Notes covering new features, fixes and known issues in ForgeRock® Access Management. ForgeRock Access Management provides authentication, authorization, entitlement, and federation software.

Preface

Read these release notes before you install ForgeRock Access Management or update your existing installation.

These release notes cover prerequisites for installation, known issues and improvements to the software, changes and deprecated functionality, and other important information.

About ForgeRock Identity Platform™ Software

ForgeRock Identity Platform™ serves as the basis for our simple and comprehensive Identity and Access Management solution. We help our customers deepen their relationships with their customers, and improve the productivity and connectivity of their employees and partners. For more information about ForgeRock and about the platform, see https://www.forgerock.com.

Chapter 1. What's New

This chapter covers the new features and improvements done in the current release of ForgeRock Access Management.

1.1. Patch Bundle Releases

ForgeRock patch bundle releases contain a collection of fixes and minor RFEs that have been grouped together and released as part of our commitment to support our customers. For general information on ForgeRock's maintenance and patch releases, see Maintenance and Patch Availability Policy.

AM 6.5.2.1
  • AM 6.5.2.1 is the latest patch bundle release targeted for AM 6.5.2 deployments and can be downloaded from the ForgeRock Backstage website. To view the list of fixes in this release, see Key Fixes in AM 6.5.2.1.

    You can install this release as a new deployment or upgrade an existing 6.5.2 deployment to it; see "Supported Upgrade Paths". AM 6.5.2 is available for download at the ForgeRock Backstage website: AM 6.5.2.

1.2. New Features

What's New in AM 6.5.2.1
  • There are no new features in this release.

What's New in AM 6.5.2
  • Added Support for the JWT Profile for OAuth 2.0 Authorization Grant

    AM 6.5.2 adds support for the JWT profile for OAuth 2.0 Authorization Grant, defined in the RFC 7523 specification.

    As part of this feature, AM includes a new agent of the type Trusted JWT Issuer.

    For more information, see "JWT Profile for OAuth 2.0 Authorization Grant" in the OAuth 2.0 Guide.
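    The checks an authorization server must make on an RFC 7523 assertion before exchanging it for a token, written out as an added example. This is not AM code and does not show how the Trusted JWT Issuer agent is implemented; it assumes an HS256 shared secret so that it runs stand-alone (a real trusted issuer would normally be verified with its public key), and the issuer id, token endpoint URL, subjects and secret are constructed sample data.

```python
"""Added example, not AM code: issue and validate an RFC 7523 JWT bearer
assertion the way an authorization server's trusted-issuer check must.

Assumptions (not from the release notes): HS256 with a shared secret keeps the
example stand-alone; a real Trusted JWT Issuer would normally be verified with
the issuer's public key. The issuer id, token endpoint URL, subjects and secret
are constructed sample data.
"""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://am.example.com/am/oauth2/realms/root/access_token"  # hypothetical
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

# Trusted issuer registry: issuer -> (verification key, subjects it may assert).
TRUSTED_ISSUERS = {
    "https://hr-app.example.com": (b"constructed-demo-secret-do-not-reuse", {"alice", "bob"}),
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(issuer: str, subject: str, secret: bytes, lifetime: int = 60, now=None) -> str:
    """Build the compact JWS the client sends; carries the claims RFC 7523 section 3 requires."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": issuer, "sub": subject, "aud": TOKEN_ENDPOINT,
        "iat": now, "exp": now + lifetime,
        "jti": _b64url(hashlib.sha256(f"{issuer}|{subject}|{now}".encode()).digest()[:16]),
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def validate_assertion(assertion: str, now=None, seen_jti=None) -> dict:
    """Return the claims if the assertion is acceptable, otherwise raise ValueError.

    Order matters: the issuer is resolved first so the signature is checked with
    *that* issuer's key, and the algorithm is pinned rather than read from the
    token (so "alg":"none" or a swapped algorithm is rejected outright).
    """
    now = time.time() if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = assertion.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("malformed assertion") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed assertion")
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    issuer = claims.get("iss")
    if issuer not in TRUSTED_ISSUERS:
        raise ValueError("untrusted issuer")
    key, allowed_subjects = TRUSTED_ISSUERS[issuer]
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    aud = claims.get("aud")
    if TOKEN_ENDPOINT not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("expired")
    if claims.get("sub") not in allowed_subjects:
        raise ValueError("subject not permitted for issuer")
    if seen_jti is not None:                      # optional replay cache
        if claims.get("jti") in seen_jti:
            raise ValueError("replayed assertion")
        seen_jti.add(claims.get("jti"))
    return claims


def token_request_body(assertion: str, scope: str = "openid profile") -> str:
    """Form body the client posts to the token endpoint (RFC 7523 section 2.1)."""
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion, "scope": scope})
```

    The point of the ordering is that every check after the issuer lookup is made with that issuer's key and that issuer's allowed subjects, so a valid assertion from one trusted issuer cannot be used to assert a subject that only another issuer may vouch for.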

  • Added OAuth 2.0 Access Token Modification Scripts

    AM 6.5.2 adds support for scripting the modification of issued OAuth 2.0 access tokens. You can add properties to the access token, for example, values taken from the resource owner's profile, such as telephone number or email address.

    For more information, see "Modifying Access Token Content Using Scripts" in the OAuth 2.0 Guide.

  • Added OpenID Connect Client Initiated Backchannel Authentication (CIBA) Support

    AM 6.5.2 introduces support for OpenID Connect Client Initiated Backchannel Authentication (CIBA) that allows a client application, known as the consumption device, to obtain authentication and consent from a user without requiring the user to interact with it directly. The user authenticates and consents to the operation using a separate "decoupled" device, known as the authentication device, such as an authenticator application or a mobile banking application on their mobile phone.

    For more information, see "Backchannel Request Grant" in the OpenID Connect 1.0 Guide
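    The decoupled exchange described above, as an added example rather than AM code: an in-memory authorization server stands in for AM's backchannel authentication and token endpoints, and a consumption device polls it until the user decides on the authentication device. The client_id, login_hint, scopes and clock values are constructed; the error codes (authorization_pending, slow_down, expired_token, access_denied) are the ones the CIBA specification defines and a client has to handle.

```python
"""Added example, not AM code: the poll-mode CIBA exchange between a consumption
device (the client), the authorization server, and the user's authentication
device, including the authorization_pending, slow_down, expired_token and
access_denied outcomes the client has to handle.

An in-memory AuthorizationServer stands in for the AM endpoints; client_id,
login_hint, scopes and the fake clock values are constructed for the example.
"""
import secrets

CIBA_GRANT = "urn:openid:params:grant-type:ciba"


class AuthorizationServer:
    def __init__(self, interval: int = 5, expires_in: int = 120):
        self.interval = interval          # minimum seconds between polls
        self.expires_in = expires_in      # lifetime of an auth_req_id
        self.requests = {}                # auth_req_id -> pending request state

    def backchannel_authentication(self, client_id: str, scope: str, login_hint: str, now: float) -> dict:
        """Step 1: the consumption device asks the AS to authenticate login_hint out of band."""
        auth_req_id = secrets.token_urlsafe(24)
        self.requests[auth_req_id] = {
            "client_id": client_id, "scope": scope, "user": login_hint,
            "status": "pending", "expires_at": now + self.expires_in, "last_poll": None,
        }
        return {"auth_req_id": auth_req_id, "expires_in": self.expires_in, "interval": self.interval}

    def authentication_device_decision(self, auth_req_id: str, approved: bool) -> None:
        """Step 2: the user approves or rejects on the authentication device (e.g. a phone app)."""
        self.requests[auth_req_id]["status"] = "approved" if approved else "denied"

    def token(self, client_id: str, grant_type: str, auth_req_id: str, now: float) -> dict:
        """Step 3: the consumption device polls the token endpoint with the CIBA grant."""
        if grant_type != CIBA_GRANT:
            return {"error": "unsupported_grant_type"}
        req = self.requests.get(auth_req_id)
        if req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}          # unknown id, or another client's request
        if now >= req["expires_at"]:
            del self.requests[auth_req_id]
            return {"error": "expired_token"}
        if req["last_poll"] is not None and now - req["last_poll"] < self.interval:
            req["last_poll"] = now                     # polling too fast resets the wait
            return {"error": "slow_down"}
        req["last_poll"] = now
        if req["status"] == "pending":
            return {"error": "authorization_pending"}
        del self.requests[auth_req_id]                 # a decided request is single use
        if req["status"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": req["scope"]}


def consumption_device_flow(server: AuthorizationServer, clock: list, decide_at: float, approved: bool):
    """Drive one exchange against a fake clock (clock[0] is "now").

    The user's decision is simulated as arriving at decide_at. Returns the final
    token response and the sequence of poll outcomes the client observed.
    """
    start = server.backchannel_authentication("tv-app", "openid payment", "alice@example.com", clock[0])
    auth_req_id, interval = start["auth_req_id"], start["interval"]
    observed = []
    while True:
        clock[0] += interval
        pending = server.requests.get(auth_req_id, {}).get("status") == "pending"
        if pending and clock[0] >= decide_at:
            server.authentication_device_decision(auth_req_id, approved)
        resp = server.token("tv-app", CIBA_GRANT, auth_req_id, clock[0])
        observed.append(resp.get("error", "token"))
        if resp.get("error") == "slow_down":
            interval += 5                              # CIBA: back off by 5 s on slow_down
        elif resp.get("error") != "authorization_pending":
            return resp, observed
```

    Two details carry the security weight: the auth_req_id is bound to the client that requested it, so another client cannot collect the user's approval, and a decided request is removed after one token response, so an approval cannot be redeemed twice.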

  • Added Support for the id_token_hint Parameter on the OAuth 2.0/OpenID Connect Authorization Endpoint

    AM 6.5.2 adds support for client relying parties to use the id_token_hint parameter in their request to the authorization endpoint as a hint about the end user's session. AM uses the ID token to verify whether the end user specified on it has a valid session in AM.

    As part of this change, the authorization endpoint supports the new none response type.

    For more information, see "/oauth2/authorize" in the OAuth 2.0 Guide and "Retrieving Session State without the Check Session Endpoint" in the OpenID Connect 1.0 Guide.

What's New in AM 6.5.1
  • OAuth 2.0 Mutual TLS (mTLS) Support

    AM 6.5.1 adds support for draft 12 of the OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens specification, a key component of ForgeRock's Open Banking and Revised Payment Services Directive (PSD2) support.

    For information about authenticating an OAuth 2.0 client using mTLS certificates, see "Authenticating Clients Using Mutual TLS" in the OAuth 2.0 Guide.

    For information about issuing certificate-constrained OAuth 2.0 access tokens, see "Certificate-Bound Proof-of-Possession" in the OAuth 2.0 Guide.
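    What "certificate-bound" means for the party that accepts the token, as an added example (not AM code): the SHA-256 thumbprint of the client certificate presented on the mTLS connection must equal the cnf["x5t#S256"] value the authorization server put in the token. The certificate byte strings below are constructed stand-ins for DER, and the claims are sample data; in a real server the DER comes from the TLS layer, for example ssl.SSLSocket.getpeercert(binary_form=True).

```python
"""Added example, not AM code: the check a resource server makes on a
certificate-bound (proof-of-possession) access token: the SHA-256 thumbprint of
the client certificate presented on the TLS connection must equal the token's
cnf["x5t#S256"] value.

The "certificates" below are constructed byte strings standing in for DER; in a
real server the DER comes from the TLS layer, for example
ssl.SSLSocket.getpeercert(binary_form=True). Claims are constructed sample data.
"""
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed stand-ins for DER-encoded client certificates (not real X.509).
CLIENT_CERT_DER = b"\x30\x82\x01\x00-constructed-client-cert-" + b"A" * 200
OTHER_CERT_DER = b"\x30\x82\x01\x00-constructed-other-cert--" + b"B" * 200


def x5t_s256(cert_der: bytes) -> str:
    """Base64url-encoded SHA-256 digest of the DER certificate (RFC 7515 x5t#S256 form)."""
    return base64.urlsafe_b64encode(hashlib.sha256(cert_der).digest()).rstrip(b"=").decode("ascii")


def bind_token(claims: dict, client_cert_der: bytes) -> dict:
    """What the AS does at issuance: add a cnf claim carrying the client cert thumbprint."""
    bound = dict(claims)
    bound["cnf"] = {"x5t#S256": x5t_s256(client_cert_der)}
    return bound


def accept_token(claims: dict, presented_cert_der: Optional[bytes], require_binding: bool = True) -> Tuple[bool, str]:
    """Resource-server decision for a token whose signature/introspection already passed.

    require_binding=True refuses plain bearer tokens, which is what a server that
    has moved to certificate-bound tokens should do; set it False only while both
    kinds are still in circulation.
    """
    cnf = claims.get("cnf")
    if not cnf:
        return (not require_binding, "token is not certificate-bound")
    expected = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if not expected:
        return False, "cnf present but no x5t#S256 thumbprint"
    if presented_cert_der is None:
        return False, "bound token presented without a client certificate"
    if not hmac.compare_digest(expected, x5t_s256(presented_cert_der)):
        return False, "client certificate does not match token binding"
    return True, "ok"
```

    The binding is only as strong as the resource server's TLS configuration: if it does not request and verify a client certificate, a stolen bound token is just a bearer token again.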

  • New Extension Point to Customize Public Key ID (kid)

    By default, AM generates a key ID (kid) for each public key exposed in the jwk_uri URI when AM is configured as an OAuth 2.0 authorization server.

    AM 6.5.1 introduces a new extension point, KeyStoreKeyIdProvider, to customize the key ID values associated with public keys stored in keystore secret stores.

    For more information, see "Customizing Public Key IDs" in the Setup and Maintenance Guide.

  • OAuth 2.0 Dynamic Client Registration Management Protocol (RFC7592) Fully Supported

    AM 6.5.1 adds support for OAuth 2.0/OpenID Connect clients to edit and delete their client profile data as per RFC7592.

    Earlier versions of AM offered support for read operations only.

    For more information, see "Dynamic Client Registration Management" in the OAuth 2.0 Guide.

  • Updated Versions of the Admin Tools and Configurator Tools Utilities

    AM 6.5.1 also includes updated versions of the Admin Tools (AM-SSOAdminTools-5.1.2.3.zip) and the Configurator Tools (AM-SSOConfiguratorTools-5.1.2.3.zip) utilities. These versions fix an issue that could cause ssoadm to malfunction when run on JDK 11 or JDK 1.8.0_192 and later (see Known Issues in AM 6.5). You can download them from the ForgeRock Backstage website.

What's New in AM 6.5

ForgeRock Access Management 6.5 is a major release that introduces new features, functional enhancements, and fixes.

  • Secret Stores

    AM introduces secret stores, which are repositories for cryptographic keys, key pairs, and credentials such as passwords. The OAuth2 providers and the Persistent Cookie Module now use secret stores.

    AM 6.5 adds support for the following secret store types:

    • Keystore

      AM supports a number of different keystore formats, including JCEKS, JKS, PKCS11, and PKCS12. AM allows key rotation within keystore secret stores.

    • File System Secret Volumes

      AM supports secrets that are stored as files in defined folders. For example, in a cloud deployment you could mount a secret volume that AM can access.

    • Hardware Security Modules (HSM)

      AM supports retrieval of secrets from hardware security modules, either locally or over the network.

    AM also supports secrets stored as environment or system properties.

    After an upgrade to AM 6.5, the following secret stores are deployed and configured for you:

    • default-keystore

    • default-password-store

    If you had Persistent Cookie authentication modules or OAuth 2.0 Providers configured, AM will perform extra tasks to ensure that the upgrade configures your secret stores correctly.

    For more information, see "Setting Up Secret Stores" in the Setup and Maintenance Guide.

  • Added Support for Web Authentication (WebAuthn)

    AM 6.5 adds support for Web Authentication, which allows users to authenticate by using an authenticator device as a second factor, for example the fingerprint scanner on their laptop or phone.

    For more information about Web Authentication, see "About Web Authentication (WebAuthn)" in the Authentication and Single Sign-On Guide.

    For information about the parts of the Web Authentication specification that are not currently supported, see Web Authentication (WebAuthn) Limitations.

  • Added Support for External Policy and Applications Configuration Store

    AM 6.5 adds support for using external DS directory servers instead of the embedded instance for storing the following data:

    • Policy data. Policy-related data, such as policies, policy sets, and resource types.

    • Application data. Application-related data, such as web and Java agent configuration, federation entities and configuration, and OAuth 2.0 client definitions.

    For more information, see "Preparing Policy and Application Stores" in the Installation Guide.

  • Added Support for the Directory Services Entry Expiration and Deletion Feature to Manage CTS Tokens

    AM 6.5 adds support to configure the DS entry expiration and deletion feature to manage CTS tokens. This configuration frees AM resources in the AM servers that can then be used for policy or authorization requests.

    Two possible configurations are supported:

    • DS manages the time to live for all tokens in the CTS and the AM CTS reaper is disabled.

      Disabling the AM CTS reaper entirely affects session-related functionality, such as sending notifications about session expiration or session timeout to agents.

    • The AM CTS reaper manages a subset of the tokens in the CTS, usually the SESSION tokens, while DS manages the non-session tokens.

      This configuration ensures your environment can still make use of all session functionality, while benefiting from DS's capabilities as well.

    For more information, see "Configuring the CTS Reaper" in the Installation Guide.

  • Improved CTS Storage Scheme for OAuth 2.0 tokens

    AM 6.5 introduces a new scheme for storing OAuth 2.0 tokens in the CTS store, called the grant-set scheme.

    The grant-set scheme groups multiple authorizations for a given OAuth 2.0 client and resource owner pair and stores them in a single CTS OAUTH2_GRANT_SET entry. This implementation reduces the size and quantity of entries stored, as well as the number of calls required to perform OAuth 2.0 operations.

    The one-to-one scheme, which stores the state of multiple authorizations for a given OAuth 2.0 client and resource owner pair across multiple entries, will be removed in a future release. You should switch to the grant-set scheme once all the servers in your environment have been upgraded to AM 6.5 or later.

    The grant-set scheme is backwards-compatible with existing entries stored in the CTS store. Therefore, any access or refresh token issued before configuring the grant-set scheme is still valid. Existing tokens will be retained in their original form until the refresh token expires or it is actively revoked.

    Note

    AM 6.5 also introduces a new "cts" claim for OAuth 2.0 access tokens. This claim allows AM to identify the storage schema for the presented token.

    If the claim is not present, for example because the token was issued before the grant-set feature was introduced in this release, AM selects the previous storage scheme. If the claim is present, AM selects the storage scheme it names for that token. The claim exists so that AM remains backwards-compatible with access tokens issued by earlier versions.

    Users will not notice any change in the tokens they receive, and there is no change to the OAuth 2.0 endpoints.

    To enable the grant-set scheme, navigate to Configure > Global Services > OAuth2 Provider > Global Attributes and set the CTS Storage Scheme drop-down to Grant-Set Storage Scheme. Then, save your changes.

    New OAuth 2.0 tokens stored in the CTS after the change will use the new scheme automatically.

  • Added Support for Customizing User-Facing OAuth 2.0 Pages

    AM 6.5 now supports the logo_uri, client_uri, and policy_uri parameters for OAuth 2.0 clients as defined in RFC 7591.

    Use these parameters to customize the OAuth 2.0 user-facing pages. For more information, see "Advanced" in the OAuth 2.0 Guide.

  • New OAuth 2.0 Provider Properties Added

    AM 6.5 adds a number of new OAuth 2.0 Provider properties, as follows:

    • Properties for controlling the supported signing and encryption algorithms and methods.

    • A property for controlling the supported signing algorithms for the private_key_jwt JWT-based authentication method.

    • A property for controlling the supported grant types.

    For more information about the properties available in OAuth 2.0 providers, see "OAuth2 Provider" in the OAuth 2.0 Guide.

  • New Authentication Nodes Added

    AM 6.5 introduces the following authentication nodes, in addition to the nodes added for Web Authentication (WebAuthn) and for displaying device recovery codes:

  • Added Support for Audit Logging to a PostgreSQL Database

    AM 6.5 adds support for recording audit events to a PostgreSQL database. An SQL script is provided to help in setting up the required tables.

    For information, see "Implementing JDBC Audit Event Handlers" in the Setup and Maintenance Guide.

1.3. Major Improvements

Improvements in AM 6.5.2
Improvements in AM 6.5.1
  • Transactional Authorization Can Return HTTP 401 Messages on Authentication Failure

    In earlier versions of AM, a transactional authorization advice that failed due to invalid credentials always returned an HTTP 200 message.

    Then, the user would be redirected to the protected resource, where policy evaluation would fail.

    AM 6.5.1 introduces a new advanced server property to control whether transactional authorization should return an HTTP 200 or an HTTP 401 message depending on the needs of your environment.

    In both cases, users cannot access the protected resources when they fail to complete the required actions during transactional authorization.

    For more information, see the org.forgerock.openam.auth.transactionalauth.returnErrorOnAuthFailure advanced server property.

  • New OpenID Connect Authentication Node Added

    AM introduces an OpenID Connect authentication node for authenticating users from an OpenID Connect-compliant identity provider. For more information, see "OpenID Connect Node" in the Authentication and Single Sign-On Guide.

  • Option for isInitiator=false to WDSSO Configuration

    AM 6.5.1 implements the JDK isInitiator option in the Windows Desktop SSO (WDSSO) module, which passes it through to the JDK Kerberos LoginModule. When set to true (the default), the module acts in the initiator role; when set to false, it acts in the acceptor role.

    For more information, see "Windows Desktop SSO Authentication Module Properties" in the Authentication and Single Sign-On Guide.

  • Allow XForwardedHeadersBaseURLProvider to Fall Back to the Host Header

    When SSL is offloaded in front of AM on Google Compute Engine (GCE), the load balancer adds the X-Forwarded-For and X-Forwarded-Proto headers but, previously, did not add an X-Forwarded-Host header. This caused origin mismatch failures in web authentication (WebAuthn) trees, which compare the origin the browser signed against the base URL AM computes.

    AM 6.5.1 allows XForwardedHeadersBaseURLProvider to fall back to the Host header when X-Forwarded-Host is not present.
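    The fallback described above, as an added example rather than AM's XForwardedHeadersBaseURLProvider code, together with the caveat any deployment needs: X-Forwarded-* headers are only meaningful when a proxy you trust set them, because any client can send them. The header sets are constructed to resemble what an SSL-offloading load balancer forwards; hostnames are examples.

```python
"""Added example, not AM code: deriving the externally visible base URL from
X-Forwarded-* headers with the fallback the release notes describe (use Host
when X-Forwarded-Host is absent), plus the caveat a deployment needs: forwarded
headers are only meaningful when they were set by a proxy you trust, because any
client can send them.

The header sets used in the tests are constructed to resemble what an
SSL-offloading load balancer would forward; hostnames are examples.
"""
import re
from typing import Mapping

_HOST_RE = re.compile(r"^[A-Za-z0-9.\-]+(:\d{1,5})?$")   # hostname or host:port, nothing else


def _first(value: str) -> str:
    """Proxies append to comma-separated lists; the first element is the original."""
    return value.split(",")[0].strip()


def base_url(headers: Mapping[str, str], request_scheme: str, from_trusted_proxy: bool) -> str:
    """Return scheme://host[:port] as the browser saw it.

    request_scheme is the scheme of the hop that reached AM (http when TLS is
    offloaded in front of it). Raises ValueError if no usable host is present or
    a host value looks injected (path characters, whitespace, and so on).
    """
    h = {k.lower(): v for k, v in headers.items()}
    if from_trusted_proxy:
        scheme = _first(h.get("x-forwarded-proto", request_scheme)).lower()
        forwarded_host = h.get("x-forwarded-host")
        # The 6.5.1 behaviour: X-Forwarded-Host when present, otherwise Host.
        host = _first(forwarded_host) if forwarded_host is not None else h.get("host")
    else:
        # Not behind a trusted proxy: X-Forwarded-* is attacker-controlled, ignore it.
        scheme, host = request_scheme.lower(), h.get("host")
    if not host or not _HOST_RE.match(host):
        raise ValueError("missing or malformed host header")
    if scheme not in ("http", "https"):
        raise ValueError("unsupported scheme")
    return f"{scheme}://{host}"
```

    Whichever header supplies the host, it is validated against a strict pattern before being used, because the value ends up in redirect URLs and in the WebAuthn origin comparison.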

  • More Data Added to Scripted Node Decision Binding

    The scripted decision node in AM 6.5.1 now provides access to the following additional objects:

    • sharedState

    • transientState

    • callbacks

    • requestHeaders

    • logger

    • httpClient

    • realm

    • existingSession (if it exists)

  • JWK Key "use" Updated to Include "tls" Type

    AM 6.5.1 adds "tls" as a supported value for the JSON Web Key (JWK) use parameter, which specifies the intended use of the public key. Possible values are sig, enc, and tls. Note that tls is an AM-specific value; RFC 7517 defines only sig and enc.

  • Support for Dynamic Registration PUT

    AM 6.5.1 supports a dynamic registration PUT request, which allows a registered OIDC client to update its registration.

  • Scripted Authentication Nodes Can Access Additional Functionality

    AM 6.5.1 adds support for the scripted authentication node to use callbacks, and for additional features such as access to transientState.

    For more information, see "Scripted Decision Node API Functionality" in the Authentication and Single Sign-On Guide.

Improvements in AM 6.5.0.2
Improvements in AM 6.5.0.1
  • OIDC Claims Script Support

    The httpClient binding is now available within the OIDC Claims script.

Improvements in AM 6.5
  • OAuth 2.0/ OpenID Connect 1.0

    • OAuth 2.0 Clients can be Restricted to a Particular OAuth 2.0 Grant Flow

      In earlier versions of AM, OAuth 2.0 clients could not be restricted to use a particular OAuth 2.0 grant flow and supported any OAuth 2.0 flow without any special configuration.

      OAuth 2.0 clients created in AM 6.5 are assigned the Authorization Code Grant flow by default. You must configure the client if it requires a different flow by navigating to Realms > Realm Name > Applications > OAuth 2.0 > Client Name > Advanced, and then editing the Grant Types field.

      After an upgrade to AM 6.5, all grant flows are added to existing clients to maintain backwards compatibility.

      For more information, see "OAuth 2.0 and OpenID Connect 1.0 Client Settings" in the OAuth 2.0 Guide.

    • Improved Support for PKCE

      In earlier versions of AM, the OAuth 2.0 Provider service could be configured either to require a PKCE code challenge in all client requests, or not to require one at all. This was not flexible enough for environments with both confidential and public clients.

      AM 6.5 allows configuring the OAuth 2.0 Provider service to specify which clients are required to present a PKCE code challenge. To configure this feature, navigate to Realms > Realm Name > Services > OAuth2 Provider > Advanced, and select one of the following options in the Code Verifier Parameter Required drop-down field:

      • All requests. All clients must present a PKCE code challenge.

      • Requests from all public clients. All public clients must present a PKCE code challenge.

      • Requests from all passwordless public clients. All public clients without a configured password must present a PKCE code challenge.

      • No requests. No client is required to present a PKCE code challenge.

      If a client sends the code_challenge parameter in its authorization request, AM enforces PKCE on the code exchange regardless of the Code Verifier Parameter Required setting.
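      The policy above and its interaction with the code exchange, as an added example rather than AM code: an in-memory authorization server decides per client whether code_challenge is required, records any challenge that was sent, and enforces the matching code_verifier at exchange time even when the policy is "No requests". Client records, client ids and the policy names (which mirror the drop-down options) are constructed for the example; the S256 derivation follows RFC 7636.

```python
"""Added example, not AM code: an authorization server applying the "Code
Verifier Parameter Required" policy and then enforcing PKCE at the code
exchange whenever a challenge was presented, regardless of the policy.

Client records, client ids and scopes are constructed sample data; the policy
names mirror the drop-down options in the release notes.
"""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum


class CodeVerifierRequired(Enum):
    ALL = "All requests"
    PUBLIC = "Requests from all public clients"
    PASSWORDLESS_PUBLIC = "Requests from all passwordless public clients"
    NONE = "No requests"


@dataclass(frozen=True)
class Client:
    client_id: str
    public: bool            # public clients cannot keep a secret (SPA, mobile app)
    has_password: bool      # a public client may still have a password configured


def pkce_required(policy: CodeVerifierRequired, client: Client) -> bool:
    """Which clients must send code_challenge on the authorization request."""
    if policy is CodeVerifierRequired.ALL:
        return True
    if policy is CodeVerifierRequired.PUBLIC:
        return client.public
    if policy is CodeVerifierRequired.PASSWORDLESS_PUBLIC:
        return client.public and not client.has_password
    return False


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    def __init__(self, policy: CodeVerifierRequired):
        self.policy = policy
        self.codes = {}       # authorization code -> what was bound to it

    def authorize(self, client: Client, code_challenge=None, code_challenge_method="plain") -> dict:
        if code_challenge is None and pkce_required(self.policy, client):
            return {"error": "invalid_request", "error_description": "code_challenge is required"}
        if code_challenge is not None and code_challenge_method not in ("S256", "plain"):
            return {"error": "invalid_request", "error_description": "unsupported code_challenge_method"}
        code = secrets.token_urlsafe(24)
        # A challenge that was presented is always recorded and enforced later,
        # whatever the policy says (the behaviour the release notes describe).
        self.codes[code] = {"client_id": client.client_id,
                            "challenge": code_challenge, "method": code_challenge_method}
        return {"code": code}

    def exchange(self, client_id: str, code: str, code_verifier=None) -> dict:
        record = self.codes.pop(code, None)          # codes are single use
        if record is None or record["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if record["challenge"] is not None:
            if code_verifier is None or not 43 <= len(code_verifier) <= 128:
                return {"error": "invalid_grant", "error_description": "code_verifier missing or malformed"}
            derived = s256_challenge(code_verifier) if record["method"] == "S256" else code_verifier
            if not hmac.compare_digest(derived, record["challenge"]):
                return {"error": "invalid_grant", "error_description": "code_verifier does not match"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```

      The last branch is the one that matters for a downgrade attack: once a challenge has been bound to a code, an exchange without the verifier fails even for a client the policy would otherwise exempt, so an attacker who intercepts the code cannot redeem it by simply omitting PKCE.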

  • Client-based Refresh Tokens are Now Whitelisted

    Client-based refresh tokens now have corresponding entries in a CTS whitelist, rather than a blacklist. When a client-based refresh token is presented, AM checks that a matching entry exists in the CTS whitelist and refuses to reissue tokens if it does not.

    Adding a client-based OAuth 2.0 token to the blacklist will also remove associated refresh tokens from the whitelist.

    For more information on revoking client-based tokens, see "Configuring Client-Based OAuth 2.0 Token Blacklisting" in the OAuth 2.0 Guide.

1.4. Security Advisories

ForgeRock issues security advisories in collaboration with our customers and the open source community to address any security vulnerabilities transparently and rapidly. ForgeRock's security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.

For details of all the security advisories across ForgeRock products, see Security Advisories in the Knowledge Base.

Chapter 2. Before You Install

This chapter covers software and hardware prerequisites for installing and running ForgeRock Access Management server software.

ForgeRock supports customers using the versions specified here. Other versions and alternative environments might work as well. When opening a support ticket for an issue, however, make sure you can also reproduce the problem on a combination covered here.

2.1. Files to Download

AM software is available at https://backstage.forgerock.com. "AM Software" describes the files available for download.

AM Software
File                              Description

AM-6.5.2.1.zip

Cross-platform distribution including all software components.

For a list of the files in the .zip archive, see "Obtaining Software" in the Installation Guide.

AM-6.5.2.1.war

Deployable web application archive file.

SSOAdminTools-5.1.2.11.zip

The .zip file that contains tools to manage AM from the command line.

SSOConfiguratorTools-5.1.2.11.zip

The .zip file that contains tools to configure AM from the command line.


2.2. Operating System Requirements

ForgeRock supports customers using ForgeRock Access Management server software on the following operating system versions:

Supported Operating Systems
Operating System                  Versions
Red Hat Enterprise Linux, CentOS  6, 7
Amazon Linux                      Amazon Linux 2, Amazon Linux 2017.09, Amazon Linux 2018.03
SuSE                              12
Ubuntu                            14.04 LTS, 16.04 LTS, 18.04 LTS
Solaris x64                       10, 11
Solaris SPARC                     10, 11
Windows Server                    2012 R2, 2016


2.3. Web and Java Agents Platform Requirements

The following table summarizes the minimum required version of web and Java agents:

Minimum Agent Version Required
Agent        Versions
Web Agents   5.0.1
Java Agents  5.0.1

AM supports several versions of web agents and Java agents. For supported container versions and other platform requirements related to agents, refer to the ForgeRock Access Management Web Agents Release Notes and the ForgeRock Access Management Java Agents Release Notes.

2.4. Java Requirements

The following table lists supported Java versions:

JDK Requirements
Vendor                                             Versions
Oracle JDK                                         8, 11 [a]
IBM SDK, Java Technology Edition (WebSphere only)  8
OpenJDK                                            8, 11 [a]

[a] Federation-related pages do not display when using Java 11. For more information, see the Knowledge Base.


2.5. Web Application Container Requirements

The following table summarizes supported application containers and their required versions:

Web Containers
Web Container                          Versions
Apache Tomcat                          7 [a], 8.5, 9
Oracle WebLogic Server                 12c (12.2.1.3)
JBoss Enterprise Application Platform  7.1
WildFly AS                             10.1, 11, 12
IBM WebSphere                          8.5.5.8+ [b], 9

[a] We recommend that you do not use Apache Tomcat 7.0.15 or later. These versions contain a bug that makes Tomcat throw a SocketTimeoutException when the application tries to read the request InputStream under high load. The bug was fixed in version 8.5. For more information, see https://github.com/apache/tomcat80/pull/9.

[b] WebSphere 8.5.5.x does not ship the JEE libraries required to support WebSockets, so WebSocket functionality is affected. Policy agents use WebSockets extensively and are affected as well. WebSphere 9.x is not affected by this issue.


The web application container must be able to write to its own home directory, where AM stores configuration files.

Caution

Java Agents and Web Agents require the WebSocket protocol to communicate with AM.

Ensure that the container where AM runs, the web server/container where the agents run, and your network infrastructure all support the WebSocket protocol.

Refer to your network infrastructure and web server/container documentation for more information about WebSocket support.

2.6. Directory Server Requirements

This section lists supported directory servers.

As described in "Generic LDAPv3 Configuration Properties" in the Setup and Maintenance Guide, you can configure AM to use LDAPv3-compliant directory servers as user data stores. If you have a special request to deploy AM with a user data store not mentioned in the following table, contact info@forgerock.com.

Supported Directory Servers
Directory Server                            Versions       Configuration  Apps / Policies  CTS  Identities  UMA
Embedded Directory Services                 6.5
External Directory Services/OpenDJ          3.0+
Oracle Unified Directory                    11g R2
Oracle Directory Server Enterprise Edition  11g
Microsoft Active Directory                  2012 R2, 2016
IBM Tivoli Directory Server                 6.3

2.7. Supported Clients

The following table summarizes supported clients and their minimum required versions:

Supported Clients
Client Platform            Native Apps [a]  Chrome 62.0.3202 [b]  Internet Explorer 11+  Edge 25.10586  Firefox 57+ [b]  Safari 11 [b]  Mobile Safari
Windows 8
Windows 10
Mac OS X 10.11 or later
Ubuntu 14.04 LTS or later
iOS 9 or later
Android 6 or later

[a] Native Apps is a placeholder to indicate AM is not just a browser-based technology product. An example of a native app would be something written to use our REST APIs, such as the sample OAuth 2.0 Token Demo app.

[b] Chrome, Firefox, and Safari are configured to update automatically, so customers will typically be running latest. However, for RFP reasons, we specify a minimum version.


2.8. Supported Upgrade Paths

The following table contains information about the supported upgrade paths to AM 6.5:

Upgrade Paths
Version          Upgrade Supported?
AM 6.5.x [a]
AM 6.0.x [a]
AM 5.5
AM 5.0 (14.0)
OpenAM 13.5.x
OpenAM 13.x

Important

[a] The Amster-config-upgrader tool was removed from AM 6.5.0 and later releases. As a result, after you upgrade your AM servers, you must export the configuration again with Amster for the exported files to be valid on the upgraded server. This applies to upgrades to AM 6.5.0, and to upgrades from AM 6.5.0/6.5.0.x to AM 6.5.x (for example, AM 6.5.1 or 6.5.2). For more information, see the BackStage Knowledge Base.


If you are upgrading from an unsupported version of AM to a later version, you must first upgrade to a supported version. In some cases, you may need to upgrade again depending on the upgrade path.

Upgrading between Enterprise and OEM versions is not supported.

For more information, see Checking your product versions are supported in the ForgeRock Knowledge Base.

2.9. Special Requests

If you have a special request regarding support for a combination not listed here, contact ForgeRock at info@forgerock.com.

Chapter 3. Installing or Upgrading

This chapter covers installing and upgrading AM 6.5 software.

Before you install AM or upgrade your existing installation, read these release notes. Then, install or upgrade AM.

  • If you are installing AM for the first time, see the Installation Guide.

  • If you have already installed AM, see the Upgrade Guide.

    Do not perform an upgrade by deploying the new version and then importing an existing configuration by running the ssoadm import-svc-config command. Importing an outdated configuration can result in a corrupted installation.

Chapter 4. Changes and Deprecated Functionality

This chapter covers both major changes to existing functionality, and also deprecated and removed functionality.

4.1. Critical Changes to Existing Functionality

As part of planning your upgrade, you need to consider that certain changes in later AM versions may have an impact on your environment. Usually, these changes are driven by changes in specification, security policies, or performance.

When possible, the upgrade process makes the appropriate changes on AM configuration. However, sometimes you will need to perform additional configuration based on your environment needs.

In addition to the mandatory upgrade steps outlined in "Upgrading AM Instances" in the Upgrade Guide, if you use any of the features described in the following table, you will need to perform additional upgrade tasks:

Critical Changes to Existing Functionality
AM Version       Component or Feature          Change
6.5.0.2 / 6.5.1  OAuth 2.0 Refresh Tokens

AM only issues refresh tokens to clients that have the refresh token grant type configured in their client profile.

After an upgrade to 6.5 or later using the UI or the openam-upgrade-tool .jar file, existing OAuth 2.0 clients are configured to use all grant flows, including the Refresh Token Grant flow.

To configure the refresh token grant type manually, see "To Configure AM to Issue Refresh Tokens" in the OAuth 2.0 Guide.

6.5              Recovery Codes                Recovery Codes are encrypted, and existing codes are no longer displayed to the user. For more information, see "Upgrading Device Recovery Codes" in the Upgrade Guide.
                 Secret Stores                 AM introduced secret stores. The upgrade process only creates the secret store files on the AM instance where you ran the upgrade process. For more information, see "Configuring Secret Stores After Upgrade" in the Upgrade Guide.
                 Amster                        The Amster-config-upgrader tool was removed. As a result, you need to upgrade AM following the procedures in the Upgrade Guide and then export the configuration from the upgraded instance or site using Amster. For more information, see the following Knowledge Base article.
6                json/ Endpoints               AM's CSRF protection filter requires that either the X-Requested-With or the Accept-API-Version header is included on requests to endpoints under the json root. For more information, see "Reviewing REST API Versions Before Upgrading" in the Upgrade Guide.
5                SSO Tokens

AM SSO session tokens are incompatible with SSO tokens from OpenAM.

CTS-based (stateful) and client-based (stateless) sessions created by earlier versions of OpenAM are not supported. After upgrading from an earlier version, any existing SSO tokens created by that version become invalid, and users need to reauthenticate. In mixed version deployments, earlier versions of OpenAM cannot read or process SSO session tokens created by AM 5 or later.

This incompatibility only affects SSO session tokens. OAuth 2.0 and OpenID Connect 1.0 tokens are interoperable between versions.

                 Realms

Realm paths now must be absolute and include the top-level realm, and DNS aliases and realms specified in the query string are no longer concatenated if used together: the query string overrides the DNS alias.

For examples, see "Specifying the Realm in the Login URL" and "Specifying Realms in REST API Calls" in the Authentication and Single Sign-On Guide.

This change also impacts the user self-service feature when deployed in subrealms. For more information, see "Upgrading User Self-Service in Subrealms" in the Upgrade Guide.

                 Post-Authentication Plugins   AM no longer maintains state in post-authentication plugins between login and logout. For more information, see "Upgrading Post-Authentication Plugins" in the Upgrade Guide.
13.5             User Self-Service             The user self-service feature requires two keys in a JCEKS keystore. For more information, see "Upgrading the Keystore for User Self-Service" in the Upgrade Guide.

Tip

For information on the endpoints deprecated or removed in previous versions, and their current equivalents, see the following Knowledge Base article.

4.2. Important Changes to Existing Functionality

This section lists changes done to existing functionality, services, endpoints, and others in the current release of AM.

Important Changes in AM 6.5.2
  • Trusted JWT Issuer on Admin Console under Agents Menu

    The Trusted JWT Issuer agent type is located under the Agents menu in the Admin Console. You can access it by navigating to Applications > Agents > Trusted JWT Issuer.

    Note

    In AM version 7.x, Trusted JWT Issuer will be located at Applications > OAuth 2.0 > Trusted JWT Issuer.

  • Added Key Transport Algorithm Setting

    AM 6.5.2 introduces a new Key Transport Algorithm setting for SAML v2.0 remote IdPs, remote SPs, attribute authority, and attribute query entity roles.

    The Key Transport Algorithm setting allows you to control which key transport algorithm is used when certain parts of the SAML v2.0 messages are encrypted. The key transport algorithm is used when the generated symmetric key is encrypted using the asymmetric encryption key of the remote party.

    As part of this feature, the following supported APIs have been updated:

    • com.sun.identity.saml2.assertion.Assertion

    • com.sun.identity.saml2.assertion.Attribute

    • com.sun.identity.saml2.assertion.NameID

    • com.sun.identity.saml2.protocol.NewID

    • org.forgerock.openam.sts.config.user.SAML2Config

  • Authentication Nodes Now Can Access HttpServletRequest and HttpServletResponse available from ExternalRequestContext

    Authentication nodes now have access to HttpServletRequest and HttpServletResponse, which are available from ExternalRequestContext.

Important Changes in AM 6.5.1
  • Change to OAuth 2.0 Client Issuance of a Refresh Token

    Important

    For OAuth 2.0 clients, the refresh_token grant type must now be provided to obtain a refresh token. In previous AM versions, the OAuth 2.0 client would issue both an access and a refresh token even if the refresh token flow was not enabled on the client.

    This has been changed in AM 6.5.2.1 to be more compliant with the specification.

    The client must have the refresh token configured as a grant type to be able to receive and use the refresh token. For more information, see "To Configure AM to Issue Refresh Tokens" in the OAuth 2.0 Guide.

  • LDAPv3Repos LDAP Servers are Now Stored in Comma-Separated Ordered List

    For deployments with multiple data stores behind a load balancer, AM now stores its servers as a comma-separated list, rather than as an ordered list of separate values.

    For example, consider a site configuration with ID 02 and two servers with IDs 01 and 03. In previous releases (prior to AM 6.5.2.1 and earlier), AM would store the servers as an ordered list of separate attribute values:

    $ ./ldapsearch -p 51389 -D "cn=Directory Manager" -w cangetin -b "ou=services,dc=openam,dc=forgerock,dc=org" "objectclass=*"  > backup.ldif
    $ grep "sun-idrepo-ldapv3-config-ldap-server" backup.ldif
    sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=xxx.example.com:1389|01|02
    sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=zzz.example.com:1389|01|02
    sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=xxx.example.com:1389|03|02
    sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=localhost:51389
    sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=zzz.example.com:1389|03|02

    Now, AM stores its multi-server configuration as a comma-separated ordered list:

    $ ./ldapsearch -p 51389 -D "cn=Directory Manager" -w cangetin -b "ou=services,dc=openam,dc=forgerock,dc=org" "objectclass=*"  > backup.ldif
    $ grep "sun-idrepo-ldapv3-config-ldap-server" backup.ldif
    sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=[0]=xxx.example.com:1389|01|02,xxx.example.com:1389|03|02,localhost:51389,zzz.example.com:1389|01|02,zzz.example.com:1389|03|02

  • request_uri Values Must Be Pre-Registered

    In earlier versions of AM, you could configure the OAuth 2.0/OpenID Connect provider to require clients to pre-register their request_uri values.

    Now, pre-registration of request_uri values is mandatory, and the option to disable it has been removed.
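
To check a configuration backup for the LDAPv3Repos server list change described above, the following added example (not ForgeRock's code) parses both the older multi-valued form and the newer `[0]=` comma-separated form of the sun-idrepo-ldapv3-config-ldap-server attribute into the same structure, renders entries back in the new form, and lists which LDAP servers a given AM server would use. The selection rule (an unqualified entry applies to every server; a `|serverID|siteID` entry only to that server and site), support for indexes other than `[0]`, and the sample LDIF are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

ATTR = "sun-idrepo-ldapv3-config-ldap-server"

# One LDIF line per stored value, as the grep in the release notes prints it:
#   sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=<value>
LINE_RE = re.compile(r"^sunKeyValue:\s*" + re.escape(ATTR) + r"=(.*)$")
# The newer form prefixes the comma-separated list with an index, "[0]=".
# Support for higher indexes ("[1]=", ...) is an assumption; the notes only show "[0]=".
INDEXED_RE = re.compile(r"^\[(\d+)\]=(.*)$")


@dataclass(frozen=True)
class LdapServer:
    host: str
    port: int
    server_id: Optional[str] = None   # "|01" part: AM server ID the entry is pinned to
    site_id: Optional[str] = None     # "|02" part: AM site ID the entry belongs to

    def applies_to(self, server_id: str, site_id: Optional[str]) -> bool:
        # Assumed selection rule: an entry without qualifiers is usable by every
        # AM server; a qualified entry only by the named server (and site, if given).
        if self.server_id is None:
            return True
        if self.server_id != server_id:
            return False
        return self.site_id is None or site_id is None or self.site_id == site_id


def parse_entry(text: str) -> LdapServer:
    """Parse 'host:port[|serverID|siteID]' into an LdapServer."""
    parts = text.split("|")
    if len(parts) > 3:
        raise ValueError(f"too many '|' qualifiers in {text!r}")
    host, _, port = parts[0].rpartition(":")
    if not host or not port.isdigit():
        raise ValueError(f"expected host:port, got {parts[0]!r}")
    server_id = (parts[1] or None) if len(parts) > 1 else None
    site_id = (parts[2] or None) if len(parts) > 2 else None
    return LdapServer(host, int(port), server_id, site_id)


def parse_ldif(ldif: str) -> List[LdapServer]:
    """Return the stored servers in stored order, from either attribute format."""
    indexed = []   # (index, position, entry) for the "[n]=a,b,c" form
    plain = []     # one entry per attribute value for the older form
    for line in ldif.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated LDIF line
        value = m.group(1).strip()
        im = INDEXED_RE.match(value)
        if im is None:
            plain.append(parse_entry(value))
            continue
        for item in im.group(2).split(","):
            if item.strip():
                indexed.append((int(im.group(1)), len(indexed), parse_entry(item.strip())))
    if indexed and plain:
        raise ValueError("attribute mixes the old multi-valued and new indexed forms")
    indexed.sort(key=lambda t: (t[0], t[1]))
    return [e for _, _, e in indexed] or plain


def format_entry(e: LdapServer) -> str:
    """Render an entry as 'host:port' plus any '|serverID|siteID' qualifiers."""
    quals = [e.server_id, e.site_id]
    while quals and quals[-1] is None:
        quals.pop()
    return f"{e.host}:{e.port}" + "".join(f"|{q or ''}" for q in quals)


def to_ordered_list_value(entries: List[LdapServer]) -> str:
    """Render entries as the single comma-separated '[0]=' value used by newer AM releases."""
    return f"sunKeyValue: {ATTR}=[0]=" + ",".join(format_entry(e) for e in entries)


def servers_for(entries: List[LdapServer], server_id: str, site_id: Optional[str] = None) -> List[str]:
    """host:port strings a given AM server would use, in stored order."""
    return [f"{e.host}:{e.port}" for e in entries if e.applies_to(server_id, site_id)]


# Constructed sample input: the older multi-valued form as grep prints it, with one
# unrelated LDIF line (a made-up DN) to show that such lines are ignored.
OLD_LDIF = """\
dn: ou=example,ou=services,dc=openam,dc=forgerock,dc=org
sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=xxx.example.com:1389|01|02
sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=zzz.example.com:1389|01|02
sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=xxx.example.com:1389|03|02
sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=localhost:51389
sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=zzz.example.com:1389|03|02
"""
# Constructed sample input: the same servers in the newer single-valued form.
NEW_LDIF = ("sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=[0]=xxx.example.com:1389|01|02,"
            "xxx.example.com:1389|03|02,localhost:51389,zzz.example.com:1389|01|02,"
            "zzz.example.com:1389|03|02\n")

if __name__ == "__main__":
    old, new = parse_ldif(OLD_LDIF), parse_ldif(NEW_LDIF)
    print("same server set in both backups:", set(old) == set(new))
    print("server 01 in site 02 would use:", servers_for(new, "01", "02"))
    print(to_ordered_list_value(old))
```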

Important Changes in AM 6.5.0.2
  • Change to OAuth 2.0 Client Issuance of a Refresh Token

    Important

    For OAuth 2.0 clients, the refresh_token grant type must now be provided to obtain a refresh token. In previous AM versions, the OAuth 2.0 client would issue both an access and a refresh token even if the refresh token flow was not enabled on the client.

    This has been changed in AM 6.5.2.1 to be more compliant with the specification.

    The client must have the refresh token configured as a grant type to be able to receive and use the refresh token. For more information, see "To Configure AM to Issue Refresh Tokens" in the OAuth 2.0 Guide.

  • Updated Versions of the Admin Tools and Configurator Tools Utilities

    AM 6.5.0.2 also includes an updated version of the Admin Tools (AM-SSOAdminTools-5.1.2.3.zip) and the Configurator Tools (AM-SSOConfiguratorTools-5.1.2.3.zip) utilities. These upgraded versions of the tools fix an issue that could cause ssoadm to malfunction when using JDK 11 or JDK 1.8.0_192+ (see Known Issues in AM 6.5). You can download these versions from the ForgeRock Backstage website.

Important Changes in AM 6.5.0.1
Important Changes in AM 6.5
  • Web and Java Agents Earlier than 5.0.1 Not Supported

    AM 6.5 does not interoperate with web and Java agents earlier than 5.0.1.

  • Stored Device Recovery Codes are now One-way Encrypted

    AM 6.5 encrypts stored device recovery codes by default. This means they can only be shown to users a single time before they become encrypted, and therefore, unreadable.

    Important

    To prevent AM from encrypting existing device recovery codes you must add a Java property to your environment, BEFORE starting the container.

    For more information on device recovery code encryption, and how to disable encryption, see "To Prevent AM Encrypting Device Recovery Codes" in the Upgrade Guide.

  • Utils Class Containing SHA-1 Usage Moved

    The method org.forgerock.oauth2.core.Utils#getKid has moved to org.forgerock.openam.secrets.SecretsUtils#getStaticId in AM 6.5.

    This class may get flagged for SHA-1 usage in source code scans. However, reports of this particular use of SHA-1 can be safely ignored.

    For more information, see Security scan shows use of SHA-1 in Utils class in AM/OpenAM (All versions) in the Knowledge Base.

  • Naming Convention Changes on Documentation and UI

    Earlier versions of the AM documentation and the UI classify OAuth 2.0 and OpenID Connect 1.0 tokens as stateful when AM stores tokens in the CTS token store, and stateless when AM returns the token to the client.

    This naming convention is misleading. OAuth 2.0 services are stateless (no information regarding OAuth 2.0 is stored in the AM server memory), and any server in the AM deployment can satisfy any OAuth 2.0-related request.

    AM 6.5 removes the stateful/stateless naming convention and classifies tokens depending on where they are stored:

    • CTS-based tokens (previously referred to as stateful tokens)

    • Client-based tokens (previously referred to as stateless tokens)

  • Signing Methods for Social Authentication with IDM Incompatible with Earlier Versions

    The signing method used by AM 6.5 when performing social authentication with IDM 6.5 has changed, in order to support non-extractable HMAC keys from Hardware Security Modules (HSMs).

    The new signing method is not compatible with IDM 6, or earlier.

    If you have not upgraded to IDM 6.5, or later, enable the new Signing Compatibility Mode property in the IDM Provisioning service in order to use social authentication involving IDM successfully.

    For more information, see "IDM Provisioning" in the User Self-Service Guide.

  • The Amster Configuration Upgrader Utility is not Included in the AM 6.5 Release

    The tool is used to upgrade configuration files exported by Amster for use in later versions.

    Upgrade Paths
    Version       Upgrade To    Manual Amster Export?
    AM 6.0.0.x    AM 6.5.x

    Follow the procedures in the Upgrade Guide to upgrade from previous versions to AM 6.5. Then, use Amster to export configuration files that are compatible with AM 6.5.

  • Data Stores Renamed to Identity Stores

    To differentiate the stores used for identities from those used for configuration, applications, or policies, the Data Stores label in the user interface has been renamed to Identity Stores.

  • Changes to the Prometheus Monitoring Interface

    In earlier versions of AM, Prometheus had to authenticate with a username and a password when accessing the monitoring endpoint. AM 6.5 allows you to configure the monitoring interface such that Prometheus can access the endpoint without authenticating.

    For more information, see "Prometheus Monitoring" in the Setup and Maintenance Guide.

  • Oracle WebLogic Required Packages Now Included by Default

    In earlier versions of AM, Bouncy Castle and Jackson packages needed to be added to the weblogic.xml file in order to deploy AM successfully in Oracle WebLogic.

    This step is no longer required, as the packages are included by default.

    For more information, see "Preparing Oracle WebLogic" in the Installation Guide.

  • Changes to the activity.audit.json Log File

    In earlier versions of AM, the activity.audit.json log file only captured session changes. AM 6.5 captures session, user profile, and device profile changes in the logs.

    For more information, see "Audit Log Topics" in the Setup and Maintenance Guide.

  • UI Source Paths Changed

    In earlier versions of AM, the source code of the UI pages was under openam-ui-ria/src/main. AM 6.5 removes the main directory.

    For more information about the new paths, see "Customizing the XUI" in the UI Customization Guide.

4.3. Deprecated Functionality

Functionality listed under this section has been deprecated and will be removed in a future release of AM.

Deprecated Functionality in AM 6.5.2.1
Deprecated Functionality in AM 6.5.2
Deprecated Functionality in AM 6.5.1
Deprecated Functionality in AM 6.5.0.2
Deprecated Functionality in AM 6.5.0.1
Deprecated Functionality in AM 6.5
  • SAML 1.0 Deprecated

    SAML 1.0 functionality is deprecated in AM 6.5, and will be removed in a future version.

4.4. Removed Functionality

Functionality listed under this section has been removed from AM.

Removed Functionality in AM 6.5.2
  • No features or functionality have been removed in this release.

Removed Functionality in AM 6.5.1
  • No features or functionality have been removed in this release.

Removed Functionality in AM 6.5.0.2
  • No features or functionality have been removed in this release.

Removed Functionality in AM 6.5.0.1
  • No features or functionality have been removed in this release.

Removed Functionality in AM 6.5
  • No features or functionality have been removed in this release.

Chapter 5. Fixes, Limitations, and Known Issues

This chapter covers the status of key issues and limitations at release 6.5.

5.1. Fixed Issues

The following important bugs were fixed in this release:

Key Fixes in AM 6.5.2.1
  • OPENAM-9931: Global Session Service - two fields with the exact same name (Redundant 'Global Attributes' setting should be removed)

  • OPENAM-14700: XUI: AM pages don't render in Internet Explorer

  • OPENAM-14744: Multivalued DN stops persistent search

  • OPENAM-14973: Monitoring throws StackTrace even if JDMK isn't being used/needed.

  • OPENAM-15028: Cannot load metadata in ssoadm without extended metadata

  • OPENAM-15063: Trusted JWT Issuer Agents fall under the 'Agents' group in XUI groupings - which doesn't match release notes

  • OPENAM-15065: HTTP 500 authentication error in CIBA workflow when user deny request

  • OPENAM-15105: Unable to get trusted devices using REST API

  • OPENAM-15121: Persistent Cookie Auth Tree does not work after the second relogin ( with browser closed )

  • OPENAM-15150: Upgrade fails when there is a bad Token Signing ECDSA public/private key pair alias field

  • OPENAM-15347: Trusted JWT Issuer is highlighted as current menu item when I choose OAuth2

  • OPENAM-15350: Wrong message when saving Trusted JWT Issuer

Key Fixes in AM 6.5.2
  • OPENAM-10958: Amster cannot import configuration containing sub realms with --clean if the instance already contains sub realms

  • OPENAM-13402: Race condition in switch realm page display can sometimes result in displaying a login page

  • OPENAM-13779: Session API - _action=refresh requires an admin token

  • OPENAM-14022: We shouldn't be deploying Jetty inside a war file

  • OPENAM-14054: XUI Custom templates and Partials not applied consistently

  • OPENAM-14059: Inconsistent behavior while revoking stateful v/s stateless refresh tokens

  • OPENAM-14138: Self registration url does not include realm parameter after upgrade from 13.5.1

  • OPENAM-14213: Cannot view SAML SP entity imported from AWS in console

  • OPENAM-14231: Passing in a JWT (with jku in the header) to the authorize endpoint fails

  • OPENAM-14295: import-config fails when web-agent already present

  • OPENAM-14310: CheckSession page indicates the session is not valid

  • OPENAM-14337: Fail gracefully when request OIDC token using "Pairwise" Subject Type and no Redirection URI is configured in client

  • OPENAM-14353: Error Message not Displayed when Change Password does not Meet Password Policy

  • OPENAM-14356: Deleting OAuth 2.0 Client triggers unfiltered search

  • OPENAM-14362: UMA load test fails with Invalid resource type error

  • OPENAM-14419: Policy evaluation returns search results for all policies that match outside of specified application

  • OPENAM-14464: XUI sends the following message "Loading custom partial "${partialPath}" failed. Falling back to default." to the browser console when a custom theme is used

  • OPENAM-14466: Logs show MissingResource for key unableToCreateArtifactResponse during SAML2 login

  • OPENAM-14483: If there is no token, then landing on the AM login page will result in 2 getSessionInfo Requests = 401 UnAuthZ

  • OPENAM-14523: NullPointerException in IdP-initiated ManageNameIDRequest using SOAP Binding

  • OPENAM-14525: HSM secret store should not use the key alias as stable ID

  • OPENAM-14539: SAML SLO with multi protocols

  • OPENAM-14548: Consent page still shows what's been granted/removed as a result of OAuth2 scope policy evaluation

  • OPENAM-14565: AM Upgrade NPE when unable to read operational attrs from directory

  • OPENAM-14572: prompt=login destroys and creates new session

  • OPENAM-14581: Handling ManageNameID fails if NameID does not include SPNameQualifier

  • OPENAM-14642: OIDC Dynamic Client Registration registration_client_uri uses only Host header not BaseURL

  • OPENAM-14643: OIDC Dynamic Client Registration registration_client_uri does not work for root realm

  • OPENAM-14651: OAuth2 GrantSet E-Tag Assertion Failures due to Stale Reads

  • OPENAM-14656: SAML redirect to login page on SP side fails if AM installed into the root context

  • OPENAM-14685: PolicySetCacheImpl is not cleaned up correctly upon realm deletion

  • OPENAM-14694: Consent page still shows claim values even when supported claim description is omit

  • OPENAM-14707: ConsentRequiredResource class does not reuse value in Base url source service

  • OPENAM-14715: Stateless token encryption does not work OOTB when upgrading from < AM 6.0

  • OPENAM-14717: mailto attribute have space between ':' and mail address

  • OPENAM-14740: idpSingleLogoutRedirect throws error 500 IllegalStateException on SLO

  • OPENAM-14766: Introspect and tokeninfo endpoints return Internal Server Error 500 in some invalid tokens

  • OPENAM-14783: PKCS11 KeyStore does not work on IBM JVM

  • OPENAM-14784: AM cannot decrypt JWTs with CBC-HMAC encryption methods using a HSM

  • OPENAM-14785: Give Authentication Nodes Access to the Request and Response

  • OPENAM-14786: idpSingleLogoutPOST throws error 500 IllegalStateException on SLO

  • OPENAM-14794: User privileges are removed from group if another group is given same privilege

  • OPENAM-14798: Cannot always delete unused resource types in top level realm

  • OPENAM-14799: Unable to update Agent profile using REST

  • OPENAM-14821: Make HttpServletRequest/Response available from ExternalRequestContext

  • OPENAM-14825: OAuth2 Dynamic Registration with Software Statement triggers objectClass=* search

  • OPENAM-14829: AuthSchemeCondition doesn't return realm aware policy condition advice

  • OPENAM-14840: Translation and help text missing for OAuth2 provider property `tokenEncryptionEnabled`

  • OPENAM-14845: Userinfo endpoint does not correctly handle Certificate Bound Access Tokens

  • OPENAM-14848: Insufficient debug logging in OpenID Connect authentication module

  • OPENAM-14853: Intermittent bug caused by partials not being loaded in-time.

  • OPENAM-14859: ROPC throws "Internal Server Error (500)" when 'Password Grant authentication service' is empty

  • OPENAM-14865: No error message is provided when login page is supplied with incorrect session cookie domain

  • OPENAM-14881: AM Proxied authorization feature on DataStore does not work with locked or expired DJ accounts for password change (gives errorcode=123)

  • OPENAM-14889: Upgrade of Persistent Cookie auth module fails

  • OPENAM-14901: XUI - SAML2 module doesn't redirect to IDP if it's 2nd in the chain

  • OPENAM-14919: Unnecessary 'Unable to parse packet received from RADIUS client' log entries in log file

  • OPENAM-14929: idpSSOInit error when session authLevel does not map to Auth Context

  • OPENAM-14938: ID repo setAttributes service call returns the wrong error message with multiple datastores

  • OPENAM-14940: Improve SAML2 Response/Assertion generation to not have carriage return in between XML tags

  • OPENAM-14977: PKCE Code challenge method for Authorization Code if not set should use plain

Key Fixes in AM 6.5.1
  • OPENAM-5867: Data Store LDAP server (admin-ordered) list is reordered by OpenAM

  • OPENAM-10127: SessionMonitoringStore should only be instantiated when monitoring is enabled

  • OPENAM-11523: Using the LDAP/AD auth module, the change password on next login, if current password is empty it displays the wrong error message

  • OPENAM-11863: CORSFilter position in web.xml should come before most filters

  • OPENAM-12186: Introspect endpoint for RPT does not check the authorization scheme

  • OPENAM-12498: Authorization Grant response returns scope(s) in the URL

  • OPENAM-12620: Add more data to Scripted Node Decision binding

  • OPENAM-12627: Initiating TransactionConditionAdvice with a wrong credential resulting in a non-error response

  • OPENAM-12937: Soap STS creation fails when OpenIDConnect token config required

  • OPENAM-12955: Resource Owner Password Credentials Grant does not work with trees

  • OPENAM-12965: httpClient not exposed to OIDC Claim Script

  • OPENAM-13000: Custom authentication module with a single ChoiceCallback value is processed without confirmation

  • OPENAM-13088: Add option for isInitiator=false to WDSSO configuration

  • OPENAM-13217: make transient state available to scripted node type

  • OPENAM-13324: /users/{user}/devices/trusted REST queryFilter expression does not work and acts as "true"

  • OPENAM-13446: Social Auth Service doesn't redirect if already using another chain

  • OPENAM-13651: Client registration does not support auth method of "none"

  • OPENAM-13720: Public API method LDAPUtils.convertToLDAPURLs can not handle IPv6 literals

  • OPENAM-13851: Rest STS cannot be created in the Console when upgrading to 6

  • OPENAM-13861: Social Authentication Tree does not complete its flow with ForceAuth parameter

  • OPENAM-13892: Erroneous "Response's InResponseTo attribute is not valid error "SAML2 failover is enabled" when it is not

  • OPENAM-13896: Comparison method violates its general contract! seen during amster import

  • OPENAM-13900: OAuth2 Device flow - duplicate user_code error after authenticating user

  • OPENAM-13940: Session quota limits not applied when using trees

  • OPENAM-13941: OAuth2 Provider's ID Token Algs lists PS384 algorithm as PS284

  • OPENAM-13978: Session Upgrade - AuthLevel format changes

  • OPENAM-13991: 'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm

  • OPENAM-14004: AM should support agents deployed to the root context (/), not just /openam

  • OPENAM-14009: Authtree does not proceed for missing Authorization Header

  • OPENAM-14032: In Social authentication nodes and Message node is not possible to change value of attribute maps or dictionaries

  • OPENAM-14040: LdifUtils debug logging prints out wrong classname

  • OPENAM-14049: Amster export failure

  • OPENAM-14050: LDAP should reestablish connection to the original server after it has recovered

  • OPENAM-14053: Cannot build openam-ui in Windows for Yarn using mvn

  • OPENAM-14058: Cannot create Elasticsearch audit handler configuration through admin console UI

  • OPENAM-14062: Redirect to Failure URL does not occur when authentication tree is not interactive

  • OPENAM-14068: The new Policy and Application Stores only support a single target connection address

  • OPENAM-14078: RetryTask can block notification processing for an extended period of time

  • OPENAM-14080: LDAP Decision Node returns incorrect user attribute to search for in user store

  • OPENAM-14082: Authentication Chains will not open using IE11

  • OPENAM-14092: Custom node can prevent all default nodes appearing in admin view

  • OPENAM-14111: Refresh Token flow not enabled on OAuth2 Client can still use Refresh Token flow

  • OPENAM-14115: Sample Auth module does not work in a chain when used with Shared-state

  • OPENAM-14147: arg=newsession in XUI shows just the "Loading..." page

  • OPENAM-14165: ThemeConfiguration is Not Exposed in Final UI Production Build

  • OPENAM-14167: HTML tags are shown as part of the messages in Change Password section of AD Authentication module.

  • OPENAM-14169: XUI does not update for a new PollingWaitCallback

  • OPENAM-14172: Amster Export - Persistent cookie Keystore Mapping inconsistency after upgrade to 6.5.0

  • OPENAM-14174: AM shows Ldapter.delete exception when session expires is triggered

  • OPENAM-14175: CTS updates on multivalue attributes may throw Duplicate values exception

  • OPENAM-14183: Cannot change amadmin's password through XUI

  • OPENAM-14189: effectiveRange of Time environment has issue

  • OPENAM-14200: Social auth modules do not work when AM is installed into the root context

  • OPENAM-14205: PageNodes property panel only appears for new PageNodes.

  • OPENAM-14210: Unable to delete a PageNode that has child nodes

  • OPENAM-14212: SAML redirect to login page fails if AM installed into the root context

  • OPENAM-14222: Amster fails exporting Secret Store Mappings in sub-realms

  • OPENAM-14232: Performance issue when creating resource_set in UMA with many existing resource_set

  • OPENAM-14233: updated_at claim in the ID Token is returned as a string and not a number

  • OPENAM-14235: mTLS drop down labels don't match the value (or the spec)

  • OPENAM-14239: FMSigProvider.verify NPE with null input for certificates

  • OPENAM-14255: Help text in OAuth 2.0 client "mTLS Self-Signed Certificate" property needs encoding?

  • OPENAM-14270: SocialOpenIdConnectNodeTest does not compile

  • OPENAM-14281: IdP Proxy relays wrong AuthnContextClassRef

  • OPENAM-14307: ConcurrentModificationException when creating resource_set

  • OPENAM-14308: LDAP Connection Pool Minimum Size for Identity Store missing from XUI

  • OPENAM-14369: Upgrading from OpenAM 13.5.0 to AM 6.0.0.5 with custom PAPs causes NPE failure

  • OPENAM-14374: Success login URL via trees redirects to profile when already authenticated

  • OPENAM-14378: 'Set Persistent Cookie' node sets domain cookies in only one domain despite multiple Cookie Domains set

  • OPENAM-14384: Allow metadata to be returned in authentication tree API responses

  • OPENAM-14386: JWK keyuse can be customised

  • OPENAM-14387: Dynamic registration PUT is not implemented

  • OPENAM-14393: CTS Operation Fails Entry Already Exists logged for SAML2 Authentication is done

  • OPENAM-14394: Customise the JWK KIDs

  • OPENAM-14425: JwkSetSecretStore does not reload the SecretStore when it has expired

  • OPENAM-14426: Unable to add external data store in AM (Policy | Application) when using TLS or SSL

  • OPENAM-14427: Certificate Module with option "Match Certificate in LDAP" does not work in AM 6.5.0

  • OPENAM-14450: userinfo typo in Claims.java

  • OPENAM-14465: SAML2 Artifact binding fails on multi-instance / multiserver IDP setup with SAML2 Failover on

  • OPENAM-14471: Failed to create root realm for data store (External Policy | Application)

  • OPENAM-14505: Agent sessions are constrained by Session Quota

  • OPENAM-14509: When a user is marked as inactive, can still perform introspect and tokeninfo endpoint requests

  • OPENAM-14516: Attempt to resolve a named secret containing a `:` character on Windows fails if the filesystem secret store is involved

  • OPENAM-14529: UMA RPT expiry time incorrect in CTS

  • OPENAM-14546: SSOADM access not audited to the ssoadm.access logs anymore

  • OPENAM-14573: amlbcookie is not secure when authenticating with trees

  • OPENAM-14660: Error in console and unable to Add/Edit/Delete Security Questions for a user via XUI

  • OPENAM-14669: ssoadm does not install using Java 1.8.192 and above

  • OPENAM-14675: Error output in Configuration debug log when creating new realm

Key Fixes in AM 6.5.0.2
  • OPENAM-10127: SessionMonitoringStore should only be instantiated when monitoring is enabled

  • OPENAM-11523: Using the LDAP/AD auth module, the change password on next login, if current password is empty it displays the wrong error message

  • OPENAM-13896: Comparison method violates its general contract! seen during amster import

  • OPENAM-14009: Authtree does not proceed for missing Authorization Header

  • OPENAM-14050: LDAP should reestablish connection to the original server after it has recovered

  • OPENAM-14082: Authentication Chains will not open using IE11

  • OPENAM-14111: Refresh Token flow not enabled on OAuth2 Client can still use Refresh Token flow

  • OPENAM-14147: arg=newsession in XUI shows just the "Loading..." page

  • OPENAM-14189: effectiveRange of Time environment has issue

  • OPENAM-14200: Social auth modules do not work when AM is installed into the root context

  • OPENAM-14212: SAML redirect to login page fails if AM installed into the root context

  • OPENAM-14222: Amster fails exporting Secret Store Mappings in sub-realms

  • OPENAM-14281: IdP Proxy relays wrong AuthnContextClassRef

  • OPENAM-14307: ConcurrentModificationException when creating resource_set

  • OPENAM-14308: LDAP Connection Pool Minimum Size for Identity Store missing from XUI

  • OPENAM-14336: Unable to use Signed Metadata to Re-Import

  • OPENAM-14353: Error Message not Displayed when Change Password does not Meet Password Policy

  • OPENAM-14378: 'Set Persistent Cookie' node sets domain cookies in only one domain despite multiple Cookie Domains set

  • OPENAM-14386: JWK keyuse can be customised

  • OPENAM-14393: CTS Operation Fails Entry Already Exists logged for SAML2 Authentication is done

  • OPENAM-14425: JwkSetSecretStore does not reload the SecretStore when it has expired

  • OPENAM-14427: Certificate Module with option "Match Certificate in LDAP" does not work in AM 6.5.0

  • OPENAM-14505: Agent sessions are constrained by Session Quota

  • OPENAM-14516: Attempt to resolve a named secret containing a `:` character on Windows fails if the filesystem secret store is involved

  • OPENAM-14572: prompt=login destroys and creates new session

Key Fixes in AM 6.5.0.1
  • OPENAM-12498: Authorization Grant response returns scope(s) in the URL

  • OPENAM-12965: httpClient not exposed to OIDC Claim Script

  • OPENAM-13446: Social Auth Service doesn't redirect if already using another chain

  • OPENAM-13720: Public API method LDAPUtils.convertToLDAPURLs can not handle IPv6 literals

  • OPENAM-13900: OAuth2 Device flow - duplicate user_code error after authenticating user

  • OPENAM-13940: Session quota limits not applied when using trees

  • OPENAM-13991: 'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm

  • OPENAM-14049: Amster export failure

  • OPENAM-14053: Cannot build openam-ui in Windows for Yarn using mvn

  • OPENAM-14058: Cannot create Elasticsearch audit handler configuration through admin console UI

  • OPENAM-14080: LDAP Decision Node returns incorrect user attribute to search for in user store

  • OPENAM-14092: Custom node can prevent all default nodes appearing in admin view

  • OPENAM-14165: ThemeConfiguration is Not Exposed in Final UI Production Build

Key Fixes in AM 6.5
  • OPENAM-13842: OAuth 2.0 Device flow - can no longer use user_code more than once.

  • OPENAM-13786: REST policy evaluation throws 500 Internal Error due to stateless ssotoken encryption alg conflict.

  • OPENAM-13774: SOAP STS for Delegation RelationShip Supported is always false on XUI.

  • OPENAM-13732: Session Remaining Time is displayed with more precision and not rounded up.

  • OPENAM-13712: Unknown Signing Algorithm when Client Based Session set Signing to NONE.

  • OPENAM-13670: Selfservice password reset token doesn't work in site due to OPENAM-6426.

  • OPENAM-13604: IdP Proxy relays wrong AuthnContextClassRef if the AuthLevel requested by the SP is not 0.

  • OPENAM-13577: The xmlsec 2.1.1.jar had issues when linebreaks were enabled.

  • OPENAM-13573: Concurrent changePassword requests to LDAPAuthUtils may cause "insufficient access rights" failures.

  • OPENAM-13531: LDAP Decision node removed username from shared state when it is not found.

  • OPENAM-13530: Datastore Decision node removed username from shared state when it is not found.

  • OPENAM-13511: DN Cache should be cleared after idRepo config change.

  • OPENAM-13496: Unable to view Services when some services have invalid attribute.

  • OPENAM-13481: Stateless OAuth 2.0 Client_credential grant/implicit type has long CTS token timeout.

  • OPENAM-13457: AM XUI favicon icon not being recognised.

  • OPENAM-13456: AM XUI custom FooterTemplate.html and LoginHeaderTemplate.html was not being applied.

  • OPENAM-13414: Upgrade fails if OAuth2 Provider service lacks tokenSigningHmacSharedSecret.

  • OPENAM-13407: AMIdentitySubject.isMember should not check privilege for group in different realm.

  • OPENAM-13359: P11RSAPrivateKey failed RSA key check.

  • OPENAM-13318: Blank passwords using PageNode Auth Tree prevents log in.

  • OPENAM-13316: LDAP Decision Node does not return Inactive Account result correctly in eDirectory.

  • OPENAM-13308: LdapDecisionNode fails when Return UserDN to Datastore is set to false.

  • OPENAM-13302: AM Self-registration kba threw an error when a user inputs an answer and pressed the enter key.

  • OPENAM-13291: Create Identities Page appears broken after upgrade from 5.5 (to 6.0 or 6.5).

  • OPENAM-13255: DefaultIDPAccountMapper does not append domain value for UPN.

  • OPENAM-13249: AM did not recognize custom templates and partials.

  • OPENAM-13183: Concurrent changePassword requests to the "users" REST endpoint caused "insufficient access rights" failures.

  • OPENAM-13162: Policy evaluation returned 403 with expired stateless app token.

  • OPENAM-13154: Lockout Duration Multiplier had no effect.

  • OPENAM-13151: OAuth 2.0 Dynamic Registration did not accept Private-Use URI (for native apps) as redirect_uri.

  • OPENAM-13128: Invalid error message was returned when user with expired password authenticated with persistent cookie module.

  • OPENAM-13112: The showServerConfig.jsp page threw NullPointerException NPE when accessed using Site or LB URL.

  • OPENAM-13100: LDAP Decision node fails with NPE when used with Active Directory.

  • OPENAM-13087: ClassNotFound Exception thrown after upgrade.

  • OPENAM-13085: WSFederation Active Request Profile authentication request hangs on input-less scripted modules.

  • OPENAM-13082: Address claim in default OIDC claims script output non-spec compliant format.

  • OPENAM-13080: Resource owners sharing resources to themselves caused an error message.

  • OPENAM-13079: Importing SAML2 MetaData for RoleDescriptor for AttributeQueryDescriptor failed.

  • OPENAM-13075: Incorrect message displayed when resource is being shared.

  • OPENAM-13072: Case-sensitive usernames resulted in listing UMA resource incorrectly.

  • OPENAM-13053: ScriptingService did not add the new values to whitelist during upgrade.

  • OPENAM-12997: Consent for default scopes were not saved.

  • OPENAM-12985: Debug log files were swamped with message 'LDAPUtils.isDN: Invalid DN' in 'error' level.

  • OPENAM-12984: Access Token Endpoint issued search request against datastore for OAuth Client.

  • OPENAM-12867: IdP-Proxy - Single Logout failed as LogoutResponse was not signed.

  • OPENAM-12866: Subsequent idpSSOInit calls after the first will fail if custom IDPAdapter forces auth step up.

  • OPENAM-12856: User authentication configuration not migrated to XUI.

  • OPENAM-12847: Public API broken - SSOTokenManager.getValidSessions(SSOToken requester, String server).

  • OPENAM-12801: OAuth 2.0 token signing forced PKCS#11 keys to have specific attributes.

  • OPENAM-12784: ProviderConfiguration was not spec compliant.

  • OPENAM-12770: Some SAML assertions were not deserialized from a SAML2 Token.

  • OPENAM-12690: XUI theme configuration realm mapping was case sensitive.

  • OPENAM-12625: JWT OIDC Token could not be valid for over 86400 seconds.

  • OPENAM-12514: IdP initiated SSO - NumberFormatException was raised in session upgrade case.

  • OPENAM-12506: Upgrade could fail with RemoveReferralsStep having too broad base DN.

  • OPENAM-12419: Policy rules not updated when external configuration store connection restarted.

  • OPENAM-12403: LDAP response controls are not logged which complicates troubleshooting.

  • OPENAM-12401: DJLDAPv3Repo - insufficient debug logging to troubleshoot membership issues.

  • OPENAM-12301: Account lockout logs ERROR: ISAccountLockout.getAcInfo: acInfo: null.

  • OPENAM-12293: Audit logging no longer logs REST operation details.

  • OPENAM-12209: The 'acr' and 'acr_sig' parameters can become duplicated during step-up authn, should not be present in url.

  • OPENAM-12174: XUI - Deleting a built-in authentication module will delete any other created by it.

  • OPENAM-12096: API explorer example for PUT on /global-config/services/scripting/contexts/{contexts}/engineConfiguration fails.

  • OPENAM-11962: Calling Logout and passing a goto URL parameter with an expired session, goto URL is ignored.

  • OPENAM-11665: Unable to login in XUI with users endpoint getting 404 due to KBA attribute issues.

  • OPENAM-11642: CustomProperties do not work when creating J2EE/Web Agents via REST.

  • OPENAM-11473: NumberFormatException on startup for External configuration setup.

  • OPENAM-11407: An extra space in the CTS store connection string " openam.internal.example.com:50389" caused OpenDJ-SDK log to grow.

  • OPENAM-11355: Missing Service tab when trying to configure dashboard with Active Directory datastore.

  • OPENAM-11225: During single logout idpSingleLogoutRedirect threw 500 error.

  • OPENAM-11177: Scripted auth module can not be used in auth chain if the username in shared state map does not 'match' the search attribute of the data store.

  • OPENAM-11167: <ActualLockoutDuration> is not updated in the attribute sunStoreInvalidAttemptsData.

  • OPENAM-11048: account lockout did not work when naming attribute and LDAP Users Search Attribute are different.

  • OPENAM-10467: RFC7662: oauth2/introspect returned token_type not as Bearer.

  • OPENAM-10296: Session UI only allows searching for users in datastore.

  • OPENAM-9783: The json/users changePassword option returned the wrong error message with multiple datastores configured.

  • OPENAM-8296: OAuth 2.0 consent screen does not use XUI theme configuration.

  • OPENAM-4040: SSO failed between SPs in separate CoTs with same hosted IDP.

5.2. Limitations

Limitations in AM 6.5

The following limitations and workarounds apply to AM 6.5:

  • Web Authentication (WebAuthn) Limitations

    AM 6.5 does not support the following functionality as described in the Web Authentication specification:

    • Registration

    • Authentication

    For more information about Web Authentication, see "About Web Authentication (WebAuthn)" in the Authentication and Single Sign-On Guide.

  • RADIUS Service Only Supports Commons Audit Logging

    The new RADIUS service only supports the new Commons Audit Logging, available in this release. The RADIUS service cannot use the older Logging Service, available in releases prior to OpenAM 13.0.0.

  • Administration Console Access Requires the Realm Admin privilege

    In this version of AM, administrators can use the AM console as follows:

    • Delegated administrators with the Realm Admin privilege can access full AM console functionality within the realms they can administer. In addition, delegated administrators in the Top Level Realm who have this privilege can access AM's global configuration.

    • Administrators with lesser privileges, such as the Policy Admin privilege, cannot access the AM administration console.

    • The top-level administrator, such as amadmin, has access to full AM console functionality in all realms and can access AM's global configuration.

5.3. Known Issues

The following important known issues remained open at the time release 6.5 became available. For details and information on other issues, see the issue tracker.

Known Issues in AM 6.5.2.1
  • OPENAM-15370: ssoadm import-svc-cfg fails with Unable to obtain Server URL

  • OPENAM-15371: ssoadm import-svc-cfg fails with unable to recognize the data store type error

Known Issues in AM 6.5.2
  • FRA-69: CIBA message is not displayed on Android 8.1.0

  • OPENAM-15040: CIBA authorization request returns HTTP 500 NPE when file is wrong

  • OPENAM-15049: wrong JWT while obtaining CIBA auth request id will result in HTTP 500 NPE

  • OPENAM-15052: when id_token_hint is not JWT, CIBA authorization request returns HTTP 500

  • OPENAM-15063: When there is a quote in the binding message of a CIBA request, the notification fails to be sent

  • OPENAM-15064: HTTP 500 authentication error in CIBA workflow when the user does not have a registered mobile device

  • OPENAM-15065: HTTP 500 authentication error in CIBA workflow when the user denies the request

Known Issues in AM 6.5.1
  • OPENAM-13905: XUI Authentication - Switching realms is not possible

  • OPENAM-14666: XUI - InternalError: "too much recursion" error can appear when Adding/Viewing/Updating realms

Known Issues in AM 6.5
  • ssoadm May Not Work with JDK 11 or JDK 1.8.0_192+

    In AM 6.5, ssoadm may not work with JDK 11 or JDK 1.8.0_192+ when AM is installed with DS in production mode or DS with restricted or strong ciphers.

    The workaround is to upgrade your AM deployment and tools to AM 6.5.2.

  • Passwordless OAuth 2.0 Public Clients cannot choose none as Client Authentication Method

    As per RFC 7591, passwordless public clients should be able to choose none as their client authentication method.

    At present, AM does not allow registering passwordless public clients with the none authentication method.

    As a workaround, select the client_secret_post client authentication method when registering the client, but omit the password parameters when calling the endpoints. For example, do not use the client_secret parameter.

  • Using the Documented CORS Filter With IDM Integration Causes Errors

    When configuring IDM to delegate authentication to AM, as described in the IDM Samples Guide, you must configure AM with a cross-origin resource sharing (CORS) filter.

    However, when you use a CORS filter based on the org.forgerock.openam.cors.CORSFilter filter class, Unexpected End of JSON Input errors occur.

    To work around the problem, configure AM's web.xml file as described in "Enabling CORS Support" in the Installation Guide, but use a CORS filter specific to the AM web container instead of using a filter based on the org.forgerock.openam.cors.CORSFilter filter class. For example, for Apache Tomcat, use a filter based on the org.apache.catalina.filters.CorsFilter filter class:

    • Add a filter clause similar to the following to the web.xml file, making sure to specify the correct URLs for your deployment in the cors.allowed.origins parameter:

      <filter>
          <filter-name>CORSFilter</filter-name>
          <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
          <init-param>
              <param-name>cors.allowed.headers</param-name>
              <param-value>Content-Type,X-OpenIDM-OAuth-Login,X-OpenIDM-DataStoreToken,X-Requested-With,Cache-Control,Accept-Language,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,X-OpenAM-Username,X-OpenAM-Password,iPlanetDirectoryPro,Accept-API-Version</param-value>
          </init-param>
          <init-param>
              <param-name>cors.allowed.methods</param-name>
              <param-value>GET,POST,HEAD,OPTIONS,PUT,DELETE</param-value>
          </init-param>
          <init-param>
              <param-name>cors.allowed.origins</param-name>
              <param-value>https://openam.example.com:8443,https://openidm.example.com:8443</param-value>
          </init-param>
          <init-param>
              <param-name>cors.exposed.headers</param-name>
              <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials,Set-Cookie</param-value>
          </init-param>
          <init-param>
              <param-name>cors.preflight.maxage</param-name>
              <param-value>10</param-value>
          </init-param>
          <init-param>
              <param-name>cors.support.credentials</param-name>
              <param-value>true</param-value>
          </init-param>
      </filter>
      
    • Add the following filter-mapping clause to the web.xml file:

      <filter-mapping>
          <filter-name>CORSFilter</filter-name>
          <url-pattern>/json/*</url-pattern>
      </filter-mapping>
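    A static check of the CORS filter workaround above, as an added example; it is not ForgeRock or Tomcat code. It parses a web.xml, finds every filter built on the org.apache.catalina.filters.CorsFilter class, and reports the mistakes a reviewer would flag: a wildcard origin (worse when cors.support.credentials is true), an origin written with a path or trailing slash (the browser's Origin header carries only scheme://host[:port], so such a value never matches), a plain-http origin, and a filter with no mapping covering /json/*. The two web.xml documents embedded in it are constructed samples, and the xmlns value is the standard Java EE one, assumed for the sake of showing that namespaced files parse the same way.

```python
"""Static check of a Tomcat CorsFilter definition in web.xml (added example, not ForgeRock code)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

CORS_FILTER_CLASS = "org.apache.catalina.filters.CorsFilter"

# Constructed sample: the filter and mapping from the workaround, reduced to the
# parameters this check reads and wrapped in a minimal <web-app> so it parses alone.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter>
    <filter-name>CORSFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
      <param-name>cors.allowed.origins</param-name>
      <param-value>https://openam.example.com:8443,https://openidm.example.com:8443</param-value>
    </init-param>
    <init-param>
      <param-name>cors.support.credentials</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CORSFilter</filter-name>
    <url-pattern>/json/*</url-pattern>
  </filter-mapping>
</web-app>"""

# Constructed weak variant: a wildcard origin plus an origin written with a trailing slash.
WEAK_WEB_XML = SAMPLE_WEB_XML.replace(
    "https://openam.example.com:8443,https://openidm.example.com:8443",
    "*,https://openidm.example.com:8443/")


def _local(tag):
    """Strip the XML namespace so a real web.xml with xmlns= matches the same element names."""
    return tag.rsplit("}", 1)[-1]


def _text(elem, child_name):
    """Text of the first child element with the given local name, or ''."""
    for child in elem:
        if _local(child.tag) == child_name:
            return (child.text or "").strip()
    return ""


def parse_cors_filters(xml_text):
    """Return [{name, params, url_patterns}] for each <filter> that uses CorsFilter."""
    root = ET.fromstring(xml_text)
    mappings = {}
    for fm in root:
        if _local(fm.tag) == "filter-mapping":
            mappings.setdefault(_text(fm, "filter-name"), []).append(_text(fm, "url-pattern"))
    filters = []
    for f in root:
        if _local(f.tag) != "filter" or _text(f, "filter-class") != CORS_FILTER_CLASS:
            continue
        params = {_text(p, "param-name"): _text(p, "param-value")
                  for p in f if _local(p.tag) == "init-param"}
        name = _text(f, "filter-name")
        filters.append({"name": name, "params": params, "url_patterns": mappings.get(name, [])})
    return filters


def check_cors_filter(filt):
    """Return a list of findings; empty when the filter looks right."""
    findings = []
    params = filt["params"]
    # Tomcat's CorsFilter defaults cors.allowed.origins to "*" when the parameter is absent.
    origins = [o.strip() for o in params.get("cors.allowed.origins", "*").split(",") if o.strip()]
    credentials = params.get("cors.support.credentials", "false").strip().lower() == "true"
    if "*" in origins:
        msg = "cors.allowed.origins allows any origin"
        if credentials:
            msg += " while cors.support.credentials is true; a credentialed wildcard is unsafe"
        findings.append(msg)
    for origin in origins:
        if origin == "*":
            continue
        parts = urlsplit(origin)
        if (parts.scheme not in ("http", "https") or not parts.netloc
                or parts.path or parts.query or parts.fragment):
            findings.append(f"origin {origin!r} is not a bare scheme://host[:port]; it never matches an Origin header")
        elif parts.scheme == "http":
            findings.append(f"origin {origin!r} uses plain http")
    if "/json/*" not in filt["url_patterns"]:
        findings.append(f"filter {filt['name']!r} has no <filter-mapping> for /json/*")
    return findings


def audit_web_xml(xml_text):
    """Findings for every CorsFilter in the document, or one finding if none is defined."""
    filters = parse_cors_filters(xml_text)
    if not filters:
        return [f"no <filter> using {CORS_FILTER_CLASS} found"]
    return [finding for filt in filters for finding in check_cors_filter(filt)]


if __name__ == "__main__":
    for label, doc in (("workaround", SAMPLE_WEB_XML), ("weak variant", WEAK_WEB_XML)):
        print(label, "->", audit_web_xml(doc) or ["ok"])
```

    Run it against the web.xml of the AM web container after applying the workaround; an empty list means the origins are exact matches for the AM and IDM URLs and the /json/* mapping is in place.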
      
  • Large Numbers of Policies in a Policy Set Cause Errors if Unindexed

    If you have large numbers of policies in a policy set, ensure that the directory server has an index on the sunxmlKeyValue attribute.

    This index is created by default if you create an external DS instance by using the setup profiles feature. See "Preparing Policy and Application Stores" in the Installation Guide.

    If you did not use the setup profile feature to create the external DS instance, create an equality and substring index on the sunxmlKeyValue attribute. For example:

    $ ./dsconfig \
     create-backend-index \
     --hostname external.example.com \
     --port 4444 \
     --bindDN "cn=Directory Manager" \
     --bindPassword "str0ngEx4mplePa55word" \
     --backend-name userRoot \
     --index-name sunxmlKeyValue \
     --set index-type:equality \
     --set index-type:substring \
     --trustAll \
     --no-prompt

    You will need to rebuild the indexes after adding additional attributes. For more information on creating indexes on attributes, and rebuilding indexes, see Indexing Attribute Values in the Directory Services Administration Guide.

  • Cached JavaScript Files from OpenAM 12.0.0 May Cause Redirect to undefined:8080

    If you configure an OpenAM 12.0.0 instance with long-lived cache times for the /XUI/index.html file, you may experience unexpected redirects to undefined:8080 after upgrading.

    To work around this issue, in your chosen web container, or proxy server, reconfigure the cache time for the /XUI/index.html file to be short-lived, for example, 5 minutes. Allow enough time that cached files with the long-lived cache time will have expired before upgrading.

    Note

    This issue does not affect upgrades from OpenAM 12.0.1 or later. OpenAM 12.0.1 and later set a short-lived cache-control header on UI files to work around the problem of having stale files cached locally.

  • OAuth2 Scopes Behavior Affected by Upgrade

    After an upgrade from OpenAM 12.0.x, OAuth v2.0 scope behavior uses a deprecated implementation class, org.forgerock.openam.oauth2.provider.impl.ScopeImpl.

    The workaround is to manually update the OAuth v2.0 providers to use the org.forgerock.openam.oauth2.OpenAMScopeValidator.

    For background information, see OPENAM-6319.

  • Supported ID Token Algorithms and Methods not Updated After Upgrade

    AM 5 added additional algorithms and methods for encrypting ID tokens. Performing an upgrade from OpenAM 13.5 does not add these new values to the affected properties.

    After upgrade, navigate to Realm Name > Services > OAuth2 Provider > OpenID Connect, and manually update the ID Token Encryption Algorithms supported and ID Token Encryption Methods supported properties.

    For more information on the available algorithms and methods, see "Encrypting OpenID Connect ID Tokens" in the OpenID Connect 1.0 Guide.

  • User Interface Not Localized if Locale Parameter Follows Fragment in URL

    The XUI user-facing pages are not localized if the locale parameter appears after the fragment in the URL.

    To ensure correct localization of user-facing pages, ensure the fragment appears at the end of the URL. For example:

    https://openam.example.com:8443/openam/XUI/?realm=/&locale=de#login

    For more information, see "Authenticating Using the XUI" in the Authentication and Single Sign-On Guide.
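    The ordering rule above, as an added example that is not ForgeRock code: locale_seen_by_xui() shows the failure mode (with ?locale=de placed after #login the parameter sits inside the fragment, so query-string parsing never sees it), and normalize_xui_url() moves any query that trails the fragment back in front of it, merging it with an existing query. It goes beyond the single URL in the text by also handling a URL that carries part of its query before the fragment and part after it. The URLs used are constructed from the example above.

```python
"""Reorder an XUI URL whose query string follows the fragment (added example, not ForgeRock code)."""
from urllib.parse import parse_qs, urlsplit, urlunsplit


def normalize_xui_url(url):
    """Return url with any '?...' that trails the fragment moved in front of it.

    A correctly ordered URL is returned unchanged. When both a real query and a
    trailing one exist, they are merged with '&' so no parameter is lost.
    """
    parts = urlsplit(url)
    if "?" not in parts.fragment:
        return url
    fragment, trailing_query = parts.fragment.split("?", 1)
    query = "&".join(q for q in (parts.query, trailing_query) if q)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, fragment))


def locale_seen_by_xui(url):
    """The 'locale' value a query-string parser sees in url, or None if it is hidden in the fragment."""
    return parse_qs(urlsplit(url).query).get("locale", [None])[0]


if __name__ == "__main__":
    # Constructed from the page's example: same parameters, fragment placed first.
    wrong = "https://openam.example.com:8443/openam/XUI/#login?realm=/&locale=de"
    print(locale_seen_by_xui(wrong))                  # None: locale is inside the fragment
    print(normalize_xui_url(wrong))                   # ...XUI/?realm=/&locale=de#login
```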

  • OPENAM-13905: XUI Authentication - Switching realms is not possible.

  • OPENAM-13904: Authentication by using the REST API - Switching realms is not possible.

  • OPENAM-13583: OAuth 2.0 Node Redirect URL does not work.

  • OPENAM-13486: AM Upgrade fails on opendj_remove_session_listener_on_all_sessions.

  • OPENAM-13428: EntitlementException not passed to PLL or JSON policy layer.

  • OPENAM-9098: Changes in debugconfig.properties do not take effect immediately.

  • OPENAM-3285: OpenID Connect authorization response is not returning required session_state.

Chapter 6. Documentation Updates

The following table tracks changes to the documentation set following the release of AM 6.5:

Documentation Change Log
Date    Description
 

Initial release of AM 6.5.2.1.

2019-06-14

Initial release of AM 6.5.2.

The following documentation updates were made for this release:

  • Added a note about exporting Amster configuration files after running an upgrade to AM 6.5.0, or from AM 6.5.0/6.5.0.x to AM 6.5.x (for example, AM 6.5.1 or 6.5.2). For more information, see "Upgrade Paths" in this Release Notes or "Upgrading AM Instances" in the Upgrade Guide.

  • Updated the procedure for configuring external policy and applications stores. You can now specify multiple URLs, with either active-passive or affinity connectivity. For more information, see "To Connect AM to an External Policy or Application Store" in the Setup and Maintenance Guide.

  • Added an important change in 6.5.1 release notes about the OAuth 2.0/OpenID Connect provider requiring clients to pre-register their request_uri values.

2019-05-07

The restriction against implementing SAML v2.0 single sign-on (SSO) and single logout (SLO) when running AM with client-based sessions has been updated. For more information, see "SAML v2.0 and Session State" in the SAML v2.0 Guide.

2019-04-26

Initial release of AM 6.5.0.2.

2019-04-11

Initial release of AM 6.5.1.

The following documentation updates were made for this release:

2019-02-19

Added missing release note for 6.5.0 regarding a change to the paths of the source code of the UI. For more information, see Important Changes in AM 6.5.

2019-01-28

Added support for audit logging to a PostgreSQL database. For more information, see "Implementing JDBC Audit Event Handlers" in the Setup and Maintenance Guide.

2019-01-22

Added how to validate CSV logs configured for the detection of tampering. For more information, see "Configuring CSV Audit Event Handlers" in the Setup and Maintenance Guide.

2019-01-17

Initial release of AM 6.5.0.1.

2018-11-30

Initial release of AM 6.5.

Added new Authentication Node Development Guide.

The following documentation updates were made in this release:


Appendix A. Release Levels and Interface Stability

This appendix includes ForgeRock definitions for product release levels and interface stability.

A.1. ForgeRock Product Release Levels

ForgeRock defines Major, Minor, Maintenance, and Patch product release levels. The release level is reflected in the version number. The release level tells you what sort of compatibility changes to expect.

Release Level Definitions
Release Label    Version Numbers    Characteristics

Major

Version: x[.0.0] (trailing 0s are optional)

  • Bring major new features, minor features, and bug fixes

  • Can include changes even to Stable interfaces

  • Can remove previously Deprecated functionality, and in rare cases remove Evolving functionality that has not been explicitly Deprecated

  • Include changes present in previous Minor and Maintenance releases

Minor

Version: x.y[.0] (trailing 0s are optional)

  • Bring minor features, and bug fixes

  • Can include backwards-compatible changes to Stable interfaces in the same Major release, and incompatible changes to Evolving interfaces

  • Can remove previously Deprecated functionality

  • Include changes present in previous Minor and Maintenance releases

Maintenance, Patch

Version: x.y.z[.p]

The optional .p reflects a Patch version.

  • Bring bug fixes

  • Are intended to be fully compatible with previous versions from the same Minor release


A.2. ForgeRock Product Interface Stability

ForgeRock products support many protocols, APIs, GUIs, and command-line interfaces. Some of these interfaces are standard and very stable. Others offer new functionality that is continuing to evolve.

ForgeRock acknowledges that you invest in these interfaces, and therefore must know when and how ForgeRock expects them to change. For that reason, ForgeRock defines interface stability labels and uses these definitions in ForgeRock products.

Interface Stability Definitions
Stability Label    Definition

Stable

This documented interface is expected to undergo backwards-compatible changes only for major releases. Changes may be announced at least one minor release before they take effect.

Evolving

This documented interface is continuing to evolve and so is expected to change, potentially in backwards-incompatible ways even in a minor release. Changes are documented at the time of product release.

While new protocols and APIs are still in the process of standardization, they are Evolving. This applies for example to recent Internet-Draft implementations, and also to newly developed functionality.

Deprecated

This interface is deprecated and likely to be removed in a future release. For previously stable interfaces, the change was likely announced in a previous release. Deprecated interfaces will be removed from ForgeRock products.

Removed

This interface was deprecated in a previous release and has now been removed from the product.

Technology Preview

Technology previews provide access to new features that are evolving new technology and are not yet supported. Technology preview features may be functionally incomplete, and the function as implemented is subject to change without notice. DO NOT DEPLOY A TECHNOLOGY PREVIEW INTO A PRODUCTION ENVIRONMENT.

Customers are encouraged to test drive the technology preview features in a non-production environment and are welcome to make comments and suggestions about the features in the associated forums.

ForgeRock does not guarantee that a technology preview feature will be present in future releases, and the final complete version of the feature is liable to change between the preview and the final version. Once a technology preview moves into the completed version, said feature will become part of the ForgeRock platform. Technology previews are provided on an “AS-IS” basis for evaluation purposes only, and ForgeRock accepts no liability or obligations for the use thereof.

Internal/Undocumented

Internal and undocumented interfaces can change without notice. If you depend on one of these interfaces, contact ForgeRock support or email info@forgerock.com to discuss your needs.


Appendix B. Getting Support

For more information or resources about AM and ForgeRock Support, see the following sections:

B.1. Accessing Documentation Online

ForgeRock publishes comprehensive documentation online:

  • The ForgeRock Knowledge Base offers a large and increasing number of up-to-date, practical articles that help you deploy and manage ForgeRock software.

    While many articles are visible to community members, ForgeRock customers have access to much more, including advanced information for customers using ForgeRock software in a mission-critical capacity.

  • ForgeRock product documentation, such as this document, aims to be technically accurate and complete with respect to the software documented. It is visible to everyone and covers all product features and examples of how to use them.

B.2. Using the ForgeRock.org Site

The ForgeRock.org site has links to source code for ForgeRock open source software, as well as links to the ForgeRock forums and technical blogs.

If you are a ForgeRock customer, raise a support ticket instead of using the forums. ForgeRock support professionals will get in touch to help you.

B.3. Getting Support and Contacting ForgeRock

ForgeRock provides support services, professional services, training through ForgeRock University, and partner services to assist you in setting up and maintaining your deployments. For a general overview of these services, see https://www.forgerock.com.

ForgeRock has staff members around the globe who support our international customers and partners. For details, visit https://www.forgerock.com, or send an email to ForgeRock at info@forgerock.com.
