Notes covering new features, fixes and known issues in ForgeRock® Access Management. ForgeRock Access Management provides authentication, authorization, entitlement, and federation software.


Read these release notes before you install ForgeRock Access Management or update your existing installation.

The information contained in these release notes covers prerequisites for installation, known issues and improvements to the software, changes and deprecated functionality, and other important information.

About ForgeRock Identity Platform™ Software

ForgeRock Identity Platform™ serves as the basis for our simple and comprehensive Identity and Access Management solution. We help our customers deepen their relationships with their customers, and improve the productivity and connectivity of their employees and partners. For more information about ForgeRock and about the platform, see

Chapter 1. What's New

This chapter covers the new features and improvements made in the current release of ForgeRock Access Management.

1.1. Maintenance Releases

AM 6.5.1
  • ForgeRock maintenance releases contain a collection of fixes and minor RFEs that have been grouped together and released as part of our commitment to support our customers. AM 6.5.1 is the latest release targeted for AM 6.5 deployments and can be downloaded from the ForgeRock Backstage website. To view the list of fixes in this release, see Key Fixes in AM 6.5.1.

    The release can be deployed as an initial deployment or updated from an existing 6.5 deployment, see "Supported Upgrade Paths". AM 6.5 is available for download at the ForgeRock Backstage website.

    For general information on ForgeRock's maintenance and patch releases, see Maintenance and Patch Availability Policy.

1.2. New Features

What's New in AM 6.5.1
  • OAuth 2.0 Mutual TLS (mTLS) Support

    AM 6.5.1 adds support for draft 12 of the OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens specification, a key component of ForgeRock's Open Banking and Revised Payment Services Directive (PSD2) support.

    For information about authenticating an OAuth 2.0 client using mTLS certificates, see "Authenticating Clients Using Mutual TLS" in the OAuth 2.0 Guide.

    For information about issuing certificate-constrained OAuth 2.0 access tokens, see "Certificate-Bound Proof-of-Possession" in the OAuth 2.0 Guide.

  • New Extension Point to Customize Public Key ID (kid)

    By default, AM generates a key ID (kid) for each public key exposed in the jwk_uri URI when AM is configured as an OAuth 2.0 authorization server.

    AM 6.5.1 introduces a new extension point, KeyStoreKeyIdProvider, to customize the key ID values associated with public keys stored in keystore secret stores.

    For more information, see "Customizing Public Key IDs" in the Setup and Maintenance Guide.

  • OAuth 2.0 Dynamic Client Registration Management Protocol (RFC7592) Fully Supported

    AM 6.5.1 adds support for OAuth 2.0/OpenID Connect clients to edit and delete their client profile data as per RFC7592.

    Earlier versions of AM offered support for read operations only.

    For more information, see "Dynamic Client Registration Management" in the OAuth 2.0 Guide.

  • Updated Versions of the Admin Tools and Configurator Tools Utilities

    AM 6.5.1 also includes an updated version of the Admin Tools ( and the Configurator Tools ( utilities. These upgraded versions of the tools fix an issue that could cause ssoadm to malfunction when run on JDK 11 or JDK 1.8.0_192+ (see Known Issues in AM 6.5). You can download these versions from the ForgeRock Backstage website.

What's New in AM 6.5

ForgeRock Access Management 6.5 is a major release that introduces new features, functional enhancements, and fixes.

  • Secret Stores

    AM introduces secret stores, which are repositories for cryptographic keys, key pairs, and credentials, such as passwords. The OAuth2 providers and the Persistent Cookie Module now use secret stores.

    AM 6.5 adds support for the following secret store types:

    • Keystore

      AM supports a number of different keystore formats, including JCEKS, JKS, PKCS11, and PKCS12. AM allows key rotation within keystore secret stores.

    • File System Secret Volumes

      AM supports secrets that are stored as files in defined folders. For example, in a cloud deployment you could mount a secret volume that AM can access.

    • Hardware Security Modules (HSM)

      AM supports retrieval of secrets from hardware security modules, either locally or over the network.

    AM also supports secrets stored as environment or system properties.

    After an upgrade to AM 6.5, the following secret stores are deployed and configured for you:

    • default-keystore

    • default-password-store

    If you had Persistent Cookie authentication modules or OAuth 2.0 Providers configured, AM will perform extra tasks to ensure that the upgrade configures your secret stores correctly.

    For more information, see "Setting Up Secret Stores" in the Setup and Maintenance Guide.

  • Added Support for Web Authentication (WebAuthn)

    AM 6.5 adds support for Web Authentication, which allows users to authenticate by using an authenticator device as a second factor, for example the fingerprint scanner on their laptop or phone.

    For more information about Web Authentication, see "About Web Authentication (WebAuthn)" in the Authentication and Single Sign-On Guide.

    For information about the parts of the Web Authentication specification that are not currently supported, see Web Authentication (WebAuthn) Limitations.

  • Added Support for External Policy and Applications Configuration Store

    AM 6.5 adds support for using external DS directory servers instead of the embedded instance for storing the following data:

    • Policy data. Policy-related data, such as policies, policy sets, and resource types.

    • Application data. Application-related data, such as web and Java agent configuration, federation entities and configuration, and OAuth 2.0 client definitions.

    For more information, see "Preparing Policy and Application Stores" in the Installation Guide.

  • Added Support for the Directory Services Entry Expiration and Deletion Feature to Manage CTS Tokens

    AM 6.5 adds support to configure the DS entry expiration and deletion feature to manage CTS tokens. This configuration frees AM resources in the AM servers that can then be used for policy or authorization requests.

    Two possible configurations are supported:

    • DS manages the time to live for all tokens in the CTS and the AM CTS reaper is disabled.

      Disabling the AM CTS reaper entirely affects session-related functionality, such as sending notifications about session expiration or session timeout to agents.

    • The AM CTS reaper manages a subset of the tokens in the CTS, usually the SESSION tokens, while DS manages the non-session tokens.

      This configuration ensures your environment can still make use of all session functionality, while benefiting from DS's capabilities as well.

    For more information, see "Configuring the CTS Reaper" in the Installation Guide.

  • Improved CTS Storage Scheme for OAuth 2.0 tokens

    AM 6.5 introduces a new scheme for storing OAuth 2.0 tokens in the CTS store, called the grant-set scheme.

    The grant-set scheme groups multiple authorizations for a given OAuth 2.0 client and resource owner pair and stores them in a single CTS OAUTH2_GRANT_SET entry. This implementation reduces the size and quantity of entries stored, as well as the number of calls required to perform OAuth 2.0 operations.

    The one-to-one scheme, which stores the state of multiple authorizations for a given OAuth 2.0 client and resource owner pair across multiple entries, will be removed in a future release. You should switch to the grant-set scheme once all the servers in your environment have been upgraded to AM 6.5 or later.

    The grant-set scheme is backwards-compatible with existing entries stored in the CTS store. Therefore, any access or refresh token issued before configuring the grant-set scheme is still valid. Existing tokens will be retained in their original form until the refresh token expires or it is actively revoked.


    AM 6.5 also introduces a new "cts" claim for OAuth 2.0 access tokens. This claim allows AM to identify the storage schema for the presented token.

    If the claim is not present, for example, for tokens issued before the grant-set feature was introduced in this release, then the previous storage scheme is selected. If the claim is present, AM selects the correct storage scheme for that particular token. This claim was added to keep AM backwards-compatible with previously issued access tokens.

    Users will not notice any change in the tokens they receive, and there is no change to the OAuth 2.0 endpoints.

    To enable the grant-set scheme, navigate to Configure > Global Services > OAuth2 Provider > Global Attributes and set the CTS Storage Scheme drop-down to Grant-Set Storage Scheme. Then, save your changes.

    New OAuth 2.0 tokens stored in the CTS after the change will use the new scheme automatically.

  • Added Support for Customizing User-Facing OAuth 2.0 Pages

    AM 6.5 now supports the logo_uri, client_uri, and policy_uri parameters for OAuth 2.0 clients as defined in RFC 7591.

    Use these parameters to customize the OAuth 2.0 user-facing pages. For more information, see "Advanced" in the OAuth 2.0 Guide.

  • New OAuth 2.0 Provider Properties Added

    AM 6.5 adds a number of new OAuth 2.0 Provider properties, as follows:

    • Properties for controlling the supported signing and encryption algorithms and methods.

    • A property for controlling the supported signing algorithms for the private_key_jwt JWT-based authentication method.

    • A property for controlling the supported grant types.

    For more information about the properties available in OAuth 2.0 providers, see "OAuth2 Provider" in the OAuth 2.0 Guide.

  • New Authentication Nodes Added

    AM 6.5 introduces the following authentication nodes, in addition to the nodes added for Web Authentication (WebAuthn) and for displaying device recovery codes:

  • Added Support for Audit Logging to a PostgreSQL Database

    AM 6.5 adds support for recording audit events to a PostgreSQL database. An SQL script is provided to help in setting up the required tables.

    For information, see "Implementing JDBC Audit Event Handlers" in the Setup and Maintenance Guide.

1.3. Major Improvements

Improvements in AM 6.5.1
  • Transactional Authorization Can Return HTTP 401 Messages on Authentication Failure

    In earlier versions of AM, a transactional authorization advice that failed due to invalid credentials always returned an HTTP 200 message.

    Then, the user would be redirected to the protected resource, where policy evaluation would fail.

    AM 6.5.1 introduces a new advanced server property to control whether transactional authorization should return an HTTP 200 or an HTTP 401 message depending on the needs of your environment.

    In both cases, users cannot access the protected resources when they fail to complete the required actions during transactional authorization.

    For more information, see the org.forgerock.openam.auth.transactionalauth.returnErrorOnAuthFailure advanced server property.

  • New OpenID Connect Authentication Node Added

    AM introduces an OpenID Connect authentication node for authenticating users from an OpenID Connect-compliant identity provider. For more information, see "OpenID Connect Node" in the Authentication and Single Sign-On Guide.

  • Option for isInitiator=false to WDSSO Configuration

    AM 6.5.1 now implements the JDK isInitiator parameter in the AM WDSSO module, which is used for the JDK Kerberos LoginModule. If set to True, it will be in an initiator role. If set to False, it will be in an acceptor role. Default is true.

    For more information, see "Windows Desktop SSO Authentication Module Properties" in the Authentication and Single Sign-On Guide.

  • Allow XForwardedHeadersBaseURLProvider to Fall Back to Host Header

    When using SSL offloading in the Google Cloud Environment (GCE), the x-forwarded-for and x-forwarded-proto headers are added, but previously, the x-forwarded-host header was not automatically added. This caused origin mismatch failures in web authentication trees.

    AM 6.5.1 now allows the XForwardedHeadersBaseURLProvider to fall back to the Host header if X-Forwarded-Host is not present.
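    The following Python models the fallback just described; it is an added illustration, not AM's own XForwardedHeadersBaseURLProvider code. The trusted_proxies check and the sample headers are assumptions of this example.

```python
"""Base URL derivation from X-Forwarded-* headers with a Host fallback.

Added example (not AM code). Models the behaviour described in the text:
prefer X-Forwarded-Proto / X-Forwarded-Host, fall back to Host when
X-Forwarded-Host is absent. The trusted_proxies parameter is an assumption
of this illustration: forwarded headers are only believed when the request
arrived from a known proxy, so a direct client cannot forge them.
"""
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit


class BaseUrlError(ValueError):
    pass


def _first(value):
    """Chained proxies may comma-join X-Forwarded-* values; use the first hop."""
    return value.split(",")[0].strip()


def base_url(headers, remote_addr, trusted_proxies, default_scheme="http"):
    """Return scheme://host[:port] for the request, or raise BaseUrlError."""
    h = {k.lower(): v for k, v in headers.items()}
    trusted = any(ip_address(remote_addr) in ip_network(n) for n in trusted_proxies)

    if trusted and h.get("x-forwarded-proto"):
        scheme = _first(h["x-forwarded-proto"]).lower()
    else:
        scheme = default_scheme
    if scheme not in ("http", "https"):
        raise BaseUrlError(f"unexpected scheme {scheme!r}")

    host = None
    if trusted and h.get("x-forwarded-host"):
        host = _first(h["x-forwarded-host"])
    elif h.get("host"):
        host = _first(h["host"])  # the fallback added in AM 6.5.1
    if not host:
        raise BaseUrlError("neither X-Forwarded-Host nor Host is present")

    # Accept only a bare authority: no path, no userinfo, no fragments.
    parts = urlsplit(f"{scheme}://{host}")
    if parts.netloc != host or parts.path or "@" in host:
        raise BaseUrlError(f"malformed host {host!r}")
    return f"{scheme}://{host}"


# Constructed sample of what an SSL-offloading proxy like the one in the text
# sends: X-Forwarded-For and X-Forwarded-Proto, but no X-Forwarded-Host.
GCE_STYLE_HEADERS = {
    "Host": "am.example.com",
    "X-Forwarded-For": "203.0.113.10",
    "X-Forwarded-Proto": "https",
}

if __name__ == "__main__":
    print(base_url(GCE_STYLE_HEADERS, "10.0.0.5", ["10.0.0.0/8"]))
```

    With the sample headers the origin resolves to https://am.example.com, so a WebAuthn relying party computed from it matches what the browser saw.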

  • More Data Added to Scripted Node Decision Binding

    AM 6.5.1's scripted decision node now provides additional access to the following objects:

    • sharedState

    • transientState

    • callbacks

    • requestHeaders

    • logger

    • httpClient

    • realm

    • existingSession (if it exists)

  • JWK Key "use" Updated to Include "tls" Type

    AM 6.5.1 now includes a "tls" type as a supported value for the JSON Web Key (JWK)'s use parameter, which specifies the intended use of the public key. Possible values are: sig, enc, and tls.

  • Support for Dynamic Registration PUT

    AM 6.5.1 supports a Dynamic Registration PUT to allow a registered OIDC client to update its registration.

  • Scripted Authentication Nodes Can Access Additional Functionality

    AM 6.5.1 adds support for the scripted authentication node to use callbacks, and additional features, such as access to transientState.

    For more information, see "Scripted Decision Node API Functionality" in the Authentication and Single Sign-On Guide.

Improvements in AM
  • OIDC Claims Script Support

    Additional support has been added to allow httpClient within the OIDC Claims script, if desired.

Improvements in AM 6.5
  • OAuth 2.0/ OpenID Connect 1.0

    • OAuth 2.0 Clients can be Restricted to a Particular OAuth 2.0 Grant Flow

      In earlier versions of AM, OAuth 2.0 clients could not be restricted to use a particular OAuth 2.0 grant flow and supported any OAuth 2.0 flow without any special configuration.

      OAuth 2.0 clients created in AM 6.5 are assigned the Authorization Code Grant flow by default. You must configure the client if it requires a different flow by navigating to Realms > Realm Name > Applications > OAuth 2.0 > Client Name > Advanced, and then editing the Grant Types field.

      After an upgrade to AM 6.5, all grant flows are added to existing clients to maintain backwards compatibility.

      For more information, see "OAuth 2.0 and OpenID Connect 1.0 Client Settings" in the OAuth 2.0 Guide.

    • Improved Support for PKCE

      In earlier versions of AM, the OAuth 2.0 Provider service could be configured to either require a PKCE code in all client requests, or to not require a code. This configuration was not very flexible for environments with both private clients and public clients.

      AM 6.5 allows configuring the OAuth 2.0 Provider service to specify which clients are required to present a PKCE code. To configure this feature, navigate to Realms > Realm Name > Services > OAuth2 Provider > Advanced, and select one of the following options in the Code Verifier Parameter Required drop-down field:

      • All requests. All clients must present a PKCE code.

      • Requests from all public clients. All public clients must present a PKCE code.

      • Requests from all passwordless public clients. All passwordless public clients must present a PKCE code.

      • No requests. No clients are required to present a PKCE code.

      If a client makes a call to AM with the code_challenge parameter, AM will honor the code exchange regardless of the configuration of the Code Verifier Parameter Required field.
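      The following Python is an added example (not AM's code) that works through the four enforcement levels above together with the RFC 7636 S256 verifier check; the client categories and function names are assumptions made for this illustration.

```python
"""PKCE enforcement levels plus the RFC 7636 code_verifier check.

Added example, not AM's implementation. The four PkceRequired values mirror
the options of the Code Verifier Parameter Required field; the client model
(public / has_secret) and the function names are assumptions of this example.
"""
import base64
import hashlib
import hmac
import secrets
from enum import Enum


class PkceRequired(Enum):
    ALL_REQUESTS = "all"
    ALL_PUBLIC_CLIENTS = "public"
    PASSWORDLESS_PUBLIC_CLIENTS = "passwordless_public"
    NO_REQUESTS = "none"


def pkce_required_for(setting, is_public, has_client_secret):
    """True when the provider setting obliges this client to send code_challenge."""
    if setting is PkceRequired.ALL_REQUESTS:
        return True
    if setting is PkceRequired.ALL_PUBLIC_CLIENTS:
        return is_public
    if setting is PkceRequired.PASSWORDLESS_PUBLIC_CLIENTS:
        return is_public and not has_client_secret
    return False


def make_code_challenge(verifier):
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_code_verifier():
    """43 unreserved characters, inside the 43..128 range RFC 7636 requires."""
    return secrets.token_urlsafe(32)


def check_token_request(setting, client, stored_challenge, code_verifier):
    """Decide whether a token request passes the PKCE rules.

    stored_challenge: code_challenge captured at /authorize (None if absent)
    code_verifier:    value sent with the token request (None if absent)
    Returns (ok, reason).
    """
    required = pkce_required_for(setting, client["public"], client["has_secret"])
    if stored_challenge is None:
        if required:
            return False, "code_challenge missing but required for this client"
        return True, "PKCE not required and not used"
    # A challenge was sent at /authorize, so it is honoured whatever the
    # setting says: the verifier must now be present and must match.
    if code_verifier is None:
        return False, "code_verifier missing"
    if not 43 <= len(code_verifier) <= 128:
        return False, "code_verifier length out of range"
    expected = make_code_challenge(code_verifier)
    if not hmac.compare_digest(expected, stored_challenge):
        return False, "code_verifier does not match code_challenge"
    return True, "PKCE verified"


# Constructed sample clients for the illustration.
CONFIDENTIAL = {"public": False, "has_secret": True}
PUBLIC_WITH_SECRET = {"public": True, "has_secret": True}
PASSWORDLESS_PUBLIC = {"public": True, "has_secret": False}
```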

  • Client-based Refresh Tokens are Now Whitelisted

    Client-based refresh tokens now have corresponding entries in a CTS whitelist, rather than a blacklist. When presenting a client-based refresh token AM will check that a matching entry is found in the CTS whitelist, and prevent reissue if the record does not exist.

    Adding a client-based OAuth 2.0 token to the blacklist will also remove associated refresh tokens from the whitelist.

    For more information on revoking client-based tokens, see "Configuring Client-Based OAuth 2.0 Token Blacklisting" in the OAuth 2.0 Guide.

1.4. Security Advisories

ForgeRock issues security advisories in collaboration with our customers and the open source community to address any security vulnerabilities transparently and rapidly. ForgeRock's security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.

For details of all the security advisories across ForgeRock products, see Security Advisories in the Knowledge Base.

Chapter 2. Before You Install

This chapter covers software and hardware prerequisites for installing and running ForgeRock Access Management server software.

ForgeRock supports customers using the versions specified here. Other versions and alternative environments might work as well. When opening a support ticket for an issue, however, make sure you can also reproduce the problem on a combination covered here.

2.1. Files to Download

AM software is available at "AM Software" describes the files available for download.

AM Software

Cross-platform distribution including all software components.

For a list of the files in the .zip archive, see "Obtaining Software" in the Installation Guide.


Deployable web application archive file.

The .zip file that contains tools to manage AM from the command line.

The .zip file that contains tools to configure AM from the command line.

2.2. Operating System Requirements

ForgeRock supports customers using ForgeRock Access Management server software on the following operating system versions:

Supported Operating Systems
  Operating System                   Versions
  Red Hat Enterprise Linux, CentOS   6, 7
  Amazon Linux                       Amazon Linux 2, Amazon Linux 2017.09, Amazon Linux 2018.03
  Ubuntu                             14.04 LTS, 16.04 LTS, 18.04 LTS
  Solaris x64                        10, 11
  Solaris Sparc                      10, 11
  Windows Server                     2012 R2

2.3. Web and Java Agents Platform Requirements

The following table summarizes the minimum required version of web and Java agents:

Minimum Agent Version Required
  Web Agents    5.0.1
  Java Agents   5.0.1

AM supports several versions of web agents and Java agents. For supported container versions and other platform requirements related to agents, refer to the ForgeRock Access Management Web Agents Release Notes and the ForgeRock Access Management Java Agents Release Notes.

2.4. Java Requirements

The following table lists supported Java versions:

JDK Requirements
  Oracle JDK                                            8, 11 [a]
  IBM SDK, Java Technology Edition (WebSphere only)     8
  OpenJDK                                               8, 11 [a]

[a] Federation-related pages do not display when using Java 11. For more information, see the Knowledge Base.

2.5. Web Application Container Requirements

The following table summarizes supported application containers and their required versions:

Web Containers
  Web Container                          Versions
  Apache Tomcat                          7, 8.5, 9
  Oracle WebLogic Server
  JBoss Enterprise Application Platform
  WildFly AS                             10.1, 11, 12
  IBM WebSphere

The web application container must be able to write to its own home directory, where AM stores configuration files.

2.6. Directory Server Requirements

This section lists supported directory servers.

As described in "Generic LDAPv3 Configuration Properties" in the Setup and Maintenance Guide, you can configure AM to use LDAPv3-compliant directory servers as user data stores. If you have a special request to deploy AM with a user data store not mentioned in the following table, contact

Supported Directory Servers
  Directory Server                             Versions
  Embedded Directory Services                  6.5
  External Directory Services/OpenDJ           3.0+
  Oracle Unified Directory                     11g R2
  Oracle Directory Server Enterprise Edition   11g
  Microsoft Active Directory                   2012 R2, 2016
  IBM Tivoli Directory Server                  6.3

The original table also marks, per directory server, which of the Configuration, Apps / Policies, CTS, Identities, and UMA stores it supports; those per-server marks did not survive extraction.

2.7. Supported Clients

The following table summarizes supported clients and their minimum required versions:

Supported Clients
  Client platforms:            Windows 8 or later [b], Mac OS X 10.11 or later, Ubuntu 14.04 LTS or later, iOS 9 or later, Android 6 or later
  Clients (minimum versions):  Native Apps [a], Chrome 62+, Internet Explorer 11+, Edge 25+, Firefox 57+, Safari 11+, Mobile Safari

The per-platform support marks of the original table did not survive extraction.

[a] Native Apps is a placeholder to indicate AM is not just a browser-based technology product. An example of a native app would be something written to use our REST APIs, such as the sample OAuth 2.0 Token Demo app.

[b] Windows 10 only.

2.8. Supported Upgrade Paths

The following table contains information about the supported upgrade paths to AM 6.5.1:

Upgrade Paths
  Version         Upgrade Supported?
  AM 6.5.x [a]
  AM 6.x [a]
  AM 5.x [a]
  OpenAM 13.x

[a] AM is incompatible with SSO session tokens from OpenAM.

Storage and processing of sessions changed in AM 5: CTS-based (stateful) and client-based (stateless) sessions created by earlier versions of OpenAM are not supported.

After upgrading from an earlier version, any existing SSO tokens created by that version will become invalid, and users will need to reauthenticate.

In mixed version deployments, earlier versions of OpenAM will not be able to read or process SSO session tokens created by AM 5 or later.

This incompatibility only affects SSO session tokens. OAuth 2.0 and OpenID Connect 1.0 tokens are interoperable between versions.


Upgrading between Enterprise and OEM versions is not supported.

For more information, see Checking your product versions are supported in the ForgeRock Knowledge Base.

2.9. Special Requests

If you have a special request regarding support for a combination not listed here, contact ForgeRock at

Chapter 3. Installing or Upgrading

This chapter covers installing and upgrading AM 6.5 software.

Before you install AM or upgrade your existing installation, read these release notes. Then, install or upgrade AM.

  • If you are installing AM for the first time, see the Installation Guide.

  • If you have already installed AM, see the Upgrade Guide.

    Do not perform an upgrade by deploying the new version and then importing an existing configuration by running the ssoadm import-svc-config command. Importing an outdated configuration can result in a corrupted installation.

Chapter 4. Changes and Deprecated Functionality

This chapter covers both major changes to existing functionality, and also deprecated and removed functionality.

4.1. Important Changes to Existing Functionality

This section lists changes made to existing functionality, services, endpoints, and others in the current release of AM.


AM is incompatible with SSO session tokens from OpenAM.

Storage and processing of sessions changed in AM 5: CTS-based (stateful) and client-based (stateless) sessions created by earlier versions of OpenAM are not supported.

After upgrading from an earlier version, any existing SSO tokens created by that version will become invalid, and users will need to reauthenticate.

In mixed version deployments, earlier versions of OpenAM will not be able to read or process SSO session tokens created by AM 5 or later.

This incompatibility only affects SSO session tokens. OAuth 2.0 and OpenID Connect 1.0 tokens are interoperable between versions.

Important Changes in AM 6.5.1
Important Changes in AM
Important Changes in AM 6.5
  • Web and Java Agents Earlier than 5.0.1 Not Supported

    AM 6.5 does not interoperate with web and Java agents earlier than 5.0.1.

  • Stored Device Recovery Codes are now One-way Encrypted

    AM 6.5 encrypts stored device recovery codes by default. This means they can only be shown to users a single time before they become encrypted, and therefore, unreadable.


    To prevent AM from encrypting existing device recovery codes you must add a Java property to your environment, BEFORE starting the container.

    For more information on device recovery code encryption, and how to disable encryption, see "To Prevent AM Encrypting Device Recovery Codes" in the Upgrade Guide.

  • Utils Class Containing SHA-1 Usage Moved

    The class org.forgerock.oauth2.core.Utils#getKid has moved to org.forgerock.openam.secrets.SecretsUtils#getStaticId in AM 6.5.

    This class may get flagged for SHA-1 usage in source code scans. However, reports of this particular use of SHA-1 can be safely ignored.

    For more information, see Security scan shows use of SHA-1 in Utils class in AM/OpenAM (All versions) in the Knowledge Base.

  • Naming Convention Changes on Documentation and UI

    Earlier versions of the AM documentation and the UI classify OAuth 2.0 and OpenID Connect 1.0 tokens as stateful when AM stores tokens in the CTS token store, and stateless when AM returns the token to the client.

    This naming convention is misleading. OAuth 2.0 services are stateless (no information regarding OAuth 2.0 is stored in the AM server memory), and any server in the AM deployment can satisfy any OAuth 2.0-related request.

    AM 6.5 removes the stateful/stateless naming convention and classifies tokens depending on where they are stored:

    • CTS-based tokens (previously referred to as stateful tokens)

    • Client-based tokens (previously referred to as stateless tokens)

  • Signing Methods for Social Authentication with IDM Incompatible with Earlier Versions

    The signing method used by AM 6.5 when performing social authentication with IDM 6.5 has changed, in order to support non-extractable HMAC keys from Hardware Security Modules (HSMs).

    The new signing method is not compatible with IDM 6, or earlier.

    If you have not upgraded to IDM 6.5, or later, enable the new Signing Compatibility Mode property in the IDM Provisioning service in order to use social authentication involving IDM successfully.

    For more information, see "IDM Provisioning" in the User Self-Service Guide.

  • The Amster Configuration Upgrader Utility is not Included in the AM 6.5 Release

    The tool could be used to upgrade configuration files exported by Amster for use in later versions.

    Follow the procedures in the Upgrade Guide to upgrade from previous versions to AM 6.5. Then, use Amster to export configuration files that are compatible with AM 6.5.

  • Data Stores Renamed to Identity Stores

    To differentiate the stores used for identities from those used for configuration, applications, or policies, the Data Stores label in the user interface has been renamed to Identity Stores.

  • Changes to the Prometheus Monitoring Interface

    In earlier versions of AM, Prometheus had to authenticate with a username and a password when accessing the monitoring endpoint. AM 6.5 allows you to configure the monitoring interface such that Prometheus can access the endpoint without authenticating.

    For more information, see "Prometheus Monitoring" in the Setup and Maintenance Guide.

  • Oracle WebLogic Required Packages Now Included by Default

    In earlier versions of AM, Bouncy Castle and Jackson packages needed to be added to the weblogic.xml file in order to deploy AM successfully in Oracle WebLogic.

    This step is no longer required, as the packages are included by default.

    For more information, see "Preparing Oracle WebLogic" in the Installation Guide.

  • Changes to the activity.audit.json Log File

    In earlier versions of AM, the activity.audit.json log file only captured session changes. AM 6.5 captures session, user profile, and device profile changes in the logs.

    For more information, see "Audit Log Topics" in the Setup and Maintenance Guide.

  • UI Source Paths Changed

    In earlier versions of AM, the source code of the UI pages was under openam-ui-ria/src/main. AM 6.5 removes the main directory.

    For more information about the new paths, see "Customizing the XUI" in the UI Customization Guide.

4.2. Deprecated Functionality

Functionality listed under this section has been deprecated and will be removed in a future release of AM.

Deprecated Functionality in AM 6.5.1
Deprecated Functionality in AM
Deprecated Functionality in AM 6.5
  • SAML 1.0 Deprecated

    SAML 1.0 functionality is deprecated in AM 6.5, and will be removed in a future version.

4.3. Removed Functionality

Functionality listed under this section has been removed from AM.

Removed Functionality in AM 6.5.1
  • No features or functionality have been removed in this release.

Removed Functionality in AM
  • No features or functionality have been removed in this release.

Removed Functionality in AM 6.5
  • No features or functionality have been removed in this release.

Chapter 5. Fixes, Limitations, and Known Issues

This chapter covers the status of key issues and limitations at release 6.5.

5.1. Fixed Issues

The following important bugs were fixed in this release:

Key Fixes in AM 6.5.1
  • OPENAM-5867: Data Store LDAP server (admin-ordered) list is reordered by OpenAM

  • OPENAM-10127: SessionMonitoringStore should only be instantiated when monitoring is enabled

  • OPENAM-11523: Using the LDAP/AD auth module, the change password on next login, if current password is empty it displays the wrong error message

  • OPENAM-11863: CORSFilter position in web.xml should come before most filters

  • OPENAM-12186: Introspect endpoint for RPT does not check the authorization scheme

  • OPENAM-12498: Authorization Grant response returns scope(s) in the URL

  • OPENAM-12620: Add more data to Scripted Node Decision binding

  • OPENAM-12627: Initiating TransactionConditionAdvice with a wrong credential resulting in a non-error response

  • OPENAM-12937: Soap STS creation fails when OpenIDConnect token config required

  • OPENAM-12955: Resource Owner Password Credentials Grant does not work with trees

  • OPENAM-12965: httpClient not exposed to OIDC Claim Script

  • OPENAM-13000: Custom authentication module with a single ChoiceCallback value is processed without confirmation

  • OPENAM-13088: Add option for isInitiator=false to WDSSO configuration

  • OPENAM-13217: make transient state available to scripted node type

  • OPENAM-13324: /users/{user}/devices/trusted REST queryFilter expression does not work and acts as "true"

  • OPENAM-13446: Social Auth Service doesn't redirect if already using another chain

  • OPENAM-13651: Client registration does not support auth method of "none"

  • OPENAM-13720: Public API method LDAPUtils.convertToLDAPURLs can not handle IPv6 literals

  • OPENAM-13851: Rest STS cannot be created in the Console when upgrading to 6

  • OPENAM-13861: Social Authentication Tree does not complete its flow with ForceAuth parameter

  • OPENAM-13892: Erroneous "Response's InResponseTo attribute is not valid error "SAML2 failover is enabled" when it is not

  • OPENAM-13896: Comparison method violates its general contract! seen during amster import

  • OPENAM-13900: OAuth2 Device flow - duplicate user_code error after authenticating user

  • OPENAM-13940: Session quota limits not applied when using trees

  • OPENAM-13941: OAuth2 Provider's ID Token Algs lists PS384 algorithm as PS284

  • OPENAM-13978: Session Upgrade - AuthLevel format changes

  • OPENAM-13991: 'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm

  • OPENAM-14004: AM should support agents deployed to the root context (/), not just /openam

  • OPENAM-14009: Authtree does not proceed for missing Authorization Header

  • OPENAM-14032: In Social authentication nodes and Message node is not possible to change value of attribute maps or dictionaries

  • OPENAM-14040: LdifUtils debug logging prints out wrong classname

  • OPENAM-14049: Amster export failure

  • OPENAM-14050: LDAP should reestablish connection to the orignal server after it has recovered

  • OPENAM-14053: Cannot build openam-ui in Windows for Yarn using mvn

  • OPENAM-14058: Cannot create Elasticsearch audit handler configuration through admin console UI

  • OPENAM-14062: Redirect to Failure URL does not occur when authentication tree is not interactive

  • OPENAM-14068: The new Policy and Application Stores only support a single target connection address

  • OPENAM-14078: RetryTask can block notification processing for an extended period of time

  • OPENAM-14080: LDAP Decision Node returns incorrect user attribute to search for in user store

  • OPENAM-14082: Authentication Chains will not open using IE11

  • OPENAM-14092: Custom node can prevent all default nodes appearing in admin view

  • OPENAM-14111: Refresh Token flow not enabled on OAuth2 Client can still use Refresh Token flow

  • OPENAM-14115: Sample Auth module does not work in a chain when used with Shared-state

  • OPENAM-14147: arg=newsession in XUI shows only the "Loading..." page

  • OPENAM-14165: ThemeConfiguration is Not Exposed in Final UI Production Build

  • OPENAM-14167: HTML tags are shown as part of the messages in the Change Password section of the AD Authentication module

  • OPENAM-14169: XUI does not update for a new PollingWaitCallback

  • OPENAM-14172: Amster Export - Persistent cookie Keystore Mapping inconsistency after upgrade to 6.5.0

  • OPENAM-14174: AM shows Ldapter.delete exception when session expiry is triggered

  • OPENAM-14175: CTS updates on multivalue attributes may throw Duplicate values exception

  • OPENAM-14183: Cannot change amadmin's password through XUI

  • OPENAM-14189: effectiveRange of the Time environment condition has an issue

  • OPENAM-14200: Social auth modules do not work when AM is installed into the root context

  • OPENAM-14205: PageNodes property panel only appears for new PageNodes.

  • OPENAM-14210: Unable to delete a PageNode that has child nodes

  • OPENAM-14212: SAML redirect to login page fails if AM installed into the root context

  • OPENAM-14222: Amster fails exporting Secret Store Mappings in sub-realms

  • OPENAM-14232: Performance issue when creating resource_set in UMA with many existing resource_set

  • OPENAM-14233: updated_at claim in the ID Token is returned as a string and not a number

  • OPENAM-14235: mTLS drop-down labels do not match the value (or the spec)

  • OPENAM-14255: Help text in OAuth 2.0 client "mTLS Self-Signed Certificate" property needs encoding?

  • OPENAM-14270: SocialOpenIdConnectNodeTest does not compile

  • OPENAM-14281: IdP Proxy relays wrong AuthnContextClassRef

  • OPENAM-14307: ConcurrentModificationException when creating resource_set

  • OPENAM-14308: LDAP Connection Pool Minimum Size for Identity Store missing from XUI

  • OPENAM-14369: Upgrading from OpenAM 13.5.0 to AM with custom PAPs causes NPE failure

  • OPENAM-14374: Success login URL via trees redirects to profile when already authenticated

  • OPENAM-14378: 'Set Persistent Cookie' node sets domain cookies in only one domain despite multiple Cookie Domains set

  • OPENAM-14384: Allow metadata to be returned in authentication tree API responses

  • OPENAM-14386: JWK keyuse can be customised

  • OPENAM-14387: Dynamic registration PUT is not implemented

  • OPENAM-14393: CTS operation fails with "Entry Already Exists" logged when SAML2 authentication is done

  • OPENAM-14394: Customise the JWK KIDs

  • OPENAM-14425: JwkSetSecretStore does not reload the SecretStore when it has expired

  • OPENAM-14426: Unable to add external data store in AM (Policy | Application) when using TLS or SSL

  • OPENAM-14427: Certificate Module with option "Match Certificate in LDAP" does not work in AM 6.5.0

  • OPENAM-14450: userinfo typo in

  • OPENAM-14465: SAML2 Artifact binding fails on multi-instance / multiserver IDP setup with SAML2 Failover on

  • OPENAM-14471: Failed to create root realm for data store (External Policy | Application)

  • OPENAM-14505: Agent sessions are constrained by Session Quota

  • OPENAM-14509: When a user is marked as inactive, they can still perform introspect and tokeninfo endpoint requests

  • OPENAM-14516: Attempt to resolve a named secret containing a `:` character on Windows fails if the filesystem secret store is involved

  • OPENAM-14529: UMA RPT expiry time incorrect in CTS

  • OPENAM-14546: SSOADM access not audited to the ssoadm.access logs anymore

  • OPENAM-14573: amlbcookie is not secure when authenticating with trees

  • OPENAM-14660: Error in console and unable to Add/Edit/Delete Security Questions for a user via XUI

  • OPENAM-14669: ssoadm does not install using Java 1.8.192 and above

  • OPENAM-14675: Error output in Configuration debug log when creating new realm

Key Fixes in AM
  • OPENAM-12498: Authorization Grant response returns scope(s) in the URL

  • OPENAM-12965: httpClient not exposed to OIDC Claim Script

  • OPENAM-13446: Social Auth Service doesn't redirect if already using another chain

  • OPENAM-13720: Public API method LDAPUtils.convertToLDAPURLs cannot handle IPv6 literals

  • OPENAM-13900: OAuth2 Device flow - duplicate user_code error after authenticating user

  • OPENAM-13940: Session quota limits not applied when using trees

  • OPENAM-13991: 'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm

  • OPENAM-14049: Amster export failure

  • OPENAM-14053: Cannot build openam-ui in Windows for Yarn using mvn

  • OPENAM-14058: Cannot create Elasticsearch audit handler configuration through admin console UI

  • OPENAM-14080: LDAP Decision Node returns incorrect user attribute to search for in user store

  • OPENAM-14092: Custom node can prevent all default nodes appearing in admin view

  • OPENAM-14165: ThemeConfiguration is Not Exposed in Final UI Production Build

Key Fixes in AM 6.5
  • OPENAM-13842: OAuth 2.0 Device flow - can no longer use user_code more than once.

  • OPENAM-13786: REST policy evaluation throws 500 Internal Error due to stateless ssotoken encryption alg conflict.

  • OPENAM-13774: SOAP STS for Delegation RelationShip Supported is always false on XUI.

  • OPENAM-13732: Session Remaining Time is displayed with more precision and not rounded up.

  • OPENAM-13712: Unknown Signing Algorithm when Client Based Session set Signing to NONE.

  • OPENAM-13670: Selfservice password reset token doesn't work in site due to OPENAM-6426.

  • OPENAM-13604: IdP Proxy relays wrong AuthnContextClassRef if the AuthLevel requested by the SP is not 0.

  • OPENAM-13577: The xmlsec 2.1.1.jar had issues when linebreaks were enabled.

  • OPENAM-13573: Concurrent changePassword requests to LDAPAuthUtils may cause "insufficient access rights" failures.

  • OPENAM-13531: LDAP Decision node removed username from shared state when it is not found.

  • OPENAM-13530: Datastore Decision node removed username from shared state when it is not found.

  • OPENAM-13511: DN Cache should be cleared after idRepo config change.

  • OPENAM-13496: Unable to view Services when some services have invalid attribute.

  • OPENAM-13481: Stateless OAuth 2.0 Client_credential grant/implicit type has long CTS token timeout.

  • OPENAM-13457: AM XUI favicon icon not being recognised.

  • OPENAM-13456: AM XUI custom FooterTemplate.html and LoginHeaderTemplate.html was not being applied.

  • OPENAM-13414: Upgrade fails if OAuth2 Provider service lacks tokenSigningHmacSharedSecret.

  • OPENAM-13407: AMIdentitySubject.isMember should not check privilege for group in different realm.

  • OPENAM-13359: P11RSAPrivateKey failed RSA key check.

  • OPENAM-13318: Blank passwords using PageNode Auth Tree prevents log in.

  • OPENAM-13316: LDAP Decision Node does not return Inactive Account result correctly in eDirectory.

  • OPENAM-13308: LdapDecisionNode fails when Return UserDN to Datastore is set to false.

  • OPENAM-13302: AM Self-registration kba threw an error when a user inputs an answer and pressed the enter key.

  • OPENAM-13291: Create Identities Page appears broken after upgrade from 5.5 (to 6.0 or 6.5).

  • OPENAM-13255: DefaultIDPAccountMapper does not append domain value for UPN.

  • OPENAM-13249: AM did not recognize custom templates and partials.

  • OPENAM-13183: Concurrent changePassword requests to the "users" REST endpoint caused "insufficient access rights" failures.

  • OPENAM-13162: Policy evaluation returned 403 with expired stateless app token.

  • OPENAM-13154: Lockout Duration Multiplier had no effect.

  • OPENAM-13151: OAuth 2.0 Dynamic Registration did not accept Private-Use URI (for native apps) as redirect_uri.

  • OPENAM-13128: Invalid error message was returned when user with expired password authenticated with persistent cookie module.

  • OPENAM-13112: The showServerConfig.jsp page threw a NullPointerException (NPE) when accessed using the Site or LB URL.

  • OPENAM-13100: LDAP Decision node fails with NPE when used with Active Directory.

  • OPENAM-13087: ClassNotFound Exception thrown after upgrade.

  • OPENAM-13085: WSFederation Active Request Profile authentication request hangs on input-less scripted modules.

  • OPENAM-13082: The address claim in the default OIDC claims script was output in a non-spec-compliant format.

  • OPENAM-13080: Resource owners sharing resources to themselves caused an error message.

  • OPENAM-13079: Importing SAML2 MetaData for RoleDescriptor for AttributeQueryDescriptor failed.

  • OPENAM-13075: Incorrect message displayed when resource is being shared.

  • OPENAM-13072: Case-sensitive usernames resulted in listing UMA resource incorrectly.

  • OPENAM-13053: ScriptingService did not add the new values to whitelist during upgrade.

  • OPENAM-12997: Consent for default scopes was not saved.

  • OPENAM-12985: Debug log files were swamped with message 'LDAPUtils.isDN: Invalid DN' in 'error' level.

  • OPENAM-12984: Access Token Endpoint issued search request against datastore for OAuth Client.

  • OPENAM-12867: IdP-Proxy - Single Logout failed as LogoutResponse was not signed.

  • OPENAM-12866: Subsequent idpSSOInit calls after the first will fail if custom IDPAdapter forces auth step up.

  • OPENAM-12856: User authentication configuration not migrated to XUI.

  • OPENAM-12847: Public API broken - SSOTokenManager.getValidSessions(SSOToken requester, String server).

  • OPENAM-12801: OAuth 2.0 token signing forced PKCS#11 keys to have specific attributes.

  • OPENAM-12784: ProviderConfiguration was not spec compliant.

  • OPENAM-12770: Some SAML assertions were not deserialized from a SAML2 Token.

  • OPENAM-12690: XUI theme configuration realm mapping was case sensitive.

  • OPENAM-12625: JWT OIDC Token could not be valid for over 86400 seconds.

  • OPENAM-12514: IdP initiated SSO - NumberFormatException was raised in session upgrade case.

  • OPENAM-12506: Upgrade could fail with RemoveReferralsStep having too broad base DN.

  • OPENAM-12419: Policy rules not updated when external configuration store connection restarted.

  • OPENAM-12403: LDAP response controls are not logged which complicates troubleshooting.

  • OPENAM-12401: DJLDAPv3Repo - insufficient debug logging to troubleshoot membership issues.

  • OPENAM-12301: Account lockout logs ERROR: ISAccountLockout.getAcInfo: acInfo: null.

  • OPENAM-12293: Audit logging no longer logs REST operation details.

  • OPENAM-12209: The 'acr' and 'acr_sig' parameters can become duplicated during step-up authn, should not be present in url.

  • OPENAM-12174: XUI - Deleting a built-in authentication module will delete any other created by it.

  • OPENAM-12096: API explorer example for PUT on /global-config/services/scripting/contexts/{contexts}/engineConfiguration fails.

  • OPENAM-11962: Calling Logout and passing a goto URL parameter with an expired session, goto URL is ignored.

  • OPENAM-11665: Unable to login in XUI with users endpoint getting 404 due to KBA attribute issues.

  • OPENAM-11642: CustomProperties do not work when creating J2EE/Web Agents via REST.

  • OPENAM-11473: NumberFormatException on startup for External configuration setup.

  • OPENAM-11407: An extra space in the CTS store connection string "" caused OpenDJ-SDK log to grow.

  • OPENAM-11355: Missing Service tab when trying to configure dashboard with Active Directory datastore.

  • OPENAM-11225: During single logout idpSingleLogoutRedirect threw 500 error.

  • OPENAM-11177: Scripted auth module can not be used in auth chain if the username in shared state map does not 'match' the search attribute of the data store.

  • OPENAM-11167: <ActualLockoutDuration> is not updated in the attribute sunStoreInvalidAttemptsData.

  • OPENAM-11048: account lockout did not work when naming attribute and LDAP Users Search Attribute are different.

  • OPENAM-10467: RFC7662: oauth2/introspect returned token_type not as Bearer.

  • OPENAM-10296: Session UI only allows searching for users in datastore.

  • OPENAM-9783: The json/users changePassword option returned the wrong error message with multiple datastores configured.

  • OPENAM-8296: OAuth 2.0 consent screen does not use XUI theme configuration.

  • OPENAM-4040: SSO failed between SPs in separate CoTs with same hosted IDP.

5.2. Limitations

Limitations in AM 6.5.1
Limitations in AM
Limitations in AM 6.5

The following limitations and workarounds apply to AM 6.5:

  • Web Authentication (WebAuthn) Limitations

    AM 6.5 does not support the following functionality as described in the Web Authentication specification:


    For more information about Web Authentication, see "About Web Authentication (WebAuthn)" in the Authentication and Single Sign-On Guide.

  • RADIUS Service Only Supports Commons Audit Logging. The new RADIUS service only supports the new Commons Audit Logging, available in this release. The RADIUS service cannot use the older Logging Service, available in releases prior to OpenAM 13.0.0.

  • Administration Console Access Requires the Realm Admin privilege

    In this version of AM, administrators can use the AM console as follows:

    • Delegated administrators with the Realm Admin privilege can access full AM console functionality within the realms they can administer. In addition, delegated administrators in the Top Level Realm who have this privilege can access AM's global configuration.

    • Administrators with lesser privileges, such as the Policy Admin privilege, can not access the AM administration console.

    • The top-level administrator, such as amadmin, has access to full AM console functionality in all realms and can access AM's global configuration.

5.3. Known Issues

The following important known issues remained open at the time release 6.5 became available. For details and information on other issues, see the issue tracker.

Known Issues in AM 6.5.1
  • OPENAM-13905: XUI Authentication - Switching realms is not possible

  • OPENAM-14666: XUI - InternalError: "too much recursion" error can appear when Adding/Viewing/Updating realms

Known Issues in AM
Known Issues in AM 6.5
  • ssoadm May Not Work with JDK 11 or JDK 1.8.0_192+

    In AM 6.5, ssoadm may not work with JDK 11 or JDK 1.8.0_192+ when AM is installed with DS in production mode or DS with restricted or strong ciphers.

    The workaround is to upgrade your AM deployment and tools to AM 6.5.1.

  • Passwordless OAuth 2.0 Public Clients cannot choose none as Client Authentication Method

    As per RFC 7591, passwordless public clients should be able to choose none as their client authentication method.

    At present, AM does not allow registering passwordless public clients with the none authentication method.

    As a workaround, select the client_secret_post client authentication method when registering the client, but omit the password parameters when calling the endpoints. For example, do not use the client_secret parameter.

  • Using the Documented CORS Filter With IDM Integration Causes Errors

    When configuring IDM to delegate authentication to AM, as described in the IDM Samples Guide, you must configure AM with a cross-origin resource sharing (CORS) filter.

    However, when you use a CORS filter based on the org.forgerock.openam.cors.CORSFilter filter class, Unexpected End of JSON Input errors occur.

    To work around the problem, configure AM's web.xml file as described in "Enabling CORS Support" in the Installation Guide, but use a CORS filter specific to the AM web container instead of using a filter based on the org.forgerock.openam.cors.CORSFilter filter class. For example, for Apache Tomcat, use a filter based on the org.apache.catalina.filters.CorsFilter filter class:

    • Add a filter clause similar to the following to the web.xml file, making sure to specify the correct URLs for your deployment in the parameter:

    • Add the following filter-mapping clause to the web.xml file:
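    The two web.xml clauses the workaround refers to, shown here as an added example built on Tomcat's org.apache.catalina.filters.CorsFilter (this is not the release notes' own configuration); the IDM origin, the header list and the /json/* mapping are assumptions to replace with your deployment's values:

```xml
<!-- Added example, not the release notes' own configuration. The origin,
     header list and url-pattern below are assumptions for a hypothetical
     deployment in which IDM at https://idm.example.com:8443 calls AM. -->
<filter>
  <filter-name>CORSFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <!-- List the exact calling origin(s); do not use * when credentials
         are allowed, or any site could make credentialed requests to AM. -->
    <param-name>cors.allowed.origins</param-name>
    <param-value>https://idm.example.com:8443</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,PUT,PATCH,DELETE,OPTIONS</param-value>
  </init-param>
  <init-param>
    <!-- Request headers the AM REST endpoints expect from the client -->
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,Accept-API-Version,Authorization,Cache-Control,If-Match,If-None-Match,iPlanetDirectoryPro,X-OpenAM-Username,X-OpenAM-Password,X-Requested-With</param-value>
  </init-param>
  <init-param>
    <param-name>cors.exposed.headers</param-name>
    <param-value>WWW-Authenticate</param-value>
  </init-param>
  <init-param>
    <!-- Needed so the session cookie travels with cross-origin requests -->
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <!-- Seconds a browser may cache the preflight response -->
    <param-name>cors.preflight.maxage</param-name>
    <param-value>10</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CORSFilter</filter-name>
  <url-pattern>/json/*</url-pattern>
</filter-mapping>
```

    Keeping cors.allowed.origins to the explicit IDM origin means the filter only reflects that origin in Access-Control-Allow-Origin while credentials are permitted; widen the list only for origins that genuinely need to call AM.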

  • Large Numbers of Policies in a Policy Set Cause Errors if Unindexed

    If you have large numbers of policies in a policy set, ensure that the directory server has an index on the sunxmlKeyValue attribute.

    This index is created by default if you create an external DS instance by using the setup profiles feature. See "Preparing Policy and Application Stores" in the Installation Guide.

    If you did not use the setup profile feature to create the external DS instance, create an equality and substring index on the sunxmlKeyValue attribute. For example:

    $ ./dsconfig \
     create-backend-index \
     --hostname \
     --port 4444 \
     --bindDN "cn=Directory Manager" \
     --bindPassword "str0ngEx4mplePa55word" \
     --backend-name userRoot \
     --index-name sunxmlKeyValue \
     --set index-type:equality \
     --set index-type:substring \
     --trustAll \

    You will need to rebuild the indexes after adding additional attributes. For more information on creating indexes on attributes, and rebuilding indexes, see Indexing Attribute Values in the Directory Services Administration Guide.

  • Cached JavaScript Files from OpenAM 12.0.0 May Cause Redirect to undefined:8080

    If you configure an OpenAM 12.0.0 instance with long-lived cache times for the /XUI/index.html file, you may experience unexpected redirects to undefined:8080 after upgrading.

    To work around this issue, in your chosen web container, or proxy server, reconfigure the cache time for the /XUI/index.html file to be short-lived, for example, 5 minutes. Allow enough time that cached files with the long-lived cache time will have expired before upgrading.


    This issue does not affect upgrades from OpenAM 12.0.1 or later. OpenAM 12.0.1 and later set a short-lived cache-control header on UI files to work around the problem of having stale files cached locally.

  • OAuth2 Scopes Behavior Affected by Upgrade

    After an upgrade from OpenAM 12.0.x, OAuth v2.0 scope behavior uses a deprecated implementation class, org.forgerock.openam.oauth2.provider.impl.ScopeImpl.

    The workaround is to manually update the OAuth v2.0 providers to use the org.forgerock.openam.oauth2.OpenAMScopeValidator.

    For background information, see OPENAM-6319.

  • Supported ID Token Algorithms and Methods not Updated After Upgrade

    AM 5 added additional algorithms and methods for encrypting ID tokens. Performing an upgrade from OpenAM 13.5 does not add these new values to the affected properties.

    After upgrade, navigate to Realm Name > Services > OAuth2 Provider > OpenID Connect, and manually update the ID Token Encryption Algorithms supported and ID Token Encryption Methods supported properties.

    For more information on the available algorithms and methods, see "Encrypting OpenID Connect ID Tokens" in the OpenID Connect 1.0 Guide.

  • User Interface Not Localized if Locale Parameter Follows Fragment in URL

    The XUI user-facing pages are not localized if the locale parameter appears after the fragment in the URL.

    To ensure correct localization of user-facing pages, ensure the fragment appears at the end of the URL. For example:

    For more information, see "Authenticating Using the XUI" in the Authentication and Single Sign-On Guide.

  • OPENAM-13905: XUI Authentication - Switching realms is not possible.

  • OPENAM-13904: Authentication by using the REST API - Switching realms is not possible.

  • OPENAM-13583: OAuth 2.0 Node Redirect URL does not work.

  • OPENAM-13486: AM Upgrade fails on opendj_remove_session_listener_on_all_sessions.

  • OPENAM-13428: EntitlementException not passed to PLL or JSON policy layer.

  • OPENAM-9098: Changes in do not take effect immediately.

  • OPENAM-3285: OpenID Connect authorization response is not returning required session_state.

Chapter 6. Documentation Updates

The following table tracks changes to the documentation set following the release of AM 6.5:

Documentation Change Log

Initial release of AM 6.5.1. The following documentation updates were made for this release:

  • Added missing release note for 6.5.0 regarding a change to the paths of the source code of the UI. For more information, see Important Changes in AM 6.5.

  • Added support for audit logging to a PostgreSQL database. For more information, see "Implementing JDBC Audit Event Handlers" in the Setup and Maintenance Guide.

  • Added how to validate CSV logs configured for the detection of tampering. For more information, see "Configuring CSV Audit Event Handlers" in the Setup and Maintenance Guide.

Initial release of AM

Initial release of AM 6.5. The following documentation updates were made for this release:

  • Added new Authentication Node Development Guide.

  • Duplicated scripting API documentation to the Development Guide.

Appendix A. Release Levels and Interface Stability

This appendix includes ForgeRock definitions for product release levels and interface stability.

A.1. ForgeRock Product Release Levels

ForgeRock defines Major, Minor, Maintenance, and Patch product release levels. The release level is reflected in the version number. The release level tells you what sort of compatibility changes to expect.

Release Level Definitions

Release Label: Major
Version Numbers: x[.0.0] (trailing 0s are optional)
Characteristics:

  • Bring major new features, minor features, and bug fixes

  • Can include changes even to Stable interfaces

  • Can remove previously Deprecated functionality, and in rare cases remove Evolving functionality that has not been explicitly Deprecated

  • Include changes present in previous Minor and Maintenance releases

Release Label: Minor
Version Numbers: x.y[.0] (trailing 0s are optional)
Characteristics:

  • Bring minor features, and bug fixes

  • Can include backwards-compatible changes to Stable interfaces in the same Major release, and incompatible changes to Evolving interfaces

  • Can remove previously Deprecated functionality

  • Include changes present in previous Minor and Maintenance releases

Release Label: Maintenance, Patch
Version Numbers: x.y.z[.p] (the optional .p reflects a Patch version)
Characteristics:

  • Bring bug fixes

  • Are intended to be fully compatible with previous versions from the same Minor release

A.2. ForgeRock Product Interface Stability

ForgeRock products support many protocols, APIs, GUIs, and command-line interfaces. Some of these interfaces are standard and very stable. Others offer new functionality that is continuing to evolve.

ForgeRock acknowledges that you invest in these interfaces, and therefore must know when and how ForgeRock expects them to change. For that reason, ForgeRock defines interface stability labels and uses these definitions in ForgeRock products.

Interface Stability Definitions

Stable

This documented interface is expected to undergo backwards-compatible changes only for major releases. Changes may be announced at least one minor release before they take effect.

Evolving

This documented interface is continuing to evolve and so is expected to change, potentially in backwards-incompatible ways even in a minor release. Changes are documented at the time of product release.

While new protocols and APIs are still in the process of standardization, they are Evolving. This applies for example to recent Internet-Draft implementations, and also to newly developed functionality.

Deprecated

This interface is deprecated and likely to be removed in a future release. For previously stable interfaces, the change was likely announced in a previous release. Deprecated interfaces will be removed from ForgeRock products.

Removed

This interface was deprecated in a previous release and has now been removed from the product.

Technology Preview

Technology previews provide access to new features built on evolving technology that is not yet supported. Technology preview features may be functionally incomplete, and the function as implemented is subject to change without notice. DO NOT DEPLOY A TECHNOLOGY PREVIEW INTO A PRODUCTION ENVIRONMENT.

Customers are encouraged to test drive the technology preview features in a non-production environment and are welcome to make comments and suggestions about the features in the associated forums.

ForgeRock does not guarantee that a technology preview feature will be present in future releases; the final complete version of the feature is liable to change between preview and the final version. Once a technology preview moves into the completed version, said feature will become part of the ForgeRock platform. Technology previews are provided on an “AS-IS” basis for evaluation purposes only and ForgeRock accepts no liability or obligations for the use thereof.

Internal/Undocumented

Internal and undocumented interfaces can change without notice. If you depend on one of these interfaces, contact ForgeRock support or email to discuss your needs.

Appendix B. Getting Support

For more information or resources about AM and ForgeRock Support, see the following sections:

B.1. Accessing Documentation Online

ForgeRock publishes comprehensive documentation online:

  • The ForgeRock Knowledge Base offers a large and increasing number of up-to-date, practical articles that help you deploy and manage ForgeRock software.

    While many articles are visible to community members, ForgeRock customers have access to much more, including advanced information for customers using ForgeRock software in a mission-critical capacity.

  • ForgeRock product documentation, such as this document, aims to be technically accurate and complete with respect to the software documented. It is visible to everyone and covers all product features and examples of how to use them.

B.2. Using the Site

The site has links to source code for ForgeRock open source software, as well as links to the ForgeRock forums and technical blogs.

If you are a ForgeRock customer, raise a support ticket instead of using the forums. ForgeRock support professionals will get in touch to help you.

B.3. Getting Support and Contacting ForgeRock

ForgeRock provides support services, professional services, training through ForgeRock University, and partner services to assist you in setting up and maintaining your deployments. For a general overview of these services, see

ForgeRock has staff members around the globe who support our international customers and partners. For details, visit, or send an email to ForgeRock at
