Changes to Existing Functionality

This chapter covers both "Critical Changes" and "Important Changes" to existing functionality.

Critical Changes

As part of planning your upgrade, you need to consider that certain changes in later AM versions may have an impact on your environment. Usually, these changes are driven by changes in specification, security policies, or performance.

When possible, the upgrade process makes the appropriate changes on AM configuration. However, sometimes you will need to perform additional configuration based on your environment needs.

In addition to mandatory upgrade steps outlined in Upgrading AM Instances, if you are using features described in the following table you will need to perform additional upgrade tasks:

Critical Changes to Existing Functionality
AM VersionComponent or FeatureChange
7.1Decompressed JWTs

By default, AM rejects any JWT that expands to more than 32 KiB (32768 bytes) when decompressed. For more information about changing this default value, see "Controlling the Maximum Size of Compressed JWTs".

Request Body Size

By default, AM rejects incoming requests with a body larger than 1 MB (1048576 bytes) in size. For more information about changing this default value, see "Limiting the Size of the Request Body".

Pre-Approval for Redirection URIs Enforced

This change affects AM when acting as an OAuth 2.0 and OpenID Connect client.

If a redirection URI uses a scheme, host, or port that differs from that of AM, you must now add it to the global validation service to ensure that it is pre-approved. This is described in "Configuring Success and Failure Redirection URLs".

Otherwise, AM rejects the URI, and redirection fails.

Subject Claim in Access and ID Tokens

The subject claim of access tokens and ID tokens has changed formats to ensure that it is locally unique. The new format is not enforced after upgrading to AM 7.1, but new installations default to it.

The org.forgerock.security.oauth2.enforce.sub.claim.uniqueness advanced server property controls the format of the sub claim.

Before enabling it, ensure that your clients can use the new sub claim format, or a combination of the sub and the subname claims.

The "Retry Limit Decision Node"

The new Save Retry Limit to User feature in this node is enabled by default after upgrade and requires upgrading the identity store schema.

Ensure you update the schema following the instructions in Upgrading AM Instances, or disable the feature. ForgeRock recommends keeping it enabled for security reasons.

Failure to take any of the actions will break the authentication journey for trees using this node.

One-Time Passwords in Authentication Nodes

One-time passwords created by the "HOTP Generator Node" are now stored in the authentication tree's transient state.

Modify any custom authentication nodes or scripts used by the "Scripted Decision Node" to retrieve the one-time passwords from the transient state after upgrading to AM 7.1.

7User Profile Whitelist

The profile attribute whitelist controls the information returned to non-administrative users when accessing json/user endpoints.

Common profile attributes are whitelisted by default, but you need to add any custom attribute you want your non-administrative users to see. For more information, see "Configuring the User Profile Whitelist".

/json/authenticate Endpoint

When a client makes a call to the /json/authenticate endpoint appending a valid SSO token, AM returns the tokenId field empty if HttpOnly cookies are enabled. For example:

{
    "tokenId":"",
    "successUrl":"/openam/console",
    "realm":"/alpha"
}
Secure Authentication Tree State Secret ID

An AES 256-bit key called directenctest must be available in the environment during upgrade, but it does not need to be the same key that AM provides on the default keystore.

After upgrade, ensure that the am.authn.trees.transientstate.encryption secret ID is always mapped to an existing, resolvable secret or key alias. Failure to do so may result in trees not working as expected.

The Embedded DS

The embedded DS can only be used for single AM instances, for test and demo purposes. Sites are not supported.

Sites using embedded DS servers must be migrated to external DS servers before upgrading.

SAML v2.0 Secrets

AM 7 migrated SAML v2.0 to use secret stores. The upgrade process only creates the secret store files on the AM instance where you ran the upgrade process. For more information, see "Configuring Secret Stores After Upgrade".

goto and gotoOnFail Query Parameter Redirection

Redirection URLs for authentication services, agents, and SAML v.2.0 must be configured in the Validation Service if they are not in the same scheme, FQDN, and port as AM, or are not relative to AM's URL.

Web Agents of a Version Earlier than 5.6.3

Several properties that used to be configured as custom properties (com.sun.identity.agents.config.freeformproperties) have been added as regular properties. Due to this change, upgrading to AM 7 will overwrite the value of the original custom properties with the default value of the new UI properties.

To work around this issue, perform one of the following actions:

  • Upgrade to Web Agents 5.6.3 or later before upgrading to AM 7.

  • After upgrading to AM 7, reconfigure the properties that you configured as custom properties in their new UI counterparts.

Changes on the CTS Reaper Tuning Properties

AM 7 changes the way the CTS reaper searches for expired tokens.

After upgrading, retune the CTS Reaper using the information in "Reaper Search Size".

OpenID Connect Clients Authenticating with JWTs

OpenID Connect clients authenticating with JWTs must include in the JWT a jti claim containing a unique identifier, in line with OpenID Connect Core 1.0 incorporating errata set 1.

Cookie Filter

AM flags cookies as secure if they come through a connection marked as secure, or if they come through HTTPS. See "Managing the Secure Cookie Filter".

6.5.0.2 // 6.5.1OAuth 2.0 Refresh Tokens

AM only issues refresh tokens to clients that have the refresh token grant type configured in their client profile.

After an upgrade to 6.5 or later using the UI or the openam-upgrade-tool .jar file, existing OAuth 2.0 clients are configured to use all grant flows, including the Refresh Token Grant flow.

To configure the refresh token grant type manually, see "To Configure AM to Issue Refresh Tokens".

6.5Recovery Codes

Recovery Codes are encrypted, and existing codes are no longer displayed to the user. For more information, see "Upgrading Device Recovery Codes".

Secret Stores

AM 6.5 introduced secret stores for OAuth 2.0 and the persistent cookie module. The upgrade process only creates the secret store files on the AM instance where you ran the upgrade process. For more information, see "Configuring Secret Stores After Upgrade".

External Configuration Store

DS 6.5 introduced setup profiles, which pre-configure instances for different usages, such as CTS or configuration data. The default base DN for a DS configuration store instance (ou=am-config) is different than the default used by previous versions of AM (dc=openam,dc=forgerock,dc=org).

You should not attempt to run multiple instances of AM where the configuration store base DNs do not match. Use the same configuration store base DNs when configuring external DS 6.5+ instances that will be used simultaneously alongside existing DS 6 or earlier configuration store instances.

For more information, see "Preparing Configuration Stores".

6json/ Endpoints

AM's CSRF protection filter requires that either the X-Requested-With or the Accept-API-Version headers are included on requests to endpoints under the json root. For more information, see "Reviewing REST API Versions Before Upgrading".


Tip

For information on the endpoints deprecated or removed in previous versions, and their current equivalents, see the following Knowledge Base article.

Important Changes

This section lists changes done to existing functionality, services, endpoints, and others in the current release of AM.

AM 7.1
  • The SAML v2.0 IdP Discovery Service Now Requires Configuring a List of Valid Redirection URLs

    The IdP discovery service application now includes a mandatory field to configure valid redirection URLs. Those are, for example, the URLs of the SPs configured in the CoT the discovery service belongs to.

    After upgrading to AM 7.1, you must:

    • Redeploy the IdP discovery application and reconfigure it to include the valid redirection URLs.

    • Configure the valid redirection URLs in the Validation Service of each of the IdPs, in the Top Level Realm.

    For more information, see:

  • The Example Remote Consent Service Now Uses Secret Stores

    The Remote Consent Service example has been migrated to use AM's secret store functionality.

    As part of this change, the example Remote Consent Service signing and encryption fields have been removed in the global and realm service configurations. The following secret IDs have been created in their place:

    The following table shows the secret ID mappings used for the example Remote Consent Service:

    Secret IDDefault AliasAlgorithms
    am.services.oauth2.remote.consent.response.signing.RSArsajwtsigningkey
    RS256
    RSA (at least 2048 bits)
    am.services.oauth2.remote.consent.request.encryptionselfserviceenctest
    RSA-OAEP-256
    RSA (at least 2048 bits)

    For more information, see "To Configure the AM Example Remote Consent Service".

    If you have the Remote Consent Service example configured before upgrading, the upgrade process will migrate any secret configuration available to global or realm secret stores.

  • Changes to the sub Claim in Access Tokens and ID Tokens

    The subject claim of access tokens and ID tokens has changed formats to ensure that it is locally unique, as required by the OpenID Connect specification. The new Backchannel logout tokens also use the new format.

    The subject claim is in the format (type!subject), where:

    • subject is the identifier of the user/identity, or the name of the OAuth 2.0/OpenID Connect client that is the subject of the token.

    • type can be one of the following:

      • age. Specifies that the subject is an OAuth 2.0/OpenID Connect-related user-agent or client. For example, an OAuth 2.0 client, a Remote Consent Service agent, and a Web and Java Agent internal client.

      • usr. Specifies that the subject is a user/identity.

    For example, (usr!demo), or (age!myOAuth2Client).

    Clients using the sub claim to determine the identity about which the token asserts information are impacted by this change. To make transitioning to the new format as painless as possible, AM 7.1 also includes the following:

    • A new advanced server property, org.forgerock.security.oauth2.enforce.sub.claim.uniqueness.

      The property controls whether AM should create tokens using the new sub claim format or not, and it is disabled after an upgrade to AM 7.1, and enabled in new installations.

      Tokens using the old sub format will still be accepted after the property is enabled. However, earlier versions of AM cannot read tokens with the new format.

    • A new claim: subname.

      The value of the subname claim matches the value of the sub claim as it was returned in earlier versions of AM, or as returned in AM 7.1 when the new advanced server property is disabled.

      An example of the value of the subname claim is demo, or myOauth2Client.

      AM adds the subname claim to access and logout tokens regardless of the configuration of the new advanced server property. The claim is also available to ID tokens, but it is not included in the OIDC Claims Script. Therefore, AM does not add it to ID tokens by default.

    Before enabling the advanced server property, ensure that your clients can use the new sub claim format, or a combination of the sub and the subname claims.

  • Maximum Size of Decompressed JWTs Enforced

    A number of AM features accept JWTs to receive information. Some examples are:

    • The Remote Consent service, when it receives consent responses.

    • The OAuth 2.0/OpenID Connect authorization service, when:

      • OpenID Connect clients send request parameters as an encrypted JWT instead of as HTTP parameters.

      • OpenID Connect clients register dynamically using software statements.

    • The Authentication service, when configured to issue client-based sessions.

    These JWTs that AM receives can be signed and/or encrypted. Sometimes, if they are fairly large, they can also be compressed so that requests reach AM faster.

    Decompressing a JWT makes it expand in size. By default, AM 7.1 rejects any JWT that expands to more than 32 KiB (32768 bytes).

    Before upgrade, ensure that the decompressed JWTs your clients send to AM are smaller than 32 KiB before compression. If not, change the default value to a larger number after upgrade.

    For more information about changing the default value, see "Controlling the Maximum Size of Compressed JWTs".

  • Maximum Size of Request Body Enforced

    Application servers can usually mitigate against DoS attacks that POST large amounts of form data, but AM endpoints may receive large amounts of POST data in different ways, such as in JSON, JWT, or JWK formats.

    By default, AM 7.1 rejects incoming requests with a body larger than 1 MB (1048576 bytes) in size, and returns an HTTP 413 error response.

    For more information about changing the default value, see "Limiting the Size of the Request Body".

  • Changes to Web and Java Agent Profiles

    • Web Agents

      • AM Load Balancer Cookie Enabled (com.forgerock.agents.config.add.amlbcookie)

      The Agent Profile ID Whitelist property is now Agent Profile ID Allow List.

    • Java Agents

      • Load Balancer Cookie Enabled (org.forgerock.agents.load.balancer.cookies.enabled)

      • Load Balancer Cookie Name (org.forgerock.agents.load.balancer.cookie.name)

      • Client IP Validation Mode (org.forgerock.agents.original.ip.check.mode.map)

      • Client IP Validation Address Range (org.forgerock.agents.acceptable.ip.address.map)

      • Perform Policy Evaluation in User Authenticated Realm (org.forgerock.agents.user.realm.overrides.policy.evaluation.realm.enabled)

      • Accept SSO Tokens (org.forgerock.agents.accept.sso.tokens.enabled)

      • SSO Cookie Domain List (org.forgerock.agents.ipdp.cookie.domain.list)

      • Expired Session Cache Timeout (org.forgerock.agents.sso.expired.session.cache.ttl.minutes)

      • Expired Session Cache Max Records (org.forgerock.agents.expired.session.cache.size)

      • HTTP 302 Redirects Enabled (org.forgerock.agents.302.redirects.enabled)

      • HTTP 302 Redirect Replacement HTTP Code (org.forgerock.agents.302.redirect.http.status.code)

      • HTTP 302 Redirect Content Type (org.forgerock.agents.302.redirect.http.content.type)

      • HTTP 302 Redirect Data (org.forgerock.agents.302.redirect.http.data)

      • HTTP 302 Redirect Not Enforced List (org.forgerock.agents.302.redirect.ner.list)

      • HTTP 302 Redirect Invert Not Enforced List (org.forgerock.agents.302.redirect.invert.enabled)

      The CDSSO Secure Enable property is now Transmit Cookies Securely.

      • Secure Cookies (org.forgerock.agents.jwt.cookie.secure.enabled)

      • Session Logout Notification (org.forgerock.agents.session.change.notifications.enabled)

      • Debug Logfile Directory (com.iplanet.services.debug.directory)

      • Audit Logfile Path (org.forgerock.agents.local.audit.file.path)

      • Service Resolver Class Name (org.forgerock.agents.service.resolver.class.name)

  • The OpenID Connect Discovery Endpoint is Now Disabled by Default

    The /.well-known/webfinger OpenID Connect discovery endpoint is now disabled by default, and can only be enabled by realm.

    To enable the endpoint for a realm, configure the OAuth2 Provider service on the realm and next, enable the new OIDC Provider Discovery switch. Enabling the endpoint for the realm allows searches for users within that realm only.

    After upgrading to AM 7.1, the endpoint will be enabled on realms that had the OAuth2 Provider service configured. Disable the endpoint on those realms that are not using OpenID Connect discovery.

    For more information about the endpoint, see "OpenID Connect Discovery".

  • Changes to the OAuth 2.0 and OpenID Connect Clients

    AM 7.1 returns an error if the administrator tries to save a client configuration containing an unsupported signing or encryption algorithm.

    For example, upon saving the configuration, AM will return an error if there is a typo on an algorithm, or a symmetric signing or encryption algorithm is configured on a public client: these algorithms are derived from the client's secret, which public clients do not have.

    Clients registering dynamically must also send supported algorithms as part of their configuration, or AM will reject the registration request.

    Different features support different algorithms. Refer to the documentation or to the UI for more information.

    The following are examples of the errors:

    • Unknown encryption algorithm configured for User info encrypted response algorithm

    • Symmetric encryption algorithm configured for ID Token Encryption Algorithm is not allowed for a public client

    The error messages are also logged at ERROR level, and identify the client ID that the error relates to.

  • One-Time Passwords Now Stored in Transient State

    One-time passwords created by the "HOTP Generator Node" are now stored in the authentication tree's transient state, instead of in the shared state.

    Modify any custom authentication nodes or scripts used by the "Scripted Decision Node" to retrieve the one-time passwords from the transient state after upgrading to AM 7.1.

    For more information about the transient state, see "Storing Secret Values in Transient Tree State and the Secure State".

Read a different version of :