What’s new

This release adds the ability to push traces to an OpenTelemetry service.

Learn more in the following documentation:

With the new FileSystemSecretStore versionSuffix setting you can have multiple versions of a secret with the same ID.

For details, refer to FileSystemSecretStore.

Use the new HeaderFilter replace setting to replace headers instead of removing then adding them.

For details, refer to HeaderFilter.

The new runtimeExceptionCondition setting lets you restrict which runtime exceptions lead to retries.

Learn more in ClientHandler and ReverseProxyHandler.

The new securityProvider setting lets you choose the Java security provider to use when loading a keystore.

Learn more in KeyStoreSecretStore.

The new delayRouteMetrics setting lets you defer creation of route metrics until a request passes through the route. This can improve startup times for deployments with many routes.

Learn more in Router.

PingGateway now lets you configure a separate endpoint for administrative connections. PingGateway is expected to require a separate administrative endpoint in a future release.

For details, refer to AdminHttpApplication (admin.json).

The documentation now includes an example showing how to protect a web application with help from PingOne Authorize.

Learn more in PingOne Authorize integration.

Product names changed when ForgeRock became part of Ping Identity. PingGateway was formerly known as ForgeRock Identity Gateway, for example. Learn more about the name changes from New names for ForgeRock products in the Knowledge Base.

You can now use PingOne Protect risk evaluations to help protect web applications. Configure PingGateway routes to react dynamically to risk scores from PingOne Protect.

Learn more from PingOne Protect integration.

To facilitate consumption of Prometheus metrics, the format of some metrics has been updated and the new format is available on the new endpoint …​/openig/metrics/prometheus/0.0.4.

The old format and endpoint are deprecated, but for backward compatibility, they remain enabled and available by default.

The new property serveDeprecatedPrometheusEndpoint in AdminHttpApplication is available to deliver Prometheus metrics in the deprecated format. It is enabled by default.

Learn more from Metrics at the Prometheus Scrape Endpoint.

Startup and Websocket metrics are now available at the Prometheus Scrape Endpoint. Learn more from Startup metrics at the Prometheus Scrape Endpoint and WebSocket metrics at the Prometheus Scrape Endpoint.

The PingOneApiAccessManagementFilter is now supported for general use.

PingGateway now supports OpenID Connect ID token validation according to the OpenID Connect specifications.

For this release, signature validation is optional. The next major release is expected to make ID token signature validation required.

The following new properties enable validation of the ID token signatures and the iss, aud, exp, iat, and nonce claims:

Learn more from ClientRegistration configurations and Issuer configurations in Incompatible changes.

The following new objects are available for local processing on behalf of PingOne Advanced Identity Cloud as part of an PingOne Advanced Identity Cloud journey:

These objects exist alongside the Technical Preview objects IdentityAssertionHandlerTechPreview, ScriptableIdentityAssertionPluginTechPreview, and IdentityAssertionPluginTechPreview introduced in the last release.

Monitoring metrics are now available at the Prometheus Scrape Endpoint and Common REST Monitoring Endpoint for the caches described in Caches.

Learn more from Cache metrics at the Prometheus Scrape Endpoint.

IG now uses secrets instead of deprecated passwords. Learn about how IG manages migration in Upgrade from an earlier version of Studio.

IG Studio no longer uses the deprecated Splunk or ElasticSearch audit event handlers. Learn about how IG manages migration in Upgrade from an earlier version of Studio.

With PingOne Advanced Identity Cloud and from AM 7.5, passwords hardcoded in the identity provider configuration can optionally be managed by the identity provider’s secret service. These passwords include the IG agent passwords and OAuth 2.0 client passwords.

An IssuerRepository is provided as a default object. Learn more from Default objects.

PingOneApiAccessManagementFilter is a new filter dedicated to PingOne’s API Access Management. Use this filter with API Access Management to evaluate HTTP requests and responses.

GrantSwapJwtAssertionOAuth2ClientFilter is a new filter to transform requests for OAuth 2.0 access tokens into secure JWT bearer grant type requests.

Use this filter with PingOne Advanced Identity Cloud or AM to increase the security of less-secure grant-type requests such as Client credentials grant or Resource owner password credentials grant.

For more information, refer to Secure the OAuth 2.0 access token endpoint.

The new property includeKeyId is available in JwtBuilderFilter to include the ID of the signature key in the header of a built JWT.

The following new objects are available for local processing on behalf of PingOne Advanced Identity Cloud as part of an PingOne Advanced Identity Cloud journey:

JwkPropertyFormat is a new secret format. Use it with FileSystemSecretStore to decode JSON Web Key (JWK) formatted keys into secrets.

The new property certificateVerificationSecretId is available in SecretsTrustManager to facilitate the use of CA-certificates in mutual TLS. In previous releases, the use of CA-signed certificates was more restricted.

The new property exposePrivateSecrets is available in JwkSetHandler to safeguard against the accidental exposure of private keys in a JWK set.

The property is false by default to prevent exposure of private keys. To expose private keys, you must now explicitly set the property to true.

The following new properties have been added in AuthorizationCodeOAuth2ClientFilter and Issuer:

In OpenID Connect, use these properties to revoke access and refresh tokens issued by Authorization Servers during login.

The following new properties have been added in AuthorizationCodeOAuth2ClientFilter and Issuer:

In OpenID Connect, use these properties to initiate logout from Authorization Servers.

A new property prompt is available in AuthorizationCodeOAuth2ClientFilter.

Use the property in OIDC flows to require the Authorization Server to prompt the end user to reauthenticate and consent.

When an OAuth 2.0 authorization operation fails, the AuthorizationCodeOAuth2ClientFilter injects the error and error description into the OAuth2FailureContext. In previous releases, OAuth2FailureContext was used only for the OAuth2TokenExchangeFilter.

In AuthorizationCodeOAuth2ClientFilter, retrieve the original target URI for a request from the new context IdpSelectionLoginContext.

When verificationSecretId in CrossDomainSingleSignOnFilter isn’t configured, IG discovers and uses the AM JWK set to verify the signature of AM session tokens. If the JWK set isn’t available, IG doesn’t verify the tokens.

In earlier releases, IG did not verify the tokens when verificationSecretId in CrossDomainSingleSignOnFilter wasn’t configured.

To minimize the risk of CDSSO token tampering, always configure verificationSecretId in CrossDomainSingleSignOnFilter.

In stateless sessions, if the JWT session cookie exceeds 4 KBytes, IG automatically splits it into multiple cookies.

If your JWT session size is too close to the value of connectors:maxTotalHeadersSize in AdminHttpApplication, IG might block your next request containing split JWT session cookies. Consider increasing the value of connectors:maxTotalHeadersSize.

For more information, refer to Stateless sessions.

To improve security, JWT session cookies are no longer compressed by default. For more information, refer to the useCompression property of JwtSession.

Startup can now be allowed when there is an existing PID file. When activated, IG removes the existing PID file and creates a new one during startup. In previous releases, if there was an existing PID file during startup, the startup failed.

Activate the feature in the following ways:

For more information, refer to Allow startup when there is an existing PID file in the Installation guide and ig.pid.file.mode in the Deployment guide.

In CrossDomainSingleSignOnFilter, the new property redirectionMarker is enabled by default to prevent redirect loops when the session cookie is not present in the CDSSO flow.

When the marker is present in the request query parameters, the request is not redirected for authentication.

The new property mappings:aliasesMatching in KeyStoreSecretStore and HsmSecretStore is available to map all aliases that match a regular expression to a secret ID.

Some KeyStores, such as a global Java TrustStore, can contain hundreds of valid certificates. Use this property to map multiple aliases to a secret ID without listing them all in the mapping.

To improve readability, the entity property of a StaticResponseHandler can now be defined as an array of strings or as a string.

The new property connectors:maxTotalHeadersSize in AdminHttpApplication defines the maximum size in bytes of the sum of all headers in a request. This property replaces the deprecated Vert.x properties maxHeaderSize and initialSettings:maxHeaderListSize.

To support SDK in legacy installations, a new property useLegacyAdviceEncoding in the PolicyEnforcementFilter is available to provide unencoded advices. By default, advices are encoded with the encoder used by the AM version.

The use of this property is deprecated and should be used only to support SDK in legacy installations.

websocket:proxyOptions is a new property in ReverseProxyHandler to provide a dedicated WebSocket reverse proxy.

The following properties are now available in AmService to improve control of WebSocket connections to AM:

IG agents are automatically authenticated to PingOne Advanced Identity Cloud and AM by a non-configurable authentication module. Authentication chains and modules are deprecated in PingOne Advanced Identity Cloud and AM. They are replaced by trees and journeys.

You can now authenticate IG agents to PingOne Advanced Identity Cloud and AM 7.3 with a journey. The procedure is currently optional, but will be required when authentication chains and modules are removed in a future release.

For more information, refer to Authenticate an IG agent to PingOne Advanced Identity Cloud and Authenticate an IG agent to AM.

By default, when PingOne Advanced Identity Cloud or AM denies a request with advices, IG returns a redirect response with advices as parameters.

From this release, when the request includes the x-authenticate-response header with the value header, IG returns the response with the advices in a WWW-authentication header.

Use this method for SDKs and single page applications. Placing advices in a header gives these applications more options for handling the advices.

For information about how the header is used in policy enforcement, refer to Deny requests with advices in a header.

The x-authenticate-response header name can be configured by the new property authenticateResponseRequestHeader in PolicyEnforcementFilter.

The SamlFederationHandler is deprecated and replaced by the SamlFederationFilter.

The SamlFederationFilter can be used in a route protect a downstream application in the same way as other authentication triggering filters, such as the SingleSignOnFilter or CrossDomainSingleSignOnFilter.

When triggered, the SamlFederationFilter can initiate the login or logout of a SAML service provider with a SAML identity provider.

IG can now automatically renew WebSocket connections to AM after a defined delay. For more information, refer to the notifications.renewalDelay property of AmService.

ClientHandler and ReverseProxyHandler have a new property waitQueueSize to set the maximum number of outbound requests allowed to queue when no downstream connections are available. Use this property to limit memory use when there is a backlog of outbound requests, for example, when the protected application or third-party service is slow.

In previous releases, the queue size was unlimited. In this release, by default it is limited to the square of the value of the connections property.

The name and ID of a route is now included by default in access audit events. For more information about auditing, refer to Auditing your deployment.

AM 7.3 can be configured to invalidate sessions based on user ID, and send a notification with the topic /agent/session.v2 to IG. IG can now use the notification to evict all sessions bound to the user.

The DataPreservationFilter triggers POST data preservation when an unauthenticated client posts HTML form data to a protected resource.

For more information, refer to DataPreservationFilter and POST data preservation.

When the AmService property sessionIdleRefresh is enabled, IG now requests session refresh:

In previous releases, IG requested session refresh only after sessionIdleRefresh.interval elapsed. If IG got an SSO token that was close to its maximum idle time, the token could expire before sessionIdleRefresh.interval elapsed and IG triggered a refresh.

When relying on a SecretsProvider to retrieve the shared key required by the CapturedUserPasswordFilter, you can now rotate a secret without reloading the filter if the underlying secret store supports secret rotation.

KeyStoreSecretStore can now use KeyStores that are not password-protected. In previous releases, KeyStores had to be password-protected.

When IG is cleanly shut down, the destruction of HttpClientHandlerHeaplets is now delayed until after all other IG heaplets are destroyed. This change allows the other IG heaplets to use HttpClientHandlerHeaplets during shut down. For example, AmService can now call logout on any agent tokens it has allocated, which can help to reduce the build up of tokens in AM.

ClientHandlers and ReverseProxyHandlers are examples of HttpClientHandlerHeaplets.

A new property autoRefresh is available in FileSystemSecretStore and KeyStoreSecretStore to configure automatic reloaded of the secret store when a file in the filesystem is edited or deleted, or a keystore is edited or deleted.

IG now uses Groovy 4 for scripting. For more information, refer to Release notes for Groovy 4.0

The expression binding now gives the time since epoch at the instant the expression is evaluated. For more information, refer to Dynamic bindings.

sameSite is a new subproperty of session in admin.json, to manage the circumstances in which a cookie is sent to the server. Use this property to reduce the risk of cross-site request forgery (CSRF) attacks when IG is in standalone mode.

The functions find and matchesWithRegex are added to use as replacements for the deprecated function matches.

The function findGroups is added to use as a replacement for the deprecated function matchingGroups.

For more information, refer to Functions.

Exception logging when looking for client certificates in ChfApplicationWebHandler has been improved.

When IG detects that AMCtxId is not available in a session, it now checks that notifications are enabled before logging an error. When notifications are disabled, there is no need to make AMCtxId available.

Vert.x metrics are now available by default for IG in standalone mode, to provide metrics for HTTP, TCP, and the internal component pool. The metrics provide low-level information about requests and responses, such as the number of bytes, duration, the number of concurrent requests, and so on.

Metrics are provided at the Prometheus Scrape Endpoint and Common REST Monitoring Endpoint endpoints.

For more information, refer to the vertx object in admin.json, and Monitoring VertX metrics.

To help with troubleshooting, a debug message is logged when a BadRequestException occurs during policy evaluation requests. In previous releases, the original error was not logged, IG just returned an HTTP 401 Unauthorized.

The ForwardedRequestFilter has been added to rebase a request URI with a computed scheme, host name, and port. Use this filter to configure redirects when the request is forwarded by an upstream application such as a TLS offloader.

To reduce configuration errors, and simplify configuration, AmService no longer uses the default value, iPlanetDirectoryPro, for ssoTokenHeader. If ssoTokenHeader is not provided, IG queries the AM /serverinfo/* endpoint for the header name or cookie name of the SSO token.

IG is now delivered as a .zip file, for installation in standalone mode. In standalone mode, IG provides a simple unzip installation path, a classes directory for support, a startup script, and support for custom extensions.

A Vert.x-specific configuration block is available in the connector property of admin.json, and in the websocket property of ClientHandler and ReverseProxyHandler.

In standalone mode, IG can use HTTP/2 or HTTP/1.1 to send requests to a proxied application, or request services from a third-party application.

No additional configuration is required to use HTTP/2 over non-TLS. The Application Layer Protocol Negotiation ALPN extension is used for HTTP/2 over TLS.

The protocol is negotiated according to the configuration of IG’s admin.json, the alpn property in ClientTlsOptions, and by the new properties protocolVersion and http2PriorKnowledge in the ClientHandler and ReverseProxyHandler.

IG in standalone mode provides a new object, ServerTlsOptions, to configure server-side properties of the the TLS-protected connector. Use ServerTlsOptions in admin.json.

For IG installed in standalone mode, classes is a new directory in the classpath for patches from support.

CsrfFilter is a new filter to harden protection against CSRF attacks.

In SAML SP-initiated SSO, IG can now act as an SP with an IDP that does not support the transient NameID Format. For SP-initiated SSO as well as for IDP-initiated SSO, the NameID Format can be any format supported by the IDP.

In previous releases, for SP-initiated SSO, the NameID Format could be only urn:oasis:names:tc:SAML:2.0:nameid-format:transient.

As a cookie passes through IG, if the cookie value is not enclosed in quotes, spaces in the cookie value are not removed. In previous releases, spaces were removed.

Not supported for IG in standalone mode.

stateTrackingEnabled is a new property of ClientHandler and ReverseProxyHandler to specify whether a connection can be kept open and reused after a request.

The user passwords in the sample application files are updated to align with the new AM password policy.

In OpenID Connect with multiple client registrations, the same clientId can now be used for multiple client registrations if the issuerName for each registration is different.

The clientId must be unique in the context of a single issuer.

In the OAuth2ClientFilter login service URI, specify both the clientId and the issuerName,

resourceUriProvider is a new property of the PolicyEnforcementFilter to ease the transition from an agent-based system. Use the property to request AM policy decisions with the original request URL as the resource URL, or with a script to generate the resource URL.

In previous releases, IG could request policy decisions only by using the route baseURI as the resource URL.

The SingleSignOnFilter has been adapted to prevent an infinite loop when a final redirect is returned without AM session cookie name. The filter now checks the goto query parameter for the presence of the _ig marker parameter.

The new SingleSignOnFilter property logoutExpression can trigger logout based on any aspect of a request. Before this improvement, logout could be triggered only when a request matched the URI path.

secure and httpOnly options on the cookie created for JWT sessions.

IG logs a warning when the decoded value of a BASE64-encoded secret starts or ends with a non-ASCII character.

If a text editor adds a carriage return to the end of a plain string value before it is encoded, non-ASCII characters can be added to the BASE64-encoded value. When the decoded value is used as part of a username/password exchange, it can then cause an authentication error.

sameSite is a new property in CrossDomainSingleSignOnFilter and JwtSession to manage the circumstances in which a cookie is sent to the server. Use this property to manage the risk of cross-site request forgery (CSRF) attacks.

The payload body of a GET or HEAD request is now honored. In previous releases, the payload body was removed when the internal Request representation was created. TRACE is the only request that does not support a payload.

Cookies that arrive at IG with the sameSite flag set are correctly maintained.

Previously, if the user’s SSO session had expired or become otherwise invalid and was used in a request to IG, calling the AM session info endpoint to get session status would return a 401 response. This 401 response was valid but ended up being logged by IG at Error level, which was misleading, and would generate a large amount of additional logging data.

IG now logs an error message only when the response from an AM session info endpoint is not a 401. IG still logs it as a debug message to show that it was a 401 response.

IG now supports that ability for clients to authenticate AM through OAuth 2.0 mutual TLS (mTLS) and X.509 certificates. You must use self-signed certificates or public key infrastructure (PKI), as per version 12 of the draft OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens.

SecretsProvider is now available to provide a secrets service for the StatelessAccessTokenResolver. It uses specified secret stores to resolve access tokens.

Before this improvement, the StatelessAccessTokenResolver used the global secrets service to resolve access tokens, which searches for keys across the whole configuration. If multiple keys have the same label, there is a bigger risk that the wrong key is used.

For backward compatibility, if SecretsProvider is not configured, the StatelessAccessTokenResolver uses the global secrets service.

If an AM policy decision denies a request with supported advices, the PolicyEnforcementFilter can now redirect the request to a URL specified in a SingleSignOnFilter, such as the URL of the custom login page. Previously, the filter always redirected the request back to AM.

The URL is passed in a new property, loginEndpoint, in the ssoToken context. To use the redirect, configure loginEndpoint in the SingleSignOnFilter.

A toJSON function is now available in expressions to parse strings as JSON.

preserveOriginalQueryString in AdminHttpApplication is now available to preserve query strings as they are presented in URLs. Select this option when query strings must not change during processing, for example, in signature verification.

By default, IG tolerates characters that are disallowed in query string URL components, by applying a decode/encode process to the whole query string.

IG leverages the Commons Secrets Service for the management of passwords and secrets in the following objects: AmService, ClientHandler, ClientRegistration, JwtSession, KeyManager, JwtBuilderFilter, and CapturedUserPasswordFilter.

Managing secrets with the Commons Secrets Service provides the following benefits:

In this release, routes generated in Studio do not use the Commons Secrets Service. Documentation examples generated with Studio use deprecated properties.

The StatelessAccessTokenResolver is now available to validate stateless access tokens without referring to AM. Use StatelessAccessTokenResolver with the access token resolver in OAuth2ResourceServerFilter.

Because IG can validate stateless access tokens locally, without referring AM, this feature provides the following benefits:

Supported with OpenAM 13.5, and AM 5 and later versions.

IG can now respond to the TransactionConditionAdvice from AM to require users to perform additional actions when trying to access a resource protected by an AM policy.

Performing the additional actions successfully grants a one-time access to the protected resource. Additional attempts to access the resource require the user to perform the additional actions again.

IG can now configure what happens to the session cache and policy enforcement cache when the WebSocket notification service is disconnected and then reconnected. By default, the caches are cleared on disconnect.

The OAuth2ResourceServerFilter can now use a script to evaluate which scopes must be provided in an OAuth 2.0 access token to access a protected resource. The script evaluates each request dynamically and returns the scopes that are required for the request to access the protected resource.

Use this feature when protected resources can’t be grouped within a set of static scopes, for example, when one set of URLs require one scope, and another set of URLs require another scope.

A new property, encryption, has been added to the JwtBuilderFilter to configure JWT encryption.

The template property of JwtBuilderFilter can now be configured as an expression that evaluates to a map. The referenced map is serialized as a JSON object.

A new object, TlsOptions, is available to configure connections to TLS-protected endpoints for the ClientHandler, ReverseProxyHandler, and for WebSocket notifications in AmService.

The UserProfileFilter provides new features to retrieve and cache user profile information:

A new property, agent, in AmService defines a Java agent to act on behalf of IG, and simplify configuration of the following filters:

The agent property is now mandatory in AmService and replaces properties in the above filters.

A new property, notifications, in AmService to disables WebSocket notifications, configures the time between attempts to re-establish lost WebSocket connections, and configures WebSocket connections to TLS-protected endpoints.

To simplify configuration, properties in UserProfileFilter have been deprecated and replaced with properties in AmService.

A new filter, StudioProtectionFilter, is available to protect the Studio endpoint when IG is running in development mode.

When IG is running in development mode, by default the Studio endpoint is open and accessible. When StudioProtectionFilter is defined in admin.json, IG uses it to filter access to the Studio endpoint.

New features have been added to the technology preview of Studio to allow you to:

New features have been added to the technology preview of Freeform Studio to allow you to:

Routes created in previous version of Freeform Studio are automatically transitioned into JSON editor routes.

When a TimerDecorator is set to true in a route, the metrics are now written to the Prometheus Scrape Endpoint and the Common REST Monitoring Endpoint.

Support has been added for an audit handler to send access log messages to standard output.

AdminHttpApplication now declares default configurations for the following objects: ClientHandler, ReverseProxyHandler, ForgeRockClientHandler, ScheduledThreadPoolExecutor, and TransactionIdOutboundFilter.

IG can now detect requests to upgrade from HTTPS to the WebSocket protocol, and create a secure, dedicated tunnel to send and receive WebSocket traffic.

IG can now detect requests to upgrade from HTTP to the WebSocket protocol, and create a dedicated tunnel to send and receive WebSocket traffic.

When you create a route in Studio, you can enable a new option to upgrade HTTP connections to WebSocket protocol.

To help with development, the sample app has been updated to include a WebSocket endpoint that exposes a simple WebSocket server.

A new filter, JwtBuilderFilter, collects data at runtime, packs it in a JSON Web Token (JWT), and places the resulting JWT into the JwtBuilderContext. When the JwtBuilderFilter is used with a HeaderFilter, it provides a flexible way for IG to pass identity or other runtime information to the protected application.

To help with development, the sample app has been updated to include a /jwt endpoint that displays the JWT and verifies its signature.

New features have been added to the technology preview of Freeform Studio to allow you to:

Instead of removing the decorator from the configuration, you can now configure the capture point none to disable capture.

You can now expire pooled connections after a fixed duration by setting a new property connectionTimeToLive in the ClientHandler and ReverseProxyHandler. To prevent the reuse of connections, set this property in routes for applications where the IP address (baseURI) is not stable or can change.

When IG fails to connect to a proxied application, the ReverseProxyHandler changes the runtime exception into a 502 Bad Gateway response.

When streaming is enabled, responses are processed as soon as all headers are received. The entity content is downloaded in a background thread. This mode reduces latency, and is mandatory for Server-Sent Events

A new filter, UserProfileFilter, queries AM to retrieve the profile attributes of an AM user. It makes the data available as a new context to downstream IG filters and handlers.

A new filter, SessionInfoFilter, calls the AM endpoint for session information, and makes the data available as a new context to downstream IG filters and handlers. Session properties that are allowlisted in AM are available.

CrossDomainSingleSignOnFilter, CdSsoContext, and CdSsoFailureContext have been added. Users can authenticate to AM in one domain, and then access resources protected by IG in another domain, without having to re-authenticate.

The Prometheus Scrape Endpoint and Common REST Monitoring Endpoint have been added for monitoring.

The endpoints are available in IG, without any configuration. Metrics are available for each router, subrouter, and route in the configuration, and for the defaultHandler of the main router.

By default, everyone has read access to the Prometheus endpoint. No special credentials or privileges are required, but access can be restricted.

The AmService heap object can be declared in the IG configuration to hold information about an instance of AM. IG objects that communicate with AM can share AmService, reducing the number of configuration properties in their configuration.

The new CapturedUserPasswordFilter makes it possible to use AM’s password capture and replay feature without an AM policy agent.

This filter retrieves an AM password, decrypts it, and exposes it in a new context. By using CapturedUserPasswordFilter, you can get login credentials from AM without setting up an AM policy agent.

From AM 6, CapturedUserPasswordFilter can use the stronger algorithm AES to decrypt the AM password.

AmService provides a shared session service that can cache session token info for improved performance.

IG can now receive notifications from AM on session logout, or when an AM session is modified, closed, destroyed, or times out. IG evicts related entries from the session cache.

SingleSignOnFilter, CrossDomainSingleSignOnFilter, SessionInfoFilter, UserProfileFilter and PolicyEnforcementFilter are using that shared service.

In previous releases, the SingleSignOnFilter called AM to validate the SSO token for every request in a session. The SingleSignOnFilter can now process multiple requests in the same session without calling AM to validate the SSO token.

IG can now capture WebSocket notifications from AM when a policy is created, deleted, or updated, and then clear the PolicyEnforcementFilter cache. To facilitate this feature, the PolicyEnforcementFilter cache has been replaced by a cache based on Caffeine.

More options are provided for caching access tokens in OAuth2ResourceServerFilter.

From this release, when streaming is enabled on the ClientHandler or ReverseProxyHandler, IG begins streaming a response to a client as soon as it begins receiving it from the downstream application.

Because IG does not need to buffer the entire content of the response, it can process responses faster, and can proxy applications and APIs that send responses bigger than 2 GB.

If the response flow includes a filter that buffers the entire content of the response, such as capture decorator, processing takes longer and the maximum size of the response is 2 GB.

The AM realm that contains the UMA configuration can be specified in UmaService.

The endpoint for the UMA sharing service is now configured by the wellKnownEndpoint property of UmaService instead of authorizationServerUri. authorizationServerUri has been removed.

The PolicyEnforcementFilter now supports the following AM advice types in addition to AuthLevel:

IG can now make use of a system-defined proxy server. Use the new systemProxy property of ClientHandler and ReverseProxyHandler to access the feature.

Support for parameterized configuration has been added through the introduction of configuration tokens, and the processes of token resolution, JSON evaluation, token substitution, and data transformation.

At startup and when routes are loaded, token resolvers make values available from environment variables, Java system properties, JSON and Java properties files, and route properties. Matching values are substituted in the configuration files as strings, and then transformed as required into different data types.

IG can now proxy Server Sent Events (SSE) API.

The CaptureDecorator property maxEntityLength has been added to limit the number of bytes that can be captured for an entity. Before this release, IG tried to capture the entire entity.

When the CaptureDecorator property captureEntity is true, use this property to prevent excessive memory use or OutOfMemoryError errors.

To deploy IG in Jetty, it is no longer necessary to rename the IG .war file from ig.war to root.war.

The following additional classes are now imported automatically for Groovy scripts:

It is no longer necessary to include imports statements for these classes in Groovy scripts.

IG can now retry failed HTTP requests. You can specify the number of times IG retries a failed request, and the delay between retries.

In bootstrap scenarios where IG depends on third-party services, IG can now pause the startup process until the required services are online (for example, OpenID Connect well-know configuration endpoint).

Freeform Studio is a new user interface to develop complex routes of filters and handlers. As you design a route, Freeform Studio helps you to visualize the chain of filters and handlers, identify break points, and track the path of requests, responses, and contexts.

The TokenTransformationFilter can now be configured in Studio.

Scripts for use in the ScriptableFilter and ThrottlingFilter can now be configured with arguments in Studio.

Audit logging can now be configured in Studio for JSON audit event handler and ElasticSearch audit event handler.

Stateless sessions that do not use a keystore can now be configured in Studio.

During IG upgrade, routes that were previously created in Studio are automatically transferred to the new version of IG. If extra information is required for compatibility, you are prompted for the required information.

Studio can now be used to configure the capture of the message context as well as the message body.

IG now supports the token introspection endpoint, /oauth2/introspect to resolve OAuth 2.0 access tokens. In previous releases, only the token info endpoint, /oauth2/tokeninfo, was supported.

Use the /oauth2/introspect endpoint to retrieve metadata about a token that is not available at the /oauth2/tokeninfo endpoint, such as the context in which the token was issued.

Clients can now authenticate to an OAuth 2.0 authorization server or OpenID provider using the tokenEndpointAuthMethod method private_key_jwt.

With private_key_jwt, you can configure claims to be used for client authentication during access token retrieval.

It is now possible to configure access token resolution by using a script. For information about all configuration options, see the accessTokenResolver property of OAuth2ResourceServerFilter.

IG can now run in JBoss Enterprise Application Platform (JBoss EAP) version 7.

Support has been added for the Splunk audit event handler.

Support for UMA 2.0 has been added in this release. Features and functionality have been upgraded to support new UMA standards. Support for earlier versions of UMA has been removed.

Configuration expressions can now be used to create the following properties of the StaticRequestFilter:

This feature provides the flexibility to assign different header names and form parameters when using the same route in different environments. For example, the name of a cookie header can be different in a production or development environment.

The ClientHandler can now declare an outgoing proxy server such as Squid to submit requests to other parts of the network.

Runtime expressions can now be used to define the baseURI property of DispatchHandler.

This feature provides the flexibility to change the baseURI according to some request attributes.

A new property, loginEndpoint, is added to the SingleSignOnFilter to increase flexibility for authentication. Authentication can be performed through AM or an alternative application, and can include authentication parameters. For information, see the loginEndpoint property of SingleSignOnFilter

Configuration expressions can now be used in the definition of prefix and the reference configuration object.

A list of audit event fields can be specified to be considered as case-insensitive for filtering.