PingAM release notes

Known issues

The following important issues remained open at the time of the latest release for each version.

Releases are cumulative, so if an issue in a previous version isn’t listed as fixed, it remains open in the latest version.

AM 8.0.x

AM 8.0.1

There are no new issues identified in AM 8.0.1.

AM 8.0

AME-31109

Amster 8.0 import fails with NoSuchMethodError

OPENAM-23851

The AM-8.0.0.zip (and AM-8.0.1.zip) Distribution Kits are missing several files required to build the sample base Docker image (am-empty). As a result, the steps to build your own AM Docker images will fail. NOTE: This issue only affects self-managed Docker environments where you’re attempting to build your own AM image.

OPENAM-23770

WebAuthn node flow causes exception instead of Client Error outcome when passkey prompt cancelled

OPENAM-23763

Next button not enabled on Configuration Data Store Settings page of install wizard

OPENAM-23717

Access token requests fail when default tree uses Set Persistent Cookie node

OPENAM-23595

A redirect_uri using a URN results in a malformed redirect location

OPENAM-23582

WebAuthn’s pubKeyCredParams sequence isn’t honored and changes on AM restart

OPENAM-23322

Formatting errors in SAML metadata certificate export

OPENAM-23155

Agent group inheritance settings are lost during Amster export/import

OPENAM-17819

AM admin UI doesn’t show leading . for cookie domains

OPENAM-17818

Domain cookie with leading . is configured although no cookie domain is specified during install

AM 7.5.x

AM 7.5.2

OPENAM-23998

RhinoJS Date() doesn’t calculate DaylightSavingTime correctly in a next-generation script

OPENAM-23481

Token is allowed in raw JSON in introspect request

OPENAM-23227

OIDC ID Token Validator node doesn’t work with proxy settings

OPENAM-23035

AM should preserve setAttribute multivalue update order

OPENAM-22967

Config upgrader uses OS file encoding causing issues with special characters

OPENAM-22952

SMSEntry class should throw exception to avoid NullPointerException

OPENAM-22812

Create Object node logs failure at debug level instead of error/warning

OPENAM-22777

Deploying AM 7.5.0 on Wildfly 26.x with JDK 17 fails

OPENAM-22770

Configuring AES Key Wrap encryption for Tomcat doesn’t work

OPENAM-22700

OAuth 2.0 introspect: Multi-audience token only checks against first value

OPENAM-22670

DJLDAPv3Repo getDN may return broken cached DN

OPENAM-22663

WS-Federation SLO calls cleanup directive if issued

OPENAM-22530

OAUTH_REQUEST_ATTRIBUTES cookie is set for HTTP GET /authorize requests

OPENAM-22505

Scripted policy condition fails with "Exception from invocation expected to be handled by promise"

OPENAM-22386

Next-generation idRepository binding doesn’t return null if identity isn’t found

OPENAM-22031

LDAP Decision node no longer displays locked account message but redirects to failed login

OPENAM-19968

IdP-initiated SAML SLO doesn’t invalidate SP-side session using integrated mode

AM 7.5.1

OPENAM-23045

Performance degradation and WS-Federation issues with Java 17

OPENAM-23022

Transaction condition for policy evaluation fails with JWT subject

OPENAM-22927

WebAuthn Registration node should be able to use user.name as display attribute

OPENAM-22616

Upgrade from AM 6.5.5 to 7.5 using external CTS fails with error "Message:Service does not exist: GoogleSecretManagerSecretStoreProvider"

OPENAM-22457

Amster doesn’t delete all default scripts when using --clean true flag

OPENAM-22406

Product ZIP file contains files prefixed with openam

OPENAM-19453

CTS authentication sessions may cause tree to fail if AM server is not configured for sticky load balancing

OPENAM-14790

OAuth 2.0 scope policy set fails with LDAP filter environment condition

AM 7.5

OPENAM-22151

Expiration of cache held in StatelessJWTCache could cause Internal Server Error

OPENAM-22067

Stateless Session denylist caching and bloomfilter layers removed on config change

OPENAM-22031

LDAP Decision node change of behavior when user is locked from password change screen

OPENAM-21820

Set policy result TTL to 0 when using Environment Policy Active Session

OPENAM-21819

Default value for LinkedIn configuration uses out of date scopes

OPENAM-21683

AM lets you create anonymous user when it already exists

OPENAM-15948

Update DS profiles to add VLV indexes for CTS use

AM 7.4.x

AM 7.4.2

OPENAM-23273

Failure URL not handled using Safari Browser

OPENAM-23182

Failure URL not handled after Authentication Session times out using SAML2 Authentication node

OPENAM-22158

User creation attributes on LDAP Decision node don’t work

AM 7.4.1

OPENAM-22795

SAML2 encryption method can’t be changed using IDP remote SP host settings

OPENAM-22674

Unable to create encrypted PEM that works for Secrets ENCRYPTED_PEM

OPENAM-22656

Setting JWKs URI content cache timeout to a small value throws an error

OPENAM-22608

Non-extractable secrets in HSM fail to work on AM for SAML v2.0 XML signing

OPENAM-22479

LDAPv3 Userstore Connection doesn’t reconnect without Heartbeat enabled

OPENAM-22151

Expiration of cache held in StatelessJWTCache could cause Internal Server Error

OPENAM-22102

Adjusting evalThreadSize has no effect

OPENAM-22009

Providing an invalid alias to a secret store mapping breaks AM

OPENAM-21959

Unable to create next-generation script in XUI if default script language is Groovy

OPENAM-21893

Configurator not releasing resources on failure

OPENAM-21823

Page node with Scripted Decision node doesn’t persist withErrorMessage value

OPENAM-21741

SSOADM fails to install or run due to mtlsAlias field in boot.json

OPENAM-21636

AM is unable to run in FIPS compliance mode due to RAW keys

OPENAM-19810

"No installed provider supports this key: sun.security.pkcs11.P11Key$P11PrivateKey" or cannot work with unextractable key when using HSM

OPENAM-16797

Allow Custom OATH/Push/WebAuthn device integrations to be managed by standard AM interface

OPENAM-12197

Custom methods postSingleSignOnSuccess and postSingleSignOnFailure aren’t called by SAML Authentication module or node

OPENAM-4201

XUI returning messages based on localized responses from REST authentication interface

AM 7.4

OPENAM-21569

Rapid policy evaluation using token of deleted user leads to HTTP 500 error

OPENAM-21497

Editing the mappings for an existing secret store throws an exception

OPENAM-21441

Policy evaluation with LDAPFilter condition uses config store user instead of identity store user

OPENAM-21379

Unable to read SMS config when request is too quick after changing configuration

OPENAM-21363

Unable to modify an external data store configuration when set as a global default data store but not referenced in a realm

OPENAM-21311

XUI performs logout of newly created session when resuming authentication with no further callbacks

OPENAM-21294

Remove openam-core from Soap STS server

OPENAM-21284

AM returns a 500 Internal Server Error response when providing an invalid client_id to the deleteUserPasswords agent action

OPENAM-21178

Social authentication "Secret" field not mandatory

OPENAM-20927

User info is still cached after removing privilege from group

OPENAM-15948

Update DS profiles to add VLV indexes for CTS use

AM 7.3.x

AM 7.3.3

OPENAM-23778

AM issues unindexed search when ttlsupport.enabled=true

OPENAM-23703

Custom and native claims in a refreshed, stateless access token don’t match the parent modified stateless access token

OPENAM-23607

AuthenticateToTreeConditionAdvice composite_advice not working as expected

AM 7.3.2

OPENAM-23345

Performance issues when accessing SAML entity provider via the admin console with 5k entities

OPENAM-23022

Transaction condition for policy evaluation fails with JWT subject

OPENAM-22988

Failover doesn’t occur when heartbeat interval is set to 0

OPENAM-22927

WebAuthnRegister should be able to use user.name as display attribute

OPENAM-22846

External app/policy store active/passive LB isn’t working

OPENAM-22674

Unable to create encrypted PEM that works for ENCRYPTED_PEM secret

OPENAM-22608

Non-extractable secrets in HSM fail to work on AM for SAML2 XML signing

OPENAM-22479

LDAPv3 Userstore connection doesn’t reconnect without Heartbeat enabled

OPENAM-22188

Heavy load leads to BLOCKED threads traced to the SecurityManager

OPENAM-22156

logoutByUser throws UnsupportedOperationException

OPENAM-22151

Expiration of cache held in StatelessJWTCache could cause Internal Server Error

OPENAM-21636

AM is unable to run in FIPS compliance mode due to RAW keys

OPENAM-21100

SAML2 IDP Single logout SLO using HTTP redirect needs Request stickiness and HA

OPENAM-20927

User info is still cached after removing privilege from group

OPENAM-20754

SAML pages saml2-write.js and saml2-read.js can cause an error

OPENAM-20234

Setting LDAP Connection Heartbeat Interval to be zero breaks persistent search

OPENAM-20143

False alarms in debug logs when adding pointers in Field whitelist filters

OPENAM-19810

Error: "No installed provider supports this key: sun.security.pkcs11.P11Key$P11PrivateKey"

OPENAM-19453

Using CTS Authentication Session may fail authentication journey if AM is not LB sticky

OPENAM-18307

Global services don’t reflect changes made by ssoadm

OPENAM-18293

AuthContext.login doesn’t work with trees when performing service-based authentication

OPENAM-18111

Second login attempt using InnerTreeEvaluatorNode gets previous transient state

OPENAM-17679

User text not showing up for IDM Provisioning Service

OPENAM-17340

Lack of integration for logger with logback configuration

OPENAM-12197

postSingleSignOnSuccess and postSingleSignOnFailure not called when using SAML2 authentication module or node

OPENAM-4201

XUI returns messages based on localized responses from REST authentication interface

AM 7.3.1

OPENAM-21972

SAML Artifact Binding is failing in load-balanced deployments such as K8s

OPENAM-21820

Set policy result TTL to 0 when using Environment Policy Active Session

OPENAM-21802

Email Service value Transport type is overwritten in the static config export

OPENAM-21773

The Secondary Configurations tab is missing from the Global Email service

OPENAM-21772

No OAuth 2.0 clients displayed in the UI when AM has more than 1000 clients

OPENAM-21743

WebAuthn Node with AM XUI: Error is rendered along with Recovery code button

OPENAM-21734

WebAuthn Registration Node: UserNotVerifiedException not caught leading to Node failure

OPENAM-21683

AM lets you create anonymous user when it already exists

OPENAM-21682

OAuth 2.0: AM doesn’t redirect back to the client if consent is denied and no redirect_uri is present in the query parameters

OPENAM-21535

The logout at AM’s GUI only targets the root realm instead of the respective sub realm

OPENAM-21466

AM using social OIDC authentication fails to verify idtoken if the remote JWK_URIs have duplicate kid

OPENAM-21441

Policy evaluation with LDAPFilter condition uses config store user instead of identity store user

OPENAM-21407

External data store config min connection pool can be set higher than the max connection pool and the config can still be persisted

OPENAM-21406

Realm services are no longer accessible after deleting the “External Data Stores” service

OPENAM-21379

Unable to read SMS config when request is too quick after changing configuration

OPENAM-21363

Unable to modify an external data store config when it is set as a global default datastore but not referenced in any realm

OPENAM-21354

OAuth2 provider: Insufficient debug logging for SAML bearer authorization grant

OPENAM-21352

Amster read AuthTree doesn’t return nodes within a page node

OPENAM-21327

Unable to specify property name with a '-' when configuring policy environment conditions

OPENAM-21322

AM Console allows Entity Provider to be created with space at end of the name

OPENAM-21319

Policy and Application Store Cache is not updated in multiple server deployment when changes are made

OPENAM-21309

DefaultDataStoreConfigurationManager shouldn’t establish DS connection in FBC mode

OPENAM-21305

Dynamic Client Registration does not permit setting Client ID Token Public Encryption key

OPENAM-21294

Remove openam-core from Soap-STS server

OPENAM-21278

Amster doesn’t use console or accept piped input in interactive mode

OPENAM-21273

TOTP Registration information no longer contains Issuer in the otpauth’s PATH

OPENAM-21270

OAuth2 resource owner password credential grant (ROPC) token response does not tell reason for failure

OPENAM-21204

Scripted node - idRepository.setAttribute does not execute catch block when setting userPassword attribute fails

OPENAM-21193

AM-Config-upgrader amupgrade cannot work on Windows

OPENAM-21191

In AM 7.3, web agent sessions have a lifetime of 42 years

OPENAM-21187

AM agent UI fails when an agent configuration present in FBC and external store is used

OPENAM-21180

Amster should set file encoding to UTF-8 internally

OPENAM-21151

Amster command cannot operate on HostedSaml2EntityProvider

OPENAM-21137

Performing Amster import with --clean in FBC with external Data Store service fails with error

OPENAM-21127

Config Upgrader Exception CreateSecretStores at 6.5.x-to-7.x.x on Windows 2019

OPENAM-21125

Installing AM using Tomcat under local system account fails with Amster RSA file issue

OPENAM-21114

Trusted JWT Issuer does not provide correct error and lacks information on defined behaviour

OPENAM-21085

Undefined bindings in Groovy scripts are evaluated as defined

OPENAM-21076

KerberosNode and Windows SSO module use System.setProperty to set Kerberos realm

OPENAM-21055

Unable to get AMIdentityRepository in custom code in 7.3

OPENAM-21053

UserId is missing from access.audit.json for JWT client authentication flow using org.forgerock.security.oauth2.enforce.sub.claim.uniqueness=false

OPENAM-21046

Insufficient logging in Create and Patch Object nodes

OPENAM-21003

IE11 not working during SAML tree authentication due to use of Arrow function

OPENAM-20976

Consent Collector node "Next" button text localization not working

OPENAM-20975

OATH Registration node "Next" button text localization not working

OPENAM-20937

Migration from OATH module to Auth Tree using OATH Token Verifier causes OathVerificationException: null

OPENAM-20920

NPE in SPSSOFederate#getSingleSignOnServiceEndpoint when binding is null and SSO endpoint list contains non-SAML2 entries

OPENAM-20899

ConfigurationAttributes class is exposed but there is no class file or Javadoc available for it

OPENAM-20896

Supported AMIdentity API getMembership and others changed

OPENAM-20809

IE11 doesn’t work with AM 7.2.1-RC1 and AM 7.3.0

OPENAM-20766

Insufficient debug logging to troubleshoot WS-Federation issuing party issue

OPENAM-19998

Performing an Amster export on AM running in FBC mode generates new configuration which breaks the FBC upgrader

OPENAM-20751

Authentication errors with AM on Windows and Connect Error in Session log

OPENAM-20703

Tree secure state retained unnecessarily long

OPENAM-20647

JavaScript throws wrong exception when trying to access a non-allowlisted class’s static method

OPENAM-20572

Enduser password reset email field is not validated

OPENAM-20557

OATH. Recovery codes are not displayed if Registration Node is followed by OATH Token Verifier Node

OPENAM-20556

OATH Recovery codes aren’t displayed when “Store device data in shared state” is selected in OATH Registration Node

OPENAM-20543

Display page node header, description and footer in correct default language

OPENAM-20520

httpClient sent request is not returning the correct response object

OPENAM-20517

Device Match Node - Acceptable Variance Configuration

OPENAM-20516

Create Tree command fails when using POST with _action=create

OPENAM-20515

Delete fails for Authentication Node, when its _id is not a UUID

OPENAM-20513

Random login failure when using registration tree

OPENAM-20496

Null refresh_token for OAuth 2.0 token exchange delegation case

OPENAM-20329

ForgeRock JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) not spec compliant

OPENAM-20324

Default install of AM does not have the updated identity classes in the policy script whitelist

OPENAM-20234

Setting the LDAP Connection Heartbeat Interval to zero breaks persistent search

OPENAM-20314

Social Provider Handler Node / Social Identity Provider Service - the search for existing link is hard coded to Sub claim (regression)

OPENAM-18111

Next attempt in InnerTreeEvaluatorNode will get previous transient state

OPENAM-17679

User text not showing up for IDM Provisioning Service

OPENAM-17340

AM 7 lack of integration for logger from config for logback

OPENAM-15948

Update DS profiles to add VLV indexes for CTS use

OPENAM-15410

Enable modifying Access Token audience claim in OIDC

AM 7.3

OPENAM-20751

Authentication errors with AM on Windows and connection errors in session log

OPENAM-20703

Tree secure state retained unnecessarily long

OPENAM-20647

Incorrect exception thrown when trying to access the static method of a non-allowlisted class

OPENAM-20572

End user password reset email field is not validated

OPENAM-20557

OATH recovery codes are not displayed if Registration node is followed by OATH Token Verifier node

OPENAM-20556

OATH recovery codes are not displayed if Store device data in shared state is selected in OATH Registration node

OPENAM-20543

Display page node header, description, and footer, in correct default language

OPENAM-20520

HttpClient sent request is not returning the correct response object

OPENAM-20517

Acceptable variance configuration not working for Device Match node

OPENAM-20516

Create tree command fails when using POST with _action=create

OPENAM-20515

Delete fails for Authentication node, when its _id is not a UUID

OPENAM-20513

Random login failure when using registration tree

OPENAM-20496

Null refresh_token for OAuth 2.0 token exchange delegation case

OPENAM-20324

Default install of AM does not have the updated identity classes in the policy script whitelist

OPENAM-20299

com.iplanet.am.session.agentSessionIdleTime is not honored using Agent authentication tree

OPENAM-20188

Using session cookie created before AM is restarted

OPENAM-20077

Access token modification script does not have access to client for client_credential grant flow if realm configured to ignore profile

OPENAM-19988

Using an id_token generated by AM in a policy condition does not work

OPENAM-19878

ArrayIndexOutOfBoundsException in SAML2

OPENAM-19829

Build fails on module openam-encryption-support when using JDK 18