IDM 7.2.2

Release notes

ForgeRock Identity Management (IDM) software provides centralized, simple management and synchronization of identities for users, devices, and things. IDM software is highly flexible and therefore able to fit almost any use case and workflow.

These release notes are written for anyone using the IDM 7.2 release. Read these notes before you install or upgrade ForgeRock Identity Management software.

ForgeRock Identity Platform™ serves as the basis for our simple and comprehensive Identity and Access Management solution. We help our customers deepen their relationships with their customers, and improve the productivity and connectivity of their employees and partners. For more information about ForgeRock and about the platform, see https://www.forgerock.com.

The ForgeRock Common REST API works across the platform to provide common ways to access web resources and collections of resources.

What’s new

Maintenance releases

ForgeRock maintenance releases contain a collection of fixes and minor RFEs grouped together and released as part of our commitment to support our customers. For general information about ForgeRock’s maintenance and patch releases, see Maintenance and Patch Availability Policy.

IDM 7.2.2 is the latest release targeted for IDM 7.2 deployments, and can be downloaded from the ForgeRock Download Center.

You can deploy the release as an initial deployment or as an update from an existing 7.2.x deployment. For information on updating from 7.2.x, refer to Update to a maintenance release.

New features

IDM 7.2.2

This release includes updates to ICF connectors, updates to dependency libraries, bug fixes, and the following new feature:

Support for upgrading DS to later version than IDM

Upgrading to DS 7.3 is now supported. For more information, refer to Supported repositories.

IDM 7.2.1

This release includes updates to ICF connectors, updates to dependency libraries, and bug fixes.

IDM 7.2.0

This release of ForgeRock Identity Management software includes the following new features:

Property-based secret stores

IDM now supports property-based secret stores and can read keys and trusted certificates from properties that contain keys in Privacy-Enhanced Mail (PEM) format.

For more information, see Property-based secret stores.

Scanning tasks to activate and deactivate accounts

The default IDM configuration now includes two scanning tasks that activate and deactivate a user’s accountStatus, based on their activeDate and inactiveDate. For more information, see Activate and deactivate accounts.

external/email endpoint improvements

You can now use cc and bcc parameters with the sendTemplate action. For more information, see:

Workflow improvements

The Flowable embedded workflow engine has been upgraded to version 6.6.0. This upgrade fixes the issue with native email tasks previously mentioned in the Workflow Guide.

Policy validation for field removal

You can now validate field removal using the policy action validateProperty.

Relationship-derived Virtual Properties (RDVP) improvements

Relationship-derived Virtual Properties now include reference fields with details of the referenced relationship.

AD Password Synchronization Plugin UTC timestamps

The latest version of the Active Directory password synchronization plugin (v1.7.0) uses UTC timestamps for logs.

Bootstrap IDM without stored configuration

Previously, the property openidm.fileinstall.enabled also controlled the configs being loaded on startup. Therefore, to disable file monitoring, you had to first start IDM with it enabled in order to load the configs into the repository, and then restart IDM with it disabled. The new setting openidm.config.bootstrap.enabled (which defaults to true), allows file monitoring to be disabled, and the bootstrap process will load the configuration into the repository.

For more information, see Disable automatic configuration updates.

API version header warnings

IDM can now log warnings when API version headers are not specified.

Reconciliation enhancements

Reconciliation has been enhanced in the following ways:

  • Previously, if one node in the cluster went down or offline during a clustered reconciliation run, the reconciliation was canceled. This limitation no longer exists. For more information, see Clustered reconciliation.

  • Addition of the properties:

    • reconTargetQueryPaging

    • reconTargetQueryPageSize

    For more information, see Synchronization reference.

Assignment synchronization optimization

A new property has been added to synchronization mappings, optimizeAssignmentSync, which determines whether modifications to an assignment’s attributes or relationships should be treated as a synchronization event for members of that assignment or role, or if it should only be treated as a synchronization event for members if the modified assignment is directly relevant to that mapping, or if effectiveAssignments is included in triggerSyncProperties.

For more information, see Synchronization reference.

Query filtering on arrays

For versions of IDM running DS or PostgreSQL as a repository, queryFilter now supports filtering on the contents of arrays. For more information, see Filter objects in arrays.

Additional metrics

New metrics are available for workflow and JVM.

Security advisories

ForgeRock issues security advisories in collaboration with our customers and the open source community to address any security vulnerabilities transparently and rapidly. ForgeRock’s security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.

For details of all the security advisories across ForgeRock products, see Security Advisories in the Knowledge Base library.

Before you install

This section covers requirements before you run ForgeRock Identity Management software, especially in a production environment. If you have a special request to support a component or combination not listed here, contact ForgeRock at info@forgerock.com.

Hardware and memory requirements

Due to the underlying Java platform, IDM software runs well on a variety of processor architectures.

When you install IDM for evaluation with the embedded DS repository, you need:

  • 256 MB memory (32-bit) or 1 GB memory (64-bit) available.

  • 10 GB free disk space for the software and sample data.

A DS repository (whether embedded or external) requires free disk space of 5% of the filesystem size, plus 1 GB by default. To change this requirement, set the disk-full-threshold in the DS configuration. For more information, see Disk Space Thresholds in the DS Maintenance Guide.

In the case of an embedded DS instance, you can manage the configuration using the dsconfig command in /path/to/openidm/db/openidm/opendj/bin.

In production, disk space and memory requirements will depend on the size of your external repository, as well as the size of the audit and service log files that IDM creates.

The amount of memory that IDM consumes is highly dependent on the data that it holds. Queries that return large data sets will have a significant impact on heap requirements, particularly if they are run in parallel with other large data requests. To avoid out-of-memory errors, analyze your data requirements, set the heap configuration appropriately, and modify access controls to restrict requests on large data sets.

Operating System requirements

Identity Management 7.2 software is supported on the following operating systems:

  • Red Hat Enterprise Linux (and CentOS Linux) 7.9 and 8.6

  • Ubuntu Linux 20.04 and 22.04

  • Windows Server 2016 and 2019

Java requirements

IDM software supports the following Java environments:

Supported Java Versions
Vendor Versions

OpenJDK, including OpenJDK-based distributions:

  • AdoptOpenJDK/Eclipse Temurin

  • Amazon Corretto

  • Azul Zulu

  • Red Hat OpenJDK

ForgeRock tests most extensively with AdoptOpenJDK/Eclipse Temurin. ForgeRock recommends using the HotSpot JVM.

11

Oracle Java

11
ForgeRock recommends that you keep your Java installation up to date with the latest security fixes.

Supported web application containers

You must install IDM as a standalone service, using the bundled Apache Felix framework and Jetty web application container. Alternate containers are not supported. IDM bundles Jetty version 9.4.41.

Supported repositories

IDM supports the following repositories for use in production:

  • ForgeRock Directory Services (DS) 7.2, 7.3, and 7.4.

    By default, IDM uses an embedded DS instance for testing purposes. The embedded instance is not supported in production. If you want to use DS as a repository in production, you must set up an external instance.

  • MySQL version 5.7 and 8.0 with MySQL JDBC Driver Connector/J 8.0.

    Do not use Connector/J versions 8.0.23 through 8.0.25. Why?

  • MariaDB version 10.7 with MySQL JDBC Driver Connector/J 8.0.

    Do not use Connector/J versions 8.0.23 through 8.0.25. Why?

  • Microsoft SQL Server 2017 and 2019.

  • Oracle Database 19c and 21c.

  • PostgreSQL 12.11, 13.7, and 14.3.

  • IBM DB2 11.5.

ForgeRock supports repositories in cloud-hosted environments, such as AWS and GKE Cloud, as long as the underlying repository is supported. In other words, the repositories listed above are supported, regardless of how they are hosted.

These repositories might not be supported on all operating system platforms. See the specific repository documentation for more information.

Do not mix and match versions. For example, if you are running Oracle Database 19c, and want to take advantage of the support for Oracle UCP, download driver and companion JARs for Oracle version 19c.

Supported browsers

The IDM UI has been tested with the latest, stable versions of the following browsers:

  • Chrome and Chromium

  • Edge

  • Firefox

  • Safari

Supported connectors

IDM bundles the following connectors:

  • Adobe CM Connector

  • CSV File Connector

  • Database Table Connector

  • Google Apps Connector

  • Groovy Connector Toolkit

    This toolkit lets you create scripted connectors to virtually any resource.

  • Kerberos Connector

    The Kerberos connector that is bundled with IDM 7 is not backward-compatible with IDM 6.x. IDM 7 uses Groovy version 3.0. IDM 6.5 uses version 2.5, and IDM 6 uses version 2.4. The bundled Kerberos connector requires Groovy version 3.0.

  • LDAP Connector

    Using the LDAP connector to provision to Active Directory is supported with Active Directory Domain Controllers, Active Directory Global Catalogues, and Active Directory Lightweight Directory Services (LDS).

  • Marketo Connector

  • MongoDB Connector

  • Microsoft Graph API Java Connector

  • Salesforce Connector

  • SCIM Connector

  • Scripted REST Connector

    The scripted REST connector that is bundled with IDM 7 is not backward-compatible with IDM 6.x. IDM 7 uses Groovy version 3.0. IDM 6.5 uses version 2.5, and IDM 6 uses version 2.4. The bundled scripted REST connector requires Groovy version 3.0.

  • Scripted SQL Connector

    The scripted SQL connector that is bundled with IDM 7 is not backward-compatible with IDM 6.x. IDM 7 uses Groovy version 3.0. IDM 6.5 uses version 2.5, and IDM 6 uses version 2.4. The bundled scripted SQL connector requires Groovy version 3.0.

  • ServiceNow Connector

  • Scripted SSH Connector

    The scripted SSH connector that is bundled with IDM 7 is not backward-compatible with IDM 6.x. IDM 7 uses Groovy version 3.0. IDM 6.5 uses version 2.5, and IDM 6 uses version 2.4. The bundled scripted SSH connector requires Groovy version 3.0.

You can download a PowerShell Connector Toolkit from the ForgeRock BackStage download site. This Toolkit lets you create scripted connectors to address the requirements of your Microsoft Windows ecosystem.

Additional connectors are available from the ForgeRock BackStage download site.

Windows Server 2012 R2, 2016, and 2019 are supported as the remote systems for connectors and password synchronization plugins.

You must use the supported versions of the .NET Remote Connector Server (RCS), or the Java Remote Connector Server (RCS). The 1.5.x Java RCS is backward-compatible with the version 1.1.x connectors. The 1.5.x .NET RCS is compatible only with the 1.4.x and 1.5.x connectors. For more information, see IDM / ICF Compatibility Matrix.

The Java RCS requires Java 11, and is supported on any platform on which Java runs.

The .NET RCS requires the .NET framework (version 4.6.2 or later) and is supported on Windows Server versions 2012 R2, 2016, and 2019.

Although the scripted connector toolkits are supported, connectors that you build with these toolkits are not supported. You can find examples of how to build connectors with these toolkits in Samples.

The following table lists the connector and RCS versions that are supported across IDM versions. For a list of connectors supported with this IDM release, see Overview. For a list of connector releases associated with this version of IDM, see Release notes overview

IDM / ICF Compatibility Matrix
IDM Version RCS Version Java Connectors Scripted Groovy Connectors .NET Connectors

4.x

1.4.x, 1.5.x

Java connectors version 1.1.x - 1.5.x

Scripted REST, Scripted CREST, Scripted SQL, SSH, Kerberos connectors up to version 1.5.1.0.

PowerShell Connector 1.4.x

5.x

1.4.x, 1.5.x

Java connectors version 1.1.x - 1.5.x

Scripted REST, Scripted CREST, Scripted SQL, SSH, Kerberos connectors up to version 1.5.1.0.

PowerShell Connector 1.4.x

6.x

1.4.x, 1.5.x

Java connectors version 1.1.x - 1.5.x

Scripted REST, Scripted CREST, Scripted SQL, SSH, Kerberos connectors up to version 1.5.1.0.

PowerShell Connector 1.4.x

7.x

1.4.x, 1.5.x

Java connectors version 1.1.x - 1.5.x

Scripted REST, Scripted SQL, SSH, Kerberos connectors version 1.5.x.

PowerShell Connector 1.4.x

Supported password synchronization plugins

The following table lists the supported password synchronization plugins:

Plugin Supported Version

DS Password Synchronization Plugin

7.1.x, supported with DS 7.1.x, DS 7.2.x, IDM 7.1.x, and IDM 7.2.x

7.0.1, supported with DS 7.0.x, IDM 7.0.x, and IDM 7.1.x

6.5.0, supported with DS 6.5.x and IDM 6.5.x

6.0, supported with DS 6.0.x and IDM 6.0.x

5.5.0, supported with DS 5.5.x and IDM 5.5.x

5.0, supported with DS 5.0.x and IDM 5.0.x

3.5, supported with OpenDJ 3.5 and OpenIDM 4.x

DS Password Sync plugins are not supported with DS OEM

Active Directory Password Synchronization Plugin

1.7.0, 1.5.0, 1.4.0, 1.3.0, 1.2.0 and 1.1.0 supported on Windows Server versions 2012 R2, 2016, and 2019

Because version 1.4.0 can fail to make a secure connection with certain Windows versions, ForgeRock recommends using a later version.

Third-Party software

ForgeRock provides support for using the following third-party software when logging ForgeRock Common Audit events:

Software Version

Java Message Service (JMS)

2.0 API

MySQL JDBC Driver Connector/J

8 (at least 8.0.19)

Do not use Connector/J versions 8.0.23 through 8.0.25. Why?

Splunk

8.0 (at least 8.0.2)

Elasticsearch and Splunk have native or third-party tools to collect, transform, and route logs. Examples include Logstash and Fluentd.

ForgeRock recommends that you consider these alternatives. These tools have advanced, specialized features focused on getting log data into the target system. They decouple the solution from the ForgeRock Identity Platform systems and version, and provide inherent persistence and reliability. You can configure the tools to avoid losing audit messages if a ForgeRock Identity Platform service goes offline, or delivery issues occur.

These tools can work with ForgeRock Common Audit logging:

  • Configure the server to log messages to standard output, and route from there.

  • Configure the server to log to files, and use log collection and routing for the log files.

Although ForgeRock does not provide support for these tools, you can any use of the following third-party software to monitor ForgeRock servers:

Software Version

Grafana

5 (at least 5.0.2)

Graphite

1

Prometheus

2.0

For Hardware Security Module (HSM) support, ForgeRock software requires a client library that conforms to the PKCS#11 standard v2.20 or later.

Incompatible changes

When you update to IDM 7.2.0, the following changes may impact existing deployments. Adjust existing scripts, files, and clients, as necessary.

Default onDelete behavior

The default onDelete behavior previously called a file-based script, onDelete-roles.js. This has been removed from the .

Felix and OSGi upgrades

IDM has upgraded to OSGi Core 8.0 and Felix Framework 7.0.0.

JMS 2.0 upgrade

The samples that use the Java Message Service (JMS) have been upgraded to use the 2.0 API and Apache ActiveMQ Artemis:

PATCH request exceptions

Previously, illegal PATCH requests could return a 400 or 500 exception. In such cases, IDM now returns a 400 status.

Policy enforcement on role name

The name property of a managed role is now subject to the uniqueness policy by default. This means that you cannot create multiple roles with the same name. To change this behavior, adjust the policy validation on the role property in your .

Precedence in locales in the self-registration email template

Previously, the defaultLocale specified in the Self-Registration Email Template configuration took precedence. As of IDM 7.2, locales specified as preferredLocales in the Accept-Language header take precedence over the defaultLocale.

Paused queued synchronization for unavailable routes

Synchronization queue processing for a mapping is now paused if either the source or target system route are unregistered. For more information, see Configure queued synchronization.

Embedded workflow database

Previously, you could use the Flowable workflow engine’s embedded H2 database for demo and testing purposes. IDM no longer includes this database. Before you use workflow, you must install a JDBC repository.

For more information, see Enable workflows.

Default MySQL connection driver

The default JDBC Connection Configuration now uses the connection driver from MySQL 8.1 (com.mysql.cj.jdbc.Driver).

Deprecation

The following features are deprecated and likely to be discontinued in a future release.

Social authentication

Social authentication is deprecated and will be removed in a future release of IDM. The feature will be a function of AM. Once a user has logged in through AM (using a social provider or some other way), they can obtain an access token with that session and use the access token to interact with IDM through the rsFilter configuration.

Additionally, Microsoft has deprecated the "Sign In with LinkedIn" functionality as of August 1, 2023. Refer to Sign In with LinkedIn.

Access configuration in access.js

In previous releases, access rules were configured in the access.js script. This script has been replaced by an access.json configuration file, that performs the same function. Existing deployments that use customized access.js files are still supported for backward compatibility. However, support for access rules defined in access.js is deprecated, and will be removed in a future release. You should move these access rules to a conf/access.json file. For more information, see Authorization and roles.

Actions on scheduler endpoint

The action parameter on the scheduler endpoint was deprecated in Version 1 of the endpoint and is not supported in Version 2.

To validate a cron expression, use the validateQuartzCronExpression action on the scheduler/job endpoint, as described in Validate Cron Trigger Expressions.

Health endpoints

The health endpoints, used to monitor system activity have been deprecated in this release, as their functionality was not considered to be of much use.

The information available on health/recon was node-specific. Instead, you can retrieve cluster-wide reconciliation details with a GET on the recon endpoint.

The information available on the health/os and health/memory endpoints can be retrieved by inspecting the JVM metrics.

Conditional query filters

The syntax of conditional query filters and scripts within notification filters has changed in this release. In previous IDM releases, request properties such as content in create and update requests or patchOperations in patch requests were referenced directly. For example, the notification-newReport.json configuration previously used the following query filter:

"condition" : "content/manager pr"
json

In IDM 7, query filters and scripts should reference the request object to obtain any request properties. Sample query filters have been changed accordingly. For example, the query filter in notification-newReport.json has been changed to the following:

"condition" : "request/content/manager pr",
json

This syntax is more verbose, but it lets script implementations use request visitors logic based on the request type, and is more consistent with generic router filters.

The old request syntax will still work in IDM 7.0, but is considered deprecated. Support for the old syntax will be removed in a future release. Note that this change is limited to notification filters. Filters such as those used with scripted endpoints have never supported direct access to request properties, and are therefore not changing. For more information on notification filters, see Configure notifications.

Self-Service stages

Self-Service Stages (described in Self-service stage reference) are deprecated in this release and support for their use will be removed in a future release. From IDM 7 onwards, this functionality is replaced by AM Authentication Trees.

oauthReturn endpoint

Support for oauthReturn as an endpoint for OAuth2 and OpenID Connect standards has been deprecated for interactions with AM and will be removed in a future release. Support for interactions with social identity providers was removed in IDM 6.5.0.

Default versions of relevant configuration files no longer include oauthReturn in the redirectUri setting. However, for IDM 7.2, these configuration files should still work both with and without oauthReturn in the endpoint.

timeZone in schedules

In Configure schedules, setting a time zone using the timeZone field is deprecated. To specify a time zone for schedules, use the startTime and endTime fields.

MD5 and SHA-1 hash algorithms

Support for the MD5 and SHA-1 hash algorithms is deprecated and will be removed in a future release. You should use more secure algorithms in a production environment. For a list of supported hash algorithms, see Salted Hash Algorithms.

JAVA_TYPE_DATE attribute type

Support for the native attribute type, JAVA_TYPE_DATE, is deprecated and will be removed in a future release. This property-level extension is an alias for string. Any dates assigned to this extension should be formatted per ISO 8601.

POST request with ?_action=patch

Support for a POST request with ?_action=patch is deprecated, when patching a specific resource. You can still use ?_action=patch when patching by query on a collection.

Clients that do not support the regular PATCH verb should use the X-HTTP-Method-Override header instead.

For example, the following POST request uses the X-HTTP-Method-Override header to patch user jdoe’s entry:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--header "Content-Type: application/json" \
--request POST \
--header "X-HTTP-Method-Override: PATCH" \
--data '[
    {
        "operation":"replace",
        "field":"/description",
        "value":"The new description for Jdoe"
    }
]' \
"http://localhost:8080/openidm/managed/user/jdoe"

minLength property

The managed object property minLength is deprecated. When you need to specify a minimum length for a property, use the minimum-length policy:

{
    "policyId" : "minimum-length",
    "params" : {
        "minLength" : 8
    }
}
json

Splunk and Elasticsearch audit handlers

The Splunk and Elasticsearch audit event handlers are deprecated and will be removed in a later release.

IDM 7.2 supports both file-based audit handlers and logging to standard output, which Elasticsearch and Splunk can consume.

Discontinued

Support for the following functionality has been removed in this release.

OAUTH_CLIENT authentication module

The OAUTH_CLIENT authentication module has been removed. Using OAuth2 for authentication through AM is available with the resource server filter (rsFilter).

CLI update command

The cli.sh update command (used in older releases to apply maintenance updates) has been removed in this release. For details on upgrading to the latest IDM release, see the Upgrade Guide. The ability to place a server in maintenance mode has also been removed.

Fixed issues

IDM 7.2.2

The following important bugs were fixed in this release:

  • OPENIDM-16906: Sample audit jdbc causes increasing flow of exceptions

  • OPENIDM-18238: Clustered recon: schedule creation in response to orphaned job may incorrectly propagate source pages, resulting in hung recon

  • OPENIDM-18360: One-to-many relationship not enforced when delegated admin has no openidm-admin role

  • OPENIDM-18388: ClusteredReconWatchdog will incorrectly schedule sourcePageCompletionCheck jobs for a reconById recon running against a mapping configured for clustered recon

  • OPENIDM-18544: AD user with a manager cannot update manager in IDM

  • OPENIDM-18625: Top-level router contains route to empty subrouter on route deregistration

  • OPENIDM-18807: IDM sample "Provision user with workflow" is not working as expected

  • OPENIDM-18875: Incorrect behavior in handling variables in workflow subprocesses

  • OPENIDM-18895: ManagedObjectSet patch contract lacks proper MVCC retry

IDM 7.2.1

The following important bugs were fixed in this release:

  • OPENIDM-18153: Throw statement truncates user-defined exception

  • OPENIDM-18123: Correctly load scripts that use ISO 8859-1 encoding

  • OPENIDM-18067: SourcePageToken equals, toString, and hashCode incomplete

  • OPENIDM-18066: NPE getting a schedule for a job

  • OPENIDM-17980: Inconsistent Policy Validation message on Admin UI for some policyId’s

  • OPENIDM-17924: Conditional policy, with required policyId, modifies the schema

  • OPENIDM-17876: Query filter editor incorrectly removes double quotes from all properties that aren’t of type "string"

  • OPENIDM-17531: Conditional policy is not enforced for patch remove

IDM 7.2.0

The following important bugs were fixed in this release:

  • OPENIDM-17858: Deferred Trigger JobCompletion never completes when Trigger NOT_FOUND

  • OPENIDM-17856: Possible multiple X-Not-Modified headers appended to response

  • OPENIDM-17836: ObjectMapping constructor exception on startup

  • OPENIDM-17802: Inconsistent display with viewable option for managed object creation on Admin UI

  • OPENIDM-17792: 7.1 doesn’t start on M1 mac

  • OPENIDM-17790: In samples/audit-jdbc, the column for response_detail is missing from the sample files.

  • OPENIDM-17783: ReconProgressState culling should occur for reconById invocations if amendAssociation not specified

  • OPENIDM-17773: Delete operations fail with DB2 repository

  • OPENIDM-17766: Some variables are undefined when triggering "Sample source preview" in mapping

  • OPENIDM-17750: From field not allowing saving email address with multiple "domains" after the @

  • OPENIDM-17743: With dynamic roles enabled, using social provider login results in a return to the login page

  • OPENIDM-17720: Missing ldapAttribute in repo.ds.json properties configuration causes nullPointer when using fieldPolicy with failed patch

  • OPENIDM-17707: The Connector UI "Object Classes to Synchronize" parameter is storing values incorrectly

  • OPENIDM-17692: Audit handlers in IDM do not use any of the filterPolicies configuration documented

  • OPENIDM-17687: Admin UI updates manager relationship using only the _ref field

  • OPENIDM-17664: Adding whitespace in BaseDN results in invalid configuration

  • OPENIDM-17591: NPE when creating object with null value for singleton relationship

  • OPENIDM-17582: Generic Add Connector template incorrectly sets enabled boolean to string value

  • OPENIDM-17555: Attempting to write certain data to the audit logs on a SQL DB results in a retry-loop event.

  • OPENIDM-17535: IDM stack releases that include bundled connectors should continue to work with existing provisioner configuration

  • OPENIDM-17532: Unable to access to audit data using auditdb connector

  • OPENIDM-17521: PUT on managed user with conditional grant returns alternating responses

  • OPENIDM-17513: Multi-column index on DB2 should be replaced by multiple single-column indexes

  • OPENIDM-17498: LiveSync stops working with RCS

  • OPENIDM-17475: CSV Import fails for the very first time in a newly deployed IDM cluster

  • OPENIDM-17436: Recon fails due to PreconditionFailedException when updating interim recon progress state

  • OPENIDM-17435: Update scripted-powershell-with-ad sample to fix memory leak

  • OPENIDM-17428: SCIM connector: httpProxyUsername and httpProxyPassword missing in sample provisioner

  • OPENIDM-17423: ScriptedREST Connector sample: import org.identityconnectors.common.security.SecurityUtil is missing

  • OPENIDM-17414: flattenProperties is removed from managed.json after saving changes

  • OPENIDM-17405: temporalConstraints behavior with DS different when the object is mapped for generic vs. explicit

  • OPENIDM-17388: Relationship Properties label is invisible due to white font

  • OPENIDM-17367: target phase run for reconById when using clustered recon

  • OPENIDM-17306: Nullable boolean variables are set to false

  • OPENIDM-17254: handleSignalVertexUpdateFromEdge MVCC retry semantics lack virtual property constitution

  • OPENIDM-17204: Improve IDM REST API query performance

  • OPENIDM-17198: REST calls without Accept-API-Version header sometimes get 2 Warning headers back

  • OPENIDM-17195: Change password button disabled state is inverted

  • OPENIDM-17164: Conditional on rdvp relationships not being consistently removed on grantee update

  • OPENIDM-17138: JsonValueException thrown when using Social providers Authentication

  • OPENIDM-17133: JsonValueException thrown when using Passthrough Authentication

  • OPENIDM-17092: Conditional grants processing differently for grantor vs. grantee operations

  • OPENIDM-17076: Migration service not fully ready after create on the config endpoint when using waitForCompletion=true

  • OPENIDM-17071: NullPointerException with augmentSecurityContext

  • OPENIDM-17065: Return idm_sync_queue_failed error in Prometheus when an implicit sync fails

  • OPENIDM-17048: Incorrect label for LDAP server type in IDM Admin UI

  • OPENIDM-17007: Patch to selfservice to update KBA questions does not allow for custom questions with all non-word characters

  • OPENIDM-17002: Can’t tune hash settings from openidm.hash script invocations

  • OPENIDM-16987: Recon operation fails with NPE when dynamic link qualifiers and link pre-fetching are enabled

  • OPENIDM-16978: Neither clustered, nor non-clustered recon updates persisted ReconProgressState when target phase starts

  • OPENIDM-16969: Adding incorrect type to managed attribute expecting a map results in 500 error

  • OPENIDM-16931: SynchronizationException caught on clustered recon node not propagated to other nodes

  • OPENIDM-16929: Values of relationship properties lost when updating another relationship property on the same object

  • OPENIDM-16920: base contexts and base contexts to synchronize not properly compared

  • OPENIDM-16887: Tag not closed on Native UI for scripted rest connector "/button"

  • OPENIDM-16871: RDVPs not updated when allowed API request to modify edge is performed

  • OPENIDM-16866: Setting managed/user/roles schema to returnByDefault = true breaks password tab in user edit page

  • OPENIDM-16864: IDM Admin UI 'Help ?' links are broken

  • OPENIDM-16836: Releasing acquired triggers in RepoJobStore shutdown causes Quartz NPE when job/trigger next executed

  • OPENIDM-16819: Scheduler Service may execute before scheduled service is ready

  • OPENIDM-16816: Node added to cluster causes recon exceptions

  • OPENIDM-16810: SCIM sample provisioner: bad format for maximumConnections

  • OPENIDM-16809: Config changes are not always ready after using waitForCompletion

  • OPENIDM-16808: connectionTimeout is string instead of integer in Oracle repo sample config

  • OPENIDM-16774: Provide full details of schedules in the IDM admin UI

  • OPENIDM-16771: Updating managed/user property from the EndUserUI fails with policy validation error if there are Required relationships

  • OPENIDM-16748: Clustered recon: target phase can run during first source page if page size only slightly less than total number of entries reconciled

  • OPENIDM-16731: Bulk import - user gets updated when imported twice

  • OPENIDM-16727: Admin UI displays object relationships incorrectly when uninitialised virtual property is present

  • OPENIDM-16725: managed.json updated incorrectly when relationship property is modified in the UI

  • OPENIDM-16696: Failing to load a CA-signed certificate due to restrictive KeyUsage constraints in the certificates themselves

  • OPENIDM-16687: Improve error handling when creating managed object with an invalid condition

  • OPENIDM-16678: Clustered recon fails with "Schedule does not exist"

  • OPENIDM-16677: Cannot retrieve entries from /recon endpoint when using DS as a repo if reconprogressstate size exceeds index limits

  • OPENIDM-16641: UI: Legacy Admin - config logic field "deleteQueryConfig" is leaking into UI generated managed config

  • OPENIDM-16640: Updated relationship properties are no longer available to property onRetrieve hooks after object onUpdate

  • OPENIDM-16633: OpenIDM fails to start with custom properties on Windows

  • OPENIDM-16607: If deletion of the previous recon data under ou=assoc fails the data is never cleaned up

  • OPENIDM-16581: DS maximum entry size exceeded when writing target ids corresponding to source ids for large page sizes in clustered recon

  • OPENIDM-16571: default truststore doesn’t include root cert required for MS Graph API Connector

  • OPENIDM-16567: Workflow: store task complete variables in process

  • OPENIDM-16565: NPE when querying report/audit/* endpoint

  • OPENIDM-16557: managedUserLink is in docs and samples for PASSTHROUGH authn but is not used

  • OPENIDM-16545: Custom endpoint API Descriptor not being loaded

  • OPENIDM-16530: Concurrent Modification Exception serializing VertexTraversalContext

  • OPENIDM-16519: QueryFilters on reference properties do not work with ds as a repo

  • OPENIDM-16510: Delegated Admin UI cannot demote owner/admin from org

  • OPENIDM-16484: Error when accessing managed user object that has relationship to itself

  • OPENIDM-16479: Privileges not displayed when user authenticates with certificate

  • OPENIDM-16478: Environment Variables do not get parsed when added to managed.json

  • OPENIDM-16472: Relationship properties sent to repo as part of defaultPostMapping patch

  • OPENIDM-16452: Explicitly mapped boolean fields return as Strings in JSON payloads

  • OPENIDM-16449: End User UI allows DA to perform operations that are disallowed by Admin UI on “relationship” type attributes

  • OPENIDM-16444: Content-API-Version header does not appear in REST call in IDM 7.0.1

  • OPENIDM-16424: UI does not save changes to "Action to perform after retry attempts"

  • OPENIDM-16420: The valid-email-address-format policy requires refinement

  • OPENIDM-16414: Re-installing bundles via Felix webconsole generates errors/stacktraces on console

  • OPENIDM-16386: Inconsistent policy evaluation between replace and add no-op PATCH requests

  • OPENIDM-16379: Removing values from a multi-valued managed/user property fails with policy validation error if the property is set to Required

  • OPENIDM-16377: PATCH operations fail with unmapped fields on explicit repos under certain conditions

  • OPENIDM-16335: NPE on org model children endpoint when making a request that contains an error

  • OPENIDM-16296: Intermittent failure to parse timestamp when querying the report/audit endpoint

  • OPENIDM-16290: DA: Resulting privileges calculated incorrectly if object update modifies the qualifying attribute

  • OPENIDM-16238: Deadlock on IDM shutdown

  • OPENIDM-16233: Percent encoded slashes are NOT FOUND while running RECON using changelog

  • OPENIDM-16081: Prevent users saving managed objects with invalid names

  • OPENIDM-15975: Multi-column index on Postgresql should be replaced by multiple single-column indexes

  • OPENIDM-15932: Blank Page shown for Admin UI Login-in Page in IE11

  • OPENIDM-15911: Dropwizard Table with Graph causing unexpected behavior in the Admin UI

  • OPENIDM-15905: socialUserClaim endpoint to support a hashed password

  • OPENIDM-15843: RouterAuditEventHandler groovy script throws an error when trying to write out Scheduler events to activity audit.

  • OPENIDM-15792: Selfservice registration submits input as string for boolean attribute

  • OPENIDM-15670: Workflow Invocation Does Not Work with Platform Enduser UI 7.0 in AM/IDM Integrated deployments

  • OPENIDM-15511: IDM Admin console - Paging controls in managed objects are disabled

  • OPENIDM-15050: Please add SchemaScript.groovy to audit-jdbc sample

  • OPENIDM-14666: SCIM connector cannot be configured through the UI

  • OPENIDM-11765: Warnings on startup with Java 11

Limitations

ForgeRock Identity Management 7.2 has the following known limitations:

Workflow limitations

  • Workflows are not supported with a DS repository. If you are using a DS repository for IDM data, you must configure a separate JDBC repository as the workflow datasource.

  • The embedded workflow and business process engine is based on Flowable and the Business Process and Notation (BPMN) 2.0 standard. As an embedded system, local integration is supported. Remote integration is not currently supported.

Queries with a DS repository

For DS repositories, relationships must be defined in the repository configuration (repo.ds.json). If you do not explicitly define relationships in the repository configuration, you will be able to query those relationships, but filtering and sorting on those queries will not work. For more information, see Relationship Properties in a DS Repository.

Queries with an OracleDB repository

For OracleDB repositories, queries that use the queryFilter syntax do not work on CLOB columns in explicit tables.

Queries with privileges

Query filters used for privileges can only reference direct attributes of the object. For example, relationship fields cannot be referenced in a privilege filter.

Connector limitations

  • When you add or edit a connector through the admin UI, the list of required Base Connector Details is not necessarily accurate for your deployment. Some of these details might be required for specific deployment scenarios only. If you need a connector configuration where not all the Base Connector Details are required, you must create your connector configuration file over REST or by editing the provisioner file. For more information, see Configure connectors.

If-Match requests

A conditional GET request, with the If-Match request header, is not supported.

Known issues

This topic lists important issues that remain open at the time of release.

IDM issues

  • OPENIDM-17813: File content incorrect on read

  • OPENIDM-17749: DB2 repo failed to query cluster states. Lock balancing aborted

  • OPENIDM-17665: Undocumented behavior change with internal roles/users security

  • OPENIDM-17631: Overriding the key “aliases” in conf/secrets.json using $array and $list coercion type to support multiple key aliases is not working

  • OPENIDM-17518: 500 Internal Server Error when making PUT and POST requests against a managed endpoint that doesn’t exist

  • OPENIDM-17516: Pattern policy ignored when doing operation replace with empty values

  • OPENIDM-17488: Removing a parent relationship from a child org as owner/admin of that parent org returns a 404 instead of a 200 on JDBC/MySQL as repo

  • OPENIDM-17375: IDM info/ping endpoint intermittently throws NPE

  • OPENIDM-17345: Changing default rest context to /svc/idm rather than /idm causes UI to misbehave

  • OPENIDM-17255: The admin UI breaks the schema when editing it

  • OPENIDM-17190: PBKDF2 pre-hashed passwords from IDM not working on DS

  • OPENIDM-16923: If all KBA info questions are deleted through UI, question index is corrupted

  • OPENIDM-16825: User updates needs to be submitted twice

  • OPENIDM-16804: Admin UI forgets mat-icon setting when object properties are re-ordered

  • OPENIDM-16796: Error message: Only "replace" patch operation is supported on /kbaInfo when set to viewable

  • OPENIDM-16795: Inconsistent URLs when hovering on Admin UI home page OOTB widgets across IDM versions

  • OPENIDM-16791: Booleans show up in the end user ui even if set as not viewable

  • OPENIDM-16631: Cron-like Trigger for Weekly schedule shows incorrectly

  • OPENIDM-16618: Admin UI sends encrypted data as string when an unrelated attribute is modified

  • OPENIDM-16615: Admin UI duplicates patch operations when adding manager

  • OPENIDM-16564: 404 Error when viewing recon events in System Monitoring Dashboard

  • OPENIDM-16528: Properties defined as "nullable" become required

  • OPENIDM-16516: Incoherent script hooks bindings when PATCH a relationship collection containing relationship properties

  • OPENIDM-16487: The UI should allow the admin to select which linkQualifier the assignment belongs to

  • OPENIDM-16465: Saved powershell connector config through admin UI is not valid

  • OPENIDM-16463: API explorer failing in platform integration

  • OPENIDM-16453: Enduser login fails if user _id contains special characters

  • OPENIDM-16443: Setting RCS Cluster Load Balancing Algorithm to round robin results in failed recons for large datasets

  • OPENIDM-16441: Enduser UI can fail to load organizations when the managed organization schema is updated

  • OPENIDM-16432: Self-service registration submits input as string for number attribute

  • OPENIDM-16201: Policy validation for new managed objects occurs against previously accessed object

  • OPENIDM-16108: Creating assignments via REST breaks IDM UI elements

  • OPENIDM-15702: INTERNAL_USER auth module no longer in the default config

  • OPENIDM-15623: DS Repo performance issues with large number of role members without paging

  • OPENIDM-15585: Admin UI doesn’t display correct enable state for Audit Event Handlers

  • OPENIDM-15322: Query on relationship endpoint with *_ref without paging takes much longer time to return with external DS as repo

  • OPENIDM-15284: authzRoles property does not show or accept addition of resource collection

  • OPENIDM-15145: UI: Audit Filter Policies only save to "excludeIf"

ICF/Connector issues

For an up-to-date list of known ICF and connector issues, refer to Known issues in the Connector documentation.

Documentation

Date Description

2024-04-01

Added deprecation for "Sign In with LinkedIn". Refer to Deprecation → Social authentication.

2023-11-11

Added support for ForgeRock Directory Services (DS) 7.4.

2023-09-26

Updated all uses of factoryPid to instanceName and added further clarifications to the remote proxy documentation.

2023-07-24

  • Initial release of Identity Management 7.2.2 software.

  • Added a note regarding repository upgrade.

2023-03-14

ICF-related documentation now direct the reader to use updated documentation on Backstage instead. Use the new documentation for any future ICF updates going forward.

2022-09-28

Initial release of Identity Management 7.2.1 software.

2022-06-30

Initial release of Identity Management 7.2.0 software.

Appendix A: Release levels and interface stability

ForgeRock product release levels

ForgeRock defines Major, Minor, Maintenance, and Patch product release levels. The release level is reflected in the version number. The release level tells you what sort of compatibility changes to expect.

Release Level Definitions
Release Label Version Numbers Characteristics

Major

Version: x[.0.0] (trailing 0s are optional)

  • Bring major new features, minor features, and bug fixes

  • Can include changes even to Stable interfaces

  • Can remove previously Deprecated functionality, and in rare cases remove Evolving functionality that has not been explicitly Deprecated

  • Include changes present in previous Minor and Maintenance releases

Minor

Version: x.y[.0] (trailing 0s are optional)

  • Bring minor features, and bug fixes

  • Can include backwards-compatible changes to Stable interfaces in the same Major release, and incompatible changes to Evolving interfaces

  • Can remove previously Deprecated functionality

  • Include changes present in previous Minor and Maintenance releases

Maintenance, Patch

Version: x.y.z[.p]

The optional .p reflects a Patch version.

  • Bring bug fixes

  • Are intended to be fully compatible with previous versions from the same Minor release

ForgeRock product stability labels

ForgeRock products support many features, protocols, APIs, GUIs, and command-line interfaces. Some of these are standard and very stable. Others offer new functionality that is continuing to evolve.

ForgeRock acknowledges that you invest in these features and interfaces, and therefore must know when and how ForgeRock expects them to change. For that reason, ForgeRock defines stability labels and uses these definitions in ForgeRock products.

ForgeRock Stability Label Definitions
Stability Label Definition

Stable

This documented feature or interface is expected to undergo backwards-compatible changes only for major releases. Changes may be announced at least one minor release before they take effect.

Evolving

This documented feature or interface is continuing to evolve and so is expected to change, potentially in backwards-incompatible ways even in a minor release. Changes are documented at the time of product release.

While new protocols and APIs are still in the process of standardization, they are Evolving. This applies for example to recent Internet-Draft implementations, and also to newly developed functionality.

Legacy

This feature or interface has been replaced with an improved version, and is no longer receiving development effort from ForgeRock.

You should migrate to the newer version, however the existing functionality will remain.

Legacy features or interfaces will be marked as Deprecated if they are scheduled to be removed from the product.

Deprecated

This feature or interface is deprecated and likely to be removed in a future release. For previously stable features or interfaces, the change was likely announced in a previous release. Deprecated features or interfaces will be removed from ForgeRock products.

Removed

This feature or interface was deprecated in a previous release and has now been removed from the product.

Technology Preview

Technology previews provide access to new features that are considered as new technology that is not yet supported. Technology preview features may be functionally incomplete and the function as implemented is subject to change without notice. DO NOT DEPLOY A TECHNOLOGY PREVIEW INTO A PRODUCTION ENVIRONMENT.

Customers are encouraged to test drive the technology preview features in a non-production environment and are welcome to make comments and suggestions about the features in the associated forums.

ForgeRock does not guarantee that a technology preview feature will be present in future releases, the final complete version of the feature is liable to change between preview and the final version. Once a technology preview moves into the completed version, said feature will become part of the ForgeRock platform. Technology previews are provided on an “AS-IS” basis for evaluation purposes only and ForgeRock accepts no liability or obligations for the use thereof.

Internal/Undocumented

Internal and undocumented features or interfaces can change without notice. If you depend on one of these features or interfaces, contact ForgeRock support or email info@forgerock.com to discuss your needs.

Appendix B: Getting support

ForgeRock provides support services, professional services, training through ForgeRock University, and partner services to assist you in setting up and maintaining your deployments. For a general overview of these services, see https://www.forgerock.com.

ForgeRock has staff members around the globe who support our international customers and partners. For details on ForgeRock’s support offering, including support plans and service level agreements (SLAs), visit https://www.forgerock.com/support.

ForgeRock publishes comprehensive documentation online:

  • The ForgeRock Knowledge Base offers a large and increasing number of up-to-date, practical articles that help you deploy and manage ForgeRock software.

    While many articles are visible to community members, ForgeRock customers have access to much more, including advanced information for customers using ForgeRock software in a mission-critical capacity.

  • ForgeRock product documentation, such as this document, aims to be technically accurate and complete with respect to the software documented. It is visible to everyone and covers all product features and examples of how to use them.