PingAM Release Notes
Requirements
Files to download
PingAM software is available to download from Backstage.
The following table describes the files available for download.
File | Description |
---|---|
| | Cross-platform distribution including all software components. Find a list of the files in the |
| | Deployable web application archive file. |
| | The .zip file that contains tools to manage AM from the command line. |
| | The .zip file that contains tools to configure AM from the command line. |
| | The .zip file that contains the Amster command-line interface. |
Files for previous versions
File | AM 7.3 | AM 7.4 | AM 7.5 |
---|---|---|---|
AM | AM-7.3.3.zip | AM-7.4.2.zip | AM-7.5.2.zip |
AM | AM-7.3.3.war | AM-7.4.2.war | AM-7.5.2.war |
AM SSO Admin Tools | SSOAdminTools-5.1.3.28.zip | SSOAdminTools-5.1.3.29.zip | SSOAdminTools-5.1.3.30.zip |
AM SSO Configurator Tools | SSOConfiguratorTools-5.1.3.28.zip | SSOConfiguratorTools-5.1.3.29.zip | SSOConfiguratorTools-5.1.3.30.zip |
Amster | Amster-7.3.3.zip | Amster-7.4.2.zip | Amster-7.5.2.zip |
Operating systems
AM 8 software is supported on actively maintained versions of the following operating systems:
- Amazon Linux
- Debian
- Red Hat Enterprise Linux
- Rocky Linux
- SUSE Linux Enterprise
- Ubuntu Linux
- Windows Server 2019 and 2022
AM 7.5 and earlier software is supported on the following operating systems:
Operating system | AM 7.3 | AM 7.4 | AM 7.5 |
---|---|---|---|
Amazon Linux | 2018.03 | 2018.03, 2023 | 2018.03, 2023 |
Debian Linux | Not supported | 11 | 11 |
Red Hat Enterprise Linux | 8, 9 | 8, 9 | 8, 9 |
Rocky Linux | 8, 9 | 8, 9 | 8, 9 |
SuSE | 12, 15 | 15 | 15 |
Ubuntu | 18.04 LTS, 20.04 LTS, 22.04 LTS, 24.04 LTS | 18.04 LTS, 20.04 LTS, 22.04 LTS, 24.04 LTS | 18.04 LTS, 20.04 LTS, 22.04 LTS, 24.04 LTS |
Windows Server | 2016, 2019, 2022 | 2016, 2019, 2022 | 2016, 2019, 2022 |
Web and Java agents
The following table summarizes the minimum recommended version of web and Java agents:
Agent | Version |
---|---|
Web agents | 2023.11.2 |
Java agents | 2023.11.2 |
AM supports several versions of web agents and Java agents. You can find information about supported container versions and other platform requirements related to agents in the Web Agents Release Notes and the Java Agents Release Notes.
Java
PingAM software is supported on the following Java environments:
Vendor | AM 7.3 | AM 7.4 | AM 7.5 | AM 8.0 |
---|---|---|---|---|
OpenJDK (1) | 11, 17 | 17 | 17, 21 | 17, 21 |
Oracle Java | 11, 17 | 17 | 17, 21 | 17, 21 |
(1) AM supports OpenJDK-based distributions, including:
- AdoptOpenJDK/Eclipse Temurin Java Development Kit (Adoptium)
- Amazon Corretto
- Azul Zulu
- Red Hat OpenJDK
Ping Identity tests most extensively with AdoptOpenJDK/Eclipse Temurin. Use the HotSpot JVM, if possible.
Always use a JVM with the latest security fixes.
Application containers
This table summarizes supported web application containers and their required versions:
Container | AM 7.3 | AM 7.4 | AM 7.5 | AM 8.0 |
---|---|---|---|---|
Apache Tomcat | 8.5, 9 | 10 | 10 | 10 |
IBM WebSphere Liberty | 22.0.0.4 | 24.0.0.6 | 24.0.0.6 | 24.0.0.6 |
JBoss Enterprise Application Platform | 7.4 | 8.x | 8.x | 8.x |
Wildfly | 15, 26 | 26 | 30 | 30 |
The web application container must be able to write to its own home directory, where AM stores configuration files.
Java Agents and Web Agents require the WebSocket protocol to communicate with AM. Make sure the container where AM runs, the web server/container where the agents run, and your network infrastructure all support the WebSocket protocol. Read your network infrastructure and web server/container documentation for more information about WebSocket support.
Identity stores
You can configure AM to use any LDAPv3-compliant directory server as an identity store. This table lists the supported directory servers for storing AM identities.
You can find information on configuring these directory servers in identity stores.
Directory server | AM 7.3 | AM 7.4 | AM 7.5 | AM 8.0 |
---|---|---|---|---|
Embedded PingDS (1)(2) | 7.3 | 7.4 | 7.5 | N/A |
External PingDS (2) | 6 and later | 7.3.1 and later | 7.3.1 and later | 7.3.1 and later |
PingDirectory | 9.3 | 9.3 | 9.3 | 9.3 |
Oracle Unified Directory | 11g R2 | 12c | 12c | 12c |
Oracle Directory Server Enterprise Edition | 11g | N/A | N/A | N/A |
Microsoft Active Directory | 2016, 2019 | 2019, 2022, 2025 | 2019, 2022, 2025 | 2019, 2022, 2025 |
IBM Tivoli Directory Server | 6.4 | N/A | N/A | N/A |
(1) Demo and test environments only in AM 7.x. Unsupported since AM 8.
(2) PingDS, formerly named ForgeRock Directory Server.
Third-party software
Ping Identity supports using the following third-party software when logging Common Audit events:
Software | Version |
---|---|
Java Message Service (JMS) | 2.0 API |
MySQL JDBC Driver Connector/J | 8 (at least 8.0.19) |
Splunk | 8.0 (at least 8.0.2) |
Elasticsearch and Splunk have native or third-party tools to collect, transform, and route logs. Examples include Logstash and Fluentd. Consider using these alternatives as they have advanced, specialized features focused on getting log data into the target system. They decouple the solution from the Ping Advanced Identity Software systems and version, and provide inherent persistence and reliability. You can configure the tools to avoid losing audit messages if a Ping Advanced Identity Software service goes offline, or delivery issues occur. These tools can work with Common Audit logging:
Ping Identity supports using the following third-party software when monitoring AM servers:
Software | Version |
---|---|
Grafana | 5 (at least 5.0.2) |
Graphite | 1 |
Prometheus | 2.0 |
For hardware security module (HSM) support, AM requires a client library that conforms to the PKCS#11 standard v2.20 or later.
Supported browsers
AM supports the latest, stable versions of the following browsers:
- Google Chrome
- Microsoft Edge
- Firefox
- Safari
Ping Identity doesn’t provide support for these browsers:
Ping Identity optimizes its platform for modern browsers to ensure the best user experience, security, and performance. If you encounter issues while using the Ping Advanced Identity Software, ensure you use a supported, up-to-date browser for the optimal experience.
What’s new
New in AM 8.0.x
AM 8.0.1
AM 8.0.1 is a maintenance release that introduces functional enhancements and fixes.
Ability to refresh device IDs
The Push Notification service and the Ping SDKs now support the ability to refresh device IDs in user device profiles, rather than having to delete and recreate device profiles when a device ID changes.
You can find more information in Refresh push device IDs.
AM 8.0
AM 8.0 is a major release that introduces new features, functional enhancements, and fixes.
AM 8 introduces many new features and changes, but some key changes to be aware of are:
Make sure you review Incompatible changes and Removed in addition to this section before upgrading.
FBC in production deployments
Previous versions of AM provided a technology preview of the file-based configuration (FBC) migration utility.
In AM 8.0, FBC is supported in production deployments.
Learn more in the following topics:
Node Designer
AM 8.0 introduces a new way to create authentication node types that can be reused and shared across journeys and deployments.
The Node Designer lets you create scripted node types that have the following benefits:
-
Configurable bindings
-
Access to next-generation script bindings
-
Potential for less code repetition
-
Easier and quicker to innovate custom node types with scripting
Learn more in Custom scripted nodes.
Dynamic client registration script
You can configure AM to run a custom script after dynamic client registration. Create a next-generation script to modify a client profile after a successful create, update, or delete operation.
Learn more in Customize dynamic client registration.
Support for DER-formatted certificates for OAuth 2.0 client authentication
AM now accepts X.509 certificates in both PEM and DER format to authenticate OAuth 2.0 clients.
Learn more in Authenticate clients with mutual TLS.
RADIUS server configuration update
The RADIUS server service has a new configuration property that enforces the inclusion of the Message-Authenticator attribute in requests and responses.
Use this attribute to verify incoming RADIUS access requests to prevent spoofing.
IDM policy condition
Authorization policies have a new environment condition type named IDM User. This condition type lets you query an IDM resource to form the basis of the policy evaluation. AM must be part of a Ping Advanced Identity Software deployment to use this environment condition.
Backchannel authentication
Backchannel authentication lets a third-party federation service initiate authentication with AM on behalf of a user. The federation service collects the user data and transmits this data directly to AM. AM redirects the user to complete the authentication process without having to re-enter the collected data.
Learn more in Backchannel authentication.
FIDO certification
PingAM is now a FIDO Certified Provider. PingAM has passed the FIDO Alliance’s rigorous testing program and meets their requirements regarding security and interoperability with other FIDO components.
Changes to PingAM in this regard include the new WebAuthn Metadata service and enhancements to the WebAuthn nodes.
Find more information about configuring AM for FIDO in Web authentication (WebAuthn).
WebAuthn Metadata service
The WebAuthn Metadata service lets you configure how AM obtains FIDO2 metadata at the journey level.
Use the WebAuthn Registration node’s FIDO Certification Level setting to force AM to check the metadata service for the device’s accepted certification level.
Learn more in WebAuthn Metadata service.
WebAuthn nodes
The following improvements have been made to the WebAuthn nodes:
- WebAuthn Authentication node
  - On successful authentication, the WebAuthn Authentication node now adds a webauthnAssertionInfo object to transient state that stores authenticator data.
  - A new node setting, Detect sign count mismatch, lets you compare the authenticator’s sign count (signature counter) with the sign count stored in the user’s profile. The sign count is useful for detecting potentially cloned devices. If the authenticator sign count is less than or equal to the stored value, evaluation continues to the new Sign Count Mismatch outcome.
- WebAuthn Registration node
  - On successful registration, the WebAuthn Registration node now adds the following objects to transient state:
    - webauthnAttestationInfo: Stores authenticator data.
    - webauthnDeviceAaguid: Stores the Authenticator Attestation Global Unique Identifier (AAGUID).
  - The new FIDO Certification Level setting lets you use the configured WebAuthn Metadata service to check that the device’s FIDO certification level meets a minimum level requirement during registration.
Device profile settings
The following attributes are now stored in device profiles:
- WebAuthn device profile
  - signCount: The device sign count (signature counter).
- Push / WebAuthn / Oath device profiles
  - createdDate: The date the device was registered and the profile created.
  - lastAccessDate: The date the device was last used to sign in successfully.
Ability to trace the request flow through Ping Advanced Identity Software
When a user interacts with Ping Advanced Identity Software, the request can travel through multiple services before it completes. Distributed tracing lets you monitor the request flow through Ping Advanced Identity Software.
Tracing provides a single view of a request’s journey and makes it easier to locate bottlenecks and errors.
Learn more in Trace incoming and outgoing requests.
Improved REST API for transactional authorization
For transactional authorization requests, you can now provide an authIndexType of transaction and an authIndexValue of transactionId to the authenticate endpoint. This new parameter lets you complete transactional authorization without sending URL-encoded XML over REST.
For example:
```bash
curl \
--cookie "iPlanetDirectoryPro=sso-cookie" \
--request POST \
--header "Content-Type: application/json" \
--header "Accept-API-Version: resource=2.0, protocol=1.0" \
'https://am.example.com:8443/am/json/realms/root/authenticate?authIndexType=transaction&authIndexValue=transactionId'
```
The behavior of the new parameter is identical to the existing parameter:
…/authenticate?authIndexType=composite_advice&authIndexValue=URL-encoded-XML
The existing parameter remains supported.
Certificate Collector node supports DER certificates
For certificates supplied in HTTP headers, the Certificate Collector node now supports certificates in DER format in addition to PEM format. There are no configuration changes in the node itself.
The certificate format is inferred from the encoded certificate contents. The supported DER format encoding is compliant with RFC 9440.
OAuth 2.0 application journeys
You can now associate an OAuth 2.0 client with a specific authentication journey (tree). The associated journey is always run, regardless of existing sessions or configured authentication context class reference (acr) values.
You can only associate a tree with OAuth 2.0 applications configured for the Authorization Code, Implicit, and Device Code grant types.
To access information about the incoming OAuth 2.0 request, configure your tree to include a Scripted Decision node that queries the oauthApplication script binding.
Learn more in client application registration.
SAML 2.0 application journeys
Configure the remote SP so that a specific authentication journey (tree) is always run for users authenticating with your SAML 2.0 app. The federation flow invokes the associated journey regardless of any existing sessions or configured authentication context.
You can access the requested authentication context and configured mappings by including a Scripted Decision node in the journey that queries the new samlApplication script binding.
Learn more in Configure a SAML 2.0 application journey.
Customize SAML NameID mapping with a script
You can now use a script to customize the NameID attribute in the SAML 2.0 assertion per SP.
Create a next-generation script of type Saml2 NameID Mapper and configure the remote SP entity to use the custom script.
You can find more information in NameID mapper.
Http Client service
The new Http Client service lets you create named instances that you can reference from a next-generation script using the httpclient binding.
On each instance, define secret labels that map to certificates in secret stores and are used during mTLS connections.
The service also provides settings to override connection and response timeouts for HTTP requests and to configure certificate checks per instance.
Learn more in Http Client service.
Default trees
The following new default trees have been added to AM:
- ldapService: replaces the ldapService authentication chain.
- Agent: replaces the Application module.
- amsterService: replaces the amsterService authentication chain.
These trees provide direct replacements for the corresponding default modules and chains. This ensures any authentication processes that rely on them are unaffected by the removal of modules and chains in this release.
Learn more about these trees in Default trees.
Configure trees to run to completion
Set the mustRun property to force trees to always run to completion regardless of the existing user sessions.
Learn more in Configure an authentication tree to always complete.
Configure no session trees
Set the noSession property to create trees that don’t result in an authenticated session when they successfully complete.
Learn more in Configure a no session tree.
Session duration and timeout control
We’ve made changes to AM to provide greater control over journey session duration and authenticated session timeouts.
- Journey session duration
  - You can now override global and realm level duration values in a tree or a node:
    - For the maximum duration, you can override timeout settings using the new Update Journey Timeout node or by setting the treeTimeout property in the tree configuration.
    - For the suspended duration, you can override the suspended duration in the Email Suspend node or in a Scripted Decision node using the action object. Learn more in Suspend and resume journeys.
  - Find out how AM derives the journey session duration as a result of these changes in Configure suspended authentication.
- Authenticated session timeouts
  - You can now override global and realm level timeout settings (maximum session time and maximum idle time) in a tree or a node.
    - In nodes, you can override the session timeouts in the Set Session Properties node or in a Scripted Decision node using the withMaxIdleTime and withMaxSessionTime methods. Learn more in Set authenticated session timeouts.
    - In a tree, you can override the session timeouts by setting the maximumSessionTime and maximumIdleTime properties in the tree configuration.
  - Find out how AM derives the authenticated session timeouts as a result of these changes in Configure authenticated session timeout settings.
LINE login support
You can now configure a social provider authentication with LINE login. There are two new social provider configuration profiles, LINE (Browser) and LINE (Native), for browser and mobile app integrations.
The LINE (Browser) integration must not reference a well-known endpoint to ensure AM verifies signatures using the client secret instead.
Next-generation script bindings
The following next-generation script bindings have been improved for this release:
Common bindings
- cookieName: Access the name of the cookie as a string to perform session actions such as ending all sessions for a user.
- httpClient:
  - Use the new form attribute to send url-encoded form requests.
  - Reference an instance of the new Http Client service to enable mTLS connections to external services.
- policy: Lets you access the policy engine API and evaluate policies from within scripts.
- secrets: Reference secrets and credentials stored in secret stores.
- utils: Use this new utility binding to perform functions such as:
  - Base64 encode/decode strings
  - Generate random values and UUIDs
  - Encrypt and decrypt values
  - Compute hash values
  - Sign and verify data
Make sure you don’t use the same name for a local variable as that of a common binding in your script. These names are reserved for common bindings only. If you have already defined a local variable with the same name as one that’s added to common bindings in a more recent version of PingAM; for example,
Learn more in Script bindings.
Scripted decision node bindings
- action:
  - Use the new suspend(String message) and suspend(String message, SuspensionLogic logic) methods to suspend the current authentication session and send a message to the user. You can also implement custom logic with the resume URI, for example, to send an email or SMS using the HTTP client service.
  - You can now access the following methods through the ActionWrapper object to return additional information to the client:
    - withHeader(String header)
    - withDescription(String description)
    - withStage(String stage)
- jwtAssertion and jwtValidator:
  - You can now generate JWT assertions with custom non-registered claims.
  - Data fields are more aligned with the JWT specification, so you can now specify separate values for issuer and subject. These replace the existing accountId.
  - The bindings work with RS256 or HS256 signed JWTs, and JWTs that are encrypted using the A128CBC-HS256 algorithm.
- nodeState: You can now merge data, including objectAttributes values, into existing state with the new mergeShared and mergeTransient methods.
- oauthApplication: Access request and application information if the node is part of a journey associated with an OAuth 2.0 client application.
- requestCookies: Use this new decision node script binding to access request cookies directly.
- samlApplication: Access request and application information if the node is part of a journey associated with a SAML 2.0 client application.
Learn more in the Scripted Decision node API.
Library scripts
Library scripts now have access to all common bindings.
Learn more in Library scripts.
Next-generation script types
The following existing script types are now enabled for the next-generation script engine:
-
Configuration Provider node scripts
-
Device Match node scripts
-
Policy condition scripts
Scripted Decision node and Device Match node scripts now have different context types depending on the script engine. For legacy scripts, the context is
Access PingOne Verify transaction data
The verifyTransactionsHelper next-generation binding lets you manage PingOne Verify user transactions and PingOne user accounts.
Enable Device Management node
The Enable Device Management node lets you relax or remove restrictions placed upon users who want to reset or remove registered MFA devices.
Use this node in a journey to change the authentication strategy required for removing registered devices.
Flow Control node
The Flow Control node lets you control the authentication flow by randomly sending traffic down different paths of a tree (journey). This means you can use the node to evaluate changes before rolling them out to a production environment.
For example, configure the node to direct a percentage of requests to a new authentication journey to observe the user experience and check for potential failures.
Customize the JSON in the authentication response
The following nodes are new for this release.
Set Success Details node
The Set Success Details node lets you add details to the JSON response on successful authentication.
You can add either or both of the following:
- Success Details: Lets you add static key:value fields to the JSON response.
- Session Properties: Lets you add key:value fields to the JSON response, where value corresponds to the value of the specified session property.
Set Failure Details node
The Set Failure Details node lets you add details to the JSON response on authentication failure.
You can add either or both of the following:
- Failure Message: Lets you add a custom, localized message to display to the user and return in the JSON response.
- Failure Details: Lets you add key:value fields to the JSON response.
Set Error Details node
The Set Error Details node lets you add details to the JSON response when a journey ends in an error.
You can add either or both of the following:
- Error Message: Lets you add a custom, localized message to display to the user and return in the JSON response.
- Error Details: Lets you add key:value fields to the JSON response.
Configurable clock skew for OIDC ID token expiry time
The org.forgerock.openam.oauth2.tokenexpiry.skewAllowance advanced server property lets you configure the period, in seconds, during which an OIDC ID token remains valid after its expiry time.
This property allows for clock skews between servers.
In previous releases, the clock skew for ID token expiry times was hard coded to 5 minutes. For compatibility purposes, this is the default value of the new property.
Update signing certificate in remote SP metadata
You can now update the signing or encryption certificate for an existing SP without needing to delete and recreate the entire SP configuration.
Learn more in Update remote SP certificate.
Configure client certificate in SP metadata
You can now configure the hosted SP to exclude the client certificate from metadata.
To override the default behavior, enable the Exclude Client Certificate from Metadata option in the SP’s configuration.
Consistent errors when refreshing tokens
The following new methods ensure consistent error messages when refreshing tokens:
- com.sun.identity.idm.IdRepoListener
  - objectChanged(String name, String previous, IdType idType, int changeType, Map cMap)
- com.sun.identity.idm.IdEventListener
  - identityRenamed(String universalId, String previousUniversalId)
If a token is refreshed but the username has changed since the original refresh token was issued, the following error is now shown with these methods:
```json
{
  "error_description" : "grant is invalid",
  "error" : "invalid_grant"
}
```
Configuration Provider node
The following improvements have been made to the Configuration Provider node:
- Previously, you could only use the Configuration Provider node to imitate nodes with fixed outcomes. Now, you can also imitate nodes with variable outcomes from a predefined list. This change makes the following nodes available to the Configuration Provider node:
  To ensure custom nodes are available to the Configuration Provider node, write an outcome provider class that implements the StaticOutcomeProvider or BoundedOutcomeProvider interfaces.
- The following nodes with fixed outcomes are also now available to the Configuration Provider node:
- You can now generate configuration provider template scripts with default values. Call the node API endpoint with the configProviderScript action to generate a JavaScript or Groovy script for the type of node you want to imitate. Learn more in the Configuration Provider node.
Backchannel logout token contains exp claim
The logout token generated during backchannel logout now contains an exp claim.
Learn more in Backchannel logout.
New ssoadm commands update attributes in a realm service
A fix to the deprecated ssoadm tool adds the following new commands:
- add-realm-default-attributes
- set-realm-default-attributtes
- remove-realm-default-attributes
- get-realm-default-attributes
These commands work on realm defaults from AM 7 onwards.
New in AM 7.5.x
AM 7.5.1
AM 7.5.1 is a maintenance release that introduces functional enhancements and fixes.
New utility script binding
Use the utils binding to base64 encode/decode strings and generate random values and UUIDs in your next-generation scripts.
Learn more in Script bindings.
Backchannel logout token contains exp claim
The logout token generated during backchannel logout now contains an exp claim.
Learn more in Backchannel logout.
System property for social provider sub claim uniqueness
A new system property (org.forgerock.openam.oidc.SocialProvider.sub.claim.is.not.unique) indicates that the OIDC social provider doesn’t return a unique value for the sub claim. This is false by default.
New ssoadm commands update attributes in a realm service
A fix to the deprecated ssoadm tool adds the following new commands:
- add-realm-default-attributes
- set-realm-default-attributtes
- remove-realm-default-attributes
- get-realm-default-attributes
These commands work on realm defaults from AM 7 onwards.
AM 7.5
AM 7.5 is a minor release that introduces new features, functional enhancements, and fixes.
Support for storing secrets in secret stores
The following features now support storing their secrets in a secret store instead of in the configuration. For greater security, move these secrets to a secret store when convenient.
- Services
- Authentication nodes
- Agents
- Authentication
  - AM password encryption key
  - HTTP outbound request authentication password (advanced server setting)
  - Password capture and replay
  - Client-side sessions:
    - The HMAC signing key
    - The am.global.services.session.clientbased.signing mapping is deprecated and replaced by algorithm-specific mappings
    - The am.global.services.session.clientbased.encryption mapping is deprecated and replaced by am.global.services.session.clientbased.encryption.RSA and am.global.services.session.clientbased.encryption.AES
- SAML v2.0
  - Remote SP and IDP basic authentication for SOAP-based binding
  - SP authentication with mTLS for artifact resolve requests
- OAuth 2.0
  - OAuth 2.0 client authentication secrets
  - OAuth 2.0 client mTLS self-signed certificate
  - OAuth 2.0 client ID token public encryption key
  - OAuth 2.0 client JWT bearer public key
  - OAuth 2.0 provider salting of hashes
In addition, you can now rotate secrets in file system secret volumes.
Learn more in Map and rotate secrets.
Support for mTLS connections
The following services now support certificate-based connections to the backend LDAP store using mTLS:
Configurable affinity for connections to the DS identity repository
The DS identity repository configuration now includes an Affinity Level setting that lets you specify the operations for which AM should use affinity-based load balancing.
In previous AM releases, you configured affinity only with the Affinity Enabled property, so it was either on or off. With Affinity Enabled set to true, ALL operations to the DS repository used affinity. With Affinity Enabled set to false, the equivalent affinity level was NONE (no operations used affinity).
The new setting introduces the BIND level as a middle ground. When you set the affinity level to BIND, only user authentication requests use affinity. This setting provides a small but significant performance improvement in deployments with multiple replicated DS identity stores.
In addition, the LDAP Decision node has been updated with a new property, affinityLevel (NONE, BIND, and ALL). This is separate from the configuration setting.
The Data Store Decision node uses the identity repository configuration. As such, affinity settings configured for the identity repository will impact connections to the DS server made by this node.
Request Header node
The new Request Header node lets customers inject values into shared state based on request header values. You can use the node to get information about a journey or the user from an external system or even customize the branding of a journey.
Learn more in Request Header node.
Scalable OAuth 2.0 clients
The scalable OAuth 2.0 clients feature lets you create and manage large numbers of OAuth 2.0 clients without impacting system performance. Once you have enabled the feature, create clients as usual through dynamic registration or in the AM admin UI, and then use the AM administration OAuth 2.0 client REST endpoint to search for clients and filter and page query results.
Learn more in Scalable OAuth 2.0 clients.
SAML v2.0 NameID mapping configurable on the service provider (SP)
You can now configure NameID mapping on a remote SP. The SP configuration overrides the NameID Value Map on the IDP, letting you define different name requirements for each SP.
Learn more about NameID value mapping in the Remote service provider configuration properties.
Use a tree hook to run actions on journey failure
Override the new acceptFailure method to run actions on journey failure.
Learn more about the TreeHook interface in the Public API Javadoc.
Storing identified identities in the authentication session
The following new methods let you record users and agents verified to exist in an identity store:
- org.forgerock.openam.auth.node.api.Action
  - public ActionBuilder withIdentifiedIdentity(AMIdentity id)
  - public ActionBuilder withIdentifiedIdentity(String username, IdType id)
- org.forgerock.openam.auth.nodes.script.ActionWrapper
  - public ActionWrapper withIdentifiedAgent(String agentName)
  - public ActionWrapper withIdentifiedUser(String username)
A new advanced server property, org.forgerock.am.auth.trees.authenticate.identified.identity, determines whether AM uses these stored identified identities when deciding which user to log in.
This lets custom nodes and decision node scripts correctly resolve identities that have the same username. For more information, refer to advanced server properties.
Identity Assertion node and Identity Assertion service
The new Identity Assertion node and supporting service lets AM use PingGateway to manage authentication through a third party such as Windows Desktop SSO or Kerberos.
Learn more in Identity Assertion node and Identity Assertion service.
PingOne Protect nodes and PingOne Worker service
The new PingOne Protect nodes and supporting PingOne Worker service let you integrate with PingOne Protect. Leverage risk predictors and route your journeys based on calculated risk scores.
You can add these nodes to your authentication, registration, and self-service journeys to combat account takeover, new account fraud, and MFA fatigue.
Learn more:
Nodes in a Page node log individual audit events
Nodes contained in a Page node now log individual AM-NODE-LOGIN-COMPLETED audit events.
Learn more about audit logging in Audit log events.
New in AM 7.4.x
AM 7.4.2
AM 7.4.2 is a minor release that introduces new features, functional enhancements, and fixes.
Backchannel logout token contains exp claim
The logout token generated during backchannel logout now contains an exp claim.
Learn more in Backchannel logout.
New ssoadm commands update attributes in a realm service
A fix to the deprecated ssoadm tool adds the following new commands:
- add-realm-default-attributes
- set-realm-default-attributes
- remove-realm-default-attributes
- get-realm-default-attributes
These commands work on realm defaults from AM 7 onwards.
System property for social provider sub claim uniqueness
A new system property, org.forgerock.openam.oidc.SocialProvider.sub.claim.is.not.unique, indicates that the OIDC social provider doesn’t return a unique value for the sub claim. It is false by default.
Improvements to JWT operations in scripts
The jwtAssertion and jwtValidator script bindings now let you include non-registered claims.
The values that you can specify to generate and validate JWTs have been updated to include new fields such as issuer and subject. These replace the existing accountId to let you specify different values for these fields.
The bindings work with RS256 or HS256 signed JWTs, and JWTs that are encrypted using the A128CBC-HS256 algorithm.
Learn more in Generate and validate JWTs.
AM 7.4.1
AM 7.4.1 is a maintenance release.
Storing identified identities in the authentication session
The following new methods let you record users and agents verified to exist in an identity store:
org.forgerock.openam.auth.node.api.Action
- public ActionBuilder withIdentifiedIdentity(AMIdentity id)
- public ActionBuilder withIdentifiedIdentity(String username, IdType id)
org.forgerock.openam.auth.nodes.script.ActionWrapper
- public ActionWrapper withIdentifiedAgent(String agentName)
- public ActionWrapper withIdentifiedUser(String username)
A new advanced server property, org.forgerock.am.auth.trees.authenticate.identified.identity, determines whether AM uses these stored identified identities when deciding which user to log in. This lets custom nodes and decision node scripts correctly resolve identities that have the same username.
AM 7.4
AM 7.4 is a minor release that introduces new features, functional enhancements, and fixes.
Bind and verify user devices
The ForgeRock SDKs for Android and iOS can cryptographically bind a mobile device to a user account.
Registered devices generate a key pair and a key ID. The SDK sends the public key and key ID to your AM server for storage in the user’s profile.
The SDK stores the private key on the device in the Android KeyStore or the iOS Secure Enclave. Access to the private keys is protected by biometric security or a PIN.
A user can bind multiple devices to their account, and each device can bind to multiple users.
After binding a device, your authentication journeys can verify ownership of the bound device by requesting that it signs a challenge using its private key, and verifying it corresponds to the public key.
For details, refer to the Device Binding node, Device Binding Storage node, and Device Signing Verifier node.
Support for JSON output from /oauth2/device/user endpoint
REST calls to the /oauth2/device/user endpoint return an HTML response by default. This release adds support for an Accept: application/json header that returns the response in JSON format.
For details, refer to the Device authorization grant.
Setting to disable the subname claim
AM adds the subname claim to access and ID tokens by default. You can now change this behavior by disabling the OAuth2 Provider service property Include subname claim in tokens issued by the OAuth2 Provider.
The value of the subname claim matches the value of the sub claim used in versions of AM earlier than 7.1. It also matches the value of the sub claim if you disable the org.forgerock.security.oauth2.enforce.sub.claim.uniqueness property.
Setting to permit client credentials in token endpoint query parameters
The OAuth 2.0 Provider service includes a new advanced property, Allow Client Credentials in Token Endpoint Query Parameters, that lets you include client credentials as query parameters in OAuth 2.0 token endpoint requests.
In previous AM versions, you could supply client credentials (the client_id and client_secret) as query parameters in POST requests to the /oauth2/access_token endpoint. From AM 7.4 onwards, this is prohibited by default and you must include the credentials within the POST request body.
The new Allow Client Credentials in Token Endpoint Query Parameters setting controls this behavior and is false by default in new deployments. For security reasons, keep this property disabled: query strings are routinely recorded in web server, proxy and browser logs, so client secrets sent that way leak to anyone who can read those logs.
When you upgrade an existing deployment to AM 7.4, this property is initially set to true for legacy support. After upgrading, update your scripts and clients to send the credentials in the POST body, then set the property to false.
Restriction of access to inner trees
The new innerTreeOnly property of an authentication tree lets you specify that the tree is only an inner tree and can’t be accessed directly.
For details, refer to Disable direct access through an inner tree.
New nodeState.getObject method
The new nodeState.getObject(String key) method lets scripted decision nodes retrieve variables stored in both shared and secure state.
For details, refer to Access shared state data.
X-ForgeRock-TransactionID available in HTTP client script binding
The httpClient script binding now automatically adds the current transaction ID as an HTTP header. This lets you correlate caller and receiver logs when you use httpClient from a script, such as a decision node script, to make requests to other proprietary products and services.
For details, refer to Access HTTP services.
Customize account lockout message
Use the new ActionBuilder.withLockoutMessage(String lockoutMessage) method in a Scripted Decision node to customize the message displayed to an end user when their account is locked or inactive.
For details, refer to Set script outcome.
Scripting enhancements
AM 7.4 introduces the Next Generation scripting engine, which offers the following benefits:
- Stability: a stable set of enhanced bindings, available to decision node scripts, that reduces the need to allowlist Java classes to access common functionality.
- Ease of use:
  - Simplify your scripts with fewer imports and more intuitive return types that require less code.
  - Debug efficiently with clear log messages and a simple logging interface based on SLF4J.
  - Make requests to other APIs from within scripts more easily with a more intuitive HTTP client.
- Reduced complexity:
  - Simplify and modularize your scripts with library scripts by reusing common code snippets as CommonJS modules. Reference library scripts from a decision node script.
  - Access identity management information seamlessly through the openidm binding.
For more information, refer to:
Scripting logger name change
Scripts that log debug messages create loggers that now include the name of the script. The name of a scripting logger uses the format scripts.<context>.<script UUID>.(<script name>); for example, scripts.OIDC_CLAIMS.36863ffb-40ec-48b9-94b1-9a99f71cc3b5.(OIDC Claims Script).
Refer to Debug logging.
Access request header values from OAuth 2.0 scripts
You can now access the requestHeaders binding in the following OAuth 2.0 scripts:
- OIDC user info claims (OIDC_CLAIMS)
- Access token modification (OAUTH2_ACCESS_TOKEN_MODIFICATION)
- Token exchange (OAUTH2_MAY_ACT)
For details, refer to the available objects for each script type.
File-based configuration migration utility
In a future release, AM will read its configuration only from JSON files, not directory servers. Using LDAP data stores for configuration will be deprecated and file-based configuration (FBC) will be the only supported configuration storage mechanism. Dynamic data will continue to be stored in LDAP directories.
To prepare to migrate your configuration from LDAP directories to JSON files, AM 7.4 provides a technology preview of a configuration migration utility based on the existing amupgrade command. The purpose of this technology preview is to let you test migrating custom configuration to FBC.
For details, refer to Migrate to a file-based configuration.
The interface stability for the file-based configuration (FBC) migration utility is Technology Preview. Technology previews offer access to new technology that is not yet supported. Technology preview features may be functionally incomplete and subject to change without notice. For details, refer to Interface stability. The technology preview should function correctly but may highlight areas that need improvement before the supported release of this feature. AM configuration stored in DS remains supported as documented for AM 7.4. In a future AM release, LDAP configuration stores will be deprecated in favor of FBC.
Support for mTLS authentication
AM now supports mTLS authentication to the following external data stores:
mTLS uses certificates to authenticate and is more secure than username/password authentication. For more security, rotate certificates periodically.
Due to a known issue in OpenJDK, you can’t configure mTLS authentication to data stores if you’re using Java version 11.0.2. If you’re using this Java version and attempt to authenticate with mTLS, the connection fails and the DS server generates the following error in the
AM then enters an invalid state. To work around this issue, upgrade to Java 11.0.3 or higher, or authenticate using simple authentication.
Query Parameter node
The Query Parameter node lets you insert query parameter values from a journey URL into configurable node state properties. This lets you customize journeys based on the query parameter values.
Support for HTML in Email Suspend node
The Email Suspend Message property of the Email Suspend node now supports HTML code in addition to plain text. This lets you add HTML components, including links and graphics, to the message displayed to end users.
New in AM 7.3.x
AM 7.3.2
AM 7.3.2 is a maintenance release that introduces functional enhancements and fixes.
Backchannel logout token contains exp claim
The logout token generated during backchannel logout now contains an exp claim.
Learn more in Backchannel logout.
System property for social provider sub claim uniqueness
A new system property, org.forgerock.openam.oidc.SocialProvider.sub.claim.is.not.unique, indicates that the OIDC social provider doesn’t return a unique value for the sub claim. It is false by default.
New ssoadm commands update attributes in a realm service
A fix to the deprecated ssoadm tool adds the following new commands:
- add-realm-default-attributes
- set-realm-default-attributes
- remove-realm-default-attributes
- get-realm-default-attributes
These commands work on realm defaults from AM 7 onwards.
AM 7.3.1
AM 7.3.1 is a maintenance release that introduces functional enhancements and fixes.
Storing identified identities in the authentication session
The following new methods let you record users and agents verified to exist in an identity store:
org.forgerock.openam.auth.node.api.Action
- public ActionBuilder withIdentifiedIdentity(AMIdentity id)
- public ActionBuilder withIdentifiedIdentity(String username, IdType id)
org.forgerock.openam.auth.nodes.script.ActionWrapper
- public ActionWrapper withIdentifiedAgent(String agentName)
- public ActionWrapper withIdentifiedUser(String username)
A new advanced server property, org.forgerock.am.auth.trees.authenticate.identified.identity, determines whether AM uses these stored identified identities when deciding which user to log in. This lets custom nodes and decision node scripts correctly resolve identities that have the same username. For more information, refer to advanced server properties.
Scripting logger name change
Scripts that log debug messages create loggers that now include the name of the script. The name of a scripting logger uses the format scripts.<context>.<script UUID>.(<script name>); for example, scripts.OIDC_CLAIMS.36863ffb-40ec-48b9-94b1-9a99f71cc3b5.(OIDC Claims Script).
Refer to Debug logging.
Customize account lockout message
Use the new ActionBuilder.withLockoutMessage(String lockoutMessage) method in a Scripted Decision node to customize the message displayed to an end user when their account is locked or inactive.
For details, refer to Scripted decision node API.
Setting to permit client credentials in token endpoint query parameters
The OAuth 2.0 Provider service includes a new advanced property, Allow Client Credentials in Token Endpoint Query Parameters, that lets you include client credentials as query parameters in OAuth 2.0 token endpoint requests.
In previous AM versions, you could supply client credentials (the client_id and client_secret) as query parameters in POST requests to the /oauth2/access_token endpoint. This is now prohibited by default and you must include the credentials within the POST request body.
The new Allow Client Credentials in Token Endpoint Query Parameters setting controls this behavior and is false by default in new deployments. For security reasons, keep this property disabled: query strings are routinely recorded in web server, proxy and browser logs, so client secrets sent that way leak to anyone who can read those logs.
When you upgrade an existing deployment to AM 7.3.1, this property is initially set to true for legacy support. After upgrading, update your scripts and clients to send the credentials in the POST body, then set the property to false.
AM 7.3
AM 7.3 is a minor release that introduces new features, functional enhancements, and fixes.
An issue was discovered in the 7.3.0 release of DS that has the potential to corrupt static groups. To ensure data integrity, we highly recommend upgrading to DS 7.3.1. This issue affects the stability and reliability of static groups only. Continuing to use DS 7.3.0 may lead to data corruption and other unintended consequences. The necessary fixes were made in DS 7.3.1; however if you deployed AM with DS 7.3.0, and you use static groups, you must contact Support for assistance with resolving the data corruption.
Combined MFA Registration node
The Combined MFA Registration node lets an authenticated user register a device, such as a mobile phone, for multi-factor authentication with a push notification and an OATH one-time password in a single step.
For details, refer to Combined MFA Registration node.
OIDC ID Token Validator node
The OIDC ID Token Validator node provides similar functionality to the OpenID Connect id_token bearer module. It evaluates whether the ID token is valid, according to the OIDC specification to let AM rely on an OIDC provider (OP)'s ID token to authenticate an end user.
For details, refer to OIDC ID Token Validator.
OATH Device Storage node
The OATH Device Storage node stores devices in the user profile after an OATH Registration node records them in the shared state.
For details, refer to OATH Device Storage node.
Support for EdDSA for WebAuthn
The WebAuthn Registration node now supports EdDSA as a signing algorithm. Devices that provide EdDSA-signed attestation data in packed format during registration (specifically EdDSA with the Ed25519 curve, as required by the WebAuthn specification) are now supported.
Scripted support for SAML v2.0 SP adapter
You can now customize the SP adapter with a script. Create a script of type SAML2_SP_ADAPTER and configure the hosted SP entity to use the custom script.
For details, refer to SP adapter.
Addition of prompt_values_supported to the OIDC exposed configuration
The OpenID Connect well-known/openid-configuration endpoint has been enhanced to expose the prompt_values_supported parameter of the provider configuration.
Support for multi-tenant social identity providers
Social identity provider configuration now lets you specify a regular expression to evaluate the issuer claim in ID tokens, so that tokens from any tenant of a multi-tenant provider can be accepted by one configuration.
For details, refer to the Issuer comparison check setting and Advanced properties.
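An issuer regular expression is only as strict as its anchoring. As an added example that is not PingAM code, the following checks an ID token's iss claim the way a multi-tenant social provider configuration would, and contrasts an anchored pattern with an unanchored one that an attacker-controlled issuer can satisfy. The tenant IDs and the spoofed issuer URL are constructed; the issuer shape https://login.microsoftonline.com/{tenant-id}/v2.0 is the form Microsoft Entra ID uses, and makeIssuerCheck is this example's own name.

```javascript
// Build a checker from a pattern whose first capture group is the tenant ID. If a set of
// allowed tenants is given, the issuer must also belong to one of them.
function makeIssuerCheck(pattern, allowedTenants = null) {
  const re = new RegExp(pattern);
  return function isTrustedIssuer(iss) {
    if (typeof iss !== 'string') return false;
    const m = re.exec(iss);
    if (!m) return false;
    return allowedTenants ? allowedTenants.has(m[1]) : true;
  };
}

// Anchored at both ends, with every "." escaped: only this host, this path, one tenant segment.
const ANCHORED = '^https://login\\.microsoftonline\\.com/([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})/v2\\.0$';
// Same core, but unanchored: matches anywhere inside an arbitrary issuer string.
const UNANCHORED = 'login\\.microsoftonline\\.com/([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})/v2\\.0';
```

Combine the anchored pattern with an explicit allow-list of tenant IDs unless you really intend to accept accounts from every tenant the provider hosts; "any tenant" is a much wider trust boundary than "our tenants".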
Ability to invalidate sessions by username
The new logoutByUser action on the json/sessions endpoint lets you log out all sessions for a specified user. This action is available for server-side and client-side sessions but is disabled for client-side sessions by default.
For more information, refer to Invalidate all sessions for a user.
This action introduces a new audit notification topic. Consumers cannot rely on new events having identical syntax and should check the
Scripted JWT issuer
For the JWT profile for OAuth 2.0 authorization grant, AM now lets you provide dynamic trusted JWT issuers via a script as an alternative to static configuration.
For details, refer to Configure a scripted JWT issuer.
OAuth 2.0 authentication supported for email service
Microsoft are deprecating SMTP Basic authentication. AM 7.3 introduces the option in the email service to select REST-based OAuth 2.0 authentication using Microsoft Graph API, in addition to supporting the legacy SMTP authentication.
For details, refer to Configure the email service.
Cross-upgrade session reference property
To track the session through upgrade, enable the cross-upgrade session reference property, which retains its value throughout the session lifecycle.
This unique and constant session reference is recorded in the audit logs for session creation and upgrade events.
Refer to the Enable Cross Upgrade Session Reference property for details.
Ability to specify location of REST STS instance
AM 7.3 includes a new option in the REST STS configuration that lets you specify whether the STS instance is running on the AM host or as a separate, remote Java process.
Refer to the STS Instance is running as remote instance property for details.
Fixes
Fixes in AM 8.0.x
This page lists the cumulative fixes in AM 8.0.x releases:
AM 8.0.1
Issue | Description |
---|---|
AME-31120 | Prevent using library scripts in Node Designer scripts |
AME-31114 | Change the case of the SNS push message |
AME-31109 | Amster 8.0 import fails with |
OPENAM-23770 | WebAuthn node flow causes exception instead of |
AM 8.0
Issue | Description |
---|---|
OPENAM-23581 | Configuration Provider node doesn’t accept duration values as integers |
OPENAM-23537 | Configuration Provider node fails to get inputs for Inner Tree node |
OPENAM-23519 | Android devices without a screen lock throw an error with WebAuthn registration |
OPENAM-23518 | AuthenticateToTreeConditionAdvice doesn’t work with Inner Tree as first node |
OPENAM-23516 | Timeout node configuration properties no longer accept negative numbers |
OPENAM-23441 | Enabling OAuth2 client option "Allow wildcard ports in redirect URIs" prevents application URIs from working |
OPENAM-23427 | Composite advice with Auth Level fails when the realm contains a broken journey |
OPENAM-23228 | Fix file leak when receiving large response from next-generation scripting |
OPENAM-23095 | Reduced default OAuth2 denylist poll interval to ensure access token is correctly reported invalid |
OPENAM-23091 | Fix for |
OPENAM-23077 | The |
OPENAM-23059 | |
OPENAM-22988 | Failover doesn’t occur when heartbeat interval is set to 0 |
OPENAM-22966 | AM should accept |
OPENAM-22955 | Set Persistent Cookie node before tree failure causes 500 error instead of 401 |
OPENAM-22865 | Stateful refresh token revoke race condition |
OPENAM-22846 | External app/policy store active/passive LB isn’t working |
OPENAM-22811 | Unable to modify |
OPENAM-22708 | Loop back to the same node causes exception when the journey runs |
OPENAM-22688 | Page node localization for header, description and footer isn’t working as expected |
OPENAM-22675 | Next-generation scripting |
OPENAM-22657 | JWT validation fails when signed using the RS256 algorithm |
OPENAM-22652 | Some authentication nodes missing from am-external after IDM node separation |
OPENAM-22630 | Empty webhooks property key results in NullPointerException |
OPENAM-22608 | Non-extractable secrets in HSM fails to work on AM for SAML2 XML signing |
OPENAM-22298 | NullPointerException in |
OPENAM-22297 | Saml2Node doesn’t log whether SP and IDP descriptor were retrieved |
OPENAM-22270 | No OAuth clients shown when scalable agents enabled |
OPENAM-22264 | AM doesn’t use global service schema properties set by |
OPENAM-22171 | Forgotten Password flow fails when AM searches for the identity to modify |
OPENAM-22146 | Request object failure not logged even when debug logging is set to highest level |
OPENAM-22120 | Backchannel logout tokens now include the |
OPENAM-22009 | Providing an invalid alias to a secret store mapping breaks AM |
OPENAM-21974 | Social Identity Provider Service: LinkedIn template is out of date |
OPENAM-21913 | When doing Session upgrade the Session property |
OPENAM-21617 | Exception thrown by scope validator script not whitelisted in script engine configuration |
OPENAM-21545 | Unable to create a circle of trust in file-based configuration with external data store |
OPENAM-21003 | IE11 not working during SAML tree authentication due to use of Arrow function |
OPENAM-18252 | Let nodes update the universal ID for impersonation and peer authentication |
OPENAM-15834 | Access token call fails when an unsupported claim is requested |
OPENAM-15410 | Audience claim not able to customize if scope with openid and profile |
OPENAM-14438 | Ensure OAuth2ClientAgentGroups are imported before OAuth2ClientAgents in Amster |
OPENAM-14217 | Add more debug when getSessionInfo v2.1 fails with Internal Server Error |
AM 7.5.x
AM 7.5.2
Issue | Description |
---|---|
OPENAM-24543 | The PingOne Protect Initialization node displays an unnecessary form to the end user |
OPENAM-24349 | "Unable to determine key size for key" error occurs when signing an assertion with an explicit signing algorithm configured in the SP |
OPENAM-24335 | The |
OPENAM-24125 | OAuth 2.0 or agent service fails to recover after schema reload required for external app store |
OPENAM-24109 | LDAPFilterCondition uses search time limit for request timeout |
OPENAM-23716 | Policy lookup doesn’t error when cache isn’t populated and policy store is down |
OPENAM-23595 | Redirect using a URN loses the scheme-specific part |
OPENAM-23767 | The |
OPENAM-23766 | Adapter Environment under SP role in the GUI isn’t working properly |
OPENAM-23519 | Android devices without a screen lock not working with WebAuthn registration |
OPENAM-23518 | AuthenticateToTreeConditionAdvice does not work with innerTree as first node |
OPENAM-23441 | Enabling OAuth 2.0 client option "Allow wildcard ports in redirect URIs" prevents application URIs from working |
OPENAM-23341 | AM doesn’t log errors for OIDC or OAuth 2.0 failures |
OPENAM-23283 | SecretReferenceCache not used for |
OPENAM-23091 | Fix for |
OPENAM-22988 | Failover doesn’t occur when heartbeat interval is set to |
OPENAM-22846 | External app/policy store active/passive LB isn’t working |
OPENAM-22657 | JWT validation fails when signed using the RS256 algorithm |
OPENAM-22654 | BooleanAttributeInputCallback renders an enabled checkbox in AM XUI |
OPENAM-22630 | Empty webhooks property key results in a NullPointerException |
OPENAM-22608 | Non-extractable secrets in HSM fails to work on AM for SAML2 XML signing |
OPENAM-22520 | WebAuthN (FIDO Certification): TPM attestation failing when |
OPENAM-22346 | The RP |
OPENAM-22298 | NullPointerException in |
OPENAM-22281 | NameIdFormat values populated for remote IdP |
OPENAM-22120 | Backchannel logout tokens now include the |
OPENAM-20776 | Enable private key jwt audience to be configurable |
OPENAM-20239 | Setting the |
OPENAM-20089 | Configuration Provider nodes don’t take integer values |
OPENAM-15834 | Access token call fails when an unsupported claim is requested |
OPENAM-15410 | Audience claim not customizable when scope set to |
AM 7.5.1
Issue | Description |
---|---|
IAM-5473 | Always save UI environment variables to |
IAM-6429 | Failure URL node not working as expected on Safari when used with a Message node |
OPENAM-23059 | SSOADM doesn’t work for realm defaults |
OPENAM-22955 | Set Persistent Cookie node causes 500 error before failure |
OPENAM-22847 | Nodes that use a tree hook with an injection annotation cause an error when the tree fails |
OPENAM-22836 | Unable to update KBA security questions using XUI |
OPENAM-22753 | Destroy All session may fail to work |
OPENAM-22717 | SP-initiated SSO fails with "Illegal character in scheme name" when the IdP entity name has a special character |
OPENAM-22715 | |
OPENAM-22708 | Loop back to the same node causes exception when tree is executed |
OPENAM-22696 | Persistent search notification invalidation on AD identity store doesn’t invalidate user cached attributes |
OPENAM-22676 | |
OPENAM-22675 | Unable to set a default value for NameCallback in next-generation |
OPENAM-22672 | Configuring SAML entities with invalid secret label mappings break SAML flows for other entities |
OPENAM-22656 | Setting |
OPENAM-22632 | |
OPENAM-22620 | Slow response from access token endpoint using client credentials grant |
OPENAM-22602 | OIDC ID Token Validator Node isn’t using inbuilt |
OPENAM-22465 | Unexpected error when |
OPENAM-22391 | Issues with |
OPENAM-22322 | ArtifactResponse Assertion that is signed cannot be verified and fails |
OPENAM-22318 | OAUTH_REQUEST_ATTRIBUTES cookie isn’t getting deleted after authentication |
OPENAM-22289 | Session quota action may fail when the session is not updateable but should be fine to proceed |
OPENAM-22281 | NameIdFormat values populated for remote IdP |
OPENAM-22181 | Approve UMA request fails with 500 error when AM deployed as a platform |
OPENAM-22171 | Forgotten password fails when AM searches for the identity to modify |
OPENAM-22146 | OAuth 2.0 request object failure not logged for POST requests even when full debug logging is enabled |
OPENAM-22120 | Backchannel logout tokens now include the |
OPENAM-22109 | The expiry time of OPS token in 7.x fails to update correctly |
OPENAM-22009 | Providing an invalid alias to a secret store mapping breaks AM |
OPENAM-21972 | SAML artifact binding is failing in load-balanced deployments |
OPENAM-21951 | No option to set the |
OPENAM-21897 | Creation order determines policy evaluate and evaluateTree results |
OPENAM-21864 | No option to enable the |
OPENAM-21852 | Failure when reading input from next-generation SelectIDPCallback |
OPENAM-21609 | OAuth2Provider service created immediately after install/restart isn’t available in code flow |
OPENAM-21191 | Web agent sessions have a long session lifetime of 42 years |
OPENAM-21158 | Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2 |
OPENAM-20945 | Unable to trace token revocation back to resource owner because of missing |
OPENAM-20609 | Inconsistent error message getting access token when using refresh token after changing username |
OPENAM-20314 | Social Provider Handler node and Social IdP service use the |
OPENAM-14438 | Ensure OAuth2ClientAgentGroups are imported before OAuth2ClientAgents in Amster |
AM 7.5
Issue | Description |
---|---|
OPENAM-22206 | AM upgrade fails for 7.1.4 and older: Creating UMA PCT Encryption Secret Failed |
OPENAM-22191 | JUnit jars are bundled in the AM.war release |
OPENAM-22119 | "Access to Java class ScriptedLoggerWrapper prohibited" exception |
OPENAM-22101 | UI admin tests are failing since updating secret ID to secret label |
OPENAM-22060 | am-config-upgrader: poor performance |
OPENAM-22035 | Page Nodes don’t delete contained nodes when a tree is deleted |
OPENAM-22017 | ConfigProviderNode creates node class dynamically leading to native memory leak |
OPENAM-21976 | Single point of locking contention when doing Client-based session logout |
OPENAM-21941 | Unable to edit policies in the UI |
OPENAM-21937 | Quota Enforcement affecting agents sessions that authenticate by tree |
OPENAM-21936 | Unable to use Legacy and Next Generation Script in the same authentication tree |
OPENAM-21912 | OAuth2/OIDC signing slow with RSA keys when using Google Secret Manager |
OPENAM-21856 | Introspecting stateless token with IG/Web agents will cause OAuth2ChfException |
OPENAM-21854 | TermsAndConditionsCallback fails with error on XUI |
OPENAM-21840 | Warning for missing mapping in dynamic secret doesn’t warn for missing secret label identifier |
OPENAM-21803 | CertificateUserExtractorNode cannot resolve wrong name when UPN SubjectAltNameExt |
OPENAM-21780 | Next generation scripting |
OPENAM-21748 | Next generation scripting missing "get" wrapper function for HiddenValueCallback |
OPENAM-21747 | Amster not working after connecting when AM REST call has extra |
OPENAM-21739 | Running the am-config-upgrader on an empty directory results in unexpected addition of library scripting service |
OPENAM-21707 | file-functional-tests: OAuth2Provider doesn’t allow setting of default consent agent when scalableAgents are enabled |
OPENAM-21693 | Remove default global library script |
OPENAM-21664 | Upgrade fails to AM 7.4 with an uncaught exception when initialising the PrivilegeIndexStore class |
OPENAM-21506 | Inner Evaluator Tree with Data Store Decision node fails with correct password on first pass when used with Retry Decision node |
OPENAM-21484 | OAuth2 tokenintrospection response has different claim value types when refresh tokens are introspected |
OPENAM-21473 | Certificate collector node: getPortalStyleCert throws exception when cert/header not present |
OPENAM-21389 | Searching algorithm for calculating the reachability of a node in a tree returns incorrect result |
OPENAM-21277 | Running Amster in debug mode doesn’t work on Windows |
OPENAM-21053 | User ID is missing from access.audit.json for JWT client authentication flow using |
OPENAM-20924 | Reentry cookie when set causes the user to redirect to an incorrect IdP |
OPENAM-20490 | AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes" |
OPENAM-20329 | Forgerock JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) not spec compliant |
OPENAM-19999 | ID token as AM session doesn’t work with |
OPENAM-19889 | Policy evaluation fails with Agent access token JWT as subject |
OPENAM-17816 | 500 Internal Server Error (from NPE) returned for a missing Content-Type header |
OPENAM-17315 | Update defaults scripts with the change introduced in COMMONS-628 |
AM 7.4.x
AM 7.4.2
Issue | Description |
---|---|
OPENAM-23441 | Enabling OAuth2 client option "Allow wildcard ports in redirect URIs" prevents application URIs from working |
OPENAM-23091 | Fix for |
OPENAM-23059 | |
OPENAM-22988 | Failover doesn’t occur when |
OPENAM-22846 | External app/policy store active/passive LB isn’t working |
OPENAM-22836 | Unable to update KBA security questions using XUI |
OPENAM-22717 | SP-initiated SSO fails with "Illegal character in scheme name" when the IdP entity name has a special character |
OPENAM-22657 | JWT validation fails when signed using the RS256 algorithm |
OPENAM-22632 | AMSetupServlet install error with Windows multi-domain environment |
OPENAM-22608 | Non-extractable secrets in HSM fails to work on AM for SAML2 XML signing |
OPENAM-22465 | Unexpected error when request_uri client doesn’t match request parameter client in PAR authorise request |
OPENAM-22391 | Issues with |
OPENAM-22346 | The RP |
OPENAM-22322 | Signed ArtifactResponse Assertion can’t be verified and fails |
OPENAM-22318 | OAUTH_REQUEST_ATTRIBUTES cookie isn’t getting deleted after authentication |
OPENAM-22298 | NullPointerException in |
OPENAM-22264 | Add global attribute handling to |
OPENAM-22120 | Backchannel logout tokens now include the |
OPENAM-21951 | No option to set the |
OPENAM-21926 | Lockout message is not applied when using Identity Store Decision node |
OPENAM-21897 | Creation order determines policy |
OPENAM-21864 | No option to enable the |
OPENAM-21748 | Next-generation scripting missing "get" wrapper function for HiddenValueCallback |
OPENAM-21609 | OAuth2Provider service created immediately after install/restart isn’t available in code flow |
OPENAM-21545 | Unable to create a circle of trust in file-based configuration with external data store |
OPENAM-20945 | Unable to trace token revocation back to resource owner because of missing |
OPENAM-20314 | Social Provider Handler node and Social IdP service use the |
OPENAM-20239 | Setting the |
OPENAM-15834 | Access token call fails when an unsupported claim is requested |
OPENAM-14438 | Ensure OAuth2ClientAgentGroups are imported before OAuth2ClientAgents in Amster |
AM 7.4.1
Issue | Description |
---|---|
OPENAM-22753 | Destroy All session may fail to work |
OPENAM-22715 | PlaceholderAnnotationUtils.insertDefaultValueIntoPlaceholder is not escaping values correctly |
OPENAM-22696 | Persistent search notification invalidation on AD identity store doesn’t invalidate user cached attributes |
OPENAM-22620 | Slow response from access token endpoint using client credentials grant |
OPENAM-22602 | OIDC ID Token Validator node uses own httpClient settings to connect to JWK or well-known URL |
OPENAM-22421 | WebAuthn: Windows Hello TPM Attestation failing for Windows 11 22H2 |
OPENAM-22289 | Session quota action may fail when the session isn’t updatable but should be fine to proceed |
OPENAM-22181 | Approve UMA request fails with 500 error when AM deployed as a platform |
OPENAM-22171 | Forgotten password fails when AM searches for the identity to modify |
OPENAM-22119 | "Access to Java class ScriptedLoggerWrapper prohibited" exception |
OPENAM-22109 | The expiry time of OPS token in 7.x doesn’t change with the time of tokens created |
OPENAM-22017 | Configuration Provider node creates node class dynamically leading to native memory leak |
OPENAM-21976 | Single point of locking contention when doing client-based session logout |
OPENAM-21972 | SAML artifact binding is using crosstalk for artifact resolution |
OPENAM-21941 | Unable to edit policies in the UI |
OPENAM-21937 | Quota enforcement affects agent sessions that authenticate by tree |
OPENAM-21936 | Unable to use legacy and next-generation scripts in the same authentication tree |
OPENAM-21868 | ssoadm |
OPENAM-21854 | TermsAndConditionsCallback fails with error on XUI |
OPENAM-21803 | Certificate User Extractor node cannot resolve wrong name when UPN SubjectAltNameExt |
OPENAM-21780 | Next-generation |
OPENAM-21747 | Amster not working after connecting when AM REST call has extra |
OPENAM-21664 | Upgrade fails to AM 7.4.0 with an uncaught exception when initializing the PrivilegeIndexStore class |
OPENAM-21484 | OAuth 2.0 token introspection response has different claim value types when introspecting refresh tokens |
OPENAM-21473 | Certificate Collector node: getPortalStyleCert throws exception when cert/header not present |
OPENAM-21466 | AM using OIDC social authentication fails to verify ID token if remote JWK_URIs have duplicate KID |
OPENAM-21277 | Running Amster in debug mode doesn’t work on Windows |
OPENAM-21191 | Web agent sessions have a long session lifetime of 42 years |
OPENAM-20609 | Inconsistent error message when generating access token using refresh token after changing username |
OPENAM-19999 | ID token as AM session doesn’t work with |
OPENAM-19889 | Policy evaluation fails with agent access token JWT as subject |
OPENAM-17816 | 500 Internal Server Error (from NPE) returned for a missing Content-Type header |
AM 7.4
Issue | Description |
---|---|
OPENAM-21476 | Persistent Cookie isn’t created when using Configuration Provider node |
OPENAM-21421 | Scripting logger name isn’t based on logging hierarchy convention |
OPENAM-21390 | Fix caching error when a journey switches backend instances to correctly provide data to |
OPENAM-21360 | Add |
OPENAM-21323 | LDAP (inline) upgrade fails due to policy creation of UssSelfWriteAttributes |
OPENAM-21304 | Retain request URI values specified during dynamic client registration |
OPENAM-21164 | Fix type issue of XML String in SAML responses when using a custom adapter |
OPENAM-21160 | Make sure secure state values are retained when navigating the authentication tree |
OPENAM-21158 | Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2 |
OPENAM-21085 | Undefined bindings are incorrectly evaluated in Groovy scripts |
OPENAM-21069 | WindowsDesktopSSO authentication is failing |
OPENAM-21053 | Missing |
OPENAM-21030 | Amster CLI doesn’t work on Windows |
OPENAM-21010 | Social authentication user profile corrupted when remote OIDC server provides non-English identity claims |
OPENAM-21004 | AM will always look for valid session when |
OPENAM-21001 | SAML IdPAccountMapper isn’t correctly determined |
OPENAM-20980 | OIDC social provider uses configured issuer instead of well-known endpoint issuer when using regex comparison |
OPENAM-20953 | Return subject attributes correctly when evaluating a policy using a |
OPENAM-20920 | Improve handling of SAML2 IDP metadata that uses SSO endpoint entries other than HTTP-POST or HTTP-Redirect bindings when binding is null |
OPENAM-20897 | Debug logs not showing info for ERROR: Unsupported Callback, "{0}" and others |
OPENAM-20895 | Newly created Maven archetype project for building custom authentication nodes fails to build |
OPENAM-20851 | Existing registered devices unable to use push notifications when AWS SNS credentials are updated |
OPENAM-20784 | TestUMAPolicy fails for users that will cause LocalizedIllegalArgumentException |
OPENAM-20756 | Social authentication request for Apple fails due to duplicated |
OPENAM-20691 | Fix rare race condition in session quota destroy next expiring action that can lead to the oldest session not being destroyed |
OPENAM-20682 | Unable to encrypt from |
OPENAM-20490 | AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes" |
OPENAM-20451 | Fix to display user-friendly account name during WebAuthn device registration |
OPENAM-20299 | Fix to make agent authentication honor |
OPENAM-20230 | Class allowlisting denies access to permitted classes after running for an extended period of time |
OPENAM-20026 | Social IDP with trailing whitespace in the name can’t be deleted using the UI |
OPENAM-20024 | Improve debug logging when login to XUI fails with HTTP 404 JsonValueException from endpoint |
OPENAM-19282 | Recovery Code Display Node works only immediately after Registration node |
OPENAM-19261 | Fix incorrectly logged errors when introspecting tokens using OAuth 2.0 client credentials grant |
OPENAM-18709 | New |
OPENAM-18685 | New realm-level configuration setting to remove or skip |
OPENAM-18004 | Support sequential transaction IDs to improve audit logging for HTTP requests to IDM |
OPENAM-17331 | Push Notifications: User with disabled endpoint is not able to login |
OPENAM-17179 | Deleting an authentication tree leaves orphaned nodes that prevent deletion of referenced scripts |
AM 7.3.x
AM 7.3.3
Issue | Description |
---|---|
OPENAM-23519 | Android devices without a screen lock not working with WebAuthn registration |
OPENAM-23518 | AuthenticateToTreeConditionAdvice doesn’t work with Inner Tree as first node |
OPENAM-23441 | Enabling OAuth2 client option "Allow wildcard ports in redirect URIs" prevents application URIs from working |
OPENAM-22846 | External app/policy store active/passive LB isn’t working |
OPENAM-22654 | BooleanAttributeInputCallback renders an enabled checkbox in AM XUI |
OPENAM-22608 | Non-extractable secrets in HSM fail to work on AM for SAML2 XML signing |
OPENAM-21026 | OAuth Clients don’t work when the redirect URI list contains an invalid URI |
OPENAM-20451 | Fix to display user-friendly account name during WebAuthn device registration |
OPENAM-15834 | Access token call fails when an unsupported claim is requested |
AM 7.3.2
Issue | Description |
---|---|
OPENAM-22836 | Unable to update KBA security questions using XUI |
OPENAM-22753 | Destroy All session may fail to work |
OPENAM-22717 | SP-initiated SSO fails with "Illegal character in scheme name" when IdP name contains a special character |
OPENAM-22696 | Persistent search notification invalidation on AD identity store doesn’t invalidate user cached attributes |
OPENAM-22656 | Setting |
OPENAM-22632 | AMSetupServlet install error with Windows multi-domain environment |
OPENAM-22602 | OIDC ID Token Validator node uses own |
OPENAM-22421 | WebAuthn: Windows Hello TPM Attestation failing for Windows 11 22H2 |
OPENAM-22391 | Issues with |
OPENAM-22322 | Unable to verify signed ArtifactResponse Assertion leading to failure |
OPENAM-22318 | OAUTH_REQUEST_ATTRIBUTES cookie isn’t getting deleted after authentication |
OPENAM-22289 | Session quota action may fail when the session isn’t updatable but should be fine to proceed |
OPENAM-22288 | Amster upgrade 7.3.0-to-7.3.x fails with Groovy Exception |
OPENAM-22181 | Approve UMA request fails with 500 error when AM deployed as a platform |
OPENAM-22120 | Backchannel logout token doesn’t contain |
OPENAM-21972 | SAML artifact binding is failing in load-balanced deployments |
OPENAM-21937 | Quota enforcement affects agent sessions that authenticate by tree |
OPENAM-21897 | Creation order determines policy evaluate and evaluateTree results |
OPENAM-21473 | Certificate collector node: |
OPENAM-21322 | AM console allows creation of entity provider with space at the end of the name |
OPENAM-21191 | Web agent sessions have a long session lifetime of 42 years |
OPENAM-21085 | Undefined bindings are incorrectly evaluated in Groovy scripts |
OPENAM-20945 | Unable to trace token revocation back to resource owner because of missing |
OPENAM-20314 | Social Provider Handler node and Social IdP service use the |
OPENAM-20299 | Fix to make agent authentication honor |
OPENAM-19261 | Fix incorrectly logged errors when introspecting tokens using OAuth 2.0 client credentials grant |
AM 7.3.1
Issue | Description |
---|---|
OPENAM-22017 | ConfigProviderNode creates node class dynamically leading to native memory leak |
OPENAM-21976 | Single point of locking contention when performing client-based session logout |
OPENAM-21941 | Unable to edit policies in the UI |
OPENAM-21854 | TermsAndConditionsCallback fails with error on XUI |
OPENAM-21747 | REST SDK and Amster send cookies if request has cookie header |
OPENAM-21728 | Certificate module fails using JDK 11.0.21 and later with undefined access to private method |
OPENAM-21484 | Introspecting OAuth 2.0 refresh tokens results in different claim value types in the response |
OPENAM-21421 | Scripting logger name isn’t based on logging hierarchy convention |
OPENAM-21390 | ConsumedStateDataCache can cache an incomplete set of reachability data in a multi-AM environment |
OPENAM-21304 | OAuth 2.0 dynamic client registrations don’t retain |
OPENAM-21277 | Running Amster in debug mode doesn’t work on Windows |
OPENAM-21164 | Calling |
OPENAM-21160 | Inconsistent values in secure state when navigating an authentication tree |
OPENAM-21158 | Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2 |
OPENAM-21069 | WindowsDesktopSSO authentication is failing |
OPENAM-21030 | Amster 7.3.0 CLI isn’t working on Windows |
OPENAM-21010 | Social authentication with remote OIDC server corrupts non-English words in user profile |
OPENAM-21004 | AM will always look for valid session when scope=openid |
OPENAM-21001 | IdPAccountMapper is not correctly determined |
OPENAM-20980 | Unable to use issuer comparison check regex in OIDC social provider |
OPENAM-20897 | Debug logs not showing info for |
OPENAM-20895 | Newly-created Maven archetype project fails to build |
OPENAM-20756 | OIDC social authentication request (Apple) fails due to duplicate |
OPENAM-20691 | Destroy oldest session may fail to work |
OPENAM-20682 | Unable to encrypt from |
OPENAM-20490 | AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes" |
OPENAM-20026 | Trailing whitespace prevents social provider deletion via UI |
OPENAM-19999 | ID token as AM session doesn’t work with |
OPENAM-19889 | Policy evaluation fails with agent access token JWT as subject |
OPENAM-19282 | Recovery Code Display Node works only immediately after Registration node |
OPENAM-18599 | Allow for custom error message if user account is locked |
AM 7.3
Issue | Description |
---|---|
OPENAM-20396 | Authentication tree is selected by order of acr to tree mapping, not the default values, and order is not preserved |
OPENAM-20360 | Ampersand is double encoded in the Destination of a SAML Assertion |
OPENAM-20260 | Unable to log into AM when external application store is down |
OPENAM-20230 | Class allowlisting fails with permission denied after an extended period |
OPENAM-20181 | AD account notification fails |
OPENAM-20159 | Upgrader adds requestObjectProcessing to OAuth2Provider subconfigs |
OPENAM-20104 | The |
OPENAM-20085 | STS token generation does not work with clustered Docker pods |
OPENAM-20082 | Locked out users are shown a misleading error message |
OPENAM-19868 | Correctly handle multi-line text in Email Suspend nodes |
OPENAM-19866 | Excessive logging when accessing protected resources |
OPENAM-19726 | The |
OPENAM-19665 | Wrong Java version in Amster README file |
OPENAM-19515 | Unable to update session service with read-only identity store |
OPENAM-19411 | Amster installation failure with authorizedKey parameter when trying to overwrite an existing configuration |
OPENAM-18818 | Persistent search error message shows wrong DS identifier |
OPENAM-18488 | Windows Hello with TPM/platform authenticator returns two certificates |
OPENAM-18172 | Multiple instances of "No Social Authentication Service found for realm" logged at WARNING level |
OPENAM-17215 | Policy debug log fills up at a very high pace if the config store is not found |
OPENAM-13766 | No configuration found for login with SessionConditionAdvice=deny |
Fixes in AM 7.5.x
This page lists the cumulative fixes in AM 7.5.x releases:
AM 7.5.2
Issue | Description |
---|---|
OPENAM-24543 | The PingOne Protect Initialization node displays an unnecessary form to the end user |
OPENAM-24349 | "Unable to determine key size for key" error occurs when signing an assertion with an explicit signing algorithm configured in the SP |
OPENAM-24335 | The |
OPENAM-24125 | OAuth 2.0 or agent service fails to recover after schema reload required for external app store |
OPENAM-24109 | LDAPFilterCondition uses search time limit for request timeout |
OPENAM-23716 | Policy lookup doesn’t error when cache isn’t populated and policy store is down |
OPENAM-23595 | Redirect using a URN loses the scheme-specific part |
OPENAM-23767 | The |
OPENAM-23766 | Adapter Environment under SP role in the GUI isn’t working properly |
OPENAM-23519 | Android devices without a screen lock not working with WebAuthn registration |
OPENAM-23518 | AuthenticateToTreeConditionAdvice does not work with innerTree as first node |
OPENAM-23441 | Enabling OAuth 2.0 client option "Allow wildcard ports in redirect URIs" prevents application URIs from working |
OPENAM-23341 | AM doesn’t log errors for OIDC or OAuth 2.0 failures |
OPENAM-23283 | SecretReferenceCache not used for |
OPENAM-23091 | Fix for |
OPENAM-22988 | Failover doesn’t occur when heartbeat interval is set to |
OPENAM-22846 | External app/policy store active/passive LB isn’t working |
OPENAM-22657 | JWT validation fails when signed using the RS256 algorithm |
OPENAM-22654 | BooleanAttributeInputCallback renders an enabled checkbox in AM XUI |
OPENAM-22630 | Empty webhooks property key results in a NullPointerException |
OPENAM-22608 | Non-extractable secrets in HSM fail to work on AM for SAML2 XML signing |
OPENAM-22520 | WebAuthn (FIDO Certification): TPM attestation failing when |
OPENAM-22346 | The RP |
OPENAM-22298 | NullPointerException in |
OPENAM-22281 | NameIdFormat values populated for remote IdP |
OPENAM-22120 | Backchannel logout tokens now include the |
OPENAM-20776 | Enable private key JWT audience to be configurable |
OPENAM-20239 | Setting the |
OPENAM-20089 | Configuration Provider nodes don’t take integer values |
OPENAM-15834 | Access token call fails when an unsupported claim is requested |
OPENAM-15410 | Audience claim not customizable when scope set to |
AM 7.5.1
Issue | Description |
---|---|
IAM-5473 | Always save UI environment variables to |
IAM-6429 | Failure URL node not working as expected on Safari when used with a Message node |
OPENAM-23059 | SSOADM doesn’t work for realm defaults |
OPENAM-22955 | Set Persistent Cookie node causes 500 error before failure |
OPENAM-22847 | Nodes that use a tree hook with an injection annotation cause an error when the tree fails |
OPENAM-22836 | Unable to update KBA security questions using XUI |
OPENAM-22753 | Destroy All session may fail to work |
OPENAM-22717 | SP-initiated SSO fails with "Illegal character in scheme name" when the IdP entity name has a special character |
OPENAM-22715 | |
OPENAM-22708 | Loop back to the same node causes exception when tree is executed |
OPENAM-22696 | Persistent search notification invalidation on AD identity store doesn’t invalidate user cached attributes |
OPENAM-22676 | |
OPENAM-22675 | Unable to set a default value for NameCallback in next-generation |
OPENAM-22672 | Configuring SAML entities with invalid secret label mappings breaks SAML flows for other entities |
OPENAM-22656 | Setting |
OPENAM-22632 | |
OPENAM-22620 | Slow response from access token endpoint using client credentials grant |
OPENAM-22602 | OIDC ID Token Validator Node isn’t using inbuilt |
OPENAM-22465 | Unexpected error when |
OPENAM-22391 | Issues with |
OPENAM-22322 | ArtifactResponse Assertion that is signed cannot be verified and fails |
OPENAM-22318 | OAUTH_REQUEST_ATTRIBUTES cookie isn’t getting deleted after authentication |
OPENAM-22289 | Session quota action may fail when the session is not updatable but should be fine to proceed |
OPENAM-22281 | NameIdFormat values populated for remote IdP |
OPENAM-22181 | Approve UMA request fails with 500 error when AM deployed as a platform |
OPENAM-22171 | Forgotten password fails when AM searches for the identity to modify |
OPENAM-22146 | OAuth 2.0 request object failure not logged for POST requests even when full debug logging is enabled |
OPENAM-22120 | Backchannel logout tokens now include the |
OPENAM-22109 | The expiry time of OPS token in 7.x fails to update correctly |
OPENAM-22009 | Providing an invalid alias to a secret store mapping breaks AM |
OPENAM-21972 | SAML artifact binding is failing in load-balanced deployments |
OPENAM-21951 | No option to set the |
OPENAM-21897 | Creation order determines policy evaluate and evaluateTree results |
OPENAM-21864 | No option to enable the |
OPENAM-21852 | Failure when reading input from next-generation SelectIDPCallback |
OPENAM-21609 | OAuth2Provider service created immediately after install/restart isn’t available in code flow |
OPENAM-21191 | Web agent sessions have a long session lifetime of 42 years |
OPENAM-21158 | Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2 |
OPENAM-20945 | Unable to trace token revocation back to resource owner because of missing |
OPENAM-20609 | Inconsistent error message getting access token when using refresh token after changing username |
OPENAM-20314 | Social Provider Handler node and Social IdP service use the |
OPENAM-14438 | Ensure OAuth2ClientAgentGroups are imported before OAuth2ClientAgents in Amster |
AM 7.5
Issue | Description |
---|---|
OPENAM-22206 | AM upgrade fails for 7.1.4 and older: Creating UMA PCT Encryption Secret Failed |
OPENAM-22191 | JUnit jars are bundled in the AM.war release |
OPENAM-22119 | "Access to Java class ScriptedLoggerWrapper prohibited" exception |
OPENAM-22101 | UI admin tests are failing since updating secret ID to secret label |
OPENAM-22060 | am-config-upgrader: poor performance |
OPENAM-22035 | Page Nodes don’t delete contained nodes when a tree is deleted |
OPENAM-22017 | ConfigProviderNode creates node class dynamically leading to native memory leak |
OPENAM-21976 | Single point of locking contention when doing client-based session logout |
OPENAM-21941 | Unable to edit policies in the UI |
OPENAM-21937 | Quota enforcement affects agent sessions that authenticate by tree |
OPENAM-21936 | Unable to use legacy and next-generation scripts in the same authentication tree |
OPENAM-21912 | OAuth2/OIDC signing slow with RSA keys when using Google Secret Manager |
OPENAM-21856 | Introspecting stateless token with IG/Web agents will cause OAuth2ChfException |
OPENAM-21854 | TermsAndConditionsCallback fails with error on XUI |
OPENAM-21840 | Warning for missing mapping in dynamic secret doesn’t warn for missing secret label identifier |
OPENAM-21803 | CertificateUserExtractorNode cannot resolve wrong name when UPN SubjectAltNameExt |
OPENAM-21780 | Next-generation scripting |
OPENAM-21748 | Next-generation scripting missing "get" wrapper function for HiddenValueCallback |
OPENAM-21747 | Amster not working after connecting when AM REST call has extra |
OPENAM-21739 | Running the am-config-upgrader on an empty directory results in unexpected addition of library scripting service |
OPENAM-21707 | file-functional-tests: OAuth2Provider doesn’t allow setting of default consent agent when scalableAgents are enabled |
OPENAM-21693 | Remove default global library script |
OPENAM-21664 | Upgrade fails to AM 7.4 with an uncaught exception when initialising the PrivilegeIndexStore class |
OPENAM-21506 | Inner Evaluator Tree with Data Store Decision node fails with correct password on first pass when used with Retry Decision node |
OPENAM-21484 | OAuth2 token introspection response has different claim value types when refresh tokens are introspected |
OPENAM-21473 | Certificate collector node: getPortalStyleCert throws exception when cert/header not present |
OPENAM-21389 | Searching algorithm for calculating the reachability of a node in a tree returns incorrect result |
OPENAM-21277 | Running Amster in debug mode doesn’t work on Windows |
User ID is missing from access.audit.json for JWT client authentication flow using |
OPENAM-20924 |
Reentry cookie when set causes the user to redirect to an incorrect IdP |
OPENAM-20490 |
AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes" |
OPENAM-20329 |
Forgerock JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) not spec compliant |
OPENAM-19999 |
ID token as AM session doesn’t work with |
OPENAM-19889 |
Policy evaluation fails with Agent access token JWT as subject |
OPENAM-17816 |
500 Internal Server Error (from NPE) returned for a missing Content-Type header |
OPENAM-17315 |
Update defaults scripts with the change introduced in COMMONS-628 |
AM 7.4.x
AM 7.4.2
OPENAM-23441 |
Enabling OAuth2 client option "Allow wildcard ports in redirect URIs" prevents application URIs from working |
OPENAM-23091 |
Fix for |
OPENAM-23059 |
|
OPENAM-22988 |
Failover doesn’t occur when |
OPENAM-22846 |
External app/policy store active/passive LB isn’t working |
OPENAM-22836 |
Unable to update KBA security questions using XUI |
OPENAM-22717 |
SP-initiated SSO fails with "Illegal character in scheme name" when the IdP entity name has a special character |
OPENAM-22657 |
JWT validation fails when signed using the RS256 algorithm |
OPENAM-22632 |
AMSetupServlet install error with Windows multi-domain environment |
OPENAM-22608 |
Non-extractable secrets in HSM fails to work on AM for SAML2 XML signing |
OPENAM-22465 |
Unexpected error when request_uri client doesn’t match request parameter client in PAR authorise request |
OPENAM-22391 |
Issues with |
OPENAM-22346 |
The RP |
OPENAM-22322 |
Signed ArtifactResponse Assertion can’t be verified and fails |
OPENAM-22318 |
OAUTH_REQUEST_ATTRIBUTES cookie isn’t getting deleted after authentication |
OPENAM-22298 |
NullPointerException in |
OPENAM-22264 |
Add global attribute handling to |
OPENAM-22120 |
Backchannel logout tokens now include the |
OPENAM-21951 |
No option to set the |
OPENAM-21926 |
Lockout message is not applied when using Identity Store Decision node |
OPENAM-21897 |
Creation order determines policy |
OPENAM-21864 |
No option to enable the |
OPENAM-21748 |
Next-generation scripting missing "get" wrapper function for HiddenValueCallback |
OPENAM-21609 |
OAuth2Provider service created immediately after install/restart isn’t available in code flow |
OPENAM-21545 |
Unable to create a circle of trust in file-based configuration with external data store |
OPENAM-20945 |
Unable to trace token revocation back to resource owner because of missing |
OPENAM-20314 |
Social Provider Handler node and Social IdP service use the |
OPENAM-20239 |
Setting the |
OPENAM-15834 |
Access token call fails when an unsupported claim is requested |
OPENAM-14438 |
Ensure OAuth2ClientAgentGroups are imported before OAuth2ClientAgents in Amster |
AM 7.4.1
OPENAM-22753 |
Destroy All session may fail to work |
OPENAM-22715 |
PlaceholderAnnotationUtils.insertDefaultValueIntoPlaceholder is not escaping values correctly |
OPENAM-22696 |
Persistent search notification invalidation on AD identity store doesn’t invalidate user cached attributes |
OPENAM-22620 |
Slow response from access token endpoint using client credentials grant |
OPENAM-22602 |
OIDC ID Token Validator node uses own httpClient settings to connect to JWK or well-known URL |
OPENAM-22421 |
Webauthn: Windows Hello TPM Attestation failing for Windows 11 22H2 |
OPENAM-22289 |
Session quota action may fail when the session isn’t updatable but should be fine to proceed |
OPENAM-22181 |
Approve UMA request fails with 500 error when AM deployed as a platform |
OPENAM-22171 |
Forgotten password fails when AM searches for the identity to modify |
OPENAM-22119 |
"Access to Java class ScriptedLoggerWrapper prohibited" exception |
OPENAM-22109 |
The expiry time of OPS token in 7.x doesn’t change with the time of tokens created |
OPENAM-22017 |
Configuration Provider node creates node class dynamically leading to native memory leak |
OPENAM-21976 |
Single point of locking contention when doing client-based session logout |
OPENAM-21972 |
SAML artifact binding is using crosstalk for artifact resolution |
OPENAM-21941 |
Unable to edit policies in the UI |
OPENAM-21937 |
Quota enforcement affects agent sessions that authenticate by tree |
OPENAM-21936 |
Unable to use legacy and next-generation scripts in the same authentication tree |
OPENAM-21868 |
ssoadm |
OPENAM-21854 |
TermsAndConditionsCallback fails with error on XUI |
OPENAM-21803 |
Certificate User Extractor node cannot resolve wrong name when UPN SubjectAltNameExt |
OPENAM-21780 |
Next-generation |
OPENAM-21747 |
Amster not working after connecting when AM REST call has extra |
OPENAM-21664 |
Upgrade fails to AM 7.4.0 with an uncaught exception when initializing the PrivilegeIndexStore class |
OPENAM-21484 |
OAuth 2.0 token introspection response has different claim value types when introspecting refresh tokens |
OPENAM-21473 |
Certificate Collector node: getPortalStyleCert throws exception when cert/header not present |
OPENAM-21466 |
AM using OIDC social authentication fails to verify ID token if remote JWK_URIs have duplicate KID |
OPENAM-21277 |
Running Amster in debug mode doesn’t work on Windows |
OPENAM-21191 |
Web agent sessions have a long session lifetime of 42 years |
OPENAM-20609 |
Inconsistent error message when generating access token using refresh token after changing username |
OPENAM-19999 |
ID token as AM session doesn’t work with |
OPENAM-19889 |
Policy evaluation fails with agent access token JWT as subject |
OPENAM-17816 |
500 Internal Server Error (from NPE) returned for a missing Content-Type header |
AM 7.4
OPENAM-21476 |
Persistent Cookie isn’t created when using Configuration Provider node |
OPENAM-21421 |
Scripting logger name isn’t based on logging hierarchy convention |
OPENAM-21390 |
Fix caching error when a journey switches backend instances to correctly provide data to |
OPENAM-21360 |
Add |
OPENAM-21323 |
LDAP (inline) upgrade fails due to policy creation of UssSelfWriteAttributes |
OPENAM-21304 |
Retain request URI values specified during dynamic client registration |
OPENAM-21164 |
Fix type issue of XML String in SAML responses when using a custom adapter |
OPENAM-21160 |
Make sure secure state values are retained when navigating the authentication tree |
OPENAM-21158 |
Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2 |
OPENAM-21085 |
Undefined bindings are incorrectly evaluated in Groovy scripts |
OPENAM-21069 |
WindowsDesktopSSO authentication is failing |
OPENAM-21053 |
Missing |
OPENAM-21030 |
Amster CLI doesn’t work on Windows |
OPENAM-21010 |
Social authentication user profile corrupted when remote OIDC server provides non-English identity claims |
OPENAM-21004 |
AM will always look for valid session when |
OPENAM-21001 |
SAML IdPAccountMapper isn’t correctly determined |
OPENAM-20980 |
OIDC social provider uses configured issuer instead of wellknown endpoint issuer when using regex comparison |
OPENAM-20953 |
Return subject attributes correctly when evaluating a policy using a |
OPENAM-20920 |
Improve handling of SAML2 IDP metadata that uses SSO endpoint entries other than HTTP-POST or HTTP-Redirect bindings when binding is null |
OPENAM-20897 |
Debug logs not showing info for ERROR: Unsupported Callback, "{0}" and others |
OPENAM-20895 |
Newly created Maven archetype project for building custom authentication nodes fails to build |
OPENAM-20851 |
Existing registered devices unable to use push notifications when AWS SNS credentials are updated |
OPENAM-20784 |
TestUMAPolicy fails for users that will cause LocalizedIllegalArgumentException |
OPENAM-20756 |
Social authentication request for Apple fails due to duplicated |
OPENAM-20691 |
Fix rare race condition in session quota destroy next expiring action that can lead to the oldest session not being destroyed |
OPENAM-20682 |
Unable to encrypt from |
OPENAM-20490 |
AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes" |
OPENAM-20451 |
Fix to display user-friendly account name during WebAuthn device registration |
OPENAM-20299 |
Fix to make agent authentication honor |
OPENAM-20230 |
Class allowlisting denies access to permitted classes after running for an extended period of time |
OPENAM-20026 |
Social IDP with trailing whitespace in the name can’t be deleted using the UI |
OPENAM-20024 |
Improve debug logging when login to XUI fails with HTTP 404 JsonValueException from endpoint |
OPENAM-19282 |
Recovery Code Display Node works only immediately after Registration node |
OPENAM-19261 |
Fix incorrectly logged errors when introspecting tokens using OAuth 2.0 client credentials grant |
OPENAM-18709 |
New |
OPENAM-18685 |
New realm-level configuration setting to remove or skip |
OPENAM-18004 |
Support sequential transaction IDs to improve audit logging for HTTP requests to IDM |
OPENAM-17331 |
Push Notifications: User with disabled endpoint is not able to login |
OPENAM-17179 |
Deleting an authentication tree leaves orphaned nodes that prevent deletion of referenced scripts |
AM 7.3.x
AM 7.3.3
Key | Summary |
---|---|
OPENAM-23519 | Android devices without a screen lock not working with WebAuthn registration |
OPENAM-23518 | AuthenticateToTreeConditionAdvice doesn’t work with Inner Tree as first node |
OPENAM-23441 | Enabling OAuth2 client option "Allow wildcard ports in redirect URIs" prevents application URIs from working |
OPENAM-22846 | External app/policy store active/passive LB isn’t working |
OPENAM-22654 | BooleanAttributeInputCallback renders an enabled checkbox in AM XUI |
OPENAM-22608 | Non-extractable secrets in HSM fails to work on AM for SAML2 XML signing |
OPENAM-21026 | OAuth Clients don’t work when the redirect uri list contains an invalid uri |
OPENAM-20451 | Fix to display user-friendly account name during WebAuthn device registration |
OPENAM-15834 | Access token call fails when an unsupported claim is requested |
AM 7.3.2
Key | Summary |
---|---|
OPENAM-22836 | Unable to update KBA Security questions using XUI |
OPENAM-22753 | Destroy All session may fail to work |
OPENAM-22717 | SP-initiated SSO fails with "Illegal character in scheme name" when IdP name contains a special character |
OPENAM-22696 | Persistent search notification invalidation on AD identity store doesn’t invalidate user cached attributes |
OPENAM-22656 | Setting |
OPENAM-22632 | AMSetupServlet install error with Windows multi-domain environment |
OPENAM-22602 | OIDC ID Token Validator node uses own |
OPENAM-22421 | Webauthn: Windows Hello TPM Attestation failing for Windows 11 22H2 |
OPENAM-22391 | Issues with |
OPENAM-22322 | Unable to verify signed ArtifactResponse Assertion leading to failure |
OPENAM-22318 | OAUTH_REQUEST_ATTRIBUTES cookie isn’t getting deleted after authentication |
OPENAM-22289 | Session quota action may fail when the session isn’t updatable but should be fine to proceed |
OPENAM-22288 | Amster upgrade 7.3.0-to-7.3.x fails with Groovy Exception |
OPENAM-22181 | Approve UMA request fails with 500 error when AM deployed as a platform |
OPENAM-22120 | Backchannel logout token doesn’t contain |
OPENAM-21972 | SAML artifact binding is failing in load-balanced deployments |
OPENAM-21937 | Quota enforcement affects agent sessions that authenticate by tree |
OPENAM-21897 | Creation order determines policy evaluate and evaluateTree results |
OPENAM-21473 | Certificate collector node: |
OPENAM-21322 | AM console allows creation of entity provider with space at the end of the name |
OPENAM-21191 | Web agent sessions have a long session lifetime of 42 years |
OPENAM-21085 | Undefined bindings are incorrectly evaluated in Groovy scripts |
OPENAM-20945 | Unable to trace token revocation back to resource owner because of missing |
OPENAM-20314 | Social Provider Handler node and Social IdP service use the |
OPENAM-20299 | Fix to make agent authentication honor |
OPENAM-19261 | Fix incorrectly logged errors when introspecting tokens using OAuth 2.0 client credentials grant |
AM 7.3.1
Key | Summary |
---|---|
OPENAM-22017 | ConfigProviderNode creates node class dynamically leading to native memory leak |
OPENAM-21976 | Single point of locking contention when performing client-based session logout |
OPENAM-21941 | Unable to edit policies in the UI |
OPENAM-21854 | TermsAndConditionsCallback fails with error on XUI |
OPENAM-21747 | Rest SDK and Amster send cookies if request has cookie header |
OPENAM-21728 | Certificate module fails using JDK 11.0.21 and later with undefined access to private method |
OPENAM-21484 | Introspecting OAuth 2.0 refresh tokens results in different claim value types in the response |
OPENAM-21421 | Scripting logger name isn’t based on logging hierarchy convention |
OPENAM-21390 | ConsumedStateDataCache can cache an incomplete set of reachability data when on multi-AM environment |
OPENAM-21304 | OAuth 2.0 dynamic client registrations don’t retain |
OPENAM-21277 | Running Amster in debug mode doesn’t work on Windows |
OPENAM-21164 | Calling |
OPENAM-21160 | Inconsistent values in secure state when navigating an authentication tree |
OPENAM-21158 | Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2 |
OPENAM-21069 | WindowsDesktopSSO authentication is failing |
OPENAM-21030 | Amster 7.3.0 CLI isn’t working on Windows |
OPENAM-21010 | Social authentication for remote OIDC server for user profile non-english words corrupted |
OPENAM-21004 | AM will always look for valid session when scope=openid |
OPENAM-21001 | IdPAccountMapper is not correctly determined |
OPENAM-20980 | Unable to use issuer comparison check regex in oidc social provider |
OPENAM-20897 | Debug logs not showing info for |
OPENAM-20895 | Newly-created Maven archetype project fails to build |
OPENAM-20756 | OIDC social authentication request (Apple) fails due to duplicate |
OPENAM-20691 | Destroy oldest session may fail to work |
OPENAM-20682 | Unable to encrypt from |
OPENAM-20490 | AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes" |
OPENAM-20026 | Trailing whitespace prevents social provider deletion via UI |
OPENAM-19999 | ID token as AM session doesn’t work with |
OPENAM-19889 | Policy evaluation fails with agent access token JWT as subject |
OPENAM-19282 | Recovery Code Display Node works only immediately after Registration node |
OPENAM-18599 | Allow for custom error message if user account is locked |
AM 7.3
Key | Summary |
---|---|
OPENAM-20396 | Authentication tree is selected by order of acr to tree mapping, not the default values, and order is not preserved |
OPENAM-20360 | Ampersand is double encoded in the Destination of a SAML Assertion |
OPENAM-20260 | Unable to log into AM when external application store is down |
OPENAM-20230 | Class allowlisting fails with permission denied after an extended period |
OPENAM-20181 | AD account notification fails |
OPENAM-20159 | Upgrader adds requestObjectProcessing to OAuth2Provider subconfigs |
OPENAM-20104 | The |
OPENAM-20085 | STS token generation does not work with clustered docker pods |
OPENAM-20082 | Locked out users are shown a misleading error message |
OPENAM-19868 | Correctly handle multi-line text in Email Suspend nodes |
OPENAM-19866 | Excessive logging when accessing protected resources |
OPENAM-19726 | The |
OPENAM-19665 | Wrong Java version in Amster README file |
OPENAM-19515 | Unable to update session service with read only identity store |
OPENAM-19411 | Amster installation failure with authorizedKey parameter when trying to overwrite an existing configuration |
OPENAM-18818 | Persistent search error message shows wrong DS identifier |
OPENAM-18488 | Windows Hello with TPM/platform authenticator returns two certificates |
OPENAM-18172 | Multiple instances of "No Social Authentication Service found for realm" logged at WARNING level |
OPENAM-17215 | Policy debug log fills up at very high pace if the config store is not found |
OPENAM-13766 | No configuration found for login with SessionConditionAdvice=deny |
Fixes in AM 7.4.x
This page lists the cumulative fixes in AM 7.4.x releases:
AM 7.4.2
Key | Summary |
---|---|
OPENAM-23441 | Enabling OAuth2 client option "Allow wildcard ports in redirect URIs" prevents application URIs from working |
OPENAM-23091 | Fix for |
OPENAM-23059 | |
OPENAM-22988 | Failover doesn’t occur when |
OPENAM-22846 | External app/policy store active/passive LB isn’t working |
OPENAM-22836 | Unable to update KBA security questions using XUI |
OPENAM-22717 | SP-initiated SSO fails with "Illegal character in scheme name" when the IdP entity name has a special character |
OPENAM-22657 | JWT validation fails when signed using the RS256 algorithm |
OPENAM-22632 | AMSetupServlet install error with Windows multi-domain environment |
OPENAM-22608 | Non-extractable secrets in HSM fails to work on AM for SAML2 XML signing |
OPENAM-22465 | Unexpected error when request_uri client doesn’t match request parameter client in PAR authorise request |
OPENAM-22391 | Issues with |
OPENAM-22346 | The RP |
OPENAM-22322 | Signed ArtifactResponse Assertion can’t be verified and fails |
OPENAM-22318 | OAUTH_REQUEST_ATTRIBUTES cookie isn’t getting deleted after authentication |
OPENAM-22298 | NullPointerException in |
OPENAM-22264 | Add global attribute handling to |
OPENAM-22120 | Backchannel logout tokens now include the |
OPENAM-21951 | No option to set the |
OPENAM-21926 | Lockout message is not applied when using Identity Store Decision node |
OPENAM-21897 | Creation order determines policy |
OPENAM-21864 | No option to enable the |
OPENAM-21748 | Next-generation scripting missing "get" wrapper function for HiddenValueCallback |
OPENAM-21609 | OAuth2Provider service created immediately after install/restart isn’t available in code flow |
OPENAM-21545 | Unable to create a circle of trust in file-based configuration with external data store |
OPENAM-20945 | Unable to trace token revocation back to resource owner because of missing |
OPENAM-20314 | Social Provider Handler node and Social IdP service use the |
OPENAM-20239 | Setting the |
OPENAM-15834 | Access token call fails when an unsupported claim is requested |
OPENAM-14438 | Ensure OAuth2ClientAgentGroups are imported before OAuth2ClientAgents in Amster |
AM 7.4.1
Key | Summary |
---|---|
OPENAM-22753 | Destroy All session may fail to work |
OPENAM-22715 | PlaceholderAnnotationUtils.insertDefaultValueIntoPlaceholder is not escaping values correctly |
OPENAM-22696 | Persistent search notification invalidation on AD identity store doesn’t invalidate user cached attributes |
OPENAM-22620 | Slow response from access token endpoint using client credentials grant |
OPENAM-22602 | OIDC ID Token Validator node uses own httpClient settings to connect to JWK or well-known URL |
OPENAM-22421 | Webauthn: Windows Hello TPM Attestation failing for Windows 11 22H2 |
OPENAM-22289 | Session quota action may fail when the session isn’t updatable but should be fine to proceed |
OPENAM-22181 | Approve UMA request fails with 500 error when AM deployed as a platform |
OPENAM-22171 | Forgotten password fails when AM searches for the identity to modify |
OPENAM-22119 | "Access to Java class ScriptedLoggerWrapper prohibited" exception |
OPENAM-22109 | The expiry time of OPS token in 7.x doesn’t change with the time of tokens created |
OPENAM-22017 | Configuration Provider node creates node class dynamically leading to native memory leak |
OPENAM-21976 | Single point of locking contention when doing client-based session logout |
OPENAM-21972 | SAML artifact binding is using crosstalk for artifact resolution |
OPENAM-21941 | Unable to edit policies in the UI |
OPENAM-21937 | Quota enforcement affects agent sessions that authenticate by tree |
OPENAM-21936 | Unable to use legacy and next-generation scripts in the same authentication tree |
OPENAM-21868 | ssoadm |
OPENAM-21854 | TermsAndConditionsCallback fails with error on XUI |
OPENAM-21803 | Certificate User Extractor node cannot resolve wrong name when UPN SubjectAltNameExt |
OPENAM-21780 | Next-generation |
OPENAM-21747 | Amster not working after connecting when AM REST call has extra |
OPENAM-21664 | Upgrade fails to AM 7.4.0 with an uncaught exception when initializing the PrivilegeIndexStore class |
OPENAM-21484 | OAuth 2.0 token introspection response has different claim value types when introspecting refresh tokens |
OPENAM-21473 | Certificate Collector node: getPortalStyleCert throws exception when cert/header not present |
OPENAM-21466 | AM using OIDC social authentication fails to verify ID token if remote JWK_URIs have duplicate KID |
OPENAM-21277 | Running Amster in debug mode doesn’t work on Windows |
OPENAM-21191 | Web agent sessions have a long session lifetime of 42 years |
OPENAM-20609 | Inconsistent error message when generating access token using refresh token after changing username |
OPENAM-19999 | ID token as AM session doesn’t work with |
OPENAM-19889 | Policy evaluation fails with agent access token JWT as subject |
OPENAM-17816 | 500 Internal Server Error (from NPE) returned for a missing Content-Type header |
AM 7.4
Key | Summary |
---|---|
OPENAM-21476 | Persistent Cookie isn’t created when using Configuration Provider node |
OPENAM-21421 | Scripting logger name isn’t based on logging hierarchy convention |
OPENAM-21390 | Fix caching error when a journey switches backend instances to correctly provide data to |
OPENAM-21360 | Add |
OPENAM-21323 | LDAP (inline) upgrade fails due to policy creation of UssSelfWriteAttributes |
OPENAM-21304 | Retain request URI values specified during dynamic client registration |
OPENAM-21164 | Fix type issue of XML String in SAML responses when using a custom adapter |
OPENAM-21160 | Make sure secure state values are retained when navigating the authentication tree |
OPENAM-21158 | Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2 |
OPENAM-21085 | Undefined bindings are incorrectly evaluated in Groovy scripts |
OPENAM-21069 | WindowsDesktopSSO authentication is failing |
OPENAM-21053 | Missing |
OPENAM-21030 | Amster CLI doesn’t work on Windows |
OPENAM-21010 | Social authentication user profile corrupted when remote OIDC server provides non-English identity claims |
OPENAM-21004 | AM will always look for valid session when |
OPENAM-21001 | SAML IdPAccountMapper isn’t correctly determined |
OPENAM-20980 | OIDC social provider uses configured issuer instead of wellknown endpoint issuer when using regex comparison |
OPENAM-20953 | Return subject attributes correctly when evaluating a policy using a |
OPENAM-20920 | Improve handling of SAML2 IDP metadata that uses SSO endpoint entries other than HTTP-POST or HTTP-Redirect bindings when binding is null |
OPENAM-20897 | Debug logs not showing info for ERROR: Unsupported Callback, "{0}" and others |
OPENAM-20895 | Newly created Maven archetype project for building custom authentication nodes fails to build |
OPENAM-20851 | Existing registered devices unable to use push notifications when AWS SNS credentials are updated |
OPENAM-20784 | TestUMAPolicy fails for users that will cause LocalizedIllegalArgumentException |
OPENAM-20756 | Social authentication request for Apple fails due to duplicated |
OPENAM-20691 | Fix rare race condition in session quota destroy next expiring action that can lead to the oldest session not being destroyed |
OPENAM-20682 | Unable to encrypt from |
OPENAM-20490 | AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes" |
OPENAM-20451 | Fix to display user-friendly account name during WebAuthn device registration |
OPENAM-20299 | Fix to make agent authentication honor |
OPENAM-20230 | Class allowlisting denies access to permitted classes after running for an extended period of time |
OPENAM-20026 | Social IDP with trailing whitespace in the name can’t be deleted using the UI |
OPENAM-20024 | Improve debug logging when login to XUI fails with HTTP 404 JsonValueException from endpoint |
OPENAM-19282 | Recovery Code Display Node works only immediately after Registration node |
OPENAM-19261 | Fix incorrectly logged errors when introspecting tokens using OAuth 2.0 client credentials grant |
OPENAM-18709 | New |
OPENAM-18685 | New realm-level configuration setting to remove or skip |
OPENAM-18004 | Support sequential transaction IDs to improve audit logging for HTTP requests to IDM |
OPENAM-17331 | Push Notifications: User with disabled endpoint is not able to login |
OPENAM-17179 | Deleting an authentication tree leaves orphaned nodes that prevent deletion of referenced scripts |
AM 7.3.x
AM 7.3.3
Key | Summary |
---|---|
OPENAM-23519 | Android devices without a screen lock not working with WebAuthn registration |
OPENAM-23518 | AuthenticateToTreeConditionAdvice doesn’t work with Inner Tree as first node |
OPENAM-23441 | Enabling OAuth2 client option "Allow wildcard ports in redirect URIs" prevents application URIs from working |
OPENAM-22846 | External app/policy store active/passive LB isn’t working |
OPENAM-22654 | BooleanAttributeInputCallback renders an enabled checkbox in AM XUI |
OPENAM-22608 | Non-extractable secrets in HSM fails to work on AM for SAML2 XML signing |
OPENAM-21026 | OAuth Clients don’t work when the redirect uri list contains an invalid uri |
OPENAM-20451 | Fix to display user-friendly account name during WebAuthn device registration |
OPENAM-15834 | Access token call fails when an unsupported claim is requested |
AM 7.3.1
Key | Summary |
---|---|
OPENAM-22017 | ConfigProviderNode creates node class dynamically leading to native memory leak |
OPENAM-21976 | Single point of locking contention when performing client-based session logout |
OPENAM-21941 | Unable to edit policies in the UI |
OPENAM-21854 | TermsAndConditionsCallback fails with error on XUI |
OPENAM-21747 | Rest SDK and Amster send cookies if request has cookie header |
OPENAM-21728 | Certificate module fails using JDK 11.0.21 and later with undefined access to private method |
OPENAM-21484 | Introspecting OAuth 2.0 refresh tokens results in different claim value types in the response |
OPENAM-21421 | Scripting logger name isn’t based on logging hierarchy convention |
OPENAM-21390 | ConsumedStateDataCache can cache an incomplete set of reachability data when on multi-AM environment |
OPENAM-21304 | OAuth 2.0 dynamic client registrations don’t retain |
OPENAM-21277 | Running Amster in debug mode doesn’t work on Windows |
OPENAM-21164 | Calling |
OPENAM-21160 | Inconsistent values in secure state when navigating an authentication tree |
OPENAM-21158 | Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2 |
OPENAM-21069 | WindowsDesktopSSO authentication is failing |
OPENAM-21030 | Amster 7.3.0 CLI isn’t working on Windows |
OPENAM-21010 | Social authentication for remote OIDC server for user profile non-english words corrupted |
OPENAM-21004 | AM will always look for valid session when scope=openid |
OPENAM-21001 | IdPAccountMapper is not correctly determined |
OPENAM-20980 | Unable to use issuer comparison check regex in oidc social provider |
OPENAM-20897 | Debug logs not showing info for |
OPENAM-20895 | Newly-created Maven archetype project fails to build |
OPENAM-20756 | OIDC social authentication request (Apple) fails due to duplicate |
OPENAM-20691 | Destroy oldest session may fail to work |
OPENAM-20682 | Unable to encrypt from |
OPENAM-20490 | AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes" |
OPENAM-20026 | Trailing whitespace prevents social provider deletion via UI |
OPENAM-19999 | ID token as AM session doesn’t work with |
OPENAM-19889 | Policy evaluation fails with agent access token JWT as subject |
OPENAM-19282 | Recovery Code Display Node works only immediately after Registration node |
OPENAM-18599 | Allow for custom error message if user account is locked |
AM 7.3
Key | Summary |
---|---|
OPENAM-20396 | Authentication tree is selected by order of acr to tree mapping, not the default values, and order is not preserved |
OPENAM-20360 | Ampersand is double encoded in the Destination of a SAML Assertion |
OPENAM-20260 | Unable to log into AM when external application store is down |
OPENAM-20230 | Class allowlisting fails with permission denied after an extended period |
OPENAM-20181 | AD account notification fails |
OPENAM-20159 | Upgrader adds requestObjectProcessing to OAuth2Provider subconfigs |
OPENAM-20104 | The |
OPENAM-20085 | STS token generation does not work with clustered docker pods |
OPENAM-20082 | Locked out users are shown a misleading error message |
OPENAM-19868 | Correctly handle multi-line text in Email Suspend nodes |
OPENAM-19866 | Excessive logging when accessing protected resources |
OPENAM-19726 | The |
OPENAM-19665 | Wrong Java version in Amster README file |
OPENAM-19515 | Unable to update session service with read only identity store |
OPENAM-19411 | Amster installation failure with authorizedKey parameter when trying to overwrite an existing configuration |
OPENAM-18818 | Persistent search error message shows wrong DS identifier |
OPENAM-18488 | Windows Hello with TPM/platform authenticator returns two certificates |
OPENAM-18172 | Multiple instances of "No Social Authentication Service found for realm" logged at WARNING level |
OPENAM-17215 | Policy debug log fills up at very high pace if the config store is not found |
OPENAM-13766 | No configuration found for login with SessionConditionAdvice=deny |
Fixes in AM 7.3.x
This page lists the cumulative fixes in AM 7.3.x releases:
AM 7.3.3
Key | Summary |
---|---|
OPENAM-23519 | Android devices without a screen lock not working with WebAuthn registration |
OPENAM-23518 | AuthenticateToTreeConditionAdvice doesn’t work with Inner Tree as first node |
OPENAM-23441 | Enabling OAuth2 client option "Allow wildcard ports in redirect URIs" prevents application URIs from working |
OPENAM-22846 | External app/policy store active/passive LB isn’t working |
OPENAM-22654 | BooleanAttributeInputCallback renders an enabled checkbox in AM XUI |
OPENAM-22608 | Non-extractable secrets in HSM fails to work on AM for SAML2 XML signing |
OPENAM-21026 | OAuth Clients don’t work when the redirect uri list contains an invalid uri |
OPENAM-20451 | Fix to display user-friendly account name during WebAuthn device registration |
OPENAM-15834 | Access token call fails when an unsupported claim is requested |
AM 7.3.2
Key | Summary |
---|---|
OPENAM-22836 | Unable to update KBA Security questions using XUI |
OPENAM-22753 | Destroy All session may fail to work |
OPENAM-22717 | SP-initiated SSO fails with "Illegal character in scheme name" when IdP name contains a special character |
OPENAM-22696 | Persistent search notification invalidation on AD identity store doesn’t invalidate user cached attributes |
OPENAM-22656 | Setting |
OPENAM-22632 | AMSetupServlet install error with Windows multi-domain environment |
OPENAM-22602 | OIDC ID Token Validator node uses own |
OPENAM-22421 | Webauthn: Windows Hello TPM Attestation failing for Windows 11 22H2 |
OPENAM-22391 | Issues with |
OPENAM-22322 | Unable to verify signed ArtifactResponse Assertion leading to failure |
OPENAM-22318 | OAUTH_REQUEST_ATTRIBUTES cookie isn’t getting deleted after authentication |
OPENAM-22289 | Session quota action may fail when the session isn’t updatable but should be fine to proceed |
OPENAM-22288 | Amster upgrade 7.3.0-to-7.3.x fails with Groovy Exception |
OPENAM-22181 | Approve UMA request fails with 500 error when AM deployed as a platform |
OPENAM-22120 | Backchannel logout token doesn’t contain |
OPENAM-21972 | SAML artifact binding is failing in load-balanced deployments |
OPENAM-21937 | Quota enforcement affects agent sessions that authenticate by tree |
OPENAM-21897 | Creation order determines policy evaluate and evaluateTree results |
OPENAM-21473 | Certificate collector node: |
OPENAM-21322 | AM console allows creation of entity provider with space at the end of the name |
OPENAM-21191 | Web agent sessions have a long session lifetime of 42 years |
OPENAM-21085 | Undefined bindings are incorrectly evaluated in Groovy scripts |
OPENAM-20945 | Unable to trace token revocation back to resource owner because of missing |
OPENAM-20314 | Social Provider Handler node and Social IdP service use the |
OPENAM-20299 | Fix to make agent authentication honor |
OPENAM-19261 | Fix incorrectly logged errors when introspecting tokens using OAuth 2.0 client credentials grant |
AM 7.3.1
Key | Summary |
---|---|
OPENAM-22017 | ConfigProviderNode creates node class dynamically leading to native memory leak |
OPENAM-21976 | Single point of locking contention when performing client-based session logout |
OPENAM-21941 | Unable to edit policies in the UI |
OPENAM-21854 | TermsAndConditionsCallback fails with error on XUI |
OPENAM-21747 | Rest SDK and Amster send cookies if request has cookie header |
OPENAM-21728 | Certificate module fails using JDK 11.0.21 and later with undefined access to private method |
OPENAM-21484 | Introspecting OAuth 2.0 refresh tokens results in different claim value types in the response |
OPENAM-21421 | Scripting logger name isn’t based on logging hierarchy convention |
OPENAM-21390 | ConsumedStateDataCache can cache an incomplete set of reachability data when on multi-AM environment |
OPENAM-21304 | OAuth 2.0 dynamic client registrations don’t retain |
OPENAM-21277 | Running Amster in debug mode doesn’t work on Windows |
OPENAM-21164 | Calling |
OPENAM-21160 | Inconsistent values in secure state when navigating an authentication tree |
OPENAM-21158 | Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2 |
OPENAM-21069 | WindowsDesktopSSO authentication is failing |
OPENAM-21030 | Amster 7.3.0 CLI isn’t working on Windows |
OPENAM-21010 | Social authentication for remote OIDC server for user profile non-english words corrupted |
OPENAM-21004 | AM will always look for valid session when scope=openid |
OPENAM-21001 | IdPAccountMapper is not correctly determined |
OPENAM-20980 | Unable to use issuer comparison check regex in oidc social provider |
OPENAM-20897 | Debug logs not showing info for |
OPENAM-20895 | Newly-created Maven archetype project fails to build |
OPENAM-20756 | OIDC social authentication request (Apple) fails due to duplicate |
OPENAM-20691 | Destroy oldest session may fail to work |
OPENAM-20682 | Unable to encrypt from |
OPENAM-20490 | AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes" |
OPENAM-20026 | Trailing whitespace prevents social provider deletion via UI |
OPENAM-19999 | ID token as AM session doesn’t work with |
OPENAM-19889 | Policy evaluation fails with agent access token JWT as subject |
OPENAM-19282 | Recovery Code Display Node works only immediately after Registration node |
OPENAM-18599 | Allow for custom error message if user account is locked |
AM 7.3
Key | Summary |
---|---|
OPENAM-20396 | Authentication tree is selected by order of acr to tree mapping, not the default values, and order is not preserved |
OPENAM-20360 | Ampersand is double encoded in the Destination of a SAML Assertion |
OPENAM-20260 | Unable to log into AM when external application store is down |
OPENAM-20230 | Class allowlisting fails with permission denied after an extended period |
OPENAM-20181 | AD account notification fails |
OPENAM-20159 | Upgrader adds requestObjectProcessing to OAuth2Provider subconfigs |
OPENAM-20104 | The |
OPENAM-20085 | STS token generation does not work with clustered docker pods |
OPENAM-20082 | Locked out users are shown a misleading error message |
OPENAM-19868 | Correctly handle multi-line text in Email Suspend nodes |
OPENAM-19866 | Excessive logging when accessing protected resources |
OPENAM-19726 | The |
OPENAM-19665 | Wrong Java version in Amster README file |
OPENAM-19515 | Unable to update session service with read only identity store |
OPENAM-19411 | Amster installation failure with authorizedKey parameter when trying to overwrite an existing configuration |
OPENAM-18818 | Persistent search error message shows wrong DS identifier |
OPENAM-18488 | Windows Hello with TPM/platform authenticator returns two certificates |
OPENAM-18172 | Multiple instances of "No Social Authentication Service found for realm" logged at WARNING level |
OPENAM-17215 | Policy debug log fills up at very high pace if the config store is not found |
OPENAM-13766 | No configuration found for login with SessionConditionAdvice=deny |
Removed
The functionality listed here was removed.
AM 8.0
- Authentication modules and chains: We’ve removed authentication modules and chains. They were deprecated in AM 7. For this release only, it’s possible to temporarily re-enable modules and chains for migration purposes. Learn more in Authentication modules and chains.
- Embedded DS: The embedded DS server has been removed. It was deprecated in AM 7 for use in production.
- Legacy audit logging service: The legacy audit logging service was deprecated in AM 7.2 and is no longer supported.
- SOAP STS service: The SOAP STS service has been removed. It was deprecated in AM 7.
AM 7.5
- Java 11: AM 7.5 removes support for Java 11. Only Java 17 is supported in this release.
- SNMP monitoring: SNMP monitoring was deprecated in AM 7.3 and is no longer supported.
AM 7.3
- Removal of CTS worker pool: The `org.forgerock.services.cts.async.queue.size` and `org.forgerock.services.cts.async.queue.timeout` advanced configuration properties were removed. For details, refer to Removal of CTS worker thread pool.
Changes
Changes in AM 8.0.x
AM 8.0
Support for Tomcat 10
AM 8.0 supports Apache Tomcat 10 as a web application container. If you use Apache Tomcat, you must upgrade to at least version 10 before you upgrade to AM 8.0.
Find more information in Upgrade Tomcat.
As part of this change, you should rewrite scripts that used the `javax.servlet.request.X509Certificate` attribute in the servlet request to obtain the client certificate. Your updated scripts should use the `jakarta.servlet.request.X509Certificate` attribute instead.
Authentication modules and chains
Authentication modules and chains have been removed in AM 8.0. If you’re still using modules and chains for authentication, you must migrate to nodes and trees as soon as possible.
It’s recommended that you migrate to nodes and trees before upgrading to AM 8. If that’s not possible, and you need access to modules and chains for migration purposes, you can temporarily re-enable them in AM 8.0.
Re-enable modules and chains
- Go to Configure > Server Defaults > Advanced in the AM admin UI.
- Add the `org.forgerock.am.authentication.chains.enabled` property and set it to `true`.
- Save your changes.
- Restart AM or the container where it runs.
You can now access modules and chains through the REST endpoints. Modules and chains aren’t accessible through the AM admin UI.
The option to re-enable modules and chains is only for migration purposes in AM 8.0. Authentication modules and chains will be removed completely in an upcoming release.
Providing OAuth 2.0 client certificates to AM
Clients can provide mTLS certificates to AM using trusted headers. AM now supports certificates in Base64-encoded PEM and DER format.
The corresponding value of the TLS Client Certificate Header Format configuration property on the OAuth2 Provider service has therefore changed from `URLENCODED_PEM` to `BASE64_ENCODED_CERT`.
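As an added illustration (not PingAM or ForgeRock code), the following Python builds the trusted-header value in both formats named above and parses a received value back to DER bytes, rejecting anything that is neither. The helper names and the sample certificate bytes are constructed for this example; the header name itself is whatever the front-end proxy is configured to set.

```python
"""Added example: encode/decode the TLS client certificate trusted header in the
URLENCODED_PEM (old) and BASE64_ENCODED_CERT (new) formats. The new format accepts
Base64 of either the PEM text or the raw DER bytes, so the decoder handles both.
Helper names and SAMPLE_DER are constructed for this illustration.
"""
import base64
import binascii
import re
from urllib.parse import quote, unquote

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed stand-in for the DER bytes of a client certificate. Real DER begins
# with an ASN.1 SEQUENCE tag (0x30), which the decoder below uses as a sanity check.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"constructed-sample-cert"


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour with 64-character Base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{PEM_BEGIN}\n{body}\n{PEM_END}\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and whitespace, then Base64-decode strictly."""
    match = re.search(re.escape(PEM_BEGIN) + r"(.*?)" + re.escape(PEM_END), pem, re.S)
    if match is None:
        raise ValueError("no CERTIFICATE PEM block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def encode_header(der: bytes, fmt: str, base64_pem: bool = False) -> str:
    """Produce the header value a front-end proxy would send for the given format.

    fmt is the value of the TLS Client Certificate Header Format property.
    With BASE64_ENCODED_CERT, base64_pem=True Base64-encodes the PEM text
    instead of the DER bytes; the new setting accepts both.
    """
    if fmt == "URLENCODED_PEM":
        return quote(der_to_pem(der), safe="")
    if fmt == "BASE64_ENCODED_CERT":
        payload = der_to_pem(der).encode("ascii") if base64_pem else der
        return base64.b64encode(payload).decode("ascii")
    raise ValueError(f"unknown header format {fmt!r}")


def decode_header(value: str):
    """Detect which format a received header value uses and return (fmt, der).

    Anything that is not one of the two formats raises ValueError, so the
    receiver never passes an opaque header value on as a certificate.
    """
    # URL-encoded PEM: after percent-decoding, the PEM armour is visible.
    decoded = unquote(value)
    if PEM_BEGIN in decoded:
        return "URLENCODED_PEM", pem_to_der(decoded)
    # Otherwise the value must be strict Base64 of either PEM text or DER bytes.
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        raise ValueError("header is neither URL-encoded PEM nor Base64") from exc
    if raw.startswith(PEM_BEGIN.encode("ascii")):
        return "BASE64_ENCODED_CERT", pem_to_der(raw.decode("ascii"))
    if not raw.startswith(b"\x30"):
        raise ValueError("Base64 payload is neither PEM text nor DER")
    return "BASE64_ENCODED_CERT", raw
```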
Change in behavior for WebAuthn flows
Previously, for WebAuthn flows, if an authenticator provided an attestation that included the certificate authority (CA) root certificate, AM would remove and silently ignore the certificate. This behavior has changed in AM 8.0.
Now, if the authenticator provides an attestation that contains an invalid certificate chain (including the root CA certificate in the chain), PingAM rejects the attestation and throws an `InvalidDataException` error. The root certificate must be issued and securely distributed by a CA.
Endpoint for monitoring server activity with Prometheus
To monitor server activity with Prometheus, use one of the new endpoints:
- `/metrics/prometheus`
  The path of this endpoint is format-agnostic, but the response payload is identical to that from the `/json/metrics/prometheus` endpoint. Although this endpoint is new, it is also deprecated in this release and support for its use will be removed in a future release. Move to the `/metrics/prometheus/0.0.4` endpoint as soon as convenient.
- `/metrics/prometheus/0.0.4`
  The path of this endpoint is format-agnostic, but the response payload is slightly different to that from the `/metrics/prometheus` endpoint.
Learn more in Monitor with Prometheus.
Sessions terminology
Sessions that are created to track progress through an authentication tree were previously referred to as authentication sessions, and sessions that are created after a user has authenticated were just referred to as sessions.
This release introduces the following new terminology to clarify and simplify the distinction between these session types:
- Journey session (previously called authentication session)
- Authenticated session (previously called session)
This change is reflected in the documentation.
Change to custom OIDC Social IDP configuration
You no longer need to specify a well-known endpoint when configuring a custom OIDC Social Identity Provider service.
If the well-known endpoint isn’t specified, AM verifies signatures using the JWK location, keystore location, or the client secret.
Changes to audit logging
- The following events have been added to the audit log:
  - `AM-TREE-LOGIN-STARTED`: Logged when authentication through a tree starts.
  - `AM-TREE-LOGIN-COMPLETED` with `exception`
  Learn more in the Audit logging reference.
- The `org.forgerock.openam.audit.identity.activity.events.blacklist` advanced server property contains a comma-separated list of audit events that won’t be logged. In previous releases, you could only add the `AM-ACCESS-ATTEMPT`, `AM-IDENTITY-CHANGE`, and `AM-GROUP-CHANGE` events to this list. From AM 8.0, you can prevent logging of any event. Logging all events can impact performance. You should log only those events you intend to monitor.
WS-Federation com.sun.identity.wsfederation.logout.wreply URL validation
To facilitate logging out of WS-Federation and multiprotocol environments (WS-Federation communicating with SAML 2.0), you must add the URL specified in the com.sun.identity.wsfederation.logout.wreply query parameter to the Valid goto URL Resources field in the validation service. If you don’t add this URL, redirection fails.
Learn more in Add a URL to the validation service.
Changes to LinkedIn social identity provider configuration
The OAuth 2.0 version of the LinkedIn social identity provider configuration profile is deprecated by LinkedIn. This deprecated version has been renamed to LinkedIn (Legacy).
To configure your social identity provider with the latest OIDC version of the LinkedIn profile, use the LinkedIn profile.
SOAP STS service
The SOAP STS service has been removed in this release. If you’re still using the SOAP STS, you must migrate to the REST STS.
When you upgrade to AM 8, the SOAP STS agents and configuration are deleted. Make sure you retain anything useful to your migration prior to upgrading.
The accountId field in JWT script binding operations
Two new fields, subject and issuer, replace the accountId field used by the jwtAssertion and jwtValidator script bindings. This lets you specify separate values for these JWT claims.
If specified, the accountId is now used as the value for issuer, stableId, and subject when these values aren’t provided.
Learn more in Generate and validate JWTs.
Device authorization grant behavior
The behavior of the device authorization grant has changed slightly. Previously, AM didn’t consult the default ACRs until after consent was granted by the user. This meant that the user had already been prompted to authenticate through the default realm authentication mechanism and was sometimes required to authenticate twice if the default ACRs dictated a different mechanism.
The /oauth2/device/user endpoint checks for a user_code during the initial request. From AM 8.0, if a user_code is supplied, AM uses it to retrieve the associated device code to determine if any ACRs were requested. If ACRs were requested, they guide the authentication mechanism.
This change improves the user experience by reducing redundant authentication prompts.
You can find more information in Device authorization grant.
Changes in AM 7.5.x
AM 7.5
Change in behavior for journeys containing a Certificate Collector node
Previously, for journeys containing a Certificate Collector node, AM would throw an exception in the following scenario:
- You set the node’s Certificate Collection Method property to Either or Header
- You specified an HTTP header name
- The certificate was missing from the browser (and from the request if Either was selected)
Now, in this scenario, the journey continues down the Not Collected path.
Default setting for AES key wrap encryption
The system property org.forgerock.openam.encryption.padshortinputs is now true by default.
This property pads short inputs (less than 8 bytes). If you’re using AES key wrap encryption, do one of the following before you upgrade to AM 7.5:
- Check that any passwords encrypted with AES key wrap encryption are longer than eight characters. AM won’t be able to decrypt shorter values.
- Set org.forgerock.openam.encryption.padshortinputs to true and re-save any short passwords to update the padding.
Changes in AM 7.4.x
AM 7.4.2
The accountId field in JWT script binding operations
Two new fields, subject and issuer, replace the accountId field used by the jwtAssertion and jwtValidator script bindings. This lets you specify separate values for these JWT claims.
If specified, the accountId is now used as the value for issuer, stableId, and subject when these values aren’t provided.
Learn more in Generate and validate JWTs.
AM 7.4.1
WS-Federation com.sun.identity.wsfederation.logout.wreply URL validation
To facilitate logging out of WS-Federation and multiprotocol environments (WS-Federation communicating with SAML 2.0), you must add the URL specified in the com.sun.identity.wsfederation.logout.wreply query parameter to the Valid goto URL Resources field in the validation service. If you don’t add this URL, redirection fails.
Learn more in Add a URL to the validation service.
Change in behavior for journeys containing a Certificate Collector node
Previously, for journeys containing a Certificate Collector node, AM would throw an exception in the following scenario:
- You set the node’s Certificate Collection Method property to Either or Header
- You specified an HTTP header name
- The certificate was missing from the browser (and from the request if Either was selected)
Now, in this scenario, the journey continues down the Not Collected path.
AM 7.4
Removal of dsameuserpwd from default keystore
The alias of the dsameuserpwd has been removed from the default keystore. The dsameUser is an internal account that AM uses to connect to the configuration store. AM now generates the password for this account on startup, and you can’t read or change it.
If you upgrade to AM 7.4 using the upgrade wizard and need to roll back the upgrade, you must restore the default keystore. The upgrade wizard removes the If you try to use a previous version of
Preconfigure policy and application data stores
You can now disable policy and application data stores until you are ready to use them. This means that you can preconfigure a data store before the directory server is ready. When you want to use the data store configuration, you can enable it, at which point AM verifies that it can connect to the configured store.
All default policy and application data store configurations are enabled. A new custom external data store configuration is disabled by default. When you upgrade to AM 7.4, existing data store configurations are enabled by default.
The In the next AM release, the endpoint version will be incremented and the latest version will require the property to be present.
Change in behavior when an authentication tree is deleted
From this release, when you delete an authentication tree, any nodes referenced by that tree are also deleted, provided they aren’t referenced by another tree.
This change eliminates orphaned nodes in the configuration and lets you delete the scripts referenced by those nodes.
Change in behavior of subjectattributes endpoint
The behavior of queries to the subjectattributes endpoint has changed in this release.
To override the new behavior and revert to the previous behavior, set the org.forgerock.security.entitlement.enforce.realm advanced server property to false, then restart AM for the change to take effect.
For security reasons you should set this property back to true when you have updated your scripts.
Rotatable secrets for amAdmin password
AM now caches the special secret used to store the password of the amAdmin user. The expiry time of the cache is 900 seconds (15 minutes) by default. To change the expiry time, set the org.forgerock.openam.secrets.special.user.secret.refresh.seconds advanced server property.
For more information, refer to Store the amAdmin password in a secret store.
Changes in AM 7.3.x
AM 7.3.2
Change in behavior for journeys containing a Certificate Collector node
Previously, for journeys containing a Certificate Collector node, AM would throw an exception in the following scenario:
- You set the node’s Certificate Collection Method property to Either or Header
- You specified an HTTP header name
- The certificate was missing from the browser (and from the request if Either was selected)
Now, in this scenario, the journey continues down the Not Collected path.
AM 7.3
Artifact updates
If your custom code uses the following supported Java classes, you must update your build dependencies to include these modules:
Class / interface | Module |
---|---|
AMIdentity constructor
The supported constructor, public AMIdentity(SSOToken token, String universalId) throws IdRepoException, no longer throws an IllegalArgumentException if the provided string is not a valid representation of a DN. Instead, these exceptions are now converted to instances of IdRepoException.
Deletion of site data on logout
For security reasons, AM now instructs the browser to clear site data such as locally cached data and cookies when a user successfully logs out. This behavior can be disabled for compatibility purposes. Refer to the Add clear-site-data Header on Logout property in the Core authentication attributes for more information.
Session condition advice behavior
Previously, a Session condition failure resulted in a No configuration found error. This behavior has been changed as follows:
- If terminateSession is true and policy evaluation is requested, AM sends the session advice to the Java, Web, or Identity Gateway agent when the maxSessionTime elapses and the user is required to reauthenticate.
- If terminateSession is false and policy evaluation is requested, AM does not send the session advice to the Java, Web, or Identity Gateway agent when the maxSessionTime elapses. Instead of being redirected to the login page, the user receives a 403 Forbidden response for the protected resource.
Password change messages can now be returned in sentence case
Previously, all password change and password reset messages were transformed to upper case; for example, YOU MUST RESET YOUR PASSWORD. The LDAP Decision node now provides an option to disable this transformation, letting messages be returned in the case in which they are configured; for example, You must reset your password.
This option is disabled by default.
Base URL X-Forwarded-* headers
- Previously, if you set the Base URL source to X-Forwarded-* headers and no X-Forwarded-Proto header was provided, the generated URL would have a protocol of null, for example null://host, which would result in a broken URL. From this release, if no X-Forwarded-Proto header is provided, a fallback scheme is used, based on the URI of the request.
- You can now specify a port in the Base URL, using the X-Forwarded-Port header.
- If multiple X-Forwarded-Host headers are specified, the outermost proxy host is used.
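An added example, not PingAM's own code, of the three rules above in Python: the base URL is derived from X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Port, with the pre-7.3 null scheme reproduced for comparison. Assumptions: the outermost proxy's host is the first X-Forwarded-Host value, the request's own host is used when no X-Forwarded-Host is present, and only http and https are accepted as forwarded schemes.

```python
from urllib.parse import urlsplit

# Default ports that are omitted from the generated base URL.
DEFAULT_PORTS = {"http": 80, "https": 443}
# Assumption (not from the release note): only these schemes are accepted from
# X-Forwarded-Proto; anything else falls back to the request URI's scheme.
ALLOWED_SCHEMES = {"http", "https"}


def _header_values(headers, name):
    """Return every value of header `name`, in arrival order.

    `headers` is a list of (name, value) pairs, so a header that each proxy
    hop adds separately keeps its order; comma-joined lists are split too.
    """
    values = []
    for hdr, value in headers:
        if hdr.lower() == name.lower():
            values.extend(v.strip() for v in value.split(",") if v.strip())
    return values


def _split_host_port(host):
    """Split "host:port" into (host, port) with port as int or None."""
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        return name, int(port)
    return host, None


def base_url(request_uri, headers, legacy=False):
    """Derive the base URL from X-Forwarded-* headers.

    request_uri: the absolute URI the container received.
    headers:     list of (name, value) tuples from the inbound request.
    legacy:      reproduce the pre-7.3 behaviour (scheme "null") for comparison.
    """
    parsed = urlsplit(request_uri)

    # Scheme: X-Forwarded-Proto wins; without it AM 7.3+ falls back to the
    # request URI's scheme, whereas earlier releases produced "null://host".
    protos = [p.lower() for p in _header_values(headers, "X-Forwarded-Proto")]
    if protos and protos[0] in ALLOWED_SCHEMES:
        scheme = protos[0]
    elif legacy and not protos:
        scheme = "null"  # the broken pre-7.3 result
    else:
        scheme = parsed.scheme

    # Host: with several X-Forwarded-Host values the outermost proxy's host is
    # used; assumed here to be the first value (the first proxy to add it).
    hosts = _header_values(headers, "X-Forwarded-Host")
    # Assumption: without X-Forwarded-Host, use the host the container saw.
    host, port = _split_host_port(hosts[0] if hosts else parsed.netloc)

    # Port: X-Forwarded-Port overrides any port carried in the host value.
    ports = _header_values(headers, "X-Forwarded-Port")
    if ports and ports[0].isdigit():
        port = int(ports[0])
    if port is not None and DEFAULT_PORTS.get(scheme) == port:
        port = None  # drop the scheme's default port

    return f"{scheme}://{host}" + (f":{port}" if port is not None else "")


if __name__ == "__main__":
    # Constructed sample: two proxies in front of an AM container on 10.0.0.5:8080.
    sample = [
        ("X-Forwarded-Proto", "https"),
        ("X-Forwarded-Host", "login.example.com"),
        ("X-Forwarded-Host", "inner-proxy.example.com"),
        ("X-Forwarded-Port", "8443"),
    ]
    print(base_url("http://10.0.0.5:8080/am/json/serverinfo", sample))
    # Same request with only X-Forwarded-Host, as pre-7.3 releases handled it.
    print(base_url("http://10.0.0.5:8080/am/json/serverinfo", sample[1:2], legacy=True))
```

Because every input here comes from upstream proxies, the function is only meaningful when AM sits behind proxies you control; the scheme allowlist is a small hardening step beyond what the note describes.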
org.forgerock.openam.services.email.MailServer interface
The supported interface, org.forgerock.openam.services.email.MailServer, has moved from the openam-core module to mail-api.
You need to update the dependencies to recompile your implementation of this interface.
Removal of CTS worker thread pool
To simplify AM behavior, CTS operations are now performed as part of the HTTP worker thread created by the HTTP container. This refactoring introduces the following changes:
- The org.forgerock.services.cts.async.queue.size and org.forgerock.services.cts.async.queue.timeout advanced configuration properties are no longer used.
- The following monitoring metrics have been replaced:
  - Old: cts.task.queue and cts.task.queue.size
  - New: cts.connection.state.out and cts.connection.state.pending
  For details, refer to CTS metrics.
- The primary way to tune the CTS connection pool is to use the org.forgerock.services.cts.store.max.connections property. The default value has been increased from 10 to 100. Existing deployments will be upgraded to whichever is greater: 100 or the original value.
- In previous AM releases, calls to the /json/health/ready endpoint returned an HTTP 200 OK response if the CTS queue was below the configured threshold, even if the CTS data store was unavailable. The CTS queue has been removed in AM 7.3 as part of optimizing connections to the CTS store. If the CTS data store is unavailable, calls to the /json/health/ready endpoint now return an HTTP 503 Service Unavailable error.
Deprecated
The functionality listed here is deprecated, and likely to be removed in a future release.
Deprecated since AM 8.0
Monitoring
- Interface endpoint for monitoring server activity with Prometheus
  The /json/metrics/prometheus endpoint is deprecated in this release. To monitor server activity with Prometheus, use one of the new endpoints instead:
  - /metrics/prometheus
  - /metrics/prometheus/0.0.4
  Although the /metrics/prometheus endpoint is new, it is also deprecated in this release and support for its use will be removed in a future release. Move to the /metrics/prometheus/0.0.4 endpoint as soon as convenient. Learn more in Monitor with Prometheus.
- MBean and JMX interfaces
  Support for the legacy MBean and the JMX monitoring interfaces is deprecated in this release.
  AM supports other options for monitoring servers, including Graphite. Learn more in Monitor AM instances.
Audit event handlers
The following audit event handlers are deprecated and will be removed in a future release:
- CSV
- Syslog
- JDBC
- JMS
Use the JSON audit event handler instead.
Deprecated since AM 7.5
Secret label mappings
The following secret label mappings are deprecated in this release:
- am.global.services.session.clientbased.encryption
- am.global.services.session.clientbased.signing
Learn more about changes to secret label mappings in Support for storing secrets in secret stores.
Configuration replaced by secret labels
Feature | Deprecated field |
---|---|
Encrypted device storage services: | |
Changes to Action class
The following org.forgerock.openam.auth.node.api.Action methods are deprecated in this release:
- public ActionBuilder withUniversalId(String universalId)
- public ActionBuilder withUniversalId(Optional<String> universalId)
Use the new public ActionBuilder withIdentifiedIdentity(String username, IdType identityType) and public ActionBuilder withIdentifiedIdentity(AMIdentity identity) methods instead.
The Optional<String> universalId field is also deprecated, and is replaced by Optional<IdentifiedIdentity> identifiedIdentity.
Legacy Social Provider node
The Legacy Social Provider Handler node has been marked as deprecated and will be removed in a future release. This node is replaced by a new Social Provider Handler node that resolves issues related to reentry cookies. The legacy node remains supported in existing journeys. If you’re creating new journeys, use the new Social Provider Handler node instead.
Deprecated since AM 7.3
Changes to SAML v2.0 classes
The following classes are deprecated and will be removed in a future release:
Deprecated | Replacement |
---|---|
The following methods are deprecated and will be removed in a future release:
- InitializePlugin.java: default void initialize(String, String)
  Use initialize(Map) instead.
- IDPAuthnContextMapper.java: public IDPAuthnContextInfo getIDPAuthnContextInfo(AuthnRequest, String, String) throws SAML2Exception
  Use getIDPAuthnContextInfo(AuthnRequest, String, String, String) instead.
SNMP monitoring
Support for SNMP monitoring is deprecated in this release.
AM provides better options for monitoring servers, including support for Prometheus, Graphite, and JMX. Learn more in Monitor AM instances.
Documentation updates
In addition to the changes described elsewhere in these release notes, the published documentation for each AM version includes the following important changes.
The Amster release notes have been combined into the AM release notes. These release notes now include Amster changes since AM 7.2.
AM 8.0.x
AM 8.0.1
- AME-31340: Document ability of Push Notification service to reset device ID
- AME-31138: Document removal of library scripts from custom scripted nodes
- OPENAM-23714: Indicate that only one secret can be active for any secret label mapping
- OPENAM-23616: Client secret not required for OAuth 2.0 client update request
AM 8.0
- AME-31026: Deprecate audit event handlers
- AME-30978: Add the Set Error Details node to nodes list and add details about the acceptException() method
- AME-30936: Mark legacy monitoring as deprecated
- AME-30901: Document dynamic client registration scripting
- AME-30890: OPENAM-23637: Add documentation for No Session Trees and update session text where necessary
- AME-30857: Config Provider node script enabled for next-gen scripting engine
- AME-30819: Upgrade instructions for Tomcat 10
- AME-30789: Remove SNMP properties from the documentation
- AME-30457: Document updated TLS Client Certificate Header Format option value
- AME-30442: OPENAM-22904: Overhaul STS guide - remove SOAP STS and modules and chains
- AME-30393: Document new next-generation cookieName binding
- AME-30392: Document next-generation context for policy condition scripts
- AME-30344: Document DER-formatted certificates for OAuth2: Client authentication
- AME-30333: Document IDM Environment Condition
- AME-30291: SAML certificate metadata update
- AME-30249: Document backchannel authentication
- AME-30229: Document the Message-Authenticator attribute config for RADIUS servers
- AME-30173: Update Evaluation guide to use external DS
- AME-30154: Document prevent use of mustRun trees as realm default
- AME-30046: AM: Document the Flow Control node
- AME-30026: Document new next-gen scripting utils.crypto.subtle binding
- AME-29963: AME-30155: Document OIDC application journeys
- AME-29951: Document back-channel logout exp claim
- AME-29759: Document new next-generation script method to get random values
- AME-29757: Document removal of custom Social IdP UI configuration properties
- AME-29754: Document new suspend and resume functionality in Scripted Decision node
- AME-29685: Revise the section about post-authentication tree hooks
- AME-29619: Add navigation for the new Success Details node
- AME-29538: Update next-generation scripting documentation with exception handling scenarios
- AME-29511: Document the WebAuthn metadata service and related secret label for FIDO certification
- AME-29485: Document samlApplication script binding
- AME-29415: Document the Failure Details node
- AME-29406: AME-29431: Document new prometheus endpoints
- AME-29326: Document property to indicate OIDC provider doesn’t return unique value for the sub claim
- AME-29179: Document additional Config Provider node options
- AME-29168: Add section on node security
- AME-29165: Added "Send an HTTP request" section
- AME-29164: Update Maintain Authentication nodes
- AME-29163: Update Plugin Class
- AME-29162: Update Handle Errors
- AME-29161: AME-29141: Reorganise node developer guide
- AME-29160: Update Action Class
- AME-29159: Update Inject Objects into a node
- AME-29155: Document new NodeState merge state methods
- AME-29133: Config Interface @Attribute Improvements
- AME-29132: Node Metadata Improvements
- AME-29131: Node Class Improvements
- AME-29129: AME-29127: AME-29130: Updates to nodes 'Prepare for development' page
- AME-29072: Document change in behavior for self-signed root CA provided in WebAuthN attestation
- AME-28883: Document grace period for client-side sessions in one-to-one storage scheme
- AME-28726: Documentation for custom LINE OIDC config
- AME-28682: Outdated options in DS command-line examples
- AME-28614: Documentation of fix for validateJwtClaims failing when using a RS256: Alg signature
- AME-28596: Document add entity configuration to enable journey association
- AME-28322: Document new scripting monitoring metrics
- AME-28264: Document new advanced server property for configurable ID token clock skew time
- AME-28256: Document configure journey to always run to completion
- AME-28057: Document Distributed Tracing
- AME-27982: Add Customize account lockout message example from KB
- AME-27965: Add KB content from How do I add a roles claim to the OIDC Claims Script in AM?
- AME-27964: Add KB content from How do I add a session property claim to the OIDC Claims Script?
- AME-27963: Adding salient info from How do I add custom claims to the OIDC Claims Script in AM?
- AME-27962: Add content from How do I override claims in the OIDC ID token in Identity Cloud or AM?
- AME-27953: Documentation for enabling mTLS for HTTP Client script binding
- AME-27930: Docs on preparing a truststore should use DS 7.x security model
- AME-27878: Document customizing SAML NameID with a script
- AME-27846: Document the addition of encodeURI form body for httpClient
- AME-27845: Document the Scripted Decision node access to context.request.cookies
- AME-27844: Document new functions added to ActionWrapper next-generation script binding
- AME-27843: Document rotation of the http proxy password without server restart
- AME-27841: Document availability of utility classes in library scripts
- AME-27840: Documentation for new utility class script bindings
- AME-27838: Document secrets binding for all next-generation scripts
- AME-27834: Client certificate in SP metadata is configurable
- AME-27774: AME-27792: Document audit logging changes for trees
- AME-27726: Add more information for activity audit log events
- AME-27697: Document jwtAssertion and jwtValidator next-generation scripting improvements
- AME-27609: Document renaming of OAuth2: Client ID Token Public Encryption Key property
- DOCS-7931: Rename ForgeRock SDKs to Ping SDKs
- OPENAM-28565: Add note to docs about reserved binding names
- OPENAM-23662: Document the Amster Jwt Decision node
- OPENAM-23660: Update docs to include info on default trees that exist in AM 8
- OPENAM-23620: Update REST version messages
- OPENAM-23558: Provide more info on the am_authentication_count metric
- OPENAM-23549: Error in documentation on scope validation
- OPENAM-23547: Remove deprecated openam-legacy-debug-slf4j module from docs
- OPENAM-23513: Update supported directory stores
- OPENAM-23463: Docs for Journey Timeout settings for authenticated sessions
- OPENAM-23461: Docs for Journey Timeout settings for pre-authentication sessions
- OPENAM-23411: Document changes to default denylist poll interval
- OPENAM-23410: Document changes to mergeShared and mergeTransient nodeState methods
- OPENAM-23407: Updated Localize AM section to make it clearer that you have to download the UI first
- OPENAM-23362: Success Redirect order is incorrect
- OPENAM-23278: Clarify docs on CTS token types
- OPENAM-23277: Update Amster upgrade section to include 7.5
- OPENAM-23188: Correct steps for accessing am-external in auth node developer guide
- OPENAM-23171: Errors in SAML 2.0: profile OAuth 2: Grant docs
- OPENAM-23104: authLib script context missing from docs
- OPENAM-23081: Document improvements to transactional authorization
- OPENAM-23078: Update steps for letting DS manage CTS tokens
- OPENAM-23066: Update amr claims section to use OIDC claims script instead of module mapping
- OPENAM-23036: Incorrect example used in Configure scr claims
- OPENAM-23005: Add section on creating trees using REST
- OPENAM-22887-22906: Remove deprecated modules and chains from the documentation
- OPENAM-22899: Add notes to the Radius guide about reenabling modules and chains
- OPENAM-22878: Document the settings for OCSP verification
- OPENAM-22871: Wrong default value for STS Instance is running as remote instance
- OPENAM-22841: Document new OIDC LinkedIn social identity provider configuration
- OPENAM-22813: Remove AM 6.x references including for supported upgrades
- OPENAM-22741: Adding missing step in "Configure amr claims" procedure
- OPENAM-22641: Corrected token terminology per feedback
- OPENAM-22635: Rework pruning CTS tokens
- OPENAM-22607: Link to DS docs for appropriate tuning info
- OPENAM-22549: Add references for Set State node
- OPENAM-22525: Add HSM support info from KB
- OPENAM-22515: Document Logout Webhook key WebhookEventType
- OPENAM-22417: Add link to max length property for goTo URL
- OPENAM-22385: Document default values for Session properties
- OPENAM-22356: Include a more useful link in Release Notes for custom auth node secrets enablement
- OPENAM-22343: Document method return types for the script binding
- OPENAM-22339: Provide example systemd script for AM
- OPENAM-22327: Remove mention of Internet Explorer from AM docs
- OPENAM-22254: Update browser support table for WebAuthn
- OPENAM-22157: Clarify version support in upgrade instructions
- OPENAM-22152: Additional information required in token exchange impersonation
- OPENAM-22100: OPENAM-22049: OPENAM-22885: OPENAM-21325: Various improvements to upgrading servers section
- OPENAM-22099: Remove misleading information about unsupported custom callbacks
- OPENAM-22045: Corrected default log level
- OPENAM-21935: Document the maximum JWT token lifetime accepted by AM
- OPENAM-21907: Added a tip to the setup guide for finding server and site IDs
- OPENAM-21857: Document security hardening for UMA confusable homoglyphs
- OPENAM-21763: Update terminology around "sessions" to use authenticated and pre-authentication
- OPENAM-21763: Changed pre-authentication session terminology to journey session
- OPENAM-21744: Removed incorrect statement about invalidating client-side auth session
- OPENAM-21591: Document checkIssuerForIdTokenInfo advanced server property
- OPENAM-20673: Clarify device reset with WebAuthn
- OPENAM-20591: Prevent ClassNotFoundException when removing click-* jars
- OPENAM-19899: Remove all instances of /UI/login
- OPENAM-19575: OIDC guide feedback: Check algorithm statement for /oauth2/connect/jwk_uri
- OPENAM-19533: Remove unnecessary images from installation steps
- OPENAM-19395: Distinguish between general mail server and self-service mail service
- SDKS-3759: Added verifyTransactionsHelper script binding docs from AIC.
- SDKS-3173: The PingOne Worker service requires a configured OAuth2 provider service.
- SDKS-2959: Document PingOne Protect-related callbacks
- SDKS-2953: Document PingOne Worker service
- SDKS-2864: Adding new nodes to catalog page in AM
- SDKS-2861: Add PingOne Protect nodes to the list of nodes
AM 7.5.x
AM 7.5.2
- AME-32653: Document support for PingDirectory as an identity store
- OPENAM-24374: Correct docs for validators in Auth Node dev guide
- OPENAM-24320: Indicate support for other third-party authenticator apps
- OPENAM-24300: Update AM docs regarding PKCS12 keystore support
- OPENAM-24225: Fully integrate Amster docs into AM docs
- OPENAM-24196: SAML documentation improvements
- OPENAM-24158: Address feedback on the ForgeRock Authenticator app
- OPENAM-24092: Transactional authorization policies aren’t supported for the JwtClaim subject type
- OPENAM-24067: Created a single drawio.png which includes the vector
- OPENAM-24067: Add documentation on how to rename MFA devices & update push diagram
- OPENAM-24018: Improve IdP adapter custom script
- OPENAM-24014: Fix encoding for auth header example
- OPENAM-23959: Fix error in default secret alias name
- OPENAM-23920: Clarify requirements for environment condition and difference from subject condition
- OPENAM-23855: JDBC Audit log table note about VARCHAR limits
- OPENAM-23746: Incorrect sub value in mayAct script for delegation
- OPENAM-23714: Indicate only one secret can be active for any secret label mapping
- OPENAM-23638: Fix DATA_STORE setting for silent install should be dirServer
- OPENAM-23620: Update docs for error logging in Rest API
- OPENAM-23616: Client secret not required for OAuth 2.0 client update request
- OPENAM-23549: Error in documentation on scope validation
- OPENAM-23485: Add more info on how locale is used
- OPENAM-23407: Updated Localize AM section to make it clearer that you have to download the UI first
- OPENAM-23394: Clarify usage of FBC at install time
- OPENAM-23362: Success redirect order is incorrect
- OPENAM-23359: Added note about FBC not being supported
- OPENAM-23281: Document bindings for Social IdP Profile transformation script type
- OPENAM-23126: Incorrect guidance on setSessionProperty
- OPENAM-22853: Add description for Token Endpoint Authentication Method is none
- OPENAM-22849: The DS rebuild-index command doesn’t have a --useSsl option
- OPENAM-22576: Updating links for the push auth nodes
- OPENAM-22576: Update MFA related screenshots
- OPENAM-22173: Provide more detail for httpClient script binding
- OPENAM-22100: Improvements to upgrading servers section
- OPENAM-21858: Document the fields available for SAML Name ID Mapping
- OPENAM-21849: Configure same key for two AMs using AES
- OPENAM-21779: Fixed errors in legacy OAuth 2.0 endpoint docs
- OPENAM-21744: Removed an incorrect statement about invalidating the client-side auth session
- OPENAM-21655: Updated docs to reflect correct default setting for HTTP only cookies
- OPENAM-21638: Clarified the valid values for the default lockout attribute
- OPENAM-21455: Added more info around SAML 2.0 algorithms
- OPENAM-21454: Provide sample SAML metadata files
- OPENAM-21452: Made AES Keywrap note specific to SOAP STS
- OPENAM-20974: Update path to incremental upgrade for amUpgrade tool
- OPENAM-19503: Fixed CustomIdRepoConfig idRepoClass method name
- SDKS-2793: Add bound devices to list of upgrade LDIF files.
AM 7.5.1
- AME-29538: Update next-generation scripting documentation with exception handling scenarios
- AME-28883: Add info from KB about different token types in the CTS
- AME-28766: Documentation for new utility class script binding
- AME-28682: Update options in DS command-line examples
- AME-27982: Add customize account lockout message example from Knowledge Base
- AME-27930: Documentation on preparing a truststore should use DS 7.x security model
- AME-27726: Add more information for activity audit log events
- AME-22545: com.sun.identity.sm.filebased_embedded_enabled must be set to false after migration
- AMAGENTS-6487: Update info about web agent and session cookie name in line with changes to web agent docs
- FRAAS-20042: Add content from How do I check what MFA devices are registered to a user in Identity Cloud and AM?
- OPENAM-23277: Update Amster upgrade section to include 7.5
- OPENAM-23188: Correct steps for accessing am-external in auth node developer guide
- OPENAM-23078: Update steps for letting DS manage CTS tokens
- OPENAM-23005: Add section on creating trees using REST
- OPENAM-22972: Request to add a statement on async in doc
- OPENAM-22931: Two callbacks are incorrectly named in the documentation
- OPENAM-22871: Wrong default value for STS instance is running as remote instance
- OPENAM-22741: Add missing step in "Configure amr claims" procedure
- OPENAM-22641: Correct token terminology per feedback
- OPENAM-22635: Rework pruning CTS tokens
- OPENAM-22607: Link to DS docs for appropriate tuning info
- OPENAM-22515: Document Logout Webhook key WebhookEventType
- OPENAM-22356: Include a more useful link in Release Notes for custom auth node secrets enablement
- OPENAM-22343: Document method return types for the script binding
- OPENAM-22339: Provide example systemd script for AM
- OPENAM-22327: Remove mention of Internet Explorer from AM documentation
- OPENAM-22254: Update browser support table for WebAuthn
- OPENAM-22157: Clarify version support in upgrade instructions
- OPENAM-22099: Remove misleading information about unsupported custom callbacks
- OPENAM-22045: Correct default log level
- OPENAM-21935: Document the maximum JWT token lifetime accepted by AM
- OPENAM-21907: Added a tip to the Setup guide for finding server and site IDs
- OPENAM-21778: Error in documentation on modifying access tokens
- OPENAM-20673: Clarify device reset with WebAuthn
- OPENAM-20591: Prevent ClassNotFoundException when removing click-* jars
- OPENAM-19899: Remove all instances of /UI/login
- OPENAM-19575: OIDC guide feedback: Check algorithm statement for /oauth2/connect/jwk_uri
- OPENAM-19533: Remove unnecessary images from installation steps
- OPENAM-19395: Distinguish between general mail server and self-service mail service
- SDKS-3173: The PingOne Worker service requires a configured OAuth 2.0 provider service
- SDKS-2861: Add PingOne Protect nodes to the list of nodes
AM 7.5
-
OPENAM-22207: List HiddenValueCallback as interactive not read-only
-
OPENAM-22098: Additional information required in JWT validation example
-
OPENAM-22065: Fix Knowledge Base link in documentation
-
OPENAM-22061: The Get Session Data Node updates the objectAttributes
-
OPENAM-21964: Update and align documentation for secret default mappings
-
OPENAM-21914: Clarify deprecation and replacement of shared and transient state bindings
-
OPENAM-21900: The Identify Existing User Node updates the shared state username
-
OPENAM-21885: Clarify statement on realms in the API Explorer docs
-
OPENAM-21882: Document minimum OTP length for HOTP Generator node
-
OPENAM-21851: Clarify use of setting for the IdP
-
OPENAM-21801: Next generation scripting: Update nodeState.getObject
-
OPENAM-21798: Next generation scripting: Document "get" wrapper functions
-
OPENAM-21759: Clarify use of Java class allowlisting in next-generation scripting
-
OPENAM-21754: Add warning to library scripts about use of third party libraries
-
OPENAM-21723: Attribute Present Decision node: Add note about case-sensitivity
-
OPENAM-21711: Incorrect acr_values step in Backchannel request grant
-
OPENAM-21706: Policy evaluation will succeed for failed transactional authorization under certain conditions
-
OPENAM-21699: Fix example for authenticating to specific services
-
OPENAM-21696: Add a note to the Set Custom Cookie node docs around host vs domain cookies
-
OPENAM-21670: Setup guide: Check and update link to affinity load balancing
-
OPENAM-21667: Sessions guide: Set JWT token expiry if you update max session TTL
-
OPENAM-21622: Retry limit decision node: Wrong shared state property name
-
OPENAM-21620: Node development: Improve and correct Node class documentation
-
OPENAM-21603: Missing spaces in catalina opts example prevents tomcat starting
-
OPENAM-21504: List Prometheus output with better description.
-
OPENAM-21418: Fix numbering in JWT profile sequence diagram
-
OPENAM-21413: Sample script in SAML docs does not work
-
OPENAM-21344: Update profile data scripting examples with try-catch blocks
-
OPENAM-20906: Artifact changes in AM 7.3 are not documented in Release Notes
-
OPENAM-20752: OAuth2 scripted policy condition variables needs updating
-
OPENAM-20522: State in docs that Sector Identifier URI is needed for Pairwise OAuth2Client profile
-
OPENAM-20349: Add detail to the Device Match node docs
-
OPENAM-19204: Customer cannot rely on Transient Node data for WebAuthN Authentication Node
-
OPENAM-18095: Update documentation with all available audit log fields
AM 7.4.x
AM 7.4.2
-
AME-29951: Document back-channel logout exp claim
-
AME-29538: Update next-generation scripting documentation with exception handling scenarios
-
AME-27726: Add more information for activity audit log events
-
AME-27697: Document jwtAssertion and jwtValidator next-generation scripting improvements
-
AME-27432: SAML Artifact flow fails when running AM with JRE 17
-
AME-22545: com.sun.identity.sm.filebased_embedded_enabled must be set to false after migration
-
OPENAM-23394: Clarify usage of FBC at install time
-
OPENAM-23362: Success redirect order is incorrect
-
OPENAM-23359: Added note about FBC not being supported
-
OPENAM-23188: Correct steps for accessing am-external in node developer guide
-
OPENAM-23078: Update steps for letting DS manage CTS tokens
-
OPENAM-22972: Request to add a statement on async in doc
-
OPENAM-22871: Wrong default value for "STS instance is running as remote instance"
-
OPENAM-22741: Adding missing step in "Configure amr claims" procedure
-
OPENAM-22635: Procedure for enabling the AM reaper is incorrect
-
OPENAM-22515: Document Logout Webhook key WebhookEventType
-
OPENAM-22327: Remove mention of Internet Explorer from AM docs
-
OPENAM-22254: Update browser support table for WebAuthn
-
OPENAM-22207: List HiddenValueCallback as interactive not read-only
-
OPENAM-22157: Clarify version support in upgrade instructions
-
OPENAM-22100 OPENAM-22049 OPENAM-22885 OPENAM-21325: Improvements to upgrading servers section
-
OPENAM-22099: Remove misleading information about unsupported custom callbacks
-
OPENAM-22045: Corrected default log level
-
OPENAM-21935: Document the maximum JWT token lifetime accepted by AM
-
OPENAM-21907: Added a tip to the setup guide for finding server and site IDs
-
OPENAM-21744: Removed an incorrect statement about invalidating client-side auth session
-
OPENAM-21650: Updated base DN for AM configuration data
-
OPENAM-21165: Request for a sample script to be added to the docs
-
OPENAM-20673: Clarify device reset with WebAuthn
-
OPENAM-20591: Prevent ClassNotFoundException when removing click-* jars
-
OPENAM-19899: Remove all instances of /UI/login
-
OPENAM-19575: OIDC guide feedback: Check algorithm statement for /oauth2/connect/jwk_uri
-
OPENAM-19533: Remove unnecessary images from install steps
-
OPENAM-19395: Distinguish between general mail server and self-service mail service
AM 7.4.1
-
AME-27930: Prepare truststore should use 7.x DS security model
-
AME-27531: Incorrect description for Scripting Engine configuration for Thread pool queue size
-
AME-25385: Document the HTTP client asynchronous feature
-
OPENAM-22635: Procedure for enabling the AM reaper is incorrect
-
OPENAM-22207: List HiddenValueCallback as interactive not read-only
-
OPENAM-22099: Remove misleading information about unsupported custom callbacks
-
OPENAM-22098: Additional information required in JWT validation example
-
OPENAM-22066: Document Social Provider Handler node nodeState updates
-
OPENAM-22065: Fix Knowledge Base link in documentation
-
OPENAM-21914: Clarify deprecation and replacement of shared and transient state bindings
-
OPENAM-21851: Clarify use of "Single SignOn Service" setting for the IdP
-
OPENAM-21801: Next generation scripting: Update nodeState.getObject
-
OPENAM-21798: Next generation scripting: Document "get" wrapper functions
-
OPENAM-21754: Add warning to library scripts about use of third party libraries
-
OPENAM-21699: Fix example for authenticating to specific services
-
OPENAM-21696: Add a note to the Set Custom Cookie node docs around host vs domain cookies
-
OPENAM-21667: Sessions guide: Set JWT token expiry if you update max session TTL
-
OPENAM-21666: Security guide: Byte and MB values of request body limit don’t match
-
OPENAM-21620: Node development: Improve and correct Node class documentation
-
OPENAM-21603: Missing spaces in catalina opts example prevents tomcat starting
-
OPENAM-21457: Clarify where the Failure node routes a user
-
OPENAM-21419: Security guide: Attach Java examples for custom secret stores
-
OPENAM-21413: Fix sample script in SAML docs
-
OPENAM-21344: Update profile data scripting examples with try-catch blocks
-
OPENAM-20752: OAuth 2.0 scripted policy condition variables need updating
-
OPENAM-20522: State that Sector Identifier URI is needed for Pairwise OAuth2Client profile
-
OPENAM-18598: Clarify account linking in Social Provider Handler Node documentation
-
OPENAM-18095: List all usable audit log attributes
AM 7.4
-
Corrected name of SSOResponse binding in SAML SP adapter sample script.
-
Added links to Knowledge Base articles about restricting access to endpoints.
-
Updated social identity provider configuration reference with more information about transformation scripts and added realm to redirect URL example.
-
Provided more detail about audit log events.
-
Corrected error in WDSSO REST call in Authentication guide.
-
Note added about a SESSION_BLACKLIST token that exists for client-side authentication sessions.
-
Clarified documentation for the OIDC user info plugin that the /userinfo endpoint retrieves claims from the profile scope only.
-
Added explanation for audit filtering example in the Security guide.
-
Amended wording describing the Amster version used for upgrading exported configuration.
-
Updated instructions to download the UI source.
-
Documented changes to the OAuth 2.0 device authorization grant.
-
Updated format of scripting logger names.
-
Fixed error in Device Profile Collector node documentation.
-
Clarified information around tuning the CTS connection pool.
-
Added note to caution that a certificate must exist in the keystore before mapping secrets to that keystore.
-
Removed references to unsupported CoreWrapper API from the documentation.
-
Improved the information about the bindings available to OAuth 2.0 scripted extensions.
-
Added more information for the following authentication nodes:
-
Corrected information about storing device data in shared state for OATH Registration node.
-
Updated Node development documentation with a note that OTP Email Sender node supports plain text notifications only.
-
Added note to advise installers and upgraders to remove the web.xml entry to prevent a click-servlet exception.
-
Documented the new org.forgerock.openam.ldap.secure.protocol.version advanced property for defining the protocols AM uses to connect to a secure LDAP server.
-
Added new REST STS configuration property, "STS Instance is running as remote instance". For details, refer to REST STS configuration.
-
Updated Authentication guide with links to WS-Federation implementation steps in Knowledge Base.
-
Clarified supported claims when requesting policy decisions.
-
Added a table to list the certificates used in SAML 2.0 flows with their corresponding secret mappings. For details, refer to Certificates and secrets.
-
Clarified the steps to remove an AM instance in the installation guide.
-
Added the default path for audit logs on Windows.
-
Added a note about adding urls to Valid WReply List to ensure successful WS-Federation sign-on flow.
-
Added Inner Tree Node capabilities and restrictions.
-
Corrected an error in the deployment diagram. Refer to Example deployment topology.
-
Updated module information to refer readers to Knowledge Base articles about certificate authentication.
-
Fixed a documentation error relating to OAuth 2.0 email service configuration values.
-
Documented authentication session state management scheme differences and concerns. For details, refer to Server-side sessions and Client-side sessions.
-
Updated instructions for setting CATALINA_OPTS on Windows.
-
Documented the setting to configure the rotatable amadmin secret cache expiry time. Refer to org.forgerock.openam.secrets.special.user.secret.refresh.seconds.
-
Documented the new "Enabled" setting for external data stores.
AM 7.3.x
AM 7.3.3
-
OPENAM-23746: Incorrect sub value in mayAct script for delegation
-
OPENAM-23714: Indicate that only one secret can be active for any secret label mapping
-
OPENAM-23638: Update DATA_STORE setting for silent install to dirServer
-
OPENAM-23620: Update documentation for error logging in Rest API
-
OPENAM-23616: Client secret not required for OAuth 2.0 client update request
-
OPENAM-23549: Error in documentation on scope validation
-
OPENAM-23362: Success redirect URL order of precedence is incorrect
-
OPENAM-21779: Fix errors in legacy OAuth 2 endpoint docs
-
OPENAM-21744: Remove statement about invalidating the client-side authentication session
-
OPENAM-21452: Update AES Keywrap note to apply only to SOAP STS
-
OPENAM-20974: Update path to incremental upgrade for amUpgrade tool
-
OPENAM-20859: Update SAML v2.0 reference section
AM 7.3.2
-
OPENAM-23188: Correct steps for accessing am-external in Node developer guide
-
OPENAM-23139: Fix links to Agent docs from AM
-
OPENAM-23065: Update Knowledge links to Salesforce location
-
OPENAM-22871: Wrong default value for "STS instance is running as remote instance"
-
OPENAM-22741: Add missing step in "Configure amr claims" procedure
-
OPENAM-22635: Procedure for enabling the AM reaper is incorrect
-
OPENAM-22515: Document Logout Webhook key WebhookEventType
-
OPENAM-22449: Add Combined MFA Registration node to 7.3.x documentation
-
OPENAM-22327: Remove mention of Internet Explorer from AM docs
-
OPENAM-22254: Update browser support table for WebAuthn
-
OPENAM-22207: List HiddenValueCallback as interactive not read-only
-
OPENAM-22099: Remove misleading information about unsupported custom callbacks
-
OPENAM-22078: Update OATH Device Storage node
-
OPENAM-22045: Correct default log level
-
OPENAM-21935: Document the maximum JWT token lifetime accepted by AM
-
OPENAM-21851: Clarify use of "Single SignOn Service" setting for the IdP
-
OPENAM-21650: Update base DN for AM configuration data
-
OPENAM-21051: Update logger names with new format
-
OPENAM-20987: Document OAuth 2.0 provider setting "Allow Client Credentials in Token Endpoint Query Parameters"
-
OPENAM-20673: Clarify device reset with WebAuthn
-
OPENAM-19899: Remove all instances of /UI/login
-
OPENAM-19575: Correct algorithm statement for /oauth2/connect/jwk_uri
-
OPENAM-19533: Remove unnecessary images from install steps
-
OPENAM-18598: Clarify account linking in Social Provider Handler node documentation
AM 7.3.1
-
AME-25154: Update the CATALINA_OPTS in setenv.bat for Windows
-
OPENAM-21851: Clarify use of "Single SignOn Service" setting for the IdP
-
OPENAM-21699: Fix example for authenticating to specific services
-
OPENAM-21620: Node development: Improve and correct Node class documentation
-
OPENAM-21580: Improve documentation on updating OAuth 2.0 clients
-
OPENAM-21579: Java keystores require ASCII passwords
-
OPENAM-21573: Amster upgrade documentation description contains an error
-
OPENAM-21383: Instructions to download the UI source code are out of date
-
OPENAM-21344: Update profile data scripting examples with try-catch blocks
-
OPENAM-21254: Complete note in Invalidate all sessions for a user section
-
OPENAM-21081: Clarify version support in Amster release notes
-
OPENAM-21051: Update logger name and review debug logging page
-
OPENAM-21048: Error in Device Profile Collector node documentation
-
OPENAM-20925: Inaccurate documentation on CTS tuning
-
OPENAM-20911: Corewrapper object no longer accessible in authentication nodes
-
OPENAM-20909: Align multi-version release notes with content of previous versions
-
OPENAM-20906: Artifact changes in AM 7.3 aren’t documented in Release Notes
-
OPENAM-20903: Clarify audit filtering example
-
OPENAM-20870: Access token script API is incomplete
-
OPENAM-20835: Explain the SESSION_BLACKLIST token that exists for client-side authentication sessions
-
OPENAM-20666: Caution against duplicate OIDC ACR mappings
-
OPENAM-20591: Prevent ClassNotFoundException when removing click-* jars
-
OPENAM-20522: State that Sector Identifier URI is needed for Pairwise OAuth2Client profile
-
OPENAM-20311: Document AM property for LDAPS protocol
-
OPENAM-20038: Document which URLs for REST STS are made locally/remotely
-
OPENAM-19215: Missing documentation for WS Federation in Admin guide
-
OPENAM-19214: Authorization guide: Clarify supported claims in requesting policy decisions
-
OPENAM-19149: Clarify SAML certificates and secrets usage
-
OPENAM-18606: The documentation to remove an AM instance is misleading
-
OPENAM-18495: Provide details of each audit log event name in the AM documentation
-
OPENAM-18468: Maintenance guide: Update config store connection pool values
-
OPENAM-18099: Explanation of rawProfile information and mappings
-
OPENAM-18092: Provide better explanation on default Social Identity Provider configuration
-
OPENAM-18078: Review documentation on endpoints
-
OPENAM-17906: State default path for audit logs on windows
-
OPENAM-17580: Document configuration settings needed for AM 6.5.3+ for WS-Federation token issuer endpoints
-
OPENAM-17535: Authorization guide: Building the sample plugin is showing outdated info
-
OPENAM-16325: Inner Tree node capabilities and restrictions
-
OPENAM-16311: Rework transactional authorization over REST
-
OPENAM-16191: Deployment images lost accuracy between release 13.5 and 6
-
OPENAM-15083: Certificate Auth module needs detailed documentation
AM 7.3
-
Removed instructions on using deprecated chains and modules to set up push authentication. Use authentication trees instead, as described in Push authentication journeys.
-
Updated the format of these release notes to list cumulative changes, instead of reflecting only the changes for the current release.
-
Clarified that AM truncates sequences of whitespace with a single whitespace when creating SAML v2.0 values such as entity IDs.
-
Removed use of deprecated "with" method from Scripted decision node API callbacks.
-
Documented new "Use mixed case for password change messages" property for the LDAP Decision node.
-
Added missing HTTP connector settings to WildFly setup instructions.
-
Updated information about the --acceptLicense parameter in the Set up administration tools steps.
-
Removed access token from header in call to /oauth2/connect/endSession.
-
Documented how to mark configuration properties as passwords in the Node development guide.
-
Improved documentation for dynamic client registration.
-
Improved description of the "Transformation Script" field for the Social Provider Handler node.
-
Documented how to use the amupgrade tool to upgrade configuration.
-
Improved navigation of the authentication nodes configuration reference.
-
Clarified that the ForgeRock Authenticator app supports JPEG and PNG image formats.
-
Clarified location of the setenv script in the Evaluation guide.
-
Updated installation and deployment graphics to show less complex DS installations.
-
Described the role of the "Latest Access Time Update Frequency" property in session management.
Known issues
The following important issues remained open at the time of the latest release for each version.
Releases are cumulative, so if an issue in a previous version isn’t listed as fixed, it remains open in the latest version.
AM 8.0.x
AM 8.0
Issue | Description |
---|---|
AME-31109 | Amster 8.0 import fails with |
OPENAM-23851 | The |
OPENAM-23770 | WebAuthn node flow causes exception instead of |
OPENAM-23763 | Next button not enabled on Configuration Data Store Settings page of install wizard |
OPENAM-23717 | Access token requests fail when default tree uses Set Persistent Cookie node |
OPENAM-23595 | A |
OPENAM-23582 | WebAuthn’s |
OPENAM-23322 | Formatting errors in SAML metadata certificate export |
OPENAM-23155 | Agent group inheritance settings are lost during Amster export/import |
OPENAM-17819 | AM admin UI doesn’t show leading |
OPENAM-17818 | Domain cookie with leading |
AM 7.5.x
AM 7.5.2
Issue | Description |
---|---|
OPENAM-23998 | RhinoJS Date() doesn’t calculate DaylightSavingTime correctly in a next-generation script |
OPENAM-23481 | Token is allowed in raw JSON in introspect request |
OPENAM-23227 | OIDC ID Token Validator node doesn’t work with proxy settings |
OPENAM-23035 | AM should preserve |
OPENAM-22967 | Config upgrader uses OS file encoding causing issues with special characters |
OPENAM-22952 | SMSEntry class should throw exception to avoid NullPointerException |
OPENAM-22812 | Create Object node logs failure at debug level instead of error/warning |
OPENAM-22777 | Deploying AM 7.5.0 on Wildfly 26.x with JDK 17 fails |
OPENAM-22770 | Configuring AES Key Wrap encryption for Tomcat doesn’t work |
OPENAM-22700 | OAuth 2.0 introspect: Multi-audience token only checks against first value |
OPENAM-22670 | DJLDAPv3Repo |
OPENAM-22663 | WS-Federation SLO calls cleanup directive if issued |
OPENAM-22530 | OAUTH_REQUEST_ATTRIBUTES cookie is set for HTTP GET |
OPENAM-22505 | Scripted policy condition fails with "Exception from invocation expected to be handled by promise" |
OPENAM-22386 | Next-generation |
OPENAM-22031 | LDAP Decision node no longer displays locked account message but redirects to failed login |
OPENAM-19968 | IdP-initiated SAML SLO doesn’t invalidate SP-side session using integrated mode |
AM 7.5.1
Issue | Description |
---|---|
OPENAM-23045 | Performance degradation and WS-Federation issues with Java 17 |
OPENAM-23022 | Transaction condition for policy evaluation fails with JWT subject |
OPENAM-22927 | WebAuthn Registration node should be able to use |
OPENAM-22616 | Upgrade from AM 6.5.5 to 7.5 using external CTS fails with error "Message:Service does not exist: GoogleSecretManagerSecretStoreProvider" |
OPENAM-22457 | Amster doesn’t delete all default scripts when using |
OPENAM-22406 | Product ZIP file contains files prefixed with |
OPENAM-19453 | CTS authentication sessions may cause tree to fail if AM server is not configured for sticky load balancing |
OPENAM-14790 | OAuth 2.0 scope policy set fails with LDAP filter environment condition |
AM 7.5
Issue | Description |
---|---|
OPENAM-22151 | Expiration of cache held in StatelessJWTCache could cause Internal Server Error |
OPENAM-22067 | Stateless Session denylist caching and bloomfilter layers removed on config change |
OPENAM-22031 | LDAP Decision node change of behavior when user is locked from password change screen |
OPENAM-21820 | Set policy result TTL to |
OPENAM-21819 | Default value for LinkedIn configuration uses out-of-date scopes |
OPENAM-21683 | AM lets you create anonymous user when it already exists |
OPENAM-15948 | Update DS profiles to add VLV indexes for CTS use |
AM 7.4.x
AM 7.4.2
Issue | Description |
---|---|
OPENAM-23273 | Failure URL not handled using Safari Browser |
OPENAM-23182 | Failure URL not handled after Authentication Session times out using SAML2 Authentication node |
OPENAM-22158 | User creation attributes on LDAP Decision node don’t work |
AM 7.4.1
Issue | Description |
---|---|
OPENAM-22795 | SAML2 encryption method can’t be changed using IDP remote SP host settings |
OPENAM-22674 | Unable to create encrypted PEM that works for Secrets ENCRYPTED_PEM |
OPENAM-22656 | Setting |
OPENAM-22608 | Non-extractable secrets in HSM fail to work on AM for SAML v2.0 XML signing |
OPENAM-22479 | LDAPv3 Userstore Connection doesn’t reconnect without Heartbeat enabled |
OPENAM-22151 | Expiration of cache held in StatelessJWTCache could cause Internal Server Error |
OPENAM-22102 | Adjusting |
OPENAM-22009 | Providing an invalid alias to a secret store mapping breaks AM |
OPENAM-21959 | Unable to create next-generation script in XUI if default script language is Groovy |
OPENAM-21893 | Configurator not releasing resources on failure |
OPENAM-21823 | Page node with Scripted Decision node doesn’t persist |
OPENAM-21741 | SSOADM fails to install or run due to |
OPENAM-21636 | AM is unable to run in FIPS compliance mode due to RAW keys |
OPENAM-19810 | No installed provider supports this key: sun.security.pkcs11.P11Key$P11PrivateKey, or cannot work with unextractable key when using HSM |
OPENAM-16797 | Allow Custom OATH/Push/WebAuthn device integrations to be managed by standard AM interface |
OPENAM-12197 | Custom methods |
OPENAM-4201 | XUI returning messages based on localized responses from REST authentication interface |
AM 7.4
Issue | Description |
---|---|
OPENAM-21569 | Rapid policy evaluation using token of deleted user leads to HTTP 500 error |
OPENAM-21497 | Editing the mappings for an existing secret store throws an exception |
OPENAM-21441 | Policy evaluation with LDAPFilter condition uses config store user instead of identity store user |
OPENAM-21379 | Unable to read SMS config when request is too quick after changing configuration |
OPENAM-21363 | Unable to modify an external data store configuration when set as a global default data store but not referenced in a realm |
OPENAM-21311 | XUI performs logout of newly created session when resuming authentication with no further callbacks |
OPENAM-21294 | Remove openam-core from Soap STS server |
OPENAM-21284 | AM returns a 500 Internal Server Error response when providing an invalid |
OPENAM-21178 | Social authentication "Secret" field not mandatory |
OPENAM-20927 | User info is still cached after removing privilege from group |
OPENAM-15948 | Update DS profiles to add VLV indexes for CTS use |
AM 7.3.x
AM 7.3.3
Issue | Description |
---|---|
OPENAM-23778 | AM issues unindexed search when |
OPENAM-23703 | Custom and native claims in a refreshed, stateless access token don’t match the parent modified stateless access token |
OPENAM-23607 | AuthenticateToTreeConditionAdvice composite_advice not working as expected |
AM 7.3.2
Issue | Description |
---|---|
OPENAM-23345 | Performance issues when accessing SAML entity provider via the admin console with 5k entities |
OPENAM-23022 | Transaction condition for policy evaluation fails with JWT subject |
OPENAM-22988 | Failover doesn’t occur when heartbeat interval is set to 0 |
OPENAM-22927 | WebAuthnRegister should be able to use |
OPENAM-22846 | External app/policy store active/passive LB isn’t working |
OPENAM-22674 | Unable to create encrypted PEM that works for ENCRYPTED_PEM secret |
OPENAM-22608 | Non-extractable secrets in HSM fail to work on AM for SAML2 XML signing |
OPENAM-22479 | LDAPv3 Userstore connection doesn’t reconnect without Heartbeat enabled |
OPENAM-22188 | Heavy load leads to BLOCKED threads traced to the SecurityManager |
OPENAM-22156 | |
OPENAM-22151 | Expiration of cache held in StatelessJWTCache could cause Internal Server Error |
OPENAM-21636 | AM is unable to run in FIPS compliance mode due to RAW keys |
OPENAM-21100 | SAML2 IDP Single logout SLO using HTTP redirect needs request stickiness and HA |
OPENAM-20927 | User info is still cached after removing privilege from group |
OPENAM-20754 | SAML pages |
OPENAM-20234 | Setting |
OPENAM-20143 | False alarms in debug logs when adding pointers in |
OPENAM-19810 | Error: "No installed provider supports this key: sun.security.pkcs11.P11Key$P11PrivateKey" |
OPENAM-19453 | Using CTS Authentication Session may fail authentication journey if AM is not LB sticky |
OPENAM-18307 | Global services don’t reflect changes made by |
OPENAM-18293 | |
OPENAM-18111 | Second login attempt using InnerTreeEvaluatorNode gets previous transient state |
OPENAM-17679 | User text not showing up for IDM Provisioning Service |
OPENAM-17340 | Lack of integration for logger with logback configuration |
OPENAM-12197 | |
OPENAM-4201 | XUI returns messages based on localized responses from REST authentication interface |
AM 7.3.1
Issue | Description |
---|---|
OPENAM-21972 | SAML Artifact Binding is failing in load-balanced deployments such as K18S |
OPENAM-21820 | Set policy result TTL to 0 when using Environment Policy Active Session |
OPENAM-21802 | Email Service value Transport type is overwritten in the static config export |
OPENAM-21773 | The Secondary Configurations tab is missing from the Global Email service |
OPENAM-21772 | No OAuth 2.0 clients displayed in the UI when AM has more than 1000 clients |
OPENAM-21743 | WebAuthn Node with AM XUI: Error is rendered along with Recovery code button |
OPENAM-21734 | WebAuthn Registration Node: UserNotVerifiedException not caught leading to Node failure |
OPENAM-21683 | AM lets you create anonymous user when it already exists |
OPENAM-21682 | OAuth 2.0: AM doesn’t redirect back to the client if consent is denied and no redirect_uri is present in the query parameters |
OPENAM-21535 | The logout at AM’s GUI only targets the root realm instead of the respective sub realm |
OPENAM-21466 | AM using social OIDC authentication fails to verify |
OPENAM-21441 | Policy evaluation with LDAPFilter condition uses config store user instead of identity store user |
OPENAM-21407 | External data store config min connection pool can be set higher than the max connection pool and the config can still be persisted |
OPENAM-21406 | Realm services are no longer accessible after deleting the “External Data Stores” service |
OPENAM-21379 | Unable to read SMS config when request is too quick after changing configuration |
OPENAM-21363 | Unable to modify an external data store config when it is set as a global default datastore but not referenced in any realm |
OPENAM-21354 | OAuth2 provider: Insufficient debug logging for SAML bearer authorization grant |
OPENAM-21352 | Amster |
OPENAM-21327 | Unable to specify property name with a '-' when configuring policy environment conditions |
OPENAM-21322 | AM Console allows Entity Provider to be created with space at end of the name |
OPENAM-21319 | Policy and Application Store Cache is not updated in multiple server deployment when changes are made |
OPENAM-21309 | DefaultDataStoreConfigurationManager shouldn’t establish DS connection in FBC mode |
OPENAM-21305 | Dynamic Client Registration does not permit setting Client ID Token Public Encryption key |
OPENAM-21294 | Remove openam-core from Soap-STS server |
OPENAM-21278 | Amster doesn’t use console or accept piped input in interactive mode |
OPENAM-21273 | TOTP Registration information no longer contains Issuer in the otpauth’s PATH |
OPENAM-21270 | OAuth2 resource owner password credential grant (ROPC) token response does not tell reason for failure |
OPENAM-21204 | Scripted node - idRepository.setAttribute does not execute catch block when setting userPassword attribute fails |
OPENAM-21193 | AM-Config-upgrader amupgrade cannot work on Windows |
OPENAM-21191 | In AM 7.3, web agent sessions have a lifetime of 42 years |
OPENAM-21187 | AM agent UI fails when an agent configuration present in FBC and external store is used |
OPENAM-21180 | Amster should set file encoding to UTF-8 internally |
OPENAM-21151 | Amster command cannot operate on HostedSaml2EntityProvider |
OPENAM-21137 | Performing Amster import with |
OPENAM-21127 | Config Upgrader Exception CreateSecretStores at 6.5.x-to-7.x.x on Windows 2019 |
OPENAM-21125 | Installing AM using Tomcat under local system account fails with Amster RSA file issue |
OPENAM-21114 | Trusted JWT Issuer does not provide correct error and lacks information on defined behaviour |
OPENAM-21085 | Undefined bindings in Groovy scripts are evaluated as defined |
OPENAM-21076 | KerberosNode and Windows SSO module use System.setProperty to set kerberos realm |
OPENAM-21055 | Unable to get AMIdentityRepository in custom code in 7.3 |
OPENAM-21053 | UserId is missing from |
OPENAM-21046 | Insufficient logging in Create and Patch Object nodes |
OPENAM-21003 | IE11 not working during SAML tree authentication due to use of Arrow function |
OPENAM-20976 | Consent Collector node "Next" button text localization not working |
OPENAM-20975 | OATH Registration node "Next" button text localization not working |
OPENAM-20937 | Migration from OATH module to Auth Tree using OATH Token Verifier causes OathVerificationException: null |
OPENAM-20920 | NPE in |
OPENAM-20899 | ConfigurationAttributes class is exposed but there is no class file or Javadoc available for it |
OPENAM-20896 | Supported AMIdentity API getMembership and others changed |
OPENAM-20809 | IE11 doesn’t work with AM 7.2.1-RC1 and AM 7.3.0 |
OPENAM-20766 | Insufficient debug logging to troubleshoot WS-Federation issuing party issue |
OPENAM-19998 | Performing an Amster export on AM running in FBC mode generates new configuration which breaks the FBC upgrader |
OPENAM-20751 | Authentication errors with AM on Windows and Connect Error in Session log |
OPENAM-20703 | Tree secure state retained unnecessarily long |
OPENAM-20647 | JavaScript throws wrong exception when trying to access a non-allowlisted class’s static method |
OPENAM-20572 | Enduser password reset email field is not validated |
OPENAM-20557 | OATH recovery codes are not displayed if Registration Node is followed by OATH Token Verifier Node |
OPENAM-20556 | OATH recovery codes aren’t displayed when “Store device data in shared state” is selected in OATH Registration Node |
OPENAM-20543 | Display page node header, description and footer in correct default language |
OPENAM-20520 | httpClient sent request is not returning the correct response object |
OPENAM-20517 | Device Match Node - Acceptable Variance Configuration |
OPENAM-20516 | Create Tree command fails when using POST with |
OPENAM-20515 | Delete fails for Authentication Node, when its _id is not a UUID |
OPENAM-20513 | Random login failure when using registration tree |
OPENAM-20496 | Null refresh_token for OAuth 2.0 token exchange delegation case |
OPENAM-20329 | Forgerock JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) not spec compliant |
OPENAM-20324 | Default install of AM does not have the updated identity classes in the policy script whitelist |
OPENAM-20234 | Setting the LDAP Connection Heartbeat Interval to zero breaks persistent search |
OPENAM-20314 | Social Provider Handler Node / Social Identity Provider Service - the search for existing link is hard coded to Sub claim (regression) |
OPENAM-18111 | Next attempt in InnerTreeEvaluatorNode will get previous transient state |
OPENAM-17679 | User text not showing up for IDM Provisioning Service |
OPENAM-17340 | AM 7 lack of integration for logger from config for logback |
OPENAM-15948 | Update DS profiles to add VLV indexes for CTS use |
OPENAM-15410 | Enable modifying Access Token audience claim in OIDC |
AM 7.3
OPENAM-20751 | Authentication errors with AM on Windows and connection errors in session log |
OPENAM-20703 | Tree secure state retained unnecessarily long |
OPENAM-20647 | Incorrect exception thrown when trying to access the static method of a non-allowlisted class |
OPENAM-20572 | End user password reset email field is not validated |
OPENAM-20557 | OATH recovery codes are not displayed if Registration node is followed by OATH Token Verifier node |
OPENAM-20556 | OATH recovery codes are not displayed if |
OPENAM-20543 | Display page node header, description, and footer in correct default language |
OPENAM-20520 | HttpClient sent request is not returning the correct response object |
OPENAM-20517 | Acceptable variance configuration not working for Device Match node |
OPENAM-20516 | Create tree command fails when using POST with |
OPENAM-20515 | Delete fails for Authentication node, when its |
OPENAM-20513 | Random login failure when using registration tree |
OPENAM-20496 | Null |
OPENAM-20324 | Default install of AM does not have the updated identity classes in the policy script whitelist |
OPENAM-20299 | |
OPENAM-20188 | Using session cookie created before AM is restarted |
OPENAM-20077 | Access token modification script does not have access to client for client_credential grant flow if realm configured to ignore profile |
OPENAM-19988 | Using an |
OPENAM-19878 | ArrayIndexOutOfBoundsException in SAML2 |
OPENAM-19829 | Build fails on module |
Limitations
The following limitations are inherent to the design, not bugs to be fixed.
Redundant files
The installation and upgrade wizards use three libraries that you should remove for security reasons.
When your installation or upgrade is complete, remove the following .jar files from the WEB-INF/lib directory:
- click-extras-2.3.0.jar
- click-nodeps-2.3.0.jar
- velocity-1.7.jar
These files are used only by the wizards. Removing them will have no effect on your installed instance.
Evaluation installations
Sometimes, installing AM for evaluation purposes will fail with a message similar to the following if the JDK’s default truststore’s permissions are 444:
$JAVA_HOME/lib/security/cacerts (Permission denied), refer to install.log under /path/to/install.log for more information.
To work around this issue, locate the truststore that your container is using and change its permissions to 644 before installing AM:
$ sudo chmod 644 $JAVA_HOME/lib/security/cacerts
You can change the permissions to their original settings after you have installed AM.
Identity and data store scaling
The connection strings to the data or identity stores are static and not hot-swappable. This means that, if you expand or contract your DS affinity deployment, AM will not detect the change. To work around this, either:
- Manually add or remove the instances from the connection string and restart AM or the container where it runs.
- Configure a DS proxy in front of the DS instances to distribute data across many DS shards, and configure the proxy address in the connection string.
Web Authentication (WebAuthn)
AM doesn’t support the following functionality, as described in the Web Authentication specification:
- Registration
  - AM doesn’t support Token Binding.
  - Web Authentication extensions aren’t supported.
  - Credential ID values aren’t verified against the credential IDs registered with all existing users.
  - The ECDAA signature of the Packed attestation format isn’t supported.
- Authentication
  - Token Binding isn’t supported.
  - Web Authentication extensions aren’t supported.
  - Signature counters aren’t supported.
Refer to MFA: Web Authentication (WebAuthn) for more information.
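To make the last limitation concrete, the following is an added example (not PingAM code) of the signature-counter check that a WebAuthn relying party performs under the specification and that AM, per the note above, does not: it reads signCount from the authenticator data and rejects an assertion whose counter fails to advance, the spec’s signal that the authenticator may have been cloned. The RP ID, flag values and counter values are constructed sample inputs.

```python
import hashlib
import struct

# WebAuthn authenticator data has a fixed 37-byte prefix:
# rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian),
# optionally followed by attested credential data and extensions.
SIGN_COUNT_OFFSET = 33
MIN_AUTH_DATA_LEN = 37
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified


def parse_sign_count(auth_data: bytes) -> int:
    """Return the 32-bit signature counter carried in authenticator data."""
    if len(auth_data) < MIN_AUTH_DATA_LEN:
        raise ValueError("authenticator data shorter than the fixed 37-byte prefix")
    return struct.unpack(">I", auth_data[SIGN_COUNT_OFFSET:SIGN_COUNT_OFFSET + 4])[0]


def check_sign_count(stored: int, received: int) -> tuple[bool, str]:
    """Apply the spec's rule: once either side's counter is non-zero, the
    received value must be strictly greater than the stored one. A counter
    that does not advance may mean the private key has been cloned, so the
    assertion is rejected and the credential should be investigated."""
    if stored == 0 and received == 0:
        return True, "authenticator does not implement a signature counter"
    if received > stored:
        return True, "counter advanced"
    return False, "counter did not advance: possible cloned authenticator"


def verify_counter(stored: int, auth_data: bytes) -> tuple[bool, int, str]:
    """Parse and check the counter; the int returned is the value the relying
    party should persist (the new counter on success, the old one on failure)."""
    received = parse_sign_count(auth_data)
    ok, reason = check_sign_count(stored, received)
    return ok, (received if ok else stored), reason


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build minimal authenticator data for offline testing (constructed sample:
    no attested credential data, no extensions)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    stored_count = 41
    genuine = make_auth_data("example.com", FLAG_UP | FLAG_UV, 42)
    replayed = make_auth_data("example.com", FLAG_UP | FLAG_UV, 41)
    print(verify_counter(stored_count, genuine))   # (True, 42, 'counter advanced')
    print(verify_counter(stored_count, replayed))  # (False, 41, 'counter did not advance: possible cloned authenticator')
```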
AM admin UI access requires the Realm Admin privilege
In this version of AM, administrators can use the AM admin UI as follows:
- Delegated administrators with the Realm Admin privilege can access full AM admin UI functionality within the realms they administer. In addition, delegated administrators in the Top Level Realm who have this privilege can access AM’s global configuration.
- Administrators with fewer privileges, such as the Policy Admin privilege, can’t access the AM admin UI.
- The top-level administrator, such as amAdmin, has access to full AM admin UI functionality in all realms and can access AM’s global configuration.
Specifying keys in JWT headers
AM ignores keys specified in JWT headers, such as jku and jwe. Configure the public keys or certificates in AM instead, as explained in the relevant sections of the documentation.
Different AM versions within a site
Different AM versions within a site aren’t supported. Don’t run different versions of AM together in the same AM site.
Special characters in policy, application, or referral names
Don’t use special characters in policy, application, or referral names (for example, "my+referral"). AM returns a 400 Bad Request error. The special characters are:
- double quotes (")
- plus sign (+)
- comma (,)
- less than (<)
- equals (=)
- greater than (>)
- backslash (\)
- null (\u0000)
XACML policy import and export from different vendors
AM can only import XACML 3.0 files that were created by an AM instance, or that have had minor manual modifications, due to the reuse of some XACML 3.0 parameters for non-standard information.
Amster
Amster has the following known limitations:
- No support for load balanced deployments
Amster can’t connect to a load balancer URL. You must connect Amster directly to a single AM instance. Using a load balancer could send sequential commands to different AM instances, and could result in concurrency issues when writing to the underlying configuration store.
- Bulk import to external application stores with affinity
If affinity is enabled for an external application data store, bulk import intermittently fails with errors similar to the following:
Resource path 'http////////eea87a38e3ca476fa93a3669375ada3a' contains empty path elements
Before using Amster for a bulk import to an application store, disable data store affinity, or remove the load balancer from the application store deployment. You can re-enable affinity when the import has completed.
- Importing resources containing slash characters can fail
Some PingAM resources have names that can contain slash characters (/), for example policy names, application names, and SAML v2.0 entities. These slash characters can cause unexpected behavior and failures in Amster when importing into PingAM instances running on Apache Tomcat.
To work around this issue, configure Apache Tomcat 8.5 or 9 to allow encoded slash characters by updating the CATALINA_OPTS environment variable. For example:
On Unix/Linux systems:
$ export CATALINA_OPTS="-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true"
$ startup.sh
On Windows systems:
C:\> set CATALINA_OPTS="-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true"
C:\> startup.bat
It’s strongly recommended that you do not enable org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH when running AM in production, as it introduces a security risk on Apache Tomcat. Additionally, this setting isn’t supported on Apache Tomcat 10. Learn more in How do I safely enable the org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH setting in PingAM? in the Knowledge Base.
- [INFO] messages showing on SuSE on Amster start up
Running Amster on SuSE may produce [INFO] messages, for example:
# ./amster
[INFO] Unable to bind key for unsupported operation: up-history
[INFO] Unable to bind key for unsupported operation: down-history
[INFO] Unable to bind key for unsupported operation: up-history
[INFO] Unable to bind key for unsupported operation: down-history
OpenAM Shell (version build build, JVM: version)
Type ':help' or ':h' for help.
-----------------------------------------------------
am>
These messages are caused by the keyboard mappings configured in the /etc/inputrc file and can safely be ignored, as they don’t affect functionality.
Interface stability
Interfaces labeled as Evolving in the documentation may change without warning. In addition, the following rules apply:
- All Java APIs are Evolving, except com.* packages, which are Internal/Undocumented.
- Interfaces that aren’t described in released product documentation should be considered Internal/Undocumented.
Also refer to the Deprecated and Removed features.
Product release levels
Ping Identity defines Major, Minor, Maintenance, and Patch product release levels. The version number reflects the release level. The release level tells you what sort of compatibility changes to expect.
Release Label | Version Numbers | Characteristics |
---|---|---|
Major | Version: x[.0.0] (trailing 0s are optional) | |
Minor | Version: x.y[.0] (trailing 0s are optional) | |
Maintenance, Patch | Version: x.y.z[.p] The optional p reflects a Patch version. | |
Product stability labels
Ping Advanced Identity Software supports many features, protocols, APIs, GUIs, and command-line interfaces. Some of these are standard and very stable. Others offer new functionality that is continuing to evolve.
Ping Identity acknowledges you invest in these features and interfaces and so need to understand when they are expected to change. For that reason, we define stability labels and use these definitions in Ping Advanced Identity Software products.
Stability Label | Definition |
---|---|
Stable | This documented feature or interface is expected to undergo backwards-compatible changes only for major releases. Changes may be announced at least one minor release before they take effect. |
Evolving | This documented feature or interface is continuing to evolve and so is expected to change, potentially in backwards-incompatible ways even in a minor release. Changes are documented at the time of product release. While new protocols and APIs are still in the process of standardization, they are Evolving. This applies, for example, to recent Internet-Draft implementations and to newly developed functionality. |
Legacy | This feature or interface has been replaced with an improved version, and is no longer receiving development effort from Ping Identity. You should migrate to the newer version; however, the existing functionality will remain. Legacy features or interfaces will be marked as Deprecated if they are scheduled to be removed from the product. |
Deprecated | This feature or interface is deprecated, and likely to be removed in a future release. For previously stable features or interfaces, the change was likely announced in a previous release. Deprecated features or interfaces will be removed from Ping Identity products. |
Removed | This feature or interface was deprecated in a previous release, and has now been removed from the product. |
Technology Preview | Technology previews provide access to new features that are considered as new technology that is not yet supported. Technology preview features may be functionally incomplete, and the function as implemented is subject to change without notice. DO NOT DEPLOY A TECHNOLOGY PREVIEW INTO A PRODUCTION ENVIRONMENT. Customers are encouraged to test drive the technology preview features in a non-production environment, and are welcome to make comments and suggestions about the features in the associated forums. Ping Identity does not guarantee that a technology preview feature will be present in future releases; the final complete version of the feature is liable to change between preview and the final version. Once a technology preview moves into the completed version, said feature will become part of Ping Advanced Identity Software. Technology previews are provided on an “AS-IS” basis for evaluation purposes only, and Ping Identity accepts no liability or obligations for the use thereof. |
Internal/Undocumented | Internal and undocumented features or interfaces can change without notice. If you depend on one of these features or interfaces, contact support to discuss your needs. |
Getting support
Ping Identity provides support services, professional services, training, and partner services to assist you in setting up and maintaining your deployments. Find a general overview of these services at https://www.pingidentity.com.
Ping Identity has staff members around the globe who support our international customers and partners. For details on Ping Identity’s support offering, visit https://www.pingidentity.com/support.
Ping Identity publishes comprehensive documentation online:
- The Ping Identity Knowledge Base offers a large and increasing number of up-to-date, practical articles that help you deploy and manage Ping Advanced Identity Software. While many articles are visible to everyone, Ping Identity customers have access to much more, including advanced information for customers using Ping Advanced Identity Software in a mission-critical capacity.
- Ping Identity product documentation, such as this document, aims to be technically accurate and complete with respect to the software documented. It is visible to everyone and covers all product features and examples of how to use them.
Security advisories
Ping Identity issues security advisories in collaboration with our customers to address any security vulnerabilities transparently and rapidly.
Ping Identity’s security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.
You can find security advisories in the Knowledge Base.
Release timeline
Release date | AM version | Release type(1) |
---|---|---|
2025-01-10 | 7.5.2 | Maintenance |
2025-06-17 | 7.3.3 | Maintenance |
2025-04-17 | 7.4.2 | Maintenance |
2025-04-17 | 8.0.1 | Maintenance |
2025-04-07 | 8.0 | Major |
2024-12-18 | 7.3.2 | Maintenance |
2024-12-12 | 7.5.1 | Maintenance |
2024-08-28 | 7.4.1 | Maintenance |
2024-06-26 | 7.2.2 | Maintenance |
2024-04-02 | 7.5 | Minor |
2024-02-26 | 7.3.1 | Maintenance |
2023-10-02 | 7.4 | Minor |
2023-07-11 | 7.1.4 | Maintenance |
2023-04-04 | 7.3 | Minor |
2023-04-04 | 7.2.1 | Maintenance |
2022-10-13 | 7.1.3 | Maintenance |
2022-08-02 | 6.5.5 | Maintenance |
2022-06-27 | 7.2 | Minor |
2022-03-15 | 7.1.2 | Maintenance |
2021-12-06 | 7.1.1 | Maintenance |
2021-10-18 | 6.5.4 | Maintenance |
2021-05-27 | 7.0.2 | Maintenance |
2021-05-19 | 7.1 | Minor |
2020-11-03 | 7.0.1 | Maintenance |
2020-09-16 | 6.5.3 | Maintenance |
2020-08-10 | 7.0 | Major |
2020-04-30 | 5.5.2 | Maintenance |
2020-04-03 | 5.5.3 | Maintenance |
2020-02-17 | 6.5.2.3 | Patch |
2019-10-31 | 6.5.2.2 | Patch |
2019-08-27 | 6.5.2.1 | Patch |
2019-06-20 | 6.5.2 | Maintenance |
2019-06-04 | 6.0.0.7 | Patch |
2019-04-30 | 6.5.0.2 | Maintenance |
2019-04-11 | 6.5.1 | Maintenance |
2019-01-15 | 6.5.0.1 | Maintenance |
2018-12-06 | 6.0.0.6 | Patch |
2018-11-28 | 6.5 | Minor |
2018-10-24 | 6.0.0.5 | Patch |
2018-08-24 | 6.0.0.4 | Patch |
2018-07-30 | 6.0.0.3 | Patch |
2018-06-18 | 6.0.0.2 | Patch |
2018-05-25 | 6.0.0.1 | Patch |
2018-05-09 | 6.0 | Major |
2017-10-27 | 5.5.1 | Maintenance |
2017-10-23 | 5.5 | Minor |
(1) For details about the scope of expected changes for different release types, see Interface stability.