What's New

This chapter covers the new features and improvements done in the current release of ForgeRock Access Management.

Release Dates
Version    Date
AM 7.1     2021-05-12

For end of service life dates (EOSL), see the Checking Your Product Versions Are Supported article in the ForgeRock Knowledge Base.

New Features

AM 7.1

ForgeRock Access Management 7.1 is a minor release that introduces new features, functional enhancements, and fixes.

  • OAuth 2.0 and OpenID Connect Token Exchange Support

    Following the OAuth 2.0 Token Exchange specification, AM 7.1 now lets you exchange ID tokens and access tokens in delegation and impersonation use cases.

    For more information, see OAuth 2.0 Token Exchange.

  • Social Identity Provider Client Improvements

    AM 7.1 enhances the OAuth 2.0/OpenID Connect client support offered in the Social Identity Provider Service. To connect to financial-grade identity providers, AM and ForgeRock Identity Platform can now:

    • Configure acr values to specify a set of rules that the authorization request must satisfy when authenticating to the provider; for example, using multi-factor authentication.

      A new property, ACR Values, has been added to the OpenID Connect secondary configuration of the Social Identity Provider Service.

    • Accept encrypted ID tokens.

      AM includes a new JWK URI, which the provider can use to obtain keys for verifying request object signatures, and for encrypting ID tokens.

      Two new properties have been added to the OpenID Connect secondary configuration of the Social Identity Provider Service:

      • OP Encrypts ID Tokens

      • Issuer

    • Send request parameters in a JWT, or as a reference to a JWT.

      The JWT is always signed, and optionally encrypted.

      As part of this change, the following fields have been added to the OpenID Connect secondary configuration of the Social Identity Provider Service:

      • Request Parameter JWT Option

      • Request Object Audience

      • Encrypt Request Parameter JWT

      • JWT Signing Algorithm

      • JWT Encryption Algorithm

      • JWT Encryption Method

    • Authenticate using a JWT or mutual TLS (mTLS).

      The JWT is always signed, and optionally encrypted.

      As part of this change, the Use Basic Auth switch in the client has been replaced with the Client Authentication Method drop-down list, which contains the following options:

      • CLIENT_SECRET_POST

      • CLIENT_SECRET_BASIC

      • PRIVATE_KEY_JWT

      • ENCRYPTED_PRIVATE_KEY_JWT

      • TLS_CLIENT_AUTH

      • SELF_SIGNED_TLS_CLIENT_AUTH

      AM 7.1 also includes a new advanced server property, openam.private.key.jwt.encryption.algorithm.whitelist, that specifies the algorithms that the client can use to encrypt both authentication JWTs and request object JWTs.

    • Allow providers to return ID tokens by submitting an HTML form using the HTTP POST method, as defined in the OAuth 2.0 Form Post Response Mode specification.

      As part of this change, the Response Mode drop-down list has been added to the OpenID Connect secondary configuration of the Social Identity Provider Service.

      In addition, the Redirect after form post URL property has been added to support the form post response mode in custom login pages.

    AM 7.1 also provides a preconfigured client for Apple and itsme.

    For more details, see Social Authentication and "/oauth2/connect/rp/jwk_uri".

  • OpenID Connect Backchannel Logout Supported

    As the OpenID provider, AM 7.1 now supports the OpenID Connect Back-Channel Logout 1.0 Draft 06. This draft lets AM send logout tokens to relevant relying parties when a session associated with an ID token becomes invalid.

    As part of this change, the Store OPS Tokens switch, used to enable session management at the provider, has been renamed to OIDC Session Management.

    Also, when OIDC Session Management is enabled, ID tokens will now contain a new claim, sid, which specifies a session ID that identifies the relying party's session with the provider. The sid can also be found in the logout tokens, if enabled.

    For more information, see "Informing Relying Parties that a Session has Expired".

  • Add Push Authentication Nodes

    AM 7.1 adds a number of new authentication nodes to assist with push authentication:

  • New Account Active Check Authentication Module

    AM 7.1 includes a new Account Active Check authentication module, which lets you determine whether an account is marked as active, or locked, without having to run through the remainder of the authentication chain.

    For more details, see "Account Active Check Module".

  • New Properties Available to Claims and Access Token Scripts

    AM 7.1 adds new properties to the OpenID Connect Claims and OAuth 2.0 Access Token Modification script types, for accessing the properties of the relevant client, and the incoming request.

    For more details, see "Scripting OpenID Connect 1.0 Claims" and Modifying the Content of Access Tokens.

  • New Live and Ready Status Endpoints

    AM 7.1 includes new endpoints to determine if an instance is alive, and ready to process requests.

    For more details, see Monitoring Instances.

  • New Access to Secrets and Credentials in Authentication Scripts

    AM 7.1 adds the ability for scripted decision nodes to access the secrets configured in AM secret stores.

    For example, a script can access credentials or secrets defined in a file system secret volume in order to make outbound calls to a third-party REST service, without hard-coding those credentials in the script.

    For more details, see "Accessing Credentials and Secrets".

  • New Support for PEM-Formatted Keys and Certificates

    AM 7.1 adds support for loading the following PEM-formatted secrets:

    • Elliptic Curve and RSA private keys

      • OpenSSL format

      • PKCS#8 format

    • X.509 certificates

    • RSA public keys

    • (non-standard) AES secret keys

    • (non-standard) HMAC secret keys

    • (non-standard) Generic secrets, such as connection passwords or API keys

    ForgeRock recommends that you use PEM secrets on the secret stores that support it:

    For more information, see "Importing PEM-Formatted Keys".

  • The Session Service Now Uses Secret Stores

    Client-based sessions and client-based authentication sessions now use secret stores for:

    • Signing JWTs with RSA and elliptic curve algorithms.

    • Encrypting JWTs with RSA algorithms.

    The upgrade process migrates the relevant configuration to secret stores automatically.

    HMAC signing secrets and symmetric AES keys for encryption have not been migrated yet, and are still available in the Session service configuration page.

    For more information, see "Configuring Client-Based Session Security".

  • Loading Secrets from Google Secret Manager Supported

    AM 7.1 now lets you load secrets from Google Secret Manager (GSM).

    For more information, see "Google GSM Secret Stores".

Major Improvements

AM 7.1

  • The SAML v2.0 Node Now Sets the successUrl Parameter

    The SAML v2.0 authentication node now sets the successURL parameter in the tree's shared state to the value of the RelayState parameter in the request, if any.

    If the request does not provide a value, the node uses the default RelayState value configured in the SP.

  • The JWK URI Endpoint Can Now Return Duplicate Key IDs

    Earlier versions of AM removed the alg parameter from the keys returned by the jwk_uri endpoint.

    Removing the alg parameter ensures that each key ID (kid) exposed by the endpoint matches a unique key, as recommended by the RFC7517 specification.

    AM 7.1 includes a toggle, Include all kty and alg combinations in jwk_uri, that lets the endpoint display duplicate key IDs with their corresponding alg and kty parameters.

    The toggle property is disabled by default.

    For more information, see "Displaying Every Algorithm and Key Type Associated to a Key ID".
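    With the toggle enabled, a relying party can no longer treat kid as a unique handle; it must select the verification key by kid together with the kty and alg from the JWS header. The following added example (not AM code or the AM documentation's) indexes a constructed JWKS document of the kind the toggle produces, reports duplicated key IDs, and refuses ambiguous selections.

```python
import json
from collections import defaultdict

# Constructed sample JWKS, shaped like a jwk_uri response with
# "Include all kty and alg combinations in jwk_uri" enabled: the kid
# "rsa-key-1" appears once per algorithm it is offered for. Key material
# is a placeholder, not real key data.
SAMPLE_JWKS = json.dumps({
    "keys": [
        {"kty": "RSA", "kid": "rsa-key-1", "alg": "RS256", "use": "sig",
         "n": "PLACEHOLDER_MODULUS", "e": "AQAB"},
        {"kty": "RSA", "kid": "rsa-key-1", "alg": "PS256", "use": "sig",
         "n": "PLACEHOLDER_MODULUS", "e": "AQAB"},
        {"kty": "EC", "kid": "ec-key-1", "alg": "ES256", "use": "sig",
         "crv": "P-256", "x": "PLACEHOLDER_X", "y": "PLACEHOLDER_Y"},
    ]
})


def index_jwks(jwks_json):
    """Group JWKS entries by kid and list the kids that occur more than once."""
    keys = json.loads(jwks_json)["keys"]
    by_kid = defaultdict(list)
    for key in keys:
        by_kid[key.get("kid")].append(key)
    duplicates = sorted(kid for kid, entries in by_kid.items() if len(entries) > 1)
    return by_kid, duplicates


def select_key(jwks_json, kid, alg=None, kty=None):
    """Return the single JWK matching the JWS header; fail closed if none or several match.

    A JWK without an "alg" member is treated as usable for any algorithm, so the
    caller must still check the header alg against its own allow-list.
    """
    by_kid, _ = index_jwks(jwks_json)
    candidates = by_kid.get(kid, [])
    if alg is not None:
        candidates = [k for k in candidates if k.get("alg") in (None, alg)]
    if kty is not None:
        candidates = [k for k in candidates if k.get("kty") == kty]
    if not candidates:
        raise LookupError(f"no key for kid={kid!r} alg={alg!r} kty={kty!r}")
    if len(candidates) > 1:
        raise LookupError(f"kid={kid!r} matches {len(candidates)} keys; select by alg and kty")
    return candidates[0]
```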

  • Improved Workflow for Adding Servers to Existing Deployments

    A new option available when installing an AM instance lets you choose whether the instance is standalone or part of an existing deployment.

    For more information, see "To Add a Server to a Site".

  • Improved Client Connection Handling

    AM 7.1 improves the way its ClientHandler code handles connection pools and timeouts. This affects client connections that AM opens against third parties, such as social identity providers.

    As part of this change, AM includes the following new advanced server properties:

    • org.forgerock.openam.httpclienthandler.system.clients.connection.timeout

    • org.forgerock.openam.httpclienthandler.system.clients.max.connections

    • org.forgerock.openam.httpclienthandler.system.clients.pool.ttl

    • org.forgerock.openam.httpclienthandler.system.clients.response.timeout

    • org.forgerock.openam.httpclienthandler.system.clients.retry.failed.requests.enabled

    • org.forgerock.openam.httpclienthandler.system.clients.reuse.connections.enabled

    For more information, see "Advanced Properties".

  • Configuration Upgrade Tool Distributed With AM ZIP

    The AM-7.1.0.zip file now includes a configuration file upgrade tool for converting configuration files exported with the Amster command. The tool is provided in the Config-Upgrader-7.1.0.zip file, which is inside the AM-7.1.0.zip file.

    For more information, see What’s New in the Amster documentation.

  • Changes to the Retry Limit Decision Node

    The "Retry Limit Decision Node" can now persist the number of failed login attempts in the identity store between successful authentications.

    To support this change, the following LDIF schema files have been updated:

    • ad_user_schema.ldif

    • adam_user_schema.ldif

    • odsee_user_schema.ldif

    • opendj_remove_user_schema.ldif

    • opendj_user_schema.ldif

    • tivoli_user_schema.ldif

    Moreover, a new file, opendj_retry_limit_node_count.ldif, has been added to the AM deliverables, and the DS identity setup profile has been updated.

    This new functionality is enabled by default. You must apply the new schema(s) to the identity store when upgrading to AM 7.1.

    For more information, see Upgrading AM Instances.

  • Improved AES Wrap Encryption Performance

    AM 7.1 includes a new advanced server property, org.forgerock.openam.encryption.useextractandexpand, that specifies whether to use an improved algorithm that reduces the cost of AES Key Wrap encryption even when high iteration counts are used.

    The new algorithm is backwards-compatible; data already encrypted will be decrypted at the old performance cost, and newly-encrypted data will benefit from the improvements.

    The property is disabled by default after upgrading to AM 7.1. To enable it, configure it in your container's environment file.

    For more information, see "Preparing AES Key Wrap Encryption".

  • The Social Provider Handler Node Can Now Be Used in Standalone AM Deployments

    Previous versions of AM required a ForgeRock Identity Platform deployment to use the "Social Provider Handler Node".

    AM 7.1 can use the node in standalone mode. The node uses the identity store configured in the realm to retrieve the user's profile, if it exists. However, account claiming remains a ForgeRock Identity Platform-only feature.

    As part of this change, the following authentication nodes have been deprecated:

    The Social Authentication Implementations Service is also deprecated.

    The Social Authentication documentation page has been updated with information about configuring the "Social Provider Handler Node", the "Select Identity Provider Node", and the Social Identity Provider Service.

  • Web Authentication Improvements

Security Advisories

ForgeRock issues security advisories in collaboration with our customers and the open source community to address any security vulnerabilities transparently and rapidly. ForgeRock's security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.

For details of all the security advisories across ForgeRock products, see Security Advisories in the Knowledge Base.
