Fixes in 7.0.x
This page lists the cumulative fixes in AM 7.0.x releases, since 5.5.0:
7.0.2
-
OPENAM-17689: LDAPv3PersistentSearch should log when psearch connection is lost
-
OPENAM-17688: InMemoryCtsSessionCacheStep#cacheTrusted field should be marked volatile
-
OPENAM-17683: Selfservice user registration auto login fails for a sub-realm
-
OPENAM-17673: Nodes within a Page node do not have access to secure state
-
OPENAM-17672: Page Node does not expose inner nodes inputs or outputs
-
OPENAM-17630: JMS Audit logging broken and cannot start up
-
OPENAM-17591: Session quota destroy next expiring action can fail when two new sessions attempt to read and update the same expiring session
-
OPENAM-17587: OIDC bearer token authentication module requires context value setting for client secret
-
OPENAM-17570: OIDC request parameter decryption fails to find any applicable keys
-
OPENAM-17555: AM 7.x versions of Amster use Java 8 format of debug port
-
OPENAM-17517: JS versions of Social Identity Provider Profile Transformation scripts do not work due to a casting error.
-
OPENAM-17515: Sub attribute in access token can be in wrong casing
-
OPENAM-17483: SecretsPlugin upgrade from 6.5.x failing
-
OPENAM-17477: Thread-safety issue in AMAuthenticationManager
-
OPENAM-17436: JS version of the OIDC Claims script does not work due to a casting error.
-
OPENAM-17405: Token introspection response not spec compliant
-
OPENAM-17397: ssoadm can fail for some cloud-based setups due to FileBasedConfiguration check
-
OPENAM-17365: Checking agent type with caller token can cause deadlock
-
OPENAM-17364: prompt login / session upgrade / OIDC ACR looping with trees
-
OPENAM-17361: API Explorer Swagger Template body needs modified to include configExport, debugLogs and threadDump as per the API Documentation
-
OPENAM-17357: Remote Consent Service RCS does follow RCS consented scope when authorization endpoint accessed without any scope
-
OPENAM-17349: OIDC Refresh token - Ops token is deleted from the CTS during refresh
-
OPENAM-17337: Access token passed in request body results in failure
-
OPENAM-17324: Client credentials grant in FBC config with group inheritance causes User not Valid Error
-
OPENAM-17322: SAML2 bearer grant returns NoUserExistsException
-
OPENAM-17321: Prometheus Endpoint returns http 500 error when used with file based config
-
OPENAM-17317: A realm without any modules can cause increased thread count and slow response.
-
OPENAM-17310: 'ssoadm list-datastore-types' sub-command broken
-
OPENAM-17277: AM Recording with thread dump only shows depth of 8
-
OPENAM-17276: AM recorder does not record anymore
-
OPENAM-17274: AM should not change the supported subject types for an existing install
-
OPENAM-17271: Typo for Realm in SAML/Federation debug
-
OPENAM-17265: Wrong authorized_keys file updated
-
OPENAM-17242: OAuth2 Policy - Environment Condition AuthLevel >= doesn’t work for ROPC grant
-
OPENAM-17220: OAuthLogout.jsp compilation error isGotoUrlValid method signature not found
-
OPENAM-17199: Insufficient debug logging for 'DJLDAPv3Repo.getAssignedServices'
-
OPENAM-17175: XUI OAuth2 consent page does not render when using themes
-
OPENAM-17157: Password reset via admin console with Proxied Authorization enabled is not possible
-
OPENAM-17156: Adaptive Risk checkGeoLocation null countryCode can cause module fail.
-
OPENAM-17121: Inefficient synchronized block in OAuth2ProviderSettingsFactory
-
OPENAM-17117: Service config XML dump consumes a lot of memory (whole config is read to memory)
-
OPENAM-17114: Save Consent check box always shown, even when not configured
-
OPENAM-17102: OAuth2 client bearer authentication has insufficient logs for troubleshooting failing client authentication
-
OPENAM-17097: Inconsistent scope policy evaluation between authorize and ROPC
-
OPENAM-17089: Forgot password flow not working after initial attempt to reset password fails
-
OPENAM-17081: OAuth2 client agent group settings are not taken into account
-
OPENAM-17079: Identities and Session : unexpected returned error when trying to request for unexisting identity
-
OPENAM-17070: SAML2 SP initiated SSO with AM as idp Proxy, RelayState is not returned from proxy after idp authentication
-
OPENAM-17066: Unable to add server to existing deployment through UI
-
OPENAM-17042: User Self Registration REST API does not generate SSO token
-
OPENAM-17019: Allowing wildcards in OAuth 2.0 clients prevents exact matching from working
-
OPENAM-17017: REST STS fails with unable get get sub-schema if cache is refreshed while updating REST config
-
OPENAM-16998: Poor logging around failures "Invalid Assertion Consumer Location specified"
-
OPENAM-16997: Device code grant implied consent fails if access_token request performed before user authenticates
-
OPENAM-16955: When setCookieToAllDomains=false is used, a non matching request from other domain will fail
-
OPENAM-16944: LDAP Decision node fails if inetuserstatus does not exist
-
OPENAM-16932: PageNode does not pick up outcomes if ScriptedDecisionNode is used inside
-
OPENAM-16910: Can not create SAML entity with entity id including a semicolon ';'
-
OPENAM-16904: OIDC bearer module fails with NPE when id_token does not contain kid
-
OPENAM-16883: AM ignores AuthnRequestsSigned property during SSO
-
OPENAM-16881: SAML federation library stopped supporting ACS URLs with query parameters
-
OPENAM-16876: Default ACR values on OIDC client profile is not honoured in order of preference
-
OPENAM-16849: WeChat Social Auth module broken (regression)
-
OPENAM-16801: SAML2 SP init SSO fails after upgrade to 7.0.0
-
OPENAM-16726: Insufficient debug logging for OAuth2 error 'invalid_client Server does not support this client’s subject type'
-
OPENAM-16651: Default configuration fails if the trust store type JVM property is not defined for the JVM
-
OPENAM-16638: AM with embedded DS setup fails when Java system keystore properties is set
-
OPENAM-16608: AM with embedded DS setup fails with permission denied for truststore
-
OPENAM-16581: SAML Authentication Module on hosted SP gets SAML No authentication context error
-
OPENAM-16556: Radius Server does not log IP address into AM Audit logs
-
OPENAM-16515: Social auth - insufficient debug logging for troubleshooting
-
OPENAM-16472: Proxied Authentication fallback may not work when user entry lack some attributes
-
OPENAM-16364: Macaroon access tokens don’t work with the new any-realm token introspection
-
OPENAM-16262: Javadocs for IdUtils needs updating
-
OPENAM-15963: Historical retention files ( csv ) were not deleted
-
OPENAM-15214: Auth Tree - Clicking save with no changes causes render problem with node attributes inside page node
-
OPENAM-14240: FMSigProvider.verify does not tell if certificates are provided
-
OPENAM-13783: REST STS: Cannot add or modify nameID format in SAML config, and default value stated in help is incorrect
-
OPENAM-13575: Unhelpful log message when OIDC public client wants to use HMAC id token signing
7.0.1
-
OPENAM-16935: Logout issue after logging into AM with 'Remember my username' selected with iOS 14.0.1
-
OPENAM-16934: sm.getSchemaManager has a typo including a comma
-
OPENAM-16907: Kerberos Node in 7.0 does not work
-
OPENAM-16877: Error when creating AM "Self-service Trees" service in native admin ui
-
OPENAM-16848: Choice Collector and WDSSO node combination does not work if whitelisting is enabled
-
OPENAM-16847: AM email service failing with 'Start TLS' option
-
OPENAM-16838: AuthenticationApproachChecker does not handle session upgrade modules
-
OPENAM-16823: IDM Nodes does not send or propagate transactionId tracking when contacting IDM
-
OPENAM-16802: Upgrade from OpenAM 7.0 to 7.1.0 SNAPSHOT causes NPE
-
OPENAM-16794: Google KMS options missing after upgrade from 6.5
-
OPENAM-16791: AMAccessAuditEventBuilder#forRequest can generate an entry with :-1 for the port
-
OPENAM-16769: Enabling Auto-federation when User Profile is Dynamic on SP causes SP to hang during SAML flow
-
OPENAM-16759: Amster on windows : AM does not restart properly after setup
-
OPENAM-16758: Cannot install AM 7 on Windows
-
OPENAM-16745: client_id in access token ignores what’s been registered when idm cache is disabled
-
OPENAM-16703: OAuth2 Access token obtained from refresh token is certificate-bound regardless of "Certificate-Bound Access Tokens" configuration (when client_secret_basic used for credentials)
-
OPENAM-16702: Saving engine configuration in FBC mode makes that config non-readable
-
OPENAM-16701: The authorize endpoint with a service parameter will cause the parameter to appear as a PAP claim in the agent’s ID token
-
OPENAM-16697: Case mismatch for realm (when using legacy realm identifier format) on well-known endpoint results in issuer with incorrect path format
-
OPENAM-16686: Cannot create a User after upgrade from 6.5.2 to 7.0.1
-
OPENAM-16684: OIDC Dynamic Registration client_description cannot take String type
-
OPENAM-16669: IdentityGateway Agent entry missing attribute required to support org.forgerock.openam.agent.TokenRestrictionResolver#getAgentInfo
-
OPENAM-16650: Authz Policy Subjects Policy.title is showing property name text
-
OPENAM-16641: OAuth2 provider supported grant types attribute missing localization property on XUI
-
OPENAM-16606: Missing "org.forgerock.openam.saml2.authenticatorlookup.skewAllowance" property in server defaults
-
OPENAM-16594: ssoadm help should be updated to reflect changes in AME-18650 / OPENAM-16155
-
OPENAM-16583: Crucial information is missing when encountering LDAP connections issue.
-
OPENAM-16555: (audit) logging does not tell which policy allowed or denied a resource request
-
OPENAM-16551: Scalar String in OAuth2 Access Token Modification Script result in Unable to Obtain Access Token
-
OPENAM-16545: Upgrade to AM 7.0.0 can cause problems with properties being overridden for some web agents
-
OPENAM-16485: 'Failed Login URL' is not picked up from the auth chain
-
OPENAM-16483: XUI - Typo in SAML SP "Default Relay State Url" label
-
OPENAM-16368: Settings of Mail and Scripting global service properties are overwritten at upgrade
-
OPENAM-16367: OIDC request_uri response causes NPE while debug logging
-
OPENAM-16354: Concurrency bug in OAuth2ProviderSettingsFactory
-
OPENAM-16338: Failing REQUISITE module after SUFFICIENT Device Match doesn’t fail chain properly
-
OPENAM-16157: Session Property Whitelist Service allows case variant Property Names but DS is not case sensitive
-
OPENAM-16152: After upgrade, new Identity page has duplicate 'new identity' field and email address does not save
-
OPENAM-16006: Device Code Grant does not work with Implied Consent as Authorization is not approved even after consented
-
OPENAM-15671: LoginContext is missing debug logging for troubleshooting
-
OPENAM-15663: UserInfoClaims is not part of public API
-
OPENAM-14682: Microsoft Social Auth fails when creating a Microsoft account (Legacy OAuth2)
-
OPENAM-14527: Microsoft Social Auth does not work with latest MS endpoints (Legacy OAuth2)
-
OPENAM-11706: Policies in a policy set are not visible in Internet Explorer IE
7.0.0
-
OPENAM-16433: Audit Logging change of behaviour when capturing "principals" and "userid" data for each authentication entry.
-
OPENAM-16425: AM does not handle malformed/incorrect signature correctly
-
OPENAM-16402: The passwordpolicy.allowDiagnosticMessage should be applicable to admin and selfservice password change.
-
OPENAM-16379: URL fragments like # cause forbidden login in the XUI
-
OPENAM-16284: XUI does not handle Special Chars / UTF-8 in realms properly.
-
OPENAM-16279: AgentsRepo cannot recover when it fails especially on external Application store.
-
OPENAM-16251: OIDC authentication request with parameters 'prompt=none' and 'acr_values=' triggers authentication
-
OPENAM-16240: REST STS under subrealm cannot generate id_token with realm claim
-
OPENAM-16233: Policy evaluation fails when subject not found (even in ignore profile)
-
OPENAM-16214: Push Authentication Module does not work on Session Upgrade when User Cache disabled
-
OPENAM-16184: Zero Page Login Collector does not work with UTF-8 base 64 encoded usernames and passwords
-
OPENAM-16165: social authmodule causes NullPointerException
-
OPENAM-16164: social authmodule fails if OIDC provider uses algorithm RS256 to sign Id Token
-
OPENAM-16136: queryFilter only matches against first entry in array
-
OPENAM-16132: When TtlSupport is enabled, Stateless OAuth2 Refresh token and JWT whitelist fails on synchroniseExpiryDates
-
OPENAM-16032: Unable to delete devices with Recovery Code Collector Decision Node
-
OPENAM-16031: Intermittent error message when concurrent obtain SSO Token ID with session quota constraints
-
OPENAM-16014: An invalid user passed to any WebAuthn node throws NPE and breaks the Tree flow
-
OPENAM-16013: Mismatched kid from Json Web Key URI when Specified Encryption Algorithm
-
OPENAM-16009: Windows Desktop SSO node full adoption and compliance with tree node specifications
-
OPENAM-15989: OAuth2 client_id should be url-decoded when using basic auth
-
OPENAM-15982: OIDC - JWT Request Parameter returns errors in query, not in the fragment when consent is denied
-
OPENAM-15970: Access Token introspect Fails in subrealm after root realm modified
-
OPENAM-15944: WS-Federation - RPSignin Request fails because config data is used unchecked
-
OPENAM-15905: Login failure with Post Authentication Plugin on timed out Authentication session throws NullPointerException
-
OPENAM-15900: Kerberos fails when used with IBM JDK
-
OPENAM-15896: WS-Federation relying party initiated passive request - stuck at Account Realm selection
-
OPENAM-15881: Custom AM User (amUser.xml) field does not use default values from the schema
-
OPENAM-15858: Auth Tree fails before 'Max Authentication Time' is reached if authentication session state management scheme CTS is used
-
OPENAM-15853: External UMA store fails on resource creation
-
OPENAM-15805: idtokeninfo endpoint gives invalid signature error when ID Token is expired
-
OPENAM-15785: OIDC spec violation - HTTP POST can not be used to send Authentication Request
-
OPENAM-15784: Form elements in policy environment condition tab are displayed twice
-
OPENAM-15766: LoginState - account lockout is checkout although AM AccountLockout is disabled
-
OPENAM-15758: KeyStore Secret Store fails to start due to secretId having some characters.
-
OPENAM-15750: ERROR: OAuth2Monitor: Unable to increment "oauth2.grant" metric for unknown grant type BACK_CHANNEL
-
OPENAM-15724: SAML2 entities do not set amlbcookie if there is only one server
-
OPENAM-15713: AM SP drop the 80 characters RelayState silently for HTTP Redirect
-
OPENAM-15698: IdP-initiated SSO fails with error 'Error processing AuthnRequest. IDP Session is NULL'
-
OPENAM-15697: Default ACR values from OAuth2 provider not taken into account
-
OPENAM-15694: RestSTSServiceHttpRouteProvider causes memory leak by adding route for every access
-
OPENAM-15679: The option "com.sun.am.ldap.connnection.idle.seconds" has a misspelling
-
OPENAM-15670: DeviceIdSave auth module initialization fails if username is null
-
OPENAM-15667: AM debug log does not tell which auth-module was handled - needed for troubleshooting
-
OPENAM-15645: The &refresh=true|false parameter for _action=validate is not working as expected
-
OPENAM-15632: OAuth2 Refresh token lifetime with -1 (never expires) cannot work with CTS TTL support
-
OPENAM-15628: Grant-Set Storage Scheme for CTS does not work with CIBA Flow
-
OPENAM-15627: Switching CTS Storage Scheme to "Grant-set" fails with stateless refresh-tokens created with "One-To-One"
-
OPENAM-15579: AM cookies are not set after successful SP-initiated SSO flow if SP Adapter calls 'response.sendRedirect(String)'
-
OPENAM-15559: OATH module broken in Japanese locale
-
OPENAM-15533: WS-Federation doesn’t work with Authentication Trees
-
OPENAM-15530: OAuth2/OIDC - Resource Owner Password flow with a public client creates an AM session in CTS
-
OPENAM-15520: XUI Localisation Falls Back To AM-Default "EN" Instead Of Language-Default
-
OPENAM-15508: moduleMessageEnabledInPasswordGrant does not apply to Trees
-
OPENAM-15507: 500 error when calling /revoke or /refresh endpoint with wrong token
-
OPENAM-15501: Xml encryption 1.1 namespaces aren’t always mapped to prefixes correctly
-
OPENAM-15494: AM expects nonce request parameter in authorize request when no id_token will be returned
-
OPENAM-15491: Self service password reset returns 500 Internal Server Error, when new password rejected by datastore password policies.
-
OPENAM-15489: WebAuthN Auth Node Doesn’t Respect UV=Discouraged During AuthN
-
OPENAM-15465: Sending HTTP Callback from Inner Tree Evaluator Fails Authentication
-
OPENAM-15459: When Encrypted Attributes on SP is set only with AutoFederation enabled, the attributes get decryption error
-
OPENAM-15425: OIDC endsession - encrypted id_tokens are not supported
-
OPENAM-15374: OpenID Client authentication with private_key_jwt and client_secret_jwt does not enforce required jti claims
-
OPENAM-15355: PageNode with multiple InputNodes without value throws Unsupported InputOnlyPasswordCallback
-
OPENAM-15349: Access Token request returns a 500 error
-
OPENAM-15345: at_hash value generated does not take the latest modified access token
-
OPENAM-15323: ROPC with tree throws "Internal Server Error (500)" when user credentials are incorrect using AuthTree
-
OPENAM-15307: Trees Example is not working as expected OOTB to ?service=Example
-
OPENAM-15303: Claims with multiple values in issued_token from REST STS represented inconsistently.
-
OPENAM-15244: AM configuration does not perform schema extension for identity store although it has the permissions
-
OPENAM-15210: Authentication nodes that is assigned AuthType values may not work in Session Upgrade case with custom modules
-
OPENAM-15164: CDSSO with "ignore profile" throws "No OpenID Connect provider"
-
OPENAM-15160: LDAP Decision Node throws NPE when custom ldap server returns LDAP code 50 on bind
-
OPENAM-15150: Upgrade fails when there is a bad Token Signing ECDSA public/private key pair alias field
-
OPENAM-15147: HTTP 500 upon accessing openam/json/
-
OPENAM-15145: OpenAM Scope Validator calls getUserInfo twice when creating IdToken
-
OPENAM-15121: Persistent Cookie Auth Tree does not work after the second relogin ( with browser closed )
-
OPENAM-15117: KeyVault KeyStoreType not supported
-
OPENAM-15116: Auth ID jwt can be modified to determine whether a realm exists or not
-
OPENAM-15105: Unable to get trusted devices using REST API
-
OPENAM-15101: Remove the ability to disable XUI
-
OPENAM-15089: SAML SLO - Allow RelayState to be a path-relative URL
-
OPENAM-15076: webAuthn config does not allow for multiple origins under the same rpId
-
OPENAM-15044: OpenID connect id_token bearer Module Unable to obtain SSO Token due to OpenIDResolver Caching
-
OPENAM-15036: Cannot view/manage SAML IdP entity in console, imported from schema compliant meta data file
-
OPENAM-15028: Cannot load metadata in ssoadm without extended metadata
-
OPENAM-15012: OIDC - JWT Request Parameter returns errors in query, not in the fragment
-
OPENAM-14995: IdP Initiated single logout only performs local logout if IdP session cannot be found in cache
-
OPENAM-14991: Changes to boot.json are overwritten
-
OPENAM-14979: NPE in UtilProxySAMLAuthenticatorLookup if there is a failure to find cached oldSession in sessionUpgrade
-
OPENAM-14977: PKCE Code challenge method for Authorization Code if not set should use plain
-
OPENAM-14966: Performing access_token with arbitrary text as trusted cert header causes server error
-
OPENAM-14919: Unnecessary 'Unable to parse packet received from RADIUS client' log entries in log file
-
OPENAM-14901: XUI - SAML2 module doesn’t redirect to IDP if it’s 2nd in the chain
-
OPENAM-14895: user identity creation fails with "Identity \*" of type user not found.
-
OPENAM-14893: XUI displays multiple error messages when an authentication session times out
-
OPENAM-14889: Upgrade of Persistent Cookie auth module fails
-
OPENAM-14883: OAuth2/OIDC - Issuing client secret to Public clients during registration
-
OPENAM-14881: AM Proxied authorization feature on DataStore does not work with locked or expired DJ accounts for password change (gives errorcode=123)
-
OPENAM-14867: AuthType is not set for Authentication Tree (AnyKnownUserAuthzModule fails in AuthTree)
-
OPENAM-14859: ROPC throws "Internal Server Error (500)" when 'Password Grant authentication service' is empty
-
OPENAM-14858: When NameIDPolicy does not contain Format=.., remoteEntityID is passed as null
-
OPENAM-14848: Insufficient debug logging in OpenID Connect authentication module
-
OPENAM-14845: user info endpoint does not correctly handle Certificate Bound Access Tokens
-
OPENAM-14829: AuthSchemeCondition doesn’t return realm aware policy condition advice
-
OPENAM-14825: OAuth2 Dynamic Registration with Software Statement triggers objectClass=* search
-
OPENAM-14804: Memory leak when running UMA RPT soak test
-
OPENAM-14799: Unable to update Agent profile using REST
-
OPENAM-14794: User privileges are removed from group if another group is given same privilege
-
OPENAM-14786: idpSingleLogoutPOST throws error 500 IllegalStateException on SLO
-
OPENAM-14783: PKCS11 KeyStore does not work on IBM JVM
-
OPENAM-14782: AuthTree created Session does not use per User Session Service settings
-
OPENAM-14766: introspect and tokeninfo endpoints return Internal Server Error 500 in some invalid tokens
-
OPENAM-14717: mailto attribute have space between ':' and mail address
-
OPENAM-14694: Consent page still shows claim values even when supported claim description is omitted
-
OPENAM-14651: OAuth2 GrantSet E-Tag Assertion Failures due to Stale Reads
-
OPENAM-14581: handling ManageNameID fails if NameID does not include SPNameQualifier
-
OPENAM-14578: WDSSO failing but no fallback…
-
OPENAM-14573: amlbcookie is not secure when authenticating with trees
-
OPENAM-14572: prompt=login destroys and creates new session
-
OPENAM-14570: OAuth mTLS DN comparison fails when DER-encoding is different
-
OPENAM-14548: consent page still shows what’s been granted/removed as a result of OAuth2 scope policy evaluation
-
OPENAM-14546: SSOADM access not audited to the ssoadm.access logs anymore
-
OPENAM-14539: SAML SLO with multi protocols
-
OPENAM-14529: UMA RPT expiry time incorrect in CTS
-
OPENAM-14523: NullPointerException in IdP-initiated ManageNameIDRequest using SOAP Binding
-
OPENAM-14503: SAML2 - Key Transport Algorithm - RSA OAEP must be supported
-
OPENAM-14483: If there is no token, then landing on the AM login page will result in 2 getSessionInfo Requests = 401 UnAuthZ
-
OPENAM-14480: AuthLoginException is lost
-
OPENAM-14471: Failed to create root realm for data store (External Policy | Application)
-
OPENAM-14465: SAML2 Artifact binding fails on multi-instance / multiserver IDP setup with SAML2 Failover on
-
OPENAM-14464: XUI sends the following message "Loading custom partial "${partialPath}" failed. Falling back to default." to the browser console when a custom theme is used
-
OPENAM-14450: userinfo typo in Claims.java
-
OPENAM-14426: Unable to add external data store in AM (Policy | Application) when using TLS/SSL
-
OPENAM-14419: Policy evaluation returns search results for all policies that match outside of specified application
-
OPENAM-14393: CTS Operation Fails Entry Already Exists logged for SAML2 Authentication is done
-
OPENAM-14391: Self Service Link not Display when Using Authentication Tree
-
OPENAM-14378: 'Set Persistent Cookie' node sets domain cookies in only one domain despite multiple Cookie Domains set
-
OPENAM-14369: Upgrading from OpenAM 13.5.0 with custom PAPs causes NPE failure
-
OPENAM-14362: UMA load test fails with Invalid resource type error
-
OPENAM-14353: Error Message not Displayed when Change Password does not Meet Password Policy
-
OPENAM-14337: Fail gracefully when request OIDC token using "Pairwise" Subject Type and no Redirection URI is configured in client
-
OPENAM-14313: Audit Logging - STS transformations create duplicate entries
-
OPENAM-14310: CheckSession page indicates the session is not valid
-
OPENAM-14294: am-external Git repository 6.5 have bad source
-
OPENAM-14281: IdP Proxy relays wrong AuthnContextClassRef
-
OPENAM-14239: FMSigProvider.verify NPE with null input for certificates
-
OPENAM-14233: updated_at claim in the ID Token is returned as a string and not a number
-
OPENAM-14232: Performance issue when creating resource_set in UMA with many existing resource_set
-
OPENAM-14229: custom AuthorizeTemplate under theme not used
-
OPENAM-14213: Cannot view SAML SP entity imported with missing AuthnRequestsSigned attribute
-
OPENAM-14212: SAML redirect to login page fails if AM installed into the root context
-
OPENAM-14200: Social auth modules do not work when AM is installed into the root context
-
OPENAM-14189: effectiveRange of Time environment has issue
-
OPENAM-14175: CTS updates on multivalue attributes may throws Duplicate values exception
-
OPENAM-14174: AM shows Ldapter.delete exception when session expires is triggered
-
OPENAM-14167: HTML tags are shown part of the messages in Change Password section of AD Authentication module.
-
OPENAM-14147: arg=newsession in XUI just shows the "Loading…" page
-
OPENAM-14115: Sample Auth module does not work in a chain when used with Shared-state
-
OPENAM-14112: Using client-based sessions when acting as SP can lead to an out-of-date client-based session cookie
-
OPENAM-14111: Refresh Token flow not enabled on OAuth2 Client can still use Refresh Token flow
-
OPENAM-14062: Redirect to Failure URL does not occur when authentication tree is not interactive
-
OPENAM-14054: XUI Custom templates and Partials not applied consistently
-
OPENAM-14053: Cannot build AM UI in Windows for Yarn using mvn
-
OPENAM-14040: LdifUtils debug logging prints out wrong classname
-
OPENAM-14018: Radius Authentication Module Primary and Secondary Radius Server help button shows server:port when it should be server
-
OPENAM-13999: Custom node containing ConfirmationCallbacks fails when dropped in a page node.
-
OPENAM-13991: 'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm
-
OPENAM-13978: Session Upgrade - AuthLevel format changes
-
OPENAM-13942: SAML2 Circle of Trust - REST Update doesn’t update the metadata of the provider
-
OPENAM-13934: saml2error.jsp fails with exception when malformed SAML2 response given
-
OPENAM-13900: OAuth2 Device flow - duplicate user_code error after authenticating user
-
OPENAM-13892: Erroneous "Response’s InResponseTo attribute is not valid error "SAML2 failover is enabled" when it is not
-
OPENAM-13890: Install.log logs AMLDAPUSERPASSWD for unprivileged demo user in plaintext
-
OPENAM-13851: Rest STS cannot be created in the Console when upgrading to 6
-
OPENAM-13831: RP-Initiated Logout does not handle state parameter
-
OPENAM-13779: Session API - _action=refresh requires an admin token
-
OPENAM-13764: Monitoring logs in ERROR for "Agent.configAgentsOnly:agent type = OAuth2Client"
-
OPENAM-13720: Public API method LDAPUtils.convertToLDAPURLs can not handle IPv6 literals
-
OPENAM-13490: Software Publisher Agent - Secret is not saved when creating an Agent
-
OPENAM-13465: Dynamic client registration sets wrong subjectType
-
OPENAM-13446: Social Auth Service doesn’t redirect if already using another chain
-
OPENAM-13419: LDAPPolicyFilterCondition doesn’t set request timeout
-
OPENAM-13324: /users/{user}/devices/trusted REST queryFilter expression does not work and acts as "true"
-
OPENAM-13064: OAuth2 - SAML v.2.0 Bearer Assertion Grant - SubjectConfirmationData element should be optional
-
OPENAM-13000: Custom authentication module with a single ChoiceCallback value is processed without confirmation
-
OPENAM-12955: Resource Owner Password Credentials Grant does not work with trees
-
OPENAM-12759: max_age should be a number, not a string
-
OPENAM-12574: SAML2Utils.sendRequestToOrigServer throws NullPointerException on processing Cookies
-
OPENAM-12498: Authorization Grant response returns scope(s) in the URL
-
OPENAM-12228: WebAgent REST API queryFilter expression does not work and acts all "true"
-
OPENAM-12186: Introspect endpoint for RPT does not check the authorization scheme
-
OPENAM-11921: Incorrect NameId Format offered for SAML2 auth module in console
-
OPENAM-11863: CORSFilter position in web.xml should come before most filters
-
OPENAM-11778: Getting accessToken using authorization_code result in Unhandled exception
-
OPENAM-11338: OpenID Connect id_token bearer auth module mixes up aud, azp during verification
-
OPENAM-10869: SAML2 Authentication module return "Unable to link local user to remote user" ambiguous.
-
OPENAM-10843: When generating an OIDC token through STS a "kid" value is not specified
-
OPENAM-10127: SessionMonitoringStore should only be instantiated when monitoring is enabled
-
OPENAM-9931: Global Session Service - two fields with the exact same name (Redundant 'Global Attributes' setting should be removed)
-
OPENAM-9777: Json Web Key URI in OAuth2 OpenID connect client config pre-populated incorrectly
-
OPENAM-9459: 500 Internal Server Error from changePassword endpoint with AD repo
-
OPENAM-5867: Data Store LDAP server (admin-ordered) list is reordered by OpenAM
6.5.0
6.5.0.2
-
OPENAM-14572: prompt=login destroys and creates new session
-
OPENAM-14516: Attempt to resolve a named secret containing : character on Windows fail if the filesystem secret store is involved
-
OPENAM-14505: Agent sessions are constrained by Session Quota
-
OPENAM-14427: Certificate Module with option "Match Certificate in LDAP" does not work in AM 6.5.0
-
OPENAM-14425: JwkSetSecretStore does not reload the SecretStore when it has expired
-
OPENAM-14393: CTS Operation Fails Entry Already Exists logged for SAML2 Authentication is done
-
OPENAM-14386: JWK keyuse can be customised
-
OPENAM-14378: 'Set Persistent Cookie' node sets domain cookies in only one domain despite multiple Cookie Domains set
-
OPENAM-14353: Error Message not Displayed when Change Password does not Meet Password Policy
-
OPENAM-14336: Unable to use Signed Metadata to Re-Import
-
OPENAM-14308: LDAP Connection Pool Minimum Size for Identity Store missing from XUI
-
OPENAM-14307: ConcurrentModificationException when creating resource_set
-
OPENAM-14281: IdP Proxy relays wrong AuthnContextClassRef
-
OPENAM-14222: Amster fails exporting Secret Store Mappings in sub-realms
-
OPENAM-14212: SAML redirect to login page fails if AM installed into the root context
-
OPENAM-14200: Social auth modules do not work when AM is installed into the root context
-
OPENAM-14189: effectiveRange of Time environment has issue
-
OPENAM-14147: arg=newsession in XUI just shows the "Loading…" page
-
OPENAM-14111: Refresh Token flow not enabled on OAuth2 Client can still use Refresh Token flow
-
OPENAM-14082: Authentication Chains will not open using IE11
-
OPENAM-14050: LDAP should reestablish connection to the original server after it has recovered
-
OPENAM-14009: Authtree does not proceed for missing Authorization Header
-
OPENAM-13896: Comparison method violates its general contract! seen during amster import
-
OPENAM-11523: Using the LDAP/AD auth module, the change password on next login, if current password is empty it displays the wrong error messag
-
OPENAM-10127: SessionMonitoringStore should only be instantiated when monitoring is enabled
6.5.0.1
-
OPENAM-14165: ThemeConfiguration is Not Exposed in Final UI Production Build
-
OPENAM-14092: Custom node can prevent all default nodes appearing in admin view
-
OPENAM-14080: LDAP Decision Node returns incorrect user attribute to search for in user store
-
OPENAM-14058: Cannot create Elasticsearch audit handler configuration through admin console UI
-
OPENAM-14053: Cannot build AM UI in Windows for Yarn using mvn
-
OPENAM-14049: Amster export failure
-
OPENAM-13991: 'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm
-
OPENAM-13940: Session quota limits not applied when using trees
-
OPENAM-13900: OAuth2 Device flow - duplicate user_code error after authenticating user
-
OPENAM-13720: Public API method LDAPUtils.convertToLDAPURLs can not handle IPv6 literals
-
OPENAM-13446: Social Auth Service doesn’t redirect if already using another chain
-
OPENAM-12965: httpClient not exposed to OIDC Claim Script
-
OPENAM-12498: Authorization Grant response returns scope(s) in the URL
6.5.0.0
-
OPENAM-13842: OAuth 2.0 Device flow - can no longer use user_code more than once.
-
OPENAM-13786: REST policy evaluation throws 500 Internal Error due to stateless ssotoken encryption alg conflict.
-
OPENAM-13774: SOAP STS for Delegation RelationShip Supported is always false on XUI.
-
OPENAM-13732: Session Remaining Time is displayed with more precision and not rounded up.
-
OPENAM-13712: Unknown Signing Algorithm when Client Based Session set Signing to NONE.
-
OPENAM-13670: Selfservice password reset token doesn’t work in site due to OPENAM-6426.
-
OPENAM-13604: IdP Proxy relays wrong AuthnContextClassRef if the AuthLevel requested by the SP is not 0.
-
OPENAM-13577: The xmlsec 2.1.1.jar had issues when linebreaks were enabled.
-
OPENAM-13573: Concurrent changePassword requests to LDAPAuthUtils may cause "insufficient access rights" failures.
-
OPENAM-13531: LDAP Decision node removed username from shared state when it is not found.
-
OPENAM-13530: Datastore Decision node removed username from shared state when it is not found.
-
OPENAM-13511: DN Cache should be cleared after idRepo config change.
-
OPENAM-13496: Unable to view Services when some services have invalid attribute.
-
OPENAM-13481: Stateless OAuth 2.0 Client_credential grant/implicit type has long CTS token timeout.
-
OPENAM-13457: AM XUI favicon icon not being recognised.
-
OPENAM-13456: AM XUI custom FooterTemplate.html and LoginHeaderTemplate.html was not being applied.
-
OPENAM-13414: Upgrade fails if OAuth2 Provider service lacks tokenSigningHmacSharedSecret.
-
OPENAM-13407: AMIdentitySubject.isMember should not check privilege for group in different realm.
-
OPENAM-13359: P11RSAPrivateKey failed RSA key check.
-
OPENAM-13318: Blank passwords using PageNode Auth Tree prevents log in.
-
OPENAM-13316: LDAP Decision Node does not return Inactive Account result correctly in eDirectory.
-
OPENAM-13308: LdapDecisionNode fails when Return UserDN to Datastore is set to false.
-
OPENAM-13302: AM Self-registration kba threw an error when a user inputs an answer and pressed the enter key.
-
OPENAM-13291: Create Identities Page appears broken after upgrade from 5.5 (to 6.0 or 6.5).
-
OPENAM-13255: DefaultIDPAccountMapper does not append domain value for UPN.
-
OPENAM-13249: AM did not recognize custom templates and partials.
-
OPENAM-13183: Concurrent changePassword requests to the "users" REST endpoint caused "insufficient access rights" failures.
-
OPENAM-13162: Policy evaluation returned 403 with expired stateless app token.
-
OPENAM-13154: Lockout Duration Multiplier had no effect.
-
OPENAM-13151: OAuth 2.0 Dynamic Registration did not accept Private-Use URI (for native apps) as redirect_uri.
-
OPENAM-13128: Invalid error message was returned when user with expired password authenticated with persistent cookie module.
-
OPENAM-13112: The showServerConfig.jsp page threw NullPointerException NPE when accessed using Site or LB URL.
-
OPENAM-13100: LDAP Decision node fails with NPE when used with Active Directory.
-
OPENAM-13087: ClassNotFound Exception thrown after upgrade.
-
OPENAM-13085: WSFederation Active Request Profile authentication request hangs on input-less scripted modules.
-
OPENAM-13082: Address claim in default OIDC claims script output non-spec compliant format.
-
OPENAM-13080: Resource owners sharing resources to themselves caused an error message.
-
OPENAM-13079: Importing SAML2 MetaData for RoleDescriptor for AttributeQueryDescriptor failed.
-
OPENAM-13075: Incorrect message displayed when resource is being shared.
-
OPENAM-13072: Case-sensitive usernames resulted in listing UMA resource incorrectly.
-
OPENAM-13053: ScriptingService did not add the new values to whitelist during upgrade.
-
OPENAM-12997: Consent for default scopes were not saved.
-
OPENAM-12985: Debug log files were swamped with message 'LDAPUtils.isDN: Invalid DN' in 'error' level.
-
OPENAM-12984: Access Token Endpoint issued search request against datastore for OAuth Client.
-
OPENAM-12867: IdP-Proxy - Single Logout failed as LogoutResponse was not signed.
-
OPENAM-12866: Subsequent idpSSOInit calls after the first will fail if custom IDPAdapter forces auth step up.
-
OPENAM-12856: User authentication configuration not migrated to XUI.
-
OPENAM-12847: Public API broken - SSOTokenManager.getValidSessions(SSOToken requester, String server).
-
OPENAM-12801: OAuth 2.0 token signing forced PKCS#11 keys to have specific attributes.
-
OPENAM-12784: ProviderConfiguration was not spec compliant.
-
OPENAM-12770: Some SAML assertions were not deserialized from a SAML2 Token.
-
OPENAM-12690: XUI theme configuration realm mapping was case sensitive.
-
OPENAM-12625: JWT OIDC Token could not be valid for over 86400 seconds.
-
OPENAM-12514: IdP initiated SSO - NumberFormatException was raised in session upgrade case.
-
OPENAM-12506: Upgrade could fail with RemoveReferralsStep having too broad base DN.
-
OPENAM-12419: Policy rules not updated when external configuration store connection restarted.
-
OPENAM-12403: LDAP response controls are not logged which complicates troubleshooting.
-
OPENAM-12401: DJLDAPv3Repo - insufficient debug logging to troubleshoot membership issues.
-
OPENAM-12301: Account lockout logs ERROR: ISAccountLockout.getAcInfo: acInfo: null.
-
OPENAM-12293: Audit logging no longer logs REST operation details.
-
OPENAM-12209: The 'acr' and 'acr_sig' parameters can become duplicated during step-up authn, should not be present in url.
-
OPENAM-12174: XUI - Deleting a built-in authentication module will delete any other created by it.
-
OPENAM-12096: API explorer example for PUT on /global-config/services/scripting/contexts/{contexts}/engineConfiguration fails.
-
OPENAM-11962: Calling Logout and passing a goto URL parameter with an expired session, goto URL is ignored.
-
OPENAM-11665: Unable to login in XUI with users endpoint getting 404 due to KBA attribute issues.
-
OPENAM-11642: CustomProperties do not work when creating J2EE/Web Agents via REST.
-
OPENAM-11473: NumberFormatException on startup for External configuration setup.
-
OPENAM-11407: An extra space in the CTS store connection string " openam.internal.example.com:50389" caused OpenDJ-SDK log to grow.
-
OPENAM-11355: Missing Service tab when trying to configure dashboard with Active Directory datastore.
-
OPENAM-11225: During single logout idpSingleLogoutRedirect threw 500 error.
-
OPENAM-11177: Scripted auth module can not be used in auth chain if the username in shared state map does not 'match' the search attribute of the data store.
-
OPENAM-11167: <ActualLockoutDuration> is not updated in the attribute sunStoreInvalidAttemptsData.
-
OPENAM-11048: account lockout did not work when naming attribute and LDAP Users Search Attribute are different.
-
OPENAM-10467: RFC7662: oauth2/introspect returned token_type not as Bearer.
-
OPENAM-10296: Session UI only allows searching for users in datastore.
-
OPENAM-9783: The json/users changePassword option returned the wrong error message with multiple datastores configured.
-
OPENAM-8296: OAuth 2.0 consent screen does not use XUI theme configuration.
-
OPENAM-4040: SSO failed between SPs in separate CoTs with same hosted IDP.
6.0.0
6.0.0.7
-
OPENAM-14581: handling ManageNameID fails if NameID does not include SPNameQualifier
-
OPENAM-14573: amlbcookie is not secure when authenticating with trees
-
OPENAM-14548: consent page still shows what’s been granted/removed as a result of OAuth2 scope policy evaluation
-
OPENAM-14505: Agent sessions are constrained by Session Quota
-
OPENAM-14427: Certificate Module with option "Match Certificate in LDAP" does not work
-
OPENAM-14393: CTS Operation Fails Entry Already Exists logged for SAML2 Authentication is done
-
OPENAM-14369: Upgrading from OpenAM 13.5.0 to AM 6.0.0.x with custom PAPs causes NPE failure
-
OPENAM-14353: Error Message not Displayed when Change Password does not Meet Password Policy
-
OPENAM-14308: LDAP Connection Pool Minimum Size for Identity Store missing from XUI
-
OPENAM-14307: ConcurrentModificationException when creating resource_set
-
OPENAM-14281: IdP Proxy relays wrong AuthnContextClassRef
-
OPENAM-14189: effectiveRange of Time environment has issue
-
OPENAM-14174: AM shows Ldapter.delete exception when session expires is triggered
-
OPENAM-14147: arg=newsession in XUI shows just the "Loading…" page
-
OPENAM-14080: LDAP Decision Node returns incorrect user attribute to search for in user store
-
OPENAM-14053: Cannot build AM UI in Windows for Yarn using mvn
-
OPENAM-14050: LDAP should reestablish connection to the original server after it has recovered
-
OPENAM-13991: 'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm
-
OPENAM-13896: Comparison method violates its general contract! seen during amster import
-
OPENAM-13892: Erroneous "Response’s InResponseTo attribute is not valid error "SAML2 failover is enabled" when it is not
-
OPENAM-13851: Rest STS cannot be created in the Console when upgrading to 6
-
OPENAM-13302: AM Self-registration kba throws an error when a user inputs an answer and presses the enter key.
-
OPENAM-13268: Initial authz eval request for a given realm takes a long time when there are many policies
-
OPENAM-13247: Token info endpoint throwing 401
-
OPENAM-13187: OAuth2 DeviceCode flow does not work with stateless encryption enabled
-
OPENAM-12965: httpClient not exposed to OIDC Claim Script
-
OPENAM-11523: Using the LDAP/AD auth module, the change password on next login, if current password is empty it displays the wrong error message
-
OPENAM-11048: OpenAM account lockout does not work when naming attribute and LDAP Users Search Attribute are different
-
OPENAM-10127: SessionMonitoringStore should only be instantiated when monitoring is enabled
6.0.0.6
-
OPENAM-13814: User Self Service reCAPTCHA Feature Broken
-
OPENAM-13762: Improve caching of ServiceConfigImpl instances
-
OPENAM-13604: IdP Proxy relays wrong AuthnContextClassRef if the AuthLevel requested by the SP is not 0
-
OPENAM-13291: Create Identities Page appears broken after upgrade from 5.5 (to 6.0 or 6.5)
-
OPENAM-12789: Data store with identities that do not match user search attr cause server error
-
OPENAM-11665: Improve debug logging when unable to login in XUI with users endpoint getting 404 due to KBA attribute issues
-
OPENAM-11177: Scripted auth module can not be used in auth chain if the username in sharedstate map does not 'match' the search attribute of the data store
6.0.0.5
-
OPENAM-13670: Selfservice password reset token doesn’t work in site due to OPENAM-6426
-
OPENAM-13649: SuccessUrl redirects not working in Safari
-
OPENAM-13581: "Try Resetting Your Password Again" Link fails if the Single use Token is expired/used
-
OPENAM-13578: KBA are not updatable after upgrade
-
OPENAM-13577: xmlsec 2.1.1.jar used in AM6 have issues when linebreaks enabled
-
OPENAM-13573: Concurrent changePassword requests to LDAPAuthUtils may cause "insufficient access rights" failures
-
OPENAM-13563: Help link on the "Services" XUI page points to out of date documentation
-
OPENAM-13506: OAuth2 Provider Service REST defaultACR input data not validated.
-
OPENAM-13499: Incorrect transaction ID used in access events for CREST endpoints
-
OPENAM-13457: AM 6 XUI favicon icon not being recognised
-
OPENAM-13438: Setting org.forgerock.openam.ldap.heartbeat.timeout=-1 makes AM unusable
-
OPENAM-13414: Upgrade to AM6 fails if OAuth2 Provider service lacks tokenSigningHmacSharedSecret
-
OPENAM-13359: P11RSAPrivateKey fails RSA key check.
-
OPENAM-13350: Upgrade from 12.0.x to 6.0.0.2 fails with embedded user store
-
OPENAM-13315: OIDC no longer supports prompt=consent parameter
-
OPENAM-13310: Allow id tokens to be issued when no datastore configured
-
OPENAM-13301: When creating Java/Web agent groups, some properties are not tag-swapped
-
OPENAM-13183: Concurrent changePassword requests to the "users" REST endpoint causes "insufficient access rights" failures
-
OPENAM-11225: idpSingleLogoutRedirect throws 500 error SLO
-
OPENAM-8296: OAuth consent screen does not use XUI theme configuration
6.0.0.4
-
OPENAM-13456: AM 6 XUI custom FooterTemplate.html and LoginHeaderTemplate.html not being applied
-
OPENAM-13426: EncryptSAMLIDPSPBasicAuthPwdStep fails in upgrade
-
OPENAM-13347: Inner Tree Node "tree" choice field not populated after upgrade
-
OPENAM-13330: Improve SessionResource Authz Module processing
-
OPENAM-13316: LDAP Decision Node does not return Inactive Account result correctly in eDirectory
-
OPENAM-13308: LdapDecisionNode fails when Return UserDN to Datastore is set to false
-
OPENAM-13245: Omitting Node.Metadata annotation kills the loading of all plugins in AM
-
OPENAM-13236: Amster tries to load custom service subconfiguration before loading realm level configurations
-
OPENAM-13128: invalid error message returned when user with expired password authenticates with persistent cookie module
-
OPENAM-13085: WSFederation Active Request Profile authentication request hangs on input-less scripted modules
-
OPENAM-13031: Failed search for non-existent user in datastore when fetching session properties and user profile is set to ignore
-
OPENAM-12984: Access Token Endpoint issues search request against datastore for OAuth Client
-
OPENAM-12173: NumberFormatException for AuthLevel in OAuth2 logs
-
OPENAM-11642: CustomProperties do not work when creating J2EE/Web Agents via REST
-
OPENAM-11407: extra space in the CTS's connection string " openam.internal.example.com:50389" causes OpenDJ-SDK log to grow
-
OPENAM-10532: SOAPExceptionImpl: Invalid Content-Type:text/html. Is this an error message instead of a SOAP response?
6.0.0.3
-
OPENAM-13298: OIDC requests with claims request parameter fail
-
OPENAM-13249: AM 6 doesn’t recognize custom templates and partials
-
OPENAM-13157: Custom Authentication Nodes not being exported correctly
-
OPENAM-13144: DeviceID Profiles are not saved
-
OPENAM-13138: 500 internal server error if user does not have a session when providing user code in OAuth2 device flow
-
OPENAM-13102: Device Match - Server side script fails when error level logging is enabled.
-
OPENAM-13090: Social Authentication Implementations UI does not accept an auth tree
-
OPENAM-13078: ScriptedDecisionNode exposes headers in a case sensitive map
-
OPENAM-13053: ScriptingService doesn’t add the new values to whitelist during upgrade
-
OPENAM-12338: policies?_action=evaluate checks all policy sets
-
OPENAM-12209: 'acr' and 'acr_sig' parameters can become duplicated during step-up authn, should not be present in url
-
OPENAM-11962: Calling Logout and passing a goto URL parameter with an expired session, goto URL is ignored
-
OPENAM-11240: "Skip This Step" button on the ForgeRock Authenticator (OATH) screen is missing (HOTP)
-
OPENAM-10296: Session UI only allows searching for users in datastore
6.0.0.2
-
OPENAM-13100: LDAP Decision node fails with NPE when used with Active Directory
-
OPENAM-13083: Profile KBA: custom questions are not displayed
-
OPENAM-13082: address claim in default OIDC claims script outputs non-spec compliant format
-
OPENAM-12912: Upgrade 5.5.x -> 6.x fails if Amster has been used at some point to export/import
-
OPENAM-12867: IdP-Proxy - Single Logout fails as LogoutResponse is not signed
-
OPENAM-12784: ProviderConfiguration is not spec compliant
-
OPENAM-12419: Policy rules not updated when external configuration store connection restarted
6.0.0.1
-
OPENAM-13103: AM Overview Sample Monitoring Dashboard policy throughput metrics not grouped by AM instance
-
OPENAM-13099: AM Overview Sample Monitoring Dashboard session metrics also count changes to authentication sessions
-
OPENAM-13084: Entity Import ordering in amster
-
OPENAM-13074: Fix UI sections for authentication modules
-
OPENAM-13068: Sample Facebook-ProvisionIDMAccount auth tree has wrong "connections"
-
OPENAM-13008: Occasional shutdown error for AM
-
OPENAM-13006: Missing upgrade steps for OAuth2 ID Token Signing and Encryption Algorithms
-
OPENAM-12938: ODSEE fails to load identities
-
OPENAM-4040: SSO failure between SPs in separate CoTs with same hosted IDP
6.0.0.0
-
OPENAM-12703: UnsupportedOperationException seen on SAML related session logout
-
OPENAM-12626: OIDC endSession endpoint does not call post authentication plugin onLogout functions
-
OPENAM-12553: IdP Logout is ignored when using SAML2 Auth module and trying to use a goto
-
OPENAM-12477: id_token requested using grant_type=authorization_code returns auth_time in milliseconds
-
OPENAM-12418: Unable to access Forgerock OATH for users with Profile when caching disable
-
OPENAM-12415: Self-Service KBA questions of TopLevel Realm(or Global Service) override SubRealm’s
-
OPENAM-12413: Enabled "Return User DN to DataStore" of LDAP auth-module is resulting in one redundant search for "uid=uid=demo" in the configuration store
-
OPENAM-12412: Multi-valued LDAP attributes are not added to the OIDC id_token as expected
-
OPENAM-12380: Client ip audit logging is not storing as IP but a list of IPs
-
OPENAM-12377: WS-Fed extended metadata with unknown COT value should generate an error
-
OPENAM-12370: JWT verification fails when token idle time is too long
-
OPENAM-12357: ssoadmin tools distro include release candidate libraries
-
OPENAM-12333: AMIdentitySubject policy evaluation not cached when a lot of groups and datastore is used with delegated admin
-
OPENAM-12252: Delegated admin with Stateless Session, causes Admin Console failure.
-
OPENAM-12245: "Authentication by Module Instance" policy env condition doesn’t work in session upgrade case
-
OPENAM-12244: Monitoring services unable to connect to Port
-
OPENAM-12234: Values for objects of type com.sun.xml.bind.util.ListImpl are not printed in debug logs
-
OPENAM-12226: Device Match - server side script fails
-
OPENAM-12219: Resource leak in MonitoringAdapters#getMonAuthList
-
OPENAM-12194: SLO with the SAML2 Auth Module PAP redirects to 'XUI/nullnull' when IDP has no SingleLogoutService defined
-
OPENAM-12166: Resource #3.0 logoutByHandle request fail with status 500 error
-
OPENAM-12161: Expires attribute in WS-Fed Active Requestor Profile is expected but is optional
-
OPENAM-12144: getSessionInfo endpoint _fields parameter doesn’t work
-
OPENAM-12135: OIDC token generated with datastore module takes case from request rather than from the datastore
-
OPENAM-12109: Syslog Audit Event Handler buffer size should be configurable
-
OPENAM-12082: Outlook with WS-Fed uses cached credential after AD password change.
-
OPENAM-12075: OIDC without a datastore returns "User must be authenticated to issue ID tokens"
-
OPENAM-12062: XUI DashBoard does not show trusted devices etc if user search attribute of the data store is not 'uid'
-
OPENAM-12054: Cumulative upgrades of OpenAM (e.g. 5.1.0 to 5.5.0 to 5.5.1) fail with "Writing Backup; Failed!" error
-
OPENAM-12026: Self-service user registration gets "Bad Request" on LDAP error 19
-
OPENAM-12022: Self-service registration for existing user displays "Detected conflict in request"
-
OPENAM-12011: Session is not refreshed reliably when using oauth2/authorize endpoint
-
OPENAM-11994: NullPointerException in ResourceOwnerOrSuperUserAuthzModule.getUserIdFromUri
-
OPENAM-11988: HTTP 500 when validating SSO tokens if API version is omitted in AM 5.5
-
OPENAM-11980: Social OIDC wizards do not work when provisioning accounts locally
-
OPENAM-11976: XUI Session query session by username does not work with
-
OPENAM-11968: SAML2 Auth Module does not accept SAML2 AuthResponse with no SessionIndex
-
OPENAM-11966: saml2 SSO 'better' auth’n comparison fails with 'Invalid status code in response'
-
OPENAM-11961: KBA update fails if Self-service is configured in sub-realm and root realm has no datastore
-
OPENAM-11956: SAML2 RelayState values are seen as invalid if they are not a URL which appears to go against the spec
-
OPENAM-11944: REST OAuth2 creation triggers objectClass=* search
-
OPENAM-11937: Federation UI does not allow empty NameIDMappingService
-
OPENAM-11925: CORSFilter causing failures after moving to 5.x from 13.5.x
-
OPENAM-11909: Demo user creation is based on whether a userCfg is specified, rather than when it’s set to embedded
-
OPENAM-11829: SSOToken idletime reset even when it shouldn’t be
-
OPENAM-11818: Oauth2 authn module incorrectly POST state parameter to token endpoint
-
OPENAM-11789: User remains on 'Loading' page with 'OAuth2.0/OIDC' auth module if authId token expires before entering credentials
-
OPENAM-11759: Memory leak affecting policy evaluation for stateless sessions
-
OPENAM-11746: Syslog data is not fully RFC compliant
-
OPENAM-11678: 'Oldest' REST passwordreset selfservice unusable
-
OPENAM-11673: Policy evaluation response is incorrect if the URL query string sent for evaluation contains the string ://
-
OPENAM-11661: Prevent Restlet from adding the Server header
-
OPENAM-11548: Improve Scope validator class loading error handling
-
OPENAM-11547: Missing entry or corrupted value in "com.iplanet.am.version" causes upgrade failure
-
OPENAM-11491: Upgrading OpenAM results in failure due to restSMS.xml
-
OPENAM-11477: SLO through IDP Proxy loses the RelayState
-
OPENAM-11432: Extra space in Policy's Resource Type will cause policy evaluation to fail
-
OPENAM-11402: OpenAM does not enforce OAuth2 spec for "Resource Owner Password Credentials Grant" flow
-
OPENAM-11398: OpenAM ACI installation instruction does not work for OpenDJ productionMode
-
OPENAM-11157: Oauth2/OIDC Authentication redirect goto value wrong when behind reverse proxy
-
OPENAM-10673: SAML2 authentication module fails to redirect to IDP after failing DeviceID match module
-
OPENAM-10619: Post Authentication Plugin not run during session upgrade
-
OPENAM-10591: Generate more debug details about the JSON that is failing when JsonPolicyParser throws a UNABLE_TO_SERIALIZE_OBJECT exception
-
OPENAM-9717: TimerPool deadlock on ssoadm shutdown (client SDK)
-
OPENAM-9629: OAuth2 flow creates GENERIC CTS tokens that never expire
-
OPENAM-8264: Insufficient validator for service property 'iplanet-am-auth-hmac-signing-shared-secret'
-
OPENAM-7911: Improve Error Message: "Invalid Suffix"
-
OPENAM-5991: IP Address logging in SAML2 audit logs is not consistent
-
OPENAM-5865: AuthLevelCondition will not retrieve request auth level for a capital-letter realm.
-
OPENAM-1167: WindowsDesktopSSOConfig ClassCastException on saving configuration in admin UI
5.5.0
-
OPENAM-11834: Passwords being set to empty strings in tabbed forms in XUI
-
OPENAM-11646: Cookie values wrapped in double quotes
-
OPENAM-11632: CDCServlet does not work with realm
-
OPENAM-11610: WindowSSO module broken in AM 5.5 after upgrade
-
OPENAM-11526: Realm Authentication chain post authentication classes PAP not triggered on chains with multiple modules
-
OPENAM-11391: Requesting 'OAuth2.0/OIDC' auth module a second time results in display of AM’s "Authentication Failed" page
-
OPENAM-11300: OIDC request parameter is failing when message level is enabled
-
OPENAM-11280: authentication with noSession=true fails if post authentication plugin class is present
-
OPENAM-11218: OpenAM throws service error for Application Module
-
OPENAM-11217: SAML2 Authentication module is not invoking custom SP Adapter class implementing a preSingleSignOnRequest() method
-
OPENAM-11196: Incorrect debug logging level used in FMEncProvider.getEncryptionKey
-
OPENAM-11154: Memory leak in SMSEventListenerManager#subNodeChanges
-
OPENAM-11115: Push authentication should use alias attributes to find identities
-
OPENAM-11101: Social Auth links do not contain the goto url
-
OPENAM-11070: Need OAuth2 authentication to work in Android with implied consent
-
OPENAM-11057: Global User Self Service UI does not display values
-
OPENAM-11015: ForceAuth session upgrade does not work
-
OPENAM-10971: FR-OATH auth module can not be used in auth chain if the username in sharedstate map does not 'match' the search attribute of the data store
-
OPENAM-10970: logout response binding should be selected based on the capabilities of the SP
-
OPENAM-10965: Stateless OAuth2 can’t verify access and refresh token
-
OPENAM-10931: IdentitySubject not adding isMember() result to cache after entry has changed
-
OPENAM-10782: endSession with an id_token generated from a refresh_token request does not destroy the session
-
OPENAM-10756: setSucessModuleNames in AMLoginModule calls AuthModule’s getPrincipal multiple times
-
OPENAM-10585: The "claims" Request Parameter from the openid standard isn’t functional
-
OPENAM-10578: Stateless access token doesn’t contain the grant type
-
OPENAM-10562: Audit log 'Configuration' entries are not written when using external configuration store
-
OPENAM-10332: Quota constraints exceeded - Interim Fix
-
OPENAM-10129: OAuth2 Device flow - user code verification is case-insensitive
-
OPENAM-10103: output from re-indexing action during initial configuration is lost
-
OPENAM-10102: insufficient progress information during configuration
-
OPENAM-10013: HOTP session upgrade not possible in XUI if the wrong code is entered first time
-
OPENAM-9979: Authentication chain post authentication classes are not used if realm level PAP setting exists
-
OPENAM-9885: Oauth2 load: Tomcat keeps logging "WARNING: Addition of the standard header "Pragma" is discouraged as a future version of the Restlet API will directly support it"
-
OPENAM-9156: 'Not Found' error in UI when opening a custom auth module created with ssoadm with the name the same as type
-
OPENAM-8771: "Unknown Error: Please contact your administrator", shown with FacebookSocialAuthentication option "Prompt for password setting and activation code" (org-forgerock-auth-oauth-prompt-password-flag)
-
OPENAM-8270: Using client_credentials Grant type with openid scope returns User must be authenticated to issue ID tokens
-
OPENAM-8063: Merge Debug Files feature does not work correctly
-
OPENAM-7781: persistent cookie auth module does not allow to change cookie name by default
-
OPENAM-7437: Finish button of Identity Provider wizard doesn’t work
-
OPENAM-5864: Quota constraints exceeded in multi-instance with LB and CTS enabled
-
OPENAM-5153: Auth modules should call setAuthLevel after successful login
-
OPENAM-5152: AMAuthLevelManager miscalculates auth level
-
OPENAM-3679: IDP Finder fails to validate relaystate
-
OPENAM-1325: OpenAM fails to setup when deployed under the root uri ( '/' )