362                                                                                                                                                  | UMA load test fails with Invalid resource type error |
| OPENAM-14353                                                                                                                                                  | Error Message not Displayed when Change Password does not Meet Password Policy |
| OPENAM-14337                                                                                                                                                  | Fail gracefully when request OIDC token using "Pairwise" Subject Type and no Redirection URI is configured in client |
| OPENAM-14313                                                                                                                                                  | Audit Logging - STS transformations create duplicate entries |
| OPENAM-14310                                                                                                                                                  | CheckSession page indicates the session is not valid |
| OPENAM-14294                                                                                                                                                  | am-external Git repository 6.5 have bad source |
| OPENAM-14281                                                                                                                                                  | |
| IdP Proxy relays wrong AuthnContextClassRef                                                                                                                   | OPENAM-14239                                                                                                                             |
| FMSigProvider.verify NPE with null input for certificates                                                                                                     | OPENAM-14233                                                                                                                             |
| updated\_at claim in the ID Token is returned as a string and not a number                                                                                    | OPENAM-14232                                                                                                                             |
| Performance issue when creating resource\_set in UMA with many existing resource\_set                                                                         | OPENAM-14229                                                                                                                             |
| custom AuthorizeTemplate under theme not used                                                                                                                 | OPENAM-14213                                                                                                                             |
| Cannot view SAML SP entity imported with missing AuthnRequestsSigned attribute                                                                                | OPENAM-14212                                                                                                                             |
| SAML redirect to login page fails if AM installed into the root context                                                                                       | OPENAM-14200                                                                                                                             |
| Social auth modules do not work when AM is installed into the root context                                                                                    | OPENAM-14189                                                                                                                             |
| effectiveRange of Time environment has issue                                                                                                                  | OPENAM-14175                                                                                                                             |
| CTS updates on multivalue attributes may throws Duplicate values exception                                                                                    | OPENAM-14174                                                                                                                             |
| AM shows Ldapter.delete exception when session expires is triggered                                                                                           | OPENAM-14167                                                                                                                             |
| HTML tags are shown part of the messages in Change Password section of AD Authentication module.                                                              | OPENAM-14147                                                                                                                             |
| arg=newsession in XUI just shows the "Loading…​" page                                                                                                         | OPENAM-14115                                                                                                                             |
| Sample Auth module does not work in a chain when used with Shared-state                                                                                       | OPENAM-14112                                                                                                                             |
| Using client-based sessions when acting as SP can lead to an out-of-date client-based session cookie                                                          | OPENAM-14111                                                                                                                             |
| Refresh Token flow not enabled on OAuth2 Client can still use Refresh Token flow                                                                              | OPENAM-14062                                                                                                                             |
| Redirect to Failure URL does not occur when authentication tree is not interactive                                                                            | OPENAM-14054                                                                                                                             |
| XUI Custom templates and Partials not applied consistently                                                                                                    | OPENAM-14053                                                                                                                             |
| Cannot build AM UI in Windows for Yarn using mvn                                                                                                              | OPENAM-14040                                                                                                                             |
| LdifUtils debug logging prints out wrong classname                                                                                                            | OPENAM-14018                                                                                                                             |
| Radius Authentication Module Primary and Secondary Radius Server help button shows server:port when it should be server                                       | OPENAM-13999                                                                                                                             |
| Custom node containing ConfirmationCallbacks fails when dropped in a page node.                                                                               | OPENAM-13991                                                                                                                             |
| 'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm                                                                      | OPENAM-13978                                                                                                                             |
| Session Upgrade - AuthLevel format changes                                                                                                                    | OPENAM-13942                                                                                                                             |
| SAML2 Circle of Trust - REST Update doesn't update the metadata of the provider                                                                               | OPENAM-13934                                                                                                                             |
| saml2error.jsp fails with exception when malformed SAML2 response given                                                                                       | OPENAM-13900                                                                                                                             |
| OAuth2 Device flow - duplicate user\_code error after authenticating user                                                                                     | OPENAM-13892                                                                                                                             |
| Erroneous "Response's InResponseTo attribute is not valid error "SAML2 failover is enabled" when it is not                                                    | OPENAM-13890                                                                                                                             |
| Install.log logs AMLDAPUSERPASSWD for unprivileged demo user in plaintext                                                                                     | OPENAM-13851                                                                                                                             |
| Rest STS cannot be created in the Console when upgrading to 6                                                                                                 | OPENAM-13831                                                                                                                             |
| RP-Initiated Logout does not handle state parameter                                                                                                           | OPENAM-13779                                                                                                                             |
| Session API - \_action=refresh requires an admin token                                                                                                        | OPENAM-13764                                                                                                                             |
| Monitoring logs in ERROR for "Agent.configAgentsOnly                                                                                                          | agent type = OAuth2Client"                                                                                                               |
| OPENAM-13720                                                                                                                                                  | Public API method LDAPUtils.convertToLDAPURLs can not handle IPv6 literals                                                               |
| OPENAM-13490                                                                                                                                                  | Software Publisher Agent - Secret is not saved when creating an Agent                                                                    |
| OPENAM-13465                                                                                                                                                  | Dynamic client registration sets wrong subjectType                                                                                       |
| OPENAM-13446                                                                                                                                                  | Social Auth Service doesn't redirect if already using another chain                                                                      |
| OPENAM-13419                                                                                                                                                  | LDAPPolicyFilterCondition doesn't set request timeout                                                                                    |
| OPENAM-13324                                                                                                                                                  | /users/{user}/devices/trusted REST queryFilter expression does not work and acts as "true"                                               |
| OPENAM-13064                                                                                                                                                  | OAuth2 - SAML v.2.0 Bearer Assertion Grant - SubjectConfirmationData element should be optional                                          |
| OPENAM-13000                                                                                                                                                  | Custom authentication module with a single ChoiceCallback value is processed without confirmation                                        |
| OPENAM-12955                                                                                                                                                  | Resource Owner Password Credentials Grant does not work with trees                                                                       |
| OPENAM-12759                                                                                                                                                  | max\_age should a number, not a string                                                                                                   |
| OPENAM-12574                                                                                                                                                  | SAML2Utils.sendRequestToOrigServer throws NullPointerException on processing Cookies                                                     |
| OPENAM-12498                                                                                                                                                  | Authorization Grant response returns scope(s) in the URL                                                                                 |
| OPENAM-12228                                                                                                                                                  | WebAgent REST API queryFilter expression does not work and acts all "true"                                                               |
| OPENAM-12186                                                                                                                                                  | Introspect endpoint for RPT does not check the authorization scheme                                                                      |
| OPENAM-11921                                                                                                                                                  | Incorrect NameId Format offered for SAML2 auth module in console                                                                         |
| OPENAM-11863                                                                                                                                                  | CORSFilter position in web.xml should come before most filters                                                                           |
| OPENAM-11778                                                                                                                                                  | Getting accessToken using authorization\_code result in Unhandled exception                                                              |
| OPENAM-11338                                                                                                                                                  | OpenID Connect id\_token bearer auth module mixes up aud, azp during verification                                                        |
| OPENAM-10869                                                                                                                                                  | SAML2 Authentication module return "Unable to link local user to remote user" ambiguous.                                                 |
| OPENAM-10843                                                                                                                                                  | When generating an OIDC token through STS a "kid" value is not specified                                                                 |
| OPENAM-10127                                                                                                                                                  | SessionMonitoringStore should only be instantiated when monitoring is enabled                                                            |
| OPENAM-9931                                                                                                                                                   | Global Session Service - two fields with the exact same name (Redundant 'Global Attributes' setting should be removed)                   |
| OPENAM-9777                                                                                                                                                   | Json Web Key URI in OAuth2 OpenID connect client config pre-populated incorrectly                                                        |
| OPENAM-9459                                                                                                                                                   | 500 Internal Server Error from changePassword endpoint with AD repo                                                                      |
| OPENAM-5867                                                                                                                                                   | Data Store LDAP server (admin-ordered) list is reordered by OpenAM                                                                       |
