Documentation updates

Removed instructions on using deprecated chains and modules to set up push authentication. Use authentication trees instead, as described in Push authentication journeys.

Updated the format of these release notes to list cumulative changes, instead of reflecting only the changes for the current release.

Clarified that AM truncates sequences of whitespace with a single whitespace when creating SAML v2.0 values such as entity IDs.

Removed use of deprecated with method from Scripted decision node API callbacks.

Documented new Use mixed case for password change messages property for the LDAP Decision node.

Added missing HTTP connector settings to WildFly setup instructions.

Updated information about --acceptLicense parameter in the Set up administration tools steps.

Removed access token from header in call to /oauth2/connect/endSession.

Documented how to mark configuration properties as passwords in the Node development guide.

Improved documentation for dynamic client registration.

Improved description of the Transformation Script field for the Social Provider Handler node.

Documented how to use the amupgrade tool to upgrade configuration.

Improved navigation of the authentication nodes configuration reference.

Clarified that the ForgeRock® Authenticator app supports JPEG and PNG image formats.

Clarified location of setenv script in the Evaluation guide.

Updated installation and deployment graphics to show less complex DS installations.

Described the role of the Latest Access Time Update Frequency property in session management.

Updated Changes in 7.2.x with changes to the TreeContext class.

Documented the advanced server properties that determine search settings for keepalive and availability checks. For details, refer to Advanced properties.

Documented the evalThreadSize setting as a tuning parameter for policy evaluation. For details, refer to Policy evaluation settings.

Fixed an error in the Pass-through authentication node documentation.

Noted that the JavaScript origins property of an OAuth 2.0 client does not support non-standard headers.

Clarified that SAML assertions must be signed when using HTTP-POST.

Updated the JVM monitoring metrics.

Clarified the use of the auditEntryDetail for the scripted decision node.

Clarified that Transactional authorization does not trigger account lockout.

Fixed an error in the UI customization documentation.

Updated the documentation on configuring JBoss and WildFly.

Updated the documentation on the validateGoto endpoint.

Indicated that using ID tokens as session tokens requires specific privileges.

Improved the social authentication documentation.

Updated the documentation on stateless session upgrade.

Updated the Choice Collector node documentation to clarify that the default choice is the first in the list if no default choice is specified.

Recommended the removal of the velocity-1.7.jar library after install or upgrade.

Added a step to the instructions on building custom nodes.

Added Logback.jsp logger names to the Debug logging documentation.

Cautioned that host-based cookies should be used for security reasons (Securing the Session Cookie)

Changed the default expiry time of server-side agent sessions (com.iplanet.am.session.agentSessionIdleTime)

Updated docs to indicate that the failureUrl is not included in REST responses if it is empty

Clarified SAML certificates and secrets usage

Clarified supported claims when requesting policy decisions over REST

Fixed an error in the Device Profile Collector node docs

Documented settings for WS-Federation token issuer endpoints (Federation Authentication Module)

Added Inner Tree Node capabilities and restrictions

Documented AM property for LDAPS protocol (org.forgerock.openam.ldap.secure.protocol.version)

Advised that changes to Authentication Naming Attribute after setup require existing identities to be updated

Enhanced the documentation of the Provision Dynamic Account node

Advised administrators to increase DS search limits for large numbers of SAML entities (SAML Deployment Considerations)

Documented evalThreadSize setting as tuning parameter for policy evaluation

Clarified that SAML assertion must be signed when using HTTP-POST

Clarified use of auditEntryDetail for scripted decision node

Added missing HTTP connector setting to JBoss setup instructions

Updated instructions on validating a goto URL

Enhanced the documentation on the LDAP availability / KeepAlive changes, new in 7.1.3

Removed incorrect wording about namespaces in the node development docs

Noted that the JavaScript Origins property of an OAuth2 client does not support non-standard headers

Creating a SAML2 entity with a double space results in SAML2 entity with a single space

Updated Changes in 7.1.x with changes to the TreeContext class

Updated the upgrade instructions with information on custom server default properties

Updated Changes in 7.1.x with changes to the TreeContext class.

Added the org.forgerock.openam.introspect.token.query.param.allowed advanced server property.

Added the org.forgerock.openam.ldap.dncache.expire.time advanced server property, which sets the DN cache timeout.

Updated the OATH Registration node and Push Registration node documentation for the customizable QR code message.

Updated the Remote consent documentation to describe the new JWKs URI.

Clarified the limitation on using ID tokens as access tokens. For details, refer to Additional Use Cases for ID Tokens.

Improved the logback documentation.

Updated the documentation on scripted policy conditions.

Documented the crypto settings in the IDM Provisioning service.

Added information on specifying remote entity encryption methods.

Added subject and body to the OTP Email Sender Node and OTP SMS Sender Node.

Added guidance on naming custom nodes.

Corrected an error in the ForceAuth documentation for authentication trees.

Corrected an error in the OIDC hybrid flow documentation.

Described how to customize account lockout messages.

Updated the documentation on custom post-authentication plugin hooks.

Updated the documentation on the OAuth2 Device flow.

Add information on overriding and customizing OIDC claims scripts.

Clarified change to CORS filter configuration from AM 7 onwards.

Documented the nonProxyHosts advanced server property for HTTP client connections.

Added guidance on protecting user profile attributes.

Updated Multi-Factor Authentication Nodes with details of the OATH nodes that replicate the existing OATH module functionality:

Updated the examples in the Accessing Shared State Data section.

Added documentation in Supported Callbacks about the following callbacks:

Updated the Preparing for Development section to specify that you must include a nodeDescription property in nodes to ensure that they appear in the authentication tree designer.

Improved the procedure on mapping files in file system secret volumes to add more detail about how to encrypt and create filesystem-based secrets.

Updated the Directory Server Requirements to indicate that DS 5.+ is required as External Directory Server for 7.1.+.

Updated Changes in 7.0.x with changes to the TreeContext class.

Indicated that scripts should be upgraded as part of the upgrade process.

Improved the documentation about the request parameter of the /oauth2/authorize endpoint.

Noted support for Internet Explorer 11 ends August 17, 2021, in alignment with the announcement from Microsoft ending support for Internet Explorer 11.

Updated Session Upgrade documentation to clarify that the ForceAuth parameter used with an authentication tree causes AM to issue a new session token, regardless of the security requirements.

Updated the Supported Upgrade Paths section to remove the upgrade from OpenAM 13.X and add upgrade path from AM 7.x.

Added a new section, Managing the Secure Cookie Filter.

Removed information about Oracle Weblogic from the installation guide as it is not supported in this version.

Added a new section, OAuth 2.0 Scopes Policy Script API Functionality.

Updated the Scripting Environment documentation to show how to obtain the Groovy and JavaScript engine version that AM is using.

As part of hardening the security around the SAML v2.0 implementation that occurred in AM 7, the URLs specified in the Assertion Consumer Service must exactly match the SP’s scheme, FQDN, and port.

Added a new section, Setting Session Properties.

Added documentation on Adding Audit Information.

Improved the documentation on Tuning Authentication Node/Module LDAP Connections.

Added information on determining if an existing session is present before using the Get Session Data Node.

Added information on configuring the public key or HMAC secret in Authenticating Clients Using JWT Profiles.

Added information on using the ssoadm command with secure connections in Setting Up Administration Tools.

Updated Web or Java Agents SSO and SLO with Java Agent 5.7 and Web Agent 5.7 properties.

Updated JVM tuning properties.

Documented commands to export policy and application store LDIF files.

Clarified documentation on OAuth 2.0 JWK URI cache settings in To Create and Configure a Client Profile.

Clarified documentation on SAML v2.0 hosted SP attribute map in Hosted Service Provider Configuration Properties.

Corrected the Device Tampering Verification documentation to indicate that the device determines the score, rather than the node or the ForgeRock SDKs.

Updated how to create an HTTPS connector for Tomcat in Configuring AM’s Container for HTTPS.

Corrected the account mapper classes in Example: Protecting a Web Site With OAuth 2.0.

Added documentation about HTTP options when configuring a JVM proxy in front of AM in Preparing the Environment.

Updated the Linking Identities Automatically with Auto-Federation section to use the new UI.

Corrected the user required to perform policy evaluation with REST in To Evaluate a Policy.

Corrected the procedure on SAML v2.0 chains, in Linking Identities by Using Authentication Trees or Chains.

Added guidance on protecting user profile attributes.

Added documentation on the jwk_uri in the Remote Consent services configuration.

Added a step to remove two Apache libraries after installation or upgrade.

Added documentation on the org.forgerock.openam.ldap.dncache.expire.time advanced server property.

Noted that support for Internet Explorer 11 ends August 17, 2021, in alignment with the announcement from Microsoft ending support for Internet Explorer 11.

Added information to the reference entry of the /oauth2/authorize request parameter.

Updated Authentication Parameters to clarify that the ForceAuth parameter used with an authentication tree causes AM to issue a new session token, regardless of the security requirements.

Added a deprecation notice for Oracle WebLogic Server. It is not, supported in AM 7.

Added a step to the Upgrade From a Supported Version procedure to indicate that scripts must be upgraded manually.

Updated the /oauth2/connect/jwk_uri documentation.

Corrected the user required to perform policy evaluation over REST in Scripting a Policy Condition.

Added documentation about HTTP options when configuring a JVM proxy in front of AM.

Corrected the account mapper classes in Configuring AM as an Authorization Server and Client.

Clarified documentation on the OAuth 2.0 JWK URI cache settings.

Clarified documentation on the SAML v2.0 hosted SP attribute map in the Hosted Service Provider Configuration Properties.

Documented the commands to export policy and application store LDIF files.

Added information on configuring the public key or HMAC secret in Authenticating Clients Using JWT Profiles.

Described how to determine if an existing session is present before using the Get Session Data Node.

Improved the documentation on tuning LDAP connections in nodes and modules.

Corrected Linking Identities by Using an Authentication Chain in the SAML v2.0 Guide to reflect that these instructions apply to authentication chains only.

Added a note to the Planning Security Hardening section to recommend changing the dsameuser account during installation.

OAuth2 provider supported scopes property description changed from Supported Scopes to Client Registration Scope Whitelist, (the set of allowed scopes when registering clients dynamically with translations).

Added a missing password change ACI in the external identity store documentation.

Added CIBA binding_message limitations.

Added a user store affinity load balancing option to the Directory Services Configuration Properties.

Updated the OIDC encryption documentation with ECDH-ES support.

Added information on restricting endpoint caching.

Added anonymous session upgrade to the Anonymous User Mapping node.

Updated the Remote Consent Service documentation with the JWKS_URI location.

Added URL-encoding characters to the Basic Authentication documentation.

Added Session Idle Timeout to client-based sessions limitations.

Added additional uses cases for ID tokens.

Instructions to remove the SLF4J library before deploying on Wildfly 12+.

Indicated that keystore secrets store file locations must be the same for all servers. For details, refer to Configuring Secrets, Certificates, and Keys.

Added a step to create base DN from bind user for UMA stores. For details, refer to Preparing External UMA Data Stores.

Noted that the access token modification script works only with a default scope validator.

Indicated that the Data Store Decision node does not lock accounts or adhere to Behera password messages.

Added a step to change the cookie domain when configuring sites.

Documented the getSessionInfoAndResetIdleTime endpoint. For details, refer to Managing Sessions (REST).

Added SAML decryption logging properties. For details, refer to Using Fedlets in Java Web Applications.

Updated Base64URL-encoded DER certificate string. For details, refer to JWK-Based Proof-of-Possession.

Clarified how secret stores resolve secrets.

Added a note about exporting Amster configuration files after running an upgrade to AM 6.5.

Updated the procedure for link:https://backstage.forgerock.com/docs/am/6.5/maintenance-guide/proc-connecting-am-to-external-stores[configuring external policy and applications stores. You can now specify multiple URLs, with either active-passive or affinity connectivity.

Documentation on OAuth 2.0 Mutual TLS support.

Documentation on the OAuth 2.0 Dynamic Client Registration Management Protocol.

Updated the WebAuth node documentation.

Removed the note recommending using the embedded DS server as the configuration data store. Rather implement an external configuration store. For details, see Back End Directory Servers.

Updated documentation on upgrading and configuring secret stores. For details, refer to

Updated UMA urls in the User-Managed Access (UMA) 2.0 Guide.*n

Removed list of endpoint versions in favor of the API Explorer.

Improved the keystore documentation.

Updated the folder references in the UI Customization Guide.

Documented the key ID customization extension endpoint.

Updated section on denylisting client-based tokens to mention the allowlist used by refresh tokens.

New Authentication Node Development Guide.

Added scripting API documentation to the Development Guide.

Added caveats to setting up SAML v2.0 realms for client-based sessions.

Added details to the LDAP People Container Value property, sun-idrepo-ldapv3-config-people-container-value.

Clarified the Auth URL property in the SAML IdP configuration.

Added suggestions for configuring keystores.

Removed deprecated JVM option, -XX:+UseCMSCompactAtFullCollection.

Expanded information on managing OAuth 2.0 consent.

Added information on user self-service forgotten passwords.

Added text to check process limits using ulimit -u. For details, refer to Setting Maximum File Descriptors and Processes Per User.

Indicated that the update process must be able to unlock the keystore.jceks file. For details, refer to Keystore Configuration After Upgrade in the Setup and Maintenance Guide.

Added a section on performing session upgrade.

Fixed an error in the instructions on enabling SNMP monitoring.

Added a note about the increase in the entropy of stateful OAuth 2.0 access/refresh tokens and authorization codes.

Indicated that account lockout settings apply only to authentication modules and chains.

Added information on the supported LDAP types and operations for Sun/Oracle DSEE.

Added a note that we do not recommend more than one writeable repo per realm. For details, refer to Important Considerations for Using External Identity Repositories in the Installation Guide.

Added documentation for PKCE (RFC 7636) support. For details, refer to OAuth 2.0 in the OAuth 2.0 Guide.

Added clarification that amAdmin is a special account. For features that require a user profile (such as Device Match or Push notifications), create dedicated users or groups and delegate administrator privileges to them. For details, refer to Web-Based AM Console in the Setup and Maintenance Guide.

Added an example using authIndexType. For details, refer to Authentication and Logout in the Development Guide.

Updated the Installation Guide with an extra ACI requirement when running DS in production mode.

Added the --offline option, to the rebuild-index command-line examples.

Clarified that JWT Bearer claims for client authentication have a TTL of 30 minutes (non-configurable).

Removed the section on the third-party sample RADIUS client, which is no longer delivered with AM.

Removed the`iPlanetDirectoryPro` header in the REST-STS translate examples.

Added JSON responses for all settings of "Destination After Successful Self-Registration". For details, refer to To Register a User with the REST APIs in the User Self Service Guide.

Removed references to the deprecated endpoint, /ffrest.

Added a note that sticky load-balancing is required in a load balancer deployment.

Added documentation on generating a list of ACIs. For details, refer to To Prevent Anonymous Access in External Configuration Stores in the Installation Guide.

Updated the documentation so that configstorepwd and dsameuserpwd now use .keypass instead of .storepass. For details, refer to To Change Key Aliases' Passwords in the Setup and Maintenance Guide.

Removed references to Oracle WebLogic required packages, Bouncy Castle and Jackson, which are not included by default.

Updated the WebLogic installation steps.

Added expire header information in the Preparing Apache Tomcat instructions.

Added the One Time Password Max Retry parameter to the ForgeRock Authenticator (OATH) Authentication Module Properties.

Updated documentation on configuring the CTS connection pool size.

Fixed the ACI example in the CTS preparation instructions.

Removed mention of the Federation Connectivity Test, which no longer exists.

Added a note about opening the JCEKS keystore during upgrade.

Corrected an error in the JVM startup settings.

Added a tip about account lockout being triggered by counting invalid password exceptions. For details, refer to The Sample Authentication Logic.

Added the isInitiator parameter for the JDK Kerberos LoginModule.

Updated the documentation to add an optional ACI step if DS is in production mode. For details, refer to To Create a Non-Admin User in the Installation Guide.

Simplified the session logout section and corrected curl examples.

Added a warning that if AM cannot access the CTS token store, users will be unable to log in.

Added an entry for a new property, Affinity Enabled to the AM cannot access the External Store Configuration.

Fixed the example for logging out a session using a session handle.

Updated documentation to alter scopes used in UMA examples to avoid clashing with an earlier policy.

Indicated that sunserviceID must be indexed for a large number of OAuth2 clients, or if any agents are registered on the system.

Added information on a new advanced property, org.forgerock.allow.http.client.debug.

Added a procedure to configure ssoadm when using AES key wrap encryption. For details, refer to To Configure ssoadm for AES Key Wrap Encryption in the Installation Guide.

Added an admonition about enabling the org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH. For details, see Preparing Apache Tomcat in the Installation Guide.

It was stated that the same AM server could process fewer stateless sessions than stateful sessions in the same time. This information was incorrect based on ForgeRock’s internal testing.

It was stated that the size of the stateless cookie was ten times larger than the size of the stateful cookie. This information was incorrect. The size of the stateless cookie varies depending on the signing, encryption, and compression algorithms applied to it.

It was stated that stateless sessions do not require sticky load balancing. While this information is correct, the documentation has been amended to specify that AM caches the decrypt sequence of the cookie to improve performance and, therefore, stateless sessions benefit from sticky load balancing.