ForgeRock patch bundle releases contain a collection of fixes that have been grouped together and released as part of our commitment to support our customers. AM 6.0.0.7 is the latest patch bundle release targeted for AM 6.0.0.x deployments and can be downloaded from the ForgeRock Backstage website. To view the list of fixes in this release, see Key Fixes in AM 6.0.0.7.

The AM 6.0.0.7 patch bundle release is cumulative and contains all the fixes included in previous 6.0.0.x releases (see "Fixes, Limitations, and Known Issues"). The release can be deployed as an initial deployment or updated from an existing 6.0.0.x deployment, see "Supported Upgrade Paths". AM 6.0 is available for download at the ForgeRock Backstage website.

For general information on ForgeRock's maintenance and patch releases, see Maintenance and Patch Availability Policy.

Intelligent Authentication

OAuth 2.0

General

Authentication Trees

General

LDAPv3Repos LDAP Servers are Now Stored in Comma-Separated Ordered List

For multiple data stores behind a load balancer deployment, AM now stores its servers as a comma-separated list, rather than orderedlist.

For example, given a site configuration, ID 02, with two servers, IDs 01 and 03. In previous releases (prior to AM ${am.software.version} and earlier), AM would store the servers as an orderedlist:

$./ldapsearch -p 51389 -D "cn=Directory Manager" -w cangetin -b "ou=services,dc=openam,dc=forgerock,dc=org" "objectclass=*"  > backup.ldif
   $ grep "sun-idrepo-ldapv3-config-ldap-server" backup.ldif
   sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=xxx.example.com:1389|01|02
   sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=zzz.example.com:1389|01|02
   sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=xxx.example.com:1389|03|02
   sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=localhost:51389
   sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=zzz.example.com:1389|03|02

Now, AM stores its multi-server configuration as a comma-separated ordered list:

$./ldapsearch -p 51389 -D "cn=Directory Manager" -w cangetin -b "ou=services,dc=openam,dc=forgerock,dc=org" "objectclass=*"  > backup.ldif
   $ grep "sun-idrepo-ldapv3-config-ldap-server" backup.ldif
   sunKeyValue: sun-idrepo-ldapv3-config-ldap-server=[0]=xxx.example.com:1389|01|02,xxx.example.com:1389|03|02,localhost:51389,zzz.example.com:1389|01|02,zzz.example.com:1389|03|02

Authentication Trees

General

User Self-Service Email Verification Code is One-Time Use

In previous versions of AM, the password recovery link AM emails to the user when the email verification feature is enabled could be used several times.

AM 6 whitelists the code contained in the recovery link such that it can only be used once.

Password Replay Post-Authentication Class com.sun.identity.authentication.spi.ReplayPasswd Deprecated

The password replay post-authentication plugin class, com.sun.identity.authentication.spi.ReplayPasswd, is deprecated and will be removed in a future release of AM.

AM 6 includes a new password replay post-authentication class. For more information, see the AM 6 New Features section in the Release Notes.

Agents 2.2 Removed from XUI

The XUI pages for the deprecated Agents 2.2 have been removed. Use the Amster command to configure or modify Agent 2.2 instances.

OPENAM-10127: SessionMonitoringStore should only be instantiated when monitoring is enabled

OPENAM-11048: OpenAM account lockout does not work when naming attribute and LDAP Users Search Attribute are different

OPENAM-11523: Using the LDAP/AD auth module, the change password on next login, if current password is empty it displays the wrong error message

OPENAM-12965: httpClient not exposed to OIDC Claim Script

OPENAM-13187: OAuth2 DeviceCode flow does not work with stateless encryption enabled

OPENAM-13247: Token info endpoint throwing 401

OPENAM-13268: Initial authz eval request for a given realm takes a long time when there are many policies

OPENAM-13302: AM Self-registration kba throws an error when a user inputs an answer and presses the enter key.

OPENAM-13851: Rest STS cannot be created in the Console when upgrading to 6

OPENAM-13892: Erroneous "Response's InResponseTo attribute is not valid error "SAML2 failover is enabled" when it is not

OPENAM-13896: Comparison method violates its general contract! seen during amster import

OPENAM-13991: 'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm

OPENAM-14050: LDAP should reestablish connection to the orignal server after it has recovered

OPENAM-14053: Cannot build openam-ui in Windows for Yarn using mvn

OPENAM-14080: LDAP Decision Node returns incorrect user attribute to search for in user store

OPENAM-14147: arg=newsession in XUI does shows just the "Loading..." page

OPENAM-14174: AM shows Ldapter.delete exception when session expires is triggered

OPENAM-14189: effectiveRange of Time environment has issue

OPENAM-14281: IdP Proxy relays wrong AuthnContextClassRef

OPENAM-14307: ConcurrentModificationException when creating resource_set

OPENAM-14308: LDAP Connection Pool Minimum Size for Identity Store missing from XUI

OPENAM-14353: Error Message not Displayed when Change Password does not Meet Password Policy

OPENAM-14369: Upgrading from OpenAM 13.5.0 to AM 6.0.0.x with custom PAPs causes NPE failure

OPENAM-14393: CTS Operation Fails Entry Already Exists logged for SAML2 Authentication is done

OPENAM-14427: Certificate Module with option "Match Certificate in LDAP" does not work

OPENAM-14505: Agent sessions are constrained by Session Quota

OPENAM-14548: consent page still shows what's been granted/removed as a result of OAuth2 scope policy evaluation

OPENAM-14573: amlbcookie is not secure when authenticating with trees

OPENAM-14581: handling ManageNameID fails if NameID does not include SPNameQualifier

OPENAM-11177: Scripted auth module can not be used in auth chain if the username in sharedstate map does not 'match' the search attribute of the data store

OPENAM-11665: Improve debug logging when unable to login in XUI with users endpoint getting 404 due to KBA attribute issues

OPENAM-12789: Data store with identities that do not match user search attr cause server error

OPENAM-13291: Create Identities Page appears broken after upgrade from 5.5 (to 6.0 or 6.5)

OPENAM-13604: IdP Proxy relays wrong AuthnContextClassRef if the AuthLevel requested by the SP is not 0

OPENAM-13762: Improve caching of ServiceConfigImpl instances

OPENAM-13814: User Self Service reCAPTCHA Feature Broken

OPENAM-8296: OAuth consent screen does not use XUI theme configuration

OPENAM-11225: idpSingleLogoutRedirect throws 500 error SLO

OPENAM-13183: Concurrent changePassword requests to the "users" REST endpoint causes "insufficient access rights" failures

OPENAM-13301: When creating Java/Web agent groups, some properties are not tag-swapped

OPENAM-13310: Allow id tokens to be issued when no datastore configured

OPENAM-13315: OIDC no longer supports prompt=consent parameter

OPENAM-13350: Upgrade from 12.0.x to 6.0.0.2 fails with embedded user store

OPENAM-13359: P11RSAPrivateKey fails RSA key check.

OPENAM-13414: Upgrade to AM6 fails if OAuth2 Provider service lacks tokenSigningHmacSharedSecret

OPENAM-13438: Setting org.forgerock.openam.ldap.heartbeat.timeout=-1 makes AM unusable

OPENAM-13457: AM 6 XUI favicon icon not being recognised

OPENAM-13499: Incorrect transaction ID used in access events for CREST endpoints

OPENAM-13506: OAuth2 Provider Service REST defaultACR input data not validated.

OPENAM-13563: Help link on the "Services" XUI page points to out of date documentation

OPENAM-13573: Concurrent changePassword requests to LDAPAuthUtils may cause "insufficient access rights" failures

OPENAM-13577: xmlsec 2.1.1.jar used in AM6 have issues when linebreaks enabled

OPENAM-13578: KBA are not updatable after upgrade

OPENAM-13581: "Try Resetting Your Password Again" Link fails if the Single use Token is expired/used

OPENAM-13649: SuccessUrl redirects not working in Safari

OPENAM-13670: Selfservice password reset token doesn't work in site due to OPENAM-6426

OPENAM-10532: SOAPExceptionImpl: Invalid Content-Type:text/html. Is this an error message instead of a SOAP response?

OPENAM-11407: extra space in the CTS 's connection string " openam.internal.example.com:50389" cause OpenDJ-SDK log to grow

OPENAM-11642: CustomProperties do not work when creating J2EE/Web Agents via REST

OPENAM-12173: NumberFormatException for AuthLevel in OAuth2 logs

OPENAM-12984: Access Token Endpoint issues search request against datastore for OAuth Client

OPENAM-13031: Failed search for non-existent user in datastore when fetching session properties and user profile is set to ignore

OPENAM-13085: WSFederation Active Request Profile authentication request hangs on input-less scripted modules

OPENAM-13128: invalid error message returned when user with expired password authenticates with persistent cookie module

OPENAM-13236: Amster tries to load custom service subconfiguration before loading realm level configurations

OPENAM-13245: Omitting Node.Metadata annotation kills the loading of all plugins in AM

OPENAM-13308: LdapDecisionNode failes when Return UserDN to Datastore is set to false

OPENAM-13316: LDAP Decision Node does not return Inactive Account result correctly in eDirectory

OPENAM-13330: Improve SessionResource Authz Module processing

OPENAM-13347: Inner Tree Node "tree" choice field not populated after upgrade

OPENAM-13426: EncryptSAMLIDPSPBasicAuthPwdStep fails in upgrade

OPENAM-13456: AM 6 XUI custom FooterTemplate.html and LoginHeaderTemplate.html not being applied

OPENAM-10296: Session UI only allows searching for users in datastore

OPENAM-11240: "Skip This Step" button on the ForgeRock Authenticator (OATH) screen is missing (HOTP)

OPENAM-11962: Calling Logout and passing a goto URL parameter with an expired session, goto URL is ignored

OPENAM-12209: 'acr' and 'acr_sig' parameters can become duplicated during step-up authn, should not be present in url

OPENAM-12338: policies?_action=evaluate checks all policy sets

OPENAM-13053: ScriptingService doesn't add the new values to whitelist during upgrade

OPENAM-13078: ScriptedDecisionNode exposes headers in a case sensitive map

OPENAM-13090: Social Authentication Implementations UI does not accept an auth tree

OPENAM-13102: Device Match - Server side script fails when error level logging is enabled.

OPENAM-13138: 500 internal server error if user does not have a session when providing user code in OAuth2 device flow

OPENAM-13144: DeviceID Profiles are not saved

OPENAM-13157: DCustom Authentication Nodes not being exported correctly

OPENAM-13249: AM 6 doesn't recognize custom templates and partials

OPENAM-13298: OIDC requests with claims request parameter fail

OPENAM-12419: Policy rules not updated when external configuration store connection restarted

OPENAM-12784: ProviderConfiguration is not spec compliant

OPENAM-12867: IdP-Proxy - Single Logout fails as LogoutResponse is not signed

OPENAM-12912: Upgrade 5.5.x --> 6.x fails if Amster has been used at some point to export/import

OPENAM-13082: address claim in default OIDC claims script outputs non-spec compliant format

OPENAM-13083: Profile KBA: custom questions are not displayed

OPENAM-13100: LDAP Decision node fails with NPE when used with Active Directory

OPENAM-4040: SSO failure between SPs in separate CoTs with same hosted IDP

OPENAM-12938: ODSEE fails to load identities

OPENAM-13006: Missing upgrade steps for OAuth2 ID Token SIgning and Encryption Algorithms

OPENAM-13008: Occasional shutdown error for AM

OPENAM-13068: Sample Facebook-ProvisionIDMAccount auth tree has wrong "connections"

OPENAM-13074: Fix UI sections for authentication modules

OPENAM-13084: Entity Import ordering in amster

OPENAM-13099: AM Overview Sample Monitoring Dashboard session metrics also count changes to authentication sessions

OPENAM-13103: AM Overview Sample Monitoring Dashboard policy throughput metrics not grouped by AM instance

OPENAM-12703: UnsupportedOperationException seen on SAML related session logout

OPENAM-12626: OIDC endSession endpoint does not call post authentication plugin onLogout functions

OPENAM-12553: IdP Logout is ignored when using SAML2 Auth module and trying to use a goto

OPENAM-12477: id_token requested using grant_type=authorization_code returns auth_time in milliseconds

OPENAM-12418: Unable to access Forgerock OATH for users with Profile when caching disable

OPENAM-12415: Self-Service KBA questions of TopLevel Realm(or Global Service) override SubRealm's

OPENAM-12413: Enabled "'Return User DN to DataStore" of LDAP auth-module is resulting in one redundant search for "uid=uid=demo" in the configuration store

OPENAM-12412: Multi-valued LDAP attributes are not added to the OIDC id_token as expected

OPENAM-12380: Client ip audit logging is not storing as IP but a list of IPs

OPENAM-12377: WS-Fed extended metadata with unknown COT value should generate an error

OPENAM-12370: JWT verification fails when token idle time is too long

OPENAM-12357: ssoadmin tools distro include release canditate libraries

OPENAM-12333: AMIdentitySubject policy evaluation not cache when a lot of groups and datatsore is use with delegated admin

OPENAM-12252: Delegated admin with Stateless Session, causes Admin Console failure.

OPENAM-12245: "Authentication by Module Instance" policy env condition doesn't work in session upgrade case

OPENAM-12244: Monitoring services unable to connect to Port

OPENAM-12234: Values for objects of type com.sun.xml.bind.util.ListImpl are not printed in debug logs

OPENAM-12226: Device Match - server side script fails

OPENAM-12219: Resource leak in MonitoringAdapters#getMonAuthList

OPENAM-12194: SLO with the SAML2 Auth Module PAP redirects to 'XUI/nullnull' when IDP has no SingleLogoutService defined

OPENAM-12166: Resource #3.0 logoutByHandle request fail with status 500 error

OPENAM-12161: Expires attribute in WS-Fed Active Requestor Profile is expected but is optional

OPENAM-12144: getSessionInfo endpoint _fields parameter doesn't work

OPENAM-12135: OIDC token generated with datastore module takes case from request rather than from the datastore

OPENAM-12109: Syslog Audit Event Handler buffer size should be configurable

OPENAM-12082: Outlook with WS-Fed uses cached credential after AD password change.

OPENAM-12075: OIDC without a datastore returns "User must be authenticated to issue ID tokens"

OPENAM-12062: XUI DashBoard does not show trusted devices etc if user search attribute of the data store is not 'uid'

OPENAM-12054: Cumulative upgrades of OpenAM (e.g. 5.1.0 to 5.5.0 to 5.5.1) fail with "Writing Backup; Failed!" error

OPENAM-12026: Self-service user registration gets "Bad Request" on LDAP error 19

OPENAM-12022: Self-service registration for existing user displays "Detected conflict in request"

OPENAM-12011: Session is not refreshed reliably when using oauth2/authorize endpoint

OPENAM-11994: NullPointerException in ResourceOwnerOrSuperUserAuthzModule.getUserIdFromUri

OPENAM-11988: HTTP 500 when validating SSO tokens if API version is omitted in AM 5.5

OPENAM-11980: Social OIDC wizards do not work when provisioning accounts locally

OPENAM-11976: XUI Session query session by username does not work with +

OPENAM-11968: SAML2 Auth Module does not accept SAML2 AuthResponse with no SessionIndex

OPENAM-11966: saml2 SSO 'better' auth'n comparison fails with 'Invalid status code in response'

OPENAM-11961: KBA update fails if Self-service is configured in sub-realm and root realm has no datastore

OPENAM-11956: SAML2 RelayState values are seen as invalid if they are not a URL which appears to go against the spec

OPENAM-11944: REST OAuth2 creation triggers objectClass=* search

OPENAM-11937: Federation UI does not allow empty NameIDMappingService

OPENAM-11925: CORSFIlter causings failures after moving to 5.x from 13.5.x

OPENAM-11909: Demo user creation is based on whether a userCfg is specified, rather than when it's set to embedded

OPENAM-11829: SSOToken idletime reset even when it shouldn't be

OPENAM-11818: Oauth2 authn module incorrectly POST state parameter to token endpoint

OPENAM-11789: User remains on 'Loading' page with 'OAuth2.0/OIDC' auth module if authId token expires before entering credentials

OPENAM-11759: Memory leak affecting policy evaluation for stateless sessions

OPENAM-11746: Syslog data is not fully RFC compliant

OPENAM-11678: 'Oldest' REST passwordreset selfservice unusable

OPENAM-11673: Policy evaluation response is incorrect if the URL query string sent for evaluation contains the string ://

OPENAM-11661: Prevent Restlet from adding the Server header

OPENAM-11548: Improve Scope validator class loading error handling

OPENAM-11547: Missing entry or corrupted value in "com.iplanet.am.version" causes upgrade failure

OPENAM-11491: Upgrading OpenAM results in failure due to restSMS.xml

OPENAM-11477: SLO through IDP Proxy loses the RelayState

OPENAM-11432: Extra space in Policy 's Resource Type will cause policy evaluation to fails

OPENAM-11402: OpenAM does not enforce OAuth2 spec for "Resource Owner Password Credentials Grant" flow

OPENAM-11398: OpenAM ACI installation instruction does not work for OpenDJ productionMode

OPENAM-11157: Oauth2/OIDC Authentication redirect goto value wrong when behind reverse proxy

OPENAM-10673: SAML2 authentication module fails to redirect to IDP after failing DeviceID match module

OPENAM-10619: Post Authentication Plugin not run during session upgrade

OPENAM-10591: Generate more debug details about the JSON that is failing when JsonPolicyParser throws a UNABLE_TO_SERIALIZE_OBJECT exception

OPENAM-9717: TimerPool deadlock on ssoadm shutdown (client SDK)

OPENAM-9629: OAuth2 flow creates GENERIC CTS tokens that never expire

OPENAM-8264: Insufficient validator for service property 'iplanet-am-auth-hmac-signing-shared-secret'

OPENAM-7911: Improve Error Message: "Invalid Suffix"

OPENAM-5991: IP Address logging in SAML2 audit logs is not consistent

OPENAM-5865: AuthLevelCondition will not retrieve request auth level for a capital-letter realm.

OPENAM-1167: WindowsDesktopSSOConfig ClassCastException on saving configuration in admin UI

Using the Documented CORS Filter With IDM Integration Causes Errors

When configuring IDM to delegate authentication to AM, as described in the IDM Samples Guide, you must configure AM with a cross-origin resource sharing (CORS) filter.

However, when you use a CORS filter based on the org.forgerock.openam.cors.CORSFilter filter class, Unexpected End of JSON Input errors occur.

To work around the problem, configure AM's web.xml file as described in "Enabling CORS Support" in the Installation Guide, but use a CORS filter specific to the AM web container instead of using a filter based on the org.forgerock.openam.cors.CORSFilter filter class. For example, for Apache Tomcat, use a filter based on the org.apache.catalina.filters.CorsFilter filter class:

OAuth2 Scopes Behavior Affected by Upgrade

After an upgrade from OpenAM 12.0.x, OAuth v2.0 scope behavior uses a deprecated implementation class, org.forgerock.openam.oauth2.provider.impl.ScopeImpl.

The workaround is to manually update the OAuth v2.0 providers to use the org.forgerock.openam.oauth2.OpenAMScopeValidator.

For background information, see OPENAM-6319.

Supported ID Token Algorithms and Methods not Updated After Upgrade

AM 5 added additional algorithms and methods for encrypting ID tokens. Performing an upgrade from OpenAM 13.5 does not add these new values to the affected properties.

After upgrade, navigate to Realm Name > Services > OAuth2 Provider > OpenID Connect, and manually update the ID Token Encryption Algorithms supported and ID Token Encryption Methods supported properties.

For more information on the available algorithms and methods, see "Encrypting OpenID Connect ID Tokens" in the OpenID Connect 1.0 Guide.

Different AM Version Within a Site

Do not run different versions of AM together in the same AM site.

Avoid use of Special Characters in Policy or Application Creation

Do not use special characters within policy, application or referral names (for example, "my+referral") using the Policy Editor or REST endpoints as AM returns a 400 Bad Request error. The special characters are: double quotes ("), plus sign (+), command (,), less than (<), equals (=), greater than (>), backslash (\), and null (\u0000). (OPENAM-5262)

XACML Policy Import and Export

AM can only import XACML 3.0 files that were either created by an AM instance, or that have had minor manual modifications, due to the reuse of some XACML 3.0 parameters for non-standard information.

Custom Profile Attributes Are Not Visible in the User Profile Only With the XUI

Custom profile attributes do not appear in the user profile when users log in to AM using the XUI.

OPENAM-4713: Can't use Common Tasks wizards when logged in as a delegated administrator

OPENAM-9777: Json Web Key URI in OAuth2 OpenID connect client config pre-populated incorrectly

OPENAM-10377: Agent creates unexpired tokens which are not deleted from CTS

OPENAM-12508: import-entity for SAML remote SP does not work anymore

OPENAM-14146: administrative authentication is not triggered for XUI-based console

OPENAM-14207: NullPointerException AM Console if IDPSSODescriptor is missing attribute 'WantAuthnRequestsSigned'

OPENAM-14215: Automatic login fails after Self Registration with Authentication Trees

OPENAM-14229: custom AuthorizeTemplate under theme not used

OPENAM-14234: NullPointerException in SP-initaited SSO if IDPSSODescriptor is missing attribute 'WantAuthnRequestsSigned'

OPENAM-14240: FMSigProvider.verify does not tell if certificates are provided

OPENAM-14245: Console error when adding entity to circle of trust

OPENAM-14277: IdP-Proxy - SP part prompts for authentication if no local user can be found

OPENAM-14290: Caching issue for 'users' REST endpoint

OPENAM-14309: Import of SAML2 Metadata not signed on EntityDescriptor fails.

OPENAM-14343: AM console - localisation issue for algorithms in global Common Federation Configuration

OPENAM-14499: SAML IdP-initiated SSO without existing SSO Session - value of 'goto' parameter not URLencoded

OPENAM-14500: SAML SP-initiated SSO without existing SSO Session - value of 'goto' parameter not URLencoded

OPENAM-14576: Configuration LDAP accessed when users endpoint accessed

OPENAM-14580: IdP-initiated ManageNameID request fails with "unsuported binding" when IdP meta alias is incorrect.

OPENAM-14594: Possible thread-safety issue in OIDC pairwise subject identifiers

OPENAM-14624: XUI fails to load partial potential issue with webpacks

OPENAM-14755: NullPointerException if auth module callback xml file can not be retrieved by ResourceLookup

OPENAM-14782: AuthTree created Session does not use per User Session Service settings

OPENAM-14808: "User name/password combination is invalid." error message shown when provided with incorrect cookie domain

OPENAM-14848: Insufficient debug logging in OpenID Connect authentication module

OPENAM-14849: Insufficient debug logging in Scripted authentication module

OPENAM-5867: Data Store LDAP server (admin-ordered) list is reordered by OpenAM

OPENAM-13720: Public API method LDAPUtils.convertToLDAPURLs can not handle IPv6 literals

OPENAM-13740: File descriptor / Connection leak when LDAP connection handshake fails/times out

OPENAM-13856: Activity audit events are logged for authentication sessions

OPENAM-13860: REST API "PUT /global-config/realms/{realmref}" broken

OPENAM-13890: Install.log logs AMLDAPUSERPASSWD in plaintext

OPENAM-13892: Erroneous "Response's InResponseTo attribute is not valid error SAML2 failover is enabled" when is is not

OPENAM-13899: XUI - USS - Forgotten Password flow without KBA ends up in a loop

OPENAM-13904: Authentication via REST API - Switching realms is not possible

OPENAM-13905: XUI Authentication - Switching realms is not possible

OPENAM-13934: saml2error.jsp fails with exception when malformed SAML2 response given

OPENAM-13940: Session quota limits not applied when using trees

OPENAM-13978: Session Upgrade - AuthLevel format changes