--- title: Known issues description: The following important issues remained open at the time of the latest release for each version. component: pingam version: release-notes page_id: pingam::known-issues canonical_url: https://docs.pingidentity.com/pingam/release-notes/known-issues.html section_ids: am_8_1_x: AM 8.1.x am_8_1_0: AM 8.1.0 am_8_0_x: AM 8.0.x am_8_0_2: AM 8.0.2 am_8_0_1: AM 8.0.1 am_8_0_0: AM 8.0.0 am_7_5_x: AM 7.5.x am_7_5_2: AM 7.5.2 am_7_5_1: AM 7.5.1 am_7_5_0: AM 7.5.0 am_7_4_x: AM 7.4.x am_7_4_2: AM 7.4.2 am_7_4_1: AM 7.4.1 am_7_4_0: AM 7.4.0 --- # Known issues The following important issues remained open at the time of the latest release for each version. Releases are cumulative, so if an issue in a previous version isn't listed as [fixed](fixes.html), it remains open in the latest version. ## AM 8.1.x ### AM 8.1.0 | | | | ------------ | ------------------------------------------------------------------------------------------------------------------------------- | | AME-33815 | Persistent Cookie tree generates a new cookie with different setup on success | | AME-31157 | OAuth 2.0 `/access_token` endpoint respects `response_mode` for error responses | | OPENAM-23778 | AM issues unindexed search when `ttlsupport.enabled=true` | | OPENAM-23703 | Custom and native claims in a refreshed, stateless access token don't match the parent modified stateless access token | | OPENAM-23680 | Server default settings may not be correctly updated on upgrade | | OPENAM-23607 | Composite advice `AuthenticateToTreeConditionAdvice` not behaving as expected | | OPENAM-21682 | OAuth 2.0: AM doesn't redirect back to the client if consent is denied and no `redirect_uri` is present in the query parameters | ## AM 8.0.x ### AM 8.0.2 | | | | ------------ | ------------------------------------------------------------------------------------------ | | OPENAM-25535 | FBC to FBC upgrade requires manual copy of `noninteractive-install.properties` file | | OPENAM-25326 | Successful login with unknown user causes error when account lockout enabled | | OPENAM-24327 | Server name not set as cookie domain when cookie domain global setting is empty | | OPENAM-23940 | Safari displays Server Error page using authentication tree with SAML2 Authentication node | | OPENAM-23680 | Upgrades may overwrite changes to server default properties | | OPENAM-23573 | Amster exports only specific UMA server settings, not the server defaults | | OPENAM-23565 | Global services requests fail after Amster import | | OPENAM-21100 | SAML 2.0 IDP SLO using HTTP redirect not working as expected on AM cluster | | OPENAM-20226 | The Agent Admin privilege doesn't allow creating/updating/reading of Agent profiles | ### AM 8.0.1 There are no new issues identified in AM 8.0.1. ### AM 8.0.0 | | | | ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | AME-31109 | Amster 8.0 import fails with `NoSuchMethodError` | | OPENAM-25462 | In Node Designer, the `defaultValue` property doesn't work for custom nodes when using AM 8.0.0 or 8.0.1 with Java 21 | | OPENAM-23960 | Unable to build AM 8.0 or 8.0.1 due to `click-nodeps:2.3.0-forgerock-jakarta-2` dependency on `commons-fileupload` SNAPSHOT version | | OPENAM-23851 | The `AM-8.0.0.zip` (and `AM-8.0.1.zip`) Distribution Kits are missing several files required to build the sample base Docker image (`am-empty`). As a result, the [steps to build your own AM Docker images](https://docs.pingidentity.com/forgeops/2025.2/reference/base-docker-images.html#base-images) will fail.+ NOTE: This issue only affects self-managed Docker environments where you're attempting to build your own AM image. | | OPENAM-23770 | WebAuthn node flow causes exception instead of `Client Error` outcome when passkey prompt cancelled | | OPENAM-23763 | Next button not enabled on Configuration Data Store Settings page of install wizard | | OPENAM-23717 | Access token requests fail when default tree uses Set Persistent Cookie node | | OPENAM-23595 | A `redirect_uri` using a URN results in a malformed redirect location | | OPENAM-23582 | WebAuthn's `pubKeyCredParams` sequence isn't honored and changes on AM restart | | OPENAM-23322 | Formatting errors in SAML metadata certificate export | | OPENAM-23155 | Agent group inheritance settings are lost during Amster export/import | | OPENAM-17819 | AM admin UI doesn't show leading `.` for cookie domains | | OPENAM-17818 | Domain cookie with leading `.` is configured although no cookie domain is specified during install | ## AM 7.5.x ### AM 7.5.2 | | | | ------------ | -------------------------------------------------------------------------------------------------- | | OPENAM-23998 | RhinoJS Date() doesn't calculate DaylightSavingTime correctly in a next-generation script | | OPENAM-23481 | Token is allowed in raw JSON in introspect request | | OPENAM-23227 | OIDC ID Token Validator node doesn't work with proxy settings | | OPENAM-23035 | AM should preserve `setAttribute` multivalue update order | | OPENAM-22967 | Config upgrader uses OS file encoding causing issues with special characters | | OPENAM-22952 | SMSEntry class should throw exception to avoid NullPointerException | | OPENAM-22812 | Create Object node logs failure at debug level instead of error/warning | | OPENAM-22777 | Deploying AM 7.5.0 on Wildfly 26.x with JDK 17 fails | | OPENAM-22770 | Configuring AES Key Wrap encryption for Tomcat doesn't work | | OPENAM-22700 | OAuth 2.0 introspect: Multi-audience token only checks against first value | | OPENAM-22670 | DJLDAPv3Repo `getDN` may return broken cached DN | | OPENAM-22663 | WS-Federation SLO calls cleanup directive if issued | | OPENAM-22530 | OAUTH\_REQUEST\_ATTRIBUTES cookie is set for HTTP GET `/authorize` requests | | OPENAM-22505 | Scripted policy condition fails with "Exception from invocation expected to be handled by promise" | | OPENAM-22386 | Next-generation `idRepository` binding doesn't return null if identity isn't found | | OPENAM-22031 | LDAP Decision node no longer displays locked account message but redirects to failed login | | OPENAM-19968 | IdP-initiated SAML SLO doesn't invalidate SP-side session using integrated mode | ### AM 7.5.1 | | | | ------------ | ----------------------------------------------------------------------------------------------------------------------------------------- | | OPENAM-23045 | Performance degradation and WS-Federation issues with Java 17 | | OPENAM-23022 | Transaction condition for policy evaluation fails with JWT subject | | OPENAM-22927 | WebAuthn Registration node should be able to use `user.name` as display attribute | | OPENAM-22616 | Upgrade from AM 6.5.5 to 7.5 using external CTS fails with error "Message:Service does not exist: GoogleSecretManagerSecretStoreProvider" | | OPENAM-22457 | Amster doesn't delete all default scripts when using `--clean` true flag | | OPENAM-22406 | Product ZIP file contains files prefixed with `openam` | | OPENAM-19453 | CTS authentication sessions may cause tree to fail if AM server is not configured for sticky load balancing | | OPENAM-14790 | OAuth 2.0 scope policy set fails with LDAP filter environment condition | ### AM 7.5.0 | | | | ------------ | ------------------------------------------------------------------------------------- | | OPENAM-22151 | Expiration of cache held in StatelessJWTCache could cause Internal Server Error | | OPENAM-22067 | Stateless Session denylist caching and bloomfilter layers removed on config change | | OPENAM-22031 | LDAP Decision node change of behavior when user is locked from password change screen | | OPENAM-21820 | Set policy result TTL to `0` when using Environment Policy Active Session | | OPENAM-21819 | Default value for LinkedIn configuration uses out of data scopes | | OPENAM-21683 | AM lets you create anonymous user when it already exists | | OPENAM-15948 | Update DS profiles to add VLV indexes for CTS use | ## AM 7.4.x ### AM 7.4.2 | | | | ------------ | ---------------------------------------------------------------------------------------------- | | OPENAM-23273 | Failure URL not handled using Safari Browser | | OPENAM-23182 | Failure URL not handled after Authentication Session times out using SAML2 Authentication node | | OPENAM-22158 | User creation attributes on LDAP Decision node don't work | ### AM 7.4.1 | | | | ------------ | --------------------------------------------------------------------------------------------------------------------------------------- | | OPENAM-22795 | SAML2 encryption method can't be changed using IDP remote SP host settings | | OPENAM-22674 | Unable to create encrypted PEM that works for Secrets ENCRYPTED\_PEM | | OPENAM-22656 | Setting `JWKs URI content cache timeout` to a small value throws an error | | OPENAM-22608 | Non-extractable secrets in HSM fail to work on AM for SAML v2.0 XML signing | | OPENAM-22479 | LDAPv3 Userstore Connection doesn't reconnect without Heartbeat enabled | | OPENAM-22151 | Expiration of cache held in StatelessJWTCache could cause Internal Server Error | | OPENAM-22102 | Adjusting `evalThreadSize` has no effect | | OPENAM-22009 | Providing an invalid alias to a secret store mapping breaks AM | | OPENAM-21959 | Unable to create next-generation script in XUI if default script language is Groovy | | OPENAM-21893 | Configurator not releasing resources on failure | | OPENAM-21823 | Page node with Scripted Decision node doesn't persist `withErrorMessage` value | | OPENAM-21741 | SSOADM fails to install or run due to `mtlsAlias` field in boot.json | | OPENAM-21636 | AM is unable to run in FIPS compliance mode due to RAW keys | | OPENAM-19810 | No installed provider supports this key: sun.security.pkcs11.P11Key$P11PrivateKey' or cannot work with unextractable key when using HSM | | OPENAM-16797 | Allow Custom OATH/Push/WebAuthn device integrations to be managed by standard AM interface | | OPENAM-12197 | Custom methods `postSingleSignOnSuccess` and `postSingleSignOnFailure` aren't called by SAML Authentication module or node | | OPENAM-4201 | XUI returning messages based on localized responses from REST authentication interface | ### AM 7.4.0 | | | | ------------ | ------------------------------------------------------------------------------------------------------------------------------- | | OPENAM-21569 | Rapid policy evaluation using token of deleted user leads to HTTP 500 error | | OPENAM-21497 | Editing the mappings for an existing secret store throws an exception | | OPENAM-21441 | Policy evaluation with LDAPFilter condition uses config store user instead of identity store user | | OPENAM-21379 | Unable to read SMS config when request is too quick after changing configuration | | OPENAM-21363 | Unable to modify an external data store configuration when set as a global default data store but not referenced in a realm | | OPENAM-21311 | XUI performs logout of newly created session when resuming authentication with no further callbacks | | OPENAM-21294 | Remove openam-core from Soap STS server | | OPENAM-21284 | AM returns a 500 Internal Server Error response when providing an invalid `client_id` to the `deleteUserPasswords` agent action | | OPENAM-21178 | Social authentication "Secret" field not mandatory | | OPENAM-20927 | User info is still cached after removing privilege from group | | OPENAM-15948 | Update DS profiles to add VLV indexes for CTS use |