PingAM Release Notes

Requirements

Files to download

PingAM software is available to download from Backstage.

The following table describes the files available for download.

PingAM software
File	Description
`AM-8.0.1.zip`	Cross-platform distribution including all software components. Find a list of the files in the `.zip` archive in Download AM.
`AM-8.0.1.war`	Deployable web application archive file.
`AM-SSOAdminTools-5.1.3.29.zip`	The .zip file that contains tools to manage AM from the command line.
`AM-SSOConfiguratorTools-5.1.3.29.zip`	The .zip file that contains tools to configure AM from the command line.
`Amster-8.0.1.zip`	The .zip file that contains the Amster command-line interface.

Files for previous versions

File AM 7.3 AM 7.4 AM 7.5

File	AM 7.3	AM 7.4	AM 7.5
AM `.zip`	AM-7.3.3.zip	AM-7.4.2.zip	AM-7.5.2.zip
AM `.war`	AM-7.3.3.war	AM-7.4.2.war	AM-7.5.2.war
AM SSO Admin Tools	SSOAdminTools-5.1.3.28.zip	SSOAdminTools-5.1.3.29.zip	SSOAdminTools-5.1.3.30.zip
AM SSO Configurator Tools	SSOConfiguratorTools-5.1.3.28.zip	SSOConfiguratorTools-5.1.3.29.zip	SSOConfiguratorTools-5.1.3.30.zip
Amster `.zip`	Amster-7.3.3.zip	Amster-7.4.2.zip	Amster-7.5.2.zip

AM .zip

AM-7.3.3.zip

AM-7.4.2.zip

AM-7.5.2.zip

AM .war

AM-7.3.3.war

AM-7.4.2.war

AM-7.5.2.war

AM SSO Admin Tools

SSOAdminTools-5.1.3.28.zip

SSOAdminTools-5.1.3.29.zip

SSOAdminTools-5.1.3.30.zip

AM SSO Configurator Tools

SSOConfiguratorTools-5.1.3.28.zip

SSOConfiguratorTools-5.1.3.29.zip

SSOConfiguratorTools-5.1.3.30.zip

Amster .zip

Amster-7.3.3.zip

Amster-7.4.2.zip

Amster-7.5.2.zip

Operating systems

AM 8 software is supported on actively maintained versions of the following operating systems:

Amazon Linux
Debian
Red Hat Enterprise Linux
Rocky Linux
SUSE Linux Enterprise
Ubuntu Linux
Windows Server 2019 and 2022

AM 7.5 and earlier software is supported on the following operating systems:

Operating system	AM 7.3	AM 7.4
Amazon Linux	2018.03	2018.03, 2023
Debian Linux	Not supported	11
Red Hat Enterprise Linux	8, 9
Rocky Linux	8, 9
SuSE	12, 15	15
Ubuntu	18.04 LTS, 20.04 LTS, 22.04 LTS, 24.04 LTS
Windows Server	2016, 2019, 2022

Web and Java agents

The following table summarizes the minimum recommended version of web and Java agents:

Minimum agent version recommended
Agent	Version
Web agents	2023.11.2
Java agents	2023.11.2

AM supports several versions of web agents and Java agents. You can find information about supported container versions and other platform requirements related to agents in the Web Agents Release Notes and the Java Agents Release Notes.

Java

PingAM software is supported on the following Java environments:

Vendor	AM 7.3	AM 7.4	AM 7.5	AM 8.0
OpenJDK ⁽¹⁾	11, 17		17	17, 21
Oracle Java	11, 17		17	17, 21

⁽¹⁾ AM supports OpenJDK-based distributions, including:

AdoptOpenJDK/Eclipse Temurin Java Development Kit (Adoptium)
Amazon Corretto
Azul Zulu
Red Hat OpenJDK

Ping Identity tests most extensively with AdoptOpenJDK/Eclipse Temurin. Use the HotSpot JVM, if possible.

Always use a JVM with the latest security fixes.

Application containers

This table summarizes supported web application containers and their required versions:

Container	AM 7.3	AM 7.5	AM 8.0
Apache Tomcat	8.5, 9		10
IBM WebSphere Liberty	22.0.0.4		24.0.0.6
JBoss Enterprise Application Platform	7.4		8.x
Wildfly	15, 26	26	30

The web application container must be able to write to its own home directory, where AM stores configuration files.

Java Agents and Web Agents require the WebSocket protocol to communicate with AM.

Make sure the container where AM runs, the web server/container where the agents run, and your network infrastructure all support the WebSocket protocol.

Read your network infrastructure and web server/container documentation for more information about WebSocket support.

Identity stores

You can configure AM to use any LDAPv3-compliant directory server as an identity store. This table lists the supported directory servers for storing AM identities.

You can find information on configuring these directory servers in identity stores.

Policies, applications, CTS tokens, and UMA-related information can only be stored in a PingDS directory server.
Static configuration can be stored in a PingDS directory server or, from AM 8.0, in JSON files on the local file system.

Supported identity stores
Directory server	AM 7.3	AM 7.4	AM 7.5	AM 8.0
Embedded PingDS ⁽¹⁾⁽²⁾	7.3	7.4	7.5	N/A
External PingDS ⁽²⁾	6 and later			7.3.1 and later
PingDirectory	9.3
Oracle Unified Directory	11g R2			12c
Oracle Directory Server Enterprise Edition	11g			N/A
Microsoft Active Directory	2016, 2019			2019, 2022, 2025
IBM Tivoli Directory Server	6.4			N/A

⁽¹⁾ Demo and test environments only in AM 7.x. Unsupported since AM 8.
⁽²⁾ PingDS, formerly named ForgeRock Directory Server.

Third-party software

Ping Identity supports using the following third-party software when logging Common Audit events:

Third-party logging software
Software	Version
Java Message Service (JMS)	2.0 API
MySQL JDBC Driver Connector/J	8 (at least 8.0.19)
Splunk	8.0 (at least 8.0.2)

Elasticsearch and Splunk have native or third-party tools to collect, transform, and route logs. Examples include Logstash and Fluentd.

Consider using these alternatives as they have advanced, specialized features focused on getting log data into the target system. They decouple the solution from the Ping Advanced Identity Software systems and version, and provide inherent persistence and reliability. You can configure the tools to avoid losing audit messages if a Ping Advanced Identity Software service goes offline, or delivery issues occur.

These tools can work with Common Audit logging:

Configure the server to log messages to standard output, and route from there.
Configure the server to log to files, and use log collection and routing for the log files.

Ping Identity supports using the following third-party software when monitoring AM servers:

Third-party monitoring software
Software	Version
Grafana	5 (at least 5.0.2)
Graphite	1
Prometheus	2.0

For hardware security module (HSM) support, AM requires a client library that conforms to the PKCS#11 standard v2.20 or later.

Supported browsers

AM supports the latest, stable versions of the following browsers:

Google Chrome
Microsoft Edge
Firefox
Safari

Ping Identity doesn’t provide support for these browsers:

Internet Explorer 11
Microsoft Edge in Internet Explorer compatibility mode
Embedded browsers within any application (for example, within Citrix environments or Office 365)

Ping Identity optimizes its platform for modern browsers to ensure the best user experience, security, and performance. If you encounter issues while using the Ping Advanced Identity Software, ensure you use a supported, up-to-date browser for the optimal experience.

Special requests

If you have a special request regarding support for a combination not listed here, contact support.

What’s new

New in AM 8.0.x

AM 8.0.1

AM 8.0.1 is a maintenance release that introduces functional enhancements and fixes.

Ability to refresh device IDs

The Push Notification service and the Ping SDKs now support the ability to refresh device IDs in user device profiles, rather than having to delete and recreate device profiles when a device ID changes.

You can find more information in Refresh push device IDs.

AM 8.0

AM 8.0 is a major release that introduces new features, functional enhancements, and fixes.

AM 8 introduces many new features and changes, but some key changes to be aware of are:

Tomcat 10 is the only supported Tomcat version.
Authentication modules and chains have been removed.
Embedded DS has been removed.

Make sure you review Incompatible changes and Removed in addition to this section before upgrading.

FBC in production deployments

Previous versions of AM provided a technology preview of the file-based configuration (FBC) migration utility.

In AM 8.0, FBC is supported in production deployments.

Learn more in the following topics:

Node Designer

AM 8.0 introduces a new way to create authentication node types that can be reused and shared across journeys and deployments.

The Node Designer lets you create scripted node types that have the following benefits:

Configurable bindings
Access to next-generation script bindings
Potential for less code repetition
Easier and quicker to innovate custom node types with scripting

Learn more in Custom scripted nodes.

Dynamic client registration script

You can configure AM to run a custom script after dynamic client registration. Create a next-generation script to modify a client profile after a successful create, update, or delete operation.

Learn more in Customize dynamic client registration.

Support for DER-formatted certificates for OAuth 2.0 client authentication

AM now accepts X.509 certificates in both PEM and DER format to authenticate OAuth 2.0 clients.

Learn more in Authenticate clients with mutual TLS.

RADIUS server configuration update

The RADIUS server service has a new configuration property that enforces the inclusion of the Message-Authenticator attribute in requests and responses.

Use this attribute to verify incoming RADIUS access requests to prevent spoofing.

IDM policy condition

Authorization policies have a new environment condition type named IDM User. This condition type lets you query an IDM resource to form the basis of the policy evaluation. AM must be part of a Ping Advanced Identity Software deployment to use this environment condition.

Backchannel authentication

Backchannel authentication lets a third-party federation service initiate authentication with AM on behalf of a user. The federation service collects the user data and transmits this data directly to AM. AM redirects the user to complete the authentication process without having to re-enter the collected data.

Learn more in Backchannel authentication.

FIDO certification

PingAM is now a FIDO Certified Provider. PingAM has passed the FIDO Alliance’s rigorous testing program and meets their requirements regarding security and interoperability with other FIDO components.

Changes to PingAM in this regard include the new WebAuthn Metadata service and enhancements to the WebAuthn nodes.

Find more information about configuring AM for FIDO in Web authentication (WebAuthn).

WebAuthn Metadata service

The WebAuthn Metadata service lets you configure how AM obtains FIDO2 metadata at the journey level.

Use the WebAuthn Registration node’s FIDO Certification Level setting to force AM to check the metadata service for the device’s accepted certification level.

Learn more in WebAuthn Metadata service.

WebAuthn nodes

The following improvements have been made to the WebAuthn nodes:

WebAuthn Authentication node

On successful authentication, the WebAuthn Authentication node now adds a webauthnAssertionInfo object to transient state that stores authenticator data.
A new node setting, Detect sign count mismatch, lets you compare the authenticator’s sign count (signature counter) with the sign count stored in the user’s profile.

The sign count is useful for detecting potentially cloned devices.

If the authenticator sign count is less than or equal to the stored value, evaluation continues to the new Sign Count Mismatch outcome.

WebAuthn Registration node

On successful registration, the WebAuthn Registration node now adds the following objects to transient state:
- webauthnAttestationInfo: Stores authenticator data.
- webauthnDeviceAaguid: Stores the Authenticator Attestation Global Unique Identifier (AAGUID).
The new FIDO Certification Level setting lets you use the configured WebAuthn Metadata service to check the device’s FIDO certification level meets a minimum level requirement during registration.

Device profile settings

The following attributes are now stored in device profiles:

WebAuthn device profile

signCount The device sign count (signature counter).

Push / WebAuthn / Oath device profiles

createdDate: The date the device was registered and the profile created.
lastAccessDate: The date the device was last used to sign in successfully.

Ability to trace the request flow through Ping Advanced Identity Software

When a user interacts with Ping Advanced Identity Software, the request can travel through multiple services before it completes. Distributed tracing lets you monitor the request flow through Ping Advanced Identity Software.

Tracing provides a single view of a request’s journey and makes it easier to locate bottlenecks and errors.

Learn more in Trace incoming and outgoing requests.

Improved REST API for transactional authorization

For transactional authorization requests, you can now provide an authIndexType of transaction and an authIndexValue of transactionId to the authenticate endpoint. This new parameter lets you complete transactional authorization without sending URL-encoded XML over REST.

For example:

curl \
--cookie "iPlanetDirectoryPro=sso-cookie" \
--request POST \
--header "Content-Type: application/json" \
--header "Accept-API-Version: resource=2.0, protocol=1.0" \
'https://am.example.com:8443/am/json/realms/root/authenticate?authIndexType=transaction&authIndexValue=transactionId'

The behavior of the new parameter is identical to the existing parameter:

…/authenticate?authIndexType=composite_advice&authIndexValue=URL-encoded-XML,

The existing parameter remains supported.

Certificate Collector node supports DER certificates

For certificates supplied in HTTP headers, the Certificate Collector node now supports certificates in DER format in addition to PEM format. There are no configuration changes in the node itself.

The certificate format is inferred from the encoded certificate contents. The supported DER format encoding is compliant with RFC 9440.

OAuth 2.0 application journeys

You can now associate an OAuth 2.0 client with a specific authentication journey (tree). The associated journey is always run, regardless of existing sessions or configured authentication context class reference (acr) values.

You can only associate a tree with OAuth 2.0 applications configured for the Authorization Code, Implicit, and Device Code grant types.

To access information about the incoming OAuth 2.0 request, configure your tree to include a Scripted Decision node that queries the oauthApplication script binding.

Learn more in client application registration.

SAML 2.0 application journeys

Configure the remote SP so that a specific authentication journey (tree) is always run for users authenticating with your SAML 2.0 app. The federation flow invokes the associated journey regardless of any existing sessions or configured authentication context.

You can access the requested authentication context and configured mappings by including a Scripted Decision node in the journey that queries the new samlApplication script binding.

Learn more in Configure a SAML 2.0 application journey.

Customize SAML NameID mapping with a script

You can now use a script to customize the NameID attribute in the SAML 2.0 assertion per SP. Create a next-generation script of type Saml2 NameID Mapper and configure the remote SP entity to use the custom script.

You can find more information in NameID mapper.

Http Client service

The new Http Client service lets you create named instances that you can reference from a next-generation script using the httpclient binding.

On each instance, define secret labels that map to certificates in secret stores and are used during mTLS connections.

The service also provides settings to override connection and response timeouts for HTTP requests and to configure certificate checks per instance.

Learn more in Http Client service.

Default trees

The following new default trees have been added to AM:

ldapService: replaces the ldapService authentication chain.
Agent: replaces the Application module.
amsterService: replaces the amsterService authentication chain.

These trees provide direct replacements for the corresponding default modules and chains. This ensures any authentication processes that rely on them are unaffected by the removal of modules and chains in this release.

Learn more about these trees in Default trees.

Configure trees to run to completion

Set the mustRun property to force trees to always run to completion regardless of the existing user sessions.

Learn more in Configure an authentication tree to always complete.

Configure no session trees

Set the noSession property to create trees that don’t result in an authenticated session when they successfully complete.

Learn more in Configure a no session tree.

Session duration and timeout control

We’ve made changes to AM to provide greater control over journey session duration and authenticated session timeouts.

Journey session duration

You can now override global and realm level duration values in a tree or a node:

For the maximum duration, you can override timeout settings using the new Update Journey Timeout node or by setting the treeTimeout property in the tree configuration.
For the suspended duration, you can override the suspended duration in the Email Suspend node or in a Scripted Decision node using the action object. Learn more in Suspend and resume journeys.

Find out how AM derives the journey session duration as a result of these changes in Configure suspended authentication.

Authenticated session timeouts

You can now override global and realm level timeout settings (maximum session time and maximum idle time) in a tree or a node.

In nodes, you can override the session timeouts in the Set Session Properties node or in a Scripted Decision node using the withMaxIdleTime and withMaxSessionTime methods. Learn more in Set authenticated session timeouts.
In a tree, you can override the session timeouts by setting the maximumSessionTime and maximumIdleTime properties in the tree configuration.

Find out how AM derives the authenticated session timeouts as a result of these changes in Configure authenticated session timeout settings.

You can now configure a social provider authentication with LINE login. There are two new social provider configuration profiles, LINE (Browser) and LINE (Native), for browser and mobile app integrations.

The LINE (Browser) integration must not reference a well-known endpoint to ensure AM verifies signatures using the client secret instead.

Next-generation script bindings

The following next-generation script bindings have been improved for this release:

Common bindings

cookieName: Access the name of the cookie as a string to perform session actions such as ending all sessions for a user.
httpClient:
- Use the new form attribute to send url-encoded form requests.
- Reference an instance of the new Http Client service to enable mTLS connections to external services.
policy: Lets you access the policy engine API and evaluate policies from within scripts.
secrets: Reference secrets and credentials stored in secret stores.
utils: Use this new utility binding to perform functions such as:
- Base64 encode/decode strings
- Generate random values and UUIDs
- Encrypt and decrypt values
- Compute hash values
- Sign and verify data

Make sure you don’t use the same name for a local variable as that of a common binding in your script. These names are reserved for common bindings only.

If you have already defined a local variable with the same name as one that’s added to common bindings in a more recent version of PingAM; for example, utils, you must rename the variable in your scripts before you upgrade.

Learn more in Script bindings.

Scripted decision node bindings

action:
- Use the new suspend(String message) and suspend(String message, SuspensionLogic logic) methods to suspend the current authentication session and send a message to the user.
  
  You can also implement custom logic with the resume URI, for example, to send an email or SMS using the HTTP client service.
- You can now access the following methods through the ActionWrapper object to return additional information to the client:
  - withHeader(String header)
  - withDescription(String description)
  - withStage(String stage)
jwtAssertion and jwtValuation:
- You can now generate JWT assertions with custom non-registered claims.
- Data fields are more aligned with the JWT specification, so you can now specify separate values for issuer and subject. These replace the existing accountId.
- The bindings work with RS256 or HS256 signed JWTs, and JWTs that are encrypted using the A128CBC-HS256 algorithm.
nodeState: You can now merge data, including objectAttributes values, into existing state with the new mergeShared and mergeTransient methods.
oauthApplication: Access request and application information if the node is part of a journey associated with an OAuth 2.0 client application.
requestCookies: Use this new decision node script binding to access request cookies directly.
samlApplication: Access request and application information if the node is part of a journey associated with a SAML 2.0 client application.

Learn more in the Scripted Decision node API.

Library scripts

Library scripts now have access to all common bindings.

Learn more in Library scripts.

Next-generation script types

The following existing script types are now enabled for the next-generation script engine:

Scripted Decision node and Device Match node scripts now have different context types depending on the script engine. For legacy scripts, the context is AUTHENTICATION_TREE_DECISION_NODE, and for next-generation scripts, the contexts are SCRIPTED_DECISION_NODE and DEVICE_MATCH_NODE respectively.

Access PingOne Verify transaction data

The verifyTransactionsHelper next-generation binding lets you manage PingOne Verify user transactions and PingOne user accounts.

Learn more in Access PingOne Verify transactions and manage associated user

Enable Device Management node

The Enable Device Management node lets you relax or remove restrictions placed upon users who want to reset or remove registered MFA devices.

Use this node in a journey to change the authentication strategy required for removing registered devices.

Flow Control node

The Flow Control node lets you control the authentication flow by randomly sending traffic down different paths of a tree (journey). This means you can use the node to evaluate changes before rolling them out to a production environment.

For example, configure the node to direct a percentage of requests to a new authentication journey to observe the user experience and check for potential failures.

Customize the JSON in the authentication response

The following nodes are new for this release.

Set Success Details node

The Set Success Details node lets you add details to the JSON response on successful authentication.

You can add either or both of the following:

Success Details: Lets you add static key:value fields to the JSON response.
Session Properties: Lets you add key:value fields to the JSON response, where value corresponds to the value of the specified session property.

Set Failure Details node

The Set Failure Details node lets you add details to the JSON response on authentication failure.

You can add either or both of the following:

Failure Message: Lets you add a custom, localized message to display to the user and return in the JSON response.
Failure Details: Lets you add key:value fields to the JSON response.

Set Error Details node

The Set Error Details node lets you add details to the JSON response when a journey ends in an error.

You can add either or both of the following:

Error Message: Lets you add a custom, localized message to display to the user and return in the JSON response.
Error Details: Lets you add key:value fields to the JSON response.

Configurable clock skew for OIDC ID token expiry time

The org.forgerock.openam.oauth2.tokenexpiry.skewAllowance advanced server property lets you configure the period, in seconds, during which an OIDC ID token remains valid after its expiry time.

This property allows for clock skews between servers.

In previous releases, the clock skew for ID token expiry times was hard coded to 5 minutes. For compatibility purposes, this is the default value of the new property.

Update signing certificate in remote SP metadata

You can now update the signing or encryption certificate for an existing SP without needing to delete and recreate the entire SP configuration.

Learn more in Update remote SP certificate.

Configure client certificate in SP metadata

You can now configure the hosted SP to exclude the client certificate from metadata.

To override the default behavior, enable the Exclude Client Certificate from Metadata option in the SP’s configuration.

Consistent errors when refreshing tokens

The following new methods ensure consistent error messages when refreshing tokens:

com.sun.identity.idm.IdRepoListener

objectChanged(String name, String previous, IdType idType, int changeType, Map cMap)

com.sun.identity.idm.IdEventListener

identityRenamed(String universalId, String previousUniversalId)

If a token is refreshed but the username has changed since the original refresh token was issued, the following error is now shown with these methods:

{
   "error_description" : "grant is invalid",
   "error" : "invalid_grant"
}

Configuration Provider node

The following improvements have been made to the Configuration Provider node:

Previously, you could only use the Configuration Provider node to imitate nodes with fixed outcomes. Now, you can also imitate nodes with variable outcomes from a predefined list.

This change makes the following nodes available to the Configuration Provider node:
To ensure custom nodes are available to the Configuration Provider node, write an outcome provider class that implements the StaticOutcomeProvider or BoundedOutcomeProvider interfaces.
The following nodes with fixed outcomes are also now available to the Configuration Provider node:
You can now generate configuration provider template scripts with default values.

Call the node API endpoint with the configProviderScript action to generate a JavaScript or Groovy script for the type of node you want to imitate.

Learn more in the Configuration Provider node.

Backchannel logout token contains `exp` claim

The logout token generated during backchannel logout now contains an exp claim.

Learn more in Backchannel logout.

New `ssoadm` commands update attributes in a realm service

A fix to the deprecated ssoadm tool adds the following new commands:

add-realm-default-attributes
set-realm-default-attributtes
remove-realm-default-attributes
get-realm-default-attributes

These commands work on realm defaults from AM 7 onwards.

System property for social provider `sub` claim uniqueness

A new system property (org.forgerock.openam.oidc.SocialProvider.sub.claim.is.not.unique) indicates that the OIDC social provider doesn’t return a unique value for the sub claim.

This is false by default.

New in AM 7.5.x

AM 7.5.2

There are no new features in AM or Amster 7.5.2, only bug fixes.

AM 7.5.1

AM 7.5.1 is a maintenance release that introduces functional enhancements and fixes.

New utility script binding

Use the utils binding to base64 encode/decode strings and generate random values and UUIDs in your next-generation scripts.

Learn more in Script bindings.

Backchannel logout token contains `exp` claim

The logout token generated during backchannel logout now contains an exp claim. Learn more in Backchannel logout.

System property for social provider `sub` claim uniqueness

A new system property (org.forgerock.openam.oidc.SocialProvider.sub.claim.is.not.unique) indicates that the OIDC social provider doesn’t return a unique value for the sub claim.

This is false by default.

New `ssoadm` commands update attributes in a realm service

A fix to the deprecated ssoadm tool adds the following new commands:

add-realm-default-attributes
set-realm-default-attributtes
remove-realm-default-attributes
get-realm-default-attributes

These commands work on realm defaults from AM 7 onwards.

AM 7.5

AM 7.5 is a minor release that introduces new features, functional enhancements, and fixes.

Support for storing secrets in secret stores

The following features now support storing their secrets in a secret store instead of in the configuration. For greater security, move these secrets to a secret store when convenient.

Services

Authentication nodes

CAPTCHA node
OIDC ID Token Validator
OTP Email Sender node and OTP SMS Sender node
Persistent Cookie Decision node and Set Persistent Cookie node signing and encryption
Custom authentication node

Agents

Authentication

Authentication signing secret
AM password encryption key
HTTP outbound request authentication password (advanced server setting)
Password capture and replay
Client-side sessions:
- The HMAC signing key
- The am.global.services.session.clientbased.signing mapping is deprecated and replaced by algorithm-specific mappings
- The am.global.services.session.clientbased.encryption mapping is deprecated and replaced by am.global.services.session.clientbased.encryption.RSA and am.global.services.session.clientbased.encryption.AES

SAML v2.0

Remote SP and IDP basic authentication for SOAP-based binding
SP authentication with mTLS for artifact resolve requests

OAuth 2.0

OAuth 2.0 client authentication secrets
OAuth 2.0 client mTLS self-signed certificate
OAuth 2.0 client ID token public encryption key
OAuth 2.0 client JWT bearer public key
OAuth 2.0 provider salting of hashes

In addition, you can now rotate secrets in file system secret volumes.

Learn more in Map and rotate secrets.

Support for mTLS connections

The following services now support certificate-based connections to the backend LDAP store using mTLS:

Configurable affinity for connections to the DS identity repository

The DS identity repository configuration now includes an Affinity Level setting that lets you specify the operations for which AM should use affinity-based load balancing.

In previous AM releases, you configured affinity only with the Affinity Enabled property, so it was either on or off. With Affinity Enabled set to true, ALL operations to the DS repository used affinity. With Affinity Enabled set to false, the equivalent affinity level was NONE (no operations used affinity).

The new setting introduces the BIND level as a middle ground. When you set the affinity level to BIND, only user authentication requests use affinity. This setting provides a small but significant performance improvement in deployments with multiple replicated DS identity stores.

In addition, the LDAP Decision node has been updated with a new property, affinityLevel (NONE, BIND, and ALL). This is separate to the configuration setting.

The Data Store Decision node uses the identity repository configuration. As such, affinity settings configured for the identity repository will impact connections to the DS server made by this node.

Request Header node

The new Request Header node lets customers inject values into shared state based on request header values. You can use the node to get information about a journey or the user from an external system or even customize the branding of a journey.

Learn more in Request Header node.

Scalable OAuth 2.0 clients

The scalable OAuth 2.0 clients feature lets you create and manage large numbers of OAuth 2.0 clients without impacting system performance. Once you have enabled the feature, create clients as usual through dynamic registration or in the AM admin UI, and then use the AM administration OAuth 2.0 client REST endpoint to search for clients and filter and page query results.

Learn more in Scalable OAuth 2.0 clients.

SAML v2.0 NameID mapping configurable on the service provider (SP)

You can now configure NameID mapping on a remote SP. The SP configuration overrides the NameID Value Map on the IDP, letting you define different name requirements for each SP.

Learn more about NameID value mapping in the Remote service provider configuration properties.

Use a tree hook to run actions on journey failure

Override the new acceptFailure method to run actions on journey failure.

Learn more about the TreeHook interface in the Public API Javadoc.

Storing identified identities in the authentication session

The following new methods let you record users and agents verified to exist in an identity store:

org.forgerock.openam.auth.node.api.Action

public ActionBuilder withIdentifiedIdentity(AMIdentity id)
public ActionBuilder withIdentifiedIdentity(String username, IdType id)

org.forgerock.openam.auth.nodes.script.ActionWrapper

public ActionWrapper withIdentifiedAgent(String agentName)
public ActionWrapper withIdentifiedUser(String username)

A new advanced server property, org.forgerock.am.auth.trees.authenticate.identified.identity determines whether AM uses these stored identified identities when deciding which user to log in.

This lets custom nodes and decision node scripts correctly resolve identities that have the same username. For more information, refer to advanced server properties.

Identity Assertion node and Identity Assertion service

The new Identity Assertion node and supporting service lets AM use PingGateway to manage authentication through a third party such as Windows Desktop SSO or Kerberos.

Learn more in Identity Assertion node and Identity Assertion service.

PingOne Protect nodes and PingOne Worker service

The new PingOne Protect nodes and supporting PingOne Worker service let you integrate with PingOne Protect. Leverage risk predictors and route your journeys based on calculated risk scores.

You can add these nodes to your authentication, registration, and self-service journeys to combat account takeover, new account fraud, and MFA fatigue.

Learn more:

Nodes in a Page node log individual audit events

Nodes contained in a Page node now log individual AM-NODE-LOGIN-COMPLETED audit events.

Learn more about audit logging in Audit log events.

New in AM 7.4.x

AM 7.4.2

AM 7.4.2 is a minor release that introduces new features, functional enhancements, and fixes.

Backchannel logout token contains `exp` claim

The logout token generated during backchannel logout now contains an exp claim.

Learn more in Backchannel logout.

New `ssoadm` commands update attributes in a realm service

A fix to the deprecated ssoadm tool adds the following new commands:

add-realm-default-attributes
set-realm-default-attributtes
remove-realm-default-attributes
get-realm-default-attributes

These commands work on realm defaults from AM 7 onwards.

System property for social provider `sub` claim uniqueness

A new system property (org.forgerock.openam.oidc.SocialProvider.sub.claim.is.not.unique) indicates that the OIDC social provider doesn’t return a unique value for the sub claim.

This is false by default.

Improvements to JWT operations in scripts

The jwtAssertion and jwtValidator script bindings now let you include non-registered claims.

The values that you can specify to generate and validate JWTs have been updated to include new fields such as issuer and subject. These replace the existing accountId to let you specify different values for these fields.

The bindings work with RS256 or HS256 signed JWTs, and JWTs that are encrypted using the A128CBC-HS256 algorithm.

Learn more in Generate and validate JWTs.

AM 7.4.1

AM 7.4.1 is a maintenance release.

Storing identified identities in the authentication session

The following new methods let you record users and agents verified to exist in an identity store:

org.forgerock.openam.auth.node.api.Action

public ActionBuilder withIdentifiedIdentity(AMIdentity id)
public ActionBuilder withIdentifiedIdentity(String username, IdType id)

org.forgerock.openam.auth.nodes.script.ActionWrapper

public ActionWrapper withIdentifiedAgent(String agentName)
public ActionWrapper withIdentifiedUser(String username)

A new advanced server property, org.forgerock.am.auth.trees.authenticate.identified.identity determines whether AM uses these stored identified identities when deciding which user to log in.

This lets custom nodes and decision node scripts correctly resolve identities that have the same username.

AM 7.4

AM 7.4 is a minor release that introduces new features, functional enhancements, and fixes.

Bind and verify user devices

The ForgeRock SDKs for Android and iOS can cryptographically bind a mobile device to a user account.

Registered devices generate a key pair and a key ID. The SDK sends the public key and key ID to your AM server for storage in the user’s profile.

The SDK stores the private key on the device in the Android KeyStore or the iOS Secure Enclave. Access to the private keys is protected by biometric security or a PIN.

A user can bind multiple devices to their account, and each device can bind to multiple users.

After binding a device, your authentication journeys can verify ownership of the bound device by requesting that it signs a challenge using its private key, and verifying it corresponds to the public key.

For details, refer to the Device Binding node, Device Binding Storage node, and Device Signing Verifier node.

Support for JSON output from `/oauth2/device/user` endpoint

REST calls to the /oauth2/device/user endpoint return an HTML response by default.

This release adds support for an Accept: application/json header that returns the response in JSON format.

For details, refer to the Device authorization grant.

Setting to disable the `subname` claim

AM adds the subname claim to access and ID tokens by default. You can now change this behavior by disabling the OAuth2 Provider service property, Include subname claim in tokens issued by the OAuth2 Provider.

The value of the subname claim matches the value of the sub claim used in versions of AM earlier than 7.1. It also matches the value of the sub claim if you disable the org.forgerock.security.oauth2.enforce.sub.claim.uniqueness property.

Setting to permit client credentials in token endpoint query parameters

The OAuth 2.0 Provider service includes a new advanced property, Allow Client Credentials in Token Endpoint Query Parameters, that lets you include client credentials as query parameters in OAuth 2.0 token endpoint requests.

In previous AM versions, you could supply client credentials (the client_id and client_secret) as query parameters in POST requests to the /oauth2/access_token endpoint. From AM 7.4 onwards, this is prohibited by default and you must include the credentials within the POST request body.

The new Allow Client Credentials in Token Endpoint Query Parameters setting controls this behavior and is false by default in new deployments. For security reasons, keep this property disabled to prevent client credentials from being included as query parameters.

When you upgrade an existing deployment to AM 7.4, this property is initially set to true for legacy support. After upgrading, you should update your scripts and clients to support the new behavior then set the property to false.

Restriction of access to inner trees

The new innerTreeOnly property of an authentication tree lets you specify that the tree is only an inner tree and can’t be accessed directly.

For details, refer to Disable direct access through an inner tree.

New `nodeState.getObject` method

The new nodeState.getObject(String key) method lets scripted decision nodes retrieve variables stored in both shared and secure state.

For details, refer to Access shared state data.

`X-ForgeRock-TransactionID` available in HTTP client script binding

The httpClient script binding now automatically adds the current transaction ID as an HTTP header. This lets you correlate caller and receiver logs when you use httpClient from a script, such as a decision node script, to make requests to other proprietary products and services.

For details, refer to Access HTTP services.

Customize account lockout message

Use the new ActionBuilder.withLockoutMessage(String lockoutMessage) method in a Scripted Decision node to customize the message displayed to an end user when their account is locked or inactive.

For details, refer to Set script outcome.

Scripting enhancements

AM 7.4 introduces the Next Generation scripting engine, which offers the following benefits:

Stability

A stable set of enhanced bindings, available to decision node scripts, that reduces the need to allowlist Java classes to access common functionality.

Ease of use

Simplify your scripts with fewer imports and more intuitive return types that require less code.
Debug efficiently with clear log messages and a simple logging interface based on SLF4J.
Make requests to other APIs from within scripts more easily with a more intuitive HTTP client.

Reduced complexity

Simplify and modularize your scripts with library scripts by reusing common code snippets as CommonJS modules.

Reference library scripts from a decision node script.
Access identity management information seamlessly through the openidm binding.

For more information, refer to:

Scripting logger name change

Scripts that log debug messages create loggers that now include the name of the script.

The name of a scripting logger uses the format scripts.<context>.<script UUID>.(<script name>); for example, scripts.OIDC_CLAIMS.36863ffb-40ec-48b9-94b1-9a99f71cc3b5.(OIDC Claims Script).

Refer to Debug logging.

Access request header values from OAuth 2.0 scripts

You can now access the requestHeaders binding in the following OAuth 2.0 scripts:

OIDC user info claims (OIDC_CLAIMS)
Access token modification (OAUTH2_ACCESS_TOKEN_MODIFICATION)
Token exchange (OAUTH2_MAY_ACT)

For details, refer to the available objects for each script type.

File-based configuration migration utililty

In a future release, AM will read its configuration only from JSON files, not directory servers. Using LDAP data stores for configuration will be deprecated and file-based configuration (FBC) will be the only supported configuration storage mechanism. Dynamic data will continue to be stored in LDAP directories.

To prepare to migrate your configuration from LDAP directories to JSON files, AM 7.4 provides a technology preview of a configuration migration utility based on the existing amupgrade command. The purpose of this technology preview is to let you test migrating custom configuration to FBC.

For details, refer to Migrate to a file-based configuration.

The interface stability for the file-based configuration (FBC) migration utility is Technology Preview. Technology previews offer access to new technology that is not yet supported. Technology preview features may be functionally incomplete and subject to change without notice. For details, refer to Interface stability.

The purpose of this technology preview is to allow you to test the migration of your configuration data. The technology preview should function correctly but may highlight areas that need improvement before the supported release of this feature.

AM configuration stored in DS remains supported as documented for AM 7.4. In a future AM release, LDAP configuration stores will be deprecated in favor of FBC.

Support for mTLS authentication

AM now supports mTLS authentication to the following external data stores:

mTLS uses certificates to authenticate and is more secure than username/password authentication. For more security, you should rotate certificates periodically.

Due to a known issue in OpenJDK, you can’t configure mTLS authentication to data stores if you’re using Java version 11.0.2. If you’re using this Java version and attempt to authenticate with mTLS, the connection fails and the DS server generates the following error in the ldap-access.audit.json log:

"failureReason":"The SASL EXTERNAL bind request could not be processed because the client did not present a certificate
chain during SSL/TLS negotiation"

AM then enters an invalid state.

To work around this issue, upgrade to Java 11.0.3 or higher, or authenticate using simple authentication.

Query Parameter node

The Query Parameter node lets you insert query parameter values from a journey URL into configurable node state properties. This lets you customize journeys based on the query parameter values.

Support for HTML in Email Suspend node

The |Email Suspend Message of the Email Suspend node now supports HTML code in addition to plain text.

This lets you add HTML components, including links and graphics, to the message displayed to end users.

New in AM 7.3.x

AM 7.3.3

AM 7.3.3 is a maintenance release that introduces functional enhancements and fixes.

AM 7.3.2

AM 7.3.2 is a maintenance release that introduces functional enhancements and fixes.

Backchannel logout token contains `exp` claim

The logout token generated during backchannel logout now contains an exp claim.

Learn more in Backchannel logout.

System property for social provider `sub` claim uniqueness

A new system property (org.forgerock.openam.oidc.SocialProvider.sub.claim.is.not.unique) indicates that the OIDC social provider doesn’t return a unique value for the sub claim.

This is false by default.

New `ssoadm` commands update attributes in a realm service

A fix to the deprecated ssoadm tool adds the following new commands:

add-realm-default-attributes
set-realm-default-attributtes
remove-realm-default-attributes
get-realm-default-attributes

These commands work on realm defaults from AM 7 onwards.

AM 7.3.1

AM 7.3.1 is a maintenance release that introduces functional enhancements and fixes.

Storing identified identities in the authentication session

The following new methods let you record users and agents verified to exist in an identity store:

org.forgerock.openam.auth.node.api.Action

public ActionBuilder withIdentifiedIdentity(AMIdentity id)
public ActionBuilder withIdentifiedIdentity(String username, IdType id)

org.forgerock.openam.auth.nodes.script.ActionWrapper

public ActionWrapper withIdentifiedAgent(String agentName)
public ActionWrapper withIdentifiedUser(String username)

A new advanced server property, org.forgerock.am.auth.trees.authenticate.identified.identity determines whether AM uses these stored identified identities when deciding which user to log in.

This lets custom nodes and decision node scripts correctly resolve identities that have the same username.

For more information, refer to advanced server properties.

Scripting logger name change

Scripts that log debug messages create loggers that now include the name of the script.

The name of a scripting logger uses the format scripts.<context>.<script UUID>.(<script name>); for example, scripts.OIDC_CLAIMS.36863ffb-40ec-48b9-94b1-9a99f71cc3b5.(OIDC Claims Script).

Refer to Debug logging.

Customize account lockout message

Use the new ActionBuilder.withLockoutMessage(String lockoutMessage) method in a Scripted Decision node to customize the message displayed to an end user when their account is locked or inactive.

For details, refer to Scripted decision node API.

Setting to permit client credentials in token endpoint query parameters

In previous AM versions, you could supply client credentials (the client_id and client_secret) as query parameters in POST requests to the /oauth2/access_token endpoint. This is now prohibited by default and you must include the credentials within the POST request body.

When you upgrade an existing deployment to AM 7.3.1, this property is initially set to true for legacy support. After upgrading, you should update your scripts and clients to support the new behavior then set the property to false.

AM 7.3

AM 7.3 is a minor release that introduces new features, functional enhancements, and fixes.

An issue was discovered in the 7.3.0 release of DS that has the potential to corrupt static groups. To ensure data integrity, we highly recommend upgrading to DS 7.3.1. This issue affects the stability and reliability of static groups only. Continuing to use DS 7.3.0 may lead to data corruption and other unintended consequences.

The necessary fixes were made in DS 7.3.1; however if you deployed AM with DS 7.3.0, and you use static groups, you must contact Support for assistance with resolving the data corruption.

Combined MFA Registration node

The Combined MFA Registration node lets an authenticated user register a device, such as a mobile phone, for multi-factor authentication with a push notification and an OATH one-time password in a single step.

For details, refer to Combined MFA Registration node.

OIDC ID Token Validator node

The OIDC ID Token Validator node provides similar functionality to the OpenID Connect id_token bearer module. It evaluates whether the ID token is valid, according to the OIDC specification to let AM rely on an OIDC provider (OP)'s ID token to authenticate an end user.

For details, refer to OIDC ID Token Validator.

OATH Device Storage node

The OATH Device Storage node stores devices in the user profile after an OATH Registration node records them in the shared state.

For details, refer to OATH Device Storage node.

Support for `EdDSA` for `WebAuthn`

The WebAuthn Registration node now supports EdDSA as a signing algorithm. Devices that provide EdDSA-signed attestation data in packed format during registration (specifically EdDSA with the Ed25519 curve, as required by the WebAuthn specification) are now supported.

Scripted support for SAML v2.0 SP adapter

You can now customise the SP adapter with a script. Create a script of type SAML2_SP_ADAPTER and configure the hosted SP entity to use the custom script.

For details, refer to SP adapter.

Addition of `prompt_values_supported` to the OIDC exposed configuration

The OpenID Connect well-known/openid-configuration endpoint has been enhanced to expose the prompt_values_supported parameter of the provider configuration.

Support for multi-tenant social identity providers

Social identity provider configuration now lets you specify a regular expression to evaluate the issuer claim in ID tokens.

For details, refer to the Issuer comparison check setting.

For details, refer to Advanced properties.

Ability to invalidate sessions by username

The new logoutByUser action on the json/sessions endpoint lets you log out all sessions for a specified user. This action is available for server-side and client-side sessions but is disabled for client-side sessions by default. For more information, refer to Invalidate all sessions for a user.

This action introduces a new audit notification topic /agent/session.v2. Subscribers to this topic receive the same notifications available from the /agent/session topic with an additional notification message for a LOGOUT_USER_TOKEN event. This event is created in the activity audit log whenever logoutByUser is invoked. The action is CREATE or UPDATE depending on whether a token for the user being logged out exists.

The userId component of this entry is that of the caller, not of the target. For example, if an administrative user logs out another user, the userId is that of the administrative user, not that of the user being logged out. The objectId indicates the target of the operation.

The LOGOUT_USER_TOKEN event notification has a different syntax. Instead of a sessionuuid, it contains the user’s universalId. For example:

{
  "topic": "/agent/session.v2",
  "timestamp": "2022-11-14T09:56:56.814Z",
  "body": {
    "universalId": "id=demo,ou=user,dc=openam,dc=forgerock,dc=org",
    "eventType": "LOGOUT_USER_TOKEN"
  }
}

Consumers cannot rely on new events having identical syntax and should check the eventType before deciding how to process the event.

Scripted JWT issuer

For the JWT profile for OAuth 2.0 authorization grant, AM now lets you provide dynamic trusted JWT issuers via a script as an alternative to static configuration.

For details, refer to Configure a scripted JWT issuer.

OAuth 2.0 authentication supported for email service

Microsoft are deprecating SMTP Basic authentication. AM 7.3 introduces the option in the email service to select REST-based OAuth 2.0 authentication using Microsoft Graph API, in addition to supporting the legacy SMTP authentication.

For details, refer to Configure the email service.

Cross-upgrade session reference property

To track the session through upgrade, enable the cross-upgrade session reference property, which retains its value throughout the session lifecycle.

This unique and constant session reference is recorded in the audit logs for session creation and upgrade events.

Refer to the Enable Cross Upgrade Session Reference property for details.

Ability to specify location of REST STS instance

AM 7.3 includes a new option in the REST STS configuration that lets you specify whether the STS instance is running on the AM host or as a separate, remote Java process.

Refer to the STS Instance is running as remote instance property for details.

Fixes

Fixes in AM 8.0.x

This page lists the cumulative fixes in AM 8.0.x releases:

AM 8.0.1

AME-31120

Prevent using library scripts in Node Designer scripts

AME-31114

Change the case of the SNS push message GCM_PRIORITY field to lowercase

AME-31109

Amster 8.0 import fails with NoSuchMethodError

OPENAM-23770

WebAuthn node flow causes exception instead of Client Error outcome when passkey prompt cancelled

AM 8.0

OPENAM-23581

Configuration Provider node doesn’t accept duration values as integers

OPENAM-23537

Configuration Provider node fails to get inputs for Inner Tree node

OPENAM-23519

Android devices without a screen lock throw an error with WebAuthn registration

OPENAM-23518

AuthenticateToTreeConditionAdvice doesn’t work with Inner Tree as first node

OPENAM-23516

Timeout node configuration properties no longer accept negative numbers

OPENAM-23441

Enabling OAuth2 client option "Allow wildcard ports in redirect URIs" prevents application URIs from working

OPENAM-23427

Composite advice with Auth Level fails when the realm contains a broken journey

OPENAM-23228

Fix file leak when receiving large response from next-generation scripting httpClient request

OPENAM-23095

Reduced default OAuth2 denylist poll interval to ensure access token is correctly reported invalid

OPENAM-23091

Fix for systemEnv.getProperty() in next-generation scripting

OPENAM-23077

The /access_token endpoint sets the wrong error code when code_verifier isn’t supplied

OPENAM-23059

ssoadm doesn’t work against realm defaults

OPENAM-22988

Failover doesn’t occur when heartbeat interval is set to 0

OPENAM-22966

AM should accept NONE as a valid client authentication method for social IdPs

OPENAM-22955

Set Persistent Cookie node before tree failure causes 500 error instead of 401

OPENAM-22865

Stateful refresh token revoke race condition

OPENAM-22846

External app/policy store active/passive LB isn’t working

OPENAM-22811

Unable to modify objectAttributes when present in shared and transient state

OPENAM-22708

Loop back to the same node causes exception when the journey runs

OPENAM-22688

Page node localization for header, description and footer isn’t working as expected

OPENAM-22675

Next-generation scripting callbacksBuilder can’t set value for NameCallback

OPENAM-22657

JWT validation fails when signed using the RS256 algorithm

OPENAM-22652

Some authentication nodes missing from am-external after IDM node seperation

OPENAM-22630

Empty webhooks property key results in NullPointerException

OPENAM-22608

Non-extractable secrets in HSM fails to work on AM for SAML2 XML signing

OPENAM-22298

NullPointerException in SAML2Utils.verifyNameIDFormat method

OPENAM-22297

Saml2Node doesn’t log whether SP and IDP descriptor were retrieved

OPENAM-22270

No OAuth clients shown when scalable agents enabled

OPENAM-22264

AM doesn’t use global service schema properties set by ssoadm

OPENAM-22171

Forgotten Password flow fails when AM searches for the identity to modify

OPENAM-22146

Request object failure not logged even when debug logging is set to highest level

OPENAM-22120

Backchannel logout tokens now include the exp claim

OPENAM-22009

Providing an invalid alias to a secret store mapping breaks AM

OPENAM-21974

Social Identity Provider Service: LinkedIn template is out of date

OPENAM-21913

When doing Session upgrade the Session property Host doesn’t change from original value

OPENAM-21617

Exception thrown by scope validator script not whitelisted in script engine configuration

OPENAM-21545

Unable to create a circle of trust in file-based configuration with external data store

OPENAM-21003

IE11 not working during SAML tree authentication due to use of Arrow function

OPENAM-18252

Let nodes update the universal ID for impersonation and peer authentication

OPENAM-15834

Access token call fails when an unsupported claim is requested

OPENAM-15410

Audience claim not able to customize if scope with openid and profile

OPENAM-14438

Ensure OAuth2ClientAgentGroups are imported before OAuth2ClientAgents in Amster

OPENAM-14217

Add more debug when getSessionInfo v2.1 fails with Internal Server Error

AM 7.5.x

AM 7.5.2

OPENAM-24543

The PingOne Protect Initialization node displays an unnecessary form to the end user

OPENAM-24349

"Unable to determine key size for key" error occurs when signing an assertion with an explicit signing algorithm configured in the SP

OPENAM-24335

The _queryFilter Parameter doesn’t work for advancedOAuth2ClientConfig when scalable OAuth 2.0 clients are enabled

OPENAM-24125

OAuth 2.0 or agent service fails to recover after schema reload required for external app store

OPENAM-24109

LDAPFilterCondition uses search time limit for request timeout

OPENAM-23716

Policy lookup doesn’t error when cache isn’t populated and policy store is down

OPENAM-23595

Redirect using a URN loses the scheme-specific part

OPENAM-23767

The acr_sig value is read from the PAR object instead of the query parameter

OPENAM-23766

Adapter Environment under SP role in the GUI isn’t working properly

OPENAM-23519

Android devices without a screen lock not working with WebAuthn registration

OPENAM-23518

AuthenticateToTreeConditionAdvice does not work with innerTree as first node

OPENAM-23441

Enabling OAuth 2.0 client option "Allow wildcard ports in redirect URIs" prevents application URIs from working

OPENAM-23341

AM doesn’t log errors for OIDC or OAuth 2.0 failures

OPENAM-23283

SecretReferenceCache not used for am.applications.oauth2.client.%s.secret labels

OPENAM-23091

Fix for systemEnv.getProperty() in next-generation scripting

OPENAM-22988

Failover doesn’t occur when heartbeat interval is set to 0

OPENAM-22846

External app/policy store active/passive LB isn’t working

OPENAM-22657

JWT validation fails when signed using the RS256 algorithm

OPENAM-22654

BooleanAttributeInputCallback renders an enabled checkbox in AM XUI

OPENAM-22630

Empty webhooks property key results in a NullPointerException

OPENAM-22608

Non-extractable secrets in HSM fails to work on AM for SAML2 XML signing

OPENAM-22520

WebAuthN (FIDO Certification): TPM attestation failing when pubArea.nameAlg doesn’t match the hash used to generate the attested name

OPENAM-22346

The RP form_post endpoint doesn’t handle POST data well when OP returns error

OPENAM-22298

NullPointerException in SAML2Utils.verifyNameIDFormat method

OPENAM-22281

NameIdFormat values populated for remote IdP

OPENAM-22120

Backchannel logout tokens now include the exp claim

OPENAM-20776

Enable private key jwt audience to be configurable

OPENAM-20239

Setting the keepalive or heartbeat interval to a negative value in the IdRepo config causes an error

OPENAM-20089

Configuration Provider nodes don’t take integer values

OPENAM-15834

Access token call fails when an unsupported claim is requested

OPENAM-15410

Audience claim not customizable when scope set to openid and profile

AM 7.5.1

IAM-5473

Always save UI environment variables to .env file when using yarn start

IAM-6429

Failure URL node not working as expected on Safari when used with a Message node

OPENAM-23059

SSOADM doesn’t work for realm defaults

OPENAM-22955

Set Persistent Cookie node causes 500 error before failure

OPENAM-22847

Nodes that use a tree hook with an injection annotation cause an error when the tree fails

OPENAM-22836

Unable to update KBA security questions using XUI

OPENAM-22753

Destroy All session may fail to work

OPENAM-22717

SP-initiated SSO fails with "Illegal character in scheme name" when the IdP entity name has a special character

OPENAM-22715

PlaceholderAnnotationUtils.insertDefaultValueIntoPlaceholder isn’t escaping values correctly

OPENAM-22708

Loop back to the same node causes exception when tree is executed

OPENAM-22696

Persistent search notification invalidation on AD identity store doesn’t invalidate user cached attributes

OPENAM-22676

SecretsProviderFacadeFactory is not a supported API but is the only valid way to create the SecretsProviderFacade

OPENAM-22675

Unable to set a default value for NameCallback in next-generation callbacksBuilder

OPENAM-22672

Configuring SAML entities with invalid secret label mappings break SAML flows for other entities

OPENAM-22656

Setting JWKs URI content cache timeout to a small value throws an error

OPENAM-22632

AMSetupServlet installation error on Windows multi-domain environment

OPENAM-22620

Slow response from access token endpoint using client credentials grant

OPENAM-22602

OIDC ID Token Validator Node isn’t using inbuilt httpClient settings to connect to JWK or well-known URL

OPENAM-22465

Unexpected error when request_uri client doesn’t match request parameter client in PAR authorise request

OPENAM-22391

Issues with evaluateTree when using wildcard policies

OPENAM-22322

ArtifactResponse Assertion that is signed cannot be verified and fails

OPENAM-22318

OAUTH_REQUEST_ATTRIBUTES cookie isn’t getting deleted after authentication

OPENAM-22289

Session quota action may fail when the session is not updateable but should be fine to proceed.

OPENAM-22281

NameIdFormat values populated for remote IdP

OPENAM-22181

Approve UMA request fails with 500 error when AM deployed as a platform

OPENAM-22171

Forgotten password fails when AM searches for the identity to modify

OPENAM-22146

OAuth 2.0 request object failure not logged for POST requests even when full debug logging is enabled

OPENAM-22120

Backchannel logout tokens now include the exp claim

OPENAM-22109

The expiry time of OPS token in 7.x fails to update correctly

OPENAM-22009

Providing an invalid alias to a secret store mapping breaks AM

OPENAM-21972

SAML artifact binding is failing in load-balanced deployments

OPENAM-21951

No option to set the selectedIndex on a ChoiceCallback

OPENAM-21897

Creation order determines policy evaluate and evaluateTree results

OPENAM-21864

No option to enable the trackingCookie with next-generation callbacksBuilder

OPENAM-21852

Failure when reading input from next-generation SelectIDPCallback

OPENAM-21609

OAuth2Provider service created immediately after install/restart isn’t available in code flow

OPENAM-21191

Web agent sessions have a long session lifetime of 42 years

OPENAM-21158

Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2

OPENAM-20945

Unable to trace token revocation back to resource owner because of missing trackingID field

OPENAM-20609

Inconsistent error message getting access token when using refresh token after changing username

OPENAM-20314

Social Provider Handler node and Social IdP service use the sub claim to search for links to existing accounts

OPENAM-14438

Ensure OAuth2ClientAgentGroups are imported before OAuth2ClientAgents in Amster

AM 7.5

OPENAM-22206

AM upgrade fails for 7.1.4 and older: Creating UMA PCT Encryption Secret Failed

OPENAM-22191

JUnit jars are bundled in the AM.war release

OPENAM-22119

"Access to Java class ScriptedLoggerWrapper prohibited" exception

OPENAM-22101

UI admin tests are failing since updating secret ID to secret label

OPENAM-22060

am-config-upgrader: poor performance

OPENAM-22035

Page Nodes don’t delete contained nodes when a tree is deleted

OPENAM-22017

ConfigProviderNode creates node class dynamically leading to native memory leak

OPENAM-21976

Single point of locking contention when doing Client-based session logout

OPENAM-21941

Unable to edit policies in the UI

OPENAM-21937

Quota Enforcement affecting agents sessions that authenticate by tree

OPENAM-21936

Unable to use Legacy and Next Generation Script in the same authentication tree

OPENAM-21912

OAuth2/OIDC signing slow with RSA keys when using Google Secret Manager

OPENAM-21856

Introspecting stateless token with IG/Web agents will cause OAuth2ChfException

OPENAM-21854

TermsAndConditionsCallback fails with error on XUI

OPENAM-21840

Warning for missing mapping in dynamic secret doesn’t warn for missing secret label identifier

OPENAM-21803

CertificateUserExtractorNode cannot resolve wrong name when UPN SubjectAltNameExt

OPENAM-21780

Next generation scripting httpClient adds "null" as entity to GET requests

OPENAM-21748

Next generation scripting missing "get" wrapper function for HiddenValueCallback

OPENAM-21747

Amster not working after connecting when AM REST call has extra set-cookie headers

OPENAM-21739

Running the am-config-upgrader on an empty directory results in unexpected addition of library scripting service

OPENAM-21707

file-functional-tests: OAuth2Provider doesn’t allow setting of default consent agent when scalableAgents are enabled

OPENAM-21693

Remove default global library script

OPENAM-21664

Upgrade fails to AM 7.4 with an uncaught exception when initialising the PrivilegeIndexStore class

OPENAM-21506

Inner Evaluator Tree with Data Store Decision node fails with correct password on first pass when used with Retry Decision node

OPENAM-21484

OAuth2 tokenintrospection response has different claim value types when refresh tokens are introspected

OPENAM-21473

Certificate collector node: getPortalStyleCert throws exception when cert/header not present

OPENAM-21389

Searching algorithm for calculating the reachability of a node in a tree returns incorrect result

OPENAM-21277

Running Amster in debug mode doesn’t work on Windows

OPENAM-21053

User ID is missing from access.audit.json for JWT client authentication flow using org.forgerock.security.oauth2.enforce.sub.claim.uniqueness=false

OPENAM-20924

Reentry cookie when set causes the user to redirect to an incorrect IdP

OPENAM-20490

AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes"

OPENAM-20329

Forgerock JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) not spec compliant

OPENAM-19999

ID token as AM session doesn’t work with /authorize when openid scope is requested

OPENAM-19889

Policy evaluation fails with Agent access token JWT as subject

OPENAM-17816

500 Internal Server Error (from NPE) returned for a missing Content-Type header

OPENAM-17315

Update defaults scripts with the change introduced in COMMONS-628

AM 7.4.x

AM 7.4.2

OPENAM-23441

Enabling OAuth2 client option "Allow wildcard ports in redirect URIs" prevents application URIs from working

OPENAM-23091

Fix for systemEnv.getProperty() in next-generation scripting

OPENAM-23059

ssoadm doesn’t work against realm defaults

OPENAM-22988

Failover doesn’t occur when heartbeat interval is set to 0

OPENAM-22846

External app/policy store active/passive LB isn’t working

OPENAM-22836

Unable to update KBA security questions using XUI

OPENAM-22717

SP-initiated SSO fails with "Illegal character in scheme name" when the IdP entity name has a special character

OPENAM-22657

JWT validation fails when signed using the RS256 algorithm

OPENAM-22632

AMSetupServlet install error with Windows multi-domain environment

OPENAM-22608

Non-extractable secrets in HSM fails to work on AM for SAML2 XML signing

OPENAM-22465

Unexpected error when request_uri client doesn’t match request parameter client in PAR authorise request

OPENAM-22391

Issues with evaluateTree when using wildcard policies

OPENAM-22346

The RP form_post endpoint doesn’t handle POST data well when OP returns error

OPENAM-22322

Signed ArtifactResponse Assertion can’t be verified and fails

OPENAM-22318

OAUTH_REQUEST_ATTRIBUTES cookie isn’t getting deleted after authentication

OPENAM-22298

NullPointerException in SAML2Utils.verifyNameIDFormat method

OPENAM-22264

Add global attribute handling to ssoadm

OPENAM-22120

Backchannel logout tokens now include the exp claim

OPENAM-21951

No option to set the selectedIndex on a ChoiceCallback

OPENAM-21926

Lockout message is not applied when using Identity Store Decision node

OPENAM-21897

Creation order determines policy evaluate and evaluateTree results

OPENAM-21864

No option to enable the trackingCookie with callbacksBuilder

OPENAM-21748

Next-generation scripting missing "get" wrapper function for HiddenValueCallback

OPENAM-21609

OAuth2Provider service created immediately after install/restart isn’t available in code flow

OPENAM-21545

Unable to create a circle of trust in file-based configuration with external data store

OPENAM-20945

Unable to trace token revocation back to resource owner because of missing trackingID field

OPENAM-20314

Social Provider Handler node and Social IdP service use the sub claim to search for links to existing accounts

OPENAM-20239

Setting the keepalive or heartbeat interval to a negative value in the IdRepo config causes an error

OPENAM-15834

Access token call fails when an unsupported claim is requested

OPENAM-14438

Ensure OAuth2ClientAgentGroups are imported before OAuth2ClientAgents in Amster

AM 7.4.1

OPENAM-22753

Destroy All session may fail to work

OPENAM-22715

PlaceholderAnnotationUtils.insertDefaultValueIntoPlaceholder is not escaping values correctly

OPENAM-22696

Persistent search notification invalidation on AD identity store doesn’t invalidate user cached attributes

OPENAM-22620

Slow response from access token endpoint using client credentials grant

OPENAM-22602

OIDC ID Token Validator node uses own httpClient settings to connect to JWK or well-known URL

OPENAM-22421

Webauthn: Windows Hello TPM Attestation failing for Windows 11 22H2

OPENAM-22289

Session quota action may fail when the session isn’t updatable but should be fine to proceed

OPENAM-22181

Approve UMA request fails with 500 error when AM deployed as a platform

OPENAM-22171

Forgotten password fails when AM searches for the identity to modify

OPENAM-22119

"Access to Java class ScriptedLoggerWrapper prohibited" exception

OPENAM-22109

The expiry time of OPS token in 7.x doesn’t change with the time of tokens created

OPENAM-22017

Configuration Provider node creates node class dynamically leading to native memory leak

OPENAM-21976

Single point of locking contention when doing client-based session logout

OPENAM-21972

SAML artifact binding is using crosstalk for artifact resolution

OPENAM-21941

Unable to edit policies in the UI

OPENAM-21937

Quota enforcement affects agent sessions that authenticate by tree

OPENAM-21936

Unable to use legacy and next-generation scripts in the same authentication tree

OPENAM-21868

ssoadm create-sub-cfg not working for AM 7.2+ due to the context= field

OPENAM-21854

TermsAndConditionsCallback fails with error on XUI

OPENAM-21803

Certificate User Extractor node cannot resolve wrong name when UPN SubjectAltNameExt

OPENAM-21780

Next-generation httpClient script binding adds "null" as entity to GET requests

OPENAM-21747

Amster not working after connecting when AM REST call has extra set-cookie headers

OPENAM-21664

Upgrade fails to AM 7.4.0 with an uncaught exception when initializing the PrivilegeIndexStore class

OPENAM-21484

OAuth 2.0 token introspection response has different claim value types when introspecting refresh tokens

OPENAM-21473

Certificate Collector node: getPortalStyleCert throws exception when cert/header not present

OPENAM-21466

AM using OIDC social authentication fails to verify ID token if remote JWK_URIs have duplicate KID

OPENAM-21277

Running Amster in debug mode doesn’t work on Windows

OPENAM-21191

Web agent sessions have a long session lifetime of 42 years

OPENAM-20609

Inconsistent error message when generating access token using refresh token after changing username

OPENAM-19999

ID token as AM session doesn’t work with /authorize when openid scope is requested

OPENAM-19889

Policy evaluation fails with agent access token JWT as subject

OPENAM-17816

500 Internal Server Error (from NPE) returned for a missing Content-Type header

AM 7.4

OPENAM-21476

Persistent Cookie isn’t created when using Configuration Provider node

OPENAM-21421

Scripting logger name isn’t based on logging hierarchy convention

OPENAM-21390

Fix caching error when a journey switches backend instances to correctly provide data to nodeState

OPENAM-21360

Add java.util.concurrent.ExecutionException to AM scripting class allowlist

OPENAM-21323

LDAP (inline) upgrade fails due to policy creation of UssSelfWriteAttributes

OPENAM-21304

Retain request URI values specified during dynamic client registration

OPENAM-21164

Fix type issue of XML String in SAML responses when using a custom adapter

OPENAM-21160

Make sure secure state values are retained when navigating the authentication tree

OPENAM-21158

Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2

OPENAM-21085

Undefined bindings are incorrectly evaluated in Groovy scripts

OPENAM-21069

WindowsDesktopSSO authentication is failing

OPENAM-21053

Missing userId from Access audit log when org.forgerock.security.oauth2.enforce.sub.claim.uniqueness=false in JWT client authentication flow

OPENAM-21030

Amster CLI doesn’t work on Windows

OPENAM-21010

Social authentication user profile corrupted when remote OIDC server provides non-English identity claims

OPENAM-21004

AM will always look for valid session when scope=openid

OPENAM-21001

SAML IdPAccountMapper isn’t correctly determined

OPENAM-20980

OIDC social provider uses configured issuer instead of wellknown endpoint issuer when using regex comparison

OPENAM-20953

Return subject attributes correctly when evaluating a policy using a JwtClaim as subject type

OPENAM-20920

Improve handling of SAML2 IDP metadata that uses SSO endpoint entries other than HTTP-POST or HTTP-Redirect bindings when binding is null

OPENAM-20897

Debug logs not showing info for ERROR: Unsupported Callback, "{0}" and others

OPENAM-20895

Newly created Maven archetype project for building custom authentication nodes fails to build

OPENAM-20851

Existing registered devices unable to use push notifications when AWS SNS credentials are updated

OPENAM-20784

TestUMAPolicy fails for users that will cause LocalizedIllegalArgumentException

OPENAM-20756

Social authentication request for Apple fails due to duplicated response_mode=form_post request parameter

OPENAM-20691

Fix rare race condition in session quota destroy next expiring action that can lead to the oldest session not being destroyed

OPENAM-20682

Unable to encrypt from jwk_uri where there are multiple JWKs with the same kid but different algorithms

OPENAM-20490

AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes"

OPENAM-20451

Fix to display user-friendly account name during WebAuthn device registration

OPENAM-20299

Fix to make agent authentication honor com.iplanet.am.session.agentSessionIdleTime

OPENAM-20230

Class allowlisting denies access to permitted classes after running for an extended period of time

OPENAM-20026

Social IDP with trailing whitespace in the name can’t be deleted using the UI

OPENAM-20024

Improve debug logging when login to XUI fails with HTTP 404 JsonValueException from endpoint

OPENAM-19282

Recovery Code Display Node works only immediately after Registration node

OPENAM-19261

Fix incorrectly logged errors when introspecting tokens using OAuth 2.0 client credentials grant

OPENAM-18709

New nodeState.getObject method added to return values stored in both shared and secure state

OPENAM-18685

New realm-level configuration setting to remove or skip subname claim

OPENAM-18004

Support sequential transaction IDs to improve audit logging for HTTP requests to IDM

OPENAM-17331

Push Notifications: User with disabled endpoint is not able to login

OPENAM-17179

Deleting an authentication tree leaves orphaned nodes that prevent deletion of referenced scripts

AM 7.3.x

AM 7.3.3

OPENAM-23519

Android devices without a screen lock not working with WebAuthn registration

OPENAM-23518

AuthenticateToTreeConditionAdvice doesn’t work with Inner Tree as first node

OPENAM-23441

Enabling OAuth2 client option "Allow wildcard ports in redirect URIs" prevents application URIs from working

OPENAM-22846

External app/policy store active/passive LB isn’t working

OPENAM-22654

BooleanAttributeInputCallback renders an enabled checkbox in AM XUI

OPENAM-22608

Non-extractable secrets in HSM fails to work on AM for SAML2 XML signing

OPENAM-21026

OAuth Clients don’t work when the redirect uri list contains an invalid uri

OPENAM-20451

Fix to display user-friendly account name during WebAuthn device registration

OPENAM-15834

Access token call fails when an unsupported claim is requested

AM 7.3.2

OPENAM-22836

Unable to update KBA Security questions using XUI

OPENAM-22753

Destroy All session may fail to work

OPENAM-22717

SP-initiated SSO fails with "Illegal character in scheme name" when IdP name contains a special character

OPENAM-22696

Persistent search notification invalidation on AD identity store doesn’t invalidate user cached attributes

OPENAM-22656

Setting JWKs URI content cache timeout to a small value throws an error

OPENAM-22632

AMSetupServlet install error with Windows multi-domain environment

OPENAM-22602

OIDC ID Token Validator node uses own httpClient settings to connect to JWK or well-known URL

OPENAM-22421

Webauthn: Windows Hello TPM Attestation failing for Windows 11 22H2

OPENAM-22391

Issues with evaluateTree when using wildcard policies

OPENAM-22322

Unable to verify signed ArtifactResponse Assertion leading to failure

OPENAM-22318

OAUTH_REQUEST_ATTRIBUTES cookie isn’t getting deleted after authentication

OPENAM-22289

Session quota action may fail when the session isn’t updatable but should be fine to proceed

OPENAM-22288

Amster upgrade 7.3.0-to-7.3.x fails with Groovy Exception

OPENAM-22181

Approve UMA request fails with 500 error when AM deployed as a platform

OPENAM-22120

Backchannel logout token doesn’t contain exp claim

OPENAM-21972

SAML artifact binding is failing in load-balanced deployments

OPENAM-21937

Quota enforcement affects agent sessions that authenticate by tree

OPENAM-21897

Creation order determines policy evaluate and evaluateTree results

OPENAM-21473

Certificate collector node: getPortalStyleCert throws exception when cert/header not present

OPENAM-21322

AM console allows creation of entity provider with space at the end of the name

OPENAM-21191

Web agent sessions have a long session lifetime of 42 years

OPENAM-21085

Undefined bindings are incorrectly evaluated in Groovy scripts

OPENAM-20945

Unable to trace token revocation back to resource owner because of missing trackingID field

OPENAM-20314

Social Provider Handler node and Social IdP service use the sub claim to search for links to existing accounts

OPENAM-20299

Fix to make agent authentication honor com.iplanet.am.session.agentSessionIdleTime

OPENAM-19261

Fix incorrectly logged errors when introspecting tokens using OAuth 2.0 client credentials grant

AM 7.3.1

OPENAM-22017

ConfigProviderNode creates node class dynamically leading to native memory leak

OPENAM-21976

Single point of locking contention when performing client-based session logout

OPENAM-21941

Unable to edit policies in the UI

OPENAM-21854

TermsAndConditionsCallback fails with error on XUI

OPENAM-21747

Rest SDK and Amster send cookies if request has cookie header

OPENAM-21728

Certificate module fails using JDK 11.0.21 and later with undefined access to private method

OPENAM-21484

Introspecting OAuth 2.0 refresh tokens results in different claim value types in the response

OPENAM-21421

Scripting logger name isn’t based on logging hierarchy convention

OPENAM-21390

ConsumedStateDataCache can cache an incomplete set of reachability data when on multi-AM environment

OPENAM-21304

OAuth 2.0 dynamic client registrations don’t retain request_uri values when creating

OPENAM-21277

Running Amster in debug mode doesn’t work on Windows

OPENAM-21164

Calling toXMLString in custom SAML adapter can return incorrectly formatted XML leading to invalid signature

OPENAM-21160

Inconsistent values in secure state when navigating an authentication tree

OPENAM-21158

Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2

OPENAM-21069

WindowsDesktopSSO authentication is failing

OPENAM-21030

Amster 7.3.0 CLI isn’t working on Windows

OPENAM-21010

Social authentication for remote OIDC server for user profile non-english words corrupted

OPENAM-21004

AM will always look for valid session when scope=openid

OPENAM-21001

IdPAccountMapper is not correctly determined

OPENAM-20980

Unable to use issuer comparison check regex in oidc social provider

OPENAM-20897

Debug logs not showing info for ERROR: Unsupported Callback, "{0}" and others

OPENAM-20895

Newly-created Maven archetype project fails to build

OPENAM-20756

OIDC social authentication request (Apple) fails due to duplicate response_mode=form_post request parameter

OPENAM-20691

Destroy oldest session may fail to work

OPENAM-20682

Unable to encrypt from jwk_uri when there are duplicate kid

OPENAM-20490

AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes"

OPENAM-20026

Trailing whitespace prevents social provider deletion via UI

OPENAM-19999

ID token as AM session doesn’t work with /authorize when openid scope is requested

OPENAM-19889

Policy evaluation fails with agent access token JWT as subject

OPENAM-19282

Recovery Code Display Node works only immediately after Registration node

OPENAM-18599

Allow for custom error message if user account is locked

AM 7.3

OPENAM-20396

Authentication tree is selected by order of acr to tree mapping, not the default values, and order is not preserved

OPENAM-20360

Ampersand is double encoded in the Destination of a SAML Assertion

OPENAM-20260

Unable to log into AM when external application store is down

OPENAM-20230

Class allowlisting fails with permission denied after an extended period

OPENAM-20181

AD account notification fails

OPENAM-20159

Upgrader adds requestObjectProcessing to OAuth2Provider subconfigs

OPENAM-20104

The fragment response_mode for the /oauth2/authorize endpoint is not working

OPENAM-20085

STS token generation does not work with clustered docker pods

OPENAM-20082

Locked out users are shown a misleading error message

OPENAM-19868

Correctly handle multi-line text in Email Suspend nodes

OPENAM-19866

Excessive logging when accessing protected resources

OPENAM-19726

The par endpoint doesn’t return a request_uri when using JAR and claims are provided

OPENAM-19665

Wrong Java version in Amster README file

OPENAM-19515

Unable to update session service with read only identity store

OPENAM-19411

Amster installation failure with authorizedKey parameter when trying to overwrite an existing configuration

OPENAM-18818

Persistent search error message shows wrong DS identifier

OPENAM-18488

Windows Hello with TPM/platform authenticator returns two certificates

OPENAM-18172

Multiple instances of "No Social Authentication Service found for realm" logged at WARNING level

OPENAM-17215

Policy debug log fills up at very high pace if the config store is not found

OPENAM-13766

No configuration found for login with SessionConditionAdvice=deny

Fixes in AM 7.5.x

This page lists the cumulative fixes in AM 7.5.x releases:

AM 7.5.2

OPENAM-24543

The PingOne Protect Initialization node displays an unnecessary form to the end user

OPENAM-24349

"Unable to determine key size for key" error occurs when signing an assertion with an explicit signing algorithm configured in the SP

OPENAM-24335

The _queryFilter Parameter doesn’t work for advancedOAuth2ClientConfig when scalable OAuth 2.0 clients are enabled

OPENAM-24125

OAuth 2.0 or agent service fails to recover after schema reload required for external app store

OPENAM-24109

LDAPFilterCondition uses search time limit for request timeout

OPENAM-23716

Policy lookup doesn’t error when cache isn’t populated and policy store is down

OPENAM-23595

Redirect using a URN loses the scheme-specific part

OPENAM-23767

The acr_sig value is read from the PAR object instead of the query parameter

OPENAM-23766

Adapter Environment under SP role in the GUI isn’t working properly

OPENAM-23519

Android devices without a screen lock not working with WebAuthn registration

OPENAM-23518

AuthenticateToTreeConditionAdvice does not work with innerTree as first node

OPENAM-23441

Enabling OAuth 2.0 client option "Allow wildcard ports in redirect URIs" prevents application URIs from working

OPENAM-23341

AM doesn’t log errors for OIDC or OAuth 2.0 failures

OPENAM-23283

SecretReferenceCache not used for am.applications.oauth2.client.%s.secret labels

OPENAM-23091

Fix for systemEnv.getProperty() in next-generation scripting

OPENAM-22988

Failover doesn’t occur when heartbeat interval is set to 0

OPENAM-22846

External app/policy store active/passive LB isn’t working

OPENAM-22657

JWT validation fails when signed using the RS256 algorithm

OPENAM-22654

BooleanAttributeInputCallback renders an enabled checkbox in AM XUI

OPENAM-22630

Empty webhooks property key results in a NullPointerException

OPENAM-22608

Non-extractable secrets in HSM fails to work on AM for SAML2 XML signing

OPENAM-22520

WebAuthN (FIDO Certification): TPM attestation failing when pubArea.nameAlg doesn’t match the hash used to generate the attested name

OPENAM-22346

The RP form_post endpoint doesn’t handle POST data well when OP returns error

OPENAM-22298

NullPointerException in SAML2Utils.verifyNameIDFormat method

OPENAM-22281

NameIdFormat values populated for remote IdP

OPENAM-22120

Backchannel logout tokens now include the exp claim

OPENAM-20776

Enable private key jwt audience to be configurable

OPENAM-20239

Setting the keepalive or heartbeat interval to a negative value in the IdRepo config causes an error

OPENAM-20089

Configuration Provider nodes don’t take integer values

OPENAM-15834

Access token call fails when an unsupported claim is requested

OPENAM-15410

Audience claim not customizable when scope set to openid and profile

AM 7.5.1

IAM-5473

Always save UI environment variables to .env file when using yarn start

IAM-6429

Failure URL node not working as expected on Safari when used with a Message node

OPENAM-23059

SSOADM doesn’t work for realm defaults

OPENAM-22955

Set Persistent Cookie node causes 500 error before failure

OPENAM-22847

Nodes that use a tree hook with an injection annotation cause an error when the tree fails

OPENAM-22836

Unable to update KBA security questions using XUI

OPENAM-22753

Destroy All session may fail to work

OPENAM-22717

SP-initiated SSO fails with "Illegal character in scheme name" when the IdP entity name has a special character

OPENAM-22715

PlaceholderAnnotationUtils.insertDefaultValueIntoPlaceholder isn’t escaping values correctly

OPENAM-22708

Loop back to the same node causes exception when tree is executed

OPENAM-22696

Persistent search notification invalidation on AD identity store doesn’t invalidate user cached attributes

OPENAM-22676

SecretsProviderFacadeFactory is not a supported API but is the only valid way to create the SecretsProviderFacade

OPENAM-22675

Unable to set a default value for NameCallback in next-generation callbacksBuilder

OPENAM-22672

Configuring SAML entities with invalid secret label mappings break SAML flows for other entities

OPENAM-22656

Setting JWKs URI content cache timeout to a small value throws an error

OPENAM-22632

AMSetupServlet installation error on Windows multi-domain environment

OPENAM-22620

Slow response from access token endpoint using client credentials grant

OPENAM-22602

OIDC ID Token Validator Node isn’t using inbuilt httpClient settings to connect to JWK or well-known URL

OPENAM-22465

Unexpected error when request_uri client doesn’t match request parameter client in PAR authorise request

OPENAM-22391

Issues with evaluateTree when using wildcard policies

OPENAM-22322

ArtifactResponse Assertion that is signed cannot be verified and fails

OPENAM-22318

OAUTH_REQUEST_ATTRIBUTES cookie isn’t getting deleted after authentication

OPENAM-22289

Session quota action may fail when the session is not updateable but should be fine to proceed.

OPENAM-22281

NameIdFormat values populated for remote IdP

OPENAM-22181

Approve UMA request fails with 500 error when AM deployed as a platform

OPENAM-22171

Forgotten password fails when AM searches for the identity to modify

OPENAM-22146

OAuth 2.0 request object failure not logged for POST requests even when full debug logging is enabled

OPENAM-22120

Backchannel logout tokens now include the exp claim

OPENAM-22109

The expiry time of OPS token in 7.x fails to update correctly

OPENAM-22009

Providing an invalid alias to a secret store mapping breaks AM

OPENAM-21972

SAML artifact binding is failing in load-balanced deployments

OPENAM-21951

No option to set the selectedIndex on a ChoiceCallback

OPENAM-21897

Creation order determines policy evaluate and evaluateTree results

OPENAM-21864

No option to enable the trackingCookie with next-generation callbacksBuilder

OPENAM-21852

Failure when reading input from next-generation SelectIDPCallback

OPENAM-21609

OAuth2Provider service created immediately after install/restart isn’t available in code flow

OPENAM-21191

Web agent sessions have a long session lifetime of 42 years

OPENAM-21158

Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2

OPENAM-20945

Unable to trace token revocation back to resource owner because of missing trackingID field

OPENAM-20609

Inconsistent error message getting access token when using refresh token after changing username

OPENAM-20314

Social Provider Handler node and Social IdP service use the sub claim to search for links to existing accounts

OPENAM-14438

Ensure OAuth2ClientAgentGroups are imported before OAuth2ClientAgents in Amster

AM 7.5

OPENAM-22206

AM upgrade fails for 7.1.4 and older: Creating UMA PCT Encryption Secret Failed

OPENAM-22191

JUnit jars are bundled in the AM.war release

OPENAM-22119

"Access to Java class ScriptedLoggerWrapper prohibited" exception

OPENAM-22101

UI admin tests are failing since updating secret ID to secret label

OPENAM-22060

am-config-upgrader: poor performance

OPENAM-22035

Page Nodes don’t delete contained nodes when a tree is deleted

OPENAM-22017

ConfigProviderNode creates node class dynamically leading to native memory leak

OPENAM-21976

Single point of locking contention when doing Client-based session logout

OPENAM-21941

Unable to edit policies in the UI

OPENAM-21937

Quota Enforcement affecting agents sessions that authenticate by tree

OPENAM-21936

Unable to use Legacy and Next Generation Script in the same authentication tree

OPENAM-21912

OAuth2/OIDC signing slow with RSA keys when using Google Secret Manager

OPENAM-21856

Introspecting stateless token with IG/Web agents will cause OAuth2ChfException

OPENAM-21854

TermsAndConditionsCallback fails with error on XUI

OPENAM-21840

Warning for missing mapping in dynamic secret doesn’t warn for missing secret label identifier

OPENAM-21803

CertificateUserExtractorNode cannot resolve wrong name when UPN SubjectAltNameExt

OPENAM-21780

Next generation scripting httpClient adds "null" as entity to GET requests

OPENAM-21748

Next generation scripting missing "get" wrapper function for HiddenValueCallback

OPENAM-21747

Amster not working after connecting when AM REST call has extra set-cookie headers

OPENAM-21739

Running the am-config-upgrader on an empty directory results in unexpected addition of library scripting service

OPENAM-21707

file-functional-tests: OAuth2Provider doesn’t allow setting of default consent agent when scalableAgents are enabled

OPENAM-21693

Remove default global library script

OPENAM-21664

Upgrade fails to AM 7.4 with an uncaught exception when initialising the PrivilegeIndexStore class

OPENAM-21506

Inner Evaluator Tree with Data Store Decision node fails with correct password on first pass when used with Retry Decision node

OPENAM-21484

OAuth2 tokenintrospection response has different claim value types when refresh tokens are introspected

OPENAM-21473

Certificate collector node: getPortalStyleCert throws exception when cert/header not present

OPENAM-21389

Searching algorithm for calculating the reachability of a node in a tree returns incorrect result

OPENAM-21277

Running Amster in debug mode doesn’t work on Windows

OPENAM-21053

User ID is missing from access.audit.json for JWT client authentication flow using org.forgerock.security.oauth2.enforce.sub.claim.uniqueness=false

OPENAM-20924

Reentry cookie when set causes the user to redirect to an incorrect IdP

OPENAM-20490

AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes"

OPENAM-20329

Forgerock JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) not spec compliant

OPENAM-19999

ID token as AM session doesn’t work with /authorize when openid scope is requested

OPENAM-19889

Policy evaluation fails with Agent access token JWT as subject

OPENAM-17816

500 Internal Server Error (from NPE) returned for a missing Content-Type header

OPENAM-17315

Update defaults scripts with the change introduced in COMMONS-628

AM 7.4.x

AM 7.4.2

OPENAM-23441

Enabling OAuth2 client option "Allow wildcard ports in redirect URIs" prevents application URIs from working

OPENAM-23091

Fix for systemEnv.getProperty() in next-generation scripting

OPENAM-23059

ssoadm doesn’t work against realm defaults

OPENAM-22988

Failover doesn’t occur when heartbeat interval is set to 0

OPENAM-22846

External app/policy store active/passive LB isn’t working

OPENAM-22836

Unable to update KBA security questions using XUI

OPENAM-22717

SP-initiated SSO fails with "Illegal character in scheme name" when the IdP entity name has a special character

OPENAM-22657

JWT validation fails when signed using the RS256 algorithm

OPENAM-22632

AMSetupServlet install error with Windows multi-domain environment

OPENAM-22608

Non-extractable secrets in HSM fails to work on AM for SAML2 XML signing

OPENAM-22465

Unexpected error when request_uri client doesn’t match request parameter client in PAR authorise request

OPENAM-22391

Issues with evaluateTree when using wildcard policies

OPENAM-22346

The RP form_post endpoint doesn’t handle POST data well when OP returns error

OPENAM-22322

Signed ArtifactResponse Assertion can’t be verified and fails

OPENAM-22318

OAUTH_REQUEST_ATTRIBUTES cookie isn’t getting deleted after authentication

OPENAM-22298

NullPointerException in SAML2Utils.verifyNameIDFormat method

OPENAM-22264

Add global attribute handling to ssoadm

OPENAM-22120

Backchannel logout tokens now include the exp claim

OPENAM-21951

No option to set the selectedIndex on a ChoiceCallback

OPENAM-21926

Lockout message is not applied when using Identity Store Decision node

OPENAM-21897

Creation order determines policy evaluate and evaluateTree results

OPENAM-21864

No option to enable the trackingCookie with callbacksBuilder

OPENAM-21748

Next-generation scripting missing "get" wrapper function for HiddenValueCallback

OPENAM-21609

OAuth2Provider service created immediately after install/restart isn’t available in code flow

OPENAM-21545

Unable to create a circle of trust in file-based configuration with external data store

OPENAM-20945

Unable to trace token revocation back to resource owner because of missing trackingID field

OPENAM-20314

Social Provider Handler node and Social IdP service use the sub claim to search for links to existing accounts

OPENAM-20239

Setting the keepalive or heartbeat interval to a negative value in the IdRepo config causes an error

OPENAM-15834

Access token call fails when an unsupported claim is requested

OPENAM-14438

Ensure OAuth2ClientAgentGroups are imported before OAuth2ClientAgents in Amster

AM 7.4.1

OPENAM-22753

Destroy All session may fail to work

OPENAM-22715

PlaceholderAnnotationUtils.insertDefaultValueIntoPlaceholder is not escaping values correctly

OPENAM-22696

Persistent search notification invalidation on AD identity store doesn’t invalidate user cached attributes

OPENAM-22620

Slow response from access token endpoint using client credentials grant

OPENAM-22602

OIDC ID Token Validator node uses own httpClient settings to connect to JWK or well-known URL

OPENAM-22421

Webauthn: Windows Hello TPM Attestation failing for Windows 11 22H2

OPENAM-22289

Session quota action may fail when the session isn’t updatable but should be fine to proceed

OPENAM-22181

Approve UMA request fails with 500 error when AM deployed as a platform

OPENAM-22171

Forgotten password fails when AM searches for the identity to modify

OPENAM-22119

"Access to Java class ScriptedLoggerWrapper prohibited" exception

OPENAM-22109

The expiry time of OPS token in 7.x doesn’t change with the time of tokens created

OPENAM-22017

Configuration Provider node creates node class dynamically leading to native memory leak

OPENAM-21976

Single point of locking contention when doing client-based session logout

OPENAM-21972

SAML artifact binding is using crosstalk for artifact resolution

OPENAM-21941

Unable to edit policies in the UI

OPENAM-21937

Quota enforcement affects agent sessions that authenticate by tree

OPENAM-21936

Unable to use legacy and next-generation scripts in the same authentication tree

OPENAM-21868

ssoadm create-sub-cfg not working for AM 7.2+ due to the context= field

OPENAM-21854

TermsAndConditionsCallback fails with error on XUI

OPENAM-21803

Certificate User Extractor node cannot resolve wrong name when UPN SubjectAltNameExt

OPENAM-21780

Next-generation httpClient script binding adds "null" as entity to GET requests

OPENAM-21747

Amster not working after connecting when AM REST call has extra set-cookie headers

OPENAM-21664

Upgrade fails to AM 7.4.0 with an uncaught exception when initializing the PrivilegeIndexStore class

OPENAM-21484

OAuth 2.0 token introspection response has different claim value types when introspecting refresh tokens

OPENAM-21473

Certificate Collector node: getPortalStyleCert throws exception when cert/header not present

OPENAM-21466

AM using OIDC social authentication fails to verify ID token if remote JWK_URIs have duplicate KID

OPENAM-21277

Running Amster in debug mode doesn’t work on Windows

OPENAM-21191

Web agent sessions have a long session lifetime of 42 years

OPENAM-20609

Inconsistent error message when generating access token using refresh token after changing username

OPENAM-19999

ID token as AM session doesn’t work with /authorize when openid scope is requested

OPENAM-19889

Policy evaluation fails with agent access token JWT as subject

OPENAM-17816

500 Internal Server Error (from NPE) returned for a missing Content-Type header

AM 7.4

OPENAM-21476

Persistent Cookie isn’t created when using Configuration Provider node

OPENAM-21421

Scripting logger name isn’t based on logging hierarchy convention

OPENAM-21390

Fix caching error when a journey switches backend instances to correctly provide data to nodeState

OPENAM-21360

Add java.util.concurrent.ExecutionException to AM scripting class allowlist

OPENAM-21323

LDAP (inline) upgrade fails due to policy creation of UssSelfWriteAttributes

OPENAM-21304

Retain request URI values specified during dynamic client registration

OPENAM-21164

Fix type issue of XML String in SAML responses when using a custom adapter

OPENAM-21160

Make sure secure state values are retained when navigating the authentication tree

OPENAM-21158

Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2

OPENAM-21085

Undefined bindings are incorrectly evaluated in Groovy scripts

OPENAM-21069

WindowsDesktopSSO authentication is failing

OPENAM-21053

Missing userId from Access audit log when org.forgerock.security.oauth2.enforce.sub.claim.uniqueness=false in JWT client authentication flow

OPENAM-21030

Amster CLI doesn’t work on Windows

OPENAM-21010

Social authentication user profile corrupted when remote OIDC server provides non-English identity claims

OPENAM-21004

AM will always look for valid session when scope=openid

OPENAM-21001

SAML IdPAccountMapper isn’t correctly determined

OPENAM-20980

OIDC social provider uses configured issuer instead of wellknown endpoint issuer when using regex comparison

OPENAM-20953

Return subject attributes correctly when evaluating a policy using a JwtClaim as subject type

OPENAM-20920

Improve handling of SAML2 IDP metadata that uses SSO endpoint entries other than HTTP-POST or HTTP-Redirect bindings when binding is null

OPENAM-20897

Debug logs not showing info for ERROR: Unsupported Callback, "{0}" and others

OPENAM-20895

Newly created Maven archetype project for building custom authentication nodes fails to build

OPENAM-20851

Existing registered devices unable to use push notifications when AWS SNS credentials are updated

OPENAM-20784

TestUMAPolicy fails for users that will cause LocalizedIllegalArgumentException

OPENAM-20756

Social authentication request for Apple fails due to duplicated response_mode=form_post request parameter

OPENAM-20691

Fix rare race condition in session quota destroy next expiring action that can lead to the oldest session not being destroyed

OPENAM-20682

Unable to encrypt from jwk_uri where there are multiple JWKs with the same kid but different algorithms

OPENAM-20490

AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes"

OPENAM-20451

Fix to display user-friendly account name during WebAuthn device registration

OPENAM-20299

Fix to make agent authentication honor com.iplanet.am.session.agentSessionIdleTime

OPENAM-20230

Class allowlisting denies access to permitted classes after running for an extended period of time

OPENAM-20026

Social IDP with trailing whitespace in the name can’t be deleted using the UI

OPENAM-20024

Improve debug logging when login to XUI fails with HTTP 404 JsonValueException from endpoint

OPENAM-19282

Recovery Code Display Node works only immediately after Registration node

OPENAM-19261

Fix incorrectly logged errors when introspecting tokens using OAuth 2.0 client credentials grant

OPENAM-18709

New nodeState.getObject method added to return values stored in both shared and secure state

OPENAM-18685

New realm-level configuration setting to remove or skip subname claim

OPENAM-18004

Support sequential transaction IDs to improve audit logging for HTTP requests to IDM

OPENAM-17331

Push Notifications: User with disabled endpoint is not able to login

OPENAM-17179

Deleting an authentication tree leaves orphaned nodes that prevent deletion of referenced scripts

AM 7.3.x

AM 7.3.3

OPENAM-23519

Android devices without a screen lock not working with WebAuthn registration

OPENAM-23518

AuthenticateToTreeConditionAdvice doesn’t work with Inner Tree as first node

OPENAM-23441

Enabling OAuth2 client option "Allow wildcard ports in redirect URIs" prevents application URIs from working

OPENAM-22846

External app/policy store active/passive LB isn’t working

OPENAM-22654

BooleanAttributeInputCallback renders an enabled checkbox in AM XUI

OPENAM-22608

Non-extractable secrets in HSM fails to work on AM for SAML2 XML signing

OPENAM-21026

OAuth Clients don’t work when the redirect uri list contains an invalid uri

OPENAM-20451

Fix to display user-friendly account name during WebAuthn device registration

OPENAM-15834

Access token call fails when an unsupported claim is requested

AM 7.3.2

OPENAM-22836

Unable to update KBA Security questions using XUI

OPENAM-22753

Destroy All session may fail to work

OPENAM-22717

SP-initiated SSO fails with "Illegal character in scheme name" when IdP name contains a special character

OPENAM-22696

Persistent search notification invalidation on AD identity store doesn’t invalidate user cached attributes

OPENAM-22656

Setting JWKs URI content cache timeout to a small value throws an error

OPENAM-22632

AMSetupServlet install error with Windows multi-domain environment

OPENAM-22602

OIDC ID Token Validator node uses own httpClient settings to connect to JWK or well-known URL

OPENAM-22421

Webauthn: Windows Hello TPM Attestation failing for Windows 11 22H2

OPENAM-22391

Issues with evaluateTree when using wildcard policies

OPENAM-22322

Unable to verify signed ArtifactResponse Assertion leading to failure

OPENAM-22318

OAUTH_REQUEST_ATTRIBUTES cookie isn’t getting deleted after authentication

OPENAM-22289

Session quota action may fail when the session isn’t updatable but should be fine to proceed

OPENAM-22288

Amster upgrade 7.3.0-to-7.3.x fails with Groovy Exception

OPENAM-22181

Approve UMA request fails with 500 error when AM deployed as a platform

OPENAM-22120

Backchannel logout token doesn’t contain exp claim

OPENAM-21972

SAML artifact binding is failing in load-balanced deployments

OPENAM-21937

Quota enforcement affects agent sessions that authenticate by tree

OPENAM-21897

Creation order determines policy evaluate and evaluateTree results

OPENAM-21473

Certificate collector node: getPortalStyleCert throws exception when cert/header not present

OPENAM-21322

AM console allows creation of entity provider with space at the end of the name

OPENAM-21191

Web agent sessions have a long session lifetime of 42 years

OPENAM-21085

Undefined bindings are incorrectly evaluated in Groovy scripts

OPENAM-20945

Unable to trace token revocation back to resource owner because of missing trackingID field

OPENAM-20314

Social Provider Handler node and Social IdP service use the sub claim to search for links to existing accounts

OPENAM-20299

Fix to make agent authentication honor com.iplanet.am.session.agentSessionIdleTime

OPENAM-19261

Fix incorrectly logged errors when introspecting tokens using OAuth 2.0 client credentials grant

AM 7.3.1

OPENAM-22017

ConfigProviderNode creates node class dynamically leading to native memory leak

OPENAM-21976

Single point of locking contention when performing client-based session logout

OPENAM-21941

Unable to edit policies in the UI

OPENAM-21854

TermsAndConditionsCallback fails with error on XUI

OPENAM-21747

Rest SDK and Amster send cookies if request has cookie header

OPENAM-21728

Certificate module fails using JDK 11.0.21 and later with undefined access to private method

OPENAM-21484

Introspecting OAuth 2.0 refresh tokens results in different claim value types in the response

OPENAM-21421

Scripting logger name isn’t based on logging hierarchy convention

OPENAM-21390

ConsumedStateDataCache can cache an incomplete set of reachability data when on multi-AM environment

OPENAM-21304

OAuth 2.0 dynamic client registrations don’t retain request_uri values when creating

OPENAM-21277

Running Amster in debug mode doesn’t work on Windows

OPENAM-21164

Calling toXMLString in custom SAML adapter can return incorrectly formatted XML leading to invalid signature

OPENAM-21160

Inconsistent values in secure state when navigating an authentication tree

OPENAM-21158

Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2

OPENAM-21069

WindowsDesktopSSO authentication is failing

OPENAM-21030

Amster 7.3.0 CLI isn’t working on Windows

OPENAM-21010

Social authentication for remote OIDC server for user profile non-english words corrupted

OPENAM-21004

AM will always look for valid session when scope=openid

OPENAM-21001

IdPAccountMapper is not correctly determined

OPENAM-20980

Unable to use issuer comparison check regex in oidc social provider

OPENAM-20897

Debug logs not showing info for ERROR: Unsupported Callback, "{0}" and others

OPENAM-20895

Newly-created Maven archetype project fails to build

OPENAM-20756

OIDC social authentication request (Apple) fails due to duplicate response_mode=form_post request parameter

OPENAM-20691

Destroy oldest session may fail to work

OPENAM-20682

Unable to encrypt from jwk_uri when there are duplicate kid

OPENAM-20490

AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes"

OPENAM-20026

Trailing whitespace prevents social provider deletion via UI

OPENAM-19999

ID token as AM session doesn’t work with /authorize when openid scope is requested

OPENAM-19889

Policy evaluation fails with agent access token JWT as subject

OPENAM-19282

Recovery Code Display Node works only immediately after Registration node

OPENAM-18599

Allow for custom error message if user account is locked

AM 7.3

OPENAM-20396

Authentication tree is selected by order of acr to tree mapping, not the default values, and order is not preserved

OPENAM-20360

Ampersand is double encoded in the Destination of a SAML Assertion

OPENAM-20260

Unable to log into AM when external application store is down

OPENAM-20230

Class allowlisting fails with permission denied after an extended period

OPENAM-20181

AD account notification fails

OPENAM-20159

Upgrader adds requestObjectProcessing to OAuth2Provider subconfigs

OPENAM-20104

The fragment response_mode for the /oauth2/authorize endpoint is not working

OPENAM-20085

STS token generation does not work with clustered docker pods

OPENAM-20082

Locked out users are shown a misleading error message

OPENAM-19868

Correctly handle multi-line text in Email Suspend nodes

OPENAM-19866

Excessive logging when accessing protected resources

OPENAM-19726

The par endpoint doesn’t return a request_uri when using JAR and claims are provided

OPENAM-19665

Wrong Java version in Amster README file

OPENAM-19515

Unable to update session service with read only identity store

OPENAM-19411

Amster installation failure with authorizedKey parameter when trying to overwrite an existing configuration

OPENAM-18818

Persistent search error message shows wrong DS identifier

OPENAM-18488

Windows Hello with TPM/platform authenticator returns two certificates

OPENAM-18172

Multiple instances of "No Social Authentication Service found for realm" logged at WARNING level

OPENAM-17215

Policy debug log fills up at very high pace if the config store is not found

OPENAM-13766

No configuration found for login with SessionConditionAdvice=deny

Fixes in AM 7.4.x

This page lists the cumulative fixes in AM 7.4.x releases:

AM 7.4.2

OPENAM-23441

Enabling OAuth2 client option "Allow wildcard ports in redirect URIs" prevents application URIs from working

OPENAM-23091

Fix for systemEnv.getProperty() in next-generation scripting

OPENAM-23059

ssoadm doesn’t work against realm defaults

OPENAM-22988

Failover doesn’t occur when heartbeat interval is set to 0

OPENAM-22846

External app/policy store active/passive LB isn’t working

OPENAM-22836

Unable to update KBA security questions using XUI

OPENAM-22717

SP-initiated SSO fails with "Illegal character in scheme name" when the IdP entity name has a special character

OPENAM-22657

JWT validation fails when signed using the RS256 algorithm

OPENAM-22632

AMSetupServlet install error with Windows multi-domain environment

OPENAM-22608

Non-extractable secrets in HSM fails to work on AM for SAML2 XML signing

OPENAM-22465

Unexpected error when request_uri client doesn’t match request parameter client in PAR authorise request

OPENAM-22391

Issues with evaluateTree when using wildcard policies

OPENAM-22346

The RP form_post endpoint doesn’t handle POST data well when OP returns error

OPENAM-22322

Signed ArtifactResponse Assertion can’t be verified and fails

OPENAM-22318

OAUTH_REQUEST_ATTRIBUTES cookie isn’t getting deleted after authentication

OPENAM-22298

NullPointerException in SAML2Utils.verifyNameIDFormat method

OPENAM-22264

Add global attribute handling to ssoadm

OPENAM-22120

Backchannel logout tokens now include the exp claim

OPENAM-21951

No option to set the selectedIndex on a ChoiceCallback

OPENAM-21926

Lockout message is not applied when using Identity Store Decision node

OPENAM-21897

Creation order determines policy evaluate and evaluateTree results

OPENAM-21864

No option to enable the trackingCookie with callbacksBuilder

OPENAM-21748

Next-generation scripting missing "get" wrapper function for HiddenValueCallback

OPENAM-21609

OAuth2Provider service created immediately after install/restart isn’t available in code flow

OPENAM-21545

Unable to create a circle of trust in file-based configuration with external data store

OPENAM-20945

Unable to trace token revocation back to resource owner because of missing trackingID field

OPENAM-20314

Social Provider Handler node and Social IdP service use the sub claim to search for links to existing accounts

OPENAM-20239

Setting the keepalive or heartbeat interval to a negative value in the IdRepo config causes an error

OPENAM-15834

Access token call fails when an unsupported claim is requested

OPENAM-14438

Ensure OAuth2ClientAgentGroups are imported before OAuth2ClientAgents in Amster

AM 7.4.1

OPENAM-22753

Destroy All session may fail to work

OPENAM-22715

PlaceholderAnnotationUtils.insertDefaultValueIntoPlaceholder is not escaping values correctly

OPENAM-22696

Persistent search notification invalidation on AD identity store doesn’t invalidate user cached attributes

OPENAM-22620

Slow response from access token endpoint using client credentials grant

OPENAM-22602

OIDC ID Token Validator node uses own httpClient settings to connect to JWK or well-known URL

OPENAM-22421

Webauthn: Windows Hello TPM Attestation failing for Windows 11 22H2

OPENAM-22289

Session quota action may fail when the session isn’t updatable but should be fine to proceed

OPENAM-22181

Approve UMA request fails with 500 error when AM deployed as a platform

OPENAM-22171

Forgotten password fails when AM searches for the identity to modify

OPENAM-22119

"Access to Java class ScriptedLoggerWrapper prohibited" exception

OPENAM-22109

The expiry time of OPS token in 7.x doesn’t change with the time of tokens created

OPENAM-22017

Configuration Provider node creates node class dynamically leading to native memory leak

OPENAM-21976

Single point of locking contention when doing client-based session logout

OPENAM-21972

SAML artifact binding is using crosstalk for artifact resolution

OPENAM-21941

Unable to edit policies in the UI

OPENAM-21937

Quota enforcement affects agent sessions that authenticate by tree

OPENAM-21936

Unable to use legacy and next-generation scripts in the same authentication tree

OPENAM-21868

ssoadm create-sub-cfg not working for AM 7.2+ due to the context= field

OPENAM-21854

TermsAndConditionsCallback fails with error on XUI

OPENAM-21803

Certificate User Extractor node cannot resolve wrong name when UPN SubjectAltNameExt

OPENAM-21780

Next-generation httpClient script binding adds "null" as entity to GET requests

OPENAM-21747

Amster not working after connecting when AM REST call has extra set-cookie headers

OPENAM-21664

Upgrade fails to AM 7.4.0 with an uncaught exception when initializing the PrivilegeIndexStore class

OPENAM-21484

OAuth 2.0 token introspection response has different claim value types when introspecting refresh tokens

OPENAM-21473

Certificate Collector node: getPortalStyleCert throws exception when cert/header not present

OPENAM-21466

AM using OIDC social authentication fails to verify ID token if remote JWK_URIs have duplicate KID

OPENAM-21277

Running Amster in debug mode doesn’t work on Windows

OPENAM-21191

Web agent sessions have a long session lifetime of 42 years

OPENAM-20609

Inconsistent error message when generating access token using refresh token after changing username

OPENAM-19999

ID token as AM session doesn’t work with /authorize when openid scope is requested

OPENAM-19889

Policy evaluation fails with agent access token JWT as subject

OPENAM-17816

500 Internal Server Error (from NPE) returned for a missing Content-Type header

AM 7.4

OPENAM-21476

Persistent Cookie isn’t created when using Configuration Provider node

OPENAM-21421

Scripting logger name isn’t based on logging hierarchy convention

OPENAM-21390

Fix caching error when a journey switches backend instances to correctly provide data to nodeState

OPENAM-21360

Add java.util.concurrent.ExecutionException to AM scripting class allowlist

OPENAM-21323

LDAP (inline) upgrade fails due to policy creation of UssSelfWriteAttributes

OPENAM-21304

Retain request URI values specified during dynamic client registration

OPENAM-21164

Fix type issue of XML String in SAML responses when using a custom adapter

OPENAM-21160

Make sure secure state values are retained when navigating the authentication tree

OPENAM-21158

Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2

OPENAM-21085

Undefined bindings are incorrectly evaluated in Groovy scripts

OPENAM-21069

WindowsDesktopSSO authentication is failing

OPENAM-21053

Missing userId from Access audit log when org.forgerock.security.oauth2.enforce.sub.claim.uniqueness=false in JWT client authentication flow

OPENAM-21030

Amster CLI doesn’t work on Windows

OPENAM-21010

Social authentication user profile corrupted when remote OIDC server provides non-English identity claims

OPENAM-21004

AM will always look for valid session when scope=openid

OPENAM-21001

SAML IdPAccountMapper isn’t correctly determined

OPENAM-20980

OIDC social provider uses configured issuer instead of wellknown endpoint issuer when using regex comparison

OPENAM-20953

Return subject attributes correctly when evaluating a policy using a JwtClaim as subject type

OPENAM-20920

Improve handling of SAML2 IDP metadata that uses SSO endpoint entries other than HTTP-POST or HTTP-Redirect bindings when binding is null

OPENAM-20897

Debug logs not showing info for ERROR: Unsupported Callback, "{0}" and others

OPENAM-20895

Newly created Maven archetype project for building custom authentication nodes fails to build

OPENAM-20851

Existing registered devices unable to use push notifications when AWS SNS credentials are updated

OPENAM-20784

TestUMAPolicy fails for users that will cause LocalizedIllegalArgumentException

OPENAM-20756

Social authentication request for Apple fails due to duplicated response_mode=form_post request parameter

OPENAM-20691

Fix rare race condition in session quota destroy next expiring action that can lead to the oldest session not being destroyed

OPENAM-20682

Unable to encrypt from jwk_uri where there are multiple JWKs with the same kid but different algorithms

OPENAM-20490

AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes"

OPENAM-20451

Fix to display user-friendly account name during WebAuthn device registration

OPENAM-20299

Fix to make agent authentication honor com.iplanet.am.session.agentSessionIdleTime

OPENAM-20230

Class allowlisting denies access to permitted classes after running for an extended period of time

OPENAM-20026

Social IDP with trailing whitespace in the name can’t be deleted using the UI

OPENAM-20024

Improve debug logging when login to XUI fails with HTTP 404 JsonValueException from endpoint

OPENAM-19282

Recovery Code Display Node works only immediately after Registration node

OPENAM-19261

Fix incorrectly logged errors when introspecting tokens using OAuth 2.0 client credentials grant

OPENAM-18709

New nodeState.getObject method added to return values stored in both shared and secure state

OPENAM-18685

New realm-level configuration setting to remove or skip subname claim

OPENAM-18004

Support sequential transaction IDs to improve audit logging for HTTP requests to IDM

OPENAM-17331

Push Notifications: User with disabled endpoint is not able to login

OPENAM-17179

Deleting an authentication tree leaves orphaned nodes that prevent deletion of referenced scripts

AM 7.3.x

AM 7.3.3

OPENAM-23519

Android devices without a screen lock not working with WebAuthn registration

OPENAM-23518

AuthenticateToTreeConditionAdvice doesn’t work with Inner Tree as first node

OPENAM-23441

Enabling OAuth2 client option "Allow wildcard ports in redirect URIs" prevents application URIs from working

OPENAM-22846

External app/policy store active/passive LB isn’t working

OPENAM-22654

BooleanAttributeInputCallback renders an enabled checkbox in AM XUI

OPENAM-22608

Non-extractable secrets in HSM fails to work on AM for SAML2 XML signing

OPENAM-21026

OAuth Clients don’t work when the redirect uri list contains an invalid uri

OPENAM-20451

Fix to display user-friendly account name during WebAuthn device registration

OPENAM-15834

Access token call fails when an unsupported claim is requested

AM 7.3.1

OPENAM-22017

ConfigProviderNode creates node class dynamically leading to native memory leak

OPENAM-21976

Single point of locking contention when performing client-based session logout

OPENAM-21941

Unable to edit policies in the UI

OPENAM-21854

TermsAndConditionsCallback fails with error on XUI

OPENAM-21747

Rest SDK and Amster send cookies if request has cookie header

OPENAM-21728

Certificate module fails using JDK 11.0.21 and later with undefined access to private method

OPENAM-21484

Introspecting OAuth 2.0 refresh tokens results in different claim value types in the response

OPENAM-21421

Scripting logger name isn’t based on logging hierarchy convention

OPENAM-21390

ConsumedStateDataCache can cache an incomplete set of reachability data when on multi-AM environment

OPENAM-21304

OAuth 2.0 dynamic client registrations don’t retain request_uri values when creating

OPENAM-21277

Running Amster in debug mode doesn’t work on Windows

OPENAM-21164

Calling toXMLString in custom SAML adapter can return incorrectly formatted XML leading to invalid signature

OPENAM-21160

Inconsistent values in secure state when navigating an authentication tree

OPENAM-21158

Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2

OPENAM-21069

WindowsDesktopSSO authentication is failing

OPENAM-21030

Amster 7.3.0 CLI isn’t working on Windows

OPENAM-21010

Social authentication for remote OIDC server for user profile non-english words corrupted

OPENAM-21004

AM will always look for valid session when scope=openid

OPENAM-21001

IdPAccountMapper is not correctly determined

OPENAM-20980

Unable to use issuer comparison check regex in oidc social provider

OPENAM-20897

Debug logs not showing info for ERROR: Unsupported Callback, "{0}" and others

OPENAM-20895

Newly-created Maven archetype project fails to build

OPENAM-20756

OIDC social authentication request (Apple) fails due to duplicate response_mode=form_post request parameter

OPENAM-20691

Destroy oldest session may fail to work

OPENAM-20682

Unable to encrypt from jwk_uri when there are duplicate kid

OPENAM-20490

AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes"

OPENAM-20026

Trailing whitespace prevents social provider deletion via UI

OPENAM-19999

ID token as AM session doesn’t work with /authorize when openid scope is requested

OPENAM-19889

Policy evaluation fails with agent access token JWT as subject

OPENAM-19282

Recovery Code Display Node works only immediately after Registration node

OPENAM-18599

Allow for custom error message if user account is locked

AM 7.3

OPENAM-20396

Authentication tree is selected by order of acr to tree mapping, not the default values, and order is not preserved

OPENAM-20360

Ampersand is double encoded in the Destination of a SAML Assertion

OPENAM-20260

Unable to log into AM when external application store is down

OPENAM-20230

Class allowlisting fails with permission denied after an extended period

OPENAM-20181

AD account notification fails

OPENAM-20159

Upgrader adds requestObjectProcessing to OAuth2Provider subconfigs

OPENAM-20104

The fragment response_mode for the /oauth2/authorize endpoint is not working

OPENAM-20085

STS token generation does not work with clustered docker pods

OPENAM-20082

Locked out users are shown a misleading error message

OPENAM-19868

Correctly handle multi-line text in Email Suspend nodes

OPENAM-19866

Excessive logging when accessing protected resources

OPENAM-19726

The par endpoint doesn’t return a request_uri when using JAR and claims are provided

OPENAM-19665

Wrong Java version in Amster README file

OPENAM-19515

Unable to update session service with read only identity store

OPENAM-19411

Amster installation failure with authorizedKey parameter when trying to overwrite an existing configuration

OPENAM-18818

Persistent search error message shows wrong DS identifier

OPENAM-18488

Windows Hello with TPM/platform authenticator returns two certificates

OPENAM-18172

Multiple instances of "No Social Authentication Service found for realm" logged at WARNING level

OPENAM-17215

Policy debug log fills up at very high pace if the config store is not found

OPENAM-13766

No configuration found for login with SessionConditionAdvice=deny

Fixes in AM 7.3.x

This page lists the cumulative fixes in AM 7.3.x releases:

AM 7.3.3

OPENAM-23519

Android devices without a screen lock not working with WebAuthn registration

OPENAM-23518

AuthenticateToTreeConditionAdvice doesn’t work with Inner Tree as first node

OPENAM-23441

Enabling OAuth2 client option "Allow wildcard ports in redirect URIs" prevents application URIs from working

OPENAM-22846

External app/policy store active/passive LB isn’t working

OPENAM-22654

BooleanAttributeInputCallback renders an enabled checkbox in AM XUI

OPENAM-22608

Non-extractable secrets in HSM fails to work on AM for SAML2 XML signing

OPENAM-21026

OAuth Clients don’t work when the redirect uri list contains an invalid uri

OPENAM-20451

Fix to display user-friendly account name during WebAuthn device registration

OPENAM-15834

Access token call fails when an unsupported claim is requested

AM 7.3.2

OPENAM-22836

Unable to update KBA Security questions using XUI

OPENAM-22753

Destroy All session may fail to work

OPENAM-22717

SP-initiated SSO fails with "Illegal character in scheme name" when IdP name contains a special character

OPENAM-22696

Persistent search notification invalidation on AD identity store doesn’t invalidate user cached attributes

OPENAM-22656

Setting JWKs URI content cache timeout to a small value throws an error

OPENAM-22632

AMSetupServlet install error with Windows multi-domain environment

OPENAM-22602

OIDC ID Token Validator node uses own httpClient settings to connect to JWK or well-known URL

OPENAM-22421

Webauthn: Windows Hello TPM Attestation failing for Windows 11 22H2

OPENAM-22391

Issues with evaluateTree when using wildcard policies

OPENAM-22322

Unable to verify signed ArtifactResponse Assertion leading to failure

OPENAM-22318

OAUTH_REQUEST_ATTRIBUTES cookie isn’t getting deleted after authentication

OPENAM-22289

Session quota action may fail when the session isn’t updatable but should be fine to proceed

OPENAM-22288

Amster upgrade 7.3.0-to-7.3.x fails with Groovy Exception

OPENAM-22181

Approve UMA request fails with 500 error when AM deployed as a platform

OPENAM-22120

Backchannel logout token doesn’t contain exp claim

OPENAM-21972

SAML artifact binding is failing in load-balanced deployments

OPENAM-21937

Quota enforcement affects agent sessions that authenticate by tree

OPENAM-21897

Creation order determines policy evaluate and evaluateTree results

OPENAM-21473

Certificate collector node: getPortalStyleCert throws exception when cert/header not present

OPENAM-21322

AM console allows creation of entity provider with space at the end of the name

OPENAM-21191

Web agent sessions have a long session lifetime of 42 years

OPENAM-21085

Undefined bindings are incorrectly evaluated in Groovy scripts

OPENAM-20945

Unable to trace token revocation back to resource owner because of missing trackingID field

OPENAM-20314

Social Provider Handler node and Social IdP service use the sub claim to search for links to existing accounts

OPENAM-20299

Fix to make agent authentication honor com.iplanet.am.session.agentSessionIdleTime

OPENAM-19261

Fix incorrectly logged errors when introspecting tokens using OAuth 2.0 client credentials grant

AM 7.3.1

OPENAM-22017

ConfigProviderNode creates node class dynamically leading to native memory leak

OPENAM-21976

Single point of locking contention when performing client-based session logout

OPENAM-21941

Unable to edit policies in the UI

OPENAM-21854

TermsAndConditionsCallback fails with error on XUI

OPENAM-21747

Rest SDK and Amster send cookies if request has cookie header

OPENAM-21728

Certificate module fails using JDK 11.0.21 and later with undefined access to private method

OPENAM-21484

Introspecting OAuth 2.0 refresh tokens results in different claim value types in the response

OPENAM-21421

Scripting logger name isn’t based on logging hierarchy convention

OPENAM-21390

ConsumedStateDataCache can cache an incomplete set of reachability data when on multi-AM environment

OPENAM-21304

OAuth 2.0 dynamic client registrations don’t retain request_uri values when creating

OPENAM-21277

Running Amster in debug mode doesn’t work on Windows

OPENAM-21164

Calling toXMLString in custom SAML adapter can return incorrectly formatted XML leading to invalid signature

OPENAM-21160

Inconsistent values in secure state when navigating an authentication tree

OPENAM-21158

Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2

OPENAM-21069

WindowsDesktopSSO authentication is failing

OPENAM-21030

Amster 7.3.0 CLI isn’t working on Windows

OPENAM-21010

Social authentication for remote OIDC server for user profile non-english words corrupted

OPENAM-21004

AM will always look for valid session when scope=openid

OPENAM-21001

IdPAccountMapper is not correctly determined

OPENAM-20980

Unable to use issuer comparison check regex in oidc social provider

OPENAM-20897

Debug logs not showing info for ERROR: Unsupported Callback, "{0}" and others

OPENAM-20895

Newly-created Maven archetype project fails to build

OPENAM-20756

OIDC social authentication request (Apple) fails due to duplicate response_mode=form_post request parameter

OPENAM-20691

Destroy oldest session may fail to work

OPENAM-20682

Unable to encrypt from jwk_uri when there are duplicate kid

OPENAM-20490

AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes"

OPENAM-20026

Trailing whitespace prevents social provider deletion via UI

OPENAM-19999

ID token as AM session doesn’t work with /authorize when openid scope is requested

OPENAM-19889

Policy evaluation fails with agent access token JWT as subject

OPENAM-19282

Recovery Code Display Node works only immediately after Registration node

OPENAM-18599

Allow for custom error message if user account is locked

AM 7.3

OPENAM-20396

Authentication tree is selected by order of acr to tree mapping, not the default values, and order is not preserved

OPENAM-20360

Ampersand is double encoded in the Destination of a SAML Assertion

OPENAM-20260

Unable to log into AM when external application store is down

OPENAM-20230

Class allowlisting fails with permission denied after an extended period

OPENAM-20181

AD account notification fails

OPENAM-20159

Upgrader adds requestObjectProcessing to OAuth2Provider subconfigs

OPENAM-20104

The fragment response_mode for the /oauth2/authorize endpoint is not working

OPENAM-20085

STS token generation does not work with clustered docker pods

OPENAM-20082

Locked out users are shown a misleading error message

OPENAM-19868

Correctly handle multi-line text in Email Suspend nodes

OPENAM-19866

Excessive logging when accessing protected resources

OPENAM-19726

The par endpoint doesn’t return a request_uri when using JAR and claims are provided

OPENAM-19665

Wrong Java version in Amster README file

OPENAM-19515

Unable to update session service with read only identity store

OPENAM-19411

Amster installation failure with authorizedKey parameter when trying to overwrite an existing configuration

OPENAM-18818

Persistent search error message shows wrong DS identifier

OPENAM-18488

Windows Hello with TPM/platform authenticator returns two certificates

OPENAM-18172

Multiple instances of "No Social Authentication Service found for realm" logged at WARNING level

OPENAM-17215

Policy debug log fills up at very high pace if the config store is not found

OPENAM-13766

No configuration found for login with SessionConditionAdvice=deny

Removed

The functionality listed here was removed.

AM 8.0

Authentication modules and chains: We’ve removed authentication modules and chains. They were deprecated in AM 7.

For this release only, it’s possible to temporarily re-enable modules and chains for migration purposes. Learn more in Authentication modules and chains.
Embedded DS: The embedded DS server has been removed.

It was deprecated in AM 7 for use in production.
Legacy audit logging service: The legacy audit logging service was deprecated in AM 7.2 and is no longer supported.
SOAP STS service: The SOAP STS service has been removed.

It was deprecated in AM 7.

AM 7.5

Java 11: AM 7.5 removes support for Java 11. Only Java 17 is supported in this release.
SNMP monitoring: SNMP monitoring was deprecated in AM 7.3 and is no longer supported.

AM 7.4

No features or functionality were removed in this release.

AM 7.3

Removal of CTS worker pool: The org.forgerock.services.cts.async.queue.size and org.forgerock.services.cts.async.queue.timeout advanced configuration properties were removed.

For details, refer to: Removal of CTS worker thread pool.

Changes

Changes in AM 8.0.x

AM 8.0

Support for Tomcat 10

AM 8.0 supports Apache Tomcat 10 as a web application container. If you use Apache Tomcat, you must upgrade to at least version 10 before you upgrade to AM 8.0.

Find more information in Upgrade Tomcat.

As part of this change, you should rewrite scripts that used the javax.servlet.request.X509Certificate attribute in the servlet request to obtain the client certificate. Your updated scripts should use the jakarta.servlet.request.X509Certificate attribute instead.

Authentication modules and chains

Authentication modules and chains have been removed in AM 8.0. If you’re still using modules and chains for authentication, you must migrate to nodes and trees as soon as possible.

It’s recommended that you migrate to nodes and trees before upgrading to AM 8.

If that’s not possible, and you need access to modules and chains for migration purposes, you can temporarily re-enable them in AM 8.0.

Re-enable modules and chains

Go to Configure > Server Defaults > Advanced in the AM admin UI.
Add the org.forgerock.am.authentication.chains.enabled property and set it to true.
Save your changes.
Restart AM or the container where it runs.

You can now access modules and chains through the REST endpoints. Modules and chains aren’t accessible through the AM admin UI.

The option to re-enable modules and chains is only for migration purposes in AM 8.0. Authentication modules and chains will be removed completely in an upcoming release.

Providing OAuth 2.0 client certificates to AM

Clients can provide mTLS certificates to AM using trusted headers. AM now supports certificates in Base64-encoded PEM and DER format.

The corresponding value of the TLS Client Certificate Header Format configuration property on the OAuth2 Provider service has therefore changed from URLENCODED_PEM to BASE64_ENCODED_CERT.

Change in behavior for WebAuthn flows

Previously, for WebAuthn flows, if an authenticator provided an attestation that included the certificate authority (CA) root certificate, AM would remove and silently ignore the certificate. This behavior has changed in AM 8.0.

Now, if the authenticator provides an attestation that contains an invalid certificate chain (including the root CA certificate in the chain), PingAM rejects the attestation and throws an InvalidDataException error. The root certificate must be issued and securely distributed by a CA.

Endpoint for monitoring server activity with Prometheus

To monitor server activity with Prometheus, use one of the new endpoints:

/metrics/prometheus

The path of this endpoint is format-agnostic, but the response payload is identical to that from the /json/metrics/prometheus endpoint.

Although this endpoint is new, it is also deprecated in this release and support for its use will be removed in a future release. Move to the /metrics/prometheus/0.0.4 endpoint as soon as convenient.
/metrics/prometheus/0.0.4

The path of this endpoint is format-agnostic, but the response payload is slightly different to that from the /metrics/prometheus endpoint.

Learn more in Monitor with Prometheus.

Sessions terminology

Sessions that are created to track progress through an authentication tree were previously referred to as authentication sessions, and sessions that are created after a user has authenticated were just referred to as sessions.

This release introduces the following new terminology to clarify and simplify the distinction between these session types:

Journey session (previously called authentication session)
Authenticated session (previously called session).

This change is reflected in the documentation.

You no longer need to specify a well-known endpoint when configuring a custom OIDC Social Identity Provider service.

If the well-known endpoint isn’t specified, AM verifies signatures using the JWK location, keystore location, or the client secret.

Changes to audit logging

The following events have been added to the audit log:
- AM-TREE-LOGIN-STARTED
  
  Logged when authentication through a tree starts.
- AM-TREE-LOGIN-COMPLETED with exception
Learn more in the Audit logging reference.
The org.forgerock.openam.audit.identity.activity.events.blacklist advanced server property contains a comma-separated list of audit events that won’t be logged. In previous releases, you could only add the AM-ACCESS-ATTEMPT, AM-IDENTITY-CHANGE, and AM-GROUP-CHANGE events to this list. From AM 8.0, you can prevent logging of any event.

Logging all events can impact performance. You should log only those events you intend to monitor.

WS-Federation `com.sun.identity.wsfederation.logout.wreply` URL validation

To facilitate logging out of WS-Federation and multiprotocol environments (WS-Federation communicating with SAML 2.0), you must add the URL specified in the com.sun.identity.wsfederation.logout.wreply query parameter to the Valid goto URL Resources field in the validation service. If you don’t add this URL, redirection fails.

Learn more in Add a URL to the validation service.

Changes to LinkedIn social identity provider configuration

The OAuth 2.0 version of the LinkedIn social identity provider configuration profile is deprecated by LinkedIn. This deprecated version has been renamed to LinkedIn (Legacy).

To configure your social identity provider with the latest OIDC version of the LinkedIn profile, use the LinkedIn profile.

SOAP STS service

The SOAP STS service has been removed in this release. If you’re still using the SOAP STS, you must migrate to the REST STS.

When you upgrade to AM 8, the SOAP STS agents and configuration are deleted. Make sure you retain anything useful to your migration prior to upgrading.

The `accountId` field in JWT script binding operations

Two new fields, subject and issuer, replace the accountId field used by the jwtAssertion and jwtValidator script bindings. This lets you specify separate values for these JWT claims.

If specified, the accountId is now used as the values for issuer, stableId, and subject when these values aren’t provided.

Learn more in Generate and validate JWTs.

Device authorization grant behavior

The behavior of the device authorization grant has changed slightly. Previously, AM didn’t consult the default ACRs until after consent was granted by the user. This meant that the user had already been prompted to authenticate through the default realm authentication mechanism and was sometimes required to authenticate twice if the default ACRs dictated a different mechanism.

The /oauth2/device/user endpoint checks for a user_code during the initial request. From AM 8.0, if a user_code is supplied, AM uses it to retrieve the associated device code to determine if any ACRs were requested. If ACRs were requested, they guide the authentication mechanism.

This change improves the user experience by reducing redundant authentication prompts.

You can find more information in Device authorization grant.

Changes in AM 7.5.x

AM 7.5

Change in behavior for journeys containing a Certificate Collector node

Previously, for journeys containing a Certificate Collector node, AM would throw an exception in the following scenario:

You set the node’s Certificate Collection Method property to Either or Header
You specified an HTTP header name
The certificate was missing from the browser (and from the request if Either was selected)

Now, in this scenario, the journey continues down the Not Collected path.

Default setting for AES key wrap encryption

The system property org.forgerock.openam.encryption.padshortinputs is now true by default.

This property pads short inputs (less than 8 bytes). If you’re using AES key wrap encryption, do one of the following before you upgrade to AM 7.5:

Check that any passwords encrypted with AES key wrap encryption are longer than eight characters. AM won’t be able to decrypt shorter values.
Set org.forgerock.openam.encryption.padshortinputs to true and re-save any short passwords to update the padding.

Change to OAuth 2.0 refresh token introspection response types

Previously, introspecting a stateful refresh token returned some claims as an array containing a single string.

For consistency, the following claims are now returned as strings:

realm
userName
authGrantId
clientID

Changes in AM 7.4.x

AM 7.4.2

The `accountId` field in JWT script binding operations

Two new fields, subject and issuer, replace the accountId field used by the jwtAssertion and jwtValidator script bindings. This lets you specify separate values for these JWT claims.

If specified, the accountId is now used as the values for issuer, stableId, and subject when these values aren’t provided.

Learn more in Generate and validate JWTs.

AM 7.4.1

WS-Federation `com.sun.identity.wsfederation.logout.wreply` URL validation

Learn more in Add a URL to the validation service.

Change in behavior for journeys containing a Certificate Collector node

Previously, for journeys containing a Certificate Collector node, AM would throw an exception in the following scenario:

You set the node’s Certificate Collection Method property to Either or Header
You specified an HTTP header name
The certificate was missing from the browser (and from the request if Either was selected)

Now, in this scenario, the journey continues down the Not Collected path.

Change to OAuth 2.0 refresh token introspection response types

Previously, introspecting a stateful refresh token returned some claims as an array containing a single string.

For consistency, the following claims are now returned as strings:

realm
userName
authGrantId
clientID

AM 7.4

Removal of `dsameuserpwd` from default keystore

The alias of the dsameuserpwd has been removed from the default keystore. The dsameUser is an internal account that AM uses to connect to the configuration store. AM now generates the password for this account on startup, and you can’t read or change it.

If you upgrade to AM 7.4 using the upgrade wizard and need to roll back the upgrade, you must restore the default keystore. The upgrade wizard removes the dsameuserpwd alias. If you don’t restore this alias, the rolled back instance of AM won’t start up.

If you try to use a previous version of ssoadm with AM 7.4, the command will show an error Can’t open boot keystore as it expects the dsameuserpwd to be there. To avoid this error, use the ssoadm version that is delivered with AM 7.4.

Preconfigure policy and application data stores

You can now disable policy and application data stores until you are ready to use them. This means that you can preconfigure a data store before the directory server is ready. When you want to use the data store configuration, you can enable it, at which point AM verifies that it can connect to the configured store.

All default policy and application data store configurations are enabled. A new custom external data store configuration is disabled by default. When you upgrade to AM 7.4, existing data store configurations are enabled by default.

The dataStoreEnabled property is mandatory if you’re creating new data stores over REST (using DataStoreService/config?_action=create). It’s also mandatory if you’re updating data stores over REST with a PUT request. For backward compatibility, if you don’t include this property in the JSON payload, the endpoint currently adds it to the configuration by default with a value of true.

In the next AM release, the endpoint version will be incremented and the latest version will require the property to be present.

Change in behavior when an authentication tree is deleted

From this release, when you delete an authentication tree, any nodes referenced by that tree are also deleted, provided they aren’t referenced by another tree.

This change eliminates orphaned nodes in the configuration and lets you delete the scripts referenced by those nodes.

Change in behavior of `subjectattributes` endpoint

The behavior of queries to the subjectattributes endpoint has changed in this release.

To override the new behavior and revert to the previous behavior, set the org.forgerock.security.entitlement.enforce.realm advanced server property to false, then restart AM for the change to take effect.

For security reasons you should set this property back to true when you have updated your scripts.

Rotatable secrets for `amAdmin` password

AM now caches the special secret used to store the password of amAdmin user. The expiry time of the cache is 900 seconds (15 minutes) by default. To change the expiry time, set the org.forgerock.openam.secrets.special.user.secret.refresh.seconds advanced server property.

For more information, refer to Store the amAdmin password in a secret store.

Amster

The .zip distribution now includes a root folder named amster.

This aligns the Amster delivery with the other products in the Ping Advanced Identity Software.

Changes in AM 7.3.x

AM 7.3.2

Change in behavior for journeys containing a Certificate Collector node

Previously, for journeys containing a Certificate Collector node, AM would throw an exception in the following scenario:

You set the node’s Certificate Collection Method property to Either or Header
You specified an HTTP header name
The certificate was missing from the browser (and from the request if Either was selected)

Now, in this scenario, the journey continues down the Not Collected path.

AM 7.3.1

Change to OAuth 2.0 refresh token introspection response types

Previously, introspecting a stateful refresh token returned some claims as an array containing a single string.

For consistency, the following claims are now returned as strings:

realm
userName
authGrantId
clientID

AM 7.3

Artifact updates

If your custom code uses the following supported Java classes, you must update your build dependencies to include these modules:

Class / interface Module

com.sun.identity.idm.IdUtils

customer-api

com.sun.identity.idm.AMIdentity

identity-api

com.sun.identity.idm.IdEventListener

identity-api

com.sun.identity.idm.IdOperation

identity-api

com.sun.identity.idm.IdRepoException

identity-api

com.sun.identity.idm.IdSearchControl

identity-api

com.sun.identity.idm.IdSearchResults

identity-api

com.sun.identity.idm.IdSearchOpModifier

identity-api

com.sun.identity.idm.IdType

identity-api

com.sun.identity.idm.AMIdentityRepository

openam-identity

com.sun.identity.idm.IdRepoListener

openam-identity

`AMIdentity` constructor

The supported constructor, public AMIdentity(SSOToken token, String universalId) throws IdRepoException, no longer throws an IllegalArgumentException if the provided string is not a valid representation of a DN. Instead, these exceptions are now converted to instances of IdRepoException.

Deletion of site data on logout

For security reasons, AM now instructs the browser to clear site data such as locally cached data and cookies when a user successfully logs out. This behavior can be disabled for compatibility purposes. Refer to the Add clear-site-data Header on Logout property in the Core authentication attributes for more information.

Session condition advice behavior

Previously, a Session condition failure resulted in a No configuration found error. This behavior has been changed as follows:

If terminateSession is true and policy evaluation is requested, AM sends the session advice to the Java, Web, or Identity Gateway agent when the maxSessionTime elapses and the user is required to reauthenticate.
If terminateSession is false and policy evaluation is requested, AM does not send the session advice to the Java, Web, or Identity Gateway agent when the maxSessionTime elapses. Instead of being redirected to the login page, the user receives a 403 Forbidden response for the protected resource.

Password change messages can now be returned in sentence case

Previously, all password change and password reset messages were transformed to upper case; for example, YOU MUST RESET YOUR PASSWORD. The LDAP Decision node now provide an option to disable this transformation, letting messages be returned in the case in which they are configured; for example You must reset your password.

This option is disabled by default.

Base URL `X-Forwarded-*` headers

Previously, if you set the Base URL source to X-Forwarded-* headers and no X-Forwarded-Proto header was provided, the generated URL would have a protocol of null, for example null://host, which would result in a broken URL.

From this release, if no X-Forwarded-Proto header is provided, a fallback scheme is used, based on the URI of the request.
You can now specify a port in the Base URL, using the X-Forwarded-Port header.
If multiple X-Forwarded-Host headers are specified, the outermost proxy host is used.

`org.forgerock.openam.services.email.MailServer` interface

The supported interface, org.forgerock.openam.services.email.MailServer has moved from the openam-core module to mail-api.

You need to update the dependencies to recompile your implementation of this interface.

Removal of CTS worker thread pool

To simplify AM behavior, CTS operations are now performed as part of the HTTP worker thread created by the HTTP container. This refactoring introduces the following changes:

The org.forgerock.services.cts.async.queue.size and org.forgerock.services.cts.async.queue.timeout advanced configuration properties are no longer used.
The following monitoring metrics have been replaced:
- Old: cts.task.queue and cts.task.queue.size
- New: cts.connection.state.out and cts.connection.state.pending
  
  For details, refer to CTS metrics.
The primary way to tune the CTS connection pool is to use the org.forgerock.services.cts.store.max.connections property. The default value has been increased from 10 to 100. Existing deployments will be upgraded to whichever is greater: 100 or the original value.
In previous AM releases, calls to the /json/health/ready endpoint returned an HTTP 200 OK response if the CTS queue was below the configured threshold, even if the CTS data store was unavailable.

The CTS queue has been removed in AM 7.3 as part of optimizing connections to the CTS store. If the CTS data store is unavailable, calls to the /json/health/ready endpoint now return an HTTP 503 Service Unavailable error.

Deprecated

The functionality listed here is deprecated, and likely to be removed in a future release.

Deprecated since AM 8.0

Monitoring

Interface endpoint for monitoring server activity with Prometheus

The /json/metrics/prometheus endpoint is deprecated in this release.

To monitor server activity with Prometheus, use one of the new endpoints instead:

/metrics/prometheus
/metrics/prometheus/0.0.4

Although the /metrics/prometheus endpoint is new, it is also deprecated in this release and support for its use will be removed in a future release. Move to the /metrics/prometheus/0.0.4 endpoint as soon as convenient.

Learn more in Monitor with Prometheus.

MBean and JMX interfaces

Support for the legacy MBean and the JMX monitoring interfaces is deprecated in this release.

AM supports other options for monitoring servers, including Graphite. Learn more in Monitor AM instances.

Audit event handlers

The following audit event handlers are deprecated and will be removed in a future release:

CSV
Syslog
JDBC
JMS

Use the JSON audit event handler instead.

Deprecated since AM 7.5

Secret label mappings

The following secret label mappings are deprecated in this release:

am.global.services.session.clientbased.encryption
am.global.services.session.clientbased.signing

Learn more about changes to secret label mappings in Support for storing secrets in secret stores.

Configuration replaced by secret labels

Feature Deprecated field

CAPTCHA node

CAPTCHA Secret Key

Core authentication settings

Persistent Cookie Encryption Certificate Alias

Organization Authentication Signing Secret

Encrypted device storage services:

Key Store Password

Key-Pair Alias

Private Key Password

OTP SMS Sender node and OTP Email Sender node

Mail Server Authentication Password

Password replay

Replay Password Key (com.sun.identity.agents.config.replaypasswd.key)

Persistent Cookie Decision node and Set Persistent Cookie node

HMAC Signing Key

PUSH notification service

SNS Access Key Secret

SAML v2.0 remote SP and IDP configuration

Basic Authentication settings

Session service

Encryption Symmetric AES Key

Signing HMAC Shared Secret

Social Provider service

Client Secret

Changes to `Action` class

The following org.forgerock.openam.auth.node.api.Action methods are deprecated in this release:

public ActionBuilder withUniversalId(String universalId)
public ActionBuilder withUniversalId(Optional<String> universalId)

Use the new public ActionBuilder withIdentifiedIdentity(String username, IdType identityType) and public ActionBuilder withIdentifiedIdentity(AMIdentity identity) methods instead.

The Optional <String> universalId field is also deprecated, and is replaced by Optional<IdentifiedIdentity> identifiedIdentity.

Legacy Social Provider node

The Legacy Social Provider Handler node has been marked as deprecated and will be removed in a future release. This node is replaced by a new Social Provider Handler node that resolves issues related to reentry cookies. The legacy node remains supported in existing journeys. If you’re creating new journeys, use the new Social Provider Handler node instead.

Deprecated since AM 7.4

No features or functionality were deprecated in this release.

Deprecated since AM 7.3

Changes to SAML v2.0 classes

The following classes are deprecated and will be removed in a future release:

Deprecated Replacement

com.sun.identity.saml2.plugins.FedletAdapter

org.forgerock.openam.saml2.plugins.FedletAdapter

com.sun.identity.saml2.plugins.SAML2IDPFinder

org.forgerock.openam.saml2.plugins.IDPFinder

com.sun.identity.saml2.plugins.SAML2IdentityProviderAdapter

org.forgerock.openam.saml2.plugins.IDPAdapter

com.sun.identity.saml2.plugins.SAML2ServiceProviderAdapter

org.forgerock.openam.saml2.plugins.SPAdapter

The following methods are deprecated and will be removed in a future release:

InitializePlugin.java: default void initialize(String, String)

Use initialize(Map) instead.

IDPAuthnContextMapper.java: public IDPAuthnContextInfo getIDPAuthnContextInfo(AuthnRequest, String, String) throws SAML2Exception

Use getIDPAuthnContextInfo(AuthnRequest, String, String, String) instead.

SNMP monitoring

Support for SNMP monitoring is deprecated in this release.

AM provides better options for monitoring servers, including support for Prometheus, Graphite, and JMX. Learn more in Monitor AM instances.

Documentation updates

In addition to the changes described elsewhere in these release notes, the published documentation for each AM version includes the following important changes.

The Amster release notes have been combined into the AM release notes. These release notes now include Amster changes since AM 7.2.

AM 8.0.x

AM 8.0.1

AME-31340: Document ability of Push Notification service to reset device ID
AME-31138: Document removal of library scripts from custom scripted nodes
OPENAM-23714: Indicate that only one secret can be active for any secret label mapping
OPENAM-23616: Client secret not required for OAuth 2.0 client update request

AM 8.0

AME-31026: Deprecate audit event handlers
AME-30978: Add the Set Error Details node to nodes list and add details about the acceptException() method
AME-30936: Mark legacy monitoring as deprecated
AME-30901: Document dynamic client registration scripting
AME-30890: OPENAM-23637: Add documentation for No Session Trees and update session text where necessary
AME-30857: Config Provider node script enabled for next-gen scripting engine
AME-30819: Upgrade instructions for Tomcat 10
AME-30789: Remove SNMP properties from the documentation
AME-30457: Document updated TLS Client Certificate Header Format option value
AME-30442: OPENAM-22904: Overhaul STS guide - remove SOAP STS and modules and chains
AME-30393: Document new next-generation cookieName binding
AME-30392: Document next-generation context for policy condition scripts
AME-30344: Document DER-formatted certificates for OAuth2: Client authentication
AME-30333: Document IDM Environment Condition
AME-30291: SAML certificate metadata update
AME-30249: Document backchannel authentication
AME-30229: Document the Message-Authenticator attribute config for RADIUS servers
AME-30173: Update Evaluation guide to use external DS
AME-30154: Document prevent use of mustRun trees as realm default
AME-30046: AM: Document the Flow Control node
AME-30026: Document new next-gen scripting utils.crypto.subtle binding
AME-29963: AME-30155: Document OIDC application journeys
AME-29951: Document back-channel logout exp claim
AME-29759: Document new next-generation script method to get random values
AME-29757: Document removal of custom Social IdP UI configuration properties
AME-29754: Document new suspend and resume functionality in Scripted Decision node
AME-29685: Revise the section about post-authentication tree hooks
AME-29619: Add navigation for the new Success Details node
AME-29538: Update next-generation scripting documentation with exception handling scenarios
AME-29511: Document the WebAuthn metadata service and related secret label for FIDO certification
AME-29485: Document samlApplication script binding
AME-29415: Document the Failure Details node
AME-29406: AME-29431: Document new prometheus endpoints
AME-29326: Document property to indicate OIDC provider doesn’t return unique value for the sub claim
AME-29179: Document additional Config Provider node options
AME-29168: Add section on node security
AME-29165: Added "Send an HTTP request" section
AME-29164: Update Maintain Authentication nodes
AME-29163: Update Plugin Class
AME-29162: Update Handle Errors
AME-29161: AME-29141: Reorganise node developer guide
AME-29160: Update Action Class
AME-29159: Update Inject Objects into a node
AME-29155: Document new NodeState merge state methods
AME-29133: Config Interface @Attribute Improvements
AME-29132: Node Metadata Improvements
AME-29131: Node Class Improvements
AME-29129: AME-29127: AME-29130: Updates to nodes 'Prepare for development' page
AME-29072: Document change in behavior for self-signed root CA provided in WebAuthN attestation
AME-28883: Document grace period for client-side sessions in one-to-one storage scheme
AME-28726: Documentation for custom LINE OIDC config
AME-28682: Outdated options in DS command-line examples
AME-28614: Documentation of fix for validateJwtClaims failing when using a RS256: Alg signature
AME-28596: Document add entity configuration to enable journey association
AME-28322: Document new scripting monitoring metrics
AME-28264: Document new advanced server property for configurable ID token clock skew time
AME-28256: Document configure journey to always run to completion
AME-28057: Document Distributed Tracing
AME-27982: Add Customize account lockout message example from KB
AME-27965: Add KB content from How do I add a roles claim to the OIDC Claims Script in AM?
AME-27964: Add KB content from How do I add a session property claim to the OIDC Claims Script?
AME-27963: Adding salient info from How do I add custom claims to the OIDC Claims Script in AM?
AME-27962: Add content from How do I override claims in the OIDC ID token in Identity Cloud or AM?
AME-27953: Documentation for enabling mTLS for HTTP Client script binding
AME-27930: Docs on preparing a truststore should use DS 7.x security model
AME-27878: Document customizing SAML NameID with a script
AME-27846: Document the addition of encodeURI form body for httpClient
AME-27845: Document the Scripted Decision node access to context.request.cookies
AME-27844: Document new functions added to ActionWrapper next-generation script binding
AME-27843: Document rotation of the http proxy password without server restart
AME-27841: Document availability of utility classes in library scripts
AME-27840: Documentation for new utility class script bindings
AME-27838: Document secrets binding for all next-generation scripts
AME-27834: Client certificate in SP metadata is configurable
AME-27774: AME-27792: Document audit logging changes for trees
AME-27726: Add more information for activity audit log events
AME-27697: Document jwtAssertion and jwtValidator next-generation scripting improvements
AME-27609: Document renaming of OAuth2: Client ID Token Public Encryption Key property
DOCS-7931: Rename ForgeRock SDKs to Ping SDKs
OPENAM-28565: Add note to docs about reserved binding names
OPENAM-23662: Document the Amster Jwt Decision node
OPENAM-23660: Update docs to include info on default trees that exist in AM 8
OPENAM-23620: Update REST version messages
OPENAM-23558: Provide more info on the am_authentication_count metric
OPENAM-23549: Error in documentation on scope validation
OPENAM-23547: Remove deprecated openam-legacy-debug-slf4j module from docs
OPENAM-23513: Update supported directory stores
OPENAM-23463: Docs for Journey Timeout settings for authenticated sessions
OPENAM-23461: Docs for Journey Timeout settings for pre-authentication sessions
OPENAM-23411: Document changes to default denylist poll interval
OPENAM-23410: Document changes to mergeShared and mergeTransient nodeState methods
OPENAM-23407: Updated Localize AM section to make it clearer that you have to download the UI first
OPENAM-23362: Success Redirect order is incorrect
OPENAM-23278: Clarify docs on CTS token types
OPENAM-23277: Update Amster upgrade section to include 7.5
OPENAM-23188: Correct steps for accessing am-external in auth node developer guide
OPENAM-23171: Errors in SAML 2.0: profile OAuth 2: Grant docs
OPENAM-23104: authLib script context missing from docs
OPENAM-23081: Document improvements to transactional authorization
OPENAM-23078: Update steps for letting DS manage CTS tokens
OPENAM-23066: Update amr claims section to use OIDC claims script instead of module mapping
OPENAM-23036: Incorrect example used in Configure scr claims
OPENAM-23005: Add section on creating trees using REST
OPENAM-22887- 22906: Remove deprecated modules and chains from the documentation
OPENAM-22899: Add notes to the Radius guide about reenabling modules and chains
OPENAM-22878: Document the settings for OCSP verification
OPENAM-22871: Wrong default value for STS Instance is running as remote instance
OPENAM-22841: Document new OIDC LinkedIn social identity provider configuration
OPENAM-22813: Remove AM 6.x references including for supported upgrades
OPENAM-22741: Adding missing step in "Configure amr claims" procedure
OPENAM-22641: Corrected token terminology per feedback
OPENAM-22635: Rework pruning CTS tokens
OPENAM-22607: Link to DS docs for appropriate tuning info
OPENAM-22549: Add references for Set State node
OPENAM-22525: Add HSM support info from KB
OPENAM-22515: Document Logout Webhook key WebhookEventType
OPENAM-22417: Add link to max length property for goTo URL
OPENAM-22385: Document default values for Session properties
OPENAM-22356: Include a more useful link in Release Notes for custom auth node secrets enablement
OPENAM-22343: Document method return types for the script binding
OPENAM-22339: Provide example systemd script for AM
OPENAM-22327: Remove mention of Internet Explorer from AM docs
OPENAM-22254: Update browser support table for WebAuthn
OPENAM-22157: Clarify version support in upgrade instructions
OPENAM-22152: Additional information required in token exchange impersonation
OPENAM-22100: OPENAM-22049: OPENAM-22885: OPENAM-21325: Various improvements to upgrading servers section
OPENAM-22099: Remove misleading information about unsupported custom callbacks
OPENAM-22045: Corrected default log level
OPENAM-21935: Document the maximum JWT token liftime accepted by AM
OPENAM-21907: Added a tip to the setup guide for finding server and site IDs
OPENAM-21857: Document security hardening for UMA confusable homoglyphs
OPENAM-21763: Update terminology around "sessions" to use authenticated and pre-authentication
OPENAM-21763: Changed pre-authentication session terminology to journey session
OPENAM-21744: Removed incorrect statement about invalidating client-side auth session
OPENAM-21591: Document checkIssuerForIdTokenInfo advanced server property
OPENAM-20673: Clarify device reset with WebAuthn
OPENAM-20591: Prevent ClassNotFoundException when removing click-* jars
OPENAM-19899: Remove all instances of /UI/login
OPENAM-19575: OIDC guide feedback: Check algorithm statement for /oauth2/connect/jwk_uri
OPENAM-19533: Remove unnecessary images from installation steps
OPENAM-19395: Distinguish between general mail server and self-service mail service
SDKS-3759: Added verifyTransactionsHelper script binding docs from AIC.
SDKS-3173: The PingOne Worker service requires a configured OAuth2 provider service.
SDKS-2959: Document PingOne Protect-related callbacks
SDKS-2953: Document PingOne Worker service
SDKS-2864: Adding new nodes to catalog page in AM
SDKS-2861: Add PingOne Protect nodes to the list of nodes

AM 7.5.x

AM 7.5.2

AME-32653: Document support for PingDirectory as an identity store
OPENAM-24374: Correct docs for validators in Auth Node dev guide
OPENAM-24320: Indicate support for other third-party authenticator apps
OPENAM-24300: Update AM docs regarding PKCS12 keystore support
OPENAM-24225: Fully integrate Amster docs into AM docs
OPENAM-24196: SAML documentation improvements
OPENAM-24158: Address feedback on the ForgeRock Authenticator app
OPENAM-24092: Transactional authorization policies aren’t supported for the JwtClaim subject type
OPENAM-24067: Created a single drawio.png which includes the vector
OPENAM-24067: Add documentation on how to rename MFA devices & update push diagram
OPENAM-24018: Improve IdP adapter custom script
OPENAM-24014: Fix encoding for auth header example
OPENAM-23959: Fix error in default secret alias name
OPENAM-23920: Clarify requirements for environment condition and difference from subject condition
OPENAM-23855: JDBC Audit log table note about VARCHAR limits
OPENAM-23746: Incorrect sub value in mayAct script for delegation
OPENAM-23714: Indicate only one secret can be active for any secret label mapping
OPENAM-23638: Fix DATA_STORE setting for silent install should be dirServer
OPENAM-23620: Update docs for error logging in Rest API
OPENAM-23616: Client secret not required for OAuth 2.0 client update request
OPENAM-23549: Error in documentation on scope validation
OPENAM-23485: Add more info on how locale is used
OPENAM-23407: Updated Localize AM section to make it clearer that you have to download the UI first
OPENAM-23394: Clarify usage of FBC at install time
OPENAM-23362: Success redirect order is incorrect
OPENAM-23359: Added note about FBC not being supported
OPENAM-23281: Document bindings for Social IdP Profile transformation script type
OPENAM-23126: Incorrect guidance on setSessionProperty
OPENAM-22853: Add description for Token Endpoint Authentication Method is none
OPENAM-22849: The DS rebuild-index command doesn’t have a --useSsl option
OPENAM-22576: Updating links for the push auth nodes
OPENAM-22576: Update MFA related screenshots
OPENAM-22173: Provide more detail for httpClient script binding
OPENAM-22100: Improvements to upgrading servers section
OPENAM-21858: Document the fields available for SAML Name ID Mapping
OPENAM-21849: Configure same key for two AMs using AES
OPENAM-21779: Fixed errors in legacy OAuth 2.0 endpoint docs
OPENAM-21744: Removed an incorrect statement about invalidating the client-side auth session
OPENAM-21655: Updated docs to reflect correct default setting for HTTP only cookies
OPENAM-21638: Clarified the valid values for the default lockout attribute
OPENAM-21455: Added more info around SAML 2.0 algorithms
OPENAM-21454: Provide sample SAML metadata files
OPENAM-21452: Made AES Keywrap note specific to SOAP STS
OPENAM-20974: Update path to incremental upgrade for amUpgrade tool
OPENAM-19503: Fixed CustomIdRepoConfig idRepoClass method name
SDKS-2793: Add bound devices to list of upgrade LDIF files.

AM 7.5.1

AME-29538: Update next-generation scripting documentation with exception handling scenarios
AME-28883: Add info from KB about different token types in the CTS
AME-28766: Documentation for new utility class script binding
AME-28682: Update options in DS command-line examples
AME-27982: Add customize account lockout message example from Knowledge Base
AME-27930: Documentation on preparing a truststore should use DS 7.x security model
AME-27726: Add more information for activity audit log events
AME-22545: com.sun.identity.sm.filebased_embedded_enabled must be set to false after migration
AMAGENTS-6487: Update info about web agent and session cookie name in line with changes to web agent docs
FRAAS-20042: Add content from How do I check what MFA devices are registered to a user in Identity Cloud and AM?
OPENAM-23277: Update Amster upgrade section to include 7.5
OPENAM-23188: Correct steps for accessing am-external in auth node developer guide
OPENAM-23078: Update steps for letting DS manage CTS tokens
OPENAM-23005: Add section on creating trees using REST
OPENAM-22972: Request to add a statement on async in doc
OPENAM-22931: Two callbacks are incorrectly named in the documentation
OPENAM-22871: Wrong default value for STS instance is running as remote instance
OPENAM-22741: Add missing step in "Configure amr claims" procedure
OPENAM-22641: Correct token terminology per feedback
OPENAM-22635: Rework pruning CTS tokens
OPENAM-22607: Link to DS docs for appropriate tuning info
OPENAM-22515: Document Logout Webhook key WebhookEventType
OPENAM-22356: Include a more useful link in Release Notes for custom auth node secrets enablement
OPENAM-22343: Document method return types for the script binding
OPENAM-22339: Provide example systemd script for AM
OPENAM-22327: Remove mention of Internet Explorer from AM documentation
OPENAM-22254: Update browser support table for WebAuthn
OPENAM-22157: Clarify version support in upgrade instructions
OPENAM-22099: Remove misleading information about unsupported custom callbacks
OPENAM-22045: Correct default log level
OPENAM-21935: Document the maximum JWT token lifetime accepted by AM
OPENAM-21907: Added a tip to the Setup guide for finding server and site IDs
OPENAM-21778: Error in documentation on modifying access tokens
OPENAM-20673: Clarify device reset with WebAuthn
OPENAM-20591: Prevent ClassNotFoundException when removing click-* jars
OPENAM-19899: Remove all instances of /UI/login
OPENAM-19575: OIDC guide feedback: Check algorithm statement for /oauth2/connect/jwk_uri
OPENAM-19533: Remove unnecessary images from installation steps
OPENAM-19395: Distinguish between general mail server and self-service mail service
SDKS-3173: The PingOne Worker service requires a configured OAuth 2.0 provider service
SDKS-2861: Add PingOne Protect nodes to the list of nodes

AM 7.5

OPENAM-22207: List HiddenValueCallback as interactive not read-only
OPENAM-22098: Additional information required in JWT validation example
OPENAM-22065: Fix Knowledge Base link in documentation
OPENAM-22061: The Get Session Data Node updates the objectAttributes
OPENAM-21964: Update and align documentation for secret default mappings
OPENAM-21914: Clarify deprecation and replacement of shared and transient state bindings
OPENAM-21900: The Identify Existing User Node updates the shared state username
OPENAM-21885: Clarify statement on realms in the API Explorer docs
OPENAM-21882: Document minimum OTP length for HOTP Generator node
OPENAM-21851: Clarify use of setting for the IdP
OPENAM-21801: Next generation scripting: Update nodeState.getObject
OPENAM-21798: Next generation scripting: Document "get" wrapper functions
OPENAM-21759: Clarify use of Java class allowlisting in next-generation scripting
OPENAM-21754: Add warning to library scrips about use of third party libraries
OPENAM-21723: Attribute Present Decision node: Add note about case-sensitivity
OPENAM-21711: Incorrect acr_values step in Backchannel request grant
OPENAM-21706: Policy evaluation will succeed for failed transactional authorization under certain conditions
OPENAM-21699: Fix example for authenticating to specific services
OPENAM-21696: Add a note to the Set Custom Cookie node docs around host vs domain cookies
OPENAM-21670: Setup guide: Check and update link to affinity load balancing
OPENAM-21667: Sessions guide: Set JWT token expiry if you update max session TTL
OPENAM-21622: Retry limit decision node: Wrong shared state property name
OPENAM-21620: Node development: Improve and correct Node class documentation
OPENAM-21603: Missing spaces in catalina opts example prevents tomcat starting
OPENAM-21504: List Prometheus output with better description.
OPENAM-21418: Fix numbering in JWT profile sequence diagram
OPENAM-21413: Sample script in SAML docs does not work
OPENAM-21344: Update profile data scripting examples with try-catch blocks
OPENAM-20906: Artifact changes in AM 7.3 are not documented in Release Notes
OPENAM-20752: OAuth2 scripted policy condition variables needs updating
OPENAM-20522: State in docs that Sector Identifier URI is needed for Pairwise OAuth2Client profile
OPENAM-20349: Add detail to the Device Match node docs
OPENAM-19204: Customer cannot rely on Transient Node data for WebAuthN Authentication Node
OPENAM-18095: Update documentation with all available audit log fields

AM 7.4.x

AM 7.4.2

AME-29951: Document back-channel logout exp claim
AME-29538: Update next-generation scripting documentation with exception handling scenarios
AME-27726: Add more information for activity audit log events
AME-27697: Document jwtAssertion and jwtValidator next-generation scripting improvements
AME-27432: SAML Artifact flow fails when running AM with JRE 17
AME-22545: com.sun.identity.sm.filebased_embedded_enabled must be set to false after migration
OPENAM-23394: Clarify usage of FBC at install time
OPENAM-23362: Success redirect order is incorrect
OPENAM-23359: Added note about FBC not being supported
OPENAM-23188: Correct steps for accessing am-external in node developer guide
OPENAM-23078: Update steps for letting DS manage CTS tokens
OPENAM-22972: Request to add a statement on async in doc
OPENAM-22871: Wrong default value for STS instance is running as remote instance
OPENAM-22741: Adding missing step in "Configure amr claims" procedure
OPENAM-22635: Procedure for enabling the AM reaper is incorrect
OPENAM-22515: Document Logout Webhook key WebhookEventType
OPENAM-22327: Remove mention of Internet Explorer from AM docs
OPENAM-22254: Update browser support table for WebAuthn
OPENAM-22207: List HiddenValueCallback as interactive not read-only
OPENAM-22157: Clarify version support in upgrade instructions
OPENAM-22100 OPENAM-22049 OPENAM-22885 OPENAM-21325: Improvements to upgrading servers section
OPENAM-22099: Remove misleading information about unsupported custom callbacks
OPENAM-22045: Corrected default log level
OPENAM-21935: Document the maximum JWT token liftime accepted by AM
OPENAM-21907: Added a tip to the setup guide for finding server and site IDs
OPENAM-21744: Removed an incorrect statement about invalidating client-side auth session
OPENAM-21650: Updated base DN for AM configuration data
OPENAM-21165: Request for a sample script to be added to the docs
OPENAM-20673: Clarify device reset with WebAuthn
OPENAM-20591: Prevent ClassNotFoundException when removing click-* jars
OPENAM-19899: Remove all instances of /UI/login
OPENAM-19575: OIDC guide feedback: Check algorithm statement for /oauth2/connect/jwk_uri
OPENAM-19533: Remove unnecessary images from install steps
OPENAM-19395: Distinguish between general mail server and self-service mail service

AM 7.4.1

AME-27930: Prepare truststore should use 7.x DS security model
AME-27531: Incorrect description for Scripting Engine configuration for Thread pool queue size
AME-25385: Document the HTTP client asynchronous feature
OPENAM-22635: Procedure for enabling the AM reaper is incorrect
OPENAM-22207: List HiddenValueCallback as interactive not read-only
OPENAM-22099: Remove misleading information about unsupported custom callbacks
OPENAM-22098: Additional information required in JWT validation example
OPENAM-22066: Document Social Provider Handler node nodeState updates
OPENAM-22065: Fix Knowledge Base link in documentation
OPENAM-21914: Clarify deprecation and replacement of shared and transient state bindings
OPENAM-21851: Clarify use of Single SignOn Service setting for the IdP
OPENAM-21801: Next generation scripting: Update nodeState.getObject
OPENAM-21798: Next generation scripting: Document "get" wrapper functions
OPENAM-21754: Add warning to library scrips about use of third party libraries
OPENAM-21699: Fix example for authenticating to specific services
OPENAM-21696: Add a note to the Set Custom Cookie node docs around host vs domain cookies
OPENAM-21667: Sessions guide: Set JWT token expiry if you update max session TTL
OPENAM-21666: Security guide: Byte and MB values of request body limit don’t match
OPENAM-21620: Node development: Improve and correct Node class documentation
OPENAM-21603: Missing spaces in catalina opts example prevents tomcat starting
OPENAM-21457: Clarify where the Failure node routes a user
OPENAM-21419: Security guide: Attach Java examples for custom secret stores
OPENAM-21413: Fix sample script in SAML docs
OPENAM-21344: Update profile data scripting examples with try-catch blocks
OPENAM-20752: OAuth 2.0 scripted policy condition variables need updating
OPENAM-20522: State that Sector Identifier URI is needed for Pairwise OAuth2Client profile
OPENAM-18598: Clarify account linking in Social Provider Handler Node documentation
OPENAM-18095: List all usable audit log attributes

AM 7.4

Corrected name of SSOResponse binding in SAML SP adapter sample script.
Added links to Knowledge Base articles about restricting access to endpoints.
Updated social identity provider configuration reference with more information about transformation scripts and added realm to redirect URL example.
Provided more detail about audit log events.
Corrected error in WDSSO REST call in Authentication guide.
Note added about a SESSION_BLACKLIST token that exists for client-side authentication sessions.
Clarified documentation for the OIDC user info plugin that the /userinfo retrieves claims from the profile scope only.
Added explanation for audit filtering example in the Security guide.
Amended wording describing the Amster version used for upgrading exported configuration.
Updated instructions to download the UI source.
Documented changes to the OAuth 2.0 device authorization grant.
Updated format of scripting logger names
Fixed error in Device Profile Collector node documentation.
Clarified information around tuning the CTS connection pool.
Added note to caution that a certificate must exist in the keystore before mapping secrets to that keystore.
Removed references to unsupported CoreWrapper API from the documentation.
Improved the information about the bindings available to OAuth 2.0 scripted extensions.
Added more information for the following authentication nodes:
Corrected information about storing device data in shared state for OATH Registration node.
Updated Node development documentation with a note that OTP Email Sender node supports plain text notifications only.
Added note to advise installers and upgraders to remove web.xml entry to prevent a click-servlet exception.
Documented the new org.forgerock.openam.ldap.secure.protocol.version advanced property for defining the protocols AM uses to connect to a secure LDAP server.
Added new REST STS configuration property, STS Instance is running as remote instance. For details, refer to REST STS configuration
Updated Authentication guide with links to WS-Federation implementation steps in Knowledge Base.
Clarified supported claims when requesting policy decisions.
Added a table to list the certificates used in SAML 2.0 flows with their corresponding secret mappings. For details, refer to Certificates and secrets.
Clarified the steps to remove an AM instance in the installation guide.
Added the default path for audit logs on Windows.
Added a note about adding urls to Valid WReply List to ensure successful WS-Federation sign-on flow.
Added Inner Tree Node capabilities and restrictions.
Corrected an error in the deployment diagram. Refer to Example deployment topology.
Updated module information to refer readers to Knowledge Base articles about certificate authentication.
Fixed a documentation error relating to OAuth 2.0 email service configuration values.
Documented authentication session state management scheme differences and concerns. For details, refer to Server-side sessions and Client-side sessions.
Updated instructions for setting CATALINA_OPTS on Windows.
Documented the setting to configure the rotatable amadmin secret cache expiry time. Refer to org.forgerock.openam.secrets.special.user.secret.refresh.seconds.
Documented the new Enabled setting for external data stores.

AM 7.3.x

AM 7.3.3

OPENAM-23746: Incorrect sub value in mayAct script for delegation
OPENAM-23714: Indicate that only one secret can be active for any secret label mapping
OPENAM-23638: Update DATA_STORE setting for silent install to dirServer
OPENAM-23620: Update documentation for error logging in Rest API
OPENAM-23616: Client secret not required for OAuth 2.0 client update request
OPENAM-23549: Error in documentation on scope validation
OPENAM-23362: Success redirect URL order of precedence is incorrect
OPENAM-21779: Fix errors in legacy OAuth 2 endpoint docs
OPENAM-21744: Remove statement about invalidating the client-side authentication session
OPENAM-21452: Update AES Keywrap note to apply only to SOAP STS
OPENAM-20974: Update path to incremental upgrade for amUpgrade tool
OPENAM-20859: Update SAML v2.0 reference section

AM 7.3.2

OPENAM-23188: Correct steps for accessing am-external in Node developer guide
OPENAM-23139: Fix links to Agent docs from AM
OPENAM-23065: Update Knowledge links to Salesforce location
OPENAM-22871: Wrong default value for STS instance is running as remote instance
OPENAM-22741: Add missing step in "Configure amr claims" procedure
OPENAM-22635: Procedure for enabling the AM reaper is incorrect
OPENAM-22515: Document Logout Webhook key WebhookEventType
OPENAM-22449: Add Combined MFA Registration node to 7.3.x documentation
OPENAM-22327: Remove mention of Internet Explorer from AM docs
OPENAM-22254: Update browser support table for WebAuthn
OPENAM-22207: List HiddenValueCallback as interactive not read-only
OPENAM-22099: Remove misleading information about unsupported custom callbacks
OPENAM-22078: Update OATH Device Storage node
OPENAM-22045: Correct default log level
OPENAM-21935: Document the maximum JWT token liftime accepted by AM
OPENAM-21851: Clarify use of Single SignOn Service setting for the IdP
OPENAM-21650: Update base DN for AM configuration data
OPENAM-21051: Update logger names with new format
OPENAM-20987: Document OAuth 2.0 provider setting Allow Client Credentials in Token Endpoint Query Parameters
OPENAM-20673: Clarify device reset with WebAuthn
OPENAM-19899: Remove all instances of /UI/login
OPENAM-19575: Correct algorithm statement for /oauth2/connect/jwk_uri
OPENAM-19533: Remove unnecessary images from install steps
OPENAM-18598: Clarify account linking in Social Provider Handler node documentation

AM 7.3.1

AME-25154: Update the CATALINA_OPTS in setenv.bat for Windows
OPENAM-21851: Clarify use of Single SignOn Service setting for the IdP
OPENAM-21699: Fix example for authenticating to specific services
OPENAM-21620: Node development: Improve and correct Node class documentation
OPENAM-21580: Improve documentation on updating OAuth 2.0 clients
OPENAM-21579: Java keystores require ASCII passwords
OPENAM-21573: Amster upgrade documentation description contains an error
OPENAM-21383: Instructions to download the UI source code are out of date
OPENAM-21344: Update profile data scripting examples with try-catch blocks
OPENAM-21254: Complete note in Invalidate all sessions for a user section
OPENAM-21081: Clarify version support in Amster release notes
OPENAM-21051: Update logger name and review debug logging page
OPENAM-21048: Error in Device Profile Collector node documentation
OPENAM-20925: Inaccurate documentation on CTS tuning
OPENAM-20911: Corewrapper object no longer accessible in authentication nodes
OPENAM-20909: Align multi-version release notes with content of previous versions
OPENAM-20906: Artifact changes in AM 7.3 aren’t documented in Release Notes
OPENAM-20903: Clarify audit filtering example
OPENAM-20870: Access token script API is incomplete
OPENAM-20835: Explain the SESSION_BLACKLIST token that exists for client-side authentication sessions
OPENAM-20666: Caution against duplicate OIDC ACR mappings
OPENAM-20591: Prevent ClassNotFoundException when removing click-* jars
OPENAM-20522: State that Sector Identifier URI is needed for Pairwise OAuth2Client profile
OPENAM-20311: Document AM property for LDAPS protocol
OPENAM-20038: Document which URLs for REST STS are made locally/remotely
OPENAM-19215: Missing documentation for WS Federation in Admin guide
OPENAM-19214: Authorization guide: Clarify supported claims in requesting policy decisions
OPENAM-19149: Clarify SAML certificates and secrets usage
OPENAM-18606: The documentation to remove an AM instance is misleading
OPENAM-18495: Provide details of each audit log event name in the AM documentation
OPENAM-18468: Maintenance guide: Update config store connection pool values
OPENAM-18099: Explanation of rawProfile information and mappings
OPENAM-18092: Provide better explanation on default Social Identity Provider configuration
OPENAM-18078: Review documentation on endpoints
OPENAM-17906: State default path for audit logs on windows
OPENAM-17580: Document configuration settings needed for AM 6.5.3+ for WS-Federation token issuer endpoints
OPENAM-17535: Authorization guide: Building the sample plugin is showing outdated info
OPENAM-16325: Inner Tree node capabilities and restrictions
OPENAM-16311: Rework transactional authorization over REST
OPENAM-16191: Deployment images lost accuracy between release 13.5 and 6
OPENAM-15083: Certificate Auth module needs detailed documentation

AM 7.3

Removed instructions on using deprecated chains and modules to set up push authentication. Use authentication trees instead, as described in Push authentication journeys.
Updated the format of these release notes to list cumulative changes, instead of reflecting only the changes for the current release.
Clarified that AM truncates sequences of whitespace with a single whitespace when creating SAML v2.0 values such as entity IDs.
Removed use of deprecated with method from Scripted decision node API callbacks.
Documented new Use mixed case for password change messages property for the LDAP Decision node.
Added missing HTTP connector settings to WildFly setup instructions.
Updated information about --acceptLicense parameter in the Set up administration tools steps.
Removed access token from header in call to /oauth2/connect/endSession.
Documented how to mark configuration properties as passwords in the Node development guide.
Improved documentation for dynamic client registration.
Improved description of the Transformation Script field for the Social Provider Handler node.
Documented how to use the amupgrade tool to upgrade configuration.
Improved navigation of the authentication nodes configuration reference.
Clarified that the ForgeRock Authenticator app supports JPEG and PNG image formats.
Clarified location of setenv script in the Evaluation guide.
Updated installation and deployment graphics to show less complex DS installations.
Described the role of the Latest Access Time Update Frequency property in session management.

Known issues

The following important issues remained open at the time of the latest release for each version.

Releases are cumulative, so if an issue in a previous version isn’t listed as fixed, it remains open in the latest version.

AM 8.0.x

AM 8.0.1

There are no new issues identified in AM 8.0.1.

AM 8.0

AME-31109

Amster 8.0 import fails with NoSuchMethodError

OPENAM-23851

The AM-8.0.0.zip (and AM-8.0.1.zip) Distribution Kits are missing several files required to build the sample base Docker image (am-empty). As a result, the steps to build your own AM Docker images will fail. + NOTE: This issue only affects self-managed Docker environments where you’re attempting to build your own AM image.

OPENAM-23770

WebAuthn node flow causes exception instead of Client Error outcome when passkey prompt cancelled

OPENAM-23763

Next button not enabled on Configuration Data Store Settings page of install wizard

OPENAM-23717

Access token requests fail when default tree uses Set Persistent Cookie node

OPENAM-23595

A redirect_uri using a URN results in a malformed redirect location

OPENAM-23582

WebAuthn’s pubKeyCredParams sequence isn’t honored and changes on AM restart

OPENAM-23322

Formatting errors in SAML metadata certificate export

OPENAM-23155

Agent group inheritance settings are lost during Amster export/import

OPENAM-17819

AM admin UI doesn’t show leading . for cookie domains

OPENAM-17818

Domain cookie with leading . is configured although no cookie domain is specified during install

AM 7.5.x

AM 7.5.2

OPENAM-23998

RhinoJS Date() doesn’t calculate DaylightSavingTime correctly in a next-generation script

OPENAM-23481

Token is allowed in raw JSON in introspect request

OPENAM-23227

OIDC ID Token Validator node doesn’t work with proxy settings

OPENAM-23035

AM should preserve setAttribute multivalue update order

OPENAM-22967

Config upgrader uses OS file encoding causing issues with special characters

OPENAM-22952

SMSEntry class should throw exception to avoid NullPointerException

OPENAM-22812

Create Object node logs failure at debug level instead of error/warning

OPENAM-22777

Deploying AM 7.5.0 on Wildfly 26.x with JDK 17 fails

OPENAM-22770

Configuring AES Key Wrap encryption for Tomcat doesn’t work

OPENAM-22700

OAuth 2.0 introspect: Multi-audience token only checks against first value

OPENAM-22670

DJLDAPv3Repo getDN may return broken cached DN

OPENAM-22663

WS-Federation SLO calls cleanup directive if issued

OPENAM-22530

OAUTH_REQUEST_ATTRIBUTES cookie is set for HTTP GET /authorize requests

OPENAM-22505

Scripted policy condition fails with "Exception from invocation expected to be handled by promise"

OPENAM-22386

Next-generation idRepository binding doesn’t return null if identity isn’t found

OPENAM-22031

LDAP Decision node no longer displays locked account message but redirects to failed login

OPENAM-19968

IdP-initiated SAML SLO doesn’t invalidate SP-side session using integrated mode

AM 7.5.1

OPENAM-23045

Performance degradation and WS-Federation issues with Java 17

OPENAM-23022

Transaction condition for policy evaluation fails with JWT subject

OPENAM-22927

WebAuthn Registration node should be able to use user.name as display attribute

OPENAM-22616

Upgrade from AM 6.5.5 to 7.5 using external CTS fails with error "Message:Service does not exist: GoogleSecretManagerSecretStoreProvider"

OPENAM-22457

Amster doesn’t delete all default scripts when using --clean true flag

OPENAM-22406

Product ZIP file contains files prefixed with openam

OPENAM-19453

CTS authentication sessions may cause tree to fail if AM server is not configured for sticky load balancing

OPENAM-14790

OAuth 2.0 scope policy set fails with LDAP filter environment condition

AM 7.5

OPENAM-22151

Expiration of cache held in StatelessJWTCache could cause Internal Server Error

OPENAM-22067

Stateless Session denylist caching and bloomfilter layers removed on config change

OPENAM-22031

LDAP Decision node change of behavior when user is locked from password change screen

OPENAM-21820

Set policy result TTL to 0 when using Environment Policy Active Session

OPENAM-21819

Default value for LinkedIn configuration uses out of data scopes

OPENAM-21683

AM lets you create anonymous user when it already exists

OPENAM-15948

Update DS profiles to add VLV indexes for CTS use

AM 7.4.x

AM 7.4.2

OPENAM-23273

Failure URL not handled using Safari Browser

OPENAM-23182

Failure URL not handled after Authentication Session times out using SAML2 Authentication node

OPENAM-22158

User creation attributes on LDAP Decision node don’t work

AM 7.4.1

OPENAM-22795

SAML2 encryption method can’t be changed using IDP remote SP host settings

OPENAM-22674

Unable to create encrypted PEM that works for Secrets ENCRYPTED_PEM

OPENAM-22656

Setting JWKs URI content cache timeout to a small value throws an error

OPENAM-22608

Non-extractable secrets in HSM fail to work on AM for SAML v2.0 XML signing

OPENAM-22479

LDAPv3 Userstore Connection doesn’t reconnect without Heartbeat enabled

OPENAM-22151

Expiration of cache held in StatelessJWTCache could cause Internal Server Error

OPENAM-22102

Adjusting evalThreadSize has no effect

OPENAM-22009

Providing an invalid alias to a secret store mapping breaks AM

OPENAM-21959

Unable to create next-generation script in XUI if default script language is Groovy

OPENAM-21893

Configurator not releasing resources on failure

OPENAM-21823

Page node with Scripted Decision node doesn’t persist withErrorMessage value

OPENAM-21741

SSOADM fails to install or run due to mtlsAlias field in boot.json

OPENAM-21636

AM is unable to run in FIPS compliance mode due to RAW keys

OPENAM-19810

No installed provider supports this key: sun.security.pkcs11.P11Key$P11PrivateKey' or cannot work with unextractable key when using HSM

OPENAM-16797

Allow Custom OATH/Push/WebAuthn device integrations to be managed by standard AM interface

OPENAM-12197

Custom methods postSingleSignOnSuccess and postSingleSignOnFailure aren’t called by SAML Authentication module or node

OPENAM-4201

XUI returning messages based on localized responses from REST authentication interface

AM 7.4

OPENAM-21569

Rapid policy evaluation using token of deleted user leads to HTTP 500 error

OPENAM-21497

Editing the mappings for an existing secret store throws an exception

OPENAM-21441

Policy evaluation with LDAPFilter condition uses config store user instead of identity store user

OPENAM-21379

Unable to read SMS config when request is too quick after changing configuration

OPENAM-21363

Unable to modify an external data store configuration when set as a global default data store but not referenced in a realm

OPENAM-21311

XUI performs logout of newly created session when resuming authentication with no further callbacks

OPENAM-21294

Remove openam-core from Soap STS server

OPENAM-21284

AM returns a 500 Internal Server Error response when providing an invalid client_id to the deleteUserPasswords agent action

OPENAM-21178

Social authentication "Secret" field not mandatory

OPENAM-20927

User info is still cached after removing privilege from group

OPENAM-15948

Update DS profiles to add VLV indexes for CTS use

AM 7.3.x

AM 7.3.3

OPENAM-23778

AM issues unindexed search when ttlsupport.enabled=true

OPENAM-23703

Custom and native claims in a refreshed, stateless access token don’t match the parent modified stateless access token

OPENAM-23607

AuthenticateToTreeConditionAdvice composite_advice not working as expected

AM 7.3.2

OPENAM-23345

Performance issues when accessing SAML entity provider via the admin console with 5k entities

OPENAM-23022

Transaction condition for policy evaluation fails with JWT subject

OPENAM-22988

Failover doesn’t occur when heartbeat interval is set to 0

OPENAM-22927

WebAuthnRegister should be able to use user.name as display attribute

OPENAM-22846

External app/policy store active/passive LB isn’t working

OPENAM-22674

Unable to create encrypted PEM that works for ENCRYPTED_PEM secret

OPENAM-22608

Non-extractable secrets in HSM fails to work on AM for SAML2 XML signing

OPENAM-22479

LDAPv3 Userstore connection doesn’t reconnect without Heartbeat enabled

OPENAM-22188

Heavy load leads to BLOCKED threads traced to the SecurityManager

OPENAM-22156

logoutByUser throws UnsupportedOperationException

OPENAM-22151

Expiration of cache held in StatelessJWTCache could cause Internal Server Error

OPENAM-21636

AM is unable to run in FIPS compliance mode due to RAW keys

OPENAM-21100

SAML2 IDP Single logout SLO using HTTP redirect needs Request stickiness and HA.

OPENAM-20927

User info is still cached after removing privilege from group

OPENAM-20754

SAML pages saml2-write.js and saml2-read.js can cause an error

OPENAM-20234

Setting LDAP Connection Heartbeat Interval to be zero breaks persistent search

OPENAM-20143

False alarms in debug logs when adding pointers in Field whitelist filters

OPENAM-19810

Error: "No installed provider supports this key: sun.security.pkcs11.P11Key$P11PrivateKey"

OPENAM-19453

Using CTS Authentication Session may fail authentication journey if AM is not LB sticky

OPENAM-18307

Global services don’t reflect changes made by ssoadm

OPENAM-18293

AuthContext.login doesn’t work with trees when performing service-based authentication

OPENAM-18111

Second login attempt using InnerTreeEvaluatorNode gets previous transient state

OPENAM-17679

User text not showing up for IDM Provisioning Service

OPENAM-17340

Lack of integration for logger with logback configuration

OPENAM-12197

postSingleSignOnSuccess and postSingleSignOnFailure not called when using SAML2 athentication module or node

OPENAM-4201

XUI returns messages based on localized responses from REST authentication interface

AM 7.3.1

OPENAM-21972

SAML Artifact Binding is failing in load-balanced deployments such as K18S

OPENAM-21820

Set policy result TTL to 0 when using Environment Policy Active Session

OPENAM-21802

Email Service value Transport type is overwritten in the static config export

OPENAM-21773

The Secondary Configurations tab is missing from the Global Email service

OPENAM-21772

No OAuth 2.0 clients displayed in the UI when AM has more than 1000 clients

OPENAM-21743

WebAuthn Node with AM XUI: Error is rendered along with Recovery code button

OPENAM-21734

WebAuthn Registration Node: UserNotVerifiedException not caught leading to Node failure

OPENAM-21683

AM lets you create anonymous user when it already exists

OPENAM-21682

OAuth 2.0: AM doesn’t redirect back to the client if consent is denied and no redirect_uri is present in the query parameters

OPENAM-21535

The logout at AM’s GUI only target the root realm instead of the respective sub realm

OPENAM-21466

AM using social OIDC authentication fails to verify idtoken if the remote JWK_URIs have duplicate kid

OPENAM-21441

Policy evaluation with LDAPFilter condition uses config store user instead of identity store user

OPENAM-21407

External data store config min connection pool can be set higher than the max connection pool and the config can still be persisted

OPENAM-21406

Realm services are no longer accessible after deleting the “External Data Stores” service

OPENAM-21379

Unable to read SMS config when request is too quick after changing configuration

OPENAM-21363

Unable to modify an external data store config when it is set as a global default datastore but not referenced in any realm

OPENAM-21354

OAuth2 provider: Insufficient debug logging for SAML bearer authorization grant

OPENAM-21352

Amster read AuthTree doesn’t return nodes within a page node

OPENAM-21327

Unable to specify property name with a '-' when configuring policy environment conditions

OPENAM-21322

AM Console allows Entity Provider to be created with space at end of the name

OPENAM-21319

Policy and Application Store Cache is not updated in multiple server deployment when changes are made

OPENAM-21309

DefaultDataStoreConfigurationManager shouldn’t establish DS connection in FBC mode

OPENAM-21305

Dynamic Client Registration does not permit setting Client ID Token Public Encryption key

OPENAM-21294

Remove openam-core from Soap-STS server

OPENAM-21278

Amster doesn’t use console or accept piped input in interactive mode

OPENAM-21273

TOTP Registration information no longer contains Issuer in the otpauth’s PATH

OPENAM-21270

OAuth2 resource owner password credential grant (ROPC) token response does not tell reason for failure

OPENAM-21204

Scripted node - idRepository.setAttribute does not execute catch block when setting userPassword attribute fails

OPENAM-21193

AM-Config-upgrader amupgrade cannot work on Windows

OPENAM-21191

In AM 7.3, web agent sessions have a lifetime of 42 years

OPENAM-21187

AM agent UI fails when an agent configuration present in FBC and external store is used

OPENAM-21180

Amster should set file encoding to UTF-8 internally

OPENAM-21151

Amster command cannot operate on HostedSaml2EntityProvider

OPENAM-21137

Performing Amster import with --clean in FBC with external Data Store service fails with error

OPENAM-21127

Config Upgrader Exception CreateSecretStores at 6.5.x-to-7.x.x on Windows 2019

OPENAM-21125

Installing AM using Tomcat under local system account fails with Amster RSA file issue

OPENAM-21114

Trusted JWT Issuer does not provider correct error and lack information on defined behaviour

OPENAM-21085

Undefined bindings in Groovy scripts are evaluated as defined

OPENAM-21076

KerberosNode and Window SSO module uses System.setProperty to set kerberos realm

OPENAM-21055

Unable to get AMIdentityRepository in custom code in 7.3

OPENAM-21053

UserId is missing from access.audit.json for JWT client authentication flow using org.forgerock.security.oauth2.enforce.sub.claim.uniqueness=false

OPENAM-21046

Insufficient logging in Create and Patch Object nodes

OPENAM-21003

IE11 not working during SAML tree authentication due to use of Arrow function

OPENAM-20976

Consent Collector node "Next" button text localization not working

OPENAM-20975

OATH Registration node "Next" button text localization not working

OPENAM-20937

Migration from OATH module to Auth Tree using OATH Token Verifier causes OathVerificationException: null

OPENAM-20920

NPE in SPSSOFederate#getSingleSignOnServiceEndpoint when binding is null and SSO endpoint list contains non-SAML2 entries

OPENAM-20899

ConfigurationAttributes class is exposed but there is no class file or Javadoc available for it

OPENAM-20896

Supported AMIdentity API getMembership and others changed

OPENAM-20809

IE11 doesn’t work with AM 7.2.1-RC1 and AM 7.3.0

OPENAM-20766

Insufficient debug logging to troubleshoot WS-Federation issuing party issue

OPENAM-19998

Performing an Amster export on AM running in FBC mode generates new configuration which breaks the FBC upgrader ////

OPENAM-20751

Authentication errors with AM on Windows and Connect Error in Session log

OPENAM-20703

Tree secure state retained unnecessarily Long

OPENAM-20647

JavaScript throws wrong exception when trying to access a non-allowlisted class’s static method

OPENAM-20572

Enduser password reset email field is not validated

OPENAM-20557

OATH. Recovery codes are not displayed if Registration Node is followed by OATH Token Verifier Node

OPENAM-20556

OATH Recovery codes aren’t display when “Store device data in shared state” is selected in OATH Registration Node

OPENAM-20543

Display page node header, description and footer in correct default language

OPENAM-20520

httpClient sent request is not returning the correct response object

OPENAM-20517

Device Match Node - Acceptable Variance Configuration

OPENAM-20516

Create Tree command fails when using POST with _action=create

OPENAM-20515

Delete fails for Authentication Node, when its _id is not an UUID

OPENAM-20513

Random login failure when using registration tree

OPENAM-20496

Null refresh_token for OAuth 2.0 token exchange delegation case

OPENAM-20329

Forgerock JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) not spec compliant

OPENAM-20324

Default install of AM does not have the updated identity classes in the policy script whitelist ////

OPENAM-20234

Setting the LDAP Connection Heartbeat Interval to zero breaks persistent search

OPENAM-20314

Social Provider Handler Node / Social Identity Provider Service - the search for existing link is hard coded to Sub claim (regression)

OPENAM-18111

Next attempt in InnerTreeEvaluatorNode will get previous transient state

OPENAM-17679

User text not showing up for IDM Provisioning Service

OPENAM-17340

AM 7 lack of integration for logger from config for logback

OPENAM-15948

Update DS profiles to add VLV indexes for CTS use

OPENAM-15410

Enable modifying Access Token audience claim in OIDC

AM 7.3

OPENAM-20751

Authentication errors with AM on Windows and connection errors in session log

OPENAM-20703

Tree secure state retained unnecessarily long

OPENAM-20647

Incorrect exception thrown when trying to access the static method of a non-allowlisted class

OPENAM-20572

End user password reset email field is not validated

OPENAM-20557

OATH recovery codes are not displayed if Registration node is followed by OATH Token Verifier node

OPENAM-20556

OATH recovery codes are not displayed if Store device data in shared state is selected in OATH Registration node

OPENAM-20543

Display page node header, description, and footer, in correct default language

OPENAM-20520

HttpClient sent request is not returning the correct response object

OPENAM-20517

Acceptable variance configuration not working for Device Match node

OPENAM-20516

Create tree command fails when using POST with _action=create

OPENAM-20515

Delete fails for Authentication node, when its _id is not a UUID

OPENAM-20513

Random login failure when using registration tree

OPENAM-20496

Null refresh_token for OAuth 2.0 token exchange delegation case

OPENAM-20324

Default install of AM does not have the updated identity classes in the policy script whitelist

OPENAM-20299

com.iplanet.am.session.agentSessionIdleTime is not honored using Agent authentication tree

OPENAM-20188

Using session cookie created before AM is restarted

OPENAM-20077

Access token modification script does not have access to client for client_credential grant flow if realm configured to ignore profile

OPENAM-19988

Using an id_token generated by AM in a policy condition does not work

OPENAM-19878

ArrayIndexOutOfBoundsException in SAML2

OPENAM-19829

Build fails on module openam-encryption-support when using JDK 18

Limitations

The following limitations are inherent to the design, not bugs to be fixed.

Redundant files

The installation and upgrade wizards use three libraries that you should remove for security reasons.

When your installation or upgrade is complete, remove the following .jar files from the WEB-INF/lib directory:

click-extras-2.3.0.jar
click-nodeps-2.3.0.jar
velocity-1.7.jar

These files are used only by the wizards. Removing them will have no effect on your installed instance.

Evaluation installations

Sometimes, installing AM for evaluation purposes will fail with a message similar to the following if the JDK’s default truststore’s permissions are 444:

$JAVA_HOME/lib/security/cacerts (Permission denied), refer to install.log under /path/to/install.log for more information.

To work around this issue, locate the truststore that your container is using and change its permissions to 644 before installing AM:

$ sudo chmod 644 $JAVA_HOME/lib/security/cacerts

You can change the permissions to their original settings after you have installed AM.

Identity and data store scaling

The connection strings to the data or identity stores are static and not hot-swappable. This means that, if you expand or contract your DS affinity deployment, AM will not detect the change. To work around this, either:

Manually add or remove the instances from the connection string and restart AM or the container where it runs.
Configure a DS proxy in front of the DS instances to distribute data across many DS shards, and configure the proxy address in the connection string.

Web Authentication (WebAuthn)

AM doesn’t support the following functionality, as described in the Web Authentication specification:

Registration

AM doesn’t support Token Binding.
Web Authentication extensions aren’t supported.
Credential ID values aren’t verified against the credential IDs registered with all existing users.
The ECDAA signature of the Packed attestation format isn’t supported.

Authentication

Token Binding isn’t supported.
Web Authentication extensions aren’t supported.
Signature counters aren’t supported.

Refer to MFA: Web Authentication (WebAuthn) for more information.

AM admin UI access requires the `Realm Admin` privilege

In this version of AM, administrators can use the AM admin UI as follows:

Delegated administrators with the Realm Admin privilege can access full AM admin UI functionality within the realms they administer. In addition, delegated administrators in the Top Level Realm who have this privilege can access AM’s global configuration.
Administrators with fewer privileges, such as the Policy Admin privilege, can’t access the AM admin UI.
The top-level administrator, such as amAdmin, has access to full AM admin UI functionality in all realms and can access AM’s global configuration.

Specifying keys in JWT headers

AM ignores keys specified in JWT headers, such as jku and jwe. Configure the public keys or certificates in AM instead, as explained in the relevant sections of the documentation.

Different AM versions within a site

Different AM versions within a site aren’t supported. Don’t run different versions of AM together in the same AM site.

Special characters in policy, application, or referral names

Don’t use special characters in policy, application or referral names (for example, "my+referral"). AM returns a 400 Bad Request error. The special characters are:

double quotes (")
plus sign (+)
comma (,)
less than (<)
equals (=)
greater than (>)
backslash (\)
null (\u0000)

XACML policy import and export from different vendors

AM can only import XACML 3.0 files that were created by an AM instance, or that have had minor manual modifications, due to the reuse of some XACML 3.0 parameters for non-standard information.

UMA

UMA is not currently supported in the Platform End User UI.

Amster

Amster has the following known limitations:

No support for load balanced deployments

Amster can’t connect to a load balancer URL. You must connect Amster directly to a single AM instance. Using a load balancer could send sequential commands to different AM instances, and could result in concurrency issues when writing to the underlying configuration store.
Bulk import to external application stores with affinity

If affinity is enabled for an external application data store, bulk import intermittently fails with errors similar to the following:

Resource path 'http////////eea87a38e3ca476fa93a3669375ada3a' contains empty path elements

Before using Amster for a bulk import to an application store, disable data store affinity, or remove the load balancer from the application store deployment. You can re-enable affinity when the import has completed.

Importing resources containing slash characters can fail

Some PingAM resources have names that can contain slash characters (/), for example policy names, application names, and SAML v2.0 entities. These slash characters can cause unexpected behavior and failures in Amster when importing into PingAM instances running on Apache Tomcat.

To workaround this issue, configure Apache Tomcat 8.5 or 9 to allow encoded slash characters by updating the CATALINA_OPTS environment variable. For example:

On Unix/Linux systems:

$ export CATALINA_OPTS= \
  "-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true"
$ startup.sh

On Windows systems:

C:\> set CATALINA_OPTS= ^
  "-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true"
C:\> startup.bat

It’s strongly recommended that you do not enable org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH when running AM in production as it introduces a security risk on Apache Tomcat. Additionally, this setting isn’t supported on Apache Tomcat 10.

Learn more in How do I safely enable the org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH setting in PingAM? in the Knowledge Base.

[INFO] messages showing on SuSE on Amster start up

Running Amster on SuSE may produce [INFO] messages, for example:

# ./amster
[INFO] Unable to bind key for unsupported operation: up-history
[INFO] Unable to bind key for unsupported operation: down-history
[INFO] Unable to bind key for unsupported operation: up-history
[INFO] Unable to bind key for unsupported operation: down-history
OpenAM Shell (version build build, JVM: version)
Type ':help' or ':h' for help.
-----------------------------------------------------
am>

These messages are caused by the keyboard mappings configured in the /etc/inputrc file and can safely be ignored, as they don’t affect functionality.

Interface stability

Interfaces labeled as Evolving in the documentation may change without warning. In addition, the following rules apply:

All Java APIs are Evolving, except com.* packages, which are Internal/Undocumented.
Interfaces that aren’t described in released product documentation should be considered Internal/Undocumented.
Also refer to the Deprecated and Removed features.

Product release levels

Ping Identity defines Major, Minor, Maintenance, and Patch product release levels. The version number reflects the release level. The release level tells you what sort of compatibility changes to expect.

Release level definitions
Release Label	Version Numbers	Characteristics
Major	Version: x[.0.0] (trailing 0s are optional)	Bring major new features, minor features, and bug fixes. Can include changes even to Stable interfaces. Can remove previously Deprecated functionality, and in rare cases remove Evolving functionality that has not been explicitly Deprecated. Include changes present in previous Minor and Maintenance releases.
Minor	Version: x.y[.0] (trailing 0s are optional)	Bring minor features, and bug fixes. Can include backwards-compatible changes to Stable interfaces in the same Major release, and incompatible changes to Evolving interfaces. Can remove previously Deprecated functionality. Include changes present in previous Minor and Maintenance releases.
Maintenance, Patch	Version: x.y.z[.p] The optional p reflects a Patch version.	Bring bug fixes Are intended to be fully compatible with previous versions from the same Minor release.

Product stability labels

Ping Advanced Identity Software software supports many features, protocols, APIs, GUIs, and command-line interfaces. Some of these are standard and very stable. Others offer new functionality that is continuing to evolve.

Ping Identity acknowledges you invest in these features and interfaces and so need to understand when they are expected to change. For that reason, we define stability labels and use these definitions in Ping Advanced Identity Software products.

Stability label definitions
Stability Label	Definition
Stable	This documented feature or interface is expected to undergo backwards-compatible changes only for major releases. Changes may be announced at least one minor release before they take effect.
Evolving	This documented feature or interface is continuing to evolve and so is expected to change, potentially in backwards-incompatible ways even in a minor release. Changes are documented at the time of product release. While new protocols and APIs are still in the process of standardization, they are Evolving. This applies, for example, to recent Internet-Draft implementations and to newly developed functionality.
Legacy	This feature or interface has been replaced with an improved version, and is no longer receiving development effort from Ping Identity. You should migrate to the newer version, however the existing functionality will remain. Legacy features or interfaces will be marked as Deprecated if they are scheduled to be removed from the product.
Deprecated	This feature or interface is deprecated, and likely to be removed in a future release. For previously stable features or interfaces, the change was likely announced in a previous release. Deprecated features or interfaces will be removed from Ping Identity products.
Removed	This feature or interface was deprecated in a previous release, and has now been removed from the product.
Technology Preview	Technology previews provide access to new features that are considered as new technology that is not yet supported. Technology preview features may be functionally incomplete, and the function as implemented is subject to change without notice. DO NOT DEPLOY A TECHNOLOGY PREVIEW INTO A PRODUCTION ENVIRONMENT. Customers are encouraged to test drive the technology preview features in a non-production environment, and are welcome to make comments and suggestions about the features in the associated forums. Ping Identity does not guarantee that a technology preview feature will be present in future releases, the final complete version of the feature is liable to change between preview and the final version. Once a technology preview moves into the completed version, said feature will become part of Ping Advanced Identity Software. Technology previews are provided on an “AS-IS” basis for evaluation purposes only, and Ping Identity accepts no liability or obligations for the use thereof.
Internal/Undocumented	Internal and undocumented features or interfaces can change without notice. If you depend on one of these features or interfaces, contact support to discuss your needs.

Getting support

Ping Identity provides support services, professional services, training, and partner services to assist you in setting up and maintaining your deployments. Find a general overview of these services at https://www.pingidentity.com.

Ping Identity has staff members around the globe who support our international customers and partners. For details on Ping Identity’s support offering, visit https://www.pingidentity.com/support.

Ping Identity publishes comprehensive documentation online:

The Ping Identity Knowledge Base offers a large and increasing number of up-to-date, practical articles that help you deploy and manage Ping Advanced Identity Software software.

While many articles are visible to everyone, Ping Identity customers have access to much more, including advanced information for customers using Ping Advanced Identity Software software in a mission-critical capacity.
Ping Identity product documentation, such as this document, aims to be technically accurate and complete with respect to the software documented. It is visible to everyone and covers all product features and examples of how to use them.

Security advisories

Ping Identity issues security advisories in collaboration with our customers to address any security vulnerabilities transparently and rapidly.

Ping Identity’s security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.

You can find security advisories in the Knowledge Base.

Release timeline

Release date	AM version	Release type⁽¹⁾
2025-01-10	7.5.2	Maintenance
2025-06-17	7.3.3	Maintenance
2025-04-17	7.4.2	Maintenance
2025-04-17	8.0.1	Maintenance
2025-04-07	8.0	Major
2024-12-18	7.3.2	Maintenance
2024-12-12	7.5.1	Maintenance
2024-08-28	7.4.1	Maintenance
2024-06-26	7.2.2	Maintenance
2024-04-02	7.5	Minor
2024-02-26	7.3.1	Maintenance
2023-10-02	7.4	Minor
2023-07-11	7.1.4	Maintenance
2023-04-04	7.3	Minor
2023-04-04	7.2.1	Maintenance
2022-10-13	7.1.3	Maintenance
2022-08-02	6.5.5	Maintenance
2022-06-27	7.2	Minor
2022-03-15	7.1.2	Maintenance
2021-12-06	7.1.1	Maintenance
2021-10-18	6.5.4	Maintenance
2021-05-27	7.0.2	Maintenance
2021-05-19	7.1	Minor
2020-11-03	7.0.1	Maintenance
2020-09-16	6.5.3	Maintenance
2020-08-10	7.0	Major
2020-04-30	5.5.2	Maintenance
2020-04-03	5.5.3	Maintenance
2020-02-17	6.5.2.3	Patch
2019-10-31	6.5.2.2	Patch
2019-08-27	6.5.2.1	Patch
2019-06-20	6.5.2	Maintenance
2019-06-04	6.0.0.7	Patch
2019-04-30	6.5.0.2	Maintenance
2019-04-11	6.5.1	Maintenance
2019-01-15	6.5.0.1	Maintenance
2018-12-06	6.0.0.6	Patch
2018-11-28	6.5	Minor
2018-10-24	6.0.0.5	Patch
2018-08-24	6.0.0.4	Patch
2018-07-30	6.0.0.3	Patch
2018-06-18	6.0.0.2	Patch
2018-05-25	6.0.0.1	Patch
2018-05-09	6.0	Major
2017-10-27	5.5.1	Maintenance
2017-10-23	5.5	Minor

⁽¹⁾ For details about the scope of expected changes for different release types, see Interface stability.