AM 7.2.1


The following limitations and workarounds apply to AM 7.2:

Evaluation installation limitations

In some cases, installing AM for evaluation purposes will fail with a message similar to the following if the JDK’s default truststore’s permissions are 444:

$JAVA_HOME/lib/security/cacerts (Permission denied), refer to install.log under /path/to/install.log for more information.

To work around this issue, locate the truststore that your container is using and change its permissions to 644 before installing AM:

$ sudo chmod 644 $JAVA_HOME/lib/security/cacerts

You can change the permissions to their original settings after you have installed AM.
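
The workaround above as a single step that records the truststore's current mode, sets 644 for the duration of the install, and restores the recorded mode even if the install fails. This is an added example, not part of the ForgeRock documentation; the function names get_mode and with_writable_truststore and the installer command in the final comment are hypothetical, and the script must run as a user allowed to chmod the truststore (for example via sudo).

```shell
#!/bin/sh
# Added example: temporarily relax truststore permissions for an AM
# evaluation install, then put the original mode back.

# Print the octal permission bits of a file.
# -L dereferences symlinks: cacerts is often a symlink, and chmod follows
# it, so the mode recorded must be the target's, not the link's.
# Tries GNU stat first, then BSD stat.
get_mode() {
    stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1"
}

# with_writable_truststore TRUSTSTORE COMMAND [ARGS...]
# Returns COMMAND's exit status, 2 if the truststore could not be
# prepared, or 3 if the original mode could not be restored.
with_writable_truststore() {
    ts_store=$1
    shift
    if [ ! -f "$ts_store" ]; then
        echo "truststore not found: $ts_store" >&2
        return 2
    fi
    ts_orig=$(get_mode "$ts_store") || return 2
    chmod 644 "$ts_store" || return 2

    # Capture the status without letting 'set -e' abort before the restore.
    ts_rc=0
    "$@" || ts_rc=$?

    if ! chmod "$ts_orig" "$ts_store"; then
        echo "WARNING: could not restore mode $ts_orig on $ts_store" >&2
        return 3
    fi
    return "$ts_rc"
}

# Example call (the installer command is a placeholder):
#   with_writable_truststore "$JAVA_HOME/lib/security/cacerts" ./install-am.sh
```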

Identity and data store scaling limitations

The connection strings to the data or identity stores are static and not hot-swappable. This means that, if you expand or contract your DS affinity deployment, AM will not detect the change. To work around this, either:

  • Manually add or remove the instances from the connection string and restart AM or the container where it runs.

  • Configure a DS proxy in front of the DS instances to distribute data across multiple DS shards, and configure the proxy’s URL in the connection string.

SAML v2.0 UI limitations

The UI supports SAML v2.0 IDP and SP entities only. After upgrade, entities that do not have IDP or SP roles will be listed, but cannot be inspected or edited using the UI. An error will display in the UI when trying to access these entities.

Entities that contain roles other than IDP and/or SP will only display the IDP and/or SP roles.

Web Authentication (WebAuthn) limitations

AM 7.2 does not support the following functionality, as described in the Web Authentication specification:


For more information about Web Authentication, see MFA: Web Authentication (WebAuthn).

RADIUS service only supports commons audit logging

The RADIUS service only supports Commons Audit Logging and cannot use the older Logging Service, available in releases prior to OpenAM 13.0.0.

AM admin UI access requires the Realm Admin privilege

In this version of AM, administrators can use the AM admin UI as follows:

  • Delegated administrators with the Realm Admin privilege can access full AM admin UI functionality within the realms they can administer. In addition, delegated administrators in the Top Level Realm who have this privilege can access AM’s global configuration.

  • Administrators with lesser privileges, such as the Policy Admin privilege, cannot access the AM admin UI.

  • The top-level administrator, such as amAdmin, has access to full AM admin UI functionality in all realms and can access AM’s global configuration.

Specifying keys in JWT headers is not supported

AM ignores keys specified in JWT headers, such as `jku` and `jwe`. Configure the public keys/certificates in AM instead, as explained in the relevant sections of the documentation.

Different AM versions within a site

Different AM versions within a site are not supported. Do not run different versions of AM together in the same AM site.

Special characters in policy, application, or referral names

Do not use special characters in policy, application, or referral names (for example, "my+referral"). AM returns a 400 Bad Request error. The special characters are: double quotes ("), plus sign (+), comma (,), less than (<), equals (=), greater than (>), backslash (\), and null (\u0000). (OPENAM-5262)

XACML policy import and export from different vendors

AM can only import XACML 3.0 files that were either created by an AM instance, or that have had minor manual modifications, due to the reuse of some XACML 3.0 parameters for non-standard information.

UMA limitations

UMA is not currently supported in the Platform End User UI.

Copyright © 2010-2023 ForgeRock, all rights reserved.