Fixes, Limitations, and Known Issues
This chapter covers the status of key issues and limitations at release 7.1.
OPENAM-17396: Terms of Service URI Link does not Display in Consent Page
OPENAM-17395: SocialOpenIdConnectNode fails to recover from client's connection reset
OPENAM-17365: Checking agent type with caller token can cause deadlock
OPENAM-17364: Prompt login / session upgrade / OIDC ACR looping with trees
OPENAM-17361: API Explorer Swagger Template body needs to be modified to include configExport, debugLogs and threadDump as per the API Documentation
OPENAM-17357: Remote Consent Service RCS does follow RCS consented scope when authorization endpoint accessed without any scope
OPENAM-17353: HTML pages are not picked up when placing in a theme folder
OPENAM-17349: OIDC Refresh token - Ops token is deleted from the CTS during refresh
OPENAM-17343: Access token call returns 500 error if password needs to be changed or has expired
OPENAM-17322: SAML2 bearer grant returns NoUserExistsException
OPENAM-17317: A realm without any modules can cause increased thread count and slow response.
OPENAM-17276: AM recorder does not record anymore
OPENAM-17271: Typo for Realm in SAML/Federation debug
OPENAM-17260: Allow arg=newsession usage in authorize calls
OPENAM-17242: OAuth2 Policy - Environment Condition AuthLevel >= doesn't work for ROPC grant
OPENAM-17220: OAuthLogout.jsp compilation error isGotoUrlValid method signature not found
OPENAM-17199: Insufficient debug logging for 'DJLDAPv3Repo.getAssignedServices'
OPENAM-17156: Adaptive Risk checkGeoLocation null countryCode can cause module fail.
OPENAM-17136: OAuth2 Dynamic Client Registration does not recognise spec-defined parameters
OPENAM-17121: Inefficient synchronized block in OAuth2ProviderSettingsFactory
OPENAM-17114: Save Consent check box always shown, even when not configured
OPENAM-17097: Inconsistent scope policy evaluation between authorize and ROPC
OPENAM-17089: Forgot password functionality broken
OPENAM-17070: SAML2 SP initiated SSO with AM as IdP Proxy, RelayState is not returned from proxy after IdP authentication
OPENAM-17060: Audit Logging "Resolve host name" is still available after OPENAM-7849
OPENAM-17037: AM Upgrade from 220.127.116.11 to 7.0.0 causing NPE
OPENAM-17034: In a realm if User Profile is set to Ignored the realm level Session Service quota settings is also ignored and only the Session Service setting at top level/global is evaluated
OPENAM-17017: REST STS fails with unable to get sub-schema if cache is refreshed while updating REST config
OPENAM-17006: Hosted SAML entity - can not remove bindings
OPENAM-16998: Poor logging around failures "Invalid Assertion Consumer Location specified"
OPENAM-16997: Device code grant implied consent fails if access_token request performed before user authenticates
OPENAM-16988: Accessed endpoint including port causes verify Assertion Consumer URL to fail
OPENAM-16955: When setCookieToAllDomains=false is used, a non matching request from other domain will fail
OPENAM-16947: Kerberos Node in 7.0 fails to return goTo(false)
OPENAM-16944: Regression in OPENAM-15649. LdapDecisionNodes fails if inetuserstatus does not exist
OPENAM-16936: Tree nodes create new keystore object each time node is called.
OPENAM-16935: Logout issue after logging into AM with 'Remember my username' selected with iOS 14.0.1
OPENAM-16934: sm.getSchemaManager has a typo including a comma
OPENAM-16926: Success URL node doesn't work with SAML Node for Idpinit when not using Integrated mode
OPENAM-16910: Can not create SAML entity with entity id including a semicolon ';'
OPENAM-16907: Kerberos Node in 7.0 does not work
OPENAM-16904: OIDC bearer module fails with NPE when id_token does not contain kid
OPENAM-16883: AM ignores AuthnRequestsSigned property during SSO
OPENAM-16876: Default ACR values on OIDC client profile is not honoured in order of preference
OPENAM-16866: AM should fail gracefully if id_token fails to generate when swapping refresh token
OPENAM-16849: WeChat Social Auth module broken (regression)
OPENAM-16848: Choice Collector and WDSSO node combination does not work if whitelisting is enabled
OPENAM-16847: AM email service failing with 'Start TLS' option
OPENAM-16838: AuthenticationApproachChecker does not handle session upgrade modules
OPENAM-16823: IDM Nodes does not send or propagate transactionId tracking when contacting IDM
OPENAM-16807: The dynamic values for request_uri being stored in client config does not expire and is not automatically removed
OPENAM-16801: SAML2 SP init SSO fails after upgrade to 7.0.0
OPENAM-16784: Upgrade to 7 fails with NullPointerException in Saml2EntitySecretsStep
OPENAM-16769: Enabling Auto-federation when User Profile is Dynamic on SP causes SP to hang during SAML flow
OPENAM-16758: Cannot install AM 7 on Windows
OPENAM-16745: client_id in access token ignores what's been registered when idm cache is disabled
OPENAM-16726: Insufficient debug logging for OAuth2 error 'invalid_client Server does not support this client's subject type'
OPENAM-16703: OAuth2 Access token obtained from refresh token is certificate-bound regardless of "Certificate-Bound Access Tokens" configuration (when client_secret_basic used for credentials)
OPENAM-16701: The authorize endpoint with a service parameter will cause the parameter to appear as a PAP claim in the agent's ID token
OPENAM-16684: OIDC Dynamic Registration client_description cannot take String type
OPENAM-16669: IdentityGateway Agent entry missing attribute required to support org.forgerock.openam.agent.TokenRestrictionResolver#getAgentInfo
OPENAM-16617: SuccessURL session property is set to gotoURL in authentication tree
OPENAM-16608: AM with embedded DS setup fails with permission denied for truststore
OPENAM-16583: Crucial information is missing when encountering LDAP connections issue.
OPENAM-16556: Radius Server does not log IP address into AM Audit logs
OPENAM-16555: Audit logging does not tell which policy allowed or denied a resource request
OPENAM-16540: Issues with Social Login URLs when navigating quickly between providers
OPENAM-16535: "JWKs URI content cache miss cache time" is not triggered when "kid" is missing from cached JWK Set
OPENAM-16515: Social auth - insufficient debug logging for troubleshooting
OPENAM-16485: 'Failed Login URL' is not picked up from the auth chain
OPENAM-16472: Proxied Authentication fallback may not work when user entry lacks some attributes
OPENAM-16450: 501 when default resource version set to "oldest" and Accept-API-Version header set
OPENAM-16418: private_key_jwt client auth fails with 500 if claim format is wrong
OPENAM-16368: Settings of Mail and Scripting global service properties are overwritten at upgrade
OPENAM-16367: OIDC request_uri response causes NPE while debug logging
OPENAM-16354: Concurrency bug in OAuth2ProviderSettingsFactory
OPENAM-16338: Failing REQUISITE module after SUFFICIENT Device Match doesn't fail chain properly
OPENAM-16157: Session Property Whitelist Service allows case variant Property Names but DS is not case sensitive
OPENAM-16152: After upgrade, new Identity page has duplicate 'new identity' field and email address does not save
OPENAM-16006: Device Code Grant does not work with Implied Consent as Authorization is not approved even after consented
OPENAM-15963: Historical retention files ( csv ) were not deleted
OPENAM-15948: Update DS profiles to add VLV indexes for CTS use
OPENAM-15743: Excessive CTS logging when Reaper is disabled (com.sun.am.ldap.connnection.idle.seconds=0)
OPENAM-15671: LoginContext is missing debug logging for troubleshooting
OPENAM-15663: UserInfoClaims is not part of public API
OPENAM-14898: OTP Email Sender Authentication Node fails if no SMTP authentication credentials are specified
OPENAM-14682: Microsoft Social Auth fails when creating a Microsoft account (Legacy OAuth2)
OPENAM-14527: Microsoft Social Auth does not work with latest MS endpoints (Legacy OAuth2)
OPENAM-12503: SizeBasedRotationPolicy does not delete oldest file
The following limitations and workarounds apply to AM 7.1:
Evaluation Installation Limitations
In some cases, installing AM for evaluation purposes will fail with a message similar to the following if the JDK's default truststore's permissions are too restrictive:
$JAVA_HOME/lib/security/cacerts (Permission denied), refer to install.log under /usr/share/tomcat/access/var/install.log for more information.
To work around this issue, locate the truststore that your container is using and change its permissions to 644 before installing AM:
$ sudo chmod 644 $JAVA_HOME/lib/security/cacerts
You can change the permissions back as they were originally after installing AM.
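The workaround above as an added shell helper (not a script from the AM documentation): it records the truststore's current mode before relaxing it to 644 for the install, and restores the recorded mode afterwards so the permissions do not stay relaxed by accident. The `file_mode` helper and the `.orig-mode` record file are conventions assumed here; run the functions as the user that owns the truststore (typically via sudo).

```shell
#!/bin/sh
# Added example: relax the JDK truststore permissions for the AM evaluation
# install, then put them back. Not ForgeRock's script; the ".orig-mode"
# record file is an assumption of this example.

# Print a file's octal mode. GNU stat (Linux) first, BSD stat (macOS) as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Record the truststore's current mode, then make it world-readable (644),
# which is what the evaluation install needs in order to read cacerts.
# $1 = truststore path, $2 = optional record file (defaults to <path>.orig-mode)
relax_truststore() {
    store=$1
    record=${2:-$store.orig-mode}
    file_mode "$store" > "$record" || return 1
    chmod 644 "$store"
}

# Restore the mode recorded by relax_truststore and remove the record file.
restore_truststore() {
    store=$1
    record=${2:-$store.orig-mode}
    if [ ! -r "$record" ]; then
        echo "no recorded mode for $store; nothing to restore" >&2
        return 1
    fi
    chmod "$(cat "$record")" "$store" && rm -f "$record"
}

# Usage, as root or via sudo:
#   relax_truststore   "$JAVA_HOME/lib/security/cacerts"   # before installing AM
#   restore_truststore "$JAVA_HOME/lib/security/cacerts"   # after installing AM
```

Restoring from the record rather than guessing the previous mode matters because JDK packages ship cacerts with different default permissions; the record file is left next to the truststore so a later `restore_truststore` call finds it without extra arguments.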
Identity and Data Store Scaling Limitations
The connection strings to the data or identity stores are static and not hot-swappable. This means that, if you expand or contract your DS affinity deployment, AM will not detect the change.
To work around this, either:
Manually add or remove the instances from the connection string and restart AM or the container where it runs.
Configure a DS proxy in front of the DS instances to distribute data across multiple DS shards, and configure the proxy's URL in the connection string.
SAML v2.0 UI Limitations
The new UI supports SAML v2.0 IDP and SP entities only. After upgrade, entities that do not have IDP or SP roles will be listed, but cannot be inspected or edited using the UI. An error will display in the UI when trying to access these entities.
Entities containing roles other than IDP and/or SP will only display the IDP and/or SP roles.
Web Authentication (WebAuthn) Limitations
AM 7.1 does not support the following functionality as described in the Web Authentication specification: Registration, Authentication.
For more information about Web Authentication, see MFA: Web Authentication (WebAuthn).
RADIUS Service Only Supports Commons Audit Logging
The new RADIUS service only supports the new Commons Audit Logging, available in this release. The RADIUS service cannot use the older Logging Service, available in releases prior to OpenAM 13.0.0.
Administration Console Access Requires the Realm Admin Privilege
In this version of AM, administrators can use the AM console as follows:
Delegated administrators with the Realm Admin privilege can access full AM console functionality within the realms they can administer. In addition, delegated administrators in the Top Level Realm who have this privilege can access AM's global configuration.
Administrators with lesser privileges, such as the Policy Admin privilege, cannot access the AM console.
The top-level administrator, such as amAdmin, has access to full AM console functionality in all realms and can access AM's global configuration.
Specifying Keys in JWT Headers is Not Supported
AM ignores keys specified in JWT headers, such as jwe. Configure the public keys/certificates in AM instead, as explained in the relevant sections of the documentation.
Different AM Versions Within a Site Are Not Supported
Do not run different versions of AM together in the same AM site.
Use of Special Characters in Policy or Application Creation is Not Supported
Do not use special characters within policy, application or referral names (for example, "my+referral") using the Policy Editor or REST endpoints, as AM returns a 400 Bad Request error. The special characters are: double quotes ("), plus sign (+), comma (,), less than (<), equals (=), greater than (>), backslash (\), and null (\u0000). (OPENAM-5262)
XACML Policy Import and Export from Different Vendors is Not Supported
AM can only import XACML 3.0 files that were either created by an AM instance, or that have had minor manual modifications, due to the reuse of some XACML 3.0 parameters for non-standard information.
JCEKS Keystore Now Required for User Self-Services
In OpenAM 13.0.0, the user self-service feature is stateless, which means that the end-user is tracked and replayed by an encrypted and signed JWT token on each AM instance. It also generates key pairs and caches its keys locally on the server instance.
In a multi-instance deployment behind a load balancer, one server instance with the user self-services enabled will not be able to decrypt the JWT token from the other instance due to the encryption keys being stored locally to its server.
OpenAM 13.5.0 and later solve this issue by providing a JCEKS keystore that supports asymmetric keys for encryption and symmetric keys for signing. Users who have installed OpenAM 13.0.0 and enabled the user self-service feature will need to run additional steps to configure a JCEKS keystore to get the user self-service feature operating after an upgrade.
For specific instructions to configure the JCEKS keystore, see "Managing the AM Keystore".
This procedure is not necessary for the following users:
Users upgrading from versions prior to OpenAM 13.0.0 are not impacted.
Users who upgrade from OpenAM 13.0.0 and do not enable the user self-services feature are not impacted.
Users who do a clean install of OpenAM 13.5.0 or later are not impacted.
The following important known issues remained open at the time release 7.1 became available. For details and information on other issues, see the issue tracker.
Licensing information for some third-party libraries is missing from the legal-notices/third-party-copyrights.txt file, available in the AM-7.1.0.zip file.
The following table matches the libraries with their corresponding license:
Find the license files in the legal-notices/third-party-licenses directory, available in the AM-7.1.0.zip file.
OPENAM-16418: private_key_jwt client auth fails with 500 if claim format is wrong
OPENAM-16449: Filter fields on the Scripts admin page don't work
OPENAM-17045: Failing SAML2 flows on ForgeOps environments
OPENAM-17315: Update defaults scripts with the change introduced in COMMONS-628
OPENAM-17351: AM File based config setup cannot be used with AM recording to dump the config dump
OPENAM-17418: OpenId account mapping fails because userInfo subject claim has value 'usr!demo'
OPENAM-17590: OIDC login hint cookie broken
OPENAM-17687: XUI selects wrong partials if a new Partial happens to exist with same prefix
OPENAM-17760: PEM support incorrectly decodes some EC private keys
OPENAM-17768: Enabling whitelisting in trees causes an infinite redirect loop in the registration tree - forgeops