Changes in AM 8.0.x
Endpoint for monitoring server activity with Prometheus
To monitor server activity with Prometheus, use one of the new endpoints:
- /metrics/prometheus
  The path of this endpoint is format-agnostic, but the response payload is identical to that from the /json/metrics/prometheus endpoint. Although this endpoint is new, it is also deprecated in this release and support for its use will be removed in a future release. Move to the /metrics/prometheus/0.0.4 endpoint as soon as convenient.
- /metrics/prometheus/0.0.4
  The path of this endpoint is format-agnostic, but the response payload is slightly different to that from the /metrics/prometheus endpoint.
Learn more in Monitor with Prometheus.
Change to custom OIDC Social IDP configuration
You no longer need to specify a well-known endpoint when configuring a custom OIDC Social Identity Provider service.
If the well-known endpoint isn’t specified, AM verifies signatures using the JWK location, keystore location, or the client secret.
Changes to audit logging
- The following events have been added to the audit log:
  - AM-TREE-LOGIN-STARTED: Logged when authentication through a tree starts.
  - AM-TREE-LOGIN-COMPLETED with exception
  Learn more in the Audit logging reference.
- The org.forgerock.openam.audit.identity.activity.events.blacklist advanced server property contains a comma-separated list of audit events that won't be logged. In previous releases, you could only add the AM-ACCESS-ATTEMPT, AM-IDENTITY-CHANGE, and AM-GROUP-CHANGE events to this list. From AM 8.0, you can prevent logging of any event. Logging all events can impact performance. You should log only those events you intend to monitor.
WS-Federation com.sun.identity.wsfederation.logout.wreply URL validation
To facilitate logging out of WS-Federation and multiprotocol environments (WS-Federation communicating with SAML 2.0), you must add the URL specified in the com.sun.identity.wsfederation.logout.wreply query parameter to the Valid goto URL Resources field in the validation service. If you don't add this URL, redirection fails.
Learn more in Add a URL to the validation service.
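The reason the wreply target must be registered before redirection succeeds is that a post-logout redirect is only safe when its destination is allowlisted. The following added example (not AM's code; AM's actual matching rules for Valid goto URL Resources are not reproduced) illustrates such a check with a constructed allowlist and strict scheme, host, port and path matching:

```python
"""Illustrative allowlist check for a WS-Federation wreply redirect target.

Added example, not AM's implementation. The allowlist below stands in for
the Valid goto URL Resources field and is constructed sample data; the
matching rule (exact scheme, host, port and path) is an assumption made
for this illustration, not AM's documented behaviour.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed example allowlist of permitted post-logout destinations.
VALID_GOTO_URLS = [
    "https://sp.example.com/wsfed/logout",
    "https://portal.example.com/signout",
]


def _normalize(url):
    """Reduce a URL to (scheme, host, port, path); query and fragment are ignored."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    # parts.port raises ValueError on a malformed port; callers treat that as a reject.
    port = parts.port or {"https": 443, "http": 80}.get(scheme)
    path = parts.path or "/"
    return scheme, host, port, path


def wreply_allowed(wreply, allowlist=VALID_GOTO_URLS):
    """Return True only if wreply matches an allowlisted URL on scheme, host, port and path."""
    try:
        target = _normalize(wreply)
    except ValueError:
        return False
    # Reject scheme-relative, javascript:, data: and host-less values outright.
    if target[0] not in ("http", "https") or not target[1]:
        return False
    return any(target == _normalize(allowed) for allowed in allowlist)


def resolve_logout_redirect(request_url, fallback="https://portal.example.com/loggedout"):
    """Pick the post-logout redirect: the wreply value if allowlisted, else a safe fallback."""
    query = parse_qs(urlsplit(request_url).query)
    wreply = query.get("wreply", [None])[0]
    if wreply and wreply_allowed(wreply):
        return wreply
    return fallback
```

Lookalike hosts, userinfo tricks such as https://sp.example.com@evil.example/... and scheme-relative values all fail the check and fall back to the fixed landing page.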
Changes to LinkedIn social identity provider configuration
The OAuth 2.0 version of the LinkedIn social identity provider configuration profile is deprecated by LinkedIn. This deprecated version has been renamed to LinkedIn (Legacy).
To configure your social identity provider with the latest OIDC version of the LinkedIn profile, use the LinkedIn profile.