AM release notes

Changes in AM 5.5.x

SSO tokens

AM SSO session tokens are incompatible with SSO tokens from versions prior to AM 5.

CTS-based (stateful) and client-based (stateless) sessions created by earlier versions of OpenAM are not supported. After upgrading from an earlier version, any existing SSO tokens created by that version will become invalid. Users will need to reauthenticate. In mixed version deployments, earlier versions of OpenAM will not be able to read or process SSO session tokens created by AM 5 or later.

This incompatibility only affects SSO session tokens. OAuth 2.0 and OpenID Connect 1.0 tokens are interoperable between versions.


Realm paths must be absolute and include the top-level realm. DNS aliases and realms specified in the query string are no longer concatenated if used together; the query string overrides the DNS alias.

This change also impacts the user self-service feature when deployed in subrealms. For details, refer to Upgrading User Self-Service in Subrealms.

Post-authentication plugins

AM no longer maintains state in post-authentication plugins between login and logout.

Copyright © 2010-2024 ForgeRock, all rights reserved.