What's New

This chapter covers the new features and improvements made in the current release of ForgeRock Access Management.

Release Dates
AM 7.0.2 2021-05-27
AM 7.0.1 2020-11-04
AM 7 2020-08-30

Patch Releases

ForgeRock periodically issues patch releases with important fixes to bugs. Patch releases focus solely on fixing existing bugs, and improve the functionality, performance, and security of your deployment.

Despite our efforts to ensure patch releases contain no changes that impact existing functionality, some security-related fixes may include breaking changes. Always review the release notes before upgrading to a patch release.

Patches can be deployed as an initial deployment or used to upgrade from an existing version (see Supported Upgrade Paths).

  • AM 7.0.2 is the latest release targeted for AM 7 deployments. Download it from the ForgeRock Backstage website.

New Features

What's New in AM 7.0.2
  • No new features have been added in this release.

What's New in AM 7.0.1
  • No new features have been added in this release.

What's New in AM 7

ForgeRock Access Management 7 is a major release that introduces new features, functional enhancements, and fixes.

  • Added OAuth 2.0 Mutual TLS (mTLS) Support

    AM 7 adds support for draft 12 of the OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens specification, a key component of ForgeRock's Open Banking and Revised Payment Services Directive (PSD2) support.

    For information about authenticating an OAuth 2.0 client using mTLS certificates, see "Authenticating Clients Using Mutual TLS".

    For information about issuing certificate-bound OAuth 2.0 access tokens, see "Certificate-Bound Proof-of-Possession".

  • Added OAuth 2.0 Access Token Modification Scripts

    AM 7 adds support for scripting the modification of issued OAuth 2.0 access tokens. You can add properties to the access token, for example values taken from the resource owner's profile such as telephone number or email address.

    For information, see Modifying the Content of Access Tokens.

  • Added OpenID Connect Authentication Node

    AM 7 introduces an OpenID Connect authentication node, for authenticating users from an OpenID Connect-compliant identity provider.

    For more information about the OpenID Connect authentication node, see OpenID Connect Node.

  • Added OpenID Connect Client Initiated Backchannel Authentication (CIBA) Support

    AM 7 introduces support for CIBA, which allows a client application, known as the consumption device, to obtain authentication, and consent from a user without requiring the user to interact with it directly.

    Instead, the user authenticates and consents to the operation using a separate, "decoupled" device, known as the authentication device. For example, an authenticator application, or a mobile banking application on their mobile phone.

    For more information, see "Backchannel Request Grant".

  • New Extension Point to Customize Public Key ID (kid)

    By default, AM generates a key ID (kid) for each public key exposed in the jwk_uri URI when AM is configured as an OAuth 2.0 authorization server.

    AM 7 introduces a new extension point, KeyStoreKeyIdProvider, to customize the key ID values associated with public keys stored in keystore secret stores.

    For more information, see "Customizing Public Key IDs".

  • SAML v2.0 Changes and Improvements

    AM 7 introduces a new user interface for managing SAML v2.0 entities, and circles of trust. For more details, see Configuring IDPs, SPs, and CoTs.

    The UI is backed by new /federation and /saml2 REST endpoints, for programmatically creating and managing SAML v2.0 deployments. The endpoints are documented in the REST API Explorer.

    The new UI supports SAML v2.0 IDP and SP entities only. After upgrade, entities that do not have IDP or SP roles will be listed, but cannot be inspected or edited using the UI. An error will display in the UI when trying to access these entities.

    Entities containing roles other than IDP and/or SP will only display the IDP and/or SP roles.

    In addition, SAML v2.0 signing and encryption now uses AM's secret stores functionality. AM upgrades SAML v2.0 Service Configurations from previous versions to use secret stores in AM 7. The service itself is no longer required, and is deleted by the upgrade process once the configuration has been migrated. The global service still remains, though.

    For more details, see Signing and Encryption.

    As part of this change, the way metadata is stored and generated by AM has changed. For example:

    • Encryption algorithms in the standard metadata are now part of the extended metadata.

    • Key descriptor elements have been removed from the standard metadata.

    • Attributes related to signing and encryption have been removed from the extended metadata.

    • The Secret ID Identifier property has been added to the extended metadata.

    The exported metadata remains unchanged. You do not need to share the metadata of your providers again due to the changes previously explained.

    Moreover, AM 7 introduces another change as part of hardening the security around the SAML v2.0 implementation. When AM acts as the hosted service provider, the scheme, FQDN, and port of the URLs specified in the Assertion Consumer Service must exactly match those of the service provider as they appear in its metadata.

    To determine the service provider's endpoint URL, AM uses the Base URL service, if configured.

    If the URL does not match, the SAML v2.0 flow will fail and AM will log Invalid Assertion Consumer Location specified in the audit log file.

  • New REST-based Method for Configuring CORS Support

    AM 7 introduces a new REST endpoint, /global-config/services/CorsService, for configuring how to handle cross-origin resource sharing (CORS).

    Clients and applications can use the endpoints to configure their own CORS requirements, without having to restart AM or the container in which it runs.

    For more information, see "Configuring CORS Support".

  • Added Suspended Authentication Support

    AM 7 introduces support for suspending an authentication tree, and saving any input made so far. The user is sent a URL, sometimes referred to as a magic link, which lets them resume from where they left off, perhaps after closing the browser, in a different browser, or even on a different device.

    For more information, see Suspended Authentication.

  • Added SameSite Cookie Support

    AM 7 adds support for applying SameSite cookie rules, as per internet-draft Cookies: HTTP State Management Mechanism.

    For more information, see Securing Network Communication.

    As part of this change, AM 7 also introduces a filter in its application description file (web.xml) that sets the Secure flag on the cookies AM produces if any of the following is true:

    • The request comes in through a connection marked as secure. For example, because you have marked an HTTP connector as secure in Tomcat.

    • The request comes in through an HTTPS connector.

    Automatically promoting cookies to secure ensures that the functionality continues to work with the SameSite changes, because you can only opt out of SameSite if a cookie is marked as secure.

    To ensure that non-secure requests are load-balanced correctly, the amlbcookie cookie is already excluded by default. If you are using a custom cookie for sticky load balancing, you may want to add it to the list of excluded cookies.

    For more information, see "Managing the Secure Cookie Filter".

  • Added Identity Gateway Agents

    AM 7 adds support for creating Identity Gateway Agents, which configure credentials used by Identity Gateway when making policy evaluation calls, and when registering to receive session and policy configuration notifications over the Web Sockets protocol.

    For more information, see Setting Up AM in the IG Gateway Guide.

  • Added Failover and Affinity Support to External Policy and Application Stores

    AM 7 adds support for both failover and affinity deployments of external policy and application stores. Previously you could only specify a single directory server instance, making it a single point of failure.

    For information, see "Setting Up Policy and Application Stores".

  • OAuth 2.0 Dynamic Client Registration Management Protocol (RFC7592) Fully Supported

    AM 7 adds support for OAuth 2.0/OpenID Connect clients to edit and delete their client profile data as per RFC7592.

    Earlier versions of AM offered support for read operations only.

    For more information, see "Dynamic Client Registration Management".

  • Added Support for the id_token_hint Parameter on the OAuth 2.0/OpenID Connect Authorization Endpoint

    AM 7 adds support for client relying parties to use the id_token_hint parameter in their request to the authorization endpoint as a hint about the end user's session. AM uses the ID token to verify whether the end user specified on it has a valid session in AM.

    As part of this change, the authorization endpoint supports the new none response type.

    For more information, see "/oauth2/authorize" and "Retrieving Session State without the Check Session Endpoint".

  • Added Support for Debug Logging with Logback

    AM 7 adds support for configuring debug logging by using Logback.

    Functionality provided by Logback can now easily be applied to the debug logging output of AM, for example log file rotation, and file compression.

    For more information, see Debug Logging.

  • Added Support for the JWT Profile for OAuth 2.0 Authorization Grant

    AM 7 adds support for the JWT profile for OAuth 2.0 Authorization Grant, defined in the RFC 7523 specification.

    As part of this feature, AM includes a new agent of the type Trusted JWT Issuer.

    For more information, see "JWT Profile for OAuth 2.0 Authorization Grant".

  • Added Support for Wildcards in OAuth 2.0 Redirection URI Ports

    AM 7 allows the use of wildcards (*) in the redirection URI port to match one or more ports.

    This feature requires that the host in the redirection URI is localhost, 127.0.0.1, or ::1. For example, http://localhost:*/, http://127.0.0.1:*/, or http://[::1]:*.

    For more information, see the Allow wildcard ports in redirection URIs property in Core Properties.
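The loopback-only wildcard port rule, as an added example in Python (not AM's code). It assumes that scheme, host, and path must match exactly and that only the port may be wildcarded; the hosts come from the list above.

```python
from urllib.parse import urlsplit

# Loopback hosts for which a wildcard port is permitted, as listed on this page.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _split_host_port(netloc: str):
    """Split 'host:port', '[v6]:port' or a bare host into (host, port-or-None).
    Done by hand because urlsplit().port rejects the '*' wildcard."""
    if netloc.startswith("["):                       # bracketed IPv6 literal
        host, _, rest = netloc[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else None
        return host.lower(), port
    host, sep, port = netloc.rpartition(":")
    if not sep:
        return netloc.lower(), None
    return host.lower(), port


def is_valid_registered_uri(uri: str) -> bool:
    """Registration-time check: a '*' port is accepted only for loopback hosts,
    so a wildcard can never widen a redirection target on a public host."""
    host, port = _split_host_port(urlsplit(uri).netloc)
    if port == "*":
        return host in LOOPBACK_HOSTS
    return port is None or port.isdigit()


def redirect_uri_matches(registered: str, requested: str,
                         allow_wildcard_ports: bool = True) -> bool:
    """Authorization-time check (assumed rule): scheme, host and path must match
    exactly; the port must match exactly unless the registered port is '*', the
    host is loopback, and the wildcard feature is enabled."""
    r, q = urlsplit(registered), urlsplit(requested)
    rhost, rport = _split_host_port(r.netloc)
    qhost, qport = _split_host_port(q.netloc)
    if (r.scheme, rhost, r.path) != (q.scheme, qhost, q.path) or q.fragment:
        return False
    if rport == "*":
        return (allow_wildcard_ports and rhost in LOOPBACK_HOSTS
                and qport is not None and qport.isdigit())
    return rport == qport
```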

  • Added Support for the JWT Response for OAuth Token Introspection Internet Draft

    AM 7 adds support for clients to configure whether the token introspection endpoint should return its response in JSON format or as a JWT, as per the JWT Response for OAuth Token Introspection Internet Draft.

    This new feature includes a new drop-down menu to choose the endpoint's output format, as well as several new parameters to configure whether the JWT should be signed, or signed and encrypted.

    By default, even after an upgrade, clients are configured to receive the output in JSON format.

    For more information, see "/oauth2/introspect".

  • Added New Session Property Whitelist Setting

    AM 7 introduces a new session property whitelist setting, Session Properties to return for session queries.

    This setting shows a list of properties that can be returned to admins in a REST session query response.

    For more information about the session property whitelist settings, see "Session Property Whitelist Service".

  • Added Support for Macaroons

    AM 7 adds support for a new token format called Macaroons, which can be used when issuing OAuth 2.0 access and refresh tokens.

    Macaroons allow caveats to be appended to them, which restrict how a token can be used. Macaroons provide additional security, as tokens can be restricted just before use. For example, you can add a 5-second expiry time to a macaroon access token before sending it to an API, or bind it to a TLS client certificate before use.

    As part of this change, AM has added a new endpoint which can be used to inspect and manipulate macaroons. This endpoint is available under /json/tokens/macaroon.

    For more information, see Macaroons as Access and Refresh Tokens.
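The caveat mechanism described above, as an added example in Python. It is a minimal first-party-caveat macaroon (HMAC-SHA256 chain), not AM's implementation or its /json/tokens/macaroon endpoint; the root key, token identifier, clock value, and certificate thumbprint are constructed sample values.

```python
import base64
import hashlib
import hmac
import json


def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def mint(root_key: bytes, identifier: str, location: str) -> dict:
    """Issuer side (the authorization server): the initial signature is
    HMAC(root_key, identifier). Only the issuer ever holds root_key."""
    return {"location": location, "identifier": identifier, "caveats": [],
            "signature": _mac(root_key, identifier.encode())}


def add_caveat(macaroon: dict, predicate: str) -> dict:
    """Any holder can append a caveat without the root key: the new signature is
    HMAC(previous signature, predicate). A holder can therefore only narrow the
    token, and a caveat cannot be removed later without breaking the chain."""
    return {**macaroon,
            "caveats": macaroon["caveats"] + [predicate],
            "signature": _mac(macaroon["signature"], predicate.encode())}


def serialize(macaroon: dict) -> str:
    doc = {**macaroon, "signature": macaroon["signature"].hex()}
    return base64.urlsafe_b64encode(json.dumps(doc).encode()).decode().rstrip("=")


def deserialize(token: str) -> dict:
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    doc = json.loads(raw)
    doc["signature"] = bytes.fromhex(doc["signature"])
    return doc


def caveat_holds(predicate: str, ctx: dict) -> bool:
    """Evaluate one caveat against the request context. Unknown caveats fail closed."""
    parts = predicate.split(" ", 2)
    if len(parts) != 3:
        return False
    name, op, value = parts
    if name == "time" and op == "<":            # absolute expiry, seconds since the epoch
        return value.isdigit() and ctx["now"] < int(value)
    if name == "x5t#S256" and op == "=":         # bound to the TLS client certificate thumbprint
        return hmac.compare_digest(ctx.get("cert_thumbprint", ""), value)
    return False


def verify(root_key: bytes, macaroon: dict, ctx: dict) -> bool:
    """Resource server side: recompute the HMAC chain from the root key and require
    every caveat to hold. A stripped, reordered, or forged caveat breaks the chain."""
    sig = _mac(root_key, macaroon["identifier"].encode())
    for predicate in macaroon["caveats"]:
        if not caveat_holds(predicate, ctx):
            return False
        sig = _mac(sig, predicate.encode())
    return hmac.compare_digest(sig, macaroon["signature"])


def demo() -> dict:
    root_key = b"constructed-root-key-kept-only-by-the-issuer"     # constructed sample
    now = 1_700_000_000                                            # constructed clock
    token = mint(root_key, "access-token-0001", "https://am.example.com")  # constructed
    short_lived = add_caveat(token, f"time < {now + 5}")            # 5-second expiry before use
    bound = add_caveat(short_lived, "x5t#S256 = abc123")            # constructed thumbprint
    wire = serialize(bound)                                         # what the API would receive
    stripped = {**bound, "caveats": bound["caveats"][:1]}           # a caveat removed after signing
    return {
        "short_lived_ok": verify(root_key, short_lived, {"now": now}),
        "short_lived_expired": verify(root_key, short_lived, {"now": now + 10}),
        "bound_ok": verify(root_key, deserialize(wire), {"now": now, "cert_thumbprint": "abc123"}),
        "bound_wrong_cert": verify(root_key, bound, {"now": now, "cert_thumbprint": "zzz"}),
        "caveat_stripped": verify(root_key, stripped, {"now": now}),
    }
```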

  • Added New Common Federation Configuration Settings

    AM 7 introduces the following Common Federation Configuration settings:

    • AES Key Wrap Algorithm, which enables you to set which AES key wrap algorithm to use when the remote entity provider does not specify which key wrap algorithm it supports.

    • RSA Key Transport Algorithm, which enables you to set which RSA key transport algorithm to use when the remote entity provider does not specify which key transport algorithm it supports.

    For more information about the Common Federation Configuration settings, see "Common Federation Configuration".

  • New Device Nodes Added for ForgeRock SDK Support

    AM 7 introduces a number of new nodes for profiling devices when using the ForgeRock SDKs:

  • New Authentication Nodes Added

    AM 7 introduces the following authentication nodes:

    "Anonymous Session Upgrade Node"

    Lets anonymous users upgrade their session to a non-anonymous one.

    "Kerberos Node"

    Enables Windows desktop single sign-on, so that a user who has already authenticated with a Kerberos Key Distribution Center can authenticate to AM without having to provide the login information again.

    "SAML2 Authentication Node"

    (Previously in Marketplace) Lets you integrate SAML v2.0 SSO into an AM authentication tree. Use it when deploying SAML v2.0 single sign-on in integrated mode (SP-initiated SSO only).

    "Write Federation Information Node"

    (Previously in Marketplace) Creates a persistent link between a remote IdP account and a local account in the SP, if none exists yet. If a transient link exists, it is persisted. Existing account links with different IdPs are not lost.

    "CAPTCHA Node"

    Implements Google's and hCaptcha's CAPTCHA widgets.

    "WebAuthn Device Storage Node"

    Lets you save FIDO2 device data to a profile after having first captured and analyzed the information; for example, with a Scripted Decision node.

    "Certificate Collector Node"

    (Previously in Marketplace) Collects an X.509 digital certificate from the user that is authenticating, so that AM can use it in place of other types of credentials.

    "Certificate Validation Node"

    (Previously in Marketplace) Validates a digital X.509 certificate collected by the "Certificate Collector Node".

    "Certificate User Extractor Node"

    (Previously in Marketplace) Extracts a value from the certificate collected by the "Certificate Collector Node", and searches for it in the identity store.

    "Authenticate Thing Node"

    Authenticates an IoT thing.

    "Register Thing Node"

    Registers an IoT thing.

  • Added Local Storage Support for SAML v2.0 Single Sign-on

    AM 7 stores SAML v2.0 single sign-on progress as client-side data when using web browsers that support local storage, removing the need to use sticky load balancing.

    For more information, see "Session State Considerations".

  • Added Endpoint to Get Session Information and Also Reset Idle Timeout

    AM 7 includes a new getSessionInfoAndResetIdleTime endpoint that resets the idle timeout when obtaining information about a session. The existing getSessionInfo endpoint does not reset the idle timeout.

    For more information, see "Obtaining Information About Sessions Using REST".

  • Added a DevOps-friendly Way of Changing the Password of the amAdmin User

    AM 7 includes a DevOps-friendly way of changing the password of the amAdmin user based on the secret stores API.

    For more information, see "Changing the amAdmin Password (Secret Stores)".

  • Added Recursive OAuth 2.0 Introspection Scope

    AM 7 adds the am-introspect-all-tokens-any-realm scope, which lets a client introspect tokens issued to other clients, as long as they are registered in the realm of the introspecting client, or in a subrealm of it.

    For more information, see "Special Scopes".

  • New Method to Retrieve Data from Authentication Trees' Shared State

    AM 7 introduces a new tree shared state called the secure state. In cases where a node needs to process sensitive information later on in the authentication flow, AM promotes the data stored in the transientState object to the secureState object and encrypts it with the key stored in the new am.authn.trees.transientstate.encryption secret ID.

    What is affected by this new feature?

    • The introduction of the am.authn.trees.transientstate.encryption secret ID requires that you make available an AES 256-bit key called directenctest to your environment before upgrading to AM 7, if one is not already available.

      Failure to do so will result in AM not starting up after upgrade, and the following error will show in the logs:

      Unknown key aliases in configuration: directenctest

      For more information, see Upgrading AM Instances.

      On new installations, ensure that you change the default alias mapped to this secret ID, and that it is always mapped to an existing, resolvable secret. Failure to do so may result in trees not working as expected.

    • The introduction of this new state has changed the way you should retrieve data from the shared state when coding your authentication nodes. Instead of using the context.sharedState.get() or context.transientState.get() methods, use the context.getState() method.

      For a given variable, the context.getState() method tries to retrieve data from the different states in the following order:

      1. sharedState

      2. transientState

      3. secureState

      This change also affects Scripted Decision Node scripts.

      For more information, see "Storing Values in Shared Tree State".

  • New Google KMS Secret Store

    AM 7 lets you map secrets retrieved from the Google Cloud Key Management Service (KMS) for any feature in AM that supports secret stores.

    Support includes:

    • Mapping Google Cloud KMS secrets to secret IDs used for signing and verification purposes. Using Google Cloud KMS secrets as mappings for encryption and decryption secret IDs is not supported.

    • Using a Google Cloud KMS secret to decrypt secrets loaded using other secret stores, or to decrypt the hashed password of the amAdmin user.

    For more information, see "Google KMS Secret Stores".

  • Added ForgeRock Go Usernameless Web Authentication

    With ForgeRock Go, you can create a secure and seamless login experience by authenticating with any credential on the user’s device that supports FIDO2 WebAuthn.

    You can also extend passwordless authentication to include usernameless authentication with popular authenticators that support resident keys; for example, Windows Hello (biometric authenticators).

    For information, see "Configuring Usernameless Authentication with ForgeRock Go".

  • Added Support for Web Authentication Trust Anchors and TPM

    AM 7 adds support for verifying the attestation data provided by FIDO2 devices against certificate chains issued by the device vendor.

    The TPM attestation format is now supported.

    You can also enable revocation checking, if the certificate chains contain CRL or OCSP entries.

    For information, see "Configuring WebAuthn Trust Anchors".

  • New Account Active Check Authentication Module

    AM 7 includes a new Account Active Check authentication module, which lets you determine whether an account is marked as active, or locked, without having to run through the remainder of the authentication chain.

    For more details, see "Account Active Check Module".

Major Improvements

Improvements in AM 7.0.2
  • Improved Workflow for Adding Servers to Existing Deployments

    A new option is available when installing an AM instance which lets you choose whether the instance is standalone, or part of an existing deployment.

    For more information, see "To Add a Server to a Site".

  • The JWK URI Endpoint Can Now Return Duplicate Key IDs

    Earlier versions of AM removed the alg parameter from the keys returned by the jwk_uri endpoint.

    Removing the alg parameter ensures that each key ID (kid) exposed by the endpoint matches a unique key, as recommended by the RFC7517 specification.

    AM 7.0.2 includes a toggle, Include all kty and alg combinations in jwk_uri, that lets the endpoint display duplicate key IDs with their corresponding alg and kty parameters.

    The toggle property is disabled by default.

    For more information, see "Displaying Every Algorithm and Key Type Associated to a Key ID".

  • Changes to the Retry Limit Decision Node

    The "Retry Limit Decision Node" can now persist the number of failed login attempts in the identity store between successful authentications.

    To support this change, the following LDIF schema files have been updated:

    • ad_user_schema.ldif

    • adam_user_schema.ldif

    • odsee_user_schema.ldif

    • opendj_remove_user_schema.ldif

    • opendj_user_schema.ldif

    • tivoli_user_schema.ldif

    Moreover, a new file, opendj_retry_limit_node_count.ldif, has been added to the AM deliverables, and the DS identity setup profile has been updated.

    The new functionality is not enabled by default since it requires schema changes to the identity store, but ForgeRock recommends that you enable it to harden the security around this node.

    To enable it, apply the schema changes in the opendj_retry_limit_node_count.ldif file to the identity store first, and then reconfigure the "Retry Limit Decision Node".

    To update the identity store schema for the Retry Limit Decision Node, perform the following steps:

    1. Change directories to the path where you deployed the openam.war file. For example, /path/to/tomcat/webapps/openam.

    2. Locate the opendj_retry_limit_node_count.ldif file in the WEB-INF/template/ldif/opendj path.

    3. Update the identity store schema using the LDIF file. For example:

      $ /path/to/opendj/bin/ldapmodify \
        --hostname 'id.example.com' \
        --port 1636 \
        --useSsl \
        --usePkcs12TrustStore /path/to/opendj/config/keystore \
        --trustStorePasswordFile /path/to/opendj/config/keystore.pin \
        --continueOnError \
        --bindDN uid=admin \
        --bindPassword str0ngAdm1nPa55word \
        /path/to/tomcat/webapps/openam/WEB-INF/template/ldif/opendj/opendj_retry_limit_node_count.ldif

      Now you are ready to enable the Save Retry Limit to User switch in the "Retry Limit Decision Node".

Improvements in AM 7.0.1
  • No major improvements have been added in this release.

Improvements in AM 7
  • OAuth 2.0/OpenID Connect 1.0

    • Authentication Trees Supported as Authentication Method for Resource Owner Password Credentials Flow

      In earlier versions of AM, only authentication chains could be used to authenticate the credentials of a user during the resource owner password credentials OAuth 2.0 grant flow.

      In AM 7, you can use either a tree or a chain to authenticate a resource owner's credentials.

      You can specify the chain or tree by using any of the following methods:

      • Globally, for all realms, by navigating to Configure > Authentication > Core Attributes > Core, and setting the Organization Authentication Configuration property.

      • Individually for a realm, by navigating to Realms > Realm Name > Authentication > Settings > Core, and setting the Organization Authentication Configuration property.

      • Individually for a realm, overriding the realm-level setting above, by navigating to Realms > Realm Name > Services > OAuth2 Provider > Advanced, and setting the Password Grant Authentication Service property.

      • For a specific access token REST request, by setting the auth_chain parameter.

      For more information, see "Resource Owner Password Credentials Grant".

    • Client Certificate Revocation Check Added for OAuth 2.0 Mutual TLS Client Authentication

      AM 7 adds new settings to check whether client certificates have been revoked when mutual TLS is configured as an OAuth 2.0 client authentication method.

      For more information, see "Mutual TLS Using Public Key Infrastructure".

    • Additional Trusted Header Formats Added for OAuth 2.0 Mutual TLS Client Authentication

      Earlier versions of AM supported receiving client certificates in raw PEM-encoded format for OAuth 2.0 mutual TLS, when SSL is terminated at a reverse proxy or load balancer.

      AM 7 adds support for receiving PEM-encoded certificates in the following formats:

      • URL-encoded, for compatibility with the NGINX $ssl_client_escaped_cert variable.

      • URL-encoded, and included as one field in a multi-field header, for compatibility with the Envoy x-forwarded-client-cert header.

      The Certificate authentication module now also supports PEM-encoded certificates that are also URL-encoded, for compatibility with NGINX. The multi-field format of the Envoy header is not supported by the module.

      For more information, see "Providing Client Certificates to AM".
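The three trusted-header formats named above (raw PEM, URL-encoded PEM, and the Envoy multi-field x-forwarded-client-cert header), handled by one extraction routine. This is an added example, not AM's parser; the certificate body is a constructed stub rather than a real certificate, and treating the last XFCC element as the hop nearest to AM is an assumption.

```python
import base64
import binascii
from typing import Dict, List, Optional
from urllib.parse import quote, unquote

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed sample: a tiny DER SEQUENCE standing in for a certificate body (not a real cert).
FAKE_DER = bytes.fromhex("30060201010500")
SAMPLE_PEM = f"{PEM_BEGIN}\n{base64.b64encode(FAKE_DER).decode()}\n{PEM_END}\n"
NGINX_HEADER = quote(SAMPLE_PEM, safe="")            # shape of $ssl_client_escaped_cert
ENVOY_HEADER = ('By=spiffe://mesh/am;Hash=0123abcd;Subject="CN=client,O=Example";'
                f'Cert="{quote(SAMPLE_PEM, safe="")}";URI=spiffe://mesh/client')


def _split_outside_quotes(text: str, sep: str) -> List[str]:
    """Split on sep, ignoring separators that sit inside double-quoted values."""
    parts, current, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        elif ch == sep and not quoted:
            parts.append("".join(current))
            current = []
            continue
        current.append(ch)
    parts.append("".join(current))
    return [p for p in parts if p]


def parse_xfcc(header: str) -> List[Dict[str, str]]:
    """Parse an Envoy x-forwarded-client-cert header: one comma-separated element per
    proxy hop, each a semicolon-separated list of Key=Value pairs. Values containing
    ',', ';' or '=' are double-quoted; Cert and Chain values are URL-encoded PEM."""
    elements = []
    for element in _split_outside_quotes(header, ","):
        fields: Dict[str, str] = {}
        for pair in _split_outside_quotes(element, ";"):
            key, sep, value = pair.partition("=")
            if not sep:
                continue
            key, value = key.strip(), value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            fields[key] = unquote(value) if key in ("Cert", "Chain") else value
        elements.append(fields)
    return elements


def _pem_body(pem: str) -> Optional[bytes]:
    start, end = pem.find(PEM_BEGIN), pem.find(PEM_END)
    if start < 0 or end < start:
        return None
    body = "".join(pem[start + len(PEM_BEGIN):end].split())
    try:
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None


def pem_looks_valid(pem: str) -> bool:
    """Structural check only: the body must be base64 and start with a DER SEQUENCE.
    Chain and revocation checks belong to the certificate validation step, not here."""
    der = _pem_body(pem)
    return bool(der) and der[0] == 0x30


def extract_client_cert_pem(header_value: str) -> Optional[str]:
    """Return a normalised PEM from any of the three trusted-header formats, or None
    when no well-formed certificate is present (fail closed)."""
    xfcc_certs = [e["Cert"] for e in parse_xfcc(header_value) if "Cert" in e]
    if xfcc_certs:
        candidate = xfcc_certs[-1]                 # assumed: last element is the nearest hop
    elif PEM_BEGIN in header_value:
        candidate = header_value                   # raw PEM, as accepted by earlier AM versions
    else:
        candidate = unquote(header_value)          # NGINX-style URL-encoded PEM
    start, end = candidate.find(PEM_BEGIN), candidate.find(PEM_END)
    if start < 0 or end < start:
        return None
    block = candidate[start:end + len(PEM_END)]
    pem = "\n".join(line.strip() for line in block.splitlines() if line.strip())
    return pem if pem_looks_valid(pem) else None
```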

  • Authentication Nodes Reorganized into Categories and Filtering Support Added

    The number of authentication nodes available for creating intelligent authentication trees in AM 7 has increased considerably. To aid in creating authentication trees, authentication nodes are now organized into categories. Also, each node has a number of tags used for filtering, including synonyms and other keywords, to help locate the correct node for the job.

    When creating your own nodes, you can add tags to the meta data to include them in an existing category, and to help administrators locate your node.

    For more information, see "To Create an Authentication Tree" and "The Meta Data Annotation".

  • Transactional Authorization Can Return HTTP 401 Messages on Authentication Failure

    In earlier versions of AM, a transactional authorization advice that failed due to invalid credentials always returned an HTTP 200 message.

    Then, the user would be redirected to the protected resource, where policy evaluation would fail.

    AM 7 introduces a new advanced server property to control whether transactional authorization should return an HTTP 200 or an HTTP 401 message depending on the needs of your environment.

    In both cases, users cannot access the protected resources when they fail to complete the required actions during transactional authorization.

    For more information, see the org.forgerock.openam.auth.transactionauth.returnErrorOnAuthFailure advanced server property.

  • Custom Authentication Nodes Can Set Custom Error Messages Returned on Authentication Failure

    A new errorMessage property has been added to the Action interface. The property allows a custom error string to be set, or updated, by a node. The error message is included in the JSON response sent when an authentication tree reaches the Failure node.

    For more information, see "The Action Interface".

  • Scripted Authentication Nodes Can Access Additional Functionality

    AM 7 adds support for the scripted authentication node to use callbacks, and additional features, such as access to transientState.

    For more information, see "Scripted Decision Node API Functionality".

  • Relaxed Restrictions for SAML v2.0 with Client-based Sessions

    The restriction against implementing SAML v2.0 single sign-on (SSO) and single logout (SLO) when running AM with client-based sessions has been updated. For more information, see "Session State Considerations".

  • Added Support for Affinity-based Deployments of ForgeRock Directory Services Identity Stores

    AM 7 adds support for identity stores to be configured as an affinity deployment, in the same way as CTS, application, and policy stores.

    Specify each of the directory server instances that form the affinity deployment in the LDAP Server field, when configuring identity stores.

    In an affinity-based deployment, the Directory Services instance used for each operation is based on the DN of the identity involved.

    For more information, see Directory Services Configuration Properties.

  • JMS Audit Logging Batch Configuration has Changed

    The batch configuration for the JMS audit handler has changed to support reconnection if the broker becomes unavailable.

    This change renames the batch.pollTimeoutSec setting to batch.writeInterval, and removes the following settings:

    • batch.batchEnabled

    • batch.insertTimeoutSec

    • batch.shutdownTimeoutSec

    • batch.threadCount

    For more information, see Setting Up Audit Logging.

  • New LDAP Decision Node Outcome

    AM 7 includes a new Cancelled outcome for the LDAP Decision Node.

    If a password policy forces a user to change their password on first login when using the LDAP Decision Node, the user is sent to a password change screen where they must enter their current password, new password, and new password confirmation. If the user cancels this form, the tree evaluation continues along the Cancelled outcome path and the authentication will fail.

    For more information, see "LDAP Decision Node".

  • Delegated Administrators Have Read-Only Access to Other Users' Devices

    AM 7 adds support for delegated administrators to have read access to other users' device details, by using the devices REST endpoint.

    For information on delegating admin access, see "To Delegate Privileges".

  • Improvements to the CORS Service

    AM 7 adds a user interface to the existing REST interface for configuring CORS configurations.

    You can also now add JavaScript origins directly in OAuth 2.0 clients, rather than having to manually add CORS configuration for them.

    For more information, see "Configuring CORS Support".

  • Improvements for Registering ID Repo Plugins by Using Annotations

    AM 7 includes a new method for registering your custom ID repo plugins, without having to use the ssoadm command.

    For more information on the new @IdRepoConfig annotation, see "Identity Repository Plugin Deployment".

  • Scripted Decision Nodes Can Now Access the Identity Store

    AM 7 improves the scripted decision node by giving it access to the identity store.

    Now you can look up profile attributes and use them elsewhere in your authentication trees.

    For more details, see "Scripted Decision Node API Functionality".

  • New External Login Page URL Property

    AM 7 includes a new External Login Page URL property in the Authentication Service. It specifies the URL of the external login user interface, if the authentication user interface is hosted separately from AM.

    You can specify the external login page URL by using either of the following methods:

    • Globally, for all realms, by navigating to Configure > Authentication > Core Attributes > General, and setting the External Login Page URL property.

    • Individually for a realm, by navigating to Realms > Realm Name > Authentication > Settings > General, and setting the External Login Page URL property.

    For more information, see General.

  • Changes to Web and Java Agents Profiles

    • Several properties that used to be configured as custom properties (com.sun.identity.agents.config.freeformproperties) have been added as regular properties.

      During upgrade, the process checks the custom properties configured for each agent profile and converts the properties to their regular counterparts, as appropriate.

      Avoid configuring properties twice. Java Agents of any version and Web Agents 5.6.3 or later honor the configuration of the advanced properties over that of the regular properties.

      (Web Agents earlier than 5.6.3) Upgrading to AM 7 will overwrite the value of the original custom properties with the default value of the new UI properties.

      To work around this issue, perform one of the following actions:

      • Upgrade to Web Agents 5.6.3 or later before upgrading to AM 7.

      • After upgrading to AM 7, reconfigure the properties that you configured as custom properties in their new UI counterparts.

    • Several deprecated properties have been removed from the profile:

    • Several properties have been renamed:

      • The Realm property is now Policy Evaluation Realm.

      • The Application property is now Policy Set.

      • (Java Agents only) The Policy Client Polling Interval property is now Policy Cache TTL.

      • (Java Agents only) The PDP Cache TTL in Minutes property is now PDP Cache TTL in Milliseconds.

      • (Java Agents only) The Not-Enforced IP Invert List property is now Invert Not Enforced IPs.

      • (Java Agents only) The Alternative Agent Port Name property is now Alternative Agent Port Number.

  • Improvements to the Documentation

    The AM documentation has been reorganized:

    • Some titles have been rewritten to better reflect the content.

    • Topics are split into individual pages within the book, to help organize content, and to help you locate the documentation you require when using search engines.

    • Reworked the Quick Start Guide into the Evaluation Guide. Use the new guide to quickly set up an AM deployment for evaluation purposes only.

    • Some topics are split into their own books now. For example, the information about sessions has been relocated from the Authentication and Single Sign-On Guide to the Session Guide.

      However, all security-related topics are now covered in the Security Guide. This guide will show you how to manage keystores and secrets, and how to secure realms, sessions, network connections, and others.

      The Setup and Maintenance Guide has also been split into two:

      • Follow the Setup Guide to perform tasks that you need to perform after installing AM, such as creating realms and adding external stores.

      • Read the Maintenance guide to learn about tasks and configurations you might repeat throughout the life cycle of a deployment in your organization. For example, monitoring and tuning instances.

    • Where possible, configuration reference is accessible from the relevant procedures. However, reference pertaining to global services is covered in the Reference.

  • Configuration Upgrade Tool Distributed With AM ZIP

    The AM-7.0.2.zip file now includes a configuration file upgrade tool for converting configuration files exported with the Amster command. The tool is provided in the Config-Upgrader-7.0.2.zip file, which is inside the AM-7.0.2.zip file.

Security Advisories

ForgeRock issues security advisories in collaboration with our customers and the open source community to address any security vulnerabilities transparently and rapidly. ForgeRock's security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.

For details of all the security advisories across ForgeRock products, see Security Advisories in the Knowledge Base.
