Release notes
PingIDM (IDM) software provides centralized, simple management and synchronization of identities for users, devices, and things. IDM software is highly flexible and therefore able to fit almost any use case and workflow.
These release notes are written for anyone using the IDM 7.5 release. Read these notes before you install or upgrade PingIDM software.
What's New
New features and improvements in this version.
Prepare for Deployment
The requirements for running IDM software in production.
Compatibility
Key implementation changes and compatibility with previous deployments.
Bug Fixes
Bug fixes, limitations, and open issues.
Doc Updates
Documentation changes.
Get Support
Professional support and training.
ForgeRock Identity Platform™ serves as the basis for our simple and comprehensive Identity and Access Management solution. We help our customers deepen their relationships with their customers, and improve the productivity and connectivity of their employees and partners. For more information about ForgeRock and about the platform, refer to https://www.forgerock.com.
The ForgeRock Common REST API works across the platform to provide common ways to access web resources and collections of resources.
New features
This release of PingIDM software includes the following new features:
Connectors
Connectors continue to be updated and released outside of IDM. To stay up-to-date with new features and versions, check out the ICF Release notes.
Although not bundled in this release of IDM, the two newest connectors are available to download from Backstage:
International email addresses
IDM now supports international email addresses. This feature is only available for supporting SMTP providers.
For more information, refer to International email addresses.
Store credentials as secrets
You can store credentials for a number of services as secrets. The supported services include:
For more information, refer to Secret stores.
Version file system secrets
You can have multiple versions of secrets stored in a file system secret store.
For more information, refer to Filesystem secret stores.
Enhanced signal propagation
Managed objects can now receive relationship graph topology change signals through the SignalPropagationCalculator class that is active by default.
Learn more in Enhanced signal propagation.
Workflow engine upgrade
The Flowable embedded workflow engine has been upgraded to version 6.8.0. If you are upgrading from a previous version of IDM and use workflow, this upgrade requires one or more incremental upgrade scripts. For more information, refer to Upgrade an existing repository.
Connect to DS with ScriptedREST sample supports client_credentials grant type
The customizer script for the Connect to DS with ScriptedREST sample now includes OAuth capabilities for the client_credentials grant type.
Security advisories
ForgeRock issues security advisories in collaboration with our customers and the open source community to address any security vulnerabilities transparently and rapidly. ForgeRock’s security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.
For details of all the security advisories across ForgeRock products, refer to Security Advisories in the Knowledge Base library.
Before you install
This section covers requirements before you run PingIDM software, especially in a production environment. If you have a special request to support a component or combination not listed here, contact ForgeRock at info@forgerock.com.
Hardware and memory requirements
Due to the underlying Java platform, IDM software runs well on a variety of processor architectures.
When you install IDM for evaluation with the embedded DS repository, you need:
-
256 MB memory (32-bit) or 1 GB memory (64-bit) available.
-
10 GB free disk space for the software and sample data.
A DS repository (whether embedded or external) requires free disk space of 5% of the filesystem size, plus 1 GB by default. To change this requirement, set the In the case of an embedded DS instance, you can manage the configuration using the |
In production, disk space and memory requirements depend on the size of your external repository, as well as the size of the audit and service log files that IDM creates.
The amount of memory that IDM consumes is highly dependent on the data that it holds. Queries that return large data sets will have a significant impact on heap requirements, particularly if they are run in parallel with other large data requests. To avoid out-of-memory errors, analyze your data requirements, set the heap configuration appropriately, and modify access controls to restrict requests on large data sets.
IDM exposes many JVM metrics to help you analyze the amount of memory that it is consuming. For more information on analyzing hardware and memory performance, see Load testing.
Change the JVM heap size
Changing the JVM heap size can improve performance and reduce the time it takes to run reconciliations.
You can set the JVM heap size via the OPENIDM_OPTS environment variable. If OPENIDM_OPTS is undefined, the JVM maximum heap size defaults to 2GB. For example, to set the minimum and maximum heap sizes to 4GB, enter the following before starting IDM:
cd /path/to/openidm/
export OPENIDM_OPTS="-Xms4096m -Xmx4096m"
./startup.sh
Using OPENIDM_HOME: /path/to/openidm
Using PROJECT_HOME: /path/to/openidm
Using OPENIDM_OPTS: -Xms4096m -Xmx4096m
...
OpenIDM ready

cd \path\to\openidm
set OPENIDM_OPTS=-Xms4096m -Xmx4096m
startup.bat
"Using OPENIDM_HOME: \path\to\openidm"
"Using PROJECT_HOME: \path\to\openidm"
"Using OPENIDM_OPTS: -Xms4096m -Xmx4096m -Dfile.encoding=UTF-8"
...
OpenIDM ready

You can also edit the OPENIDM_OPTS values in startup.sh or startup.bat.
For more information about tuning and load testing, refer to Load testing.
Operating System requirements
IDM 7.5 software is supported on the following operating systems:
-
Red Hat Enterprise Linux (and Rocky Linux) 7.9, 8.7, and 9.1
-
Ubuntu Linux 20.04 and 22.04
-
Windows Server 2019 and 2022
Java requirements
IDM software supports the following Java environments:
Vendor | Versions |
---|---|
OpenJDK, including OpenJDK-based distributions: | 17** |
Oracle Java | 17** |
** Version 17.0.3 or higher.
ForgeRock recommends that you keep your Java installation up-to-date with the latest security fixes.
Supported web application containers
You must install IDM as a standalone service, using the bundled Apache Felix framework and Jetty web application container. Alternate containers are not supported. IDM bundles Jetty version 9.4.48.
Supported repositories
The following repositories are supported for use in production:
-
PingDS (DS) 7.5.
By default, IDM uses an embedded DS instance for testing purposes. The embedded instance is not supported in production. If you want to use DS as a repository in production, you must set up an external instance.
-
MySQL version 5.7 and 8.0 with MySQL JDBC Driver Connector/J 8.0.
Do not use Connector/J versions 8.0.23 through 8.0.25.
-
MariaDB version 10.6.11 and 10.10.2 with MySQL JDBC Driver Connector/J 8.0.
Do not use Connector/J versions 8.0.23 through 8.0.25.
-
Microsoft SQL Server 2019 and 2022.
-
Oracle Database 19c and 21c.
-
PostgreSQL 13.10, 14.7, and 15.2.
-
IBM DB2 11.5.
ForgeRock supports repositories in cloud-hosted environments, such as AWS and GKE Cloud, as long as the underlying repository is supported. In other words, the repositories listed above are supported, regardless of how they are hosted.
These repositories might not be supported on all operating system platforms. Refer to the specific repository documentation for more information.
Do not mix and match versions. For example, if you are running Oracle Database 19c, and want to take advantage of the support for Oracle UCP, download driver and companion JARs for Oracle version 19c.
Supported browsers
The IDM UI has been tested with the latest, stable versions of the following browsers:
-
Chrome and Chromium
-
Edge
-
Firefox
-
Safari
Supported connectors
IDM bundles the following connectors:
-
Adobe Cloud Marketing connector
-
CSV File connector
-
Database Table connector
-
Google Apps connector
-
Groovy Connector Toolkit
This toolkit lets you create scripted connectors to virtually any resource.
-
Kerberos connector
The Kerberos connector bundled with IDM 7 is not backward-compatible with IDM 6.x. IDM 7 uses Groovy version 3.0. IDM 6.5 uses version 2.5, and IDM 6 uses version 2.4. The bundled Kerberos connector requires Groovy version 3.0.
-
LDAP connector
Using the LDAP connector to provision to Active Directory is supported with Active Directory Domain Controllers, Active Directory Global Catalogues, and Active Directory Lightweight Directory Services (LDS).
-
Marketo connector
-
MongoDB connector
-
Microsoft Graph API connector
-
Salesforce connector
-
SCIM connector
-
Scripted REST connector
The scripted REST connector bundled with IDM 7 is not backward-compatible with IDM 6.x. IDM 7 uses Groovy version 3.0. IDM 6.5 uses version 2.5, and IDM 6 uses version 2.4. The bundled scripted REST connector requires Groovy version 3.0.
-
Scripted SQL connector
The scripted SQL connector bundled with IDM 7 is not backward-compatible with IDM 6.x. IDM 7 uses Groovy version 3.0. IDM 6.5 uses version 2.5, and IDM 6 uses version 2.4. The bundled scripted SQL connector requires Groovy version 3.0.
-
ServiceNow connector
-
Scripted SSH connector
The scripted SSH connector bundled with IDM 7 is not backward-compatible with IDM 6.x. IDM 7 uses Groovy version 3.0. IDM 6.5 uses version 2.5, and IDM 6 uses version 2.4. The bundled scripted SSH connector requires Groovy version 3.0.
Additional connectors are available from the BackStage download site.
A PowerShell Connector Toolkit is bundled with the .NET remote connector server. This toolkit lets you create scripted connectors to address the requirements of your Microsoft Windows ecosystem.
Windows Server 2012 R2, 2016, and 2019 are supported as the remote systems for connectors and password synchronization plugins.
You must use the supported versions of the .NET Remote Connector Server (RCS), or the Java Remote Connector Server (RCS). The 1.5.x Java RCS is backward-compatible with the version 1.1.x connectors. The 1.5.x .NET RCS is compatible only with the 1.4.x and 1.5.x connectors. For more information, refer to IDM / ICF Compatibility Matrix.
The Java RCS requires Java 11 or Java 17, and is supported on any platform on which Java runs.
The .NET RCS requires the .NET framework (version 4.6.2 or later) and is supported on Windows Server versions 2012 R2, 2016, and 2019.
Although the scripted connector toolkits are supported, connectors that you build with these toolkits are not supported. You can find examples of how to build connectors with these toolkits in Samples.
The following table lists the connector and RCS versions that are supported across IDM versions. For a list of connectors supported with this IDM release, refer to the ICF connector documentation. For a list of connector releases associated with this version of IDM, refer to the ICF release notes.
IDM Version | RCS Version | Java Connectors | Scripted Groovy Connectors | .NET Connectors |
---|---|---|---|---|
4.x | 1.4.x, 1.5.x | Java connectors version 1.1.x - 1.5.x | Scripted REST, Scripted CREST, Scripted SQL, SSH, Kerberos connectors up to version 1.5.1.0. | PowerShell Connector 1.4.x |
5.x | 1.4.x, 1.5.x | Java connectors version 1.1.x - 1.5.x | Scripted REST, Scripted CREST, Scripted SQL, SSH, Kerberos connectors up to version 1.5.1.0. | PowerShell Connector 1.4.x |
6.x | 1.4.x, 1.5.x | Java connectors version 1.1.x - 1.5.x | Scripted REST, Scripted CREST, Scripted SQL, SSH, Kerberos connectors up to version 1.5.1.0. | PowerShell Connector 1.4.x |
7.x | 1.4.x, 1.5.x | Java connectors version 1.1.x - 1.5.x | Scripted REST, Scripted SQL, SSH, Kerberos connectors version 1.5.x. | PowerShell Connector 1.4.x, 1.5.x |
Supported password synchronization plugins
The following table lists the supported password synchronization plugins:
Plugin | Supported Version |
---|---|
DS Password Synchronization Plugin | 7.5.x, supported with DS 7.5.x and IDM 7.5.x; 7.4.x, supported with DS 7.4.x and IDM 7.4.x; 7.3.x, supported with DS 7.3.x and IDM 7.3.x; 7.1.x, supported with DS 7.1.x, DS 7.2.x, IDM 7.1.x, and IDM 7.2.x; 7.0.1, supported with DS 7.0.x, IDM 7.0.x, and IDM 7.1.x; 6.5.0, supported with DS 6.5.x and IDM 6.5.x; 6.0, supported with DS 6.0.x and IDM 6.0.x; 5.5.0, supported with DS 5.5.x and IDM 5.5.x; 5.0, supported with DS 5.0.x and IDM 5.0.x; 3.5, supported with OpenDJ 3.5 and OpenIDM 4.x. DS Password Sync plugins are not supported with DS OEM. |
Active Directory Password Synchronization Plugin | 1.7.0 and 1.5.0 supported on Windows Server versions 2012 R2, 2016, 2019, and 2022 |
Third-Party software
ForgeRock provides support for using the following third-party software when logging ForgeRock Common Audit events:
Software | Version |
---|---|
Java Message Service (JMS) | 2.0 API |
MySQL JDBC Driver Connector/J | 8 (at least 8.0.19) |
Splunk | 8.0 (at least 8.0.2) |
Elasticsearch and Splunk have native or third-party tools to collect, transform, and route logs. Examples include Logstash and Fluentd. ForgeRock recommends that you consider these alternatives. These tools have advanced, specialized features focused on getting log data into the target system. They decouple the solution from the Ping Identity Platform systems and version, and provide inherent persistence and reliability. You can configure the tools to avoid losing audit messages if a Ping Identity Platform service goes offline, or delivery issues occur. These tools can work with ForgeRock Common Audit logging:
Although ForgeRock does not provide support for these tools, you can use any of the following third-party software to monitor ForgeRock servers:
Software | Version |
---|---|
Grafana | 7 (at least 7.4.3) |
Graphite | 1 |
Prometheus | 2.36 |
For Hardware Security Module (HSM) support, ForgeRock software requires a client library that conforms to the PKCS#11 standard v2.20 or later.
Incompatible changes
When you update to IDM 7.5.0 from the last major version, the following changes may impact existing deployments. Adjust existing scripts, files, clients, and so on, as necessary.
If you are upgrading from an older release, review the changed functionality from all releases after your current version of IDM:
Workflow engine upgrade
The Flowable embedded workflow engine has been upgraded to version 6.8.0. If you are upgrading from a previous version of IDM and use workflow, this upgrade requires one or more incremental upgrade scripts. For more information, refer to Upgrade an existing repository.
Array schema fields default to item type string
Schema fields defined as type array are required to have an item type defined as of IDM 7.4.0. IDM 7.5.0 defaults the item type to string to avoid startup issues if the type is not defined.
populateDefaults flag removed from secrets configuration
The sample secrets configuration (secrets.json) no longer includes the populateDefaults flag. It is safe to remove this from your secrets configuration.
Java 17 required
Running IDM requires Java 17. For more information, refer to Java requirements.
Legacy hashing algorithms removed from the Admin UI
MD5 and SHA-1 are supported for legacy reasons, but should not be used in production environments and have been removed from the Admin UI. For more information, refer to Salted hash algorithms.
Deprecation
The following features are deprecated and likely to be discontinued in a future release.
Relationship schema query filter
The Query Filter field in the Edit Resource window of relationship schema properties has been deprecated.
Use cases requiring a delegated admin to see a subset of users or other objects can use a query filter on the role privilege to limit the users returned by the query.
Secret store class renamed
The org.forgerock.openidm.secrets.config.FileBasedStore class has been deprecated and replaced by org.forgerock.openidm.secrets.config.KeyStoreSecretStore. The old class is currently an alias.
Progressive profile
Progressive profile data collection is deprecated and will be removed in a future release of IDM. This functionality is already supported by AM in a platform deployment. For more information, refer to Progressive profile in the ForgeRock Identity Platform documentation.
Social authentication
Social authentication is deprecated and will be removed in a future release of IDM. The feature will be a function of AM. Once a user has logged in through AM (using a social provider or some other way), they can obtain an access token with that session and use the access token to interact with IDM through the rsFilter configuration.
Additionally, Microsoft has deprecated the "Sign In with LinkedIn" functionality as of August 1, 2023. Refer to Sign In with LinkedIn.
Integrated Windows Authentication (IWA)
IWA is deprecated and will be removed in a future release of IDM. This feature will be a function of AM.
Access configuration in access.js
In previous releases, access rules were configured in the access.js script. This script has been replaced by an access.json configuration file that performs the same function. Existing deployments that use customized access.js files are still supported for backward compatibility. However, support for access rules defined in access.js is deprecated, and will be removed in a future release. You should move these access rules to a conf/access.json file. For more information, refer to Authorization and roles.
Actions on scheduler endpoint
The action parameter on the scheduler endpoint was deprecated in Version 1 of the endpoint and is not supported in Version 2.
To validate a cron expression, use the validateQuartzCronExpression action on the scheduler/job endpoint, as described in Validate Cron Trigger Expressions.
Health endpoints
The health endpoints, used to monitor system activity, have been deprecated in this release, as their functionality was not considered to be of much use.
The information available on health/recon was node-specific. Instead, you can retrieve cluster-wide reconciliation details with a GET on the recon endpoint.
The information available on the health/os and health/memory endpoints can be retrieved by inspecting the JVM metrics.
Conditional query filters
The syntax of conditional query filters and scripts within notification filters has changed in this release. In previous IDM releases, request properties such as content in create and update requests or patchOperations in patch requests were referenced directly. For example, a previous configuration might have used the following query filter:
"condition" : "content/manager pr"
In IDM 7 and later, query filters and scripts should reference the request object to obtain any request properties. Sample query filters have been changed accordingly. The previous example would be changed to the following:
"condition" : "request/content/manager pr",
This syntax is more verbose, but it lets script implementations use request visitors logic based on the request type, and is more consistent with generic router filters.
The old request syntax will still work in IDM 7.0, but is considered deprecated. Support for the old syntax will be removed in a future release. Note that this change is limited to notification filters. Filters such as those used with scripted endpoints have never supported direct access to request properties, and are therefore not changing. For more information on notification filters, refer to Configure notifications.
Self-Service stages
Self-Service Stages (described in Self-service stage reference) are deprecated in this release and support for their use will be removed in a future release. From IDM 7 onwards, this functionality is replaced by AM Authentication Trees.
oauthReturn endpoint
Support for oauthReturn as an endpoint for OAuth2 and OpenID Connect standards has been deprecated for interactions with AM and will be removed in a future release. Support for interactions with social identity providers was removed in IDM 6.5.0.
Default versions of relevant configuration files no longer include oauthReturn in the redirectUri setting. However, for IDM 7.5, these configuration files should still work both with and without oauthReturn in the endpoint.
timeZone in schedules
In Configure schedules, setting a time zone using the timeZone field is deprecated. To specify a time zone for schedules, use the startTime and endTime fields.
MD5 and SHA-1 hash algorithms
Support for the MD5 and SHA-1 hash algorithms is deprecated and will be removed in a future release. You should use more secure algorithms in a production environment. For a list of supported hash algorithms, refer to Salted Hash Algorithms.
JAVA_TYPE_DATE attribute type
Support for the native attribute type, JAVA_TYPE_DATE, is deprecated and will be removed in a future release. This property-level extension is an alias for string. Any dates assigned to this extension should be formatted per ISO 8601.
POST request with ?_action=patch
Support for a POST request with ?_action=patch is deprecated, when patching a specific resource. You can still use ?_action=patch when patching by query on a collection.
Clients that do not support the regular PATCH verb should use the X-HTTP-Method-Override header instead.
For example, the following POST request uses the X-HTTP-Method-Override header to patch user jdoe’s entry:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--header "Content-Type: application/json" \
--request POST \
--header "X-HTTP-Method-Override: PATCH" \
--data '[
  {
    "operation":"replace",
    "field":"/description",
    "value":"The new description for Jdoe"
  }
]' \
"http://localhost:8080/openidm/managed/user/jdoe"
minLength property
The managed object property minLength is deprecated. When you need to specify a minimum length for a property, use the minimum-length policy:
{
"policyId" : "minimum-length",
"params" : {
"minLength" : 8
}
}
Read requests at top of /config
Support for top-level read requests to the /config endpoint is deprecated. You can still retrieve a list of config IDs by querying the /config endpoint.
Defining object schema type attribute in an array when it is a single type
Support for specifying an object’s schema type attribute in an array when there is only a single type is deprecated and will be removed in a later release.
This affects schemas with type attribute definitions in the form:
{
"type" : ["string"]
}
type attribute definitions in this form should be updated to:
{
"type" : "string"
}
For additional information, refer to the JSON schema type attribute definition.
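A configuration lint covering several of the deprecations listed above (single-type `type` arrays, the `minLength` property, MD5/SHA-1, bare request properties in notification conditions, and the renamed secret store class), as an added example that is not ForgeRock code. The sample document layout and the rule names are constructed for the example, and it assumes a hash algorithm appears as a string under a key named `algorithm`.

```python
import json

# Constructed sample, not a real IDM file: the layout is an assumption.
SAMPLE = json.loads("""
{
  "schema": {"properties": {
    "description": {"type": ["string"], "minLength": 8},
    "mail": {"type": "string", "policies": [
      {"policyId": "minimum-length", "params": {"minLength": 8}}]},
    "password": {"type": "string", "secureHash": {"algorithm": "SHA-1"}}
  }},
  "notifications": [
    {"condition": "content/manager pr"},
    {"condition": "request/content/manager pr"}
  ],
  "stores": [{"class": "org.forgerock.openidm.secrets.config.FileBasedStore"}]
}
""")

OLD_STORE = "org.forgerock.openidm.secrets.config.FileBasedStore"
NEW_STORE = "org.forgerock.openidm.secrets.config.KeyStoreSecretStore"
WEAK_HASHES = {"MD5", "SHA-1", "SHA1"}
# Request properties the notes say older filters referenced directly.
BARE_REQUEST_PROPS = ("content", "patchOperations")


def _bare_request_ref(condition):
    """True if the filter's leading operand is a bare request property.

    Only the first operand is inspected; compound filters need a real parser.
    """
    head = condition.lstrip().lstrip("/")
    return any(head == p or head.startswith((p + "/", p + " "))
               for p in BARE_REQUEST_PROPS)


def _check(key, value, path, parent_key):
    """Return (path, rule, advice) tuples for one key/value pair."""
    findings = []
    if key == "type" and isinstance(value, list) and len(value) == 1:
        findings.append((path, "type-array",
                         f'use "type": {json.dumps(value[0])}'))
    # "minLength" inside a policy's "params" is the supported replacement.
    if key == "minLength" and parent_key != "params":
        findings.append((path, "minLength", "use the minimum-length policy"))
    if isinstance(value, str):
        if key == "algorithm" and value.upper() in WEAK_HASHES:
            findings.append((path, "weak-hash",
                             f"{value} is deprecated; pick a stronger algorithm"))
        if key == "condition" and _bare_request_ref(value):
            fixed = "request/" + value.lstrip().lstrip("/")
            findings.append((path, "condition", f"use {fixed!r}"))
        if value == OLD_STORE:
            findings.append((path, "secret-class", f"use {NEW_STORE}"))
    return findings


def scan(node, path="", parent_key=None):
    """Walk any JSON document and collect deprecation findings."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            findings += _check(key, value, here, parent_key)
            findings += scan(value, here, key)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings += scan(item, f"{path}/{index}", parent_key)
    return findings


if __name__ == "__main__":
    for where, rule, advice in scan(SAMPLE):
        print(f"{rule:13} {where}: {advice}")
```
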
Discontinued
The following functionality was removed in this release.
Java 11 support
Running IDM requires Java 17. For more information, refer to Java requirements.
Fixed issues
The following important bugs were fixed in this release:
-
OPENIDM-18484: apiVersion config uses onPrem resource paths for idcloud
-
OPENIDM-18820: Prefetch links query should be paged
-
OPENIDM-19130: fr-idm-secondid is not being picked up during migration from 6.5.0.4
-
OPENIDM-19272: Failure to cleanup orphaned recon progress state can cause the RepoReconProgressStatePersistence class to not initialize
-
OPENIDM-19405: Special characters (non-ascii) inside of emails being sent from IDM/Identity Cloud fail
-
OPENIDM-19411: Recovery of queued sync events at startup does not use paged queries
-
OPENIDM-19427: Workforce JIT NAO reconById runs target phase
-
OPENIDM-19467: Transformation script compile error in one mapping breaks another mapping
-
OPENIDM-19498: Assignment Attribute encryption not handled correctly during provisioning
-
OPENIDM-19557: Data tab in csv sample sometimes malfunctioning
-
OPENIDM-19606: Microsoft social provider authentication failed
-
OPENIDM-19646: Prevent modification of relationships for non-managed objects, specified in a request’s resource path.
-
OPENIDM-19647: Highlander theme showing wrong logo on sign in page preview
-
OPENIDM-19659: Relationships selected as 'required' do not persist as required.
-
OPENIDM-19666: Admin UI should not inject domain configuration property within Connector config for GoogleApps/Salesforce
-
OPENIDM-19675: NPE when reversePropertyName changes and resource collection is new
-
OPENIDM-19676: Schema id is not updated after a change to the reverse property name
-
OPENIDM-19681: A read to schema which ends with "properties" should receive a BadRequest Exception
-
OPENIDM-19690: Account for role override assignments
-
OPENIDM-19710: 2024 - Incorrect copyright years in admin UI - 2010-2024
-
OPENIDM-19755: GoogleApps Connector: update sample to reflect replacement of SECONDARY_EMAIL by SECONDARY_EMAILS
-
OPENIDM-19874: Feature endpoint doesn’t reflect password/timestamps installed
-
OPENIDM-19879: Query additional recon source/target pages whenever a paging cookie is returned irrespective of whether paging is enabled
-
OPENIDM-19920: Add the WebEx Connector to the CDK and IDC Docker images
-
OPENIDM-19941: Server Error when retrieving relationships of an object with delegated privileges
ICF/Connector fixes
For a current list of fixes in the latest version of the ICF connectors, refer to the ICF documentation.
Limitations
PingIDM 7.5 has the following known limitations:
Workflow limitations
-
Workflows are not supported with a DS repository. If you are using a DS repository for IDM data, you must configure a separate JDBC repository as the workflow datasource.
-
The embedded workflow and business process engine is based on Flowable and the Business Process and Notation (BPMN) 2.0 standard. As an embedded system, local integration is supported. Remote integration is not currently supported.
Queries with a DS repository
For DS repositories, relationships must be defined in the repository configuration (repo.ds.json). If you do not explicitly define relationships in the repository configuration, you will be able to query those relationships, but filtering and sorting on those queries will not work. For more information, refer to Relationship Properties in a DS Repository.
Queries with an OracleDB repository
For OracleDB repositories, queries that use the queryFilter syntax do not work on CLOB columns in explicit tables.
Queries with privileges
Query filters used for privileges can only reference direct attributes of the object. For example, relationship fields cannot be referenced in a privilege filter.
Connector limitations
-
When you add or edit a connector through the admin UI, the list of required Base Connector Details is not necessarily accurate for your deployment. Some of these details might be required for specific deployment scenarios only. If you need a connector configuration where not all the Base Connector Details are required, you must create your connector configuration file over REST or by editing the provisioner file. For more information, refer to Configure connectors.
Known issues
This topic lists important issues that remain open at the time of release.
IDM issues
-
OPENIDM-19942: ICF Provisioner service does not respect PATCH operation sequence
-
OPENIDM-19801: Boolean attribute shows incorrect value in IDM Admin UI Level in Forgeops based deployments
-
OPENIDM-19745: Component and bundle activation exceptions not printed to log files
-
OPENIDM-19640: Livesync scheduler retries are not handled
-
OPENIDM-19494: Editing "has one" relationship results in bad request error
-
OPENIDM-19493: Conditional grantee processing speciously triggering processing of relationship fields in MOS#update
-
OPENIDM-19492: Query for clustered recon target ids should be paged with a very small page size (e.g. 2)
-
OPENIDM-19435: Docs: Link historical accounts sample docs page instructions cause errors
-
OPENIDM-19306: JDBC explicit table managed user PATCH with _fields=*_ref caused 400 error
-
OPENIDM-19258: Performance regression Update and Patch tests with SpecRef
-
OPENIDM-19232: When adding additional property in new managed object the save button became unclickable
-
OPENIDM-19181: Merry-go-round will cause duplicate RDVP calculation for signals received across conditional relationship fields
-
OPENIDM-19061: "Persists association" option when not selected throws "Not found error"
-
OPENIDM-18941: Salesforce provisioner file is overwritten when connector is enabled
-
OPENIDM-18925: java.lang.IllegalArgumentException: Bad base context
-
OPENIDM-18891: IDM console cli.sh throws a java.lang.NoSuchFieldError
-
OPENIDM-18885: referencedRelationshipFields in queryConfig does not keep original data structure
-
OPENIDM-18848: New string and number attributes added to managed object schema default to "searchable"
-
OPENIDM-18846: Investigate order agnostic JsonValue comparisons
-
OPENIDM-18826: Out of memory in IDM platform groups read/delete members
-
OPENIDM-18780: IDM Native console should not query audit log
-
OPENIDM-18698: QueryFilter with invalid pageSize doesn’t throw an error
-
OPENIDM-18643: Sporadic NPE upon Activation of the OpenICF Provisioner Service
-
OPENIDM-18496: Missing UI templates for Groovy scripted connectors 1.5
-
OPENIDM-18495: Admin UI: Connector Data Tab is sending a queryFilter with bad sortKeys
-
OPENIDM-18493: Response from csv/template endpoint is different in IDM CDK
-
OPENIDM-18412: Value for boolean property in Linked Systems tab appears to be hidden
-
OPENIDM-18340: Multi-language support for platform deployment is missing
-
OPENIDM-18277: Task Scanner fails on erroneous conditional policy validation failure
-
OPENIDM-18271: Adding Policy via UI doesn’t always work
-
OPENIDM-18231: Disabling and enabling livesync schedule changes value of source
-
OPENIDM-18154: Mapping will restore itself after being deleted when moving position in grid holder view
-
OPENIDM-18074: End-User UI Preferences property to READ-ONLY (Non-editable) not working
-
OPENIDM-18039: Modify GroovyScript to utilize similar logic that RhinoScript is using in ScriptableWithDeferredBinding
-
OPENIDM-17997: Array virtual properties fail to update during a compound replace operation when revision data is included.
-
OPENIDM-17983: Workflow process definition diagram is not displayed in the Admin UI
-
OPENIDM-17922: Sample scripted powershell with ad is missing ResolveUsername script
-
OPENIDM-17813: File content incorrect on read
-
OPENIDM-17671: Request for postSync script hook
-
OPENIDM-17631: Overriding the key “aliases” in conf/secrets.json using $array and $list coercion type to support multiple key aliases is not working
-
OPENIDM-17630: A value set to the List of Names to Filter setting of a Provisioner via the UI disappears when saved and the provisioner is accessed again
-
OPENIDM-17516: Pattern policy ignored when doing operation replace with empty values
-
OPENIDM-17466: Unit tests in ManagedObjectSetTest make false assumptions
-
OPENIDM-17444: Workflow Admin UI hard-codes assignee to userName
-
OPENIDM-17345: Changing default rest context to /svc/idm rather than /idm causes UI to misbehave
-
OPENIDM-17255: The admin UI breaks the schema when editing it
-
OPENIDM-16923: If all KBA info questions are deleted through UI, question index is corrupted
-
OPENIDM-16825: User updates needs to be submitted twice
-
OPENIDM-16804: Admin UI forgets mat-icon setting when object properties are re-ordered
-
OPENIDM-16796: Error message: Only "replace" patch operation is supported on /kbaInfo when set to viewable
-
OPENIDM-16795: Inconsistent URLs when hovering on Admin UI home page OOTB widgets across IDM versions
-
OPENIDM-16791: Booleans show up in the end user ui even if set as not viewable
-
OPENIDM-16631: Cron-like Trigger for Weekly schedule shows incorrectly
-
OPENIDM-16618: Admin UI sends encrypted data as string when an unrelated attribute is modified
-
OPENIDM-16615: Admin UI duplicates patch operations when adding manager
-
OPENIDM-16564: 404 Error when viewing recon events in System Monitoring Dashboard
-
OPENIDM-16528: Properties defined as "nullable" become required
-
OPENIDM-16516: Incoherent script hooks bindings when PATCH a relationship collection containing relationship properties
-
OPENIDM-16487: The UI should allow the admin to select which linkQualifier the assignment belongs to
-
OPENIDM-16465: Saved powershell connector config through admin UI is not valid
-
OPENIDM-16453: Enduser login fails if user _id contains special characters
-
OPENIDM-16441: Enduser UI can fail to load organizations when the managed organization schema is updated
-
OPENIDM-16432: Self-service registration submits input as string for number attribute
-
OPENIDM-16201: Policy validation for new managed objects occurs against previously accessed object
-
OPENIDM-16108: Creating assignments via REST breaks IDM UI elements
-
OPENIDM-15623: DS Repo performance issues with large number of role members without paging
-
OPENIDM-15585: Admin UI doesn’t display correct enable state for Audit Event Handlers
-
OPENIDM-15322: Query on relationship endpoint with *_ref without paging takes much longer time to return with external DS as repo
-
OPENIDM-15284: authzRoles property does not show or accept addition of resource collection
-
OPENIDM-15145: UI: Audit Filter Policies only save to "excludeIf"
-
OPENIDM-13592: optimize java script context caching to reduce transient memory allocation
ICF/Connector issues
For a current list of known issues in the latest version of the ICF connectors, refer to the ICF documentation.
Documentation
Date | Description |
---|---|
2025-02-11 | Miscellaneous fixes. |
2024-04-02 | Initial release of PingIDM 7.5 software. |
Appendix A: Release levels and interface stability
ForgeRock product release levels
ForgeRock defines Major, Minor, Maintenance, and Patch product release levels. The release level is reflected in the version number. The release level tells you what sort of compatibility changes to expect.
Release Label | Version Numbers | Characteristics |
---|---|---|
Major | Version: x[.0.0] (trailing 0s are optional) | |
Minor | Version: x.y[.0] (trailing 0s are optional) | |
Maintenance, Patch | Version: x.y.z[.p] The optional | |
ForgeRock product stability labels
ForgeRock products support many features, protocols, APIs, GUIs, and command-line interfaces. Some of these are standard and very stable. Others offer new functionality that is continuing to evolve.
ForgeRock acknowledges that you invest in these features and interfaces, and therefore must know when and how ForgeRock expects them to change. For that reason, ForgeRock defines stability labels and uses these definitions in ForgeRock products.
Stability Label | Definition |
---|---|
Stable | This documented feature or interface is expected to undergo backwards-compatible changes only for major releases. Changes may be announced at least one minor release before they take effect. |
Evolving | This documented feature or interface is continuing to evolve and so is expected to change, potentially in backwards-incompatible ways even in a minor release. Changes are documented at the time of product release. While new protocols and APIs are still in the process of standardization, they are Evolving. This applies for example to recent Internet-Draft implementations, and also to newly developed functionality. |
Legacy | This feature or interface has been replaced with an improved version, and is no longer receiving development effort from ForgeRock. You should migrate to the newer version, however the existing functionality will remain. Legacy features or interfaces will be marked as Deprecated if they are scheduled to be removed from the product. |
Deprecated | This feature or interface is deprecated and likely to be removed in a future release. For previously stable features or interfaces, the change was likely announced in a previous release. Deprecated features or interfaces will be removed from ForgeRock products. |
Removed | This feature or interface was deprecated in a previous release and has now been removed from the product. |
Technology Preview | Technology previews provide access to new features that are considered as new technology that is not yet supported. Technology preview features may be functionally incomplete and the function as implemented is subject to change without notice. DO NOT DEPLOY A TECHNOLOGY PREVIEW INTO A PRODUCTION ENVIRONMENT. Customers are encouraged to test drive the technology preview features in a non-production environment and are welcome to make comments and suggestions about the features in the associated forums. ForgeRock does not guarantee that a technology preview feature will be present in future releases, the final complete version of the feature is liable to change between preview and the final version. Once a technology preview moves into the completed version, said feature will become part of the ForgeRock platform. Technology previews are provided on an “AS-IS” basis for evaluation purposes only and ForgeRock accepts no liability or obligations for the use thereof. |
Internal/Undocumented | Internal and undocumented features or interfaces can change without notice. If you depend on one of these features or interfaces, contact ForgeRock support or email info@forgerock.com to discuss your needs. |
Appendix B: Getting support
ForgeRock provides support services, professional services, training through ForgeRock University, and partner services to assist you in setting up and maintaining your deployments. For a general overview of these services, refer to https://www.forgerock.com.
ForgeRock has staff members around the globe who support our international customers and partners. For details on ForgeRock’s support offering, including support plans and service level agreements (SLAs), visit https://www.forgerock.com/support.
ForgeRock publishes comprehensive documentation online:
-
The ForgeRock Knowledge Base offers a large and increasing number of up-to-date, practical articles that help you deploy and manage ForgeRock software.
While many articles are visible to community members, ForgeRock customers have access to much more, including advanced information for customers using ForgeRock software in a mission-critical capacity.
-
ForgeRock product documentation, such as this document, aims to be technically accurate and complete with respect to the software documented. It is visible to everyone and covers all product features and examples of how to use them.