What's New
This chapter covers the new features and improvements done in the current release of ForgeRock Access Management.
Version | Date |
---|---|
AM 7.1.2 | 2022-03-15 |
AM 7.1.1 | 2021-12-06 |
AM 7.1 | 2021-05-12 |
For end of service life (EOSL) dates, see Checking Your Product Versions Are Supported in the ForgeRock Knowledge Base.
Patch Releases
ForgeRock periodically issues patch releases with important fixes to bugs. Patch releases focus solely on fixing existing bugs, and improve the functionality, performance, and security of your deployment.
Despite our efforts to ensure patch releases contain no changes that impact existing functionality, some security-related fixes may include breaking changes. Always review the release notes before upgrading to a patch release.
Patches can be deployed as an initial deployment or used to upgrade from an existing version (see Supported Upgrade Paths).
AM 7.1.2 is the latest release targeted for AM 7.1 deployments. Download it from the ForgeRock Backstage website.
New Features
ForgeRock Access Management 7.1.2 is a minor release that introduces new features, functional enhancements, and fixes.
org.forgerock.openam.encryption.padshortinputs system property for AES Key Wrap encryption
A new Java system property (org.forgerock.openam.encryption.padshortinputs) pads short inputs for compatibility with Java 17.
For details, see "Preparing AES Key Wrap Encryption".
org.forgerock.openam.authentication.forceAuth.enabled advanced server property for authentication chains
A new advanced server property (org.forgerock.openam.authentication.forceAuth.enabled) controls the ForceAuth authentication property for chains.
For details, see org.forgerock.openam.authentication.forceAuth.enabled.
No new features have been added in AM 7.1.1.
ForgeRock Access Management 7.1 is a minor release that introduces new features, functional enhancements, and fixes.
OAuth 2.0 and OpenID Connect Token Exchange Support
Following the OAuth 2.0 Token Exchange specification, AM 7.1 now lets you exchange ID tokens and access tokens in delegation and impersonation use cases.
For more information, see OAuth 2.0 Token Exchange.
Social Identity Provider Client Improvements
AM 7.1 enhances the OAuth 2.0/OpenID Connect client support offered in the Social Identity Provider Service. To connect to financial-grade identity providers, AM and ForgeRock Identity Platform can now:
Configure acr values to specify a set of rules that the authorization request must satisfy when authenticating to the provider; for example, using multi-factor authentication.
A new property, ACR Values, has been added to the OpenID Connect secondary configuration of the Social Identity Provider Service.
Accept encrypted ID tokens.
AM includes a new JWK URI, which the provider can use to obtain keys for verifying request object signatures, and for encrypting ID tokens.
Two new properties have been added to the OpenID Connect secondary configuration of the Social Identity Provider Service:
OP Encrypts ID Tokens
Issuer
Send request parameters in a JWT, or as a reference to a JWT.
The JWT is always signed, and optionally encrypted.
As part of this change, the following fields have been added to the OpenID Connect secondary configuration of the Social Identity Provider Service:
Request Parameter JWT Option
Request Object Audience
Encrypt Request Parameter JWT
JWT Signing Algorithm
JWT Encryption Algorithm
JWT Encryption Method
Authenticate using a JWT or mutual TLS (mTLS).
The JWT is always signed, and optionally encrypted.
As part of this change, the Use Basic Auth switch in the client has been replaced with the Client Authentication Method drop-down list, which contains the following options:
CLIENT_SECRET_POST
CLIENT_SECRET_BASIC
PRIVATE_KEY_JWT
ENCRYPTED_PRIVATE_KEY_JWT
TLS_CLIENT_AUTH
SELF_SIGNED_TLS_CLIENT_AUTH
AM 7.1 also includes a new advanced server property, openam.private.key.jwt.encryption.algorithm.whitelist, that specifies the algorithms that the client can use to encrypt both authentication JWTs and request object JWTs.
Allow providers to return ID tokens by submitting an HTML form using the HTTP POST method, as defined in the OAuth 2.0 Form Post Response Mode specification.
As part of this change, the Response Mode drop-down list has been added to the OpenID Connect secondary configuration of the Social Identity Provider Service.
The Redirect after form post URL property has also been added to support the form post response mode in custom login pages.
AM now also provides preconfigured clients for Apple and itsme.
For more details, see Social Authentication and "/oauth2/connect/rp/jwk_uri".
OpenID Connect Backchannel Logout Supported
As the OpenID provider, AM 7.1 now supports the OpenID Connect Back-Channel Logout 1.0 Draft 06. This draft lets AM send logout tokens to relevant relying parties when a session associated with an ID token becomes invalid.
As part of this change, the Store OPS Tokens switch, used to enable session management at the provider, has been renamed to OIDC Session Management.
Also, when OIDC Session Management is enabled, ID tokens will now contain a new claim, sid, which specifies a session ID that identifies the relying party's session with the provider. The sid can also be found in the logout tokens, if enabled.
For more information, see "Informing Relying Parties that a Session has Expired".
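The relying-party side of the feature described above, as an added example that is not ForgeRock code: a handler that verifies a logout token, applies the OpenID Connect Back-Channel Logout claim rules (iss, aud, iat, jti, the events claim carrying the backchannel-logout event, sub or sid, and no nonce), and uses the sid claim to pick which local sessions to end. The shared HS256 secret, issuer, client ID, session records and the token itself are constructed so the script runs offline; a real relying party verifies the provider's signature against its published JWKS instead.

```python
"""Relying-party handling of an OIDC back-channel logout token (added example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
# Constructed values for this example (assumptions, not AM defaults).
SECRET = b"example-shared-secret-not-for-production"
ISSUER = "https://op.example.com/oauth2"
CLIENT_ID = "rp-client"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_logout_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint a constructed HS256 logout token; stands in for the provider."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, secret: bytes = SECRET) -> dict:
    """Check the compact JWS signature in constant time and return its payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_unb64url(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(payload_b64))


def validate_logout_token(claims: dict, now: Optional[int] = None, max_age: int = 120) -> dict:
    """Apply the Back-Channel Logout claim rules; raise ValueError on the first miss."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise ValueError("aud does not include this client")
    iat = claims.get("iat")
    if not isinstance(iat, int) or not (now - max_age <= iat <= now + max_age):
        raise ValueError("iat missing or outside the accepted window")
    if not claims.get("jti"):
        raise ValueError("jti missing")  # jti is also the key for replay detection
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(LOGOUT_EVENT), dict):
        raise ValueError("events claim does not carry the back-channel logout event")
    if not (claims.get("sub") or claims.get("sid")):
        raise ValueError("neither sub nor sid present")
    if "nonce" in claims:
        raise ValueError("nonce is prohibited in logout tokens")
    return claims


def sessions_to_terminate(claims: dict, local_sessions: List[dict]) -> List[str]:
    """Sessions to end: those bound to the sid when given, else every session for sub."""
    if claims.get("sid"):
        return [s["id"] for s in local_sessions if s.get("sid") == claims["sid"]]
    return [s["id"] for s in local_sessions if s.get("sub") == claims["sub"]]


def handle_backchannel_logout(token: str, local_sessions: List[dict],
                              now: Optional[int] = None) -> List[str]:
    claims = validate_logout_token(verify_hs256(token), now=now)
    return sessions_to_terminate(claims, local_sessions)


# Constructed sample: the provider reports that its session "op-sess-42" ended.
SAMPLE_SESSIONS = [
    {"id": "local-1", "sub": "alice", "sid": "op-sess-42"},
    {"id": "local-2", "sub": "alice", "sid": "op-sess-43"},
    {"id": "local-3", "sub": "bob", "sid": "op-sess-99"},
]
SAMPLE_CLAIMS = {
    "iss": ISSUER, "aud": CLIENT_ID, "iat": 1_700_000_000, "jti": "evt-1",
    "sid": "op-sess-42", "events": {LOGOUT_EVENT: {}},
}

if __name__ == "__main__":
    token = make_logout_token(SAMPLE_CLAIMS)
    print(handle_backchannel_logout(token, SAMPLE_SESSIONS, now=1_700_000_030))
```

Only the session whose stored sid matches the token is ended; a token carrying sub without sid ends every session for that subject, which is the fallback the specification allows.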
Add Push Authentication Nodes
AM 7.1 adds a number of new authentication nodes to assist with push authentication:
New Account Active Check Authentication Module
AM 7.1 includes a new Account Active Check authentication module, which lets you determine whether an account is marked as active, or locked, without having to run through the remainder of the authentication chain.
For more details, see "Account Active Check Module".
New Properties Available to Claims and Access Token Scripts
AM 7.1 adds new properties to the OpenID Connect Claims and OAuth 2.0 Access Token Modification script types, for accessing the properties of the relevant client, and the incoming request.
For more details, see "Scripting OpenID Connect 1.0 Claims" and Modifying the Content of Access Tokens.
New Live and Ready Status Endpoints
AM 7.1 includes new endpoints to determine if an instance is alive, and ready to process requests.
For more details, see Monitoring Instances.
New Access to Secrets and Credentials in Authentication Scripts
AM 7.1 adds the ability for scripted decision nodes to access the secrets configured in AM secret stores.
For example, a script can access credentials or secrets defined in a file system secret volume in order to make outbound calls to a third-party REST service, without hard-coding those credentials in the script.
For more details, see "Accessing Credentials and Secrets".
New Support for PEM-Formatted Keys and Certificates
AM 7.1 adds support for loading the following PEM-formatted secrets:
Elliptic Curve and RSA private keys
OpenSSL format
PKCS#8 format
X.509 certificates
RSA public keys
(non-standard) AES secret keys
(non-standard) HMAC secret keys
(non-standard) Generic secrets, such as connection passwords or API keys
ForgeRock recommends that you use PEM secrets on the secret stores that support it:
For more information, see "Importing PEM-Formatted Keys".
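To see what a loader of the PEM formats listed above has to recognise, here is an added example (not ForgeRock code) that walks a PEM bundle, classifies each block by its armor label (the SEC1/PKCS#1 "OpenSSL" private-key labels, PKCS#8, X.509 certificates, SubjectPublicKeyInfo and PKCS#1 public keys) and checks that the body is base64 wrapping a DER SEQUENCE whose declared length matches the body. The non-standard AES, HMAC and generic secret encodings are not covered because this page does not give their labels; the sample bundle, its stand-in DER bodies and the "EXAMPLE SECRET" label are constructed, and the length check is a consistency check, not full ASN.1 validation.

```python
"""Classify and sanity-check the PEM blocks in a secret file (added example)."""
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

# armor label -> (what it holds, encoding)
KNOWN_LABELS = {
    "EC PRIVATE KEY": ("private key", "OpenSSL EC (SEC1)"),
    "RSA PRIVATE KEY": ("private key", "OpenSSL RSA (PKCS#1)"),
    "PRIVATE KEY": ("private key", "PKCS#8"),
    "ENCRYPTED PRIVATE KEY": ("private key", "PKCS#8, password-protected"),
    "CERTIFICATE": ("certificate", "X.509"),
    "PUBLIC KEY": ("public key", "SubjectPublicKeyInfo"),
    "RSA PUBLIC KEY": ("public key", "PKCS#1 RSA"),
}


def der_sequence_length(der: bytes):
    """Declared content length of an outer DER SEQUENCE, or None if it is not one."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return int.from_bytes(der[2:2 + n], "big")


def parse_pem(text: str) -> list:
    """One record per PEM block: label, classification, DER length and validity."""
    items = []
    for m in PEM_BLOCK.finditer(text):
        label = m.group("label")
        body = "".join(m.group("body").split())   # drop the 64-column line wrapping
        kind, encoding = KNOWN_LABELS.get(label, ("unknown", "label not recognised"))
        record = {"label": label, "kind": kind, "encoding": encoding,
                  "der_len": 0, "valid": False}
        try:
            der = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            record["reason"] = "body is not base64"
            items.append(record)
            continue
        record["der_len"] = len(der)
        declared = der_sequence_length(der)
        if declared is None:
            record["reason"] = "body does not start with a DER SEQUENCE"
        else:
            header = 2 + (der[1] - 0x80 if der[1] >= 0x80 else 0)
            record["valid"] = header + declared == len(der)
            if not record["valid"]:
                record["reason"] = "DER length does not match body"
        items.append(record)
    return items


def _pem(label: str, der: bytes) -> str:
    """Wrap constructed DER bytes in PEM armor with 64-column lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample bundle: tiny stand-in DER bodies, not real keys or certificates.
SAMPLE = (
    _pem("EC PRIVATE KEY", b"\x30\x03\x02\x01\x01")                       # SEQUENCE{INTEGER 1}
    + _pem("CERTIFICATE", b"\x30\x81\x80" + b"\x04\x7e" + b"\x00" * 126)  # long-form length
    + _pem("EXAMPLE SECRET", b"\x30\x00")                                  # label not in the table
    + "-----BEGIN PRIVATE KEY-----\n!!notbase64!!\n-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for record in parse_pem(SAMPLE):
        print(record)
```

Blocks with a label that is not in the table are still reported, so an operator can spot a secret that a loader expecting one of the standard labels would silently skip.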
The Session Service Now Uses Secret Stores
Client-based sessions and client-based authentication sessions now use secret stores for:
Signing JWTs with RSA and elliptic curve algorithms.
Encrypting JWTs with RSA algorithms.
The upgrade process migrates the relevant configuration to secret stores automatically.
HMAC signing secrets and symmetric AES keys for encryption have not been migrated yet, and are still available in the Session service configuration page.
For more information, see "Configuring Client-Based Session Security".
Loading Secrets from Google Secret Manager Supported
AM 7.1 now lets you load secrets from Google Secret Manager (GSM).
For more information, see "Google GSM Secret Stores".
New OATH Nodes
AM 7.1 adds two new multi-factor authentication nodes that replicate the existing OATH module functionality:
Major Improvements
Ability to track suspended authentication sessions in the audit log
AM debug logs now use an explicit timezone during logging to improve supportability
Improved locale assessment for message nodes
The "Message Node" now has better assessment of the locale to use when displaying messages to the user.
Improvements to the OTP Email Sender Node
On earlier versions of AM, the amount of time that the "OTP Email Sender Node" waited to declare that an outbound SMTP connection was unavailable depended on the operating system where AM ran.
AM 7.1.1 includes the following advanced server properties to configure the timeout:
org.forgerock.openam.smtp.system.connect.timeout
org.forgerock.openam.smtp.system.socket.read.timeout
org.forgerock.openam.smtp.system.socket.write.timeout
For more information, see Advanced Properties.
Proxy advanced server properties
Previous versions of AM could only specify the URL of the proxy to use when sending HTTP client requests to third parties, such as social identity providers, using JVM properties. These properties, however, cannot provide credentials to the proxy.
AM 7.1.1 includes the following advanced server properties to configure the proxy's URI and its credentials:
org.forgerock.openam.httpclienthandler.system.proxy.uri
org.forgerock.openam.httpclienthandler.system.proxy.username
org.forgerock.openam.httpclienthandler.system.proxy.password
org.forgerock.openam.httpclienthandler.system.nonProxyHosts
For more information, see "Configuring AM for Outbound Communication".
The SAML v2.0 Node Now Sets the successUrl Parameter
The SAML v2.0 authentication node now sets the successURL parameter in the tree's shared state to the value of the RelayState parameter in the request, if any. If the request does not provide a value, the node uses the default RelayState value configured in the SP.
The JWK URI Endpoint Can Now Return Duplicate Key IDs
Earlier versions of AM removed the alg parameter from the keys returned by the jwk_uri endpoint. Removing the alg parameter ensures that each key ID (kid) exposed by the endpoint matches a unique key, as recommended by the RFC7517 specification.
AM 7.1 includes a toggle, Include all kty and alg combinations in jwk_uri, that lets the endpoint display duplicate key IDs with their corresponding alg and kty parameters. The toggle property is disabled by default.
For more information, see "Displaying Every Algorithm and Key Type Associated to a Key ID".
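The consequence for a consumer of the jwk_uri document is that a kid no longer identifies one key, so a client that matches on kid alone may pick the wrong entry. The following added example (not ForgeRock code) reports key IDs that occur more than once in a JWKS and resolves a key by kid together with the alg (or, for entries without alg, the key type the alg implies), refusing to guess when several candidates remain. The JWKS document is constructed to resemble the endpoint with the toggle enabled; the "n", "e", "x" and "y" values are placeholders rather than key material.

```python
"""Detect duplicate kids in a JWKS and select keys by kid plus alg/kty (added example)."""
import json
from collections import defaultdict
from typing import Optional

# JWA algorithm -> key type it requires (used when a JWK carries no alg of its own)
ALG_TO_KTY = {
    "RS256": "RSA", "RS384": "RSA", "RS512": "RSA",
    "PS256": "RSA", "PS384": "RSA", "PS512": "RSA",
    "RSA1_5": "RSA", "RSA-OAEP": "RSA", "RSA-OAEP-256": "RSA",
    "ES256": "EC", "ES384": "EC", "ES512": "EC", "ECDH-ES": "EC",
}


def duplicate_kids(jwks: dict) -> dict:
    """Map each kid that appears more than once to its (kty, alg, use) combinations."""
    seen = defaultdict(list)
    for key in jwks.get("keys", []):
        seen[key.get("kid")].append((key.get("kty"), key.get("alg"), key.get("use")))
    return {kid: combos for kid, combos in seen.items() if len(combos) > 1}


def select_key(jwks: dict, kid: str, alg: Optional[str] = None) -> dict:
    """Resolve one JWK. When the document holds several entries for the kid, the
    alg the caller expects (taken from the JWS/JWE header and already checked
    against its own allow-list) must disambiguate; otherwise raise LookupError."""
    candidates = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if alg is not None:
        kty = ALG_TO_KTY.get(alg)
        candidates = [k for k in candidates
                      if k.get("alg") == alg
                      or (k.get("alg") is None and kty is not None and k.get("kty") == kty)]
    if len(candidates) != 1:
        raise LookupError(f"{len(candidates)} keys match kid={kid!r} alg={alg!r}")
    return candidates[0]


def load_jwks(text: str) -> dict:
    """Parse a JWKS document and reject one without a keys array."""
    doc = json.loads(text)
    if not isinstance(doc.get("keys"), list):
        raise ValueError("JWKS document has no keys array")
    return doc


# Constructed JWKS: one kid exposed for several kty/alg combinations, as the
# toggle allows, plus a unique encryption key and a legacy entry without alg.
SAMPLE_JWKS = load_jwks(json.dumps({
    "keys": [
        {"kty": "RSA", "kid": "sig-key-1", "use": "sig", "alg": "RS256", "n": "PLACEHOLDER", "e": "AQAB"},
        {"kty": "RSA", "kid": "sig-key-1", "use": "sig", "alg": "PS256", "n": "PLACEHOLDER", "e": "AQAB"},
        {"kty": "EC", "kid": "sig-key-1", "use": "sig", "alg": "ES256", "crv": "P-256",
         "x": "PLACEHOLDER", "y": "PLACEHOLDER"},
        {"kty": "RSA", "kid": "enc-key-1", "use": "enc", "alg": "RSA-OAEP-256", "n": "PLACEHOLDER", "e": "AQAB"},
        {"kty": "EC", "kid": "legacy-key", "use": "sig", "crv": "P-256", "x": "PLACEHOLDER", "y": "PLACEHOLDER"},
    ]
}))

if __name__ == "__main__":
    for kid, combos in duplicate_kids(SAMPLE_JWKS).items():
        print(f"kid {kid!r} appears {len(combos)} times: {combos}")
    print(select_key(SAMPLE_JWKS, "sig-key-1", "ES256")["kty"])
```

Running `duplicate_kids` against a deployment's jwk_uri output before enabling the toggle tells you which relying parties' key selection logic needs to key on alg and kty rather than kid alone.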
Improved Workflow for Adding Servers to Existing Deployments
A new option is available when installing an AM instance which lets you choose whether the instance is standalone, or part of an existing deployment.
For more information, see "To Add a Server to a Site".
Improved Client Connection Handling
AM 7.1 improves the way its ClientHandler code handles connection pools and timeouts. This affects client connections that AM opens against third parties, such as social identity providers.
As part of this change, AM includes the following new advanced server properties:
org.forgerock.openam.httpclienthandler.system.clients.connection.timeout
org.forgerock.openam.httpclienthandler.system.clients.max.connections
org.forgerock.openam.httpclienthandler.system.clients.pool.ttl
org.forgerock.openam.httpclienthandler.system.clients.response.timeout
org.forgerock.openam.httpclienthandler.system.clients.retry.failed.requests.enabled
org.forgerock.openam.httpclienthandler.system.clients.reuse.connections.enabled
For more information, see "Advanced Properties".
Configuration Upgrade Tool Distributed With AM ZIP
The AM-7.1.2.zip file now includes a configuration file upgrade tool for converting configuration files exported with the Amster command. The tool is provided in the Config-Upgrader-7.1.2.zip file, which is inside the AM-7.1.2.zip file.
For more information, see What's New in the Amster documentation.
Changes to the Retry Limit Decision Node
The "Retry Limit Decision Node" can now persist the number of failed login attempts in the identity store between successful authentications.
To support this change, the following LDIF schema files have been updated:
ad_user_schema.ldif
adam_user_schema.ldif
odsee_user_schema.ldif
opendj_remove_user_schema.ldif
opendj_user_schema.ldif
tivoli_user_schema.ldif
Moreover, a new file, opendj_retry_limit_node_count.ldif, has been added to the AM deliverables, and the DS identity setup profile has been updated.
This new functionality is enabled by default. You must apply the new schema(s) to the identity store when upgrading to AM 7.1.
For more information, see Upgrading AM Instances.
Improved AES Wrap Encryption Performance
AM 7.1 includes a new advanced server property, org.forgerock.openam.encryption.useextractandexpand, that specifies whether to use an improved algorithm that reduces the cost of AES Key Wrap encryption even when high iteration counts are used.
The new algorithm is backwards-compatible: data already encrypted will be decrypted at the old performance cost, and newly-encrypted data will benefit from the improvements.
The property is disabled by default after upgrading to AM 7.1. To enable it, configure it in your container's environment file.
For more information, see "Preparing AES Key Wrap Encryption".
The Social Provider Handler Node Can Now Be Used in Standalone AM Deployments
Previous versions of AM required a ForgeRock Identity Platform deployment to use the "Social Provider Handler Node".
AM 7.1 can use the node in standalone mode. The node uses the identity store configured in the realm to retrieve the user's profile, if it exists. However, account claiming remains a ForgeRock Identity Platform-only feature.
As part of this change, the following authentication nodes have been deprecated:
The Social Authentication Implementations Service is also deprecated.
The Social Authentication documentation page has been updated with information about configuring the "Social Provider Handler Node", the "Select Identity Provider Node", and the Social Identity Provider Service.
Web Authentication Improvements
You can now use the Android SafetyNet attestation format when registering and authenticating with Android devices using WebAuthn.
The "WebAuthn Authentication Node" also now supports FacetID for mobile as per the FIDO AppID and Facet Specification.
Both the "WebAuthn Registration Node" and the "WebAuthn Authentication Node" now return JSON as part of their metadata callbacks.
Security Advisories
ForgeRock issues security advisories in collaboration with our customers and the open source community to address any security vulnerabilities transparently and rapidly. ForgeRock's security advisory policy governs how security issues are submitted, received, and evaluated, as well as the timeline for the issuance of security advisories and patches.
For details of all the security advisories across ForgeRock products, see Security Advisories in the Knowledge Base.