AM release notes

Fixes in AM 5.5.x

This page lists the cumulative fixes in AM 5.5.x releases.

  • OPENAM-15982: OIDC - JWT Request Parameter returns errors in query, not in the fragment when consent is denied

  • OPENAM-15944: WS-Federation - RPSignin Request fails because config data is used unchecked

  • OPENAM-15900: Kerberos fails when used with IBM JDK

  • OPENAM-15899: Have an option to add <ds:X509Certificate> tag in the signed SLO request

  • OPENAM-15896: WS-Federation relying party initiated passive request - stuck at Account Realm selection

  • OPENAM-15853: External UMA store fails on resource creation

  • OPENAM-15849: An admin cannot DELETE 2fa devices owned by users

  • OPENAM-15841: DisableSameSiteCookiesFilter broken on WebLogic

  • OPENAM-15805: idtokeninfo endpoint gives invalid signature error when ID Token is expired

  • OPENAM-15776: Push Registration fails (QR code invalid) to register

  • OPENAM-15724: SAML2 entities do not set amlbcookie if there is only one server

  • OPENAM-15722: SAML2 IdP federation endpoint does not set amlbcookie when using host-based cookies

  • OPENAM-15713: AM SP drop the 80 characters RelayState silently for HTTP Redirect

  • OPENAM-15694: RestSTSServiceHttpRouteProvider causes memory leak by adding route for every access

  • OPENAM-15652: Debug.jsp does not update all existing appenders when trying to override -Dcom.iplanet.services.debug.level at runtime

  • OPENAM-15651: AM 5.5.2 copyrights displayed in XUI pages out of date

  • OPENAM-15562: SAML2 crosstalk fails when Accept-Language header is missing from the original request

  • OPENAM-15559: OATH module broken in Japanese locale

  • OPENAM-15533: WS-Federation doesn’t work with Authentication Trees

  • OPENAM-15510: Generic amster error message "No Base Entity dc=config,dc=forgerock,dc=com found" needs to detail the actual ldap error - during install-openam

  • OPENAM-15507: 500 error when calling /revoke or /refresh endpoint with wrong token

  • OPENAM-15494: AM expects nonce request parameter in authorize request when no id_token will be returned

  • OPENAM-15487: OIDC - JWT Request Parameter returns errors in query, not in the fragment with invalid acr essential claim

  • OPENAM-15483: IDPSSOUtil.doSSOFederate throws NumberFormatException when subrealm is used with federation

  • OPENAM-15459: When Encrypted Attributes on SP is set only with AutoFederation enabled, the attributes get decryption error

  • OPENAM-15446: Incorrect error management during SAML SSO

  • OPENAM-15444: Prepare for Chrome’s move to SameSite=lax by default

  • OPENAM-15432: Oath User Devices endpoint not accessible for delegated admin

  • OPENAM-15363: Redirect_uri_mismatch error occurs in Agent 5.x after upgrading from OpenAM 13.5.0

  • OPENAM-15307: Trees Example is not working as expected OOTB to ?service=Example

  • OPENAM-15286: Upgrade from 12.0.4 fails

  • OPENAM-15257: XUI freezing when /authenticate returns unhandled http result codes

  • OPENAM-15244: AM configuration does not perform schema extension for identity store although it has the permissions

  • OPENAM-15216: LDAP Decision Node does not continue through "Fail" flow when Node Fails with exception

  • OPENAM-15210: Authentication nodes that are assigned AuthType values may not work in Session Upgrade case with custom modules

  • OPENAM-15198: WS-FED Attribute Mapper returns incorrect map when AM is SP

  • OPENAM-15164: CDSSO with "ignore profile" throws "No OpenID Connect provider"

  • OPENAM-15147: HTTP 500 upon accessing openam/json/

  • OPENAM-15116: Auth ID jwt can be modified to determine whether a realm exists or not

  • OPENAM-15089: SAML SLO - Allow RelayState to be a path-relative URL

  • OPENAM-15073: Missing RelayState query parameter in the AM redirect to fedlet application

  • OPENAM-15044: OpenID connect id_token bearer Module Unable to obtain SSO Token due to OpenIDResolver Caching

  • OPENAM-15012: OIDC - JWT Request Parameter returns errors in query, not in the fragment

  • OPENAM-14989: Configuring Rest STS with a delegated admin fails

  • OPENAM-14986: AM Cannot connect to TLSv1.2 DJ server (production mode) after JDK 8 update 192

  • OPENAM-14977: PKCE Code challenge method for Authorization Code if not set should use plain

  • OPENAM-14973: Monitoring throws StackTrace even if JDMK isn’t being used/needed.

  • OPENAM-14940: Improve SAML2 Response/Assertion generation to not have carriage returns in between XML tags

  • OPENAM-14939: Enable "org.apache.xml.security.ignoreLineBreaks=true" by default

  • OPENAM-14929: idpSSOInit error when session authLevel does not map to Auth Context

  • OPENAM-14883: OAuth2/OIDC - Issuing client secret to Public clients during registration

  • OPENAM-14874: It would be nice if the x-forwarded-* option was able to parse the comma-separated string and use the first (outermost) proxy host name.

  • OPENAM-14867: AuthType is not set for Authentication Tree (AnyKnownUserAuthzModule fails in AuthTree)

  • OPENAM-14858: When NameIDPolicy does not contain Format=.., remoteEntityID is passed as null

  • OPENAM-14842: Misleading "CTS: Operation failed: Result Code: Connect Error" message when CTS store is still up and running

  • OPENAM-14829: AuthSchemeCondition doesn’t return realm aware policy condition advice

  • OPENAM-14825: OAuth2 Dynamic Registration with Software Statement triggers objectClass=* search

  • OPENAM-14799: Unable to update Agent profile using REST

  • OPENAM-14786: idpSingleLogoutPOST throws error 500 IllegalStateException on SLO

  • OPENAM-14766: introspect and tokeninfo endpoints return Internal Server Error 500 in some invalid tokens

  • OPENAM-14744: Multivalued DN stops persistent search

  • OPENAM-14740: idpSingleLogoutRedirect throws error 500 IllegalStateException on SLO

  • OPENAM-14707: ConsentRequiredResource class does not reuse value in Base url source service

  • OPENAM-14694: Consent page still shows claim values even when supported claim description is omitted

  • OPENAM-14643: OIDC Dynamic Client Registration registration_client_uri does not work for root realm

  • OPENAM-14642: OIDC Dynamic Client Registration registration_client_uri uses only Host header not BaseURL

  • OPENAM-14581: Handling ManageNameID fails if NameID does not include SPNameQualifier

  • OPENAM-14572: prompt=login destroys and creates new session

  • OPENAM-14546: SSOADM access not audited to the ssoadm.access logs anymore

  • OPENAM-14539: SAML SLO with multi protocols

  • OPENAM-14523: NullPointerException in IdP-initiated ManageNameIDRequest using SOAP Binding

  • OPENAM-14466: Logs show MissingResource for key unableToCreateArtifactResponse during SAML2 login

  • OPENAM-14465: SAML2 Artifact binding fails on multi-instance / multiserver IDP setup with SAML2 Failover on

  • OPENAM-14450: userinfo typo in Claims.java

  • OPENAM-14427: Certificate Module with option "Match Certificate in LDAP" does not work

  • OPENAM-14419: Policy evaluation returns search results for all policies that match outside of specified application

  • OPENAM-14393: CTS Operation Fails Entry Already Exists logged for SAML2 Authentication is done

  • OPENAM-14369: Upgrading from OpenAM 13.5.0 with custom PAPs causes NPE failure

  • OPENAM-14356: Deleting OAuth 2.0 Client triggers unfiltered search

  • OPENAM-14337: Fail gracefully when request OIDC token using "Pairwise" Subject Type and no Redirection URI is configured in client

  • OPENAM-14336: Unable to use Signed Metadata to Re-Import

  • OPENAM-14313: Audit Logging - STS transformations create duplicate entries

  • OPENAM-14310: CheckSession page indicates the session is not valid

  • OPENAM-14308: LDAP Connection Pool Minimum Size for Identity Store missing from XUI

  • OPENAM-14307: ConcurrentModificationException when creating resource_set

  • OPENAM-14281: IdP Proxy relays wrong AuthnContextClassRef

  • OPENAM-14239: FMSigProvider.verify NPE with null input for certificates

  • OPENAM-14233: updated_at claim in the ID Token is returned as a string and not a number

  • OPENAM-14232: Performance issue when creating resource_set in UMA with many existing resource_set

  • OPENAM-14189: effectiveRange of Time environment has issue

  • OPENAM-14175: CTS updates on multivalue attributes may throw Duplicate values exception

  • OPENAM-14174: AM shows Ldapter.delete exception when session expires is triggered

  • OPENAM-14167: HTML tags are shown part of the messages in Change Password section of AD Authentication module.

  • OPENAM-14147: arg=newsession in XUI just shows the "Loading…" page

  • OPENAM-14138: Self registration url does not include realm parameter after upgrade from 13.5.1

  • OPENAM-14115: Sample Auth module does not work in a chain when used with Shared-state

  • OPENAM-14050: LDAP should reestablish connection to the original server after it has recovered

  • OPENAM-14040: LdifUtils debug logging prints out wrong classname

  • OPENAM-14022: We shouldn’t be deploying Jetty inside a war file

  • OPENAM-13997: Include appropriate commons libraries in javadoc

  • OPENAM-13991: 'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm

  • OPENAM-13978: Session Upgrade - AuthLevel format changes

  • OPENAM-13934: saml2error.jsp fails with exception when malformed SAML2 response given

  • OPENAM-13927: Some javadoc not generated

  • OPENAM-13900: OAuth2 Device flow - duplicate user_code error after authenticating user

  • OPENAM-13890: Install.log logs AMLDAPUSERPASSWD for unprivileged demo user in plaintext

  • OPENAM-13861: Social Authentication Tree does not complete its flow with ForceAuth parameter

  • OPENAM-13842: OAuth2 Device flow - can no longer use user_code more than once

  • OPENAM-13838: Wording on "Maximum Caching Time" requires an update

  • OPENAM-13793: Building AM with the suppress-upgrade causes an exception

  • OPENAM-13786: REST policy evaluation throws 500 Internal Error due to stateless ssotoken encryption alg conflict

  • OPENAM-13779: Session API - _action=refresh requires an admin token

  • OPENAM-13750: HTTP 500 error when trying v3.1 /sessions in API explorer

  • OPENAM-13741: After upgrade from 12.0.4 there are two additional service endpoints listed in API Explorer

  • OPENAM-13740: File descriptor / Connection leak when LDAP connection handshake fails/times out

  • OPENAM-13728: I can create new user with uid=testuser* after upgrade from 13.0.0

  • OPENAM-13720: Public API method LDAPUtils.convertToLDAPURLs can not handle IPv6 literals

  • OPENAM-13670: Selfservice password reset token doesn’t work in site due to OPENAM-6426

  • OPENAM-13617: IDP initiated MNI requests to terminate link fail

  • OPENAM-13612: OAuth2 CTS Grants without RefreshToken should expire with AccessToken timeout for one-to-one mapping

  • OPENAM-13610: X-Frame-Options: SAMEORIGIN prevents use of check_session_iframe

  • OPENAM-13582: token_endpoint_auth_signing_alg_values_supported not implemented

  • OPENAM-13578: KBA are not updatable after upgrade

  • OPENAM-13577: xmlsec 2.1.1.jar used in AM has issues when linebreaks enabled

  • OPENAM-13574: Scripting class whitelist is missing classes after upgrade from 13.5.2 to 5.5.2

  • OPENAM-13573: Concurrent changePassword requests to LDAPAuthUtils may cause "insufficient access rights" failures

  • OPENAM-13563: Help link on the "Services" XUI page points to out of date documentation

  • OPENAM-13530: Datastore Decision node removes username from shared state when it is not found

  • OPENAM-13511: DN Cache should be cleared after idRepo config change

  • OPENAM-13499: Incorrect transaction ID used in access events for CREST endpoints

  • OPENAM-13490: Software Publisher Agent - Secret is not saved when creating an Agent

  • OPENAM-13465: Dynamic client registration sets wrong subjectType

  • OPENAM-13446: Social Auth Service doesn’t redirect if already using another chain

  • OPENAM-13438: Setting org.forgerock.openam.ldap.heartbeat.timeout=-1 makes AM unusable

  • OPENAM-13430: Invalid request is returned instead of Invalid request parameter error

  • OPENAM-13426: EncryptSAMLIDPSPBasicAuthPwdStep fails in upgrade

  • OPENAM-13411: Policy Configuration in Primary LDAP Server behaves different when there is one entry compared to many

  • OPENAM-13407: AMIdentitySubject.isMember should not check privilege for group in different realm

  • OPENAM-13398: SAML SSO broken after performing Session upgrade

  • OPENAM-13359: P11RSAPrivateKey fails RSA key check.

  • OPENAM-13330: Improve SessionReource Authz Module processing

  • OPENAM-13324: /users/{user}/devices/trusted REST queryFilter expression does not work and acts as "true"

  • OPENAM-13255: DefaultIDPAccountMapper does not append domain value for UPN

  • OPENAM-13183: Concurrent changePassword requests to the "users" REST endpoint causes "insufficient access rights" failures

  • OPENAM-13162: Policy evaluation returns 403 with expired stateless app token

  • OPENAM-13154: Lockout Duration Multiplier has no effect

  • OPENAM-13151: OAuth2 Dynamic Registration does not accept Private-Use URI (for native apps) as redirect_uri

  • OPENAM-13128: Invalid error message returned when user with expired password authenticates with persistent cookie module

  • OPENAM-13112: showServerConfig.jsp throw NullPointerException NPE when accessed using Site or LB URL

  • OPENAM-13104: Introspection of access token fails when the wrong case of realm is used in the FIRST request

  • OPENAM-13088: RFE: add option for isInitiator=false to WDSSO configuration

  • OPENAM-13085: WSFederation Active Request Profile authentication request hangs on input-less scripted modules

  • OPENAM-13082: Address claim in default OIDC claims script outputs non-spec compliant format

  • OPENAM-13079: Import SAML2 MetaData for RoleDescriptor for AttributeQueryDescriptor fails

  • OPENAM-13072: Case Sensitive of Username Result in Listing UMA Resource Incorrectly

  • OPENAM-13064: OAuth2 - SAML v.2.0 Bearer Assertion Grant - SubjectConfirmationData element should be optional

  • OPENAM-13053: ScriptingService doesn’t add the new values to whitelist during upgrade

  • OPENAM-13031: Failed search for non-existent user in datastore when fetching session properties and user profile is set to ignore

  • OPENAM-13008: Occasional shutdown error for AM

  • OPENAM-13006: Missing upgrade steps for OAuth2 ID Token Signing and Encryption Algorithms

  • OPENAM-13000: Custom authentication module with a single ChoiceCallback value is processed without confirmation

  • OPENAM-12997: Consent for default scopes are not saved

  • OPENAM-12994: Unable to install AM using default configuration wizard when built with 'suppress-upgrade'

  • OPENAM-12984: Access Token Endpoint issues search request against datastore for OAuth Client

  • OPENAM-12972: SAML2 Auth Module fails with empty SAML2 Advice assertion.

  • OPENAM-12965: httpClient not exposed to OIDC Claim Script

  • OPENAM-12920: LDAPConnectionFactory is not closed when PersistentSearch is restarted

  • OPENAM-12898: DNS alias results in audience validation failure for clients authenticating using JWT

  • OPENAM-12867: IdP-Proxy - Single Logout fails as LogoutResponse is not signed

  • OPENAM-12866: Subsequent idpSSOInit calls after the first will fail if custom IDPAdapter forces auth step up

  • OPENAM-12826: WS-Federation extended metadata import fails when using ssoadm

  • OPENAM-12822: No URL resource is created for subsubrealms

  • OPENAM-12784: ProviderConfiguration is not spec compliant

  • OPENAM-12770: Some SAML assertions are not deserialized from SAML2 Token.

  • OPENAM-12703: UnsupportedOperationException seen on SAML related session logout

  • OPENAM-12651: Configuration objects not cleaned up as part of realm deletion

  • OPENAM-12650: PluginSchemaImpl should clear CachedSMSEntry instance before throwing it away

  • OPENAM-12649: Incorrect equality check in CachedSubEntries#notifySMSEvent

  • OPENAM-12648: AgentsRepo instances are leaked during realm creation

  • OPENAM-12647: SMS*LdapObject entriesPresent/NotPresent caches are accessed inconsistently

  • OPENAM-12646: SMSEmbeddedLdapObject initialization fails the first time with an NPE

  • OPENAM-12645: Non-threadsafe fields are missing volatile keyword

  • OPENAM-12644: ServiceConfigManagerImpl initialization is not synchronized correctly

  • OPENAM-12643: Notification listeners are stored in sets potentially allowing loss of listeners

  • OPENAM-12642: ServiceConfigManagerImpl does not implement equals/hashCode consistently

  • OPENAM-12627: Initiating TransactionConditionAdvice with a wrong credential resulting in a non-error response

  • OPENAM-12626: OIDC endSession endpoint does not call post authentication plugin onLogout functions

  • OPENAM-12610: AM cannot recognize version on upgrade from older versions

  • OPENAM-12561: "Failed to create realm" with NullPointerException cause

  • OPENAM-12553: IdP Logout is ignored when using SAML2 Auth module and trying to use a goto

  • OPENAM-12533: Internal server error if JSON cannot be parsed by the json/authenticate endpoint

  • OPENAM-12531: Running webagent 5.0.0 against OpenAM 5.5.1 or later which is upgraded from previous version will result in segmentation fault or crash

  • OPENAM-12514: IdP initiated SSO - NumberFormatException is raised in session upgrade case

  • OPENAM-12511: User with the name "amadmin" can be created via the /users REST endpoint

  • OPENAM-12498: Authorization Grant response returns scope(s) in the URL

  • OPENAM-12477: id_token requested using grant_type=authorization_code returns auth_time in milliseconds

  • OPENAM-12440: User status is ignored

  • OPENAM-12419: Policy rules not updated when external configuration store connection restarted

  • OPENAM-12418: Unable to access Forgerock OATH for users with Profile when caching disabled

  • OPENAM-12415: Self-Service KBA questions of TopLevel Realm(or Global Service) override SubRealm’s

  • OPENAM-12413: Enabled "Return User DN to DataStore" of LDAP auth-module is resulting in one redundant search for "uid=uid=demo" in the configuration store

  • OPENAM-12412: Multi-valued LDAP attributes are not added to the OIDC id_token as expected

  • OPENAM-12403: LDAP response controls are not logged which complicates troubleshooting

  • OPENAM-12401: DJLDAPv3Repo - insufficient debug logging to troubleshoot membership issues

  • OPENAM-12384: Guice binding error when handling WSFed entities via ssoadm

  • OPENAM-12380: client ip audit logging is not storing as IP but a list of IPs

  • OPENAM-12377: WS-Fed extended metadata with unknown COT value should generate an error

  • OPENAM-12373: amster transport key makes rest operations too slow

  • OPENAM-12370: JWT verification fails when token idle time is too long

  • OPENAM-12357: ssoadmin tools distro includes release candidate libraries

  • OPENAM-12338: policies?_action=evaluate checks all policy sets

  • OPENAM-12333: AMIdentitySubject policy evaluation not cached when a lot of groups and datastore is used with delegated admin

  • OPENAM-12328: Inefficient LDAP Search initiated by getRealmFromAlias() call as part of login process

  • OPENAM-12321: DeviceID showing extra info incorrectly in audit logs

  • OPENAM-12319: Memory leak in accessing Jato Pages.

  • OPENAM-12315: NullPointerException after configuration store failover

  • OPENAM-12293: Audit logging no longer logs REST operation details

  • OPENAM-12262: CachedSMSEntry should only deregister its listener upon invalidation

  • OPENAM-12261: Honor org.apache.xml.security.ignoreLineBreaks=true when generating WS-Fed Assertions

  • OPENAM-12258: ServiceSchemaManagerImpl can lose listeners when it gets invalidated

  • OPENAM-12257: SMS listeners are not processed in the order they have been registered

  • OPENAM-12255: Process SMS notifications sequentially by default instead of using a threadpool

  • OPENAM-12254: ServiceListeners API doesn’t always receive schema notifications

  • OPENAM-12252: Delegated admin with Stateless Session, causes Admin Console failure.

  • OPENAM-12245: "Authentication by Module Instance" policy env condition doesn’t work in session upgrade case

  • OPENAM-12244: Monitoring services unable to connect to Port

  • OPENAM-12234: Values for objects of type com.sun.xml.bind.util.ListImpl are not printed in debug logs

  • OPENAM-12232: Dynamic registration is not registering token_endpoint_auth_signing_alg, request_object_encryption_alg and request_object_encryption_enc

  • OPENAM-12226: Device Match - server side script fails

  • OPENAM-12219: Resource leak in MonitoringAdapters#getMonAuthList

  • OPENAM-12215: NPE thrown when calling OIDC authorize endpoint with invalid SSOToken

  • OPENAM-12194: SLO with the SAML2 Auth Module PAP redirects to 'XUI/nullnull' when IDP has no SingleLogoutService defined

  • OPENAM-12186: Introspect endpoint for RPT does not check the authorization scheme

  • OPENAM-12184: Extend the DJ/DS SDK affinity LB feature to the userstore connection

  • OPENAM-12181: REST STS OIDC multi value local attributes not transformed into Claims correctly

  • OPENAM-12176: ServiceConfigManagerImpl does not retain order of notification events.

  • OPENAM-12174: XUI - Deleting a built-in authentication module will delete any other created by it

  • OPENAM-12173: NumberFormatException for AuthLevel in OAuth2 logs

  • OPENAM-12171: PolicySetCache gets corrupted when the realm name contains upper case characters

  • OPENAM-12170: NPE in PolicyConfig

  • OPENAM-12169: REST SMS deadlocks when processing notifications

  • OPENAM-12166: Resource #3.0 logoutByHandle request fail with status 500 error

  • OPENAM-12161: Expires attribute in WS-Fed Active Requestor Profile is expected but is optional

  • OPENAM-12155: Client authenticate JWT with no exp and audience throw a NPE

  • OPENAM-12144: getSessionInfo endpoint _fields parameter doesn’t work

  • OPENAM-12140: Allow USS Registration route to be configurable

  • OPENAM-12109: Syslog Audit Event Handler buffer size should be configurable

  • OPENAM-12098: Default server property com.sun.identity.urlchecker.dorequest is invalid

  • OPENAM-12082: Outlook with WS-Fed uses cached credential after AD password change.

  • OPENAM-12080: OAuth2 Stateless Session Signing Key lost during upgrade

  • OPENAM-12079: Cannot use prompt=login with device flow

  • OPENAM-12078: OAuth 2 device flow loses OIDC nonce

  • OPENAM-12075: OIDC without a datastore returns "User must be authenticated to issue ID tokens"

  • OPENAM-12071: Error during upgrade with unindexed search from UpgradeUtils.deleteService()

  • OPENAM-12069: Non amadmin admin user can’t edit Policy Sets / Policies

  • OPENAM-12062: XUI DashBoard does not show trusted devices etc if user search attribute of the data store is not 'uid'

  • OPENAM-12054: Cumulative upgrades of OpenAM (e.g. 5.1.0 to 5.5.0 to 5.5.1) fail with "Writing Backup; Failed!" error

  • OPENAM-12037: Memory leak: LDAPFilterCondition creates new ShutdownManager listener on each request

  • OPENAM-12026: Self-service user registration gets "Bad Request" on LDAP error 19

  • OPENAM-12022: Self-service registration for existing user displays "Detected conflict in request"

  • OPENAM-11994: NullPointerException in ResourceOwnerOrSuperUserAuthzModule.getUserIdFromUri

  • OPENAM-11980: Social OIDC wizards do not work when provisioning accounts locally

  • OPENAM-11976: XUI Session query session by username does not work with

  • OPENAM-11968: SAML2 Auth Module does not accept SAML2 AuthResponse with no SessionIndex

  • OPENAM-11966: SAML2 SSO 'better' auth’n comparison fails with 'Invalid status code in response'

  • OPENAM-11962: Calling Logout and passing a goto URL parameter with an expired session, goto URL is ignored

  • OPENAM-11961: KBA update fails if Self service is configured in sub-realm and root realm has no datastore

  • OPENAM-11956: SAML2 RelayState values are seen as invalid if they are not a URL which appears to go against the spec

  • OPENAM-11944: REST OAuth2 creation triggers objectClass=* search

  • OPENAM-11937: Federation UI does not allow empty NameIDMappingService

  • OPENAM-11935: redirect_uri should be required in the OAuth2 authorization request

  • OPENAM-11925: CORSFilter causing failures after moving to 5.x from 13.5.x

  • OPENAM-11909: Demo user creation is based on whether a userCfg is specified, rather than when it’s set to embedded

  • OPENAM-11876: Amster has a timeout limit of 10 second and it is not configurable

  • OPENAM-11863: CORSFilter position in web.xml should come before most filters

  • OPENAM-11829: SSOToken idletime reset even when it shouldn’t be

  • OPENAM-11818: Oauth2 authn module incorrectly POST state parameter to token endpoint

  • OPENAM-11789: User remains on 'Loading' page with 'OAuth2.0/OIDC' auth module if authId token expires before entering credentials

  • OPENAM-11746: Syslog data is not fully RFC compliant

  • OPENAM-11678: 'Oldest' REST passwordreset selfservice unusable

  • OPENAM-11673: Policy evaluation response is incorrect if the URL query string sent for evaluation contains the string ://

  • OPENAM-1167: WindowsDesktopSSOConfig ClassCastException on saving configuration in admin UI

  • OPENAM-11665: Improve debug logging when unable to login in XUI with users endpoint getting 404 due to KBA attribute issues

  • OPENAM-11642: CustomProperties do not work when creating J2EE/Web Agents via REST

  • OPENAM-11619: Default scope value is incorrect (empty) for Social Auth VKontakte module

  • OPENAM-11565: Implicit grant flow is not generating an Ops token

  • OPENAM-11548: Improve Scope validator class loading error handling

  • OPENAM-11547: Missing entry or corrupted value in "com.iplanet.am.version" causes upgrade failure

  • OPENAM-11523: Using the LDAP/AD auth module, the change password on next login, if current password is empty it displays the wrong error message

  • OPENAM-11491: Upgrading OpenAM results in failure due to restSMS.xml

  • OPENAM-11473: NumberFormatException on startup for External configuration setup

  • OPENAM-11432: Extra space in Policy's Resource Type will cause policy evaluation to fail

  • OPENAM-11407: Extra space in the CTS's connection string " openam.internal.example.com:50389" causes OpenDJ-SDK log to grow

  • OPENAM-11402: OpenAM does not enforce OAuth2 spec for "Resource Owner Password Credentials Grant" flow

  • OPENAM-11398: OpenAM ACI installation instruction does not work for OpenDJ productionMode

  • OPENAM-11312: Attribute Mapping defined in wsfed remote SP should not be overridden by attribute mapping defined in wsfed OpenAM Hosted IDP

  • OPENAM-11289: SP initiated SLO with SOAP binding fails with code 400

  • OPENAM-11240: "Skip This Step" button on the ForgeRock Authenticator (OATH) screen is missing (HOTP)

  • OPENAM-11225: idpSingleLogoutRedirect throws 500 error SLO

  • OPENAM-11177: Scripted auth module can not be used in auth chain if the username in sharedstate map does not 'match' the search attribute of the data store

  • OPENAM-11167: <ActualLockoutDuration> is not updated in the attribute sunStoreInvalidAttemptsData

  • OPENAM-11159: OpenAM Amster export/import for Site have import errors

  • OPENAM-11157: Oauth2/OIDC Authentication redirect goto value wrong when behind reverse proxy

  • OPENAM-11118: REST call allows for realm name with space when creating realm

  • OPENAM-11087: Global Config Email Service SSL State has changed from SSL to non-SSL between versions 13.5.0 and 14.0.0

  • OPENAM-11055: ssoadm command "set-attr-defs" reports success but does not actually update global service

  • OPENAM-11048: OpenAM account lockout does not work when naming attribute and LDAP Users Search Attribute are different

  • OPENAM-10994: Performance degradation of around 30% using defaults JCEKS so as to JKS

  • OPENAM-10935: DeviceIDSave - stacktrace is lost

  • OPENAM-10934: Authentication succeeds although DeviceIDSave module fails

  • OPENAM-10673: SAML2 authentication module fails to redirect to IDP after failing DeviceID match module

  • OPENAM-10619: Post Authentication Plugin not run during session upgrade

  • OPENAM-10591: Generate more debug details about the JSON that is failing when JsonPolicyParser throws a UNABLE_TO_SERIALIZE_OBJECT exception

  • OPENAM-10532: SOAPExceptionImpl: Invalid Content-Type:text/html. Is this an error message instead of a SOAP response?

  • OPENAM-10371: NPE for notifyGlobalConfigChange in Configuration debug file after OpenAM setup

  • OPENAM-10296: Session UI only allows searching for users in datastore

  • OPENAM-10191: Add Skew to NotOnOrAfter and NotBefore Assertion Conditions

  • OPENAM-10083: Sending READ to sites endpoint sometimes returns 500 error

  • OPENAM-9931: Global Session Service - two fields with the exact same name (Redundant 'Global Attributes' setting should be removed)

  • OPENAM-9790: Allow IDP to determine request binding from goto url as well as request method

  • OPENAM-9783: json/users changePassword returns the wrong error message with multiple datastores

  • OPENAM-9674: Support Active Directory Recursive Group Membership Lookup

  • OPENAM-8264: Insufficient validator for service property 'iplanet-am-auth-hmac-signing-shared-secret'

  • OPENAM-6925: When getting a access token with a Basic HTTP client and a invalid grant_type the wrong error is returned

  • OPENAM-6748: Improve mechanics of the notification cache

  • OPENAM-6445: UMA policy with self-sharing creating policy despite failure

  • OPENAM-6426: Forgot password doesn’t print an audit log

  • OPENAM-6370: REST-SMS: 500 Internal Server Error for Invalid Attribute Update

  • OPENAM-6141: REST-SMS: Request for sts and dashboard services schema returns 500

  • OPENAM-5867: Data Store LDAP server (admin-ordered) list is reordered by OpenAM

  • OPENAM-5865: AuthLevelCondition will not retrieve request auth level for a capital-letter realm.

  • OPENAM-4040: SSO failure between SPs in separate CoTs with same hosted IDP

  • OPENAM-11988: HTTP 500 when validating SSO tokens if API version is omitted in AM 5.5

  • OPENAM-11834: Passwords being set to empty strings in tabbed forms in XUI

  • OPENAM-11646: Cookie values wrapped in double quotes

  • OPENAM-11632: CDCServlet does not work with realm

  • OPENAM-11610: WindowSSO module broken in AM 5.5 after upgrade

  • OPENAM-11526: Realm Authentication chain post authentication classes PAP not triggered on chains with multiple modules

  • OPENAM-11391: Requesting 'OAuth2.0/OIDC' auth module a second time results in display of AM’s "Authentication Failed" page

  • OPENAM-11300: OIDC request parameter is failing when message level is enabled

  • OPENAM-11280: authentication with noSession=true fails if post authentication plugin class is present

  • OPENAM-11218: OpenAM throws service error for Application Module

  • OPENAM-11217: SAML2 Authentication module is not invoking custom SP Adapter class implementing a preSingleSignOnRequest() method

  • OPENAM-11196: Incorrect debug logging level used in FMEncProvider.getEncryptionKey

  • OPENAM-11154: Memory leak in SMSEventListenerManager#subNodeChanges

  • OPENAM-11115: Push authentication should use alias attributes to find identities

  • OPENAM-11101: Social Auth links do not contain the goto url

  • OPENAM-11070: Need OAuth2 authentication to work in Android with implied consent

  • OPENAM-11057: Global User Self Service UI does not display values

  • OPENAM-11015: ForceAuth session upgrade does not work

  • OPENAM-10971: FR-OATH auth module can not be used in auth chain if the username in sharedstate map does not 'match' the search attribute of the data store

  • OPENAM-10970: logout response binding should be selected based on the capabilities of the SP

  • OPENAM-10965: Stateless OAuth2 can’t verify access and refresh token

  • OPENAM-10931: IdentitySubject not adding isMember() result to cache after entry has changed

  • OPENAM-10782: endSession with an id_token generated from a refresh_token request does not destroy the session

  • OPENAM-10756: setSucessModuleNames in AMLoginModule calls AuthModule’s getPrincipal multiple times

  • OPENAM-10585: The "claims" Request Parameter from the openid standard isn’t functional

  • OPENAM-10578: Stateless access token doesn’t contain the grant type

  • OPENAM-10562: Audit log 'Configuration' entries are not written when using external configuration store

  • OPENAM-10332: Quota constraints exceeded - Interim Fix

  • OPENAM-10129: OAuth2 Device flow - user code verification is case-insensitive

  • OPENAM-10103: output from re-indexing action during initial configuration is lost

  • OPENAM-10102: insufficient progress information during configuration

  • OPENAM-10013: HOTP session upgrade not possible in XUI if the wrong code is entered first time

  • OPENAM-9979: Authentication chain post authentication classes are not used if realm level PAP setting exists

  • OPENAM-9885: Oauth2 load: Tomcat keeps logging "WARNING: Addition of the standard header "Pragma" is discouraged as a future version of the Restlet API will directly support it"

  • OPENAM-9156: 'Not Found' error in UI when opening a custom auth module created with ssoadm with the name the same as type

  • OPENAM-8771: "Unknown Error: Please contact your administrator", shown with FacebookSocialAuthentication option "Prompt for password setting and activation code" (org-forgerock-auth-oauth-prompt-password-flag)

  • OPENAM-8270: Using client_credentials Grant type with openid scope returns User must be authenticated to issue ID tokens

  • OPENAM-8063: Merge Debug Files feature does not work correctly

  • OPENAM-7781: persistent cookie auth module does not allow to change cookie name by default

  • OPENAM-7437: Finish button of Identity Provider wizard doesn’t work

  • OPENAM-5864: Quota constraints exceeded in multi-instance with LB and CTS enabled

  • OPENAM-5153: Auth modules should call setAuthLevel after successful login

  • OPENAM-5152: AMAuthLevelManager miscalculates auth level

  • OPENAM-3679: IDP Finder fails to validate relaystate

  • OPENAM-1325: OpenAM fails to setup when deployed under the root uri ( '/' )

Copyright © 2010-2024 ForgeRock, all rights reserved.