Notes covering new features, fixes and known issues in ForgeRock® Access Management. ForgeRock Access Management provides authentication, authorization, entitlement, and federation software.


Read these release notes before you install ForgeRock Access Management or update your existing installation.

The information contained in these release notes covers prerequisites for installation, known issues and improvements to the software, changes and deprecated functionality, and other important information.

About ForgeRock Identity Platform™ Software

ForgeRock Identity Platform™ serves as the basis for our simple and comprehensive Identity and Access Management solution. We help our customers deepen their relationships with their customers, and improve the productivity and connectivity of their employees and partners. For more information about ForgeRock and about the platform, see

Chapter 1. What's New

This chapter covers the new features and improvements in the current release of ForgeRock Access Management.

1.1. New Features

Access Management 6.5

ForgeRock Access Management 6.5 is a major release that introduces new features, functional enhancements, and fixes.

  • Secret Stores

    AM introduces secret stores, which are repositories for cryptographic keys, key pairs, and credentials, such as passwords. The OAuth2 providers and the Persistent Cookie Module are now using secret stores.

    AM 6.5 adds support for the following secret store types:

    • Keystore

      AM supports a number of different keystore formats, including JCEKS, JKS, PKCS11, and PKCS12. AM allows key rotation within keystore secret stores.

    • File System Secret Volumes

      AM supports secrets that are stored as files in defined folders. For example, in a cloud deployment you could mount a secret volume that AM can access.

    • Hardware Security Modules (HSM)

      AM supports retrieval of secrets from hardware security modules, either locally or over the network.

    AM also supports secrets stored as environment or system properties.

    After an upgrade to AM 6.5, the following secret stores are deployed and configured for you:

    • default-keystore

    • default-password-store

    If you had Persistent Cookie authentication modules or OAuth 2.0 Providers configured, AM will perform extra tasks to ensure that the upgrade configures your secret stores correctly.

    For more information, see "Setting Up Secret Stores" in the Setup and Maintenance Guide.

  • Added Support for Web Authentication (WebAuthn)

    AM 6.5 adds support for Web Authentication, which allows users to authenticate by using an authenticator device as a second factor, for example the fingerprint scanner on their laptop or phone.

    For more information about Web Authentication, see "About Web Authentication (WebAuthn)" in the Authentication and Single Sign-On Guide.

    For information about the parts of the Web Authentication specification that are not currently supported, see Web Authentication (WebAuthn) Limitations.

  • Added Support for External Policy and Applications Configuration Store

    AM 6.5 adds support for using external DS directory servers instead of the embedded instance for storing the following data:

    • Policy data. Policy-related data, such as policies, policy sets, and resource types.

    • Application data. Application-related data, such as web and Java agent configuration, federation entities and configuration, and OAuth 2.0 client definitions.

    For more information, see "Preparing Policy and Application Stores" in the Installation Guide.

  • Added Support for the Directory Services Entry Expiration and Deletion Feature to Manage CTS Tokens

    AM 6.5 adds support to configure the DS entry expiration and deletion feature to manage CTS tokens. This configuration frees AM resources in the AM servers that can then be used for policy or authorization requests.

    Two possible configurations are supported:

    • DS manages the time to live for all tokens in the CTS and the AM CTS reaper is disabled.

      Completely disabling the AM CTS reaper impacts session-related functionality, such as sending notifications about session expiration or session timeout to agents.

    • The AM CTS reaper manages a subset of the tokens in the CTS, usually the SESSION tokens, while DS manages the non-session tokens.

      This configuration ensures your environment can still make use of all session functionality, while benefiting from DS's capabilities as well.

    For more information, see "Configuring the CTS Reaper" in the Installation Guide.

  • Improved CTS Storage Scheme for OAuth 2.0 tokens

    AM 6.5 introduces a new scheme for storing OAuth 2.0 tokens in the CTS store, called the grant-set scheme.

    The grant-set scheme groups multiple authorizations for a given OAuth 2.0 client and resource owner pair and stores them in a single CTS OAUTH2_GRANT_SET entry. This implementation reduces the size and quantity of entries stored, as well as the number of calls required to perform OAuth 2.0 operations.

    The one-to-one scheme, which stores the state of multiple authorizations for a given OAuth 2.0 client and resource owner pair across multiple entries, will be removed in a future release. You should upgrade to the grant-set scheme once all the servers in your environment have been upgraded to AM 6.5 or later.

    The grant-set scheme is backwards-compatible with existing entries stored in the CTS store. Therefore, any access or refresh token issued before configuring the grant-set scheme is still valid. Existing tokens will be retained in their original form until the refresh token expires or it is actively revoked.

    Users will not notice any change in the tokens they receive, and there is no change to the OAuth 2.0 endpoints.

    To enable the grant-set scheme, navigate to Configure > Global Services > OAuth2 Provider > Global Attributes and set the CTS Storage Scheme drop-down to Grant-Set Storage Scheme. Then, save your changes.

    New OAuth 2.0 tokens stored in the CTS after the change will use the new scheme automatically.

  • Added Support for Customizing User-Facing OAuth 2.0 Pages

    AM 6.5 now supports the logo_uri, client_uri, and policy_uri parameters for OAuth 2.0 clients as defined in RFC 7591.

    Use these parameters to customize the OAuth 2.0 user-facing pages. For more information, see "Advanced" in the OAuth 2.0 Guide.

  • New OAuth 2.0 Provider Properties Added

    AM 6.5 adds a number of new OAuth 2.0 Provider properties, as follows:

    • Properties for controlling the supported signing and encryption algorithms and methods.

    • A property for controlling the supported signing algorithms for the private_key_jwt JWT-based authentication method.

    • A property for controlling the supported grant types.

    For more information about the properties available in OAuth 2.0 providers, see "OAuth2 Provider" in the OAuth 2.0 Guide.

  • New Authentication Nodes Added

    AM 6.5 introduces the following authentication nodes, in addition to the nodes added for Web Authentication (WebAuthn) and for displaying device recovery codes:

1.2. Major Improvements

AM 6.5
  • OAuth 2.0/ OpenID Connect 1.0

    • OAuth 2.0 Clients can be Restricted to a Particular OAuth 2.0 Grant Flow

      In earlier versions of AM, OAuth 2.0 clients could not be restricted to use a particular OAuth 2.0 grant flow and supported any OAuth 2.0 flow without any special configuration.

      OAuth 2.0 clients created in AM 6.5 are assigned the Authorization Code Grant flow by default. You must configure the client if it requires a different flow by navigating to Realms > Realm Name > Applications > OAuth 2.0 > Client Name > Advanced, and then editing the Grant Types field.

      After an upgrade to AM 6.5, all grant flows are added to existing clients to maintain backwards compatibility.

      For more information, see "OAuth 2.0 and OpenID Connect 1.0 Client Settings" in the OAuth 2.0 Guide.

    • Improved Support for PKCE

      In earlier versions of AM, the OAuth 2.0 Provider service could be configured to either require a PKCE code in all client requests, or to not require a code. This configuration was not very flexible for environments with both private clients and public clients.

      AM 6.5 allows configuring the OAuth 2.0 Provider service to specify which clients are required to present a PKCE code. To configure this feature, navigate to Realms > Realm Name > Services > OAuth2 Provider > Advanced, and select one of the following options in the Code Verifier Parameter Required drop-down field:

      • All requests. All clients must present a PKCE code.

      • Requests from all public clients. All public clients must present a PKCE code.

      • Requests from all passwordless public clients. All passwordless public clients must present a PKCE code.

      • No requests. No clients are required to present a PKCE code.

    If a client makes a call to AM with the code_challenge parameter, AM will honor the code exchange regardless of the configuration of the Code Verifier Parameter Required field.
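The selection rules above, modeled as an added example (this is not AM's own code): it derives the S256 code_challenge from a code_verifier as defined in RFC 7636 and decides, for each Code Verifier Parameter Required option, whether a request without a challenge is acceptable. The `Client` fields, the `PkcePolicy` names, the function names, and the reading of "passwordless" as a public client registered without a secret are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class PkcePolicy(Enum):
    # Hypothetical names for the four drop-down options listed above.
    ALL_REQUESTS = "All requests"
    PUBLIC_CLIENTS = "Requests from all public clients"
    PASSWORDLESS_PUBLIC_CLIENTS = "Requests from all passwordless public clients"
    NO_REQUESTS = "No requests"


@dataclass(frozen=True)
class Client:
    # Assumed model: "passwordless" means a public client with no secret.
    client_id: str
    public: bool
    has_secret: bool


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """High-entropy verifier: 32 random bytes give 43 characters."""
    return _b64url(secrets.token_bytes(32))


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def pkce_required(policy: PkcePolicy, client: Client) -> bool:
    """Does this policy oblige this client to present a PKCE code?"""
    if policy is PkcePolicy.ALL_REQUESTS:
        return True
    if policy is PkcePolicy.PUBLIC_CLIENTS:
        return client.public
    if policy is PkcePolicy.PASSWORDLESS_PUBLIC_CLIENTS:
        return client.public and not client.has_secret
    return False


def authorization_request_ok(policy: PkcePolicy, client: Client,
                             code_challenge: Optional[str]) -> bool:
    """Reject only when a challenge is required and missing."""
    return code_challenge is not None or not pkce_required(policy, client)


def token_request_ok(stored_challenge: Optional[str],
                     code_verifier: Optional[str]) -> bool:
    """A challenge sent at authorization time is enforced under every policy."""
    if stored_challenge is None:
        return True  # no challenge was bound to this authorization code
    if code_verifier is None:
        return False
    expected = s256_challenge(code_verifier).encode("ascii")
    return hmac.compare_digest(expected, stored_challenge.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample clients, not taken from any real deployment.
    clients = [
        Client("spa", public=True, has_secret=False),
        Client("mobile", public=True, has_secret=True),
        Client("backend", public=False, has_secret=True),
    ]
    for policy in PkcePolicy:
        for client in clients:
            ok = authorization_request_ok(policy, client, None)
            print(f"{policy.value!r:50} {client.client_id:8} "
                  f"no challenge -> {'accepted' if ok else 'rejected'}")
```
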

1.3. Security Advisories

ForgeRock issues security advisories in collaboration with our customers and the open source community to address any security vulnerabilities transparently and rapidly. ForgeRock's security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.

For details of all the security advisories across ForgeRock products, see Security Advisories in the Knowledge Base.

Chapter 2. Before You Install

This chapter covers software and hardware prerequisites for installing and running ForgeRock Access Management server software.

ForgeRock supports customers using the versions specified here. Other versions and alternative environments might work as well. When opening a support ticket for an issue, however, make sure you can also reproduce the problem on a combination covered here.

2.1. Files to Download

Access Management software is available at "Access Management Software" describes the files available for download.

Access Management Software

Cross-platform distribution including all software components.

For a list of the files in the .zip archive, see "Obtaining Software" in the Installation Guide.


Deployable web application archive file.

The .zip file that contains tools to manage AM from the command line.

The .zip file that contains tools to configure AM from the command line.

2.2. Operating System Requirements

ForgeRock supports customers using ForgeRock Access Management server software on the following operating system versions:

Supported Operating Systems
Operating System | Versions
Red Hat Enterprise Linux, CentOS | 6, 7
Amazon Linux | Amazon Linux 2, Amazon Linux 2017.09, Amazon Linux 2018.03
 | 14.04 LTS, 16.04 LTS, 18.04 LTS
Solaris x64 | 10, 11
Solaris Sparc | 10, 11
Windows Server | 2012 R2


2.3. Web and Java Agents Platform Requirements

The following table summarizes the minimum required version of web and Java agents:

Minimum Agent Version Required
Web Agents | 5.0.1
Java Agents | 5.0.1

AM supports several versions of web agents and Java agents. For supported container versions and other platform requirements related to agents, refer to the ForgeRock Access Management Web Agents Release Notes and the ForgeRock Access Management Java Agents Release Notes.

2.4. Java Requirements

The following table lists supported Java versions:

JDK Requirements
Oracle JDK | 8, 11
IBM SDK, Java Technology Edition (Websphere only) | 8
OpenJDK | 8, 11

2.5. Web Application Container Requirements

The following table summarizes supported application containers and their required versions:

Web Containers
Web Container | Versions
Apache Tomcat | 7, 8.5, 9
Oracle WebLogic Server |
JBoss Enterprise Application Platform |
WildFly AS | 10.1, 11, 12
IBM WebSphere |

The web application container must be able to write to its own home directory, where AM stores configuration files.

2.6. Directory Server Requirements

This section lists supported directory servers.

As described in "Generic LDAPv3 Configuration Properties" in the Setup and Maintenance Guide, you can configure AM to use LDAPv3-compliant directory servers as user data stores. If you have a special request to deploy AM with a user data store not mentioned in the following table, contact

Supported Directory Servers
Directory Server | Versions | Configuration | Apps / Policies | CTS | Identities | UMA
Embedded Directory Services | 6.5
External Directory Services/OpenDJ | 3.0, 3.5, 5, 5.5, 6, 6.5
Oracle Unified Directory | 11g R2
Oracle Directory Server Enterprise Edition | 11g
Microsoft Active Directory | 2012 R2, 2016
IBM Tivoli Directory Server | 6.3

2.7. Supported Clients

The following table summarizes supported clients and their minimum required versions:

Supported Clients
Client Platform | Native Apps [a] | Chrome 62+ | Internet Explorer 11+ | Edge 25+ | Firefox 57+ | Safari 11+ | Mobile Safari
Windows 8 or later [b]
Mac OS X 10.11 or later
Ubuntu 14.04 LTS or later
iOS 9 or later
Android 6 or later

[a] Native Apps is a placeholder to indicate AM is not just a browser-based technology product. An example of a native app would be something written to use our REST APIs, such as the sample OAuth 2.0 Token Demo app.

[b] Windows 10 only.

2.8. Supported Upgrade Paths

The following table contains information about the supported upgrade paths to AM 6.5:

Upgrade Paths
Version | Upgrade Supported?
OpenAM 13.x
Access Management 5.x [a]
Access Management 6.x [a]


[a] Access Management is incompatible with SSO session tokens from OpenAM.

Storage and processing of sessions changed in AM 5: CTS-based (stateful) and client-based (stateless) sessions created by earlier versions of OpenAM are not supported.

After upgrading from an earlier version, any existing SSO tokens created by that version will become invalid, and users will need to reauthenticate.

In mixed version deployments, earlier versions of OpenAM will not be able to read or process SSO session tokens created by AM 5 or later.

This incompatibility only affects SSO session tokens. OAuth 2.0 and OpenID Connect 1.0 tokens are interoperable between versions.


Upgrading between Enterprise and OEM versions is not supported.

For more information, see Checking your product versions are supported in the ForgeRock Knowledge Base.

2.9. Special Requests

If you have a special request regarding support for a combination not listed here, contact ForgeRock at

Chapter 3. Installing or Upgrading

This chapter covers installing and upgrading AM 6.5 software.

Before you install AM or upgrade your existing installation, read these release notes. Then, install or upgrade AM.

  • If you are installing AM for the first time, see the Installation Guide.

  • If you have already installed AM, see the Upgrade Guide.

    Do not perform an upgrade by deploying the new version and then importing an existing configuration by running the ssoadm import-svc-config command. Importing an outdated configuration can result in a corrupted installation.

Chapter 4. Changes and Deprecated Functionality

This chapter covers both major changes to existing functionality, and also deprecated and removed functionality.

4.1. Important Changes to Existing Functionality

This section lists changes made to existing functionality, services, endpoints, and others in the current release of AM.


Access Management is incompatible with SSO session tokens from OpenAM.

Storage and processing of sessions changed in AM 5: CTS-based (stateful) and client-based (stateless) sessions created by earlier versions of OpenAM are not supported.

After upgrading from an earlier version, any existing SSO tokens created by that version will become invalid, and users will need to reauthenticate.

In mixed version deployments, earlier versions of OpenAM will not be able to read or process SSO session tokens created by AM 5 or later.

This incompatibility only affects SSO session tokens. OAuth 2.0 and OpenID Connect 1.0 tokens are interoperable between versions.

Access Management 6.5
  • Web and Java Agents Earlier than 5.0.1 Not Supported

    AM 6.5 does not interoperate with web and Java agents earlier than 5.0.1.

  • Stored Device Recovery Codes are now One-way Encrypted

    AM 6.5 encrypts stored device recovery codes by default. This means they can only be shown to users a single time before they become encrypted, and therefore, unreadable.


    To prevent AM from encrypting existing device recovery codes you must add a Java property to your environment, BEFORE starting the container.

    For more information on device recovery code encryption, and how to disable encryption, see "To Prevent AM Encrypting Device Recovery Codes" in the Upgrade Guide.

  • Utils Class Containing SHA-1 Usage Moved

    The class org.forgerock.oauth2.core.Utils#getKid has moved to org.forgerock.openam.secrets.SecretsUtils#getStaticId in AM 6.5.

    This class may get flagged for SHA-1 usage in source code scans. However, reports of this particular use of SHA-1 can be safely ignored.

    For more information, see Security scan shows use of SHA-1 in Utils class in AM/OpenAM (All versions) in the Knowledge Base.

  • Naming Convention Changes on Documentation and UI

    Earlier versions of the AM documentation and the UI classify OAuth 2.0 and OpenID Connect 1.0 tokens as stateful when AM stores tokens in the CTS token store, and stateless when AM returns the token to the client.

    This naming convention is misleading. OAuth 2.0 services are stateless (no information regarding OAuth 2.0 is stored in the AM server memory), and any server in the AM deployment can satisfy any OAuth 2.0-related request.

    AM 6.5 removes the stateful/stateless naming convention and classifies tokens depending on where they are stored:

    • CTS-based tokens (previously referred to as stateful tokens)

    • Client-based tokens (previously referred to as stateless tokens)

  • Signing Methods for Social Authentication with IDM Incompatible with Earlier Versions

    The signing method used by AM 6.5 when performing social authentication with IDM 6.5 has changed, in order to support non-extractable HMAC keys from Hardware Security Modules (HSMs).

    The new signing method is not compatible with IDM 6, or earlier.

    If you have not upgraded to IDM 6.5, or later, enable the new Signing Compatibility Mode property in the IDM Provisioning service in order to use social authentication involving IDM successfully.

    For more information, see "IDM Provisioning" in the User Self-Service Guide.

  • The Amster Configuration Upgrader Utility is not Included in the AM 6.5 Release

    The tool could be used to upgrade configuration files exported by Amster for use in later versions.

    Follow the procedures in the Upgrade Guide to upgrade from previous versions to AM 6.5. Then, use Amster to export configuration files that are compatible with AM 6.5.

  • Data Stores Renamed to Identity Stores

    To differentiate the stores used for identities from those used for configuration, applications, or policies, the Data Stores label in the user interface has been renamed to Identity Stores.

  • Changes to the Prometheus Monitoring Interface

    In earlier versions of AM, Prometheus had to authenticate with a username and a password when accessing the monitoring endpoint. AM 6.5 allows you to configure the monitoring interface such that Prometheus can access the endpoint without authenticating.

    For more information, see "Prometheus Monitoring" in the Setup and Maintenance Guide.

  • Oracle WebLogic Required Packages Now Included by Default

    In earlier versions of AM, Bouncy Castle and Jackson packages needed to be added to the weblogic.xml file in order to deploy AM successfully in Oracle WebLogic.

    This step is no longer required, as the packages are included by default.

    For more information, see "Preparing Oracle WebLogic" in the Installation Guide.

  • Changes to the activity.audit.json Log File

    In earlier versions of AM, the activity.audit.json log file only captured session changes. AM 6.5 captures session, user profile, and device profile changes in the logs.

    For more information, see "Audit Log Topics" in the Setup and Maintenance Guide.

4.2. Deprecated Functionality

Functionality listed under this section has been deprecated and will be removed in a future release of AM.

Access Management 6.5
  • SAML 1.0 Deprecated

    SAML 1.0 functionality is deprecated in AM 6.5, and will be removed in a future version.

4.3. Removed Functionality

Functionality listed under this section has been removed from AM.

Access Management 6.5
  • No features or functionality have been removed in this release.

Chapter 5. Fixes, Limitations, and Known Issues

This chapter covers the status of key issues and limitations at release 6.5.

5.1. Key Fixes

Access Management 6.5
  • OPENAM-13842: OAuth 2.0 Device flow - can no longer use user_code more than once.

  • OPENAM-13786: REST policy evaluation throws 500 Internal Error due to stateless ssotoken encryption alg conflict.

  • OPENAM-13774: SOAP STS for Delegation RelationShip Supported is always false on XUI.

  • OPENAM-13732: Session Remaining Time is displayed with more precision and not rounded up.

  • OPENAM-13712: Unknown Signing Algorithm when Client Based Session set Signing to NONE.

  • OPENAM-13670: Selfservice password reset token doesn't work in site due to OPENAM-6426.

  • OPENAM-13604: IdP Proxy relays wrong AuthnContextClassRef if the AuthLevel requested by the SP is not 0.

  • OPENAM-13577: The xmlsec 2.1.1.jar had issues when linebreaks were enabled.

  • OPENAM-13573: Concurrent changePassword requests to LDAPAuthUtils may cause "insufficient access rights" failures.

  • OPENAM-13531: LDAP Decision node removed username from shared state when it is not found.

  • OPENAM-13530: Datastore Decision node removed username from shared state when it is not found.

  • OPENAM-13511: DN Cache should be cleared after idRepo config change.

  • OPENAM-13496: Unable to view Services when some services have invalid attribute.

  • OPENAM-13481: Stateless OAuth 2.0 Client_credential grant/implicit type has long CTS token timeout.

  • OPENAM-13457: AM XUI favicon icon not being recognised.

  • OPENAM-13456: AM XUI custom FooterTemplate.html and LoginHeaderTemplate.html was not being applied.

  • OPENAM-13414: Upgrade fails if OAuth2 Provider service lacks tokenSigningHmacSharedSecret.

  • OPENAM-13407: AMIdentitySubject.isMember should not check privilege for group in different realm.

  • OPENAM-13359: P11RSAPrivateKey failed RSA key check.

  • OPENAM-13318: Blank passwords using PageNode Auth Tree prevents log in.

  • OPENAM-13316: LDAP Decision Node does not return Inactive Account result correctly in eDirectory.

  • OPENAM-13308: LdapDecisionNode fails when Return UserDN to Datastore is set to false.

  • OPENAM-13302: AM Self-registration kba threw an error when a user inputs an answer and pressed the enter key.

  • OPENAM-13291: Create Identities Page appears broken after upgrade from 5.5 (to 6.0 or 6.5).

  • OPENAM-13255: DefaultIDPAccountMapper does not append domain value for UPN.

  • OPENAM-13249: AM did not recognize custom templates and partials.

  • OPENAM-13183: Concurrent changePassword requests to the "users" REST endpoint caused "insufficient access rights" failures.

  • OPENAM-13162: Policy evaluation returned 403 with expired stateless app token.

  • OPENAM-13154: Lockout Duration Multiplier had no effect.

  • OPENAM-13151: OAuth 2.0 Dynamic Registration did not accept Private-Use URI (for native apps) as redirect_uri.

  • OPENAM-13128: Invalid error message was returned when user with expired password authenticated with persistent cookie module.

  • OPENAM-13112: The showServerConfig.jsp page threw NullPointerException NPE when accessed using Site or LB URL.

  • OPENAM-13100: LDAP Decision node fails with NPE when used with Active Directory.

  • OPENAM-13087: ClassNotFound Exception thrown after upgrade.

  • OPENAM-13085: WSFederation Active Request Profile authentication request hangs on input-less scripted modules.

  • OPENAM-13082: Address claim in default OIDC claims script output non-spec compliant format.

  • OPENAM-13080: Resource owners sharing resources to themselves caused an error message.

  • OPENAM-13079: Importing SAML2 MetaData for RoleDescriptor for AttributeQueryDescriptor failed.

  • OPENAM-13075: Incorrect message displayed when resource is being shared.

  • OPENAM-13072: Case-sensitive usernames resulted in listing UMA resource incorrectly.

  • OPENAM-13053: ScriptingService did not add the new values to whitelist during upgrade.

  • OPENAM-12997: Consent for default scopes were not saved.

  • OPENAM-12985: Debug log files were swamped with message 'LDAPUtils.isDN: Invalid DN' in 'error' level.

  • OPENAM-12984: Access Token Endpoint issued search request against datastore for OAuth Client.

  • OPENAM-12867: IdP-Proxy - Single Logout failed as LogoutResponse was not signed.

  • OPENAM-12866: Subsequent idpSSOInit calls after the first will fail if custom IDPAdapter forces auth step up.

  • OPENAM-12856: User authentication configuration not migrated to XUI.

  • OPENAM-12847: Public API broken - SSOTokenManager.getValidSessions(SSOToken requester, String server).

  • OPENAM-12801: OAuth 2.0 token signing forced PKCS#11 keys to have specific attributes.

  • OPENAM-12784: ProviderConfiguration was not spec compliant.

  • OPENAM-12770: Some SAML assertions were not deserialized from a SAML2 Token.

  • OPENAM-12690: XUI theme configuration realm mapping was case sensitive.

  • OPENAM-12625: JWT OIDC Token could not be valid for over 86400 seconds.

  • OPENAM-12514: IdP initiated SSO - NumberFormatException was raised in session upgrade case.

  • OPENAM-12506: Upgrade could fail with RemoveReferralsStep having too broad base DN.

  • OPENAM-12419: Policy rules not updated when external configuration store connection restarted.

  • OPENAM-12403: LDAP response controls are not logged which complicates troubleshooting.

  • OPENAM-12401: DJLDAPv3Repo - insufficient debug logging to troubleshoot membership issues.

  • OPENAM-12301: Account lockout logs ERROR: ISAccountLockout.getAcInfo: acInfo: null.

  • OPENAM-12293: Audit logging no longer logs REST operation details.

  • OPENAM-12209: The 'acr' and 'acr_sig' parameters can become duplicated during step-up authn, should not be present in url.

  • OPENAM-12174: XUI - Deleting a built-in authentication module will delete any other created by it.

  • OPENAM-12096: API explorer example for PUT on /global-config/services/scripting/contexts/{contexts}/engineConfiguration fails.

  • OPENAM-11962: Calling Logout and passing a goto URL parameter with an expired session, goto URL is ignored.

  • OPENAM-11665: Unable to login in XUI with users endpoint getting 404 due to KBA attribute issues.

  • OPENAM-11642: CustomProperties do not work when creating J2EE/Web Agents via REST.

  • OPENAM-11473: NumberFormatException on startup for External configuration setup.

  • OPENAM-11407: An extra space in the CTS store connection string "" caused OpenDJ-SDK log to grow.

  • OPENAM-11355: Missing Service tab when trying to configure dashboard with Active Directory datastore.

  • OPENAM-11225: During single logout idpSingleLogoutRedirect threw 500 error.

  • OPENAM-11177: Scripted auth module can not be used in auth chain if the username in shared state map does not 'match' the search attribute of the data store.

  • OPENAM-11167: <ActualLockoutDuration> is not updated in the attribute sunStoreInvalidAttemptsData.

  • OPENAM-11048: account lockout did not work when naming attribute and LDAP Users Search Attribute are different.

  • OPENAM-10467: RFC7662: oauth2/introspect returned token_type not as Bearer.

  • OPENAM-10296: Session UI only allows searching for users in datastore.

  • OPENAM-9783: The json/users changePassword option returned the wrong error message with multiple datastores configured.

  • OPENAM-8296: OAuth 2.0 consent screen does not use XUI theme configuration.

  • OPENAM-4040: SSO failed between SPs in separate CoTs with same hosted IDP.

5.2. Limitations

The following limitations and workarounds apply to AM 6.5:

  • Web Authentication (WebAuthn) Limitations

    AM 6.5 does not support the following functionality as described in the Web Authentication specification:


    For more information about Web Authentication, see "About Web Authentication (WebAuthn)" in the Authentication and Single Sign-On Guide.

  • RADIUS Service Only Supports Commons Audit Logging

    The new RADIUS service only supports the new Commons Audit Logging, available in this release. The RADIUS service cannot use the older Logging Service, available in releases prior to OpenAM 13.0.0.

  • Administration Console Access Requires the Realm Admin privilege

    In this version of AM, administrators can use the AM console as follows:

    • Delegated administrators with the Realm Admin privilege can access full AM console functionality within the realms they can administer. In addition, delegated administrators in the Top Level Realm who have this privilege can access AM's global configuration.

    • Administrators with lesser privileges, such as the Policy Admin privilege, can not access the AM administration console.

    • The top-level administrator, such as amadmin, has access to full AM console functionality in all realms and can access AM's global configuration.

  • Different AM Versions Within a Site are not Supported

    Do not run different versions of AM together in the same AM site.

  • Use of Special Characters in Policy or Application Creation is Not Supported

    Do not use special characters in policy, application, or referral names (for example, "my+referral") when using the Policy Editor or REST endpoints; AM returns a 400 Bad Request error. The special characters are: double quotes ("), plus sign (+), comma (,), less than (<), equals (=), greater than (>), backslash (\), and null (\u0000). (OPENAM-5262)

  • XACML Policy Import and Export from Different Vendors is Not Supported

    AM can only import XACML 3.0 files that were either created by an AM instance, or that have had minor manual modifications, due to the reuse of some XACML 3.0 parameters for non-standard information.

  • JCEKS Keystore Now Required for User Self-Services

    In OpenAM 13.0.0, the user self-service feature is stateless, which means that the end-user is tracked and replayed by an encrypted and signed JWT token on each AM instance. It also generates key pairs and caches its keys locally on the server instance.

    In a multi-instance deployment behind a load balancer, one server instance with the user self-services enabled will not be able to decrypt the JWT token from the other instance due to the encryption keys being stored locally to its server.

    OpenAM 13.5.0 and later solve this issue by providing a JCEKS keystore that supports asymmetric keys for encryption and symmetric keys for signing. Users who have installed OpenAM 13.0.0 and enabled the user self-service feature will need to run additional steps to configure a JCEKS keystore to get the user self-service feature operating after an upgrade.

    For specific instructions to configure the JCEKS keystore, see "Configuring Keystores" in the Setup and Maintenance Guide.


    This procedure is not necessary for the following users:

    • Users upgrading from versions prior to OpenAM 13.0.0 are not impacted.

    • Users who upgrade from OpenAM 13.0.0 and do not enable the user self-services feature are not impacted.

    • Users who do a clean install of OpenAM 13.5.0 or later are not impacted.

5.3. Known Issues

The following important known issues remained open at the time release 6.5 became available. For details and information on other issues, see the issue tracker.

Access Management 6.5
  • Passwordless OAuth 2.0 Public Clients cannot choose none as Client Authentication Method

    As per RFC 7591, passwordless public clients should be able to choose none as their client authentication method.

    At present, AM does not allow registering passwordless public clients with the none authentication method.

    As a workaround, select the client_secret_post client authentication method when registering the client, but omit the password parameters when calling the endpoints. For example, do not use the client_secret parameter.

  • Using the Documented CORS Filter With IDM Integration Causes Errors

    When configuring IDM to delegate authentication to AM, as described in the IDM Samples Guide, you must configure AM with a cross-origin resource sharing (CORS) filter.

    However, when you use a CORS filter based on the org.forgerock.openam.cors.CORSFilter filter class, Unexpected End of JSON Input errors occur.

    To work around the problem, configure AM's web.xml file as described in "Enabling CORS Support" in the Installation Guide, but use a CORS filter specific to the AM web container instead of using a filter based on the org.forgerock.openam.cors.CORSFilter filter class. For example, for Apache Tomcat, use a filter based on the org.apache.catalina.filters.CorsFilter filter class:

    • Add a filter clause similar to the following to the web.xml file, making sure to specify the correct URLs for your deployment in the parameter:

    • Add the following filter-mapping clause to the web.xml file:
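
The two clauses for Apache Tomcat might look as follows. This is an added example, not the configuration from the original release notes; the origin URL, the method and header lists, and the /json/* URL pattern are assumptions to adapt to your deployment.

```xml
<!-- Added example for Apache Tomcat; not the clauses from the original release notes. -->
<!-- Assumed values: the origin URL, the method and header lists, the URL pattern. -->
<filter>
  <filter-name>CORSFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <!-- List each trusted origin explicitly (scheme, host and port).
         Avoid "*" here when cors.support.credentials is true. -->
    <param-name>cors.allowed.origins</param-name>
    <param-value>https://idm.example.com:8443</param-value>
  </init-param>
  <init-param>
    <!-- Allow only the HTTP methods the calling application needs. -->
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,PUT,DELETE,OPTIONS</param-value>
  </init-param>
  <init-param>
    <!-- Request headers the browser may send cross-origin. -->
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,Accept-API-Version,X-Requested-With</param-value>
  </init-param>
  <init-param>
    <!-- Lets the browser send the session cookie with cross-origin calls. -->
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>

<!-- Apply the filter only to the paths that need cross-origin access. -->
<filter-mapping>
  <filter-name>CORSFilter</filter-name>
  <url-pattern>/json/*</url-pattern>
</filter-mapping>
```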

  • Large Amounts of Policies in a Policy Set Causes Errors if Unindexed

    If you have large numbers of policies in a policy set, ensure that the directory server has an index on the sunxmlKeyValue attribute.

    This index is created by default if you create an external DS instance by using the setup profiles feature. See "Preparing Policy and Application Stores" in the Installation Guide.

    If you did not use the setup profile feature to create the external DS instance, create an equality and substring index on the sunxmlKeyValue attribute. For example:

    $ ./dsconfig \
     create-backend-index \
     --hostname <ds-hostname> \
     --port 4444 \
     --bindDN "cn=Directory Manager" \
     --bindPassword "str0ngEx4mplePa55word" \
     --backend-name userRoot \
     --index-name sunxmlKeyValue \
     --set index-type:equality \
     --set index-type:substring \
     --trustAll

    You will need to rebuild the indexes after adding additional attributes. For more information on creating indexes on attributes, and rebuilding indexes, see Indexing Attribute Values in the Directory Services Administration Guide.

  • Cached JavaScript Files from OpenAM 12.0.0 May Cause Redirect to undefined:8080

    If you configure an OpenAM 12.0.0 instance with long-lived cache times for the /XUI/index.html file, you may experience unexpected redirects to undefined:8080 after upgrading.

    To work around this issue, in your chosen web container, or proxy server, reconfigure the cache time for the /XUI/index.html file to be short-lived, for example, 5 minutes. Allow enough time that cached files with the long-lived cache time will have expired before upgrading.


    This issue does not affect upgrades from OpenAM 12.0.1 or later. OpenAM 12.0.1 and later set a short-lived cache-control header on UI files to work around the problem of having stale files cached locally.

  • OAuth2 Scopes Behavior Affected by Upgrade

    After an upgrade from OpenAM 12.0.x, OAuth v2.0 scope behavior uses a deprecated implementation class, org.forgerock.openam.oauth2.provider.impl.ScopeImpl.

    The workaround is to manually update the OAuth v2.0 providers to use the org.forgerock.openam.oauth2.OpenAMScopeValidator.

    For background information, see OPENAM-6319.

  • Supported ID Token Algorithms and Methods not Updated After Upgrade

    AM 5 added additional algorithms and methods for encrypting ID tokens. Performing an upgrade from OpenAM 13.5 does not add these new values to the affected properties.

    After upgrade, navigate to Realm Name > Services > OAuth2 Provider > OpenID Connect, and manually update the ID Token Encryption Algorithms supported and ID Token Encryption Methods supported properties.

    For more information on the available algorithms and methods, see "Encrypting OpenID Connect ID Tokens" in the OpenID Connect 1.0 Guide.

  • User Interface Not Localized if Locale Parameter Follows Fragment in URL

    The XUI user-facing pages are not localized if the locale parameter appears after the fragment in the URL.

    To ensure correct localization of user-facing pages, ensure the fragment appears at the end of the URL. For example:

    For more information, see "Authenticating Using the XUI" in the Authentication and Single Sign-On Guide.

  • OPENAM-13940: Session quota limits not applied when using trees.

  • OPENAM-13905: XUI Authentication - Switching realms is not possible.

  • OPENAM-13904: Authentication by using the REST API - Switching realms is not possible.

  • OPENAM-13720: Public API method LDAPUtils.convertToLDAPURLs can not handle IPv6 literals.

  • OPENAM-13583: OAuth 2.0 Node Redirect URL does not work.

  • OPENAM-13486: AM Upgrade fails on opendj_remove_session_listener_on_all_sessions.

  • OPENAM-13428: EntitlementException not passed to PLL or JSON policy layer.

  • OPENAM-9098: Changes in do not take effect immediately.

  • OPENAM-3285: OpenID Connect authorization response is not returning required session_state.

Chapter 6. Documentation Updates

The following table tracks changes to the documentation set following the release of AM 6.5:

Documentation Change Log

Initial release of Access Management 6.5.

Added new Authentication Node Development Guide.

Appendix A. Release Levels and Interface Stability

This appendix includes ForgeRock definitions for product release levels and interface stability.

A.1. ForgeRock Product Release Levels

ForgeRock defines Major, Minor, Maintenance, and Patch product release levels. The release level is reflected in the version number. The release level tells you what sort of compatibility changes to expect.

Release Level Definitions
Release Label | Version Numbers | Characteristics

Major

Version: x[.0.0] (trailing 0s are optional)

  • Bring major new features, minor features, and bug fixes

  • Can include changes even to Stable interfaces

  • Can remove previously Deprecated functionality, and in rare cases remove Evolving functionality that has not been explicitly Deprecated

  • Include changes present in previous Minor and Maintenance releases


Minor

Version: x.y[.0] (trailing 0s are optional)

  • Bring minor features, and bug fixes

  • Can include backwards-compatible changes to Stable interfaces in the same Major release, and incompatible changes to Evolving interfaces

  • Can remove previously Deprecated functionality

  • Include changes present in previous Minor and Maintenance releases

Maintenance, Patch

Version: x.y.z[.p]

The optional .p reflects a Patch version.

  • Bring bug fixes

  • Are intended to be fully compatible with previous versions from the same Minor release

A.2. ForgeRock Product Interface Stability

ForgeRock products support many protocols, APIs, GUIs, and command-line interfaces. Some of these interfaces are standard and very stable. Others offer new functionality that is continuing to evolve.

ForgeRock acknowledges that you invest in these interfaces, and therefore must know when and how ForgeRock expects them to change. For that reason, ForgeRock defines interface stability labels and uses these definitions in ForgeRock products.

Interface Stability Definitions
Stability Label | Definition

Stable

This documented interface is expected to undergo backwards-compatible changes only for major releases. Changes may be announced at least one minor release before they take effect.


Evolving

This documented interface is continuing to evolve and so is expected to change, potentially in backwards-incompatible ways even in a minor release. Changes are documented at the time of product release.

While new protocols and APIs are still in the process of standardization, they are Evolving. This applies for example to recent Internet-Draft implementations, and also to newly developed functionality.


Deprecated

This interface is deprecated and likely to be removed in a future release. For previously stable interfaces, the change was likely announced in a previous release. Deprecated interfaces will be removed from ForgeRock products.


Removed

This interface was deprecated in a previous release and has now been removed from the product.

Technology Preview

Technology previews provide access to new features that are evolving new technology and are not yet supported. Technology preview features may be functionally incomplete and the function as implemented is subject to change without notice. DO NOT DEPLOY A TECHNOLOGY PREVIEW INTO A PRODUCTION ENVIRONMENT.

Customers are encouraged to test drive the technology preview features in a non-production environment and are welcome to make comments and suggestions about the features in the associated forums.

ForgeRock does not guarantee that a technology preview feature will be present in future releases; the final complete version of the feature is liable to change between preview and the final version. Once a technology preview moves into the completed version, said feature will become part of the ForgeRock platform. Technology previews are provided on an “AS-IS” basis for evaluation purposes only and ForgeRock accepts no liability or obligations for the use thereof.


Internal/Undocumented

Internal and undocumented interfaces can change without notice. If you depend on one of these interfaces, contact ForgeRock support or email to discuss your needs.

Appendix B. Getting Support

For more information or resources about AM and ForgeRock Support, see the following sections:

B.1. Accessing Documentation Online

ForgeRock publishes comprehensive documentation online:

  • The ForgeRock Knowledge Base offers a large and increasing number of up-to-date, practical articles that help you deploy and manage ForgeRock software.

    While many articles are visible to community members, ForgeRock customers have access to much more, including advanced information for customers using ForgeRock software in a mission-critical capacity.

  • ForgeRock product documentation, such as this document, aims to be technically accurate and complete with respect to the software documented. It is visible to everyone and covers all product features and examples of how to use them.

B.2. Using the Site

The site has links to source code for ForgeRock open source software, as well as links to the ForgeRock forums and technical blogs.

If you are a ForgeRock customer, raise a support ticket instead of using the forums. ForgeRock support professionals will get in touch to help you.

B.3. Getting Support and Contacting ForgeRock

ForgeRock provides support services, professional services, training through ForgeRock University, and partner services to assist you in setting up and maintaining your deployments. For a general overview of these services, see

ForgeRock has staff members around the globe who support our international customers and partners. For details, visit, or send an email to ForgeRock at
