What's New

• AM 7.1.2 is the latest release targeted for AM 7.1 deployments. Download it from the ForgeRock Backstage website.

ForgeRock Access Management 7.1.2 is a minor release that introduces new features, functional enhancements, and fixes.

• org.forgerock.openam.encryption.padshortinputs system property for AES Key Wrap encryption

  A new Java system property (org.forgerock.openam.encryption.padshortinputs) pads short inputs for compatibility with Java 17.

  For details, see "Preparing AES Key Wrap Encryption".

• org.forgerock.openam.authentication.forceAuth.enabled advanced server property for authentication chains

  A new advanced server property (org.forgerock.openam.authentication.forceAuth.enabled) controls the ForceAuth authentication property for chains.

  For details, see org.forgerock.openam.authentication.forceAuth.enabled.

• No new features have been added in this release.

ForgeRock Access Management 7.1 is a minor release that introduces new features, functional enhancements, and fixes.

• OAuth 2.0 and OpenID Connect Token Exchange Support

  Following the OAuth 2.0 Token Exchange specification, AM 7.1 now lets you exchange ID tokens and access tokens in delegation and impersonation use cases.

  For more information, see OAuth 2.0 Token Exchange.

• Social Identity Provider Client Improvements

  AM 7.1 enhances the OAuth 2.0/OpenID Connect client support offered in the Social Identity Provider Service. To connect to financial-grade identity providers, AM and ForgeRock Identity Platform can now:

  • Configure acr values to specify a set of rules that the authorization request must satisfy when authenticating to the provider; for example, using multi-factor authentication.

    Learn More

    A new property, ACR Values, has been to the OpenID Connect secondary configuration of the Social Identity Provider Service.

  • Accept encrypted ID tokens.

    Learn More

    AM includes a new JWK URI, which the provider can use to obtain keys for verifying request object signatures, and for encrypting ID tokens.

    Two new properties have been added to the OpenID Connect secondary configuration of the Social Identity Provider Service:

    • OP Encrypts ID Tokens

    • Issuer

  • Send request parameters in a JWT, or as a reference to a JWT.

    Learn More

    The JWT is always signed, and optionally encrypted.

    As part of this change, the following fields have been added to the OpenID Connect secondary configuration of the Social Identity Provider Service:

    • Request Parameter JWT Option

    • Request Object Audience

    • Encrypt Request Parameter JWT

    • JWT Signing Algorithm

    • JWT Encryption Algorithm

    • JWT Encryption Method

  • Authenticate using a JWT or mutual TLS (mTLS).

    Learn More

    The JWT is always signed, and optionally encrypted.

    As part of this change, the Use Basic Auth switch in the client has been replaced with the Client Authentication Method drop-down list, which contains the following options:

    • CLIENT_SECRET_POST

    • CLIENT_SECRET_BASIC

    • PRIVATE_KEY_JWT

    • ENCRYPTED_PRIVATE_KEY_JWT

    • TLS_CLIENT_AUTH

    • SELF_SIGNED_TLS_CLIENT_AUTH

    Moreover, AM 7.1 also includes a new advanced server property, openam.private.key.jwt.encryption.algorithm.whitelist, that specifies the algorithms that the client can use to encrypt both authentication JWTs and request object JWTs.

  • Allow providers to return ID tokens by submitting an HTML form using the HTTP POST method, as defined in the OAuth 2.0 Form Post Response Mode specification.

    Learn More

    Moreover, the Response Mode drop-down list has been added to the OpenID Connect secondary configuration of the Social Identity Provider Service.

    Moreover, the Redirect after form post URL property has been added to support the form post response mode in custom login pages.

  Moreover, AM now provides a preconfigured client for Apple and itsme.

  For more details, see Social Authentication and "/oauth2/connect/rp/jwk_uri".

• OpenID Connect Backchannel Logout Supported

  As the OpenID provider, AM 7.1 now supports the OpenID Connect Back-Channel Logout 1.0 Draft 06. This draft lets AM send logout tokens to relevant relying parties when a session associated with an ID token becomes invalid.

  As part of this change, the Store OPS Tokens switch, used to enable session management at the provider, has been renamed to OIDC Session Management.

  Also, when OIDC Session Management is enabled, ID tokens will now contain a new claim, sid, which specifies a session ID that identifies the relying party's session with the provider. The sid can also be found in the logout tokens, if enabled.

  For more information, see "Informing Relying Parties that a Session has Expired".

• Add Push Authentication Nodes

  AM 7.1 adds a number of new authentication nodes to assist with push authentication:

  • Opt-out Multi-Factor Authentication Node

  • Push Registration Node

  • MFA Registration Options Node

  • Get Authenticator App Node

• New Account Active Check Authentication Module

  AM 7.1 includes a new Account Active Check authentication module, which lets you determine whether an account is marked as active, or locked, without having to run through the remainder of the authentication chain.

  For more details, see "Account Active Check Module".

• New Properties Available to Claims and Access Token Scripts

  AM 7.1 adds new properties to the OpenID Connect Claims and OAuth 2.0 Access Token Modification script types, for accessing the properties of the relevant client, and the incoming request.

  For more details, see "Scripting OpenID Connect 1.0 Claims" and Modifying the Content of Access Tokens.

• New Live and Ready Status Endpoints

  AM 7.1 includes new endpoints to determine if an instance is alive, and ready to process requests.

  For more details, see Monitoring Instances.

• New Access to Secrets and Credentials in Authentication Scripts

  AM 7.1 adds the ability for scripted decision nodes to access the secrets configured in AM secret stores.

  For example, a script can access credentials or secrets defined in a file system secret volume in order to make outbound calls to a third-party REST service, without hard-coding those credentials in the script.

  For more details, see "Accessing Credentials and Secrets".

• New Support for PEM-Formatted Keys and Certificates

  AM 7.1 adds support for loading the following PEM-formatted secrets:

  • Elliptic Curve and RSA private keys

    • OpenSSL format

    • PKCS#8 format

  • X.509 certificates

  • RSA public keys

  • (non-standard) AES secret keys

  • (non-standard) HMAC secret keys

  • (non-standard) Generic secrets, such as connection passwords or API keys

  ForgeRock recommends that you use PEM secrets on the secret stores that support it:

  • "The Environment and System Property Secrets Store"

  • "File System Secret Volumes Secret Stores"

  • "Google GSM Secret Stores"

  For more information, see "Importing PEM-Formatted Keys".

• The Session Service Now Uses Secret Stores

  Client-based sessions and client-based authentication sessions now use secret stores for:

  • Signing JWTs with RSA and elliptic curve algorithms.

  • Encrypting JWTs with RSA algorithms.

  The upgrade process migrates the relevant configuration to secret stores automatically.

  HMAC signing secrets and symmetric AES keys for encryption have not been migrated yet, and are still available in the Session service configuration page.

  For more information, see "Configuring Client-Based Session Security".

• Loading Secrets from Google Secret Manager Supported

  AM 7.1 now lets you load secrets from Google Secret Manager (GSM).

  For more information, see "Google GSM Secret Stores".

• New OATH Nodes

  AM 7.1 adds two new multi-factor authentication nodes that replicate the existing OATH module functionality:

  • OATH Registration Node

  • OATH Token Verifier Node

• Ability to track suspended authentication sessions in the audit log

• AM debug logs now use an explicit timezone during logging to improve supportability

• Improved locale assessment for message nodes

  The "Message Node" now has better assessment of the locale to use when displaying messages to the user.

• Improvements to the OTP Email Sender Node

  On earlier versions of AM, the amount of time that the "OTP Email Sender Node" waited to declare that an outbound SMTP connection was unavailable depended on the operating system where AM ran.

  AM 7.1.1 includes the following advanced server properties to configure the timeout:

  • org.forgerock.openam.smtp.system.connect.timeout

  • org.forgerock.openam.smtp.system.socket.read.timeout

  • org.forgerock.openam.smtp.system.socket.write.timeout

  For more information, see Advanced Properties.

• Proxy advanced server properties

  Previous versions of AM could only specify the URL of the proxy to use when sending HTTP client requests to third parties, such as social identity providers, using JVM properties. These properties, however, cannot provide credentials to the proxy.

  AM 7.1.1 includes the following advanced server properties to configure the proxy's URI and its credentials:

  • org.forgerock.openam.httpclienthandler.system.proxy.uri

  • org.forgerock.openam.httpclienthandler.system.proxy.username

  • org.forgerock.openam.httpclienthandler.system.proxy.password

  • org.forgerock.openam.httpclienthandler.system.nonProxyHosts

  For more information, see "Configuring AM for Outbound Communication".

• The SAML v2.0 Node Now Sets the successUrl Parameter

  The SAML v2.0 authentication node now sets the successURL parameter in the tree's shared state to the value of the RelayState parameter in the request, if any.

  If the request does not provide a value, the node uses the default RelayState value configured in the SP.

• The JWK URI Endpoint Can Now Return Duplicate Key IDs

  Earlier versions of AM removed the alg parameter from the keys returned by the jwk_uri endpoint.

  Removing the alg parameter ensures that each key ID (kid) exposed by the endpoint matches a unique key, as recommended by the RFC7517 specification.

  AM 7.1 includes a toggle, Include all kty and alg combinations in jwk_uri, that lets the endpoint display duplicate key IDs with their corresponding alg and kty parameters.

  The toggle property is disabled by default.

  For more information, see "Displaying Every Algorithm and Key Type Associated to a Key ID".

• Improved Workflow for Adding Servers to Existing Deployments

  A new option is available when installing an AM instance which lets you choose whether the instance is standalone, or part of an existing deployment.

  For more information, see "To Add a Server to a Site".

• Improved Client Connection Handling

  AM 7.1 improves the way its ClientHandler code handles connection pools and timeouts. This affects client connections that AM opens against third parties, such as social identity providers.

  As part of this change, AM includes the following new advanced server properties:

  • org.forgerock.openam.httpclienthandler.system.clients.connection.timeout

  • org.forgerock.openam.httpclienthandler.system.clients.max.connections

  • org.forgerock.openam.httpclienthandler.system.clients.pool.ttl

  • org.forgerock.openam.httpclienthandler.system.clients.response.timeout

  • org.forgerock.openam.httpclienthandler.system.clients.retry.failed.requests.enabled

  • org.forgerock.openam.httpclienthandler.system.clients.reuse.connections.enabled

  For more information, see "Advanced Properties".

• Configuration Upgrade Tool Distributed With AM ZIP

  The AM-7.1.2.zip file now includes a configuration file upgrade tool for converting configuration files exported with the Amster command. The tool is provided in the Config-Upgrader-7.1.2.zip file, which is inside the AM-7.1.2.zip file.

  For more information, see What’s New in the Amster documentation.

• Changes to the Retry Limit Decision Node

  The "Retry Limit Decision Node" can now persist the number of failed login attempts in the identity store between successful authentications.

  To support this change, the following LDIF schema files have been updated:

  • ad_user_schema.ldif

  • adam_user_schema.ldif

  • odsee_user_schema.ldif

  • opendj_remove_user_schema.ldif

  • opendj_user_schema.ldif

  • tivoli_user_schema.ldif

  Moreover, a new file, opendj_retry_limit_node_count.ldif, has been added to the AM deliverables, and the DS identity setup profile has been updated.

  This new functionality is enabled by default. You must apply the new schema(s) to the identity store when upgrading to AM 7.1.

  For more information, see Upgrading AM Instances.

• Improved AES Wrap Encryption Performance

  AM 7.1 includes a new advanced server property, org.forgerock.openam.encryption.useextractandexpand, that specifies whether to use an improved algorithm that reduces the cost of AES Key Wrap encryption even when high iteration counts are used.

  The new algorithm is backwards-compatible; data already encrypted will be decrypted at the old performance cost, and newly-encrypted data will benefit from the improvements.

  The property is disabled by default after upgrading to AM 7.1. To enable it, configure it in your container's environment file.

  For more information, see "Preparing AES Key Wrap Encryption".

• The Social Provider Handler Node Can Now Be Used in Standalone AM Deployments

  Previous versions of AM required a ForgeRock Identity Platform deployment to use the "Social Provider Handler Node".

  AM 7.1 can use the node in standalone mode. The node will use the identity store configured in the realm to retrieve the user's profile, if exists. However, account claiming remains a ForgeRock Identity Platform-only feature.

  As part of this change, the following authentication nodes have been deprecated:

  • "OpenID Connect Node"

  • "OAuth 2.0 Node"

  • "Social Facebook Node"

  • "Social Google Node"

  • "Provision IDM Account Node"

  The Social Authentication Implementations Service is also deprecated.

  The Social Authentication documentation page has been updated with information about configuring the "Social Provider Handler Node", the "Select Identity Provider Node", and the Social Identity Provider Service.

• Web Authentication Improvements

  • You can now use the Android SafetyNet attestation format when registering and authenticating with Android devices using WebAuthn.

  • The "WebAuthn Authentication Node" also now supports FacetID for mobile as per the FIDO AppID and Facet Specification.

  • Both the "WebAuthn Registration Node" and the "WebAuthn Authentication Node" now return a JSON as part of their metadata callbacks.