ForgeRock Access Management 5.1.1 is a maintenance release that includes a number of fixes.

New OAuth 2.0 Stateless Access Token Claim

AM 5.1.1 adds a new OAuth 2.0 stateless access token claim, "grant_type".

ForgeRock Access Management 5.1 is a maintenance release that introduces improvements. No new features are included.

ForgeRock Access Management 5 is a major release that introduces new features, functional enhancements, and fixes.

Reduced Metadata for Stateless OAuth 2.0 Tokens

AM now stores less metadata in the CTS when the server uses Stateless OAuth 2.0 tokens. This improvement does not render any existing OAuth 2.0 tokens invalid.

When you upgrade an AM server, the upgrade process enables Stateless Grant Token upgrade compatibility mode. This mode allows the CTS to store both former and current formats of Stateless OAuth 2.0 token metadata. The mode enables you to benefit from the improvement when performing a rolling, zero-downtime upgrade of an AM cluster.

After successfully upgrading all servers in the cluster, disable this mode on each AM server in one of the following ways:

Improved OIDC claimSupport

AM 5.1 adds support to the following OIDC claim request parameter specs:

Support for the request and request_uri OIDC Parameters

The request and request_uri Authorization Parameters enables OIDC requests to be passed as a JWT or a reference to a JWT that can be signed and/or encrypted, as specified in Section 6. Passing Request Parameters as JWTs of the OpenID Connect Core 1.0 incorporating errata set 1 specification.

The jwks_uri returns both the encryption and signing keys, for encrypting and signing the content of the request parameter before sending it to AM.

The OAuth 2.0 / OpenID Connect client and the OAuth2 Provider include new properties for controlling the signing and encrypting of the contents of the parameters.

For more information on these properties, see "OAuth 2.0 and OpenID Connect 1.0 Client Settings" in the OpenID Connect 1.0 Guide and "Advanced OpenID Connect" in the OpenID Connect 1.0 Guide.

OpenJDK Support

OpenJDK 8 is now a supported JDK for AM deployments.

The REST Authentication Endpoint now Supports MIME-Encoded UTF-8

You can now use UTF-8 user names and passwords in calls to the /json/authenticate endpoint.

For more information, see "Authentication and Logout" in the Authentication and Single Sign-On Guide.

The Default WS-Federation and SAML v2.0 IdP Attribute Mapper now Support Base64-encoded Binary Values for NameID

AM now lets you add a ;binary flag to a NameID Value Map attribute to indicate that it will be Base64-encoded before being added to the assertion. The mapping may resemble the following:

urn:oasis:names:tc:SAML:2.0:nameid-format:persistent=objectGUID;binary

Realm DNS Alias Management Improved

Editing the list of DNS aliases for a realm in the AM console now also applies appropriate changes to the advanced default server property com.sun.identity.server.fqdnMap.

For more information, see "To Configure DNS Aliases for Accessing a Realm" in the Setup and Maintenance Guide.

New 503 Error Page When CTS Store is Disconnected

AM now displays a new 503 error status page when the store used for CTS data is not available. Previously the XUI remained available to users, even though functionality would not work as expected.

Like other XUI pages, you can customize the 503 error page using the theme system. For more information, see the UI Customization Guide.

New OAuth 2.0 / OpenID Connect client JWKS URI Content Cache Timeouts

The JWKS content is cached to avoid loading URI content every time a token is encrypted or requires signature verification. AM 5 adds two new properties to the OAuth 2.0 / OpenID Connect client to define a timeout for the encryption and signature verification caches. See "OAuth 2.0 and OpenID Connect 1.0 Client Settings" in the OpenID Connect 1.0 Guide.

Reduced Metadata for Stateless OAuth 2.0 Tokens

AM now stores less metadata in the CTS when the server uses Stateless OAuth 2.0 tokens. This improvement does not render any existing OAuth 2.0 tokens invalid.

When you upgrade an AM server, the upgrade process enables Stateless Grant Token upgrade compatibility mode. This mode allows the CTS to store both former and current formats of Stateless OAuth 2.0 token metadata. The mode enables you to benefit from the improvement when performing a rolling, zero-downtime upgrade of an AM cluster.

After successfully upgrading all servers in the cluster, disable this mode on each AM server in one of the following ways:

LDAPv3Repos LDAP Servers are Now Stored as Comma-Separated Ordered Lists

For multiple data stores behind a load balancer deployment, AM now stores its servers as a comma-separated list, rather than orderedlist.

For example, given a site configuration, ID 02, with two servers, IDs 01 and 03. In previous releases (prior to AM ${am.software.version} and earlier), AM would store the servers as an orderedlist:

$./ldapsearch -p 51389 -D "cn=Directory Manager" -w cangetin -b "ou=services,dc=openam,dc=forgerock,dc=org" "objectclass=*"  > backup.ldif
$ grep "sun-idrepo-ldapv3-config-ldap-server" backup.ldif
sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=xxx.example.com:1389|01|02
sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=zzz.example.com:1389|01|02
sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=xxx.example.com:1389|03|02
sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=localhost:51389
sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=zzz.example.com:1389|03|02

Now, AM stores its multi-server configuration as a comma-separated ordered list:

$./ldapsearch -p 51389 -D "cn=Directory Manager" -w cangetin -b "ou=services,dc=openam,dc=forgerock,dc=org" "objectclass=*"  > backup.ldif
$ grep "sun-idrepo-ldapv3-config-ldap-server" backup.ldif
sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=[0]=xxx.example.com:1389|01|02,xxx.example.com:1389|03|02,localhost:51389,zzz.example.com:1389|01|02,zzz.example.com:1389|03|02

Changes to Acceptable Audience aud Values in OpenID Connect JWTs

The server will reject JWTs that do not have an audience (aud) value that contains one of the following values:

The previous behavior of sending both the client ID and token endpoint URL as audience values is no longer supported.

Do Not Enable org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH in Production

It is strongly recommended not to use the forward slash character in policy names. Users running AM servers on Tomcat and JBoss web containers will not be able to manipulate policies with the forward slash character in their names without setting the ‑Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true argument in the CATALINA_OPTS environment variable before starting the AM web container.

It is also strongly recommended not to enable the ALLOW_ENCODED_SLASH=true setting while running AM in production. Using this option introduces a security risk. See Apache Tomcat 6.x Vulnerabilities and the related CVE for more information.

If you have policy names with forward slashes after migration to AM 5.x, rename the policies so that they do not have forward slashes. Perform the following steps if you use Tomcat or JBoss as your AM web container:

Methods for Specifying Realms in REST and XUI URLs Changed

The methods for specifying the realm to target when using the REST API or making requests to the XUI have been altered.

Realm paths must be absolute and include the top-level realm, and DNS aliases and realms specified in the query string are no longer concatenated if used together – the query string overrides the DNS alias.

For information on specifying realms in XUI URLs, see "Specifying the Realm in the Login URL" in the Authentication and Single Sign-On Guide.

For information on specifying realms in REST API URLs, see "Specifying Realms in REST API Calls" in the Authentication and Single Sign-On Guide.

Upgraded Instances Will Use XUI User Interface

This version only supports the XUI user interface. Upgrading an instance will force use of the XUI, even if the upgraded instance had disabled it.

The option to disable the XUI has also been removed in this release.

For more information, see UI Customization Guide.

Stateless Post-Authentication Plugins

Releases prior to AM 5 implemented the Keep Authentication Module Objects for Logout Processing option in the Core Authentication module. When this option was enabled, AM maintained state information in server memory throughout a session's duration for post authentication plugin module instances. When logout was triggered, AM invoked the same post authentication plugin module instance with state information intact. Therefore, developers could access module state stored at login when users logged out.

In AM 5, post authentication plugin modules can not hold state as module state is never maintained in an AM server's memory. Post authentication plugins that relied on module state being maintained in AM's memory between login and logout must be rewritten. You can store any information that you want to save between login and logout in a session property. AM stores session properties in the CTS token store after login, and retrieves them from the token store as part of the logout process.

The Keep Authentication Module Objects for Logout Processing option in the Core Authentication module has been removed from AM 5.

Two Default Post-Authentication Plugin Classes Renamed

The following default post authentication plugin classes have been renamed:

Upgrading to AM 5 automatically converts these two post authentication plugin class names if they are defined in authentication chain properties and in Core Authentication module properties. If you have specified the old class names anywhere else in AM, you must update to the new class names manually.

Server Memory Configuration Changes

In previous releases of AM, stateful sessions were always stored in AM server memory. They were also optionally written to the CTS token store when AM was configured for session failover.

In AM 5, the CTS token store is the authoritative source for stateful sessions. Sessions can also be cached in AM server memory for performance.

The server property com.iplanet.am.session.maxSessions, which formerly specified the maximum number of sessions that could be held concurrently in AM server memory (including RADIUS client sessions), has been removed from AM 5. The maximum number of sessions that can be stored in the CTS token store is unconstrained.

You can use either or both of the following two new properties if needed:

CTS Reaper Cache

When an AM server modifies a token in the CTS store, it also takes the responsibility to delete it when it expires. To reduce the number of relatively slow queries to the CTS store to determine which tokens have expired, each AM server maintains a local cache of which tokens to delete, and when.

The new org.forgerock.services.cts.reaper.cache.size advanced property controls the size of the cache.

For more information, see "CTS Tuning Considerations" in the Installation Guide.

As part of these CTS tuning changes, the following properties have been removed from AM:

Entity Tag Virtual Attribute

To tune the CTS data store for a slight boost in throughput, you can disable the default virtual attributes, except for the Entity Tag virtual attribute, which is required.

Bootstrap File Change

The name and format of the file used to bootstrap AM has been changed. The JSON file, boot.json, replaces the bootstrap file.

Federation Navigation Link Replaced

The Federation link in the AM console's top navigation bar has been removed.

Some CTS OIDs Now Use the Custom Float2dp Data Type

The following CTS OIDs now use the new, custom Float2dp data type:

The Float2dp data type is a floating point number with the value d-2 in the DISPLAY-HINT clause. SNMP clients that handle the DISPLAY-HINT clause will correctly display the value as a floating point number with two decimal places. Other types of clients that do not handle the DISPLAY-HINT clause will incorrectly display the value as an integer that is one hundred times larger than the correct value.

All other CTS OIDs use the Counter64 data type, a standard data type returned by SNMP OIDs.

For more information, see "Core Token Service (CTS) Object Identifiers" in the Installation Guide.

.NET Fedlet Documentation Moved

The .NET Fedlet documentation is now a ForgeRock Knowledge Base article available to ForgeRock customers.

Sessions Navigation Link Replaced

The Sessions link in the AM console's top navigation bar has been removed.

A new XUI Sessions page is available in Realms > Realm Name > Sessions, and its functionality has changed as follows:

Push Authentication Level Attribute for Push Authentication Module Renamed

The authentication level attribute, forgerock-am-auth-push-auth-level, for the push authentication module has been renamed to forgerock-am-auth-authenticatorpush-auth-level.

Support for HttpOnly

HttpOnly support has been updated with the following features:

For more information, see "Configuring HttpOnly" in the Authentication and Single Sign-On Guide.

REST "sessionresource" Endpoint Changed

Starting with this release, the sessionresource endpoint no longer supports the queryId=server and queryId=list options.

The queryId=all option has also changed. The number of returned records is limited by the token store maximum page size. For example, a Directory Services 5 store has a a limit of 4000 records by default. Queries that would return more records than the limit will return no records, and an error.

You should use version 2 of the endpoint, which supports fine-grained querying to limit the number of session records returned from the token store.

The "Idtokeninfo endpoint requires client authentication" Option Now Applies to All Signing Algorithms

Starting with this release, if the "Idtokeninfo endpoint requires client authentication" option is enabled, all requests to the /oauth2/idtokeninfo endpoint must be authenticated, not just those that use HMAC-based signing.

For more information, see "OAuth2 Provider" in the OpenID Connect 1.0 Guide.

Support for External OpenDJ 2.6 Data Stores Reduced

OpenDJ 3.0 or later is now required for external configuration, UMA, and CTS data stores.

For more information, see "Data Store Requirements".

No features have been deprecated in this release.

No features have been deprecated in this release.

Realm Aliases Deprecated

The use of realm aliases is deprecated in this release.

DNS aliases remain unaffected.

For information on aliases, see "Setting Up Realms" in the Setup and Maintenance Guide.

Classic Logging Service Deprecated

The classic logging service is deprecated in this release.

For information on the replacement audit logging service, see "Introducing the Audit Logging Service" in the Setup and Maintenance Guide.

User-Managed Access v1.0 and v1.0.1 Deprecated

Support for UMA 1.0 and UMA 1.0.1 will be removed in a future version of ForgeRock Access Management. Features and functionality will be upgraded to support upcoming UMA standards.

For more information on deprecation, see "Release Levels and Interface Stability".

The ssoadm.jsp Page Is Deprecated

Deprecated REST APIs

The following table lists deprecated REST APIs and their newer equivalents:

HTTP Client Get() and Post() Scripting Methods Deprecated

The HTTP client methods get() and post() used when making HTTP calls from within scripts are deprecated. Use the send() method in their place.

For more information, see "Accessing HTTP Services" in the Development Guide.

JDK 7 Support Deprecated

Support for Oracle JDK 7 and IBM SDK 7 will be removed in a future version of ForgeRock Access Management.

OAuth2Saml2GrantSPAdapter Adapter Class Deprecated

The org.forgerock.openam.oauth2.saml2.core.OAuth2Saml2GrantSPAdapter adapter class used in service provider configurations to POST assertions to OAuth 2.0 authorization services will be removed in a future version of ForgeRock Access Management.

The ssoadm, ampassword, configurator.jar and upgrade.jar Tools Are Deprecated

Amster is replacing the ssoadm command and the configurator.jar, upgrade.jar, and ampassword tools, which will be removed in a future release of ForgeRock Access Management.

For more information about Amster, see the Amster documentation.

Client SDK Deprecated

The client SDK will be removed and replaced in a future version of ForgeRock Access Management.

The Classic JATO-Based UI Is Deprecated

The classic JATO-based UI is deprecated for the end-user pages and replaced in OpenAM with the JavaScript-based XUI as a replacement. The classic UI for end user pages is likely to be removed in a future release.

Listing Tokens With the /frrest/oauth2/token/?_queryId Method is Deprecated

Improved _queryFilter support will be added to replace the _queryId method.

The Device Print Service Is Deprecated

For information on replacement device identification features, see "Device ID (Match) Authentication Module" in the Authentication and Single Sign-On Guide.

OpenAM Logging and User Self Service Are Deprecated

The OpenAM Logging, User Self Service, and Password Reset Services are deprecated. The User Self Service has been renamed to Legacy User Self Service.

Deprecated REST APIs

The following table lists deprecated REST APIs and their newer equivalents:

No features have been removed in this release.

Relational Database Identity Repository (Early Access) Removed

The early access feature of storing identity data in a relation database has been removed from AM. This feature was only supported for test and development environments.

Server Configuration Properties Removed

The following server configuration properties have been removed from AM:

Session Service Secondary Configuration Settings Removed

With the removal of crosstalk between AM servers, the settings in Session Service secondary configuration are no longer needed. As a result, the ability to add a secondary configuration instance to the global Session Service has been removed from AM.

Session Trimming Setting Removed

With the removal of the session purge delay from AM, there is no longer a need to trim sessions being held for purge delay. Therefore, the Session Service's session trimming property is also being removed from AM.

Keep Authentication Module Objects For Logout Processing Option Removed

This option, formerly a property of the Core Authentication Service, is no longer available in AM.

Specifying Session Listeners On All Removed

Schema attribute iplanet-am-session-add-session-listener-on-all-sessions has been removed. The AddSessionListenerOnAllSessions is a PLL call that allows you to specify a URL to be notified when changes occur, such as logout. It was found that this setting only applied to sessions that the current server was aware of and would not persist after a server restart.

Existing user stores may still have the schema attribute. Leaving the attribute in the user stores does not cause any issues. If you want to update your directory schema, you can remove this schema attribute.

For example, if you are using a Directory Services 5 data store, you can update the schema attribute as follows:

$ ldapsearch -p 1389 -b cn=schema -s base "(&)" \+ | \
 grep 2.16.840.1.113730.3.1.1070
attributeTypes: ( 2.16.840.1.113730.3.1.1070 \
NAME 'iplanet-am-session-add-session-listener-on-all-sessions' DESC 'an example' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications \
X-SCHEMA-FILE '99-user.ldif' )

$ ldapmodify -p 1389 -D "cn=Directory Manager" -w password
dn: cn=schema
changetype: modify
delete: attributeTypes
attributeTypes: ( 2.16.840.1.113730.3.1.1070 NAME \
'iplanet-am-session-add-session-listener-on-all-sessions' DESC 'An example' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications \
X-SCHEMA-FILE '99-user.ldif' )
Processing MODIFY request for cn=schema
MODIFY operation successful for DN cn=schema

For more information, see AME-11448.

ssoadm Policy Commands Removed

The following policy commands have been removed from the ssoadm command:

For more information, see the AM Reference section ssoadm — configure AM core services in the Reference.

Safari for Windows No Longer Supported as Client Browser

For more information about supported clients, see "Supported Clients".

Liberty ID-FF Global Configuration Removed

Support for Liberty Identity Framework was deprecated in a previous version of AM.

OPENAM-11419: claim locale attribute ignored

OPENAM-11417: Claims result is empty when not defining the values claim attribute

OPENAM-11350: SAML2 IDPEntry XML element contains content violates SAML2 XML schema

OPENAM-11340: Password grant flow is failing after fix of OPENAM-10782

OPENAM-11309: "Supported Claims" and "Supported Scopes" are not hot swappable

OPENAM-11300: OIDC request parameter is failing when message level is enabled

OPENAM-11293: ODSEE ldif incorrectly identifies the pushDeviceProfile location

OPENAM-11280: authentication with noSession=true fails if post authentication plugin class is present

OPENAM-11273: Claims parameter is expected to be URL encoded twice

OPENAM-11272: The OIDC RSA JWKS modulus has an extra octet

OPENAM-11217: SAML2 Authentication module is not invoking custom SP Adapter class implementing a preSingleSignOnRequest() method.

OPENAM-11196: Incorrect debug logging level used in FMEncProvider.getEncryptionKey

OPENAM-11139: Orphaned NOTIFICATION tokens are not deleted from the CTS

OPENAM-11109: Any tabbed json editor view with realm level properties is not displaying the values correctly

OPENAM-11057: Global User Self Service UI does not display values

OPENAM-10782: endSession with an id_token generated from a refresh_token request does not destroy the session

OPENAM-10578: Stateless access token doesn't contain the grant type

OPENAM-10129: OAuth2 Device flow - user code verification is case insensitive

OPENAM-8270: Using client_credentials Grant type with openid scope returns User must be authenticated to issue ID tokens.

OPENAM-6252: Sporadic error on ssoadm commands

OPENAM-5153: Auth modules should call setAuthLevel after successful login

OPENAM-5152: AMAuthLevelManager miscalculates auth level

OPENAM-11179: OIDC Request Object MAY be encrypted and AM should allow this

OPENAM-11125: Request Uris needs to be optional in the schema

OPENAM-11114: Dynamic registration for userinfo is broken, due to request parameter overriding the JWS algorithm

OPENAM-11113: Request parameters fails if you had "none" to the "Request parameter Signing Algorithms supported"

OPENAM-11111: Need better error handling if the client ID in the request parameter doesn't exist.

OPENAM-11107: Request parameter should accept JWT without issuer or audience

OPENAM-11037: The AS issuer ID is the client id

OPENAM-11034: OpenAM 14.0.0 (AM5) ssoadm create-realm error

OPENAM-10882: Unable to import/export XACML policy using ssoadm when ScriptCondition is used

OPENAM-10585: The "claims" Request Parameter from the openid standard isn't functional

OPENAM-10346: Audit logging entries missing if federation changes are done using ssoadm command in sub-realms.

OPENAM-9717: TimerPool deadlock on ssoadm shutdown (client SDK)

OPENAM-10570: Add support for the SAML2_CONFIG component in FedletConfigurationImpl

OPENAM-10444: FMSessionProvider should adhere to setCookieToAllDomains setting

OPENAM-10429: oauth2/authorize consent page (authorize.json) should take locale headers into account

OPENAM-10388: Allow message from auth module to be returned when resource owner auth failed with grant_type=password

OPENAM-10316: Remove error from Maven build on openam-ui-ria for Windows

OPENAM-10207: Authorize sending both HTTP Basic Auth credentials and client_id if client secret is not defined

OPENAM-10144: Add introspection endpoint in .well_known discovery

OPENAM-9555: Persistent Cookie should set username in shared state

OPENAM-9536: Reduce size of stateless sessions

OPENAM-9460: Include SOAP STS WAR in OpenAM Distribution Zip

OPENAM-9454: Allow the .NET Fedlet to be serialized and stored in session state

OPENAM-9366: Install.log doesn't contain timestamps, which block performance issue investigation

OPENAM-9234: Add health check for the SOAP STS

OPENAM-8983: introspect endpoint shouldn't be limited to the same client as token

OPENAM-8836: Realm alias in XUI Admin Console should be reflected in fqdnMap

OPENAM-8790: Better error message when resource owner auth failed with grant_type=password

OPENAM-8772: Soap STS application token should retry if an operation failed

OPENAM-8627: Provide support for more XML signatures types in .NET fedlet

OPENAM-8581: JSON REST authenticate should return 401 for session timed out error

OPENAM-8560: CTS should use replace rather than delete/add for single valued attributes

OPENAM-8210: Enhance CTS to persist tokens across multiple OpenDJ instances rather than a single primary OpenDJ instance by some form of sharding

OPENAM-8078: Develop a REST endpoint that returns all sessions for a user

OPENAM-6360: Send notifications for sessions even when the authoritative server is down

OPENAM-5969: Allowing RequesterID chain when using SAML2 Idp Proxy

OPENAM-5802: Import of policies should import application and resource type information as well

OPENAM-5114: User should be able to rename or clone an existing Application containing policies without first deleting the policies

OPENAM-2632: RFE: The identity/authorize REST API should be able to consume an OAuth2 access token

OPENAM-2346: RFE: OAuth2 Resouce Owner Password Grant should support service and module auth parameters

JCEKS Keystore Support for User Self-Services

In OpenAM 13.0.0, the user self-service feature is stateless, which means that the end-user is tracked and replayed by an encrypted and signed JWT token on each AM instance. It also generates key pairs and caches its keys locally on the server instance.

In a multi-instance deployment behind a load balancer, one server instance with the user self-services enabled will not be able to decrypt the JWT token from the other instance due to the encryption keys being stored locally to its server.

OpenAM 13.5.0 and newer solve this issue by providing a JCEKS keystore that supports asymmetric keys for encryption and symmetric keys for signing. Users who have installed OpenAM 13.0.0 and enabled the user self-service feature will need to run additional steps to configure a JCEKS keystore to get the user self-service feature operating after an upgrade.

For specific instructions to configure the JCEKS keystore, see "Configuring Keystores" in the Setup and Maintenance Guide.

Cached JavaScript Files from OpenAM 12.0.0 May Cause Redirect to undefined:8080

If you configure an OpenAM 12.0.0 instance with long-lived cache times for the /XUI/index.html file, you may experience unexpected redirects to undefined:8080 after upgrading.

To work around this issue, in your chosen web container, or proxy server, reconfigure the cache time for the /XUI/index.html file to be short-lived, for example, 5 minutes. Allow enough time that cached files with the long-lived cache time will have expired before upgrading.

RADIUS Service Only Supports Commons Audit Logging. The new RADIUS service only supports the new Commons Audit Logging, available in this release. The RADIUS service cannot use the older Logging Service, available in releases prior to OpenAM 13.0.0.

Administration Console Access Requires the RealmAdmin privilege

In this version of AM, administrators can use the AM console as follows:

OAuth2 Scopes Behavior Affected by Upgrade

After an upgrade from OpenAM 12.0.x, OAuth v2.0 scope behavior uses a deprecated implementation class, org.forgerock.openam.oauth2.provider.impl.ScopeImpl.

The workaround is to manually update the OAuth v2.0 providers to use the org.forgerock.openam.oauth2.OpenAMScopeValidator.

For background information, see OPENAM-6319.

Supported ID Token Algorithms and Methods not Updated After Upgrade

AM 14 adds additional algorithms and methods for encrypting ID tokens. Performing an upgrade from OpenAM 13.5 does not add these new values to the affected properties.

After upgrade, navigate to Realm Name > Services > OAuth2 Provider > OpenID Connect, and manually update the ID Token Encryption Algorithms supported and ID Token Encryption Methods supported properties.

For more information on the available algorithms and methods, see "Encrypting OpenID Connect ID Tokens" in the OpenID Connect 1.0 Guide.

Different AM Version Within a Site

Do not run different versions of AM together in the same AM site.

Avoid use of Special Characters in Policy or Application Creation

Do not use special characters within policy, application or referral names (for example, "my+referral") using the Policy Editor or REST endpoints as AM returns a 400 Bad Request error. The special characters are: double quotes ("), plus sign (+), command (,), less than (<), equals (=), greater than (>), backslash (\), and null (\u0000). (OPENAM-5262)

XACML Policy Import and Export

AM can only import XACML 3.0 files that were either created by an AM instance, or that have had minor manual modifications, due to the reuse of some XACML 3.0 parameters for non-standard information.

Custom Profile Attributes Are Not Visible in the User Profile Only With the XUI

Custom profile attributes do not appear in the user profile when users log in to AM using the XUI.

OPENAM-11360: OAuth2 ClientID and password URL decoded as per RFC-6749

OPENAM-11349: Assigning a service to ActiveDirectory user will throw NPE

OPENAM-11225: idpSingleLogoutRedirect throws 500 error SLO

OPENAM-11177: Scripted auth module can not be used in auth chain if the username in sharedstate map does not 'match' the search attribute of the data store

OPENAM-11172: Upgrade from 12.x to 13.5 fails with Module type : Device Id (Match) in the nested sub realm

OPENAM-11167: <ActualLockoutDuration> is not updated in the attribute sunStoreInvalidAttemptsData

OPENAM-11159: OpenAM Amster export/import for Site have import errors

OPENAM-11154: Memory leak in SMSEventListenerManager#subNodeChanges

OPENAM-11101: Clicking on Social Auth Icon redirects to user profile

OPENAM-5108: ESAPI.validator() in fedletXACMLQuery.jsp fails

OPENAM-11217: SAML2 Authentication module is not invoking custom SP Adapter class implementing a preSingleSignOnRequest() method.

OPENAM-11210: IDP Proxy does not set sticky cookie before redirect AuthnRequest to IDP

OPENAM-11198: Supported ID token encryption algorithms are missing after upgrade from OpenAM 13.5.0

OPENAM-11196: Incorrect debug logging level used in FMEncProvider.getEncryptionKey

OPENAM-11172: Upgrade from 12.x to 13.5 fails with Module type : Device Id (Match) in the nested sub realm

OPENAM-11141: HTML page title is not localised

OPENAM-11115: Push authentication should use alias attributes to find identities

OPENAM-11073: content of storepass and keypass files for boostrapping is not trimmed

OPENAM-11012: Monitoring count for authentication success not counted for OAuth2 password grant

OPENAM-10869: SAML2 Authentication module return "Unable to link local user to remote user" ambiguous.

OPENAM-10717: Encryption algorithms and encryptions methods don't all work out of the box

OPENAM-10481: Default JWKS_URI of an OpenID provider doesn't allow signing key rotation

OPENAM-10467: RFC7662: oauth2/introspect OpenAM returns token_type not as Bearer

OPENAM-9808: Forgot Username self-service can return "username" that might not be the same as login "username"

OPENAM-9798: CTS Query element order should be optimised

OPENAM-9447: OAuth2 client has different default values for clean installation and upgraded AM from 13.0.0 to 13.5

OPENAM-9112: Audit logging outputs errors in debug log under high load

OPENAM-8862: ServiceProvider (SP) meta data import succeeds with incorrect encryption key size

OPENAM-8831: Accessing policy editor through a subrealm DNS alias displays the policies for that subrealm independently of the realm selected

OPENAM-8336: XUI+REST authentication with chains must have sticky load balancing

OPENAM-7836: User Self Service forgottenPassword endpoint throws HTTP 500

OPENAM-5984: The XUI is unhappy when the CORS filter is enabled

OPENAM-4713: Can't use Common Tasks wizards when logged in as a delegated administrator

OPENAM-4040: SSO failure between SPs in separate CoTs with same hosted IDP

OPENAM-1194: Unable to get AuthnRequest error in multiserver setup