AM release notes

Documentation updates

In addition to the changes described elsewhere in these notes, the published documentation for each AM version includes the following important changes.

AM 7.3

Date Description


Initial release of Access Management 7.3 software.

  • Removed instructions on using deprecated chains and modules to set up push authentication. Use authentication trees instead, as described in Push authentication journeys.

  • Updated the format of these release notes to list cumulative changes, instead of reflecting only the changes for the current release.

  • Clarified that AM replaces sequences of whitespace with a single whitespace character when creating SAML v2.0 values such as entity IDs.

  • Removed use of the deprecated with method from Scripted decision node API callbacks.

  • Documented new Use mixed case for password change messages property for the LDAP Decision node.

  • Added missing HTTP connector settings to WildFly setup instructions.

  • Updated information about the --acceptLicense parameter in the Set up administration tools steps.

  • Removed access token from header in call to /oauth2/connect/endSession.

  • Documented how to mark configuration properties as passwords in the Node development guide.

  • Improved documentation for dynamic client registration.

  • Improved description of the Transformation Script field for the Social Provider Handler node.

  • Documented how to use the amupgrade tool to upgrade configuration.

  • Improved navigation of the authentication nodes configuration reference.

  • Clarified that the ForgeRock® Authenticator app supports JPEG and PNG image formats.

  • Clarified location of setenv script in the Evaluation guide.

  • Updated installation and deployment graphics to show less complex DS installations.

  • Described the role of the Latest Access Time Update Frequency property in session management.

AM 7.2

Date Description


September 30, 2022: Release of AM 7.2.1. In addition to these release notes, the following changes were made to the documentation:

  • Updated the Choice Collector node documentation to clarify that the default choice is the first in the list if no default choice is specified.

  • Recommended the removal of the velocity-1.7.jar library after install or upgrade.

  • Added a step to the instructions on building custom nodes.

  • Added Logback.jsp logger names to the Debug logging documentation.


Initial release of Access Management 7.2.

AM 7.1

Date Description


Release of AM 7.1.4


Release of AM 7.1.3



Release of AM 7.1.2

For information on how to create and test an authentication tree using the OATH nodes, refer to One-Time Password Authentication Using Trees.


Initial release of AM 7.1.1

  • Updated the examples in the Accessing Shared State Data section.

  • Added documentation in Supported Callbacks about the following callbacks:

    • BooleanAttributeInputCallback

    • ConsentMappingCallback

    • KbaCreateCallback

    • NumberAttributeInputCallback

    • StringAttributeInputCallback

    • TermsAndConditionsCallback

    • ValidatedCreatePasswordCallback

    • ValidatedCreateUsernameCallback

  • Updated the Preparing for Development section to specify that you must include a nodeDescription property in nodes to ensure that they appear in the authentication tree designer.

  • Improved the procedure on mapping files in file system secret volumes to add more detail about how to encrypt and create filesystem-based secrets.

  • Updated the Directory Server Requirements to indicate that DS 5.+ is required as the external directory server for AM 7.1.+.


Added a note about a change in behavior of the logging on session timeout.


Release of AM 7.1.

AM 7.0

Date Description


Release of AM 7.0.3.


Release of AM 7.0.2.

  • Indicated that scripts should be upgraded as part of the upgrade process.

  • Improved the documentation about the request parameter of the /oauth2/authorize endpoint.

  • Noted support for Internet Explorer 11 ends August 17, 2021, in alignment with the announcement from Microsoft ending support for Internet Explorer 11.

  • Updated Session Upgrade documentation to clarify that the ForceAuth parameter used with an authentication tree causes AM to issue a new session token, regardless of the security requirements.


  • Updated the Supported Upgrade Paths section to remove the upgrade path from OpenAM 13.x and add the upgrade path from AM 7.x.

  • Added a new section, Managing the Secure Cookie Filter.

  • Removed information about Oracle WebLogic from the installation guide, as it is not supported in this version.

  • Added a new section, OAuth 2.0 Scopes Policy Script API Functionality.

  • Updated the Scripting Environment documentation to show how to obtain the Groovy and JavaScript engine version that AM is using.

  • Noted that, as part of the hardening of the SAML v2.0 implementation in AM 7, the URLs specified in the Assertion Consumer Service must exactly match the SP’s scheme, FQDN, and port.

  • Added a new section, Setting Session Properties.


Release of AM 7.0.1.


Initial release of AM 7.

AM 6.5

Date Description


Initial release of AM 6.5.5.

In addition to the Release Note updates, the following changes were made to the documentation:


Initial release of AM 6.5.4.


  • Noted that support for Internet Explorer 11 ends August 17, 2021, in alignment with the announcement from Microsoft ending support for Internet Explorer 11.

  • Added information to the reference entry of the /oauth2/authorize request parameter.

  • Updated Authentication Parameters to clarify that the ForceAuth parameter used with an authentication tree causes AM to issue a new session token, regardless of the security requirements.

  • Added a deprecation notice for Oracle WebLogic Server. It is not supported in AM 7.

  • Added a step to the Upgrade From a Supported Version procedure to indicate that scripts must be upgraded manually.




Initial release of AM 6.5.3.


Updated and improved the documentation around keystores, secret stores, and the AM startup process.

As part of this change, the advice about creating a bootstrap keystore separate from the default AM keystore has been removed and replaced with instructions on creating an AM keystore that is also the bootstrap keystore.


Release of AM


Release of AM


Release of AM


Release of AM 6.5.2.

  • Added a note about exporting Amster configuration files after running an upgrade to AM 6.5.

  • Updated the procedure for configuring external policy and application stores. You can now specify multiple URLs, with either active-passive or affinity connectivity.


Updated the restriction on implementing SAML v2.0 single sign-on (SSO) and single logout (SLO) when running AM with client-based sessions. For details, refer to Session State Considerations.


Release of AM


Release of AM 6.5.1.


Documentation on audit logging to a PostgreSQL database.


Information on validating CSV logs to detect tampering.


Release of AM


Initial release of AM 6.5.

AM 6.0

Date Description


Release of an AM patch bundle.


Release of an AM patch bundle.


Release of an AM patch bundle.


Release of an AM patch bundle.


Release of an AM patch bundle.

  • Added a note about the increase in the entropy of stateful OAuth 2.0 access/refresh tokens and authorization codes.


Release of an AM patch bundle.


Release of an AM patch bundle.


Added an admonition about enabling the org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH property. For details, refer to Preparing Apache Tomcat in the Installation Guide.


Initial release of AM 6.0.

AM 5.5

Date Description


Initial release of AM 5.5.2.

The following documentation changes were made:

  • Added a note that we do not recommend more than one writeable repo per realm. For details, refer to Important Considerations for Using External Identity Repositories in the Installation Guide.

  • Added documentation for PKCE (RFC 7636) support. For details, refer to OAuth 2.0 in the OAuth 2.0 Guide.

  • Added clarification that amAdmin is a special account. For features that require a user profile (such as Device Match or Push notifications), create dedicated users or groups and delegate administrator privileges to them. For details, refer to Web-Based AM Console in the Setup and Maintenance Guide.

  • Added an example using authIndexType. For details, refer to Authentication and Logout in the Development Guide.

  • Updated the Installation Guide with an extra ACI requirement when running DS in production mode.

  • Added the --offline option to the rebuild-index command-line examples.

  • Clarified that JWT Bearer claims for client authentication have a TTL of 30 minutes (non-configurable).

  • Removed the section on the third-party sample RADIUS client, which is no longer delivered with AM.

  • Removed the `iPlanetDirectoryPro` header in the REST-STS translate examples.

  • Added JSON responses for all settings of "Destination After Successful Self-Registration". For details, refer to To Register a User with the REST APIs in the User Self Service Guide.

  • Removed references to the deprecated endpoint, /ffrest.

  • Added a note that sticky load-balancing is required in a load balancer deployment.

  • Added documentation on generating a list of ACIs. For details, refer to To Prevent Anonymous Access in External Configuration Stores in the Installation Guide.

  • Updated the documentation so that configstorepwd and dsameuserpwd now use .keypass instead of .storepass. For details, refer to To Change Key Aliases' Passwords in the Setup and Maintenance Guide.

  • Removed references to Oracle WebLogic required packages, Bouncy Castle and Jackson, which are not included by default.

  • Updated the WebLogic installation steps.

  • Added expire header information in the Preparing Apache Tomcat instructions.

  • Added the One Time Password Max Retry parameter to the ForgeRock Authenticator (OATH) Authentication Module Properties.

  • Updated documentation on configuring the CTS connection pool size.

  • Fixed the ACI example in the CTS preparation instructions.

  • Removed mention of the Federation Connectivity Test, which no longer exists.

  • Added a note about opening the JCEKS keystore during upgrade.

  • Corrected an error in the JVM startup settings.

  • Added a tip about account lockout being triggered by counting invalid password exceptions. For details, refer to The Sample Authentication Logic.

  • Added the isInitiator parameter for the JDK Kerberos LoginModule.

  • Updated the documentation to add an optional ACI step if DS is in production mode. For details, refer to To Create a Non-Admin User in the Installation Guide.

  • Simplified the session logout section and corrected curl examples.

  • Added a warning that if AM cannot access the CTS token store, users will be unable to log in.

  • Added an entry for a new property, Affinity Enabled, to the External Store Configuration documentation.

  • Fixed the example for logging out a session using a session handle.

  • Updated documentation to alter scopes used in UMA examples to avoid clashing with an earlier policy.

  • Indicated that sunserviceID must be indexed for a large number of OAuth2 clients, or if any agents are registered on the system.

  • Added information on a new advanced property, org.forgerock.allow.http.client.debug.



Updated the following information about stateless sessions across the guides:

  • It was stated that the same AM server could process fewer stateless sessions than stateful sessions in the same time. This information was incorrect based on ForgeRock’s internal testing.

  • It was stated that the size of the stateless cookie was ten times larger than the size of the stateful cookie. This information was incorrect. The size of the stateless cookie varies depending on the signing, encryption, and compression algorithms applied to it.

  • It was stated that stateless sessions do not require sticky load balancing. While this information is correct, the documentation has been amended to specify that AM caches the decrypt sequence of the cookie to improve performance and, therefore, stateless sessions benefit from sticky load balancing.


Added a note that the JWT expiry lifetime is set to 30 minutes maximum.


Added documentation about a new OATH/HOTP property, One Time Password Max Retry, that lets you configure the number of retry attempts for the OTP.


Added information about the need to update the script or Maven pom.xml file used to build a custom authentication module when the module uses a service loader.


Release of AM 5.5.1

Copyright © 2010-2023 ForgeRock, all rights reserved.