---
title: New in AM 7.1.x
description: AM 7.1.4 is the latest maintenance release targeted for AM 7.1 deployments and can be downloaded from the Ping Identity Download Center.
component: pingam
version: release-notes
page_id: pingam::whats-new-7.1
canonical_url: https://docs.pingidentity.com/pingam/release-notes/whats-new-7.1.html
section_ids:
  am_7_1_4: AM 7.1.4
  am_7_1_3: AM 7.1.3
  new_jwks_uri_for_remote_consent_agents: New JWKs URI for remote consent agents
  keep_alive_and_load_balancer_availability_checks: Keep-alive and load balancer availability checks
  am_7_1_2: AM 7.1.2
  org_forgerock_openam_encryption_padshortinputs_system_property_for_aes_key_wrap_encryption: org.forgerock.openam.encryption.padshortinputs system property for AES Key Wrap encryption
  org_forgerock_openam_authentication_forceauth_enabled_advanced_server_property_for_authentication_chains: org.forgerock.openam.authentication.forceAuth.enabled advanced server property for authentication chains
  am_7_1_1: AM 7.1.1
  am_7_1: AM 7.1
  oauth_2_0_and_openid_connect_token_exchange_support: OAuth 2.0 and OpenID Connect Token Exchange Support
  social_identity_provider_client_improvements: Social identity provider client improvements
  openid_connect_backchannel_logout: OpenID Connect backchannel logout
  push_authentication_nodes: Push authentication nodes
  account_active_check_authentication_module: Account Active Check authentication module
  properties_available_to_claims_and_access_token_scripts: Properties available to claims and access token scripts
  live_and_ready_status_endpoints: live and ready status endpoints
  access_to_secrets_and_credentials_in_authentication_scripts: Access to secrets and credentials in authentication scripts
  support_for_pem_formatted_keys_and_certificates: Support for PEM-formatted keys and certificates
  session_service_uses_secret_stores: Session service uses secret stores
  loading_secrets_from_google_secret_manager: Loading secrets from Google Secret Manager
  new_oath_nodes: New OATH nodes
---

# New in AM 7.1.x

## AM 7.1.4

AM 7.1.4 is the latest maintenance release targeted for AM 7.1 deployments and can be downloaded from the [Ping Identity Download Center](https://backstage.pingidentity.com/downloads/browse/am/all/productId:ds/minorVersion:7.1/version:7.1.4/releaseType:full).

The release can be deployed as an initial deployment or updated from an existing AM 7.1.x deployment.

No new features have been added in AM 7.1.4.

## AM 7.1.3

AM 7.1.3 is a maintenance release that introduces functional enhancements and fixes.

The release can be deployed as an initial deployment or updated from an existing AM 7.1.x deployment.

### New JWKs URI for remote consent agents

To make it easier to publish keys used for remote consent, AM 7.1.3 provides a new JWKs URI, specifically for remote consent agents. This URI indicates where a remote consent service can obtain the keys that AM uses to sign and encrypt the consent request. These keys include:

* The public signing key, used to sign the consent request that is sent to the remote consent server, so that it can be validated on the remote consent server.

* The public encryption key for the consent response, so that the response can be encrypted (if encryption is enabled).

The default JWKs URI for remote consent clients is `/oauth2/consent_agents/jwk_uri`.

For example, `https://openam.example.com:8443/openam/oauth2/realms/root/realms/alpha/consent_agents/jwk_uri`.

### Keep-alive and load balancer availability checks

DS has introduced a new LDAP health check feature that changes how AM determines server availability. Keep-alive checks are now sent on every LDAP connection to prevent idle timeouts, and separate availability checks are performed for load-balanced connections.

Two new advanced server properties determine the settings for the keep-alive and availability checks:

* `org.forgerock.openam.ldap.keepalive.search.base`

* `org.forgerock.openam.ldap.keepalive.search.filter`

For details, refer to *Advanced properties*.

## AM 7.1.2

### `org.forgerock.openam.encryption.padshortinputs` system property for AES Key Wrap encryption

A new Java system property (`org.forgerock.openam.encryption.padshortinputs`) pads short inputs for compatibility with Java 17, in preparation for upgrade.

For details, refer to *Preparing AES Key Wrap Encryption*.

### `org.forgerock.openam.authentication.forceAuth.enabled` advanced server property for authentication chains

A new advanced server property (`org.forgerock.openam.authentication.forceAuth.enabled`) controls the ForceAuth authentication property for chains.

## AM 7.1.1

There are no new features in AM 7.1.1, only bug fixes.

## AM 7.1

AM 7.1.0 is a minor release that introduces new features, functional enhancements, and fixes.

### OAuth 2.0 and OpenID Connect Token Exchange Support

Following the [OAuth 2.0 Token Exchange](https://datatracker.ietf.org/doc/html/rfc8693) specification, AM 7.1 now lets you exchange ID tokens and access tokens in delegation and impersonation use cases.

For details, refer to *OAuth 2.0 Token Exchange*.

### Social identity provider client improvements

AM 7.1 enhances the OAuth 2.0/OpenID Connect client support offered in the Social Identity Provider Service. To connect to financial-grade identity providers, AM and Ping Advanced Identity Software can now:

* Use `acr` values to specify a set of rules that the authorization request must satisfy when authenticating to the provider; for example, using multi-factor authentication.

  > A new property, *ACR Values*, has been added to the OpenID Connect secondary configuration of the Social Identity Provider Service.

* Accept encrypted ID tokens.

  > AM includes a new JWK URI, which the provider can use to obtain keys for verifying request object signatures, and for encrypting ID tokens.
  >
  > Two new properties have been added to the OpenID Connect secondary configuration of the Social Identity Provider Service:
  >
  > * *OP Encrypts ID Tokens*
  >
  > * *Issuer*

* Send request parameters in a JWT, or as a reference to a JWT.

  > The JWT is always signed, and optionally encrypted.
  >
  > As part of this change, the following fields have been added to the OpenID Connect secondary configuration of the Social Identity Provider Service:
  >
  > * *Request Parameter JWT Option*
  >
  > * *Request Object Audience*
  >
  > * *Encrypt Request Parameter JWT*
  >
  > * *JWT Signing Algorithm*
  >
  > * *JWT Encryption Algorithm*
  >
  > * *JWT Encryption Method*

* Authenticate using a JWT or mutual TLS (mTLS).

  > The JWT is always signed, and optionally encrypted.
  >
  > As part of this change, the *Use Basic Auth* switch in the client has been replaced with the *Client Authentication Method* drop-down list, which contains the following options:
  >
  > * `CLIENT_SECRET_POST`
  >
  > * `CLIENT_SECRET_BASIC`
  >
  > * `PRIVATE_KEY_JWT`
  >
  > * `ENCRYPTED_PRIVATE_KEY_JWT`
  >
  > * `TLS_CLIENT_AUTH`
  >
  > * `SELF_SIGNED_TLS_CLIENT_AUTH`
  >
  > AM 7.1 also includes a new advanced server property, `openam.private.key.jwt.encryption.algorithm.whitelist`, that specifies the algorithms the client can use to encrypt authentication JWTs and request object JWTs.

* Let social providers return ID tokens by submitting an HTML form using the HTTP POST method, as defined in the [OAuth 2.0 Form Post Response Mode](https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html) specification.

  > The *Response Mode* drop-down list has been added to the OpenID Connect secondary configuration of the Social Identity Provider Service.
  >
  > The *Redirect after form post URL* property has been added to support the form post response mode in custom login pages.

AM 7.1 also provides preconfigured clients for Apple and itsme. For details, refer to *Social Authentication* and the `/oauth2/connect/rp/jwk_uri` endpoint.

### OpenID Connect backchannel logout

As the OpenID provider, AM 7.1 supports the [OpenID Connect Back-Channel Logout 1.0 Draft 06](https://openid.net/specs/openid-connect-backchannel-1_0.html). This draft lets AM send *logout tokens* to relevant relying parties when a session associated with an ID token becomes invalid.

As part of this change, the *Store OPS Tokens* switch, used to enable session management at the provider, has been renamed to *OIDC Session Management*.

When *OIDC Session Management* is enabled, ID tokens contain a new claim, `sid`. This claim specifies a session ID that identifies the relying party's session with the provider. The `sid` can also be found in the logout tokens, if enabled.

For details, refer to *Informing Relying Parties that a Session has Expired*.
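As an added example (not code from the AM documentation), the relying-party side of this flow: the claim checks a relying party applies to an incoming logout token before ending the local sessions keyed by `sid`. It assumes the JWS signature has already been verified against the provider's JWKS, and the issuer, client ID, session store and sample token are constructed for illustration.

```python
import base64
import json
import time

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(part: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_sample_token(claims: dict) -> str:
    # Constructed sample only: header, claims and a dummy signature segment,
    # standing in for a token whose JWS signature was verified upstream.
    header = _b64url(json.dumps({"alg": "RS256"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"

def validate_logout_token(token: str, issuer: str, client_id: str, now=None) -> dict:
    """Return the claims if they satisfy the logout-token rules, else raise ValueError."""
    # Assumes the JWS signature was already verified against the provider's JWKS.
    now = time.time() if now is None else now
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    for required in ("iss", "aud", "iat", "jti", "events"):
        if required not in claims:
            raise ValueError(f"missing claim: {required}")
    if claims["iss"] != issuer:
        raise ValueError("unexpected issuer")
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if client_id not in aud:
        raise ValueError("token not addressed to this client")
    if claims["iat"] > now + 60:  # allow a little clock skew
        raise ValueError("token issued in the future")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("logout token must carry sub or sid")
    if "nonce" in claims:
        raise ValueError("nonce is prohibited in a logout token")
    events = claims["events"]
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_EVENT), dict):
        raise ValueError("events claim lacks the backchannel-logout member")
    return claims

def terminate_sessions(sessions: dict, claims: dict) -> list:
    """Drop every local session bound to the token's sid (or sub when no sid is present)."""
    key = "sid" if "sid" in claims else "sub"
    ended = sorted(s for s, info in sessions.items() if info.get(key) == claims[key])
    for s in ended:
        del sessions[s]
    return ended
```

A token that passes every check ends only the sessions whose stored `sid` matches; a token carrying a `nonce`, or lacking the backchannel-logout event, is rejected before any session is touched.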

### Push authentication nodes

AM 7.1 adds a number of authentication nodes to assist with push authentication:

* [Opt-out Multi-Factor Authentication node](https://docs.pingidentity.com/auth-node-ref/8.1/opt-out-multi-factor.html)

* [Push Registration node](https://docs.pingidentity.com/auth-node-ref/8.1/push-registration.html)

* [MFA Registration Options node](https://docs.pingidentity.com/auth-node-ref/8.1/mfa-registration-options.html)

* [Get Authenticator App node](https://docs.pingidentity.com/auth-node-ref/8.1/get-authenticator-app.html)

### Account Active Check authentication module

AM 7.1 includes an Account Active Check authentication module that lets you determine whether an account is marked as active, or locked, without having to run through the rest of the authentication chain.

For details, refer to *Account Active Check Module*.

### Properties available to claims and access token scripts

AM 7.1 adds new properties to the *OpenID Connect Claims* and *OAuth 2.0 Access Token Modification* script types, to access the properties of the relevant client and the incoming request.

For details, refer to *Scripting OpenID Connect 1.0 Claims* and *Modifying the Content of Access Tokens*.

### `live` and `ready` status endpoints

AM 7.1 includes new endpoints to check whether an instance is alive and ready to process requests.

For details, refer to *Monitoring Instances*.

### Access to secrets and credentials in authentication scripts

AM 7.1 adds the ability for scripted decision nodes to access the secrets configured in AM secret stores.

For example, a script can access credentials or secrets defined in a file system secret volume in order to make outbound calls to a third-party REST service, without hard-coding those credentials in the script.

For details, refer to *Accessing Credentials and Secrets*.

### Support for PEM-formatted keys and certificates

AM 7.1 adds support for loading the following PEM-formatted secrets:

* Elliptic Curve and RSA private keys

  * OpenSSL format

  * PKCS#8 format

* X.509 certificates

* RSA public keys

* (non-standard) AES secret keys

* (non-standard) HMAC secret keys

* (non-standard) Generic secrets, such as connection passwords or API keys

Use PEM secrets on the secret stores that support it:

* *Environment and system property secrets store*

* *File system secret volumes*

* *Google GSM secret stores*

For more information, refer to *Importing PEM-Formatted Keys*.

### Session service uses secret stores

Client-based sessions and client-based authentication sessions now use secret stores for:

* Signing JWTs with RSA and elliptic curve algorithms.

* Encrypting JWTs with RSA algorithms.

The upgrade process migrates the relevant configuration to secret stores automatically. HMAC signing secrets and symmetric AES keys for encryption have not been migrated yet, and are still available in the Session service configuration page.

For more information, refer to *Configuring Client-Based Session Security*.

### Loading secrets from Google Secret Manager

AM 7.1 lets you load secrets from Google Secret Manager (GSM).

For details, refer to *Google GSM Secret Stores*.

### New OATH nodes

AM 7.1 adds two new multi-factor authentication nodes that replicate the existing OATH module functionality:

* [OATH Registration node](https://docs.pingidentity.com/auth-node-ref/8.1/oath-registration.html)

* [OATH Token Verifier node](https://docs.pingidentity.com/auth-node-ref/8.1/oath-token-verifier.html)
