Incompatible changes

Previously, REST API requests without an Accept-API-Version header used the latest available API version for the resource. These requests now default to API version 1.0. The consent, scheduler/job, scheduler/trigger, and schema endpoints default to API version 2.0.

Logging changes require new bundles and a specific start-level order. If you’re copying launcher.json from a previous version of IDM, review the 8.0.0 version of launcher.json and integrate the changes and additions:

The embedded Jetty web server has been upgraded to Jetty 12, and jetty.xml is no longer supported in this IDM release. Learn more in Embedded Jetty configuration and in Migrate Jetty configuration files.

Felix HTTP Jetty has been upgraded to Jetty 12.

Servlet Specification has been upgraded to 6.0.

You can now configure Jetty thread pool settings in conf/webserver.json.

You can now configure Gzip compression for HTTP responses in conf/webserver.json.

You can now configure Secure protocol settings in conf/webserver.listener-*json.

The embedded DS repository is no longer included with IDM. Before you can use IDM, you must select and configure a repository.

PingIDM now uses Logback to generate its server logs. You will need to add logback.xml to your configuration when updating. Learn more in Server logs.

The end-user UI is no longer bundled with PingIDM. You can download and install the end-user UI separately from the GitHub repository: ForgeRock/end-user-ui. Learn more in the End-user UI.

Requests passing the _api parameter now require authorization. Learn more in Common REST.

Starting with IDM 7.3, unordered array comparison became the default behavior. For this release of IDM, ordered array comparison is the default behavior, restoring the default behavior prior to IDM 7.3.

You can now use the comparison managed object schema configuration property to choose how JSON array comparisons are made with regard to array order.

Learn more about managed object schema properties and array comparison.

Previously, running IDM required Java 17. You can now use Java 17 or Java 21. Learn more in Java requirements.

Previously, REST API requests without an Accept-API-Version header used the latest available API version for the resource. These requests now default to API version 1.0. The consent, scheduler/job, scheduler/trigger, and schema endpoints default to API version 2.0.

Requests passing the _api parameter now require authorization. Learn more in Common REST.

Starting with IDM 7.3.0, unordered array comparison became the default behavior. For this release of IDM, ordered array comparison is the default behavior, restoring the default behavior from prior to IDM 7.3.0.

You can now use the comparison managed object schema configuration property to choose how JSON array comparisons are made with regard to array order.

Learn more about managed object schema properties and array comparison.

The Flowable embedded workflow engine has been upgraded to version 6.8.0. If you are upgrading from a previous version of IDM and use workflow, this upgrade requires one or more incremental upgrade scripts. For more information, refer to Upgrade an existing repository.

Schema fields defined as type array are required to have an item type defined as of IDM 7.4.0. IDM 7.5.0 defaults the item type to string to avoid startup issues if the type is not defined.

The sample secrets configuration (secrets.json) no longer includes the populateDefaults flag. It is safe to remove this from your secrets configuration.

Running IDM requires Java 17. For more information, refer to Java requirements.

MD5 and SHA-1 are supported for legacy reasons, but should not be used in production environments and have been removed from the Admin UI. For more information, refer to Salted hash algorithms.

The org.forgerock.openidm.secrets.config.FileBasedStore class has been deprecated and replaced by org.forgerock.openidm.secrets.config.KeyStoreSecretStore. The old class is currently an alias.

Previously, REST API requests without an Accept-API-Version header used the latest available API version for the resource. These requests now default to API version 1.0. The consent, scheduler/job, scheduler/trigger, and schema endpoints default to API version 2.0.

Requests passing the _api parameter now require authorization. Learn more in Common REST.

Starting with IDM 7.3.0, unordered array comparison became the default behavior. For this release of IDM, ordered array comparison is the default behavior, restoring the default behavior from prior to IDM 7.3.0.

You can now use the comparison managed object schema configuration property to choose how JSON array comparisons are made with regard to array order.

Learn more about managed object schema properties and array comparison.

You must upgrade to Java 17, which is required by Jetty 12, to run IDM 7.4.2. Learn more in Embedded Jetty configuration.

The Flowable embedded workflow engine has been upgraded to version 6.8.0. If you’re upgrading from a previous version of IDM and use workflow, this upgrade requires one or more incremental upgrade scripts. For more information, refer to Upgrade an existing repository.

If you try to run this version of IDM using an older release of JDK, the following error displays:

For a complete list of supported Java versions, refer to Java requirements.

When using IDM with a DB2 database, you previously had to create an OSGi-compliant driver. The driver included with DB2 is now compliant.

For more information, refer to:

Previously, REST API requests without an Accept-API-Version header used the latest available API version for the resource. These requests now default to API version 1.0. The consent, scheduler/job, scheduler/trigger, and schema endpoints default to API version 2.0.

Requests passing the _api parameter now require authorization. Learn more in Common REST.

Starting with IDM 7.3.0, unordered array comparison became the default behavior. For this release of IDM, ordered array comparison is the default behavior, restoring the default behavior from prior to IDM 7.3.0.

You can now use the comparison managed object schema configuration property to choose how JSON array comparisons are made with regard to array order.

Learn more about managed object schema properties and array comparison.

You must upgrade to Java 17, which is required by Jetty 12, to run IDM 7.3.2. Learn more in Embedded Jetty configuration.

The Flowable embedded workflow engine has been upgraded to version 6.8.0. If you’re upgrading from a previous version of IDM and use workflow, this upgrade requires one or more incremental upgrade scripts. For more information, refer to Upgrade an existing repository.

JSON array comparison during sync is now order-agnostic. This change may negate the need for certain custom scripts within mappings. For example, scripts that were previously required to sort ldapGroups values to avoid unnecessary target object updates.

Assignment attributes are now encrypted if the corresponding connector attribute indicates confidentiality, based on the attribute’s nativeType (such as JAVA_TYPE_GUARDEDSTRING or JAVA_TYPE_GUARDED_BYTE_ARRAY). As part of this change, the managed assignment object now includes the following property:

If attributeEncryption is not present, the assignment attributes are not encrypted. If the property is present but empty, it will default to IDM’s default encryption cipher. To specify a different cipher, add the cipher property. For example:

Additionally, secrets.json has a new secret: idm.assignment.attribute.encryption.

The default onDelete behavior previously called a file-based script, onDelete-roles.js. This has been removed from the managed object configuration.

IDM has upgraded to OSGi Core 8.0 and Felix Framework 7.0.0.

The samples that use the Java Message Service (JMS) have been upgraded to use the 2.0 API and Apache ActiveMQ Artemis:

Previously, illegal PATCH requests could return a 400 or 500 exception. In such cases, IDM now returns a 400 status.

The name property of a managed role is now subject to the uniqueness policy by default. This means that you cannot create multiple roles with the same name. To change this behavior, adjust the policy validation on the role property in your managed object configuration.

Previously, the defaultLocale specified in the Self-Registration Email Template configuration took precedence. As of IDM 7.2, locales specified as preferredLocales in the Accept-Language header take precedence over the defaultLocale.

Synchronization queue processing for a mapping is now paused if either the source or target system route are unregistered. For more information, see Configure queued synchronization.

Previously, you could use the Flowable workflow engine’s embedded H2 database for demo and testing purposes. IDM no longer includes this database. Before you use workflow, you must install a JDBC repository.

Learn more in Enable workflows.

The default JDBC Connection Configuration now uses the connection driver from MySQL 8.1 (com.mysql.cj.jdbc.Driver).

Previously, you could use the Flowable workflow engine’s embedded H2 database for demo and testing purposes. IDM no longer includes this database. Before you use workflow, you must install a JDBC repository.

Learn more in Enable workflows.

Previously, workflows would break when upgrading from version 7.0.2 to 7.1.0 of IDM, because of out-of-sync versions of the Flowable workflow engine. This is fixed in version 7.1.2 of IDM. If you’re upgrading IDM from version 7.0, please use IDM version 7.1.2 or higher.

For external DS repositories with explicitly mapped managed objects, the stored data format has changed for certain data types.

In IDM versions prior to 7.1, certain property values were always considered as strings, so the returned JSON format of a managed object would look something like this:

In IDM 7.1, these properties are returned with the correct data type, so a similar object in IDM 7.1 looks something like this:

This change doesn’t affect new deployments. If you’re upgrading an existing deployment with an external DS repository with explicit object mappings, you should test this change and adapt your scripts and REST API calls, as necessary.

This change affects the following data types:

The JsonStdoutAuditEventHandler is now pre-configured in the standard audit configuration, but is disabled by default.

Previously, to enable or disable audit handlers, you needed to modify conf/audit.json directly. Now, you can set the following properties in the resolver/boot.properties file to true or false:

Learn more in:

Previously, to enable or disable HTTP or HTTPS, you could modify conf/config.properties directly. Now, you can set the following properties in the resolver/boot.properties file to true or false:

Learn more in Property value substitution.

Previously, to change the Felix web console credentials, you could modify the conf/felix.webconsole.json file directly. Now, you can set the following properties in the resolver/boot.properties file:

Notifications are now disabled by default. Previously, to enable or disable notifications, you could modify the applicable conf/notificationType.json file directly. Now, you can set the following properties in the resolver/boot.properties file to true or false:

Learn more in Configure notifications.

The following files have been moved from the /path/to/openidm/conf/ directory:

Previously, API requests containing the validateProperty action to unknown resources or those with invalid POST body content could result in an invalid true response, or a generic 500 Internal Server Error. Both of these situations now return a 400 Bad Request Error with an explanation.

The default router.json file no longer includes system in the matching pattern.

Previously, you could use the Flowable workflow engine’s embedded H2 database for demo and testing purposes. IDM no longer includes this database. Before you use workflow, you must install a JDBC repository.

Learn more in Enable workflows.

The Activiti workflow engine has been replaced with Flowable. Current workflow definitions will continue to work with the new engine in compatibility mode, but all new workflow definitions must be written for Flowable. Learn more in Workflow definition comparison.

If you’re using MySQL for the workflow database, the following apply:

The default log message formatter has changed from ThreadIdLogFormatter to SanitizedThreadIdLogFormatter. The new default encodes control characters (such as newline characters) using URL-encoding, to protect against log forgery. Control characters in stack traces are not encoded. Learn more in Log message format.

In previous IDM releases, managed users were granted the openidm-authorized role as a relationship during user creation as part of the onCreateUser.js script. In IDM 7, users are granted the openidm-authorized role statically when they authenticate. Learn more in Authentication and roles.

The default relationship model for authzRoles and authzMembers has changed in this release. In the default configuration, a user’s authzRoles now references only the internal/role resource collection and not the managed/role. Conversely, an internal role’s authzMembers property now references only the managed/user resource collection.

The default schema configuration files have been amended to support this change. The managed/role collection has been removed from the authzRoles property on a managed user object and the internal/user collection has been removed from the authzMembers property on an internal role object.

Multiple resource collections for a single relationship field are not currently supported with a DS repository. For legacy reasons, Multiple resource collections will still work with a JDBC repository.

The INTERNAL_USER authentication module is no longer provided in the default authentication configuration.

This change means that any scripts you used previously to update internal user passwords in the IDM repository will need to be modified.

Monitoring using Prometheus is no longer achieved with a specific access role. The openidm/metrics/prometheus endpoint is now protected by a basic authentication filter, using credentials set in the resolver/boot.properties file. Learn more in Prometheus endpoint.

Properties stored in the repository with boolean (true/false) values are processed differently from this release. A property value is now considered false if its value is false or null. The value is considered true only if it is true, not if it is null. If you’re migrating from a previous IDM release, you might need to adjust your scripts to take this change into account.

effectiveRoles and effectiveAssignments are now calculated in IDM by default, using the new queryConfig property. The old method of using onRetrieve scripts will still work. The new queryConfig property is also available for use with other virtual properties. Learn more in Effective roles and effective assignments and Virtual properties.

You can now configure Gzip compression for HTTP responses in conf/jetty.xml. In previous IDM releases, compression was configured in conf/servletfilter-gzip.json. This file has been removed.

IDM 7 supports configurable hashing algorithms.

Enforcing temporal constraints on roles is now achieved through Java, rather than through the onSync-roles.js and postOperation-roles.js scripts. These scripts are still provided in openidm/bin/defaults/script/roles for backward compatibility.

To use the new Java-based functionality in existing deployments, change the role object in your managed object schema (conf/managed.json) by adding "isTemporalConstraint" : true to the "temporalConstraints" object. For example:

Learn more in Use temporal constraints to restrict effective roles.

The batch configuration for the JMS common audit handler for access logs has changed to support reconnection if the broker becomes unavailable.

This change adds a batch.writeInterval setting. It removes the following settings:

Learn more in Configure the JMS audit event handler.

The default audit configuration no longer includes the recon audit topic. You can enable it by adding the recon audit topic to the topics list in conf/audit.json for the event handlers you choose.

This change does not affect how auditing reconciliations works, just what the default configuration includes. No action is necessary unless you wish to have auditing on reconciliations enabled on a new installation. Learn more in Query the reconciliation audit log.

As a security precaution, the nativeType for userPassword properties has been changed to JAVA_TYPE_GUARDEDSTRING in all sample provisioner files for the LDAP connector. If you have customized provisioner files, you should change this property. For example, change:

Previous IDM versions included a global consent setting in conf/consent.json. This file included a single configuration property, enabled, which determined whether IDM should check any mappings where consent was enabled and prompt end users for consent.

This global consent setting and the corresponding consent.json file have been removed. If you have an existing consent.json file in your configuration, it will be ignored.

Consent is now assessed only on a per-mapping, per-object basis.

IDM 7 adds support for the latest version of MySQL Connector/J. If you’re using MySQL Connector/J version 8.0 or later, make sure your datasource.jdbc-default.json file includes a setting for the time zone in your jdbcUrl property:

Also, note the driverClass changed in MySQL Connector/J version 8.0, from com.mysql.jdbc.Driver to com.mysql.cj.jdbc.Driver. The previous driverClass name will still work for now, but should be updated to avoid it displaying a warning when starting up IDM.

The default security protocols for inbound connections to IDM are TLSv1.2 and TLSv1.3. Learn more in Jetty property reference.

Support for the TLSv1.1 protocol has been removed by default.

The address2 attribute has been removed from the managed object schema (conf/managed.json).

The following ICF and connector changes will have an impact on existing IDM deployments that use those connectors: