This chapter covers the new features and improvements made in the current release of ForgeRock Access Management.
For end of service life dates (EOSL), see the Checking Your Product Versions Are Supported article in the ForgeRock Knowledge Base.
ForgeRock Access Management 7.1 is a minor release that introduces new features, functional enhancements, and fixes.
OAuth 2.0 and OpenID Connect Token Exchange Support
Following the OAuth 2.0 Token Exchange specification, AM 7.1 now lets you exchange ID tokens and access tokens in delegation and impersonation use cases.
For more information, see OAuth 2.0 Token Exchange.
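The following is an added example, not ForgeRock code and not taken from the AM documentation. It shows the shape of an RFC 8693 token exchange request for the two use cases named above (impersonation sends only a subject token; delegation also sends an actor token) and how a resource server reads the delegation chain that the issued token records in nested act claims. The token endpoint URL, client names and sample claims are constructed placeholders; the actual endpoint depends on the AM deployment.

```python
"""Added example (not ForgeRock's code): RFC 8693 token exchange request
parameters and inspection of the delegation chain in the issued token.
The endpoint URL and the sample claims below are constructed placeholders."""
from urllib.parse import urlencode

# Constructed placeholder; the real endpoint depends on the AM deployment.
TOKEN_ENDPOINT = "https://am.example.com/am/oauth2/realms/root/access_token"

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"


def build_exchange_request(subject_token, subject_token_type,
                           actor_token=None, actor_token_type=None,
                           requested_token_type=ACCESS_TOKEN_TYPE,
                           audience=None, scope=None):
    """Return the form parameters of a token exchange request.

    Impersonation sends only the subject token: the issued token looks as if
    it were issued to the subject. Delegation also sends an actor token, and
    the issued token records the actor in an `act` claim.
    """
    params = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": subject_token_type,
        "requested_token_type": requested_token_type,
    }
    if actor_token is not None:
        if not actor_token_type:
            raise ValueError("actor_token_type is required with actor_token")
        params["actor_token"] = actor_token
        params["actor_token_type"] = actor_token_type
    if audience:
        params["audience"] = audience
    if scope:
        params["scope"] = scope
    return params


def actor_chain(claims):
    """Walk nested `act` claims (RFC 8693 section 4.1) and return the actor
    subjects, current actor first, earliest actor last. An empty list means
    no delegation was recorded, i.e. an impersonation token."""
    chain = []
    act = claims.get("act")
    while isinstance(act, dict):
        chain.append(act.get("sub"))
        act = act.get("act")
    return chain


def effective_party(claims):
    """The party acting on the token: the current actor if delegated,
    otherwise the subject itself. Useful when authorizing a delegated call."""
    chain = actor_chain(claims)
    return chain[0] if chain else claims.get("sub")


# Constructed sample: alice delegated to service-a, which had earlier been
# delegated to by gateway (nested act claim).
SAMPLE_DELEGATED_CLAIMS = {
    "sub": "alice",
    "aud": "https://api.example.com",
    "scope": "orders:read",
    "act": {"sub": "service-a", "act": {"sub": "gateway"}},
}

if __name__ == "__main__":
    body = urlencode(build_exchange_request(
        subject_token="<subject id token>", subject_token_type=ID_TOKEN_TYPE,
        actor_token="<service-a access token>",
        actor_token_type=ACCESS_TOKEN_TYPE,
        audience="https://api.example.com"))
    print("POST", TOKEN_ENDPOINT)
    print(body)
    print("actor chain:", actor_chain(SAMPLE_DELEGATED_CLAIMS))
```

When authorizing a delegated call, a resource server should base its decision on both the subject and the current actor rather than on the subject alone, which is what effective_party makes explicit.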
Social Identity Provider Client Improvements
AM 7.1 enhances the OAuth 2.0/OpenID Connect client support offered in the Social Identity Provider Service. To connect to financial-grade identity providers, AM and ForgeRock Identity Platform can now:
Send acr_values to specify a set of rules that the authorization request must satisfy when authenticating to the provider; for example, using multi-factor authentication.
A new property, ACR Values, has been added to the OpenID Connect secondary configuration of the Social Identity Provider Service.
Accept encrypted ID tokens.
AM includes a new JWK URI, which the provider can use to obtain keys for verifying request object signatures, and for encrypting ID tokens.
Two new properties have been added to the OpenID Connect secondary configuration of the Social Identity Provider Service:
OP Encrypts ID Tokens
Send request parameters in a JWT, or as a reference to a JWT.
The JWT is always signed, and optionally encrypted.
As part of this change, the following fields have been added to the OpenID Connect secondary configuration of the Social Identity Provider Service:
Request Parameter JWT Option
Request Object Audience
Encrypt Request Parameter JWT
JWT Signing Algorithm
JWT Encryption Algorithm
JWT Encryption Method
Authenticate using a JWT or mutual TLS (mTLS).
The JWT is always signed, and optionally encrypted.
As part of this change, the Use Basic Auth switch in the client has been replaced with the Client Authentication Method drop-down list, which contains the following options:
Moreover, AM 7.1 also includes a new advanced server property, openam.private.key.jwt.encryption.algorithm.whitelist, that specifies the algorithms that the client can use to encrypt both authentication JWTs and request object JWTs.
Allow providers to return ID tokens by submitting an HTML form using the HTTP POST method, as defined in the OAuth 2.0 Form Post Response Mode specification.
To support this, the Response Mode drop-down list has been added to the OpenID Connect secondary configuration of the Social Identity Provider Service.
In addition, the Redirect after form post URL property has been added to support the form post response mode in custom login pages.
AM now also provides preconfigured clients for Apple and itsme.
OpenID Connect Backchannel Logout Supported
As the OpenID provider, AM 7.1 now supports the OpenID Connect Back-Channel Logout 1.0 Draft 06. This draft lets AM send logout tokens to relevant relying parties when a session associated with an ID token becomes invalid.
As part of this change, the Store OPS Tokens switch, used to enable session management at the provider, has been renamed to OIDC Session Management.
Also, when OIDC Session Management is enabled, ID tokens will now contain a new claim, sid, which specifies a session ID that identifies the relying party's session with the provider. The sid can also be found in the logout tokens, if enabled.
For more information, see "Informing Relying Parties that a Session has Expired".
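As an added example (not ForgeRock code, and not part of the AM documentation), the block below shows what a relying party has to do with a back-channel logout token like the one described above: verify the signature, apply the claim rules of the Back-Channel Logout 1.0 draft (issuer, audience, iat, jti, the backchannel-logout event, sub or sid, and no nonce), reject replays by jti, and end the local sessions whose sid matches. The issuer, client ID, shared secret and in-memory session table are constructed for the example; HS256 with a client secret is assumed so the block runs offline, whereas a token from AM would typically be RS256 and verified with the provider's JWK, which changes only the signature step.

```python
"""Added example (not ForgeRock's code): relying-party handling of an OIDC
back-channel logout token. Constructed assumptions: HS256 with a shared
client secret, the issuer/client IDs in __main__, an in-memory session table."""
import base64
import hashlib
import hmac
import json
import time

LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256_token(claims, secret):
    """Constructed helper that mints a sample logout token for the demo."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def verify_hs256(token, secret):
    """Verify the compact JWS signature and return its claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust the header's choice
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


def validate_logout_claims(claims, issuer, client_id, now, max_age=300):
    """Logout token rules: iss/aud/iat, a jti, the logout event, sub or sid,
    and no nonce (a logout token must never pass as an ID token)."""
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or not (now - max_age <= iat <= now + 60):
        raise ValueError("iat outside the accepted window")
    if not claims.get("jti"):
        raise ValueError("missing jti")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(LOGOUT_EVENT), dict):
        raise ValueError("missing backchannel-logout event")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("neither sub nor sid present")
    if "nonce" in claims:
        raise ValueError("nonce present, not a logout token")


def handle_logout(token, secret, issuer, client_id, sessions, seen_jti, now=None):
    """Verify and validate the token, then end the matching local sessions.
    `sessions` maps local session id -> {"sub": ..., "sid": ...}; returns the
    ids that were terminated. A token without sid ends all of the user's sessions."""
    now = time.time() if now is None else now
    claims = verify_hs256(token, secret)
    validate_logout_claims(claims, issuer, client_id, now)
    if claims["jti"] in seen_jti:
        raise ValueError("replayed logout token")
    seen_jti.add(claims["jti"])
    ended = []
    for local_id, s in list(sessions.items()):
        by_sid = "sid" in claims and s.get("sid") == claims["sid"]
        by_sub = "sid" not in claims and s.get("sub") == claims.get("sub")
        if by_sid or by_sub:
            ended.append(local_id)
            del sessions[local_id]
    return ended


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    issuer, client = "https://am.example.com/am/oauth2", "rp-client"
    tok = make_hs256_token({"iss": issuer, "aud": client, "iat": int(time.time()),
                            "jti": "jti-1", "events": {LOGOUT_EVENT: {}},
                            "sid": "sess-1"}, secret)
    sessions = {"L1": {"sub": "alice", "sid": "sess-1"},
                "L2": {"sub": "alice", "sid": "sess-2"}}
    print(handle_logout(tok, secret, issuer, client, sessions, set()))
```

The jti set is the replay guard the draft asks for; in a real relying party it would be a short-lived store shared by all instances, expiring entries once they fall outside the iat window.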
Add Push Authentication Nodes
AM 7.1 adds a number of new authentication nodes to assist with push authentication:
New Account Active Check Authentication Module
AM 7.1 includes a new Account Active Check authentication module, which lets you determine whether an account is marked as active, or locked, without having to run through the remainder of the authentication chain.
For more details, see "Account Active Check Module".
New Properties Available to Claims and Access Token Scripts
AM 7.1 adds new properties to the OpenID Connect Claims and OAuth 2.0 Access Token Modification script types, for accessing the properties of the relevant client, and the incoming request.
New Live and Ready Status Endpoints
AM 7.1 includes new endpoints to determine if an instance is alive, and ready to process requests.
For more details, see Monitoring Instances.
New Access to Secrets and Credentials in Authentication Scripts
AM 7.1 adds the ability for scripted decision nodes to access the secrets configured in AM secret stores.
For example, a script can access credentials or secrets defined in a file system secret volume in order to make outbound calls to a third-party REST service, without hard-coding those credentials in the script.
For more details, see "Accessing Credentials and Secrets".
New Support for PEM-Formatted Keys and Certificates
AM 7.1 adds support for loading the following PEM-formatted secrets:
Elliptic Curve and RSA private keys
RSA public keys
(non-standard) AES secret keys
(non-standard) HMAC secret keys
(non-standard) Generic secrets, such as connection passwords or API keys
ForgeRock recommends that you use PEM secrets on the secret stores that support it:
For more information, see "Importing PEM-Formatted Keys".
The Session Service Now Uses Secret Stores
Client-based sessions and client-based authentication sessions now use secret stores for:
Signing JWTs with RSA and elliptic curve algorithms.
Encrypting JWTs with RSA algorithms.
The upgrade process migrates the relevant configuration to secret stores automatically.
HMAC signing secrets and symmetric AES keys for encryption have not been migrated yet, and are still available in the Session service configuration page.
For more information, see "Configuring Client-Based Session Security".
Loading Secrets from Google Secret Manager Supported
AM 7.1 now lets you load secrets from Google Secret Manager (GSM).
For more information, see "Google GSM Secret Stores".
The SAML v2.0 Node Now Sets the
The SAML v2.0 authentication node now sets the successURL parameter in the tree's shared state to the value of the RelayState parameter in the request, if any. If the request does not provide a value, the node uses the default RelayState value configured in the SP.
The JWK URI Endpoint Can Now Return Duplicate Key IDs
Earlier versions of AM removed the
alg parameter from the keys returned by the
alg parameter ensures that each key ID (kid) exposed by the endpoint matches a unique key, as recommended by the RFC 7517 specification.
AM 7.1 includes a toggle, Include all kty and alg combinations in jwk_uri, that lets the endpoint display duplicate key IDs with their corresponding
The toggle property is disabled by default.
For more information, see "Displaying Every Algorithm and Key Type Associated to a Key ID".
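Once the toggle is enabled, a JWK Set may contain several entries with the same kid that differ only in kty and alg, so a consumer that looks keys up by kid alone becomes ambiguous. The block below is an added example (not ForgeRock code) of selecting a verification key by kid, the alg from the JWS header and the expected kty, refusing both a missing match and an ambiguous one. The JWK Set is constructed and its key material is placeholder text, not real keys.

```python
"""Added example (not ForgeRock's code): picking a verification key from a
JWK Set that publishes the same kid for several kty/alg combinations.
SAMPLE_JWKS is constructed; "PLACEHOLDER" stands in for real key material."""
import json

# Constructed JWK Set: two keys share kid "2021-key" (one RSA, one EC).
SAMPLE_JWKS = json.loads("""
{"keys": [
 {"kty": "RSA", "kid": "2021-key", "alg": "RS256", "use": "sig",
  "n": "PLACEHOLDER", "e": "AQAB"},
 {"kty": "EC",  "kid": "2021-key", "alg": "ES256", "use": "sig",
  "crv": "P-256", "x": "PLACEHOLDER", "y": "PLACEHOLDER"},
 {"kty": "RSA", "kid": "old-key",  "alg": "RS256", "use": "sig",
  "n": "PLACEHOLDER", "e": "AQAB"}
]}""")

# Allowlist of signature algorithms and the key type each one requires.
# Anything outside this table (including "none" and HMAC) is rejected.
ALG_TO_KTY = {
    "RS256": "RSA", "RS384": "RSA", "RS512": "RSA",
    "PS256": "RSA", "PS384": "RSA", "PS512": "RSA",
    "ES256": "EC", "ES384": "EC", "ES512": "EC",
}


def select_key(jwks, kid, alg, use="sig"):
    """Return the single JWK matching kid, alg and use.

    Raises LookupError if nothing matches and ValueError if more than one
    entry does, so an ambiguous set is never resolved by 'first match wins'.
    """
    expected_kty = ALG_TO_KTY.get(alg)
    if expected_kty is None:
        raise ValueError(f"unsupported alg {alg!r}")
    matches = []
    for key in jwks.get("keys", []):
        if key.get("kid") != kid or key.get("kty") != expected_kty:
            continue
        if key.get("use", use) != use:
            continue
        # A key that states its alg must agree with the header's alg.
        if "alg" in key and key["alg"] != alg:
            continue
        matches.append(key)
    if not matches:
        raise LookupError(f"no key for kid={kid!r} alg={alg!r}")
    if len(matches) > 1:
        raise ValueError(f"ambiguous kid={kid!r} for alg={alg!r}")
    return matches[0]


def duplicate_kids(jwks):
    """List the kids that appear more than once, so an operator can see what
    the endpoint publishes after enabling the toggle."""
    counts = {}
    for key in jwks.get("keys", []):
        counts[key.get("kid")] = counts.get(key.get("kid"), 0) + 1
    return sorted(kid for kid, n in counts.items() if n > 1)


if __name__ == "__main__":
    print("duplicate kids:", duplicate_kids(SAMPLE_JWKS))
    print("ES256 ->", select_key(SAMPLE_JWKS, "2021-key", "ES256")["kty"])
    print("RS256 ->", select_key(SAMPLE_JWKS, "2021-key", "RS256")["kty"])
```

The header alg is validated against the allowlist before it is used for key selection, so the JWS header cannot steer the lookup to an unexpected key type.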
Improved Workflow for Adding Servers to Existing Deployments
A new option is available when installing an AM instance which lets you choose whether the instance is standalone, or part of an existing deployment.
For more information, see "To Add a Server to a Site".
Improved Client Connection Handling
AM 7.1 improves the way its ClientHandler code handles connection pools and timeouts. This affects client connections that AM opens against third parties, such as social identity providers.
As part of this change, AM includes the following new advanced server properties:
For more information, see "Advanced Properties".
Configuration Upgrade Tool Distributed With AM ZIP
The AM-7.1.0.zip file now includes a configuration file upgrade tool for converting configuration files exported with the Amster command. The tool is provided in the Config-Upgrader-7.1.0.zip file, which is inside the
For more information, see What’s New in the Amster documentation.
Changes to the Retry Limit Decision Node
The "Retry Limit Decision Node" can now persist the number of failed login attempts in the identity store between successful authentications.
To support this change, the following LDIF schema files have been updated:
Moreover, a new file, opendj_retry_limit_node_count.ldif, has been added to the AM deliverables, and the DS identity setup profile has been updated.
This new functionality is enabled by default. You must apply the new schema(s) to the identity store when upgrading to AM 7.1.
For more information, see Upgrading AM Instances.
Improved AES Wrap Encryption Performance
AM 7.1 includes a new advanced server property, org.forgerock.openam.encryption.useextractandexpand, that specifies whether to use an improved algorithm that reduces the cost of AES Key Wrap encryption even when high iteration counts are used.
The new algorithm is backwards-compatible; data already encrypted will be decrypted at the old performance cost, and newly-encrypted data will benefit from the improvements.
The property is disabled by default after upgrading to AM 7.1. To enable it, configure it in your container's environment file.
For more information, see "Preparing AES Key Wrap Encryption".
The Social Provider Handler Node Can Now Be Used in Standalone AM Deployments
Previous versions of AM required a ForgeRock Identity Platform deployment to use the "Social Provider Handler Node".
AM 7.1 can use the node in standalone mode. The node will use the identity store configured in the realm to retrieve the user's profile, if one exists. However, account claiming remains a ForgeRock Identity Platform-only feature.
As part of this change, the following authentication nodes have been deprecated:
The Social Authentication Implementations Service is also deprecated.
The Social Authentication documentation page has been updated with information about configuring the "Social Provider Handler Node", the "Select Identity Provider Node", and the Social Identity Provider Service.
Web Authentication Improvements
You can now use the Android SafetyNet attestation format when registering and authenticating with Android devices using WebAuthn.
ForgeRock issues security advisories in collaboration with our customers and the open source community to address any security vulnerabilities transparently and rapidly. ForgeRock's security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.
For details of all the security advisories across ForgeRock products, see Security Advisories in the Knowledge Base.