IDM 7.3.1

Release notes

ForgeRock Identity Management (IDM) software provides centralized, simple management and synchronization of identities for users, devices, and things. IDM software is highly flexible and therefore able to fit almost any use case and workflow.

These release notes are written for anyone using the IDM 7.3 release. Read these notes before you install or upgrade ForgeRock Identity Management software.

ForgeRock Identity Platform™ serves as the basis for our simple and comprehensive Identity and Access Management solution. We help our customers deepen their relationships with their customers, and improve the productivity and connectivity of their employees and partners. For more information about ForgeRock and about the platform, refer to https://www.forgerock.com.

The ForgeRock Common REST API works across the platform to provide common ways to access web resources and collections of resources.

What’s new

Maintenance releases

ForgeRock maintenance releases contain a collection of fixes and minor RFEs grouped together and released as part of our commitment to support our customers. For general information about ForgeRock’s maintenance and patch releases, see Maintenance and Patch Availability Policy.

IDM 7.3.1 is the latest release targeted for IDM 7.3 deployments and can be downloaded from the ForgeRock Download Center.

You can deploy the release as an initial deployment or as an update from an existing 7.3.x deployment. For information on updating from 7.3.x, refer to Update to a maintenance release.

IDM 7.3.1 features

Workflow engine upgrade

The Flowable embedded workflow engine has been upgraded to version 6.8.0. If you are upgrading from a previous version of IDM and use workflow, this upgrade requires one or more incremental upgrade scripts. For more information, refer to Upgrade an existing repository.

End User UI supports array properties

Array properties now display in the End User UI.

IDM 7.3.0 features

Support for Bouncy Castle FIPS

IDM now supports the use of Bouncy Castle FIPS as a security provider. Bouncy Castle FIPS is useful when dealing with government data, where meeting the FIPS 140-2 security requirement is necessary for regulatory compliance.

For information on how to configure Bouncy Castle, refer to FIPS 140-2 compliance.

Support for UTF-8 email addresses

IDM now supports UTF-8 (non-ASCII, international) characters in email addresses, such as zoë@example.com. When sending emails to these types of addresses, the configured SMTP server must also support UTF-8.

Disable delegated administrator sort and filter while searching

You can now disable delegated administrator sort and filter while searching resource collections in the End User UI. For more information, refer to Disable sort and filter for resource collections.

Workflows now support JavaScript

IDM workflows now support JavaScript in addition to Groovy. For more information about scripting workflows, refer to BPMN 2.0 and workflow tools.

Patch operation improvements

It is now possible to patch the root of an object. The only supported patch operations on the root of an object are remove and replace.

Improvements to the /system endpoint

/system endpoints now support specifying additional fields when also using *. This allows callers to get fields that are not returned by default.

New sync mapping configuration fields

New sync mapping configuration fields, defaultSourceFields and defaultTargetFields, allow specifying which fields to use for read and query requests made on source and target resource collections.

Security advisories

ForgeRock issues security advisories in collaboration with our customers and the open source community to address any security vulnerabilities transparently and rapidly. ForgeRock’s security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.

For details of all the security advisories across ForgeRock products, refer to Security Advisories in the Knowledge Base library.

Before you install

This section covers requirements before you run ForgeRock Identity Management software, especially in a production environment. If you have a special request to support a component or combination not listed here, contact ForgeRock at info@forgerock.com.

Hardware and memory requirements

Due to the underlying Java platform, IDM software runs well on a variety of processor architectures.

When you install IDM for evaluation with the embedded DS repository, you need:

  • 256 MB memory (32-bit) or 1 GB memory (64-bit) available.

  • 10 GB free disk space for the software and sample data.

A DS repository (whether embedded or external) requires free disk space of 5% of the filesystem size, plus 1 GB by default. To change this requirement, set the disk-full-threshold in the DS configuration. For more information, refer to Disk Space Thresholds in the DS Maintenance Guide.

In the case of an embedded DS instance, you can manage the configuration using the dsconfig command in /path/to/openidm/db/openidm/opendj/bin.

In production, disk space and memory requirements depend on the size of your external repository, as well as the size of the audit and service log files that IDM creates.

The amount of memory that IDM consumes is highly dependent on the data that it holds. Queries that return large data sets will have a significant impact on heap requirements, particularly if they are run in parallel with other large data requests. To avoid out-of-memory errors, analyze your data requirements, set the heap configuration appropriately, and modify access controls to restrict requests on large data sets.

IDM exposes many JVM metrics to help you analyze the amount of memory that it is consuming. For more information on analyzing hardware and memory performance, see Load testing.

Operating System requirements

IDM 7.3 software is supported on the following operating systems:

  • Red Hat Enterprise Linux (and Rocky Linux) 7.9, 8.7, and 9.1

  • Ubuntu Linux 20.04 and 22.04

  • Windows Server 2019 and 2022

Java requirements

IDM software supports the following Java environments:

Supported Java Versions

  • OpenJDK, including OpenJDK-based distributions (AdoptOpenJDK/Eclipse Temurin, Amazon Corretto, Azul Zulu, and Red Hat OpenJDK): versions 11 and 17*

    ForgeRock tests most extensively with AdoptOpenJDK/Eclipse Temurin. ForgeRock recommends using the HotSpot JVM.

  • Oracle Java: versions 11 and 17*

* Version 17.0.3 or higher.

ForgeRock recommends that you keep your Java installation up to date with the latest security fixes.

Supported web application containers

You must install IDM as a standalone service, using the bundled Apache Felix framework and Jetty web application container. Alternate containers are not supported. IDM bundles Jetty version 9.4.48.

Supported repositories

The following repositories are supported for use in production:

  • ForgeRock Directory Services (DS) 7.2, 7.3, and 7.4.

    By default, IDM uses an embedded DS instance for testing purposes. The embedded instance is not supported in production. If you want to use DS as a repository in production, you must set up an external instance.

  • MySQL version 5.7 and 8.0 with MySQL JDBC Driver Connector/J 8.0.

    Do not use Connector/J versions 8.0.23 through 8.0.25.

  • MariaDB version 10.6.11 and 10.10.2 with MySQL JDBC Driver Connector/J 8.0.

    Do not use Connector/J versions 8.0.23 through 8.0.25.

  • Microsoft SQL Server 2019 and 2022.

  • Oracle Database 19c and 21c.

  • PostgreSQL 13.10, 14.7, and 15.2.

  • IBM DB2 11.5.

ForgeRock supports repositories in cloud-hosted environments, such as AWS and GKE Cloud, as long as the underlying repository is supported. In other words, the repositories listed above are supported, regardless of how they are hosted.

These repositories might not be supported on all operating system platforms. Refer to the specific repository documentation for more information.

Do not mix and match versions. For example, if you are running Oracle Database 19c, and want to take advantage of the support for Oracle UCP, download driver and companion JARs for Oracle version 19c.

Supported browsers

The IDM UI has been tested with the latest, stable versions of the following browsers:

  • Chrome and Chromium

  • Edge

  • Firefox

  • Safari

Supported connectors

IDM bundles the following connectors:

  • Adobe Cloud Marketing connector

  • CSV File connector

  • Database Table connector

  • Google Apps connector

  • Groovy Connector Toolkit

    This toolkit lets you create scripted connectors to virtually any resource.

  • Kerberos connector

    The Kerberos connector bundled with IDM 7 is not backward-compatible with IDM 6.x. IDM 7 uses Groovy version 3.0. IDM 6.5 uses version 2.5, and IDM 6 uses version 2.4. The bundled Kerberos connector requires Groovy version 3.0.

  • LDAP connector

    Using the LDAP connector to provision to Active Directory is supported with Active Directory Domain Controllers, Active Directory Global Catalogues, and Active Directory Lightweight Directory Services (LDS).

  • Marketo connector

  • MongoDB connector

  • Microsoft Graph API connector

  • Salesforce connector

  • SCIM connector

  • Scripted REST connector

    The scripted REST connector bundled with IDM 7 is not backward-compatible with IDM 6.x. IDM 7 uses Groovy version 3.0. IDM 6.5 uses version 2.5, and IDM 6 uses version 2.4. The bundled scripted REST connector requires Groovy version 3.0.

  • Scripted SQL connector

    The scripted SQL connector bundled with IDM 7 is not backward-compatible with IDM 6.x. IDM 7 uses Groovy version 3.0. IDM 6.5 uses version 2.5, and IDM 6 uses version 2.4. The bundled scripted SQL connector requires Groovy version 3.0.

  • ServiceNow connector

  • Scripted SSH connector

    The scripted SSH connector bundled with IDM 7 is not backward-compatible with IDM 6.x. IDM 7 uses Groovy version 3.0. IDM 6.5 uses version 2.5, and IDM 6 uses version 2.4. The bundled scripted SSH connector requires Groovy version 3.0.

Additional connectors are available from the ForgeRock BackStage download site.

A PowerShell Connector Toolkit is bundled with the .NET remote connector server. This toolkit lets you create scripted connectors to address the requirements of your Microsoft Windows ecosystem.

Windows Server 2012 R2, 2016, and 2019 are supported as the remote systems for connectors and password synchronization plugins.

You must use the supported versions of the .NET Remote Connector Server (RCS), or the Java Remote Connector Server (RCS). The 1.5.x Java RCS is backward-compatible with the version 1.1.x connectors. The 1.5.x .NET RCS is compatible only with the 1.4.x and 1.5.x connectors. For more information, refer to IDM / ICF Compatibility Matrix.

The Java RCS requires Java 11 or Java 17, and is supported on any platform on which Java runs.

The .NET RCS requires the .NET framework (version 4.6.2 or later) and is supported on Windows Server versions 2012 R2, 2016, and 2019.

Although the scripted connector toolkits are supported, connectors that you build with these toolkits are not supported. You can find examples of how to build connectors with these toolkits in Samples.

The following table lists the connector and RCS versions that are supported across IDM versions. For a list of connectors supported with this IDM release, refer to the ICF connector documentation. For a list of connector releases associated with this version of IDM, refer to the ICF release notes.

IDM / ICF Compatibility Matrix

  • IDM 4.x

    RCS version: 1.4.x, 1.5.x
    Java connectors: version 1.1.x - 1.5.x
    Scripted Groovy connectors: Scripted REST, Scripted CREST, Scripted SQL, SSH, Kerberos connectors up to version 1.5.1.0
    .NET connectors: PowerShell Connector 1.4.x

  • IDM 5.x

    RCS version: 1.4.x, 1.5.x
    Java connectors: version 1.1.x - 1.5.x
    Scripted Groovy connectors: Scripted REST, Scripted CREST, Scripted SQL, SSH, Kerberos connectors up to version 1.5.1.0
    .NET connectors: PowerShell Connector 1.4.x

  • IDM 6.x

    RCS version: 1.4.x, 1.5.x
    Java connectors: version 1.1.x - 1.5.x
    Scripted Groovy connectors: Scripted REST, Scripted CREST, Scripted SQL, SSH, Kerberos connectors up to version 1.5.1.0
    .NET connectors: PowerShell Connector 1.4.x

  • IDM 7.x

    RCS version: 1.4.x, 1.5.x
    Java connectors: version 1.1.x - 1.5.x
    Scripted Groovy connectors: Scripted REST, Scripted SQL, SSH, Kerberos connectors version 1.5.x
    .NET connectors: PowerShell Connector 1.4.x, 1.5.x

Supported password synchronization plugins

The following table lists the supported password synchronization plugins:

  • DS Password Synchronization Plugin

    7.3.x, supported with DS 7.3.x and IDM 7.3.x
    7.1.x, supported with DS 7.1.x, DS 7.2.x, IDM 7.1.x, and IDM 7.2.x
    7.0.1, supported with DS 7.0.x, IDM 7.0.x, and IDM 7.1.x
    6.5.0, supported with DS 6.5.x and IDM 6.5.x
    6.0, supported with DS 6.0.x and IDM 6.0.x
    5.5.0, supported with DS 5.5.x and IDM 5.5.x
    5.0, supported with DS 5.0.x and IDM 5.0.x
    3.5, supported with OpenDJ 3.5 and OpenIDM 4.x

    DS Password Sync plugins are not supported with DS OEM.

  • Active Directory Password Synchronization Plugin

    1.7.0 and 1.5.0, supported on Windows Server versions 2012 R2, 2016, 2019, and 2022

Third-Party software

ForgeRock provides support for using the following third-party software when logging ForgeRock Common Audit events:

  • Java Message Service (JMS): 2.0 API

  • MySQL JDBC Driver Connector/J: 8 (at least 8.0.19)

    Do not use Connector/J versions 8.0.23 through 8.0.25.

  • Splunk: 8.0 (at least 8.0.2)

Elasticsearch and Splunk have native or third-party tools to collect, transform, and route logs. Examples include Logstash and Fluentd.

ForgeRock recommends that you consider these alternatives. These tools have advanced, specialized features focused on getting log data into the target system. They decouple the solution from the ForgeRock Identity Platform systems and version, and provide inherent persistence and reliability. You can configure the tools to avoid losing audit messages if a ForgeRock Identity Platform service goes offline, or delivery issues occur.

These tools can work with ForgeRock Common Audit logging:

  • Configure the server to log messages to standard output, and route from there.

  • Configure the server to log to files, and use log collection and routing for the log files.

Although ForgeRock does not provide support for these tools, you can use any of the following third-party software to monitor ForgeRock servers:

  • Grafana: 5 (at least 5.0.2)

  • Graphite: 1

  • Prometheus: 2.0

For Hardware Security Module (HSM) support, ForgeRock software requires a client library that conforms to the PKCS#11 standard v2.20 or later.

Incompatible changes

When you update to IDM 7.3.1 from the last major version, the following changes may impact existing deployments. Adjust existing scripts, files, clients, and so on, as necessary.

If you are upgrading from an older release, review the changed functionality from all releases after your current version of IDM:

Changes between IDM 7.3.0 and 7.3.1

Workflow engine upgrade

The Flowable embedded workflow engine has been upgraded to version 6.8.0. If you are upgrading from a previous version of IDM and use workflow, this upgrade requires one or more incremental upgrade scripts. For more information, refer to Upgrade an existing repository.

Changes between IDM 7.2.x and 7.3.0

Synchronization JSON array comparison is order-agnostic

JSON array comparison during sync is now order-agnostic. This change may remove the need for certain custom scripts within mappings, such as scripts that were previously required to sort ldapGroups values to avoid unnecessary target object updates.

Attribute encryption on assignments

Assignment attributes are now encrypted if the corresponding connector attribute indicates confidentiality, based on the attribute’s nativeType (such as JAVA_TYPE_GUARDEDSTRING or JAVA_TYPE_GUARDED_BYTE_ARRAY). As part of this change, the managed assignment object now includes the following property:

"attributeEncryption" : { }

If attributeEncryption is not present, the assignment attributes are not encrypted. If the property is present but empty, it will default to IDM’s default encryption cipher. To specify a different cipher, add the cipher property. For example:

"attributeEncryption" : {
  "cipher" : "AES/CBC/PKCS5Padding"
}

Additionally, secrets.json has a new secret: idm.assignment.attribute.encryption.

Deprecation

The following features are deprecated and likely to be discontinued in a future release.

Social authentication

Social authentication is deprecated and will be removed in a future release of IDM. The feature will be a function of AM. Once a user has logged in through AM (using a social provider or some other way), they can obtain an access token with that session and use the access token to interact with IDM through the rsFilter configuration.

Additionally, Microsoft has deprecated the "Sign In with LinkedIn" functionality as of August 1, 2023. Refer to Sign In with LinkedIn.

Access configuration in access.js

In previous releases, access rules were configured in the access.js script. This script has been replaced by an access.json configuration file that performs the same function. Existing deployments that use customized access.js files are still supported for backward compatibility. However, support for access rules defined in access.js is deprecated and will be removed in a future release. You should move these access rules to a conf/access.json file. For more information, refer to Authorization and roles.

Actions on scheduler endpoint

The action parameter on the scheduler endpoint was deprecated in Version 1 of the endpoint and is not supported in Version 2.

To validate a cron expression, use the validateQuartzCronExpression action on the scheduler/job endpoint, as described in Validate Cron Trigger Expressions.

Health endpoints

The health endpoints, used to monitor system activity, have been deprecated in this release, as their functionality was not considered to be of much use.

The information available on health/recon was node-specific. Instead, you can retrieve cluster-wide reconciliation details with a GET on the recon endpoint.

The information available on the health/os and health/memory endpoints can be retrieved by inspecting the JVM metrics.

Conditional query filters

The syntax of conditional query filters and scripts within notification filters has changed in this release. In previous IDM releases, request properties such as content in create and update requests or patchOperations in patch requests were referenced directly. For example, the notification-newReport.json configuration previously used the following query filter:

"condition" : "content/manager pr"

In IDM 7, query filters and scripts should reference the request object to obtain any request properties. Sample query filters have been changed accordingly. For example, the query filter in notification-newReport.json has been changed to the following:

"condition" : "request/content/manager pr",

This syntax is more verbose, but it lets script implementations use request visitors logic based on the request type, and is more consistent with generic router filters.

The old request syntax will still work in IDM 7.0, but is considered deprecated. Support for the old syntax will be removed in a future release. Note that this change is limited to notification filters. Filters such as those used with scripted endpoints have never supported direct access to request properties, and are therefore not changing. For more information on notification filters, refer to Configure notifications.
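The following JavaScript is an added example, not IDM's own code: it rewrites a query-filter condition from the deprecated direct-property syntax to the request-object syntax. It handles the two properties the notes name (content and patchOperations), leaves quoted literals untouched, and is a no-op on conditions that are already migrated; script-based notification filters are not covered. The sample conditions other than the one from notification-newReport.json are constructed for the demonstration.

```javascript
// Added example, not IDM code: migrate a deprecated notification filter condition that
// references request properties directly ("content/...", "patchOperations/...") to the
// IDM 7 form that reads them through the request object ("request/content/...").

// Root request properties that the old syntax referenced directly (the two the release
// notes name; extend this list if your filters use others).
var REQUEST_PROPERTIES = ['content', 'patchOperations'];

// Matches a bare root property at the start of a field path: it must not be preceded by a
// word character or a "/" (so "request/content" is already migrated and "xcontent" is
// unrelated) and must be followed by "/", whitespace, ")" or end of input.
var ROOT_PROPERTY = new RegExp(
  '(^|[^\\w/])(' + REQUEST_PROPERTIES.join('|') + ')(?=/|\\s|\\)|$)', 'g');

function migrateCondition(condition) {
  // Split out double-quoted string literals (keeping escaped quotes intact) so that a
  // value such as "content/x" on the right-hand side of a comparison is never rewritten.
  var parts = condition.split(/("(?:[^"\\]|\\.)*")/);
  return parts.map(function (part, index) {
    if (index % 2 === 1) {
      return part; // quoted literal: leave untouched
    }
    return part.replace(ROOT_PROPERTY, '$1request/$2');
  }).join('');
}

// Constructed conditions: the first is the one from notification-newReport.json in the
// release notes; the others are made up for the demonstration.
var OLD_CONDITIONS = [
  'content/manager pr',
  'request/content/manager pr',
  '(content/mail pr and content/sn eq "content/x")',
  'patchOperations/0/field eq "/mail"'
];

OLD_CONDITIONS.forEach(function (c) {
  console.log(JSON.stringify(c) + ' -> ' + JSON.stringify(migrateCondition(c)));
});
```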

Self-Service stages

Self-Service Stages (described in Self-service stage reference) are deprecated in this release and support for their use will be removed in a future release. From IDM 7 onwards, this functionality is replaced by AM Authentication Trees.

oauthReturn endpoint

Support for oauthReturn as an endpoint for OAuth2 and OpenID Connect standards has been deprecated for interactions with AM and will be removed in a future release. Support for interactions with social identity providers was removed in IDM 6.5.0.

Default versions of relevant configuration files no longer include oauthReturn in the redirectUri setting. However, for IDM 7.3, these configuration files should still work both with and without oauthReturn in the endpoint.

timeZone in schedules

In Configure schedules, setting a time zone using the timeZone field is deprecated. To specify a time zone for schedules, use the startTime and endTime fields.

MD5 and SHA-1 hash algorithms

Support for the MD5 and SHA-1 hash algorithms is deprecated and will be removed in a future release. You should use more secure algorithms in a production environment. For a list of supported hash algorithms, refer to Salted Hash Algorithms.

JAVA_TYPE_DATE attribute type

Support for the native attribute type, JAVA_TYPE_DATE, is deprecated and will be removed in a future release. This property-level extension is an alias for string. Any dates assigned to this extension should be formatted per ISO 8601.

POST request with ?_action=patch

Support for a POST request with ?_action=patch is deprecated when patching a specific resource. You can still use ?_action=patch when patching by query on a collection.

Clients that do not support the regular PATCH verb should use the X-HTTP-Method-Override header instead.

For example, the following POST request uses the X-HTTP-Method-Override header to patch user jdoe’s entry:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--header "Content-Type: application/json" \
--request POST \
--header "X-HTTP-Method-Override: PATCH" \
--data '[
    {
        "operation":"replace",
        "field":"/description",
        "value":"The new description for Jdoe"
    }
]' \
"http://localhost:8080/openidm/managed/user/jdoe"

minLength property

The managed object property minLength is deprecated. When you need to specify a minimum length for a property, use the minimum-length policy:

{
    "policyId" : "minimum-length",
    "params" : {
        "minLength" : 8
    }
}

Splunk and Elasticsearch audit handlers

The Splunk and Elasticsearch audit event handlers are deprecated and will be removed in a later release.

IDM 7.3 supports both file-based audit handlers and logging to standard output, which Elasticsearch and Splunk can consume.

Read requests at top of /config

Support for top-level read requests to the /config endpoint is deprecated. You can still retrieve a list of config IDs by querying the /config endpoint.

Defining object schema type attribute in an array when it is a single type

Support for specifying an object’s schema type attribute in an array when there is only a single type is deprecated and will be removed in a later release.

This affects schemas with type attribute definitions in the form:

{
    "type" : ["string"]
}

type attribute definitions in this form should be updated to:

{
    "type" : "string"
}

For additional information, refer to the JSON schema type attribute definition.
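As an added example (not IDM's own code), the following JavaScript walks a constructed managed object schema and unwraps single-element type arrays in place, leaving genuine multi-type arrays such as ["string", "null"] untouched and reporting the JSON pointer of each location it changed. The schema fragment is made up for the demonstration and property names are assumed not to contain "/" or "~".

```javascript
// Added example, not IDM code: rewrite deprecated single-element "type" arrays in a
// managed object schema ({"type": ["string"]}) to the plain form ({"type": "string"}).
// Multi-type arrays such as ["string", "null"] are not single types and are left alone.

// Constructed managed.json fragment for the demonstration (not a real IDM schema).
var SAMPLE_MANAGED_OBJECT = {
  "name": "user",
  "schema": {
    "type": "object",
    "properties": {
      "userName": { "type": ["string"] },
      "mail": { "type": ["string", "null"] },
      "roles": {
        "type": ["array"],
        "items": {
          "type": ["relationship"],
          "properties": { "_ref": { "type": ["string"] } }
        }
      }
    }
  }
};

// Walks the schema depth-first. Every "type" key whose value is a one-element array of
// strings is unwrapped in place; the JSON pointer of each rewritten key is collected.
// Assumption: keys contain no "/" or "~", so no JSON pointer escaping is applied.
function unwrapSingleTypeArrays(node, path, changed) {
  if (Array.isArray(node)) {
    node.forEach(function (child, i) {
      unwrapSingleTypeArrays(child, path + '/' + i, changed);
    });
  } else if (node !== null && typeof node === 'object') {
    Object.keys(node).forEach(function (key) {
      var value = node[key];
      var childPath = path + '/' + key;
      if (key === 'type' && Array.isArray(value) && value.length === 1
          && typeof value[0] === 'string') {
        node[key] = value[0];
        changed.push(childPath);
      } else {
        unwrapSingleTypeArrays(value, childPath, changed);
      }
    });
  }
  return changed;
}

// Returns a migrated deep copy of the schema plus the list of rewritten locations, so
// the original object is not mutated and the change can be reviewed before saving.
function migrateTypeArrays(managedObject) {
  var copy = JSON.parse(JSON.stringify(managedObject));
  var changed = unwrapSingleTypeArrays(copy, '', []);
  return { schema: copy, changed: changed };
}

var migrated = migrateTypeArrays(SAMPLE_MANAGED_OBJECT);
console.log(JSON.stringify(migrated.changed, null, 2));
// → four rewritten locations; "mail" keeps its ["string", "null"] type
```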

Discontinued

No features or functionality were removed in this release.

Fixed issues

IDM 7.3.1

The following important bugs were fixed in this release:

  • OPENIDM-19467: Sync initialization mapping failures in one mapping will not disrupt other mappings from initializing

  • OPENIDM-19328: Queued Sync does not recover intermittently following node restart

  • OPENIDM-19192: Edit Personal Info required to be read-only not working as expected

  • OPENIDM-19141: Honor the tablePrefix and tablePrefixIsSchema configuration options that allow the customer to prefix tables for workflow

  • OPENIDM-18875: Incorrect behavior in handling variables in workflow subprocesses

  • OPENIDM-18613: Setting external system’s userPassword to null does not remove userPassword attribute when nativeName is __PASSWORD__

  • OPENIDM-17481: Managed object schema can now describe a field as a nullable array and specify a default value for this field if not provided in a create request

IDM 7.3.0

The following important bugs were fixed in this release:

  • OPENIDM-18895: ManagedObjectSet patch contract lacks proper MVCC retry

  • OPENIDM-18875: Incorrect behavior in handling variables in workflow subprocesses

  • OPENIDM-18870: No ability to delete an inline reconciliation or schedule script

  • OPENIDM-18868: Inability to save a schedule when you add or remove a passed variable

  • OPENIDM-18865: Script changes cannot be saved unless you click outside of the Inline Script box

  • OPENIDM-18831: Order agnostic JsonValue comparisons necessary in sync

  • OPENIDM-18827: Delegated Admin UI - option to disable relationshipArray grid sorting and searching

  • OPENIDM-18823: Explicitly ask for all non-reference fields when presented with '*'

  • OPENIDM-18807: IDM sample "Provision user with workflow" is not working as expected

  • OPENIDM-18806: SpecReference caused regressions for explicit

  • OPENIDM-18794: queryFilter should not be transformed if already transformed

  • OPENIDM-18779: Legal noticed disappeared from OpenIDM zip

  • OPENIDM-18776: Sync operation fails silently without error when linkQualifier script returns wrong data type

  • OPENIDM-18753: Fields on a non-configured relationship request no longer returning

  • OPENIDM-18739: Authz - own relationship query is outdated

  • OPENIDM-18707: JsonUtil.jsonValueIsEqualWithoutRespectingOrder does not work when consumed via javascript

  • OPENIDM-18656: Read for singleton reverse spec reference is not working

  • OPENIDM-18629: Clustered recon source page jobs should use nanotime within job identifier

  • OPENIDM-18625: Top-level router contains route to empty subrouter on route deregistration

  • OPENIDM-18580: It’s not possible to type in a Base DN containing a space in IDM native console.

  • OPENIDM-18544: AD User with a Manager Cannot Update Manger in IDM

  • OPENIDM-18509: AM is unable to list groups created by IDM if DS repo is restarted.

  • OPENIDM-18506: IDC’s internal.json should be in conf directory

  • OPENIDM-18498: Queued Sync not triggered if target is a CREST proxy endpoint

  • OPENIDM-18483: Add "name" to resourceCollection query fields for Platform and FeatureService Groups

  • OPENIDM-18476: Changing a managed object field of type number results in a default value of 0 if not set

  • OPENIDM-18444: MVCC semantics not enforced during target update synchronization operations

  • OPENIDM-18414: Error in pwpolicy.js from multiple-passwords sample

  • OPENIDM-18411: RDVP values can be removed upon signal receipt when multiple multi-traversal RDVPs have matching initial traversal relationship

  • OPENIDM-18388: ClusteredReconWatchdog will incorrectly schedule sourcePageCompletionCheck jobs for a reconById recon running against a mapping configured for clustered recon

  • OPENIDM-18360: One-to-many relationship not enforced when delegated admin has no openidm-admin role

  • OPENIDM-18336: "managed/assignment" missing the "condition" property in default DS repo config

  • OPENIDM-18335: Assignment processing can mutate source effective assignments resulting in incorrect lastSync state

  • OPENIDM-18272: Save managed object properties correctly in Identity Management native console

  • OPENIDM-18247: get_target_preview_external_user_provisioned_linked_mapping test is failing with "Expected a single link, found 0"

  • OPENIDM-18243: Connector names need to be validated as alpha-numeric in UI

  • OPENIDM-18238: clustered recon: schedule creation in response to orphaned job may incorrectly propagate source pages, resulting in 'hung' recon

  • OPENIDM-18192: Virtual property is removed when another Virtual property is updated

  • OPENIDM-18167: mergeWithTarget assignment operation handles previously replaced object incorrectly

  • OPENIDM-18153: Throw statement truncates user-defined exception

  • OPENIDM-18149: Relationship entry needs to be selected two times to see the "Remove" option in End User UI

  • OPENIDM-18138: Setting empty conditional grants on 'old' object state causes all conditional relationships to be queried during RDVP calculations for both managed object update and signal receipt

  • OPENIDM-18123: Correctly load scripts that use ISO 8859-1 encoding

  • OPENIDM-18077: The CANNOT_CONTAIN_OTHERS password policy in IDM is case sensitive.

  • OPENIDM-18067: SourcePageToken equals, toString, and hashCode incomplete

  • OPENIDM-18064: ReconCancellation initialization should handle the activation→deactivation→activation of the ReconciliationService

  • OPENIDM-18001: Locale codes not working correctly in email templates

  • OPENIDM-17980: Inconsistent Policy Validation message on Admin UI for some policyId’s

  • OPENIDM-17954: POST _action=create for undefined resource collection results in internal server error

  • OPENIDM-17937: Recon query retry value should be increased to a total span > (rcs_staggered_connection_creator_interval + rcs_houskeeping_interval)

  • OPENIDM-17900: Workday connector fails to start

  • OPENIDM-17894: 404 page license is three years out of date

  • OPENIDM-17837: Unable to index nested arrays with JDBC repos

  • OPENIDM-17825: JsonValuePatch throws an NPE when patching a subject missing a field used in the complex filter

  • OPENIDM-17771: Processing of misfired triggers eventually leads to failure of all scheduled tasks

  • OPENIDM-17750: From field not allowing saving email address with multiple "domains" after the @

  • OPENIDM-17707: The Connector UI "Object Classes to Synchronize" parameter is storing values incorrectly

  • OPENIDM-17664: Adding whitespace in BaseDN results in invalid configuration

  • OPENIDM-17642: Document the usage of cancel action on openidm.action "recon"

  • OPENIDM-17612: Incorrect relationship collection query results with _sortKeys=_id

  • OPENIDM-17556: Executing REST PUT against a managed object without conditional roles will erase all object RDVPs

  • OPENIDM-17533: Allow configuration changes to the repo.ds.json file to take effect without restarting IDM

  • OPENIDM-17531: Conditional policy is not enforced for patch remove

  • OPENIDM-17529: LiveSync schedules are not saving correctly on first save

  • OPENIDM-17483: Quotation marks is automatically removed from Query field of Role’s condition

  • OPENIDM-17200: ReconAssociation query with queryMissingSide=true and _fields params results in 500 error

  • OPENIDM-17024: Admin UI - Query condition memberOfOrgIDs value not saved as a string

  • OPENIDM-16830: fr-idm-managed-organization-name is not indexed

  • OPENIDM-16768: Workflow process form should submit formProperty id instead of name

  • OPENIDM-16725: managed.json updated incorrectly when relationship property is modified in the UI

  • OPENIDM-16641: UI: Legacy Admin - config logic field "deleteQueryConfig" is leaking into UI generated managed config

  • OPENIDM-15303: Scheduler is logging incorrect messages in openidm.log

  • OPENIDM-15132: OPENIDM-14434 caused significant performance degradations

  • OPENIDM-14666: SCIM connector cannot be configured through the UI

  • OPENIDM-13209: Sorting is not working for edge_vertex query with embedded_dj repo

Limitations

ForgeRock Identity Management 7.3 has the following known limitations:

Workflow limitations

  • Workflows are not supported with a DS repository. If you are using a DS repository for IDM data, you must configure a separate JDBC repository as the workflow datasource.

  • The embedded workflow and business process engine is based on Flowable and the Business Process and Notation (BPMN) 2.0 standard. As an embedded system, local integration is supported. Remote integration is not currently supported.

Queries with a DS repository

For DS repositories, relationships must be defined in the repository configuration (repo.ds.json). If you do not explicitly define relationships in the repository configuration, you will be able to query those relationships, but filtering and sorting on those queries will not work. For more information, refer to Relationship Properties in a DS Repository.

Queries with an OracleDB repository

For OracleDB repositories, queries that use the queryFilter syntax do not work on CLOB columns in explicit tables.

Queries with privileges

Query filters used for privileges can only reference direct attributes of the object. For example, relationship fields cannot be referenced in a privilege filter.
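To make the limitation concrete, the following internal role definition is an added example and is not taken from the release notes or from the product documentation. It assumes the internal role privilege format used by IDM 7 (a privileges array whose entries carry path, permissions, filter and accessFlags) and the default managed user attributes userName and accountStatus; the role name and description are invented for illustration.

```json
{
  "_id": "user-viewer",
  "name": "user-viewer",
  "description": "Added example: read access to active users, scoped by a direct attribute",
  "privileges": [
    {
      "path": "managed/user",
      "name": "Active users",
      "actions": [],
      "permissions": ["VIEW"],
      "filter": "/accountStatus eq \"active\"",
      "accessFlags": [
        { "attribute": "userName", "readOnly": true },
        { "attribute": "accountStatus", "readOnly": true }
      ]
    }
  ]
}
```

The filter here references accountStatus, a direct attribute of managed/user, so it is within the supported scope. A filter that reaches through a relationship property (for example, one that tries to compare the manager or roles relationship of the user) falls under the limitation above and cannot be used to scope a privilege; keep privilege filters on attributes stored directly on the object and enforce relationship-based conditions elsewhere.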

Connector limitations

  • When you add or edit a connector through the admin UI, the list of required Base Connector Details is not necessarily accurate for your deployment. Some of these details might be required for specific deployment scenarios only. If you need a connector configuration where not all the Base Connector Details are required, you must create your connector configuration file over REST or by editing the provisioner file. For more information, refer to Configure connectors.

If-Match requests

A conditional GET request with the If-Match request header is not supported.

Known issues

This topic lists important issues that remain open at the time of release.

IDM issues

  • OPENIDM-19801: Boolean attribute shows incorrect value in IDM Admin UI Level in Forgeops based deployments

  • OPENIDM-19493: Conditional grantee processing speciously triggering processing of relationship fields in MOS#update

  • OPENIDM-19492: Query for clustered recon target ids should be paged with a very small page size (e.g. 2)

  • OPENIDM-19473: Incorrect column name "messagedetail" in VIEW being created

  • OPENIDM-19306: JDBC explicit table managed user PATCH with _fields=*_ref caused 400 error

  • OPENIDM-19181: Merry-go-round will cause duplicate RDVP calculation for signals received across conditional relationship fields

  • OPENIDM-19061: "Persists association" option when not selected throws "Not found error"

  • OPENIDM-18941: Salesforce provisioner file is overwritten when connector is enabled

  • OPENIDM-18925: java.lang.IllegalArgumentException: Bad base context

  • OPENIDM-18891: IDM console cli.sh throws a java.lang.NoSuchFieldError

  • OPENIDM-18885: referencedRelationshipFields in queryConfig does not keep original data structure

  • OPENIDM-18848: New string and number attributes added to managed object schema default to "searchable"

  • OPENIDM-18846: Investigate order agnostic JsonValue comparisons

  • OPENIDM-18826: Out of memory in IDM platform groups read/delete members

  • OPENIDM-18780: IDM Native console should not query audit log

  • OPENIDM-18698: QueryFilter with invalid pageSize doesn’t throw an error

  • OPENIDM-18643: Sporadic NPE upon Activation of the OpenICF Provisioner Service

  • OPENIDM-18496: Missing UI templates for Groovy scripted connectors 1.5

  • OPENIDM-18495: Admin UI: Connector Data Tab is sending a queryFilter with bad sortKeys

  • OPENIDM-18493: Response from csv/template endpoint is different in IDM CDK

  • OPENIDM-18412: Value for boolean property in Linked Systems tab appears to be hidden

  • OPENIDM-18340: Multi-language support for platform deployment is missing

  • OPENIDM-18277: Task Scanner fails on erroneous conditional policy validation failure

  • OPENIDM-18271: Adding Policy via UI doesn’t always work

  • OPENIDM-18231: Disabling and enabling livesync schedule changes value of source

  • OPENIDM-18154: Mapping will restore itself after being deleted when moving position in grid holder view

  • OPENIDM-18074: End-User UI Preferences property to READ-ONLY (Non-editable) not working

  • OPENIDM-18039: Modify GroovyScript to utilize similar logic that RhinoScript is using in ScriptableWithDeferredBinding

  • OPENIDM-17997: Array virtual properties fail to update during a compound replace operation when revision data is included.

  • OPENIDM-17983: Workflow process definition diagram is not displayed in the Admin UI

  • OPENIDM-17922: Sample scripted powershell with ad is missing ResolveUsername script

  • OPENIDM-17813: File content incorrect on read

  • OPENIDM-17671: Request for postSync script hook

  • OPENIDM-17631: Overriding the key “aliases” in conf/secrets.json using $array and $list coercion type to support multiple key aliases is not working

  • OPENIDM-17630: A value set to the List of Names to Filter setting of a Provisioner via the UI disappears when saved and the provisioner is accessed again

  • OPENIDM-17516: Pattern policy ignored when doing operation replace with empty values

  • OPENIDM-17466: Unit tests in ManagedObjectSetTest make false assumptions

  • OPENIDM-17444: Workflow Admin UI hard-codes assignee to userName

  • OPENIDM-17345: Changing default rest context to /svc/idm rather than /idm causes UI to misbehave

  • OPENIDM-17255: The admin UI breaks the schema when editing it

  • OPENIDM-16923: If all KBA info questions are deleted through UI, question index is corrupted

  • OPENIDM-16825: User updates needs to be submitted twice

  • OPENIDM-16804: Admin UI forgets mat-icon setting when object properties are re-ordered

  • OPENIDM-16796: Error message: Only "replace" patch operation is supported on /kbaInfo when set to viewable

  • OPENIDM-16795: Inconsistent URLs when hovering on Admin UI home page OOTB widgets across IDM versions

  • OPENIDM-16791: Booleans show up in the end user ui even if set as not viewable

  • OPENIDM-16631: Cron-like Trigger for Weekly schedule shows incorrectly

  • OPENIDM-16618: Admin UI sends encrypted data as string when an unrelated attribute is modified

  • OPENIDM-16615: Admin UI duplicates patch operations when adding manager

  • OPENIDM-16564: 404 Error when viewing recon events in System Monitoring Dashboard

  • OPENIDM-16528: Properties defined as "nullable" become required

  • OPENIDM-16516: Incoherent script hooks bindings when PATCH a relationship collection containing relationship properties

  • OPENIDM-16487: The UI should allow the admin to select which linkQualifier the assignment belongs to

  • OPENIDM-16465: Saved powershell connector config through admin UI is not valid

  • OPENIDM-16453: Enduser login fails if user _id contains special characters

  • OPENIDM-16441: Enduser UI can fail to load organizations when the managed organization schema is updated

  • OPENIDM-16432: Self-service registration submits input as string for number attribute

  • OPENIDM-16201: Policy validation for new managed objects occurs against previously accessed object

  • OPENIDM-16108: Creating assignments via REST breaks IDM UI elements

  • OPENIDM-15623: DS Repo performance issues with large number of role members without paging

  • OPENIDM-15585: Admin UI doesn’t display correct enable state for Audit Event Handlers

  • OPENIDM-15322: Query on relationship endpoint with *_ref without paging takes much longer time to return with external DS as repo

  • OPENIDM-15284: authzRoles property does not show or accept addition of resource collection

  • OPENIDM-15145: UI: Audit Filter Policies only save to "excludeIf"

  • OPENIDM-13592: optimize java script context caching to reduce transient memory allocation

ICF/Connector issues

For a current list of fixes in the latest version of the ICF connectors, please refer to the ICF documentation.

  • OPENICF-2319: SCIM Connector: GoTo system returns non-404 code when trying to read a deleted record

  • OPENICF-2297: SCIM Connector: roles attribute should be a list of String, not a list of Objects

  • OPENICF-2258: MSGraphAPI Connector: Clicking on Directory Role Template gives oData error

  • OPENICF-2194: GoogleApps Connector: PATCH remove operation doesn’t update the object when both the field and value are provided

  • OPENICF-1991: Java RCS: No logging when we start RCS with /run and then /install as a Windows service

  • OPENICF-1972: LDAP Connector: Presence filter !(not) operator not working as expected

  • OPENICF-1905: Database Table Connector: Error when using NAME and pr operator in queryFilter

Documentation

Date and description of each change:

2024-04-18: Initial release of Identity Management 7.3.1 software.

2024-04-01: Added deprecation for "Sign In with LinkedIn". Refer to Deprecation → Social authentication.

2023-11-11

2023-09-26: Updated all uses of factoryPid to instanceName and added further clarifications to the remote proxy documentation.

2023-09-14: Updated the following DS 7.3 command options:

  • Old: --keyStorePasswordFile; New: --keyStorePassword:file

  • Old: --trustStorePasswordFile; New: --trustStorePassword:file

These options are used in Samples and Synchronize passwords with DS.

2023-07-27

2023-04-05: Initial release of Identity Management 7.3.0 software.

Appendix A: Release levels and interface stability

ForgeRock product release levels

ForgeRock defines Major, Minor, Maintenance, and Patch product release levels. The release level is reflected in the version number. The release level tells you what sort of compatibility changes to expect.

Release Level Definitions (release label, version numbers, characteristics):

Major

Version: x[.0.0] (trailing 0s are optional)

  • Bring major new features, minor features, and bug fixes

  • Can include changes even to Stable interfaces

  • Can remove previously Deprecated functionality, and in rare cases remove Evolving functionality that has not been explicitly Deprecated

  • Include changes present in previous Minor and Maintenance releases

Minor

Version: x.y[.0] (trailing 0s are optional)

  • Bring minor features, and bug fixes

  • Can include backwards-compatible changes to Stable interfaces in the same Major release, and incompatible changes to Evolving interfaces

  • Can remove previously Deprecated functionality

  • Include changes present in previous Minor and Maintenance releases

Maintenance, Patch

Version: x.y.z[.p]

The optional .p reflects a Patch version.

  • Bring bug fixes

  • Are intended to be fully compatible with previous versions from the same Minor release

ForgeRock product stability labels

ForgeRock products support many features, protocols, APIs, GUIs, and command-line interfaces. Some of these are standard and very stable. Others offer new functionality that is continuing to evolve.

ForgeRock acknowledges that you invest in these features and interfaces, and therefore must know when and how ForgeRock expects them to change. For that reason, ForgeRock defines stability labels and uses these definitions in ForgeRock products.

ForgeRock Stability Label Definitions (stability label, definition):

Stable

This documented feature or interface is expected to undergo backwards-compatible changes only for major releases. Changes may be announced at least one minor release before they take effect.

Evolving

This documented feature or interface is continuing to evolve and so is expected to change, potentially in backwards-incompatible ways even in a minor release. Changes are documented at the time of product release.

While new protocols and APIs are still in the process of standardization, they are Evolving. This applies for example to recent Internet-Draft implementations, and also to newly developed functionality.

Legacy

This feature or interface has been replaced with an improved version, and is no longer receiving development effort from ForgeRock.

You should migrate to the newer version, however the existing functionality will remain.

Legacy features or interfaces will be marked as Deprecated if they are scheduled to be removed from the product.

Deprecated

This feature or interface is deprecated and likely to be removed in a future release. For previously stable features or interfaces, the change was likely announced in a previous release. Deprecated features or interfaces will be removed from ForgeRock products.

Removed

This feature or interface was deprecated in a previous release and has now been removed from the product.

Technology Preview

Technology previews provide access to new features that are considered as new technology that is not yet supported. Technology preview features may be functionally incomplete and the function as implemented is subject to change without notice. DO NOT DEPLOY A TECHNOLOGY PREVIEW INTO A PRODUCTION ENVIRONMENT.

Customers are encouraged to test drive the technology preview features in a non-production environment and are welcome to make comments and suggestions about the features in the associated forums.

ForgeRock does not guarantee that a technology preview feature will be present in future releases, and the final version of the feature may differ from the preview. Once a technology preview moves into its completed version, the feature becomes part of the ForgeRock platform. Technology previews are provided on an "AS-IS" basis for evaluation purposes only, and ForgeRock accepts no liability or obligations for their use.

Internal/Undocumented

Internal and undocumented features or interfaces can change without notice. If you depend on one of these features or interfaces, contact ForgeRock support or email info@forgerock.com to discuss your needs.

Appendix B: Getting support

ForgeRock provides support services, professional services, training through ForgeRock University, and partner services to assist you in setting up and maintaining your deployments. For a general overview of these services, refer to https://www.forgerock.com.

ForgeRock has staff members around the globe who support our international customers and partners. For details on ForgeRock’s support offering, including support plans and service level agreements (SLAs), visit https://www.forgerock.com/support.

ForgeRock publishes comprehensive documentation online:

  • The ForgeRock Knowledge Base offers a large and increasing number of up-to-date, practical articles that help you deploy and manage ForgeRock software.

    While many articles are visible to community members, ForgeRock customers have access to much more, including advanced information for customers using ForgeRock software in a mission-critical capacity.

  • ForgeRock product documentation, such as this document, aims to be technically accurate and complete with respect to the software documented. It is visible to everyone and covers all product features and examples of how to use them.