Fixes, Limitations, and Known Issues

This chapter covers the status of key issues and limitations at release 7.1.

Key Fixes

AM 7.1
  • OPENAM-17396: Terms of Service URI Link does not Display in Consent Page

  • OPENAM-17395: SocialOpenIdConnectNode fails to recover from client's connection reset

  • OPENAM-17365: Checking agent type with caller token can cause deadlock

  • OPENAM-17364: Prompt login / session upgrade / OIDC ACR looping with trees

  • OPENAM-17361: API Explorer Swagger Template body needs modified to include configExport, debugLogs and threadDump as per the API Documentation

  • OPENAM-17357: Remote Consent Service RCS does follow RCS consented scope when authorization endpoint accessed without any scope

  • OPENAM-17353: HTML pages are not picked up when placing in a theme folder

  • OPENAM-17349: OIDC Refresh token - Ops token is deleted from the CTS during refresh

  • OPENAM-17343: Access token call returns 500 error if password needs to be changed or has expired

  • OPENAM-17322: SAML2 bearer grant returns NoUserExistsException

  • OPENAM-17317: A realm without any modules can cause increased thread count and slow response.

  • OPENAM-17276: AM recorder does not record anymore

  • OPENAM-17271: Typo for Realm in SAML/Federation debug

  • OPENAM-17260: Allow arg=newsession usage in authorize calls

  • OPENAM-17242: OAuth2 Policy - Environment Condition AuthLevel >= doesn't work for ROPC grant

  • OPENAM-17220: OAuthLogout.jsp compilation error isGotoUrlValid method signature not found

  • OPENAM-17199: Insufficient debug logging for 'DJLDAPv3Repo.getAssignedServices'

  • OPENAM-17156: Adaptive Risk checkGeoLocation null countryCode can cause module fail.

  • OPENAM-17136: OAuth2 Dynamic Client Registration does not recognise recognised spec defined parameters

  • OPENAM-17121: Inefficient synchronized block in OAuth2ProviderSettingsFactory

  • OPENAM-17114: Save Consent check box always shown, even when not configured

  • OPENAM-17097: Inconsistent scope policy evaluation between authorize and ROPC

  • OPENAM-17089: Forgot password functionality broken

  • OPENAM-17070: SAML2 SP intiated SSO with AM as idp Proxy, RelayState is not returned from proxy after idp authentication

  • OPENAM-17060: Audit Logging "Resolve host name" is still available after OPENAM-7849

  • OPENAM-17037: AM Upgrade from to 7.0.0 causing NPE

  • OPENAM-17034: In a realm if User Profile is set to Ignored the realm level Session Service quota settings is also ignored and only the Session Service setting at top level/global is evaluated

  • OPENAM-17017: REST STS fails with unable get get sub-schema if cache is refreshed while updating REST config

  • OPENAM-17006: Hosted SAML entity - can not remove bindings

  • OPENAM-16998: Poor logging around failures "Invalid Assertion Consumer Location specified"

  • OPENAM-16997: Device code grant implied consent fails if access_token request performed before user authenticates

  • OPENAM-16988: Accessed endpoint including port causes verify Assertion Consumer URL to fail

  • OPENAM-16955: When setCookieToAllDomains=false is used, a non matching request from other domain will fail

  • OPENAM-16947: Kerberos Node in 7.0 fails to return goTo(false)

  • OPENAM-16944: Regression in OPENAM-15649. LdapDecisionNodes fails if inetuserstatus does not exist

  • OPENAM-16936: Tree nodes create new keystore object each time node is called.

  • OPENAM-16935: Logout issue after logging into AM with 'Remember my username' selected with iOS 14.0.1

  • OPENAM-16934: sm.getSchemaManager has a typo including a comma

  • OPENAM-16926: Success URL node doesn't work with SAML Node for Idpinit when not using Integrated mode

  • OPENAM-16910: Can not create SAML entity with entity id including a semicolon ';'

  • OPENAM-16907: Kerberos Node in 7.0 does not work

  • OPENAM-16904: OIDC bearer module fails with NPE when id_token does not contain kid

  • OPENAM-16883: AM ignores AuthnRequestsSigned property during SSO

  • OPENAM-16876: Default ACR values on OIDC client profile is not honoured in order of preference

  • OPENAM-16866: AM should fail gracefully if id_token fails to generate when swapping refresh token

  • OPENAM-16849: WeChat Social Auth module broken (regression)

  • OPENAM-16848: Choice Collector and WDSSO node combination does not work if whitelisting is enabled

  • OPENAM-16847: AM email service failing with 'Start TLS' option

  • OPENAM-16838: AuthenticationApproachChecker does not handle session upgrade modules

  • OPENAM-16823: IDM Nodes does not send or propagate transactionId tracking when contacting IDM

  • OPENAM-16807: The dynamic values for request_uri being stored in client config does not expire and is not automatically removed

  • OPENAM-16801: SAML2 SP init SSO fails after upgrade to 7.0.0

  • OPENAM-16784: Upgrade to 7 fails with NullPointerException in Saml2EntitySecretsStep

  • OPENAM-16769: Enabling Auto-federation when User Profile is Dynamic on SP causes SP to hang during SAML flow

  • OPENAM-16758: Cannot install AM 7 on Windows

  • OPENAM-16745: client_id in access token ignores what's been registered when idm cache is disabled

  • OPENAM-16726: Insufficient debug logging for OAuth2 error 'invalid_client Server does not support this client's subject type'

  • OPENAM-16703: OAuth2 Access token obtained from refresh token is certificate-bound regardless of "Certificate-Bound Access Tokens" configuration (when client_secret_basic used for credentials)

  • OPENAM-16701: The authorize endpoint with a service parameter will cause the parameter to appear as a PAP claim in the agent's ID token

  • OPENAM-16684: OIDC Dynamic Registration client_description cannot take String type

  • OPENAM-16669: IdentityGateway Agent entry missing attribute required to support org.forgerock.openam.agent.TokenRestrictionResolver#getAgentInfo

  • OPENAM-16617: SuccessURL session property is set to gotoURL in authentication tree

  • OPENAM-16608: AM with embedded DS setup fails with permission denied for truststore

  • OPENAM-16583: Crucial information is missing when encountering LDAP connections issue.

  • OPENAM-16556: Radius Server's does not log IP address into AM Audit logs

  • OPENAM-16555: Audit logging does not tell which policy allowed or denied a resource request

  • OPENAM-16540: Issues with Social Login URLs when navigating quickly between providers

  • OPENAM-16535: "JWKs URI content cache miss cache time" is not triggered when "kid" is missing from cached JWK Set

  • OPENAM-16515: Social auth - insufficient debug logging for troubleshooting

  • OPENAM-16485: 'Failed Login URL' is not picked up from the auth chain

  • OPENAM-16472: Proxied Authentication fallback may not work when user entry lack some attributes

  • OPENAM-16450: 501 when default resource version set to "oldest" and Accept-API-Version header set

  • OPENAM-16418: private_key_jwt client auth fails with 500 if claim format is wrong

  • OPENAM-16368: Settings of Mail and Scripting global service properties are overwritten at upgrade

  • OPENAM-16367: OIDC request_uri response causes NPE while debug logging

  • OPENAM-16354: Concurrency bug in OAuth2ProviderSettingsFactory

  • OPENAM-16338: Failing REQUISITE module after SUFFICIENT Device Match doesn't fail chain properly

  • OPENAM-16157: Session Property Whitelist Service allows case variant Property Names but DS is not case sensitive

  • OPENAM-16152: After upgrade, new Identity page has duplicate 'new identity' field and email address does not save

  • OPENAM-16006: Device Code Grant does not work with Implied Consent as Authorization is not approved even after consented

  • OPENAM-15963: Historical retention files ( csv ) were not deleted

  • OPENAM-15948: Update DS profiles to add VLV indexes for CTS use

  • OPENAM-15743: Excessive CTS logging when Reaper is disabled (

  • OPENAM-15671: LoginContext is missing debug logging for troubleshooting

  • OPENAM-15663: UserInfoClaims is not part of public API

  • OPENAM-14898: OTP Email Sender Authentication Node fails if no SMTP authentication credentials are specified

  • OPENAM-14682: Microsoft Social Auth fails when creating an Microsoft account (Legacy OAuth2)

  • OPENAM-14527: Microsoft Social Auth does not work with latest MS endpoints (Legacy OAuth2)

  • OPENAM-12503: SizeBasedRotationPolicy does not delete oldest file


The following limitations and workarounds apply to AM 7.1:

  • Evaluation Installation Limitations

    In some cases, installing AM for evaluation purposes will fail with a message similar to the following if the JDK's default truststore's permissions are 444:

    $JAVA_HOME/lib/security/cacerts (Permission denied), refer to install.log under /usr/share/tomcat/access/var/install.log for more information.

    To work around this issue, locate the truststore that your container is using and change its permissions to 644 before installing AM:

    $ sudo chmod 644 $JAVA_HOME/lib/security/cacerts

    You can change the permissions back as they were originally after installing AM.

  • Identity and Data Store Scaling Limitations

    The connection strings to the data or identity stores are static and not hot-swappable. This means that, if you expand or contract your DS affinity deployment, AM will not detect the change.

    To work around this, either:

    • Manually add or remove the instances from the connection string and restart AM or the container where it runs.

    • Configure a DS proxy in front of the DS instances to distribute data across multiple DS shards, and configure the proxy's URL in the connection string.

  • SAML v2.0 UI Limitations

    The new UI supports SAML v2.0 IDP and SP entities only. After upgrade, entities that do not have IDP or SP roles will be listed, but cannot be inspected or edited using the UI. An error will display in the UI when trying to access these entities.

    Entities containing roles other than IDP and/or SP will only display the IDP and/or SP roles.

  • Web Authentication (WebAuthn) Limitations

    AM 7.1 does not support the following functionality as described in the Web Authentication specification:


    For more information about Web Authentication, see MFA: Web Authentication (WebAuthn).

  • RADIUS Service Only Supports Commons Audit Logging. The new RADIUS service only supports the new Commons Audit Logging, available in this release. The RADIUS service cannot use the older Logging Service, available in releases prior to OpenAM 13.0.0.

  • Administration Console Access Requires the Realm Admin privilege

    In this version of AM, administrators can use the AM console as follows:

    • Delegated administrators with the Realm Admin privilege can access full AM console functionality within the realms they can administer. In addition, delegated administrators in the Top Level Realm who have this privilege can access AM's global configuration.

    • Administrators with lesser privileges, such as the Policy Admin privilege, can not access the AM console.

    • The top-level administrator, such as amAdmin, has access to full AM console functionality in all realms and can access AM's global configuration.

  • Specifying Keys in JWT Headers is Not Supported

    AM ignores keys specified in JWT headers, such as jku and jwe. Configure the public keys/certificates in AM instead, as explained in the relevant sections of the documentation.

  • Different AM Versions Within a Site Are Not Supported

    Do not run different versions of AM together in the same AM site.

  • Use of Special Characters in Policy or Application Creation is Not Supported

    Do not use special characters within policy, application or referral names (for example, "my+referral") using the Policy Editor or REST endpoints as AM returns a 400 Bad Request error. The special characters are: double quotes ("), plus sign (+), command (,), less than (<), equals (=), greater than (>), backslash (\), and null (\u0000). (OPENAM-5262)

  • XACML Policy Import and Export from Different Vendors is Not Supported

    AM can only import XACML 3.0 files that were either created by an AM instance, or that have had minor manual modifications, due to the reuse of some XACML 3.0 parameters for non-standard information.

  • JCEKS Keystore Now Required for User Self-Services

    In OpenAM 13.0.0, the user self-service feature is stateless, which means that the end-user is tracked and replayed by an encrypted and signed JWT token on each AM instance. It also generates key pairs and caches its keys locally on the server instance.

    In a multi-instance deployment behind a load balancer, one server instance with the user self-services enabled will not be able to decrypt the JWT token from the other instance due to the encryption keys being stored locally to its server.

    OpenAM 13.5.0 and later solve this issue by providing a JCEKS keystore that supports asymmetric keys for encryption and symmetric keys for signing. Users who have installed OpenAM 13.0.0 and enabled the user self-service feature will need to run additional steps to configure a JCEKS keystore to get the user self-service feature operating after an upgrade.

    For specific instructions to configure the JCEKS keystore, see "Managing the AM Keystore".


    This procedure is not necessary for the following users:

    • Users upgrading from versions prior to OpenAM 13.0.0 are not impacted.

    • Users who upgrade from OpenAM 13.0.0 and do not enable the user self-services feature are not impacted.

    • Users who do a clean install of OpenAM 13.5.0 or later are not impacted.

Known Issues

The following important known issues remained open at the time release 7.1 became available. For details and information on other issues, see the issue tracker.

AM 7.1
  • Licensing information for some third-party libraries is missing from the legal-notices/third-party-copyrights.txt file, available in the file.

    The following table matches the libraries with their corresponding license:

    geronimo-jta_1.1_spec-1.1.1.jarApache 2.0
    geronimo-ws-metadata_2.0_spec-1.1.3.jarApache 2.0
    jacorb-omgapi-3.9.jarLGPL 2.1
    jakarta.activation-api-1.2.1.jarBSD 3
    jakarta.xml.bind-api-2.3.2.jarBSD 3
    javax.activation-1.2.0.jarCDDL 1.1
    javax.annotation-api-1.3.2.jarCDDL 1.1
    javax.xml.soap-api-1.4.0.jarCDDL 1.0
    jaxb-impl-2.3.0.jarCDDL 1.1
    jaxb-runtime-2.3.0.jarCDDL 1.1
    jboss-rmi-api_1.0_spec-1.0.6.Final.jarLGPL 2.1

    Find the license files in the legal-notices/third-party-licenses directory, available in the file.

  • OPENAM-16418: private_key_jwt client auth fails with 500 if claim format is wrong

  • OPENAM-16449: Filter fields on the Scripts admin page don't work

  • OPENAM-17045: Failing SAML2 flows on ForgeOps environments

  • OPENAM-17315: Update defaults scripts with the change introduced in COMMONS-628

  • OPENAM-17351: AM File based config setup cannot be used with AM recording to dump the config dump

  • OPENAM-17418: OpenId account mapping fails because userInfo subject claim has value 'usr!demo'

  • OPENAM-17590: OIDC login hint cookie broken

  • OPENAM-17687: XUI select wrong partials if a new Partial happens to exists with same prefix

  • OPENAM-17760: PEM support incorrectly decodes some EC private keys

  • OPENAM-17768: Enabling whitelisting in trees causes an infinite redirect loop in the registration tree - forgeops

Read a different version of :