PingAM release notes

Fixes in AM 7.0.x

This page lists the cumulative fixes in AM 7.0.x releases:

AM 7.0.2

  • OPENAM-17689: LDAPv3PersistentSearch should log when psearch connection is lost

  • OPENAM-17688: InMemoryCtsSessionCacheStep#cacheTrusted field should be marked volatile

  • OPENAM-17683: Selfservice user registration auto login fails for a sub-realm

  • OPENAM-17673: Nodes within a Page node do not have access to secure state

  • OPENAM-17672: Page Node does not expose inner nodes inputs or outputs

  • OPENAM-17630: JMS Audit logging broken and cannot start up

  • OPENAM-17591: Session quota destroy next expiring action can fail when two new sessions attempt to read and update the same expiring session

  • OPENAM-17587: OIDC bearer token authentication module requires context value setting for client secret

  • OPENAM-17570: OIDC request parameter decryption fails to find any applicable keys

  • OPENAM-17555: AM 7.x versions of Amster use Java 8 format of debug port

  • OPENAM-17517: JS versions of Social Identity Provider Profile Transformation scripts do not work due to a casting error.

  • OPENAM-17515: Sub attribute in access token can be in wrong casing

  • OPENAM-17483: SecretsPlugin upgrade from 6.5.x failing

  • OPENAM-17477: Thread-safety issue in AMAuthenticationManager

  • OPENAM-17436: JS version of the OIDC Claims script does not work due to a casting error.

  • OPENAM-17405: Token introspection response not spec compliant

  • OPENAM-17397: ssoadm can fail for some cloud-based setups due to FileBasedConfiguration check

  • OPENAM-17365: Checking agent type with caller token can cause deadlock

  • OPENAM-17364: prompt login / session upgrade / OIDC ACR looping with trees

  • OPENAM-17361: API Explorer Swagger Template body needs modified to include configExport, debugLogs and threadDump as per the API Documentation

  • OPENAM-17357: Remote Consent Service RCS does follow RCS consented scope when authorization endpoint accessed without any scope

  • OPENAM-17349: OIDC Refresh token - Ops token is deleted from the CTS during refresh

  • OPENAM-17337: Access token passed in request body results in failure

  • OPENAM-17324: Client credentials grant in FBC config with group inheritance causes User not Valid Error

  • OPENAM-17322: SAML2 bearer grant returns NoUserExistsException

  • OPENAM-17321: Prometheus Endpoint returns http 500 error when used with file based config

  • OPENAM-17317: A realm without any modules can cause increased thread count and slow response.

  • OPENAM-17310: 'ssoadm list-datastore-types' sub-command broken

  • OPENAM-17277: AM Recording with thread dump only shows depth of 8

  • OPENAM-17276: AM recorder does not record anymore

  • OPENAM-17274: AM should not change the supported subject types for an existing install

  • OPENAM-17271: Typo for Realm in SAML/Federation debug

  • OPENAM-17265: Wrong authorized_keys file updated

  • OPENAM-17242: OAuth2 Policy - Environment Condition AuthLevel >= doesn’t work for ROPC grant

  • OPENAM-17220: OAuthLogout.jsp compilation error isGotoUrlValid method signature not found

  • OPENAM-17199: Insufficient debug logging for 'DJLDAPv3Repo.getAssignedServices'

  • OPENAM-17175: XUI OAuth2 consent page does not render when using themes

  • OPENAM-17157: Password reset via admin console with Proxied Authorization enabled is not possible

  • OPENAM-17156: Adaptive Risk checkGeoLocation null countryCode can cause module fail.

  • OPENAM-17121: Inefficient synchronized block in OAuth2ProviderSettingsFactory

  • OPENAM-17117: Service config XML dump consumes a lot of memory (whole config is read to memory)

  • OPENAM-17114: Save Consent check box always shown, even when not configured

  • OPENAM-17102: OAuth2 client bearer authentication has insufficient logs for troubleshooting failing client authentication

  • OPENAM-17097: Inconsistent scope policy evaluation between authorize and ROPC

  • OPENAM-17089: Forgot password flow not working after initial attempt to reset password fails

  • OPENAM-17081: OAuth2 client agent group settings are not taken into account

  • OPENAM-17079: Identities and Session : unexpected returned error when trying to request for unexisting identity

  • OPENAM-17070: SAML2 SP intiated SSO with AM as idp Proxy, RelayState is not returned from proxy after idp authentication

  • OPENAM-17066: Unable to add server to existing deployment through UI

  • OPENAM-17042: User Self Registration REST API does not generate SSO token

  • OPENAM-17019: Allowing wildcards in OAuth 2.0 clients prevents exact matching from working

  • OPENAM-17017: REST STS fails with unable get get sub-schema if cache is refreshed while updating REST config

  • OPENAM-16998: Poor logging around failures "Invalid Assertion Consumer Location specified"

  • OPENAM-16997: Device code grant implied consent fails if access_token request performed before user authenticates

  • OPENAM-16955: When setCookieToAllDomains=false is used, a non matching request from other domain will fail

  • OPENAM-16944: LDAP Decision node fails if inetuserstatus does not exist

  • OPENAM-16932: PageNode does not pick up outcomes if ScriptedDecisionNode is used inside

  • OPENAM-16910: Can not create SAML entity with entity id including a semicolon ';'

  • OPENAM-16904: OIDC bearer module fails with NPE when id_token does not contain kid

  • OPENAM-16883: AM ignores AuthnRequestsSigned property during SSO

  • OPENAM-16881: SAML federation library stopped supporting ACS URLs with query parameters

  • OPENAM-16876: Default ACR values on OIDC client profile is not honoured in order of preference

  • OPENAM-16849: WeChat Social Auth module broken (regression)

  • OPENAM-16801: SAML2 SP init SSO fails after upgrade to 7.0.0

  • OPENAM-16726: Insufficient debug logging for OAuth2 error 'invalid_client Server does not support this client’s subject type'

  • OPENAM-16651: Default configuration fails if the trust store type JVM property is not defined for the JVM

  • OPENAM-16638: AM with embedded DS setup fails when Java system keystore properties is set

  • OPENAM-16608: AM with embedded DS setup fails with permission denied for truststore

  • OPENAM-16581: SAML Authentication Module on hosted SP gets SAML No authentication context error

  • OPENAM-16556: Radius Server’s does not log IP address into AM Audit logs

  • OPENAM-16515: Social auth - insufficient debug logging for troubleshooting

  • OPENAM-16472: Proxied Authentication fallback may not work when user entry lack some attributes

  • OPENAM-16364: Macaroon access tokens don’t work with the new any-realm token introspection

  • OPENAM-16262: Javadocs for IdUtils needs updating

  • OPENAM-15963: Historical retention files ( csv ) were not deleted

  • OPENAM-15214: Auth Tree - Clicking save with no changes causes render problem with node attributes inside page node

  • OPENAM-14240: FMSigProvider.verify does not tell if certificates are provided

  • OPENAM-13783: REST STS: Cannot add or modify nameID format in SAML config, and default value stated in help is incorrect

  • OPENAM-13575: Unhelpful log message when OIDC public client wants to use HMAC id token signing

AM 7.0.1

  • OPENAM-16935: Logout issue after logging into AM with 'Remember my username' selected with iOS 14.0.1

  • OPENAM-16934: sm.getSchemaManager has a typo including a comma

  • OPENAM-16907: Kerberos Node in 7.0 does not work

  • OPENAM-16877: Error when creating AM "Self-service Trees" service in native admin ui

  • OPENAM-16848: Choice Collector and WDSSO node combination does not work if whitelisting is enabled

  • OPENAM-16847: AM email service failing with 'Start TLS' option

  • OPENAM-16838: AuthenticationApproachChecker does not handle session upgrade modules

  • OPENAM-16823: IDM Nodes does not send or propagate transactionId tracking when contacting IDM

  • OPENAM-16802: Upgrade from OpenAM 7.0 to 7.1.0 SNAPSHOT causes NPE

  • OPENAM-16794: Google KMS options missing after upgrade from 6.5

  • OPENAM-16791: AMAccessAuditEventBuilder#forRequest can generate an entry with :-1 for the port

  • OPENAM-16769: Enabling Auto-federation when User Profile is Dynamic on SP causes SP to hang during SAML flow

  • OPENAM-16759: Amster on windows : AM does not restart properly after setup

  • OPENAM-16758: Cannot install AM 7 on Windows

  • OPENAM-16745: client_id in access token ignores what’s been registered when idm cache is disabled

  • OPENAM-16703: OAuth2 Access token obtained from refresh token is certificate-bound regardless of "Certificate-Bound Access Tokens" configuration (when client_secret_basic used for credentials)

  • OPENAM-16702: Saving engine configuration in FBC mode makes that config non-readable

  • OPENAM-16701: The authorize endpoint with a service parameter will cause the parameter to appear as a PAP claim in the agent’s ID token

  • OPENAM-16697: Case mismatch for realm (when using legacy realm identifier format) on well-known endpoint results in issuer with incorrect path format

  • OPENAM-16686: Cannot create a User after upgrade from 6.5.2 to 7.0.1

  • OPENAM-16684: OIDC Dynamic Registration client_description cannot take String type

  • OPENAM-16669: IdentityGateway Agent entry missing attribute required to support org.forgerock.openam.agent.TokenRestrictionResolver#getAgentInfo

  • OPENAM-16650: Authz Policy Subjects Policy.title is showing property name text

  • OPENAM-16641: OAuth2 provider supported grant types attribute missing localization property on XUI

  • OPENAM-16606: Missing "org.forgerock.openam.saml2.authenticatorlookup.skewAllowance" property in server defaults

  • OPENAM-16594: ssoadm help should be updated to reflect changes in AME-18650 / OPENAM-16155

  • OPENAM-16583: Crucial information is missing when encountering LDAP connections issue.

  • OPENAM-16555: (audit) logging does not tell which policy allowed or denied a resource request

  • OPENAM-16551: Scalar String in OAuth2 Access Token Modification Script result in Unable to Obtain Access Token

  • OPENAM-16545: Upgrade to AM 7.0.0 can cause problems with properties being overriden for some web agents

  • OPENAM-16485: 'Failed Login URL' is not picked up from the auth chain

  • OPENAM-16483: XUI - Typo in SAML SP "Default Relay State Url" label

  • OPENAM-16368: Settings of Mail and Scripting global service properties are overwritten at upgrade

  • OPENAM-16367: OIDC request_uri response causes NPE while debug logging

  • OPENAM-16354: Concurrency bug in OAuth2ProviderSettingsFactory

  • OPENAM-16338: Failing REQUISITE module after SUFFICIENT Device Match doesn’t fail chain properly

  • OPENAM-16157: Session Property Whitelist Service allows case variant Property Names but DS is not case sensitive

  • OPENAM-16152: After upgrade, new Identity page has duplicate 'new identity' field and email address does not save

  • OPENAM-16006: Device Code Grant does not work with Implied Consent as Authorization is not approved even after consented

  • OPENAM-15671: LoginContext is missing debug logging for troubleshooting

  • OPENAM-15663: UserInfoClaims is not part of public API

  • OPENAM-14682: Microsoft Social Auth fails when creating an Microsoft account (Legacy OAuth2)

  • OPENAM-14527: Microsoft Social Auth does not work with latest MS endpoints (Legacy OAuth2)

  • OPENAM-11706: Policies in a policy set are not visible in Internet Explorer IE

AM 7.0

  • OPENAM-16433: Audit Logging change of behaviour when capturing "principals" and "userid" data for each authentication entry.

  • OPENAM-16425: AM does not handle malformed/incorrect signature correctly

  • OPENAM-16402: The passwordpolicy.allowDiagnosticMessage should be applicable to admin and selfservice password change.

  • OPENAM-16379: URL fragments like # cause forbidden login in the XUI

  • OPENAM-16284: XUI does not handle Special Chars / UTF-8 in realms properly.

  • OPENAM-16279: AgentsRepo cannot recover when it fails especially on external Application store.

  • OPENAM-16251: OIDC authentication request with parameters 'prompt=none' and 'acr_values=' triggers authentication

  • OPENAM-16240: REST STS under subrealm cannot generate id_token with realm claim

  • OPENAM-16233: Policy evaluation fails when subject not found (even in ignore profile)

  • OPENAM-16214: Push Authentication Module does not work on Session Upgrade when User Cache disabled

  • OPENAM-16184: Zero Page Login Collector does not work with UTF-8 base 64 encoded usernames and passwords

  • OPENAM-16165: social authmodule causes NullPointerException

  • OPENAM-16164: social authmodule fails if OIDC provider uses algorithm RS256 to sign Id Token

  • OPENAM-16136: queryFilter only matches against first entry in array

  • OPENAM-16132: When TtlSupport is enabled, Stateless OAuth2 Refresh token and JWT whitelist fails on synchroniseExpiryDates

  • OPENAM-16032: Unable to delete devices with Recovery Code Collector Decision Node

  • OPENAM-16031: Intermittent error message when concurrent obtain SSO Token ID with session quota constraints

  • OPENAM-16014: An invalid user passed to any WebAuthn node throws NPE and breaks the Tree flow

  • OPENAM-16013: Mismatched kid from Json Web Key URI when Specified Encryption Algorithm

  • OPENAM-16009: Windows Desktop SSO node full adoption and compliance with tree node specifications

  • OPENAM-15989: OAuth2 client_id should be url-decoded when using basic auth

  • OPENAM-15982: OIDC - JWT Request Parameter returns errors in query, not in the fragment when consent is denied

  • OPENAM-15970: Access Token introspect Fails in subrealm after root realm modified

  • OPENAM-15944: WS-Federation - RPSignin Request fails because config data is used unchecked

  • OPENAM-15905: Login failure with Post Authentication Plugin on timed out Authentication session throws NullPointerException

  • OPENAM-15900: Kerberos fails when used with IBM JDK

  • OPENAM-15896: WS-Federation relying party initiated passive request - stuck at Account Realm selection

  • OPENAM-15881: Custom AM User (amUser.xml) field does not use default values from the schema

  • OPENAM-15858: Auth Tree fails before 'Max Authentication Time' is reached if authentication session state management scheme CTS is used

  • OPENAM-15853: External UMA store fails on resource creation

  • OPENAM-15805: idtokeninfo endpoint gives invalid signature error when ID Token is expired

  • OPENAM-15785: OIDC spec violation - HTTP POST can not be used to send Authentication Request

  • OPENAM-15784: Form elements in policy environment condition tab are displayed twice

  • OPENAM-15766: LoginState - account lockout is checkout although AM AccountLockout is disabled

  • OPENAM-15758: KeyStore Secret Store fails to start due to secretId having some characters.

  • OPENAM-15750: ERROR: OAuth2Monitor: Unable to increment "oauth2.grant" metric for unknown grant type BACK_CHANNEL

  • OPENAM-15724: SAML2 entities do not set amlbcookie if there is only one server

  • OPENAM-15713: AM SP drop the 80 characters RelayState silently for HTTP Redirect

  • OPENAM-15698: IdP-initiated SSO fails with error 'Error processing AuthnRequest. IDP Session is NULL'

  • OPENAM-15697: Default ACR values from OAuth2 provider not taken into account

  • OPENAM-15694: RestSTSServiceHttpRouteProvider causes memory leak by adding route for every access

  • OPENAM-15679: The option "com.sun.am.ldap.connnection.idle.seconds" has a misspelling

  • OPENAM-15670: DeviceIdSave auth module initialization fails if username is null

  • OPENAM-15667: AM debug log does not tell which auth-module was handled - needed for troubleshooting

  • OPENAM-15645: The &refresh=true|false parameter for _action=validate is not working as expected

  • OPENAM-15632: OAuth2 Refresh token lifetime with -1 (never expires) cannot work with CTS TTL support

  • OPENAM-15628: Grant-Set Storage Scheme for CTS does not work with CIBA Flow

  • OPENAM-15627: Switching CTS Storage Scheme to "Grant-set" fails with stateless refresh-tokens created with "One-To-One"

  • OPENAM-15579: AM cookies are not set after successful SP-initiated SSO flow if SP Adapter calls 'response.sendRedirect(String)'

  • OPENAM-15559: OATH module broken in Japanese locale

  • OPENAM-15533: WS-Federation doesn’t work with Authentication Trees

  • OPENAM-15530: OAuth2/OIDC - Resource Owner Password flow with a public client creates an AM session in CTS

  • OPENAM-15520: XUI Localisation Falls Back To AM-Default "EN" Instead Of Language-Default

  • OPENAM-15508: moduleMessageEnabledInPasswordGrant does not apply to Trees

  • OPENAM-15507: 500 error when calling /revoke or /refresh endpoint with wrong token

  • OPENAM-15501: Xml encryption 1.1 namespaces aren’t always mapped to prefixes correctly

  • OPENAM-15494: AM expects nonce request parameter in authorize request when no id_token will be returned

  • OPENAM-15491: Self service password reset returns 500 Internal Server Error, when new password rejected by datastore password policies.

  • OPENAM-15489: WebAuthN Auth Node Doesn’t Respect UV=Discouraged During AuthN

  • OPENAM-15465: Sending HTTP Callback from Inner Tree Evaluator Fails Authentication

  • OPENAM-15459: When Encrypted Attributes on SP is set only with AutoFederation enabled, the attributes get decryption error

  • OPENAM-15425: OIDC endsession - encrypted id_tokens are not supported

  • OPENAM-15374: OpenID Client authentication with private_key_jwt and client_secret_jwt does not enforce required jti claims

  • OPENAM-15355: PageNode with multiple InputNodes without value throws Unsupported InputOnlyPasswordCallback

  • OPENAM-15349: Access Token request returns a 500 error

  • OPENAM-15345: at_hash value generated does not take the latest modified access token

  • OPENAM-15323: ROPC with tree throws "Internal Server Error (500)" when user credentials are incorrect using AuthTree

  • OPENAM-15307: Trees Example is not working as expected OOTB to ?service=Example

  • OPENAM-15303: Claims with multiple values in issued_token from REST STS represented inconsistently.

  • OPENAM-15244: AM configuration does not perform schema extension for identity store although it has the permissions

  • OPENAM-15210: Authentication nodes that is assigned AuthType values may not work in Session Upgrade case with custom modules

  • OPENAM-15164: CDSSO with "ignore profile" throws "No OpenID Connect provider"

  • OPENAM-15160: LDAP Decision Node throws NPE when custom ldap server returns LDAP code 50 on bind

  • OPENAM-15150: Upgrade fails when there is a bad Token Signing ECDSA public/private key pair alias field

  • OPENAM-15147: HTTP 500 upon accessing openam/json/

  • OPENAM-15145: OpenAM Scope Validator calls getUserInfo twice when creating IdToken

  • OPENAM-15121: Persistent Cookie Auth Tree does not work after the second relogin ( with browser closed )

  • OPENAM-15117: KeyVault KeyStoreType not supported

  • OPENAM-15116: Auth ID jwt can be modified to determine whether a realm exists or not

  • OPENAM-15105: Unable to get trusted devices using REST API

  • OPENAM-15101: Remove the ability to disable XUI

  • OPENAM-15089: SAML SLO - Allow RelayState to be a path-relative URL

  • OPENAM-15076: webAuthn config does not allow for multiple origins under the same rpId

  • OPENAM-15044: OpenID connect id_token bearer Module Unable to obtain SSO Token due to OpenIDResolver Caching

  • OPENAM-15036: Cannot view/manage SAML IdP entity in console, imported from schema compliant meta data file

  • OPENAM-15028: Cannot load metadata in ssoadm without extended metadata

  • OPENAM-15012: OIDC - JWT Request Parameter returns errors in query, not in the fragment

  • OPENAM-14995: IdP Initiated single logout only performs local logout if IdP session cannot be found in cache

  • OPENAM-14991: Changes to boot.json are overwritten

  • OPENAM-14979: NPE in UtilProxySAMLAuthenticatorLookup if there is a failure to find cached oldSession in sessionUpgrade

  • OPENAM-14977: PKCE Code challenge method for Authorization Code if not set should use plain

  • OPENAM-14966: Performing access_token with arbitrary text as trusted cert header causes server error

  • OPENAM-14919: Unncessary 'Unable to parse packet received from RADIUS client' log entries in log file

  • OPENAM-14901: XUI - SAML2 module doesn’t redirect to IDP if it’s 2nd in the chain

  • OPENAM-14895: user identity creation fails with "Identity \*" of type user not found.

  • OPENAM-14893: XUI displays multiple error messages when an authentication session times out

  • OPENAM-14889: Upgrade of Peristent Cookie auth module fails

  • OPENAM-14883: OAuth2/OIDC - Issuing client secret to Public clients during registration

  • OPENAM-14881: AM Proxied authorization feature on DataStore does not work with locked or expired DJ accounts for password change (gives errorcode=123)

  • OPENAM-14867: AuthType is not set for Authentication Tree (AnyKnownUserAuthzModule fails in AuthTree)

  • OPENAM-14859: ROPC throws "Internal Server Error (500)" when 'Password Grant authentication service' is empty

  • OPENAM-14858: When NameIDPolicy does not contain Format=.., remoteEntityID is passed as null

  • OPENAM-14848: Insufficient debug logging in OpenID Connect authentication module

  • OPENAM-14845: user info endpoint does not correctly handle Certificate Bound Access Tokens

  • OPENAM-14829: AuthSchemeCondition doesn’t return realm aware policy condition advice

  • OPENAM-14825: OAuth2 Dynamic Registration with Software Statement triggers objectClass=* search

  • OPENAM-14804: Memory leak when running UMA RPT soak test

  • OPENAM-14799: Unable to update Agent profile using REST

  • OPENAM-14794: User privileges are removed from group if another group is given same privilege

  • OPENAM-14786: idpSingleLogoutPOST throws error 500 IllegalStateException on SLO

  • OPENAM-14783: PKCS11 KeyStore does not work on IBM JVM

  • OPENAM-14782: AuthTree created Session does not use per User Session Service settings

  • OPENAM-14766: introspect and tokeninfo endpoints return Internal Server Error 500 in some invalid tokens

  • OPENAM-14717: mailto attribute have space between ':' and mail address

  • OPENAM-14694: Consent page still shows claim values even when supported claim description is omitted

  • OPENAM-14651: OAuth2 GrantSet E-Tag Assertion Failures due to Stale Reads

  • OPENAM-14581: handling ManageNameID fails if NameID does not include SPNameQualifier

  • OPENAM-14578: WDSSO failing but no fallback…​

  • OPENAM-14573: amlbcookie is not secure when authenticating with trees

  • OPENAM-14572: prompt=login destroys and creates new session

  • OPENAM-14570: OAuth mTLS DN comparison fails when DER-encoding is different

  • OPENAM-14548: consent page still shows what’s been granted/removed as a result of OAuth2 scope policy evaluation

  • OPENAM-14546: SSOADM access not audited to the ssoadm.access logs anymore

  • OPENAM-14539: SAML SLO with multi protocols

  • OPENAM-14529: UMA RPT expiry time incorrect in CTS

  • OPENAM-14523: NullPointerException in IdP-initiated ManageNameIDRequest using SOAP Binding

  • OPENAM-14503: SAML2 - Key Transport Algorithm - RSA OAEP must be supported

  • OPENAM-14483: If there is no token, then landing on the AM login page will result in 2 getSessionInfo Requests = 401 UnAuthZ

  • OPENAM-14480: AuthLoginException is lost

  • OPENAM-14471: Failed to create root realm for data store (External Policy | Application)

  • OPENAM-14465: SAML2 Artifact binding fails on multi-instance / multiserver IDP setup with SAML2 Failover on

  • OPENAM-14464: XUI sends the following message "Loading custom partial "${partialPath}" failed. Falling back to default." to the browser console when a custom theme is used

  • OPENAM-14450: userinfo typo in Claims.java

  • OPENAM-14426: Unable to add external data store in AM (Policy | Application) when using TLS/SSL

  • OPENAM-14419: Policy evaluation returns search results for all policies that match outside of specified application

  • OPENAM-14393: CTS Operation Fails Entry Already Exists logged for SAML2 Authentication is done

  • OPENAM-14391: Self Service Link not Display when Using Authentication Tree

  • OPENAM-14378: 'Set Persistent Cookie' node sets domain cookies in only one domain despite multiple Cookie Domains set

  • OPENAM-14369: Upgrading from OpenAM 13.5.0 with custom PAPs causes NPE failure

  • OPENAM-14362: UMA load test fails with Invalid resource type error

  • OPENAM-14353: Error Message not Displayed when Change Password does not Meet Password Policy

  • OPENAM-14337: Fail gracefully when request OIDC token using "Pairwise" Subject Type and no Redirection URI is configured in client

  • OPENAM-14313: Audit Logging - STS transformations create duplicate entries

  • OPENAM-14310: CheckSession page indicates the session is not valid

  • OPENAM-14294: am-external Git repository 6.5 have bad source

  • OPENAM-14281: IdP Proxy relays wrong AuthnContextClassRef

  • OPENAM-14239: FMSigProvider.verify NPE with null input for certificates

  • OPENAM-14233: updated_at claim in the ID Token is returned as a string and not a number

  • OPENAM-14232: Performance issue when creating resource_set in UMA with many existing resource_set

  • OPENAM-14229: custom AuthorizeTemplate under theme not used

  • OPENAM-14213: Cannot view SAML SP entity imported with missing AuthnRequestsSigned attribute

  • OPENAM-14212: SAML redirect to login page fails if AM installed into the root context

  • OPENAM-14200: Social auth modules do not work when AM is installed into the root context

  • OPENAM-14189: effectiveRange of Time environment has issue

  • OPENAM-14175: CTS updates on multivalue attributes may throws Duplicate values exception

  • OPENAM-14174: AM shows Ldapter.delete exception when session expires is triggered

  • OPENAM-14167: HTML tags are shown part of the messages in Change Password section of AD Authentication module.

  • OPENAM-14147: arg=newsession in XUI just shows the "Loading…​" page

  • OPENAM-14115: Sample Auth module does not work in a chain when used with Shared-state

  • OPENAM-14112: Using client-based sessions when acting as SP can lead to an out-of-date client-based session cookie

  • OPENAM-14111: Refresh Token flow not enabled on OAuth2 Client can still use Refresh Token flow

  • OPENAM-14062: Redirect to Failure URL does not occur when authentication tree is not interactive

  • OPENAM-14054: XUI Custom templates and Partials not applied consistently

  • OPENAM-14053: Cannot build AM UI in Windows for Yarn using mvn

  • OPENAM-14040: LdifUtils debug logging prints out wrong classname

  • OPENAM-14018: Radius Authentication Module Primary and Secondary Radius Server help button shows server:port when it should be server

  • OPENAM-13999: Custom node containing ConfirmationCallbacks fails when dropped in a page node.

  • OPENAM-13991: 'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm

  • OPENAM-13978: Session Upgrade - AuthLevel format changes

  • OPENAM-13942: SAML2 Circle of Trust - REST Update doesn’t update the metadata of the provider

  • OPENAM-13934: saml2error.jsp fails with exception when malformed SAML2 response given

  • OPENAM-13900: OAuth2 Device flow - duplicate user_code error after authenticating user

  • OPENAM-13892: Erroneous "Response’s InResponseTo attribute is not valid error "SAML2 failover is enabled" when it is not

  • OPENAM-13890: Install.log logs AMLDAPUSERPASSWD for unprivileged demo user in plaintext

  • OPENAM-13851: Rest STS cannot be created in the Console when upgrading to 6

  • OPENAM-13831: RP-Initiated Logout does not handle state parameter

  • OPENAM-13779: Session API - _action=refresh requires an admin token

  • OPENAM-13764: Monitoring logs in ERROR for "Agent.configAgentsOnly:agent type = OAuth2Client"

  • OPENAM-13720: Public API method LDAPUtils.convertToLDAPURLs can not handle IPv6 literals

  • OPENAM-13490: Software Publisher Agent - Secret is not saved when creating an Agent

  • OPENAM-13465: Dynamic client registration sets wrong subjectType

  • OPENAM-13446: Social Auth Service doesn’t redirect if already using another chain

  • OPENAM-13419: LDAPPolicyFilterCondition doesn’t set request timeout

  • OPENAM-13324: /users/{user}/devices/trusted REST queryFilter expression does not work and acts as "true"

  • OPENAM-13064: OAuth2 - SAML v.2.0 Bearer Assertion Grant - SubjectConfirmationData element should be optional

  • OPENAM-13000: Custom authentication module with a single ChoiceCallback value is processed without confirmation

  • OPENAM-12955: Resource Owner Password Credentials Grant does not work with trees

  • OPENAM-12759: max_age should a number, not a string

  • OPENAM-12574: SAML2Utils.sendRequestToOrigServer throws NullPointerException on processing Cookies

  • OPENAM-12498: Authorization Grant response returns scope(s) in the URL

  • OPENAM-12228: WebAgent REST API queryFilter expression does not work and acts all "true"

  • OPENAM-12186: Introspect endpoint for RPT does not check the authorization scheme

  • OPENAM-11921: Incorrect NameId Format offered for SAML2 auth module in console

  • OPENAM-11863: CORSFilter position in web.xml should come before most filters

  • OPENAM-11778: Getting accessToken using authorization_code result in Unhandled exception

  • OPENAM-11338: OpenID Connect id_token bearer auth module mixes up aud, azp during verification

  • OPENAM-10869: SAML2 Authentication module return "Unable to link local user to remote user" ambiguous.

  • OPENAM-10843: When generating an OIDC token through STS a "kid" value is not specified

  • OPENAM-10127: SessionMonitoringStore should only be instantiated when monitoring is enabled

  • OPENAM-9931: Global Session Service - two fields with the exact same name (Redundant 'Global Attributes' setting should be removed)

  • OPENAM-9777: Json Web Key URI in OAuth2 OpenID connect client config pre-populated incorrectly

  • OPENAM-9459: 500 Internal Server Error from changePassword endpoint with AD repo

  • OPENAM-5867: Data Store LDAP server (admin-ordered) list is reordered by OpenAM

Copyright © 2010-2024 ForgeRock, all rights reserved.