Fixes, Limitations, and Known Issues

This chapter covers the status of key issues and limitations at release 7.1.2.

Key Fixes

Key Fixes in AM 7.1.2
  • OPENAM-18928: Client credential OAuth2 request results in searches for OAuth2 client against Identity Store

  • OPENAM-18921: Double slashes in oauth2 claim name handled incorrectly

  • OPENAM-18883: Inconsistent error response from Client authentication using private_key_jwt

  • OPENAM-18864: Upgrade Radius Server Client Secrets fails due to service config cache cleared

  • OPENAM-18836: No TransactionId on "debug.out" for the AM recording.

  • OPENAM-18833: Client authentication using private_key_jwt will cause 500 if claims value is null

  • OPENAM-18780: JwksOAuth2AgentEventListener class not setting the correct default cache miss time value

  • OPENAM-18756: Entering correct otp after entering wrong otp fails authentication

  • OPENAM-18753: Upgrading AM Radius server with clients causes Radius auth failures

  • OPENAM-18711: AES Encryption/Decryption fails when running in Java 17

  • OPENAM-18705: Problem with Page Node using node relying on secureState

  • OPENAM-18684: redirect to /authorize endpoint fails for 2nd OIDC App for Federated Users w/ multi OIDC Clients

  • OPENAM-18679: OATH Registration node doesn't work when placed inside a 'Page' node

  • OPENAM-18663: AM should check new realm with rest end-point names by ignoring case

  • OPENAM-18661: Two or more OAuth2 clients with duplicate origins causes CORS filter to be aborted

  • OPENAM-18646: Upgrade for AM 7.1.0 to 7.2+ may fail, because of upgrading existing java agent profile

  • OPENAM-18644: IdRepo cache can not be disabled anymore

  • OPENAM-18640: REST-STS is using the old path to reach /users endpoint

  • OPENAM-18623: issue with jwk_uri endpoint called in parallel

  • OPENAM-18610: RealmOAuth2ProviderSettings for getJwks is broken in that it permits empty set.

  • OPENAM-18605: Proxy authentication required error when connecting to a target host over https via a proxy that requires authentication

  • OPENAM-18586: Lack of debugging message when AM is not able to read the encrypted_base64 folder after upgrade

  • OPENAM-18547: Unable to load PlatformRegistration when Using Stateless Access Token with BaseURL

  • OPENAM-18536: Java agent property org.forgerock.agents.session.change.notifications.enabled should be presented in XUI

  • OPENAM-18511: Missing navigation options when an expired link from "Email Suspend" node is used

  • OPENAM-18443: Transactional authentication is disabled on new installs

  • OPENAM-18434: Authorization Code flow redirects to malformed uri if redirect_uri contains underscore

  • OPENAM-18297: Outbound calls to Jwks_URI endpoint does not support proxy settings

  • OPENAM-18256: JWK Cache timeout is not set for OAuth 2.0 clients created dynamically

  • OPENAM-18175: SMSUtils#addAttributesToMap inconsistency with array ordering

  • OPENAM-18141: AM no longer uses global SAML configuration

  • OPENAM-18130: "Agent Configuration Change Notification" use the same help text in the XUI for Java and Web agents, but the property name is different

  • OPENAM-18120: Audit logging service does not correctly reflect the "prompt" URL parameter

  • OPENAM-18090: Creation of UMA Policy to share a resource fails when identities have custom attributes

  • OPENAM-18030: Message node shows inconsistent behaviour regarding the default locale

  • OPENAM-18005: Insufficient error message to troubleshoot persistent search issue

  • OPENAM-17949: Account lockout applied to tree even when ignore profile selected

  • OPENAM-17904: Json Audit Log Location not working when modifying location to only include %SERVER_URI% variable

  • OPENAM-17833: Internal accepted Audience AUD formed from DNS Alias could be wrong when BaseURL does not have port

  • OPENAM-17830: Error messages are logged when the Push Notification Service is absent

  • OPENAM-17829: External UMA Resource Set using SSL but not StartTLS fails

  • OPENAM-17593: Deadlock when admin token is invalid and when config data is getting cleared

  • OPENAM-17271: Typo for Realm in SAML/Federation debug

  • OPENAM-17102: OAuth2 client bearer authentication has insufficient logs for troubleshooting failing client authentication

Key Fixes in AM 7.1.1
  • OPENAM-18604: Formatting issues in Upgrade Report

  • OPENAM-18573: URLPatternMatcher or RedirectURLValidator fails when query string contains "%20"

  • OPENAM-18566: Missing '' after upgrade from 7.1.0

  • OPENAM-18559: Upgrade from 6.5.3 to 7.1.0 fails with UpgradeException - " Saved Consent Attribute Name is required."

  • OPENAM-18532: Web Agent property org.forgerock.agents.pdp.javascript.repost has incorrect description in XUI

  • OPENAM-18523: NullPointerException when AgentsRepo with from group is changed

  • OPENAM-18459: IdTokenInfo endpoint behaviours change from 6.x and fails when using client_id in POST

  • OPENAM-18422: Email Template node creates threads without terminating them

  • OPENAM-18421: In Platform environment, using a Email Template node creates new thread that does not terminate

  • OPENAM-18389: HttpClientHandler Guice injection in tree is typically broken with thread pool growth

  • OPENAM-18377: Authorization fails using auth module if user has authenticated with alias name

  • OPENAM-18366: Upgrade Report contains unformatted line feeds "%LF%"

  • OPENAM-18359: Choice Collector Node appears to not be present following upgrade

  • OPENAM-18321: CertificateCollectorNode fails when checking cert in LDAP Directory Server

  • OPENAM-18319: Realm is added more than once when session upgrade happens more than once with modules.

  • OPENAM-18316: Typo in oauth2 template (templates/touch/authorize.ftl)

  • OPENAM-18306: OAuth2 Authorization Code Grant Fails when including scope parameter at access_token endpoint

  • OPENAM-18258: Failed to load configuration for OAuth2Provider observed after upgrade

  • OPENAM-18241: Permit OAuth2 Modification Script to return scopes as space delimiter string

  • OPENAM-18235: IdPAdapter does not have access to IDPCache in preSendResponse hook when there is an existing session

  • OPENAM-18227: Upgrade from 6.0.x / 6.5.x can fail at Unsupported node type PersistentCookieDecisionNode

  • OPENAM-18212: Check for user/agent profile condition during login can be refined further

  • OPENAM-18207: Global Service cache is not updated by changes from other servers in a site

  • OPENAM-18205: Excessive logging occurs when agent profile is not found

  • OPENAM-18180: No TransactionId present for AuthTreeExecutor

  • OPENAM-18171: Back-Channel logout keeps adding to trackingIds audit for every logout

  • OPENAM-18167: OIDC requests with request parameter fail with 500 error when there is no session using POST

  • OPENAM-18154: Wrong AMR returned with prompt=login and force authn setting enabled

  • OPENAM-18153: OpenIdConnect node call to well-known endpoint does not support proxy settings

  • OPENAM-18140: AM Error "Trying to redefine version 0.0 for path" thrown on AM startup with forgeops

  • OPENAM-18121: Slow loading in Authentication Tree

  • OPENAM-18119: Audit log no longer shows the userID of session being invalidated by amadmin

  • OPENAM-18090: Creation of UMA Policy to share a resource fails when identities have custom attributes

  • OPENAM-18085: SocialProviderHandlerNode does not work in an upgraded AM

  • OPENAM-18068: Upgrade from the AM 6.5.3 to 7.1.0 does not work, if Java Agent profile exist

  • OPENAM-18065: Logback.jsp can not be used to set log levels loggers in custom code

  • OPENAM-18057: Identities page displays Internal Server Error when a user does not have search attribute defined

  • OPENAM-18043: Device Match module not setting correct AuthLevel

  • OPENAM-18017: Creation of UMA Policy to share a resource fails when identities have custom object classes

  • OPENAM-18009: AM return HTTP error code 500 when authenticate with authIndexType service without authIndexValue

  • OPENAM-18006: Persistent search for identity store does not recover

  • OPENAM-18003: WS-Federation Active Requestor Profile does not work with Authentication Trees

  • OPENAM-17993: The org.forgerock.openam.auth.nodes.webauthn.trustanchor.TrustAnchorValidator is missing a @Nullable annotation

  • OPENAM-17979: Backchannel authentication - auth_req_id can be used to obtain multiple access tokens

  • OPENAM-17962: LDAP Decision Node does not put updated password in transient state

  • OPENAM-17954: Accept-Language header locale ignored on OAuth2 Consent page

  • OPENAM-17935: Missing 'return' statement in the happy flow of the kerberos node

  • OPENAM-17923: Retry Limit Decision Should Not Have User Involvement when Save Retry Limit to User is Disabled

  • OPENAM-17916: When no session exists logout page redirects to login

  • OPENAM-17912: Account lockout count is not reset correctly

  • OPENAM-17896: ForgottenPassword Reset on multiple cluster not working when reset link clicked

  • OPENAM-17870: ScriptedDecisionNodes schema config not upgraded and sharedState does work after upgrade.

  • OPENAM-17863: Authorization code is not issued when nonce is not supplied when using OpenID Hybrid profile

  • OPENAM-17828: Apostrophe in username breaks Push/OATH device registration

  • OPENAM-17826: Introspect endpoint returns a static value for "expires_in" when using client based tokens

  • OPENAM-17814: Auth Tree step-up fails if username case does not match

  • OPENAM-17801: OIDC userinfo subname claim returns incorrect value

  • OPENAM-17793: OIDC pairwise subject not working when multiple redirect URIs configured with the same hostname

  • OPENAM-17782: Policy evaluation fails with 400 error when user does not exist

  • OPENAM-17774: Missing exp claim throws NullPointerException on CIBA bc-authorize endpoint

  • OPENAM-17773: The acr_values parameter is mandatory on CIBA bc-authorize endpoint

  • OPENAM-17760: PEM support incorrectly decodes some EC private keys

  • OPENAM-17738: Java Agent "Client IP Validation Mode" property does not work when key is empty from XUI

  • OPENAM-17718: OAuth2 Introspection endpoint does not accept Accept header with extra accept extension param (like weight q=0.8) or charset

  • OPENAM-17678: Radius server fails to initialize on startup due to Config cache refreshed

  • OPENAM-17677: The oauth2/device/code endpoint does not support locale parameter

  • OPENAM-17663: Improve the error response code for "Failed to revoke access token"

  • OPENAM-17630: JMS Audit logging broken and cannot start up

  • OPENAM-17610: OTP Email Sender node does not allow to specify connect timeout and IO/read timeout for underlying transport.

  • OPENAM-17590: OIDC login hint cookie broken since 7.0

  • OPENAM-17587: OIDC bearer token authentication module requires context value setting for client secret

  • OPENAM-17493: OAuth2 node does not support external proxy authentication (user/pass)

  • OPENAM-17405: Token introspection response not spec compliant

  • OPENAM-17320: Revisit prompt=login behaviour change that keeps existing session

  • OPENAM-17265: Wrong authorized_keys file updated

  • OPENAM-17262: Subname claim inconsistencies

  • OPENAM-16988: The accessedEndpoint including port causes verify Assertion Consumer URL to fail

  • OPENAM-16881: SAML federation library stopped supporting ACS URLs with query parameters

  • OPENAM-16653: Identity using fr-idm-uuid has wrong account ID in FR Authenticator

  • OPENAM-16642: Server id creation can fail when id is greater than 100

  • OPENAM-16554: Misplaced bufferingEnabled checkbox in New Syslog configuration

  • OPENAM-16491: SAML Update introduces javascript calls that aren't available in IE8 and below (or IE11 using Enterprise mode)

  • OPENAM-16418: Client auth using private_key_jwt fails with 500 if claim format is wrong

  • OPENAM-16216: Get Session Data node improvements

  • OPENAM-15861: NullPointerException in CollectionHelper.getServerMapAttrs

  • OPENAM-15740: Document _fields is case sensitive

  • OPENAM-15278: "Access Denied" error when accessing logout link and not currently signed in

  • OPENAM-13855: CTS creates too many connections to DS

  • OPENAM-13312: Stateless non-expiring refresh tokens fail with "invalid_grant"

  • OPENAM-11636: IdP-Proxy - proxyidpfinder.jsp is not triggered when 'Use IDP Finder' is enabled for remote SP entity

Key Fixes in AM 7.1
  • OPENAM-17396: Terms of Service URI Link does not Display in Consent Page

  • OPENAM-17395: SocialOpenIdConnectNode fails to recover from client's connection reset

  • OPENAM-17365: Checking agent type with caller token can cause deadlock

  • OPENAM-17364: Prompt login / session upgrade / OIDC ACR looping with trees

  • OPENAM-17361: API Explorer Swagger Template body needs modified to include configExport, debugLogs and threadDump as per the API Documentation

  • OPENAM-17357: Remote Consent Service RCS does follow RCS consented scope when authorization endpoint accessed without any scope

  • OPENAM-17353: HTML pages are not picked up when placing in a theme folder

  • OPENAM-17349: OIDC Refresh token - Ops token is deleted from the CTS during refresh

  • OPENAM-17343: Access token call returns 500 error if password needs to be changed or has expired

  • OPENAM-17322: SAML2 bearer grant returns NoUserExistsException

  • OPENAM-17317: A realm without any modules can cause increased thread count and slow response.

  • OPENAM-17276: AM recorder does not record anymore

  • OPENAM-17271: Typo for Realm in SAML/Federation debug

  • OPENAM-17260: Allow arg=newsession usage in authorize calls

  • OPENAM-17242: OAuth2 Policy - Environment Condition AuthLevel >= doesn't work for ROPC grant

  • OPENAM-17220: OAuthLogout.jsp compilation error isGotoUrlValid method signature not found

  • OPENAM-17199: Insufficient debug logging for 'DJLDAPv3Repo.getAssignedServices'

  • OPENAM-17156: Adaptive Risk checkGeoLocation null countryCode can cause module fail.

  • OPENAM-17136: OAuth2 Dynamic Client Registration does not recognise recognised spec defined parameters

  • OPENAM-17121: Inefficient synchronized block in OAuth2ProviderSettingsFactory

  • OPENAM-17114: Save Consent check box always shown, even when not configured

  • OPENAM-17097: Inconsistent scope policy evaluation between authorize and ROPC

  • OPENAM-17089: Forgot password functionality broken

  • OPENAM-17070: SAML2 SP initiated SSO with AM as idp Proxy, RelayState is not returned from proxy after idp authentication

  • OPENAM-17060: Audit Logging "Resolve host name" is still available after OPENAM-7849

  • OPENAM-17037: AM Upgrade from to 7.0.0 causing NPE

  • OPENAM-17034: In a realm if User Profile is set to Ignored the realm level Session Service quota settings is also ignored and only the Session Service setting at top level/global is evaluated

  • OPENAM-17017: REST STS fails with unable to get sub-schema if cache is refreshed while updating REST config

  • OPENAM-17006: Hosted SAML entity - can not remove bindings

  • OPENAM-16998: Poor logging around failures "Invalid Assertion Consumer Location specified"

  • OPENAM-16997: Device code grant implied consent fails if access_token request performed before user authenticates

  • OPENAM-16988: Accessed endpoint including port causes verify Assertion Consumer URL to fail

  • OPENAM-16955: When setCookieToAllDomains=false is used, a non matching request from other domain will fail

  • OPENAM-16947: Kerberos Node in 7.0 fails to return goTo(false)

  • OPENAM-16944: Regression in OPENAM-15649. LdapDecisionNodes fails if inetuserstatus does not exist

  • OPENAM-16936: Tree nodes create new keystore object each time node is called.

  • OPENAM-16935: Logout issue after logging into AM with 'Remember my username' selected with iOS 14.0.1

  • OPENAM-16934: sm.getSchemaManager has a typo including a comma

  • OPENAM-16926: Success URL node doesn't work with SAML Node for Idpinit when not using Integrated mode

  • OPENAM-16910: Can not create SAML entity with entity id including a semicolon ';'

  • OPENAM-16907: Kerberos Node in 7.0 does not work

  • OPENAM-16904: OIDC bearer module fails with NPE when id_token does not contain kid

  • OPENAM-16883: AM ignores AuthnRequestsSigned property during SSO

  • OPENAM-16876: Default ACR values on OIDC client profile is not honoured in order of preference

  • OPENAM-16866: AM should fail gracefully if id_token fails to generate when swapping refresh token

  • OPENAM-16849: WeChat Social Auth module broken (regression)

  • OPENAM-16848: Choice Collector and WDSSO node combination does not work if whitelisting is enabled

  • OPENAM-16847: AM email service failing with 'Start TLS' option

  • OPENAM-16838: AuthenticationApproachChecker does not handle session upgrade modules

  • OPENAM-16823: IDM Nodes does not send or propagate transactionId tracking when contacting IDM

  • OPENAM-16807: The dynamic values for request_uri being stored in client config does not expire and is not automatically removed

  • OPENAM-16801: SAML2 SP init SSO fails after upgrade to 7.0.0

  • OPENAM-16784: Upgrade to 7 fails with NullPointerException in Saml2EntitySecretsStep

  • OPENAM-16769: Enabling Auto-federation when User Profile is Dynamic on SP causes SP to hang during SAML flow

  • OPENAM-16758: Cannot install AM 7 on Windows

  • OPENAM-16745: client_id in access token ignores what's been registered when idm cache is disabled

  • OPENAM-16726: Insufficient debug logging for OAuth2 error 'invalid_client Server does not support this client's subject type'

  • OPENAM-16703: OAuth2 Access token obtained from refresh token is certificate-bound regardless of "Certificate-Bound Access Tokens" configuration (when client_secret_basic used for credentials)

  • OPENAM-16701: The authorize endpoint with a service parameter will cause the parameter to appear as a PAP claim in the agent's ID token

  • OPENAM-16684: OIDC Dynamic Registration client_description cannot take String type

  • OPENAM-16669: IdentityGateway Agent entry missing attribute required to support org.forgerock.openam.agent.TokenRestrictionResolver#getAgentInfo

  • OPENAM-16617: SuccessURL session property is set to gotoURL in authentication tree

  • OPENAM-16608: AM with embedded DS setup fails with permission denied for truststore

  • OPENAM-16583: Crucial information is missing when encountering LDAP connections issue.

  • OPENAM-16556: Radius Server does not log IP address into AM Audit logs

  • OPENAM-16555: Audit logging does not tell which policy allowed or denied a resource request

  • OPENAM-16540: Issues with Social Login URLs when navigating quickly between providers

  • OPENAM-16535: "JWKs URI content cache miss cache time" is not triggered when "kid" is missing from cached JWK Set

  • OPENAM-16515: Social auth - insufficient debug logging for troubleshooting

  • OPENAM-16485: 'Failed Login URL' is not picked up from the auth chain

  • OPENAM-16472: Proxied Authentication fallback may not work when user entry lack some attributes

  • OPENAM-16450: 501 when default resource version set to "oldest" and Accept-API-Version header set

  • OPENAM-16418: private_key_jwt client auth fails with 500 if claim format is wrong

  • OPENAM-16368: Settings of Mail and Scripting global service properties are overwritten at upgrade

  • OPENAM-16367: OIDC request_uri response causes NPE while debug logging

  • OPENAM-16354: Concurrency bug in OAuth2ProviderSettingsFactory

  • OPENAM-16338: Failing REQUISITE module after SUFFICIENT Device Match doesn't fail chain properly

  • OPENAM-16157: Session Property Whitelist Service allows case variant Property Names but DS is not case sensitive

  • OPENAM-16152: After upgrade, new Identity page has duplicate 'new identity' field and email address does not save

  • OPENAM-16006: Device Code Grant does not work with Implied Consent as Authorization is not approved even after consented

  • OPENAM-15963: Historical retention files ( csv ) were not deleted

  • OPENAM-15948: Update DS profiles to add VLV indexes for CTS use

  • OPENAM-15743: Excessive CTS logging when Reaper is disabled (

  • OPENAM-15671: LoginContext is missing debug logging for troubleshooting

  • OPENAM-15663: UserInfoClaims is not part of public API

  • OPENAM-14898: OTP Email Sender Authentication Node fails if no SMTP authentication credentials are specified

  • OPENAM-14682: Microsoft Social Auth fails when creating an Microsoft account (Legacy OAuth2)

  • OPENAM-14527: Microsoft Social Auth does not work with latest MS endpoints (Legacy OAuth2)

  • OPENAM-12503: SizeBasedRotationPolicy does not delete oldest file


Limitations

The following limitations and workarounds apply to AM 7.1.x:

  • Evaluation Installation Limitations

    In some cases, installing AM for evaluation purposes will fail with a message similar to the following if the JDK's default truststore's permissions are 444:

    $JAVA_HOME/lib/security/cacerts (Permission denied), refer to install.log under /usr/share/tomcat/access/var/install.log for more information.

    To work around this issue, locate the truststore that your container is using and change its permissions to 644 before installing AM:

    $ sudo chmod 644 $JAVA_HOME/lib/security/cacerts

    After installing AM, you can restore the original permissions.

  • Identity and Data Store Scaling Limitations

    The connection strings to the data or identity stores are static and not hot-swappable. This means that, if you expand or contract your DS affinity deployment, AM will not detect the change.

    To work around this, either:

    • Manually add or remove the instances from the connection string and restart AM or the container where it runs.

    • Configure a DS proxy in front of the DS instances to distribute data across multiple DS shards, and configure the proxy's URL in the connection string.

  • SAML v2.0 UI Limitations

    The new UI supports SAML v2.0 IDP and SP entities only. After upgrade, entities that do not have IDP or SP roles will be listed, but cannot be inspected or edited using the UI. An error will display in the UI when trying to access these entities.

    Entities containing roles other than IDP and/or SP will only display the IDP and/or SP roles.

  • Web Authentication (WebAuthn) Limitations

    AM 7.1.2 does not support the following functionality as described in the Web Authentication specification:


    For more information about Web Authentication, see MFA: Web Authentication (WebAuthn).

  • RADIUS Service Only Supports Commons Audit Logging

    The new RADIUS service only supports the new Commons Audit Logging, available in this release. The RADIUS service cannot use the older Logging Service, available in releases prior to OpenAM 13.0.0.

  • Administration Console Access Requires the Realm Admin privilege

    In this version of AM, administrators can use the AM console as follows:

    • Delegated administrators with the Realm Admin privilege can access full AM console functionality within the realms they can administer. In addition, delegated administrators in the Top Level Realm who have this privilege can access AM's global configuration.

    • Administrators with lesser privileges, such as the Policy Admin privilege, cannot access the AM console.

    • The top-level administrator, such as amAdmin, has access to full AM console functionality in all realms and can access AM's global configuration.

  • Specifying Keys in JWT Headers is Not Supported

    AM ignores keys specified in JWT headers, such as jku and jwe. Configure the public keys/certificates in AM instead, as explained in the relevant sections of the documentation.

  • Different AM Versions Within a Site Are Not Supported

    Do not run different versions of AM together in the same AM site.

  • Use of Special Characters in Policy or Application Creation is Not Supported

    Do not use special characters within policy, application or referral names (for example, "my+referral") when using the Policy Editor or REST endpoints; AM returns a 400 Bad Request error. The special characters are: double quotes ("), plus sign (+), comma (,), less than (<), equals (=), greater than (>), backslash (\), and null (\u0000). (OPENAM-5262)

  • XACML Policy Import and Export from Different Vendors is Not Supported

    AM can only import XACML 3.0 files that were either created by an AM instance, or that have had minor manual modifications, due to the reuse of some XACML 3.0 parameters for non-standard information.

  • JCEKS Keystore Now Required for User Self-Services

    In OpenAM 13.0.0, the user self-service feature is stateless, which means that the end-user is tracked and replayed by an encrypted and signed JWT token on each AM instance. It also generates key pairs and caches its keys locally on the server instance.

    In a multi-instance deployment behind a load balancer, one server instance with the user self-services enabled will not be able to decrypt the JWT token from the other instance due to the encryption keys being stored locally to its server.

    OpenAM 13.5.0 and later solve this issue by providing a JCEKS keystore that supports asymmetric keys for encryption and symmetric keys for signing. Users who have installed OpenAM 13.0.0 and enabled the user self-service feature will need to run additional steps to configure a JCEKS keystore to get the user self-service feature operating after an upgrade.

    For specific instructions to configure the JCEKS keystore, see "Managing the AM Keystore".


    This procedure is not necessary for the following users:

    • Users upgrading from versions prior to OpenAM 13.0.0 are not impacted.

    • Users who upgrade from OpenAM 13.0.0 and do not enable the user self-services feature are not impacted.

    • Users who do a clean install of OpenAM 13.5.0 or later are not impacted.

Known Issues

The following important known issues remained open at the time release 7.1.2 became available. For details and information on other issues, see the issue tracker.

Known Issues in AM 7.1.2
  • OPENAM-18834: AM fails to start when upgrading after using am-upgrader

  • OPENAM-18818: persistent search error message shows wrong DS identifier

Known Issues in AM 7.1.1
  • OPENAM-18613: Web upgrader fails during second instance upgrade

  • OPENAM-18605: Proxy authentication required error when connecting to a target host over https via a proxy that requires authentication

  • OPENAM-18558: OIDC Client Group Inheritance not honoured immediately

  • OPENAM-17938: Upgrade stops at Migrating SAML2 entity signing and encryption aliases to new secret store. This impacts only some AM versions.

Known Issues in AM 7.1
  • Licensing information for some third-party libraries is missing from the legal-notices/third-party-copyrights.txt file, available in the file.

    The following table matches the libraries with their corresponding license:

    Library                                     License
    geronimo-jta_1.1_spec-1.1.1.jar             Apache 2.0
    geronimo-ws-metadata_2.0_spec-1.1.3.jar     Apache 2.0
    jacorb-omgapi-3.9.jar                       LGPL 2.1
    jakarta.activation-api-1.2.1.jar            BSD 3
    jakarta.xml.bind-api-2.3.2.jar              BSD 3
    javax.activation-1.2.0.jar                  CDDL 1.1
    javax.annotation-api-1.3.2.jar              CDDL 1.1
    javax.xml.soap-api-1.4.0.jar                CDDL 1.0
    jaxb-impl-2.3.0.jar                         CDDL 1.1
    jaxb-runtime-2.3.0.jar                      CDDL 1.1
    jboss-rmi-api_1.0_spec-1.0.6.Final.jar      LGPL 2.1

    Find the license files in the legal-notices/third-party-licenses directory, available in the file.

  • OPENAM-16418: private_key_jwt client auth fails with 500 if claim format is wrong

  • OPENAM-16449: Filter fields on the Scripts admin page don't work

  • OPENAM-17045: Failing SAML2 flows on ForgeOps environments

  • OPENAM-17315: Update defaults scripts with the change introduced in COMMONS-628

  • OPENAM-17351: AM File based config setup cannot be used with AM recording to dump the config dump

  • OPENAM-17418: OpenId account mapping fails because userInfo subject claim has value 'usr!demo'

  • OPENAM-17590: OIDC login hint cookie broken

  • OPENAM-17687: XUI select wrong partials if a new Partial happens to exists with same prefix

  • OPENAM-17760: PEM support incorrectly decodes some EC private keys

  • OPENAM-17768: Enabling whitelisting in trees causes an infinite redirect loop in the registration tree - forgeops
