IDM 7.4.1

Release notes

ForgeRock Identity Management (IDM) software provides centralized, simple management and synchronization of identities for users, devices, and things. IDM software is highly flexible and therefore able to fit almost any use case and workflow.

These release notes are written for anyone using the IDM 7.4 release. Read these notes before you install or upgrade ForgeRock Identity Management software.

ForgeRock Identity Platform™ serves as the basis for our simple and comprehensive Identity and Access Management solution. We help our customers deepen their relationships with their customers, and improve the productivity and connectivity of their employees and partners. For more information about ForgeRock and about the platform, refer to https://www.forgerock.com.

The ForgeRock Common REST API works across the platform to provide common ways to access web resources and collections of resources.

What’s new

Maintenance releases

ForgeRock maintenance releases contain a collection of fixes and minor RFEs grouped together and released as part of our commitment to support our customers. For general information about ForgeRock’s maintenance and patch releases, see Maintenance and Patch Availability Policy.

IDM 7.4.1 is the latest release targeted for IDM 7.4 deployments and can be downloaded from the ForgeRock Download Center.

You can deploy the release as an initial deployment or as an update from an existing 7.4.x deployment. For information on updating from 7.4.x, refer to Update to a maintenance release.

IDM 7.4.1 features

  • The Flowable embedded workflow engine has been upgraded to version 6.8.0.

  • End user UI supports array properties.

  • SalesForce connector supports client_credentials and refresh_token grant types.

IDM 7.4.0 features

Filesystem secret stores

You can now configure secret stores to use filesystem secret stores. Filesystem secret stores use a directory containing many files, each storing a single secret. For more information, refer to Filesystem secret stores.

Microsoft Graph API email client

In addition to the SMTP client, you can now configure the outbound email service to use the new MS Graph API Client.

Use of the new email client requires a properly configured Microsoft Azure tenant.

For more information, refer to Outbound email.

Additional metrics

New metrics are available for livesync and scheduler functions. For example requests, refer to Scheduler metrics.

Script support for countOnly queries

Queries within scripts now support the _countOnly parameter.

mTLS for authentication to DS

If you are using IDM with a DS repository, ForgeRock recommends using mTLS to authenticate to DS to better facilitate credential rotation. Refer to Configure mTLS.

Security advisories

ForgeRock issues security advisories in collaboration with our customers and the open source community to address any security vulnerabilities transparently and rapidly. ForgeRock’s security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.

For details of all the security advisories across ForgeRock products, refer to Security Advisories in the Knowledge Base library.

Before you install

This section covers requirements before you run ForgeRock Identity Management software, especially in a production environment. If you have a special request to support a component or combination not listed here, contact ForgeRock at info@forgerock.com.

Hardware and memory requirements

Due to the underlying Java platform, IDM software runs well on a variety of processor architectures.

When you install IDM for evaluation with the embedded DS repository, you need:

  • 256 MB memory (32-bit) or 1 GB memory (64-bit) available.

  • 10 GB free disk space for the software and sample data.

A DS repository (whether embedded or external) requires free disk space of 5% of the filesystem size, plus 1 GB by default. To change this requirement, set the disk-full-threshold in the DS configuration. For more information, refer to Disk Space Thresholds in the DS Maintenance Guide.

In the case of an embedded DS instance, you can manage the configuration using the dsconfig command in /path/to/openidm/db/openidm/opendj/bin.

In production, disk space and memory requirements depend on the size of your external repository, as well as the size of the audit and service log files that IDM creates.

The amount of memory that IDM consumes is highly dependent on the data that it holds. Queries that return large data sets will have a significant impact on heap requirements, particularly if they are run in parallel with other large data requests. To avoid out-of-memory errors, analyze your data requirements, set the heap configuration appropriately, and modify access controls to restrict requests on large data sets.

IDM exposes many JVM metrics to help you analyze the amount of memory that it is consuming. For more information on analyzing hardware and memory performance, see Load testing.

Operating System requirements

IDM 7.4 software is supported on the following operating systems:

  • Red Hat Enterprise Linux (and Rocky Linux) 7.9, 8.7, and 9.1

  • Ubuntu Linux 20.04 and 22.04

  • Windows Server 2019 and 2022

Java requirements

IDM software supports the following Java environments:

Supported Java Versions

Vendor: OpenJDK, including OpenJDK-based distributions:

  • AdoptOpenJDK/Eclipse Temurin

  • Amazon Corretto

  • Azul Zulu

  • Red Hat OpenJDK

  ForgeRock tests most extensively with AdoptOpenJDK/Eclipse Temurin. ForgeRock recommends using the HotSpot JVM.

  Versions: 11*, 17**

Vendor: Oracle Java

  Versions: 11*, 17**

* Version 11.0.20 or higher.

** Version 17.0.3 or higher.

ForgeRock recommends that you keep your Java installation up-to-date with the latest security fixes.

Supported web application containers

You must install IDM as a standalone service, using the bundled Apache Felix framework and Jetty web application container. Alternate containers are not supported. IDM bundles Jetty version 9.4.48.

Supported repositories

The following repositories are supported for use in production:

  • ForgeRock Directory Services (DS) 7.4.

    By default, IDM uses an embedded DS instance for testing purposes. The embedded instance is not supported in production. If you want to use DS as a repository in production, you must set up an external instance.

  • MySQL version 5.7 and 8.0 with MySQL JDBC Driver Connector/J 8.0.

    Do not use Connector/J versions 8.0.23 through 8.0.25.

  • MariaDB version 10.6.11 and 10.10.2 with MySQL JDBC Driver Connector/J 8.0.

    Do not use Connector/J versions 8.0.23 through 8.0.25.

  • Microsoft SQL Server 2019 and 2022.

  • Oracle Database 19c and 21c.

  • PostgreSQL 13.10, 14.7, and 15.2.

  • IBM DB2 11.5.

ForgeRock supports repositories in cloud-hosted environments, such as AWS and GKE Cloud, as long as the underlying repository is supported. In other words, the repositories listed above are supported, regardless of how they are hosted.

These repositories might not be supported on all operating system platforms. Refer to the specific repository documentation for more information.

Do not mix and match versions. For example, if you are running Oracle Database 19c, and want to take advantage of the support for Oracle UCP, download driver and companion JARs for Oracle version 19c.

Supported browsers

The IDM UI has been tested with the latest, stable versions of the following browsers:

  • Chrome and Chromium

  • Edge

  • Firefox

  • Safari

Supported connectors

IDM bundles the following connectors:

  • Adobe Cloud Marketing connector

  • CSV File connector

  • Database Table connector

  • Google Apps connector

  • Groovy Connector Toolkit

    This toolkit lets you create scripted connectors to virtually any resource.

  • Kerberos connector

    The Kerberos connector bundled with IDM 7 is not backward-compatible with IDM 6.x. IDM 7 uses Groovy version 3.0. IDM 6.5 uses version 2.5, and IDM 6 uses version 2.4. The bundled Kerberos connector requires Groovy version 3.0.

  • LDAP connector

    Using the LDAP connector to provision to Active Directory is supported with Active Directory Domain Controllers, Active Directory Global Catalogues, and Active Directory Lightweight Directory Services (LDS).

  • Marketo connector

  • MongoDB connector

  • Microsoft Graph API connector

  • Salesforce connector

  • SCIM connector

  • Scripted REST connector

    The scripted REST connector bundled with IDM 7 is not backward-compatible with IDM 6.x. IDM 7 uses Groovy version 3.0. IDM 6.5 uses version 2.5, and IDM 6 uses version 2.4. The bundled scripted REST connector requires Groovy version 3.0.

  • Scripted SQL connector

    The scripted SQL connector bundled with IDM 7 is not backward-compatible with IDM 6.x. IDM 7 uses Groovy version 3.0. IDM 6.5 uses version 2.5, and IDM 6 uses version 2.4. The bundled scripted SQL connector requires Groovy version 3.0.

  • ServiceNow connector

  • Scripted SSH connector

    The scripted SSH connector bundled with IDM 7 is not backward-compatible with IDM 6.x. IDM 7 uses Groovy version 3.0. IDM 6.5 uses version 2.5, and IDM 6 uses version 2.4. The bundled scripted SSH connector requires Groovy version 3.0.

Additional connectors are available from the ForgeRock BackStage download site.

A PowerShell Connector Toolkit is bundled with the .NET remote connector server. This toolkit lets you create scripted connectors to address the requirements of your Microsoft Windows ecosystem.

Windows Server 2012 R2, 2016, and 2019 are supported as the remote systems for connectors and password synchronization plugins.

You must use the supported versions of the .NET Remote Connector Server (RCS), or the Java Remote Connector Server (RCS). The 1.5.x Java RCS is backward-compatible with the version 1.1.x connectors. The 1.5.x .NET RCS is compatible only with the 1.4.x and 1.5.x connectors. For more information, refer to IDM / ICF Compatibility Matrix.

The Java RCS requires Java 11 or Java 17, and is supported on any platform on which Java runs.

The .NET RCS requires the .NET framework (version 4.6.2 or later) and is supported on Windows Server versions 2012 R2, 2016, and 2019.

Although the scripted connector toolkits are supported, connectors that you build with these toolkits are not supported. You can find examples of how to build connectors with these toolkits in Samples.

The following table lists the connector and RCS versions that are supported across IDM versions. For a list of connectors supported with this IDM release, refer to the ICF connector documentation. For a list of connector releases associated with this version of IDM, refer to the ICF release notes.

IDM / ICF Compatibility Matrix

IDM Version 4.x
  RCS Version: 1.4.x, 1.5.x
  Java Connectors: Java connectors version 1.1.x - 1.5.x
  Scripted Groovy Connectors: Scripted REST, Scripted CREST, Scripted SQL, SSH, Kerberos connectors up to version 1.5.1.0.
  .NET Connectors: PowerShell Connector 1.4.x

IDM Version 5.x
  RCS Version: 1.4.x, 1.5.x
  Java Connectors: Java connectors version 1.1.x - 1.5.x
  Scripted Groovy Connectors: Scripted REST, Scripted CREST, Scripted SQL, SSH, Kerberos connectors up to version 1.5.1.0.
  .NET Connectors: PowerShell Connector 1.4.x

IDM Version 6.x
  RCS Version: 1.4.x, 1.5.x
  Java Connectors: Java connectors version 1.1.x - 1.5.x
  Scripted Groovy Connectors: Scripted REST, Scripted CREST, Scripted SQL, SSH, Kerberos connectors up to version 1.5.1.0.
  .NET Connectors: PowerShell Connector 1.4.x

IDM Version 7.x
  RCS Version: 1.4.x, 1.5.x
  Java Connectors: Java connectors version 1.1.x - 1.5.x
  Scripted Groovy Connectors: Scripted REST, Scripted SQL, SSH, Kerberos connectors version 1.5.x.
  .NET Connectors: PowerShell Connector 1.4.x, 1.5.x

Supported password synchronization plugins

The following table lists the supported password synchronization plugins:

Plugin: DS Password Synchronization Plugin

Supported versions:

  • 7.4.x, supported with DS 7.4.x and IDM 7.4.x

  • 7.3.x, supported with DS 7.3.x and IDM 7.3.x

  • 7.1.x, supported with DS 7.1.x, DS 7.2.x, IDM 7.1.x, and IDM 7.2.x

  • 7.0.1, supported with DS 7.0.x, IDM 7.0.x, and IDM 7.1.x

  • 6.5.0, supported with DS 6.5.x and IDM 6.5.x

  • 6.0, supported with DS 6.0.x and IDM 6.0.x

  • 5.5.0, supported with DS 5.5.x and IDM 5.5.x

  • 5.0, supported with DS 5.0.x and IDM 5.0.x

  • 3.5, supported with OpenDJ 3.5 and OpenIDM 4.x

  DS Password Sync plugins are not supported with DS OEM.

Plugin: Active Directory Password Synchronization Plugin

Supported versions:

  • 1.7.0 and 1.5.0, supported on Windows Server versions 2012 R2, 2016, 2019, and 2022

Third-Party software

ForgeRock provides support for using the following third-party software when logging ForgeRock Common Audit events:

  • Java Message Service (JMS): 2.0 API

  • MySQL JDBC Driver Connector/J: 8 (at least 8.0.19). Do not use Connector/J versions 8.0.23 through 8.0.25.

  • Splunk: 8.0 (at least 8.0.2)

Elasticsearch and Splunk have native or third-party tools to collect, transform, and route logs. Examples include Logstash and Fluentd.

ForgeRock recommends that you consider these alternatives. These tools have advanced, specialized features focused on getting log data into the target system. They decouple the solution from the ForgeRock Identity Platform systems and version, and provide inherent persistence and reliability. You can configure the tools to avoid losing audit messages if a ForgeRock Identity Platform service goes offline, or delivery issues occur.

These tools can work with ForgeRock Common Audit logging:

  • Configure the server to log messages to standard output, and route from there.

  • Configure the server to log to files, and use log collection and routing for the log files.

Although ForgeRock does not provide support for these tools, you can use any of the following third-party software to monitor ForgeRock servers:

  • Grafana: 7 (at least 7.4.3)

  • Graphite: 1

  • Prometheus: 2.36

For Hardware Security Module (HSM) support, ForgeRock software requires a client library that conforms to the PKCS#11 standard v2.20 or later.

Incompatible changes

When you update to IDM 7.4.1 from the last major version, the following changes may impact existing deployments. Adjust existing scripts, files, clients, and so on, as necessary.

If you are upgrading from an older release, review the changed functionality from all releases after your current version of IDM:

Changes between IDM 7.4.0 and 7.4.1

Workflow engine upgrade

The Flowable embedded workflow engine has been upgraded to version 6.8.0. If you are upgrading from a previous version of IDM and use workflow, this upgrade requires one or more incremental upgrade scripts. For more information, refer to Upgrade an existing repository.

Changes between IDM 7.3.x and 7.4.0

IDM requires JDK 11.0.20 or higher

If you try to run this version of IDM using an older release of JDK, the following error displays:

SEVERE: Error loading keystore
java.io.IOException: Invalid keystore format
at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:667)
at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
at java.base/java.security.KeyStore.load(KeyStore.java:1479)
at org.forgerock.security.keystore.KeyStoreBuilder.build(KeyStoreBuilder.java:228)
at org.forgerock.openidm.secrets.keystore.KeyStoreRepository.load(KeyStoreRepository.java:59)
at org.forgerock.openidm.secrets.config.ConfigSupport.asKeyStoreHolder(ConfigSupport.java:95)
at org.forgerock.openidm.secrets.config.StoreSupport.asKeyStoreHolder(StoreSupport.java:61)
at org.forgerock.openidm.secrets.config.FileBasedStore.asKeyStoreHolder(FileBasedStore.java:18)
...

For a complete list of supported Java versions, refer to Java requirements.
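Because the symptom of a too-old JDK is an unhelpful keystore error rather than a version message, a start script can check the JDK first. The following pre-flight check is an added example (not part of these release notes or of IDM) that parses the banner printed by `java -version` and applies the minimums from Java requirements: 11.0.20 or higher for Java 11, 17.0.3 or higher for Java 17, and no other major version.

```python
"""Pre-flight check: is the local JDK new enough for IDM 7.4?"""
from __future__ import annotations

import re
import subprocess

# Minimum patch levels for the Java majors IDM 7.4 supports, taken from the
# Java requirements section of these release notes.
SUPPORTED_MINIMUMS = {
    11: (11, 0, 20),
    17: (17, 0, 3),
}

# `java -version` prints e.g. 'openjdk version "11.0.20" 2023-07-18' on stderr.
_VERSION_RE = re.compile(r'version "(?P<ver>[0-9][0-9.]*)')


def parse_java_version(banner: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from a `java -version` banner.

    Accepts the modern banner, a bare version string such as "17.0.3", and the
    legacy "1.8.0_392" form (reported as major 8). Missing components are
    padded with zeros, so "17" becomes (17, 0, 0).
    """
    match = _VERSION_RE.search(banner)
    text = match.group("ver") if match else banner.strip().strip('"')
    parts = [int(p) for p in text.split(".") if p.isdigit()]
    if not parts:
        raise ValueError(f"cannot parse a Java version from {banner!r}")
    if parts[0] == 1 and len(parts) > 1:  # legacy 1.x numbering (Java 8 and older)
        parts = parts[1:]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def java_version_supported(banner: str) -> tuple[bool, str]:
    """Return (ok, reason) for the JDK described by a `java -version` banner."""
    major, minor, patch = parse_java_version(banner)
    found = f"{major}.{minor}.{patch}"
    minimum = SUPPORTED_MINIMUMS.get(major)
    if minimum is None:
        return False, f"Java {found}: major version {major} is not supported by IDM 7.4 (use 11 or 17)"
    required = ".".join(str(n) for n in minimum)
    if (major, minor, patch) < minimum:
        return False, f"Java {found} is older than the required {required}"
    return True, f"Java {found} meets the {required} minimum"


def check_local_java() -> tuple[bool, str]:
    """Run `java -version` (which writes its banner to stderr) and evaluate it."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return False, "java was not found on PATH"
    return java_version_supported(proc.stderr or proc.stdout)


if __name__ == "__main__":
    ok, reason = check_local_java()
    print(("OK: " if ok else "FAIL: ") + reason)
    raise SystemExit(0 if ok else 1)
```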

The DB2 driver is now OSGi-compliant

When using IDM with a DB2 database, you previously had to create an OSGi-compliant driver. The driver included with DB2 is now compliant.

For more information, refer to:

Deprecation

The following features are deprecated and likely to be discontinued in a future release.

Progressive profile

Progressive profile data collection is deprecated and will be removed in a future release of IDM. This functionality is already supported by AM in a platform deployment. For more information, refer to Progressive profile in the ForgeRock Identity Platform documentation.

Social authentication

Social authentication is deprecated and will be removed in a future release of IDM. The feature will be a function of AM. Once a user has logged in through AM (using a social provider or some other way), they can obtain an access token with that session and use the access token to interact with IDM through the rsFilter configuration.

Additionally, Microsoft has deprecated the "Sign In with LinkedIn" functionality as of August 1, 2023. Refer to Sign In with LinkedIn.

Integrated Windows Authentication (IWA)

IWA is deprecated and will be removed in a future release of IDM. This feature will be a function of AM.

Access configuration in access.js

In previous releases, access rules were configured in the access.js script. This script has been replaced by an access.json configuration file that performs the same function. Existing deployments that use customized access.js files are still supported for backward compatibility. However, support for access rules defined in access.js is deprecated, and will be removed in a future release. You should move these access rules to a conf/access.json file. For more information, refer to Authorization and roles.

Actions on scheduler endpoint

The action parameter on the scheduler endpoint was deprecated in Version 1 of the endpoint and is not supported in Version 2.

To validate a cron expression, use the validateQuartzCronExpression action on the scheduler/job endpoint, as described in Validate Cron Trigger Expressions.

Health endpoints

The health endpoints, used to monitor system activity, have been deprecated in this release, as their functionality was not considered to be of much use.

The information available on health/recon was node-specific. Instead, you can retrieve cluster-wide reconciliation details with a GET on the recon endpoint.

The information available on the health/os and health/memory endpoints can be retrieved by inspecting the JVM metrics.

Conditional query filters

The syntax of conditional query filters and scripts within notification filters has changed in this release. In previous IDM releases, request properties such as content in create and update requests or patchOperations in patch requests were referenced directly. For example, a previous configuration might have used the following query filter:

"condition" : "content/manager pr"

In IDM 7 and later, query filters and scripts should reference the request object to obtain any request properties. Sample query filters have been changed accordingly. The previous example would be changed to the following:

"condition" : "request/content/manager pr",

This syntax is more verbose, but it lets script implementations use request visitors logic based on the request type, and is more consistent with generic router filters.

The old request syntax will still work in IDM 7.0, but is considered deprecated. Support for the old syntax will be removed in a future release. Note that this change is limited to notification filters. Filters such as those used with scripted endpoints have never supported direct access to request properties, and are therefore not changing. For more information on notification filters, refer to Configure notifications.
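The rewrite from content/... to request/content/... is mechanical for string-valued conditions, so it can be automated before the old syntax is removed. The helper below is an added example, not tooling shipped with IDM or part of these notes: it prefixes direct content and patchOperations references with request/, skips paths that are already qualified and anything inside quoted literals, and leaves script-valued conditions alone. The notification configuration it runs on is constructed for the example.

```python
"""Rewrite deprecated notification-filter conditions to the IDM 7 request syntax."""
from __future__ import annotations

import copy
import re

# Request properties that older notification filters referenced directly.
# IDM 7 expects them under the request object, e.g. request/content/manager.
DIRECT_REQUEST_PROPERTIES = ("content", "patchOperations")

# Match one of those names only where it starts a field path: not preceded by
# a word character or '/' (so request/content and object/content are left
# alone) and followed by '/', whitespace, ')' or the end of the string (so
# a field such as contentType is left alone).
_OLD_REF_RE = re.compile(
    r"(?<![\w/])(" + "|".join(DIRECT_REQUEST_PROPERTIES) + r")(?=/|\s|\)|$)"
)

# Double-quoted string literals inside a query filter, escaped quotes included.
_STRING_LITERAL_RE = re.compile(r'("(?:[^"\\]|\\.)*")')


def rewrite_condition(condition: str) -> str:
    """Prefix direct request-property references in a query filter with request/.

    The filter is split around its string literals so that a value such as
    "content" or "/content" is never rewritten; only field paths are touched.
    """
    chunks = []
    for chunk in _STRING_LITERAL_RE.split(condition):
        if chunk.startswith('"'):
            chunks.append(chunk)  # literal value: leave untouched
        else:
            chunks.append(_OLD_REF_RE.sub(r"request/\1", chunk))
    return "".join(chunks)


def migrate_conditions(node) -> int:
    """Rewrite every string-valued "condition" in a loaded JSON config tree.

    Script-valued conditions (JSON objects) are left alone, since a script
    body cannot be converted mechanically. Returns the number of conditions
    that were changed; the tree is modified in place.
    """
    changed = 0
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "condition" and isinstance(value, str):
                rewritten = rewrite_condition(value)
                if rewritten != value:
                    node[key] = rewritten
                    changed += 1
            else:
                changed += migrate_conditions(value)
    elif isinstance(node, list):
        for item in node:
            changed += migrate_conditions(item)
    return changed


# Constructed sample notification configuration, not a file shipped with IDM.
SAMPLE_NOTIFICATION = {
    "filters": [
        {"condition": "content/manager pr", "target": "managerChanged"},
        {"condition": 'patchOperations/0/field eq "/content" and content/status eq "active"',
         "target": "statusChanged"},
        {"condition": "request/content/manager pr", "target": "alreadyMigrated"},
        {"condition": {"type": "text/javascript", "source": "content.manager != null"},
         "target": "scripted"},
    ]
}


def migrate_sample() -> tuple[int, dict]:
    """Migrate a copy of the sample and return (conditions changed, migrated config)."""
    config = copy.deepcopy(SAMPLE_NOTIFICATION)
    return migrate_conditions(config), config


if __name__ == "__main__":
    count, migrated = migrate_sample()
    print(f"{count} condition(s) rewritten")
    for entry in migrated["filters"]:
        print(" ", entry["condition"])
```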

Self-Service stages

Self-Service Stages (described in Self-service stage reference) are deprecated in this release and support for their use will be removed in a future release. From IDM 7 onwards, this functionality is replaced by AM Authentication Trees.

oauthReturn endpoint

Support for oauthReturn as an endpoint for OAuth2 and OpenID Connect standards has been deprecated for interactions with AM and will be removed in a future release. Support for interactions with social identity providers was removed in IDM 6.5.0.

Default versions of relevant configuration files no longer include oauthReturn in the redirectUri setting. However, for IDM 7.4, these configuration files should still work both with and without oauthReturn in the endpoint.

timeZone in schedules

In Configure schedules, setting a time zone using the timeZone field is deprecated. To specify a time zone for schedules, use the startTime and endTime fields.

MD5 and SHA-1 hash algorithms

Support for the MD5 and SHA-1 hash algorithms is deprecated and will be removed in a future release. You should use more secure algorithms in a production environment. For a list of supported hash algorithms, refer to Salted Hash Algorithms.

JAVA_TYPE_DATE attribute type

Support for the native attribute type, JAVA_TYPE_DATE, is deprecated and will be removed in a future release. This property-level extension is an alias for string. Any dates assigned to this extension should be formatted per ISO 8601.

POST request with ?_action=patch

Support for a POST request with ?_action=patch is deprecated when patching a specific resource. You can still use ?_action=patch when patching by query on a collection.

Clients that do not support the regular PATCH verb should use the X-HTTP-Method-Override header instead.

For example, the following POST request uses the X-HTTP-Method-Override header to patch user jdoe’s entry:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--header "Content-Type: application/json" \
--request POST \
--header "X-HTTP-Method-Override: PATCH" \
--data '[
    {
        "operation":"replace",
        "field":"/description",
        "value":"The new description for Jdoe"
    }
]' \
"http://localhost:8080/openidm/managed/user/jdoe"

minLength property

The managed object property minLength is deprecated. When you need to specify a minimum length for a property, use the minimum-length policy:

{
    "policyId" : "minimum-length",
    "params" : {
        "minLength" : 8
    }
}

Read requests at top of /config

Support for top-level read requests to the /config endpoint is deprecated. You can still retrieve a list of config IDs by querying the /config endpoint.

Defining object schema type attribute in an array when it is a single type

Support for specifying an object’s schema type attribute in an array when there is only a single type is deprecated and will be removed in a later release.

This affects schemas with type attribute definitions in the form:

{
    "type" : ["string"]
}

type attribute definitions in this form should be updated to:

{
    "type" : "string"
}

For additional information, refer to the JSON schema type attribute definition.
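The minLength and single-type-array deprecations above, together with the MD5 and SHA-1 deprecation, can all be found by walking a managed object configuration. The following script is an added example, not an IDM utility or part of these notes: it rewrites "type": ["string"] to "type": "string", moves a property-level minLength into a minimum-length policy, and reports (without changing) hashed properties that still use MD5 or SHA-1. The managed.json fragment it runs on is constructed for the example, and the secureHash/algorithm key names are assumed to match IDM's property-hashing configuration.

```python
"""Migrate deprecated managed.json schema forms flagged in the IDM 7.4 release notes."""
from __future__ import annotations

import copy
import json

# Hash algorithms these release notes deprecate for hashed properties.
WEAK_HASH_ALGORITHMS = {"MD5", "SHA-1"}


def migrate_schema(node, path: str = "", findings: list[str] | None = None) -> list[str]:
    """Walk a loaded managed.json tree in place and return a list of findings.

    - "type": ["string"] (single-element array) becomes "type": "string";
      multi-type arrays such as ["string", "null"] are left as they are.
    - A property-level "minLength": N is removed and replaced by a
      "minimum-length" policy with params.minLength N. Only dicts that also
      carry a "type" (property definitions) qualify, so the params of an
      existing policy are never mistaken for a property.
    - A secureHash.algorithm of MD5 or SHA-1 is reported but not changed:
      stored hashes cannot be rehashed without the original value.
    """
    if findings is None:
        findings = []
    if isinstance(node, dict):
        type_attr = node.get("type")
        if isinstance(type_attr, list) and len(type_attr) == 1:
            node["type"] = type_attr[0]
            findings.append(f"{path}: type {type_attr!r} -> {type_attr[0]!r}")
        if "type" in node and isinstance(node.get("minLength"), int):
            min_len = node.pop("minLength")
            policies = node.setdefault("policies", [])
            if not any(p.get("policyId") == "minimum-length" for p in policies):
                policies.append({"policyId": "minimum-length",
                                 "params": {"minLength": min_len}})
            findings.append(f"{path}: minLength {min_len} -> minimum-length policy")
        secure_hash = node.get("secureHash")
        if isinstance(secure_hash, dict) and secure_hash.get("algorithm") in WEAK_HASH_ALGORITHMS:
            findings.append(f"{path}: secureHash uses deprecated {secure_hash['algorithm']}")
        # All in-place edits to this dict happen above, so iterating is safe.
        for key, value in node.items():
            migrate_schema(value, f"{path}/{key}", findings)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            migrate_schema(item, f"{path}/{index}", findings)
    return findings


# Constructed managed.json fragment, not a file shipped with IDM. The
# secureHash/algorithm key names are assumed to match IDM's hashing config.
SAMPLE_MANAGED = {
    "objects": [
        {
            "name": "user",
            "schema": {
                "type": "object",
                "properties": {
                    "userName": {"type": ["string"], "minLength": 3},
                    "mail": {"type": "string"},
                    "password": {"type": "string", "minLength": 8,
                                 "secureHash": {"algorithm": "MD5"}},
                    "nickname": {"type": ["string", "null"]},
                },
            },
        }
    ]
}


def migrate_sample() -> tuple[list[str], dict]:
    """Migrate a copy of the sample and return (findings, migrated tree)."""
    tree = copy.deepcopy(SAMPLE_MANAGED)
    return migrate_schema(tree), tree


if __name__ == "__main__":
    findings, migrated = migrate_sample()
    print("\n".join(findings))
    print(json.dumps(migrated["objects"][0]["schema"]["properties"], indent=2))
```

Running the script on a real conf/managed.json (json.load it, call migrate_schema, then json.dump) gives a diff to review before committing the change; the MD5/SHA-1 findings still need a password reset or re-entry to take effect.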

Discontinued

The following features or functionality were removed in this release.

Sample notification configuration files

The following sample notification configuration files have been removed from the /path/to/openidm/samples/example-configurations/conf directory:

  • notification-newReport.json

  • notification-termsUpdate.json

Splunk and Elasticsearch audit handlers

The Splunk and Elasticsearch audit event handlers have been removed in this release.

IDM 7.4 supports file-based audit handlers and logging to standard output, both of which Elasticsearch and Splunk can consume.

Fixed issues

IDM 7.4.1

The following important bugs were fixed in this release:

  • OPENIDM-19203: Admin UI lists unsafe hashing algorithms

  • OPENIDM-19244: Workflow will not work if upgrade from IDM v7.0.4 to 7.3

  • OPENIDM-19467: Transformation script compile error in one mapping breaks another mapping

IDM 7.4.0

The following important bugs were fixed in this release:

  • OPENIDM-18405: Admin UI pagination disabled for array of relationships/roles when using JDBC repo

  • OPENIDM-18655: pagedResultsOffset on SpecReference query does not work when using sortKeys

  • OPENIDM-18737: Field Policy Service does not handle multivalued required attributes

  • OPENIDM-18743: IDM throws a NPE when operationOptions{} is defined in the provisioner

  • OPENIDM-18774: Sync queue fails to initialise when mapping defined in individual file is updated

  • OPENIDM-18822: Query on relationship endpoint with paging takes too long to return with DS as repo

  • OPENIDM-18875: Incorrect behaviour in handling variables in workflow subprocesses

  • OPENIDM-18896: SpecReference not retrieving all vertex fields when _fields is present and empty

  • OPENIDM-18897: Signal cycle detection logic must be abrogated in override assignment processing

  • OPENIDM-18983: SpecReference - not retrieving vertex fields when removal of relationships ou support is not enabled

  • OPENIDM-18988: Anonymous info/ping results in query of the anonymous user in DS in IDC

  • OPENIDM-19139: Merry-go-round upon signal receipt will erase RDVP fields not returned by default

  • OPENIDM-19161: Boolean properties in managed user are always visible on End User UI

  • OPENIDM-19216: The clustered recon resilience scheme will fail if identities in a recovered page are mutated during recovery

  • OPENIDM-19225: Scheduler shutdown semantics incorrect

  • OPENIDM-19238: SAP Connector label missing from IDM translation.json file

  • OPENIDM-19240: Cannot invoke "java.util.concurrent.atomic.AtomicInteger.intValue()" because the return value of "java.util.Map.get(Object)" is null

  • OPENIDM-19248: CREST Proxy incorrectly downgrading to Protocol v1 when communicating with IDM 7.x and beyond

ICF/Connector fixes

For a current list of fixes in the latest version of the ICF connectors, refer to the ICF documentation.

Limitations

ForgeRock Identity Management 7.4 has the following known limitations:

Workflow limitations

  • Workflows are not supported with a DS repository. If you are using a DS repository for IDM data, you must configure a separate JDBC repository as the workflow datasource.

  • The embedded workflow and business process engine is based on Flowable and the Business Process and Notation (BPMN) 2.0 standard. As an embedded system, local integration is supported. Remote integration is not currently supported.

Queries with a DS repository

For DS repositories, relationships must be defined in the repository configuration (repo.ds.json). If you do not explicitly define relationships in the repository configuration, you will be able to query those relationships, but filtering and sorting on those queries will not work. For more information, refer to Relationship Properties in a DS Repository.

Queries with an OracleDB repository

For OracleDB repositories, queries that use the queryFilter syntax do not work on CLOB columns in explicit tables.

Queries with privileges

Query filters used for privileges can only reference direct attributes of the object. For example, relationship fields cannot be referenced in a privilege filter.

Connector limitations

  • When you add or edit a connector through the admin UI, the list of required Base Connector Details is not necessarily accurate for your deployment. Some of these details might be required for specific deployment scenarios only. If you need a connector configuration where not all the Base Connector Details are required, you must create your connector configuration file over REST or by editing the provisioner file. For more information, refer to Configure connectors.

If-Match requests

A conditional GET request, with the If-Match request header, is not supported.

Known issues

This topic lists important issues that remain open at the time of release.

IDM issues

  • OPENIDM-19801: Boolean attribute shows incorrect value in IDM Admin UI Level in Forgeops based deployments

  • OPENIDM-19555: Track: vulnerable to CVE-2023-43643 IDM 7.4.0 (RFE)

  • OPENIDM-19494: Editing "has one" relationship results in bad request error

  • OPENIDM-19435: Docs: Link historical accounts sample docs page instructions cause errors

  • OPENIDM-19306: JDBC explicit table managed user PATCH with _fields=*_ref caused 400 error

  • OPENIDM-19258: Performance regression Update and Patch tests with SpecRef

  • OPENIDM-19232: When adding additional property in new managed object the save button became unclickable

  • OPENIDM-19181: Merry-go-round will cause duplicate RDVP calculation for signals received across conditional relationship fields

  • OPENIDM-19084: Pyforge: Changing SOURCE_TARGET_CONFLICT default action to EXCEPTION caused a regression on Oracle repo

  • OPENIDM-19061: "Persists association" option when not selected throws "Not found error"

  • OPENIDM-18941: Salesforce provisioner file is overwritten when connector is enabled

  • OPENIDM-18925: java.lang.IllegalArgumentException: Bad base context

  • OPENIDM-18891: IDM console cli.sh throws a java.lang.NoSuchFieldError

  • OPENIDM-18885: referencedRelationshipFields in queryConfig does not keep original data structure

  • OPENIDM-18848: New string and number attributes added to managed object schema default to "searchable"

  • OPENIDM-18846: Investigate order agnostic JsonValue comparisons

  • OPENIDM-18826: Out of memory in IDM platform groups read/delete members

  • OPENIDM-18780: IDM Native console should not query audit log

  • OPENIDM-18738: Field Policy Service exception handler hides DS exceptions that are not policy failure exceptions

  • OPENIDM-18698: QueryFilter with invalid pageSize doesn’t throw an error

  • OPENIDM-18643: Sporadic NPE upon Activation of the OpenICF Provisioner Service

  • OPENIDM-18496: Missing UI templates for Groovy scripted connectors 1.5

  • OPENIDM-18495: Admin UI: Connector Data Tab is sending a queryFilter with bad sortKeys

  • OPENIDM-18493: Response from csv/template endpoint is different in IDM CDK

  • OPENIDM-18412: Value for boolean property in Linked Systems tab appears to be hidden

  • OPENIDM-18340: Multi-language support for platform deployment is missing

  • OPENIDM-18333: Policy validation does not work fine if values are provided to all fields together which are being used in policy validation

  • OPENIDM-18290: Dependant conditional policy not run when patching a property

  • OPENIDM-18277: Task Scanner fails on erroneous conditional policy validation failure

  • OPENIDM-18271: Adding Policy via UI doesn’t always work

  • OPENIDM-18231: Disabling and enabling livesync schedule changes value of source

  • OPENIDM-18154: Mapping will restore itself after being deleted when moving position in grid holder view

  • OPENIDM-18074: End-User UI Preferences property to READ-ONLY (Non-editable) not working

  • OPENIDM-18039: Modify GroovyScript to utilize similar logic that RhinoScript is using in ScriptableWithDeferredBinding

  • OPENIDM-17997: Array virtual properties fail to update during a compound replace operation when revision data is included.

  • OPENIDM-17983: Workflow process definition diagram is not displayed in the Admin UI

  • OPENIDM-17922: Sample scripted powershell with ad is missing ResolveUsername script

  • OPENIDM-17813: File content incorrect on read

  • OPENIDM-17671: Request for postSync script hook

  • OPENIDM-17631: Overriding the key “aliases” in conf/secrets.json using $array and $list coercion type to support multiple key aliases is not working

  • OPENIDM-17630: A value set to the List of Names to Filter setting of a Provisioner via the UI disappears when saved and the provisioner is accessed again

  • OPENIDM-17516: Pattern policy ignored when doing operation replace with empty values

  • OPENIDM-17466: Unit tests in ManagedObjectSetTest make false assumptions

  • OPENIDM-17444: Workflow Admin UI hard-codes assignee to userName

  • OPENIDM-17345: Changing default rest context to /svc/idm rather than /idm causes UI to misbehave

  • OPENIDM-17255: The admin UI breaks the schema when editing it

  • OPENIDM-16923: If all KBA info questions are deleted through UI, question index is corrupted

  • OPENIDM-16825: User updates need to be submitted twice

  • OPENIDM-16804: Admin UI forgets mat-icon setting when object properties are re-ordered

  • OPENIDM-16796: Error message: Only "replace" patch operation is supported on /kbaInfo when set to viewable

  • OPENIDM-16795: Inconsistent URLs when hovering on Admin UI home page OOTB widgets across IDM versions

  • OPENIDM-16791: Booleans show up in the end user ui even if set as not viewable

  • OPENIDM-16631: Cron-like Trigger for Weekly schedule shows incorrectly

  • OPENIDM-16618: Admin UI sends encrypted data as string when an unrelated attribute is modified

  • OPENIDM-16615: Admin UI duplicates patch operations when adding manager

  • OPENIDM-16564: 404 Error when viewing recon events in System Monitoring Dashboard

  • OPENIDM-16528: Properties defined as "nullable" become required

  • OPENIDM-16516: Incoherent script hook bindings when PATCHing a relationship collection containing relationship properties

  • OPENIDM-16487: The UI should allow the admin to select which linkQualifier the assignment belongs to

  • OPENIDM-16465: PowerShell connector config saved through the Admin UI is not valid

  • OPENIDM-16453: Enduser login fails if user _id contains special characters

  • OPENIDM-16441: Enduser UI can fail to load organizations when the managed organization schema is updated

  • OPENIDM-16432: Self-service registration submits input as string for number attribute

  • OPENIDM-16201: Policy validation for new managed objects occurs against previously accessed object

  • OPENIDM-16108: Creating assignments via REST breaks IDM UI elements

  • OPENIDM-15585: Admin UI doesn’t display correct enable state for Audit Event Handlers

  • OPENIDM-15284: authzRoles property does not show or accept addition of resource collection

  • OPENIDM-15145: UI: Audit Filter Policies only save to "excludeIf"

  • OPENIDM-13592: Optimize JavaScript context caching to reduce transient memory allocation

ICF/Connector issues

For a current list of known issues in the latest version of the ICF connectors, refer to the ICF documentation.

Documentation

Date         Description

2024-04-30   Initial release of Identity Management 7.4.1 software.

2024-03-27   Added deprecation for "Sign In with LinkedIn". Refer to Deprecation → Social authentication.

2023-10-02   Initial release of Identity Management 7.4.0 software.

Appendix A: Release levels and interface stability

ForgeRock product release levels

ForgeRock defines Major, Minor, Maintenance, and Patch product release levels. The release level is reflected in the version number. The release level tells you what sort of compatibility changes to expect.

Release Level Definitions
Release Label Version Numbers Characteristics

Major

Version: x[.0.0] (trailing 0s are optional)

  • Bring major new features, minor features, and bug fixes

  • Can include changes even to Stable interfaces

  • Can remove previously Deprecated functionality, and in rare cases remove Evolving functionality that has not been explicitly Deprecated

  • Include changes present in previous Minor and Maintenance releases

Minor

Version: x.y[.0] (trailing 0s are optional)

  • Bring minor features, and bug fixes

  • Can include backwards-compatible changes to Stable interfaces in the same Major release, and incompatible changes to Evolving interfaces

  • Can remove previously Deprecated functionality

  • Include changes present in previous Minor and Maintenance releases

Maintenance, Patch

Version: x.y.z[.p]

The optional .p reflects a Patch version.

  • Bring bug fixes

  • Are intended to be fully compatible with previous versions from the same Minor release

ForgeRock product stability labels

ForgeRock products support many features, protocols, APIs, GUIs, and command-line interfaces. Some of these are standard and very stable. Others offer new functionality that is continuing to evolve.

ForgeRock acknowledges that you invest in these features and interfaces, and therefore must know when and how ForgeRock expects them to change. For that reason, ForgeRock defines stability labels and uses these definitions in ForgeRock products.

ForgeRock Stability Label Definitions
Stability Label Definition

Stable

This documented feature or interface is expected to undergo backwards-compatible changes only for major releases. Changes may be announced at least one minor release before they take effect.

Evolving

This documented feature or interface is continuing to evolve and so is expected to change, potentially in backwards-incompatible ways even in a minor release. Changes are documented at the time of product release.

While new protocols and APIs are still in the process of standardization, they are Evolving. This applies for example to recent Internet-Draft implementations, and also to newly developed functionality.

Legacy

This feature or interface has been replaced with an improved version, and is no longer receiving development effort from ForgeRock.

You should migrate to the newer version; however, the existing functionality will remain.

Legacy features or interfaces will be marked as Deprecated if they are scheduled to be removed from the product.

Deprecated

This feature or interface is deprecated and likely to be removed in a future release. For previously stable features or interfaces, the change was likely announced in a previous release. Deprecated features or interfaces will be removed from ForgeRock products.

Removed

This feature or interface was deprecated in a previous release and has now been removed from the product.

Technology Preview

Technology previews provide access to new features that are considered new technology and are not yet supported. Technology preview features may be functionally incomplete, and the function as implemented is subject to change without notice. DO NOT DEPLOY A TECHNOLOGY PREVIEW INTO A PRODUCTION ENVIRONMENT.

Customers are encouraged to test drive the technology preview features in a non-production environment and are welcome to make comments and suggestions about the features in the associated forums.

ForgeRock does not guarantee that a technology preview feature will be present in future releases, and the final complete version of the feature is liable to change between the preview and the final version. Once a technology preview moves into the completed version, said feature will become part of the ForgeRock platform. Technology previews are provided on an “AS-IS” basis for evaluation purposes only, and ForgeRock accepts no liability or obligations for the use thereof.

Internal/Undocumented

Internal and undocumented features or interfaces can change without notice. If you depend on one of these features or interfaces, contact ForgeRock support or email info@forgerock.com to discuss your needs.

Appendix B: Getting support

ForgeRock provides support services, professional services, training through ForgeRock University, and partner services to assist you in setting up and maintaining your deployments. For a general overview of these services, refer to https://www.forgerock.com.

ForgeRock has staff members around the globe who support our international customers and partners. For details on ForgeRock’s support offering, including support plans and service level agreements (SLAs), visit https://www.forgerock.com/support.

ForgeRock publishes comprehensive documentation online:

  • The ForgeRock Knowledge Base offers a large and increasing number of up-to-date, practical articles that help you deploy and manage ForgeRock software.

    While many articles are visible to community members, ForgeRock customers have access to much more, including advanced information for customers using ForgeRock software in a mission-critical capacity.

  • ForgeRock product documentation, such as this document, aims to be technically accurate and complete with respect to the software documented. It is visible to everyone and covers all product features and examples of how to use them.