PingAM release notes

Changes in AM 8.0.x

AM 8.0

Endpoint for monitoring server activity with Prometheus

To monitor server activity with Prometheus, use one of the new endpoints:

  • /metrics/prometheus

    The path of this endpoint is format-agnostic, but the response payload is identical to that from the /json/metrics/prometheus endpoint.

    Although this endpoint is new, it is also deprecated in this release and support for its use will be removed in a future release. Move to the /metrics/prometheus/0.0.4 endpoint as soon as convenient.

  • /metrics/prometheus/0.0.4

    The path of this endpoint is format-agnostic, but the response payload is slightly different to that from the /metrics/prometheus endpoint.

Learn more in Monitor with Prometheus.

Change to custom OIDC Social IDP configuration

You no longer need to specify a well-known endpoint when configuring a custom OIDC Social Identity Provider service.

If the well-known endpoint isn’t specified, AM verifies signatures using the JWK location, keystore location, or the client secret.

Changes to audit logging

  • The following events have been added to the audit log:

    • AM-TREE-LOGIN-STARTED

      Logged when authentication through a tree starts.

    • AM-TREE-LOGIN-COMPLETED with exception

    Learn more in the Audit logging reference.

  • The org.forgerock.openam.audit.identity.activity.events.blacklist advanced server property contains a comma-separated list of audit events that won’t be logged. In previous releases, you could only add the AM-ACCESS-ATTEMPT, AM-IDENTITY-CHANGE, and AM-GROUP-CHANGE events to this list. From AM 8.0, you can prevent logging of any event.

    Logging all events can impact performance. You should log only those events you intend to monitor.
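Because any event can now be excluded, a proposed value for this property is worth reviewing before it is applied. The following check is an added example, not PingAM code: it parses a comma-separated blacklist and reports entries that would silence events your monitoring depends on. The sample value, the required-event set, and the function names are constructed for illustration.

```python
# Added example (not PingAM code): review a proposed value for the AM 8.0
# audit blacklist property before it is applied.
PROPERTY = "org.forgerock.openam.audit.identity.activity.events.blacklist"

# The only events earlier releases accepted on this list, per the release note.
PRE_8_0_EVENTS = {"AM-ACCESS-ATTEMPT", "AM-IDENTITY-CHANGE", "AM-GROUP-CHANGE"}


def parse_blacklist(value):
    """Split the comma-separated value; drop blanks and surrounding spaces."""
    return [item.strip() for item in value.split(",") if item.strip()]


def review_blacklist(value, required_events):
    """Report which blacklist entries would silence events you depend on.

    Names are compared upper-cased. That is an assumption made here to keep
    the review conservative, not documented AM matching behaviour.
    """
    entries = [e.upper() for e in parse_blacklist(value)]
    required = {e.upper() for e in required_events}
    unique = sorted(set(entries))
    return {
        "suppressed_required": [e for e in unique if e in required],
        "only_possible_from_8_0": [e for e in unique if e not in PRE_8_0_EVENTS],
        "duplicates": sorted({e for e in entries if entries.count(e) > 1}),
    }


if __name__ == "__main__":
    # Constructed sample value and a hypothetical detection requirement set.
    proposed = "AM-ACCESS-ATTEMPT, AM-TREE-LOGIN-STARTED ,am-group-change,,AM-ACCESS-ATTEMPT"
    detections_need = ["AM-TREE-LOGIN-STARTED", "AM-TREE-LOGIN-COMPLETED", "AM-IDENTITY-CHANGE"]
    report = review_blacklist(proposed, detections_need)
    print(f"Review of {PROPERTY}")
    for key, names in report.items():
        print(f"  {key}: {', '.join(names) or '-'}")
    # Non-zero exit lets a change pipeline block the update.
    raise SystemExit(1 if report["suppressed_required"] else 0)
```
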

WS-Federation com.sun.identity.wsfederation.logout.wreply URL validation

To facilitate logging out of WS-Federation and multiprotocol environments (WS-Federation communicating with SAML 2.0), you must add the URL specified in the com.sun.identity.wsfederation.logout.wreply query parameter to the Valid goto URL Resources field in the validation service. If you don’t add this URL, redirection fails.

Changes to LinkedIn social identity provider configuration

The OAuth 2.0 version of the LinkedIn social identity provider configuration profile is deprecated by LinkedIn. This deprecated version has been renamed to LinkedIn (Legacy).

To configure your social identity provider with the latest OIDC version of the LinkedIn profile, use the LinkedIn profile.

Copyright © 2010-2024 ForgeRock, all rights reserved.