AM release notes

Fixes in AM 7.2.x

This page lists the cumulative fixes in AM 7.2.x releases, since 6.5:

AM 7.2.1

  • OPENAM-20360: Ampersand is double encoded in the Destination of a SAML Assertion

  • OPENAM-20318: Accessing AM end user login page for PlatformLogin journey in platform environment shows non-rendered html

  • OPENAM-20260: Unable to log into AM when external application store is down

  • OPENAM-20230: Class allowlisting fails with permission denied after an extended period

  • OPENAM-20181: AD account notification fails

  • OPENAM-20082: Locked out users are shown a misleading error message

  • OPENAM-20031: Access token modification can no longer access refresh token reference

  • OPENAM-19884: AM returns 500 error when ; is used in the access token header

  • OPENAM-19684: Error EntitlementService.getSubjectAttributesCollectorConfiguration logged on initial agent access

  • OPENAM-19537: UserSelfCheckCondition.getConditionDecision logging WARN too much when nothing wrong

  • OPENAM-19515: Unable to update session service with read-only identity store

  • OPENAM-19506: Installer fails after pressing "cancel" button at amadmin password page

  • OPENAM-19455: Adding Authentication Context without Level value results in uneditable entity

  • OPENAM-18818: Persistent search error message shows wrong DS identifier

  • OPENAM-18172: Multiple instances of "No Social Authentication Service found for realm" logged at WARNING level

  • OPENAM-17215: Policy debug log fills up at very high pace if the config store is not found

  • OPENAM-16241: Switching CTS Storage Scheme with stateful refresh-tokens from 1-1 to grantset

  • OPENAM-12101: Connection pool not restarted if LDAP authentication module admin bind password is incorrect

AM 7.2

  • OPENAM-19427: KBA questions are not falling back to the default language when French is present in the restart password flow

  • OPENAM-19384: Suspended Authentication Resume URI is resolved with a missing /

  • OPENAM-19381: Timer Stop Node’s stop recording does not capture the reference start time of the Timer Start Node

  • OPENAM-19380: Social Google node does not work if placed after an input collector in a tree

  • OPENAM-19359: Social authentication not working on Subrealms

  • OPENAM-19297: OIDC MayAct claims script fails to access clientProperties and causes Java security exception

  • OPENAM-19290: In a cluster, changing AM debug level on local AM2 to remote AM1 does not take effect until the remote AM1 is restarted

  • OPENAM-19281: OIDC dynamic client registration cannot take \n in the client_description

  • OPENAM-19266: Cannot add Page Headers or Page Descriptions to page nodes in tree editor

  • OPENAM-19220: WebAuthN/Fido - Cannot authenticate with recovery codes on Windows

  • OPENAM-19208: Webhook with an empty url field throws NPE during a webhook session upgrade

  • OPENAM-19196: JavaScript origins in the OAuth2 Client need a restart to apply the changes

  • OPENAM-19190: LDAPAuthUtils for BASE_OBJECT does not work with special userId characters

  • OPENAM-19162: REST API definition inaccurate for endpoint /realm-config/saml

  • OPENAM-19123: AM validates duplicate registration tokens

  • OPENAM-19122: AM’s jwks_uri endpoint should preserve order of keys within the set

  • OPENAM-19108: "Agent" auth tree creates tokens with insufficient permissions

  • OPENAM-19086: rest-sts endpoint is not included when CORS is enabled

  • OPENAM-19083: Creating a client-based access and refresh token breaks subsequent use of Session Quotas

  • OPENAM-19042: When using Apple SSO, the Social Identity Provider Handler node ignores the user info returned

  • OPENAM-18996: Issues with trees and navigating quickly between Social Login providers

  • OPENAM-18990: Non-compliant OAuth 2.0 error response generated

  • OPENAM-18953: Insufficient logging when OAuth 2.0 token request fails due to invalid client secret

  • OPENAM-18952: KBA questions are not falling back to the default language when French is present

  • OPENAM-18928: Client credential OAuth 2.0 request results in searches for OAuth 2.0 client against the Identity Store

  • OPENAM-18921: Double slashes in oauth 2.0 claim names are handled incorrectly

  • OPENAM-18891: JWT Profile Oauth 2.0 grant returns invalid_grant

  • OPENAM-18883: Inconsistent error response from Client authentication using private_key_jwt

  • OPENAM-18877: Creating SAML providers with entity ids containing the plus (+) symbol results in errors listing and creating new providers

  • OPENAM-18864: Upgrade Radius Server Client Secrets fails due to service config cache being cleared

  • OPENAM-18833: Client authentication using private_key_jwt will cause 500 if claims value is null

  • OPENAM-18775: LdapDecisionNode throws NullPointerException on shared IDM Repository DataStore when Password change policy triggered

  • OPENAM-18756: Entering correct OTP after an incorrect OTP fails authentication

  • OPENAM-18754: User profile success URL ignored when authenticating with trees

  • OPENAM-18753: Upgrading AM Radius server with clients causes Radius auth failures

  • OPENAM-18705: Problem with Page Node using node relying on secureState

  • OPENAM-18701: DN cache doesn’t get deleted in some cases

  • OPENAM-18684: Redirect to authorize endpoint fails for 2nd OIDC App for Federated Users with multiple OIDC Clients

  • OPENAM-18679: OATH Registration node doesn’t work when placed inside a Page node

  • OPENAM-18663: AM should check new realm with rest end-point names by ignoring case

  • OPENAM-18661: Two or more OAuth2 clients with duplicate origins cause the CORS filter to be aborted

  • OPENAM-18655: Deleting OAuth2 Client provides unneeded Notification error message in IdRepo

  • OPENAM-18644: IdRepo cache can not be disabled anymore

  • OPENAM-18640: REST-STS uses the old path to reach the users endpoint

  • OPENAM-18623: Issue with jwk_uri endpoint called in parallel

  • OPENAM-18610: RealmOAuth2ProviderSettings for getJwks permits an empty set

  • OPENAM-18605: Proxy authentication required error when connecting to a target host over https via a proxy that requires authentication

  • OPENAM-18586: No debug message when AM can’t read the encrypted_base64 folder after upgrade

  • OPENAM-18573: URLPatternMatcher or RedirectURLValidator fails when query string contains "%20"

  • OPENAM-18547: Unable to load PlatformRegistration when Using Stateless Access Token with BaseURL

  • OPENAM-18533: Distinguish between standard OIDC and JAR OIDC request parameters

  • OPENAM-18524: Client assertion JWT generated for private_key_jwt OAuth 2.0 client authentication does not provide a "kid" header - can be rejected by external OAuth 2.0 providers

  • OPENAM-18523: NullPointerException when Web Agent group is changed

  • OPENAM-18487: Trust anchor check fails with Yubikey

  • OPENAM-18460: max_age parameter is overwritten

  • OPENAM-18459: IdTokenInfo endpoint behavior has changed and fails when using client_id in POST

  • OPENAM-18457: OIDC authentication nodes do not work in sub-realm when response_mode=form_post is requested from OP

  • OPENAM-18443: Transactional authentication is disabled on new installs

  • OPENAM-18436: UMA pending requests are stored differently depending on sub claim uniqueness mode

  • OPENAM-18434: Authorization Code flow redirects to malformed uri if redirect_uri contains underscore

  • OPENAM-18432: Remove the internal idm-delegation grant type from the well known info

  • OPENAM-18422: Email Template node creates threads without terminating them

  • OPENAM-18389: HttpClientHandler Guice injection in tree is typically broken with thread pool growth

  • OPENAM-18384: Email Suspend Node clears the secure state

  • OPENAM-18377: Authorization fails using auth module if user has authenticated with alias name

  • OPENAM-18359: Choice Collector Node not present following upgrade

  • OPENAM-18321: CertificateCollectorNode fails when checking cert in LDAP Directory Server

  • OPENAM-18306: OAuth 2.0 Authorization Code Grant Fails when including scope parameter at access_token endpoint

  • OPENAM-18297: Outbound calls to jwk_uri endpoint do not support proxy settings

  • OPENAM-18268: webauthnDeviceProfiles is not multi-valued for AD

  • OPENAM-18256: JWK Cache timeout is not set for OAuth 2.0 clients created dynamically

  • OPENAM-18252: Allow nodes to update the universal ID for use cases like impersonation and peer authentication

  • OPENAM-18235: IdPAdapter does not have access to IDPCache in preSendResponse hook when there is an existing session

  • OPENAM-18227: Upgrade from 6.0.x / 6.5.x fails with Unsupported node type PersistentCookieDecisionNode

  • OPENAM-18212: Check for user/agent profile condition during login can be refined further

  • OPENAM-18207: Global Service cache is not updated by changes from other servers in a site

  • OPENAM-18205: Excessive logging occurs when agent profile is not found

  • OPENAM-18180: No TransactionId present for AuthTreeExecutor

  • OPENAM-18171: Back-Channel logout keeps adding to trackingIds audit for every logout

  • OPENAM-18167: OIDC requests with request parameter fail with 500 error when there is no session using POST

  • OPENAM-18153: OpenIdConnect node call to well-known endpoint does not support proxy settings

  • OPENAM-18149: Wrong log file is used for SAML2 extensions log message

  • OPENAM-18141: AM no longer uses global SAML configuration

  • OPENAM-18140: AM Error "Trying to redefine version 0.0 for path" thrown on AM startup with forgeops

  • OPENAM-18132: Failed to get the distinct userIdAttributes for configured identity stores in realm

  • OPENAM-18121: Complex authentication trees load slowly

  • OPENAM-18120: Audit logging service does not correctly reflect the "prompt" URL parameter

  • OPENAM-18119: Audit log no longer shows the userID of session being invalidated by amAdmin

  • OPENAM-18118: OAuth 2.0 - AM does not implement 'device authorization grant' as specified in RFC 8628

  • OPENAM-18112: Misleading error message when LDAP auth node connects to a TLS-enabled server

  • OPENAM-18090: Creation of UMA Policy to share a resource fails when identities have custom attributes

  • OPENAM-18085: SocialProviderHandlerNode does not work in an upgraded AM

  • OPENAM-18068: Upgrade from AM 6.5.3 to 7.1.0 does not work if a Java Agent profile exists

  • OPENAM-18065: Logback.jsp cannot be used to set log levels for loggers in custom code

  • OPENAM-18062: SPACSUtils withholds exception and does not log error

  • OPENAM-18057: Identities page displays Internal Server Error when a user does not have search attribute defined

  • OPENAM-18043: Device Match module not setting correct AuthLevel

  • OPENAM-18030: Message node shows inconsistent behavior regarding the default locale

  • OPENAM-18017: Creation of UMA Policy to share a resource fails when identities have custom object classes

  • OPENAM-18009: HTTP error code 500 when authenticating with authIndexType service without authIndexValue

  • OPENAM-18006: Persistent search for identity store does not recover

  • OPENAM-18003: WS-Federation Active Requestor Profile does not work with Authentication Trees

  • OPENAM-17993: org.forgerock.openam.auth.nodes.webauthn.trustanchor.TrustAnchorValidator is missing a @Nullable annotation

  • OPENAM-17979: Backchannel authentication auth_req_id can be used to obtain multiple access tokens

  • OPENAM-17973: Retrieving auth code in a realm fails if session for another realm exists

  • OPENAM-17962: LDAP Decision Node does not put updated password in transient state

  • OPENAM-17954: Accept-Language header locale ignored on OAuth 2.0 Consent page

  • OPENAM-17935: Missing return statement in the happy flow of the kerberos node

  • OPENAM-17923: Retry Limit Decision should not involve user when Save Retry Limit to User is disabled

  • OPENAM-17916: When no session exists logout page redirects to login

  • OPENAM-17912: Account lockout count is not reset correctly

  • OPENAM-17904: JSON Audit Log Location not working when modifying location to only include %SERVER_URI% variable

  • OPENAM-17896: ForgottenPassword Reset on multiple clusters not working when reset link is clicked

  • OPENAM-17870: ScriptedDecisionNodes schema config not upgraded and sharedState does not work after upgrade

  • OPENAM-17830: Error messages are logged when the Push Notification Service is absent

  • OPENAM-17828: Apostrophe in username breaks Push/OATH device registration

  • OPENAM-17826: introspect endpoint returns a static value for expires_in when using client-based tokens

  • OPENAM-17814: Auth Tree step-up fails if username case does not match

  • OPENAM-17793: OIDC pairwise subject not working when multiple redirect URIs configured with the same hostname

  • OPENAM-17783: Language tag limited to 5 characters instead of 8

  • OPENAM-17782: Policy evaluation fails with 400 error when user does not exist

  • OPENAM-17760: PEM support incorrectly decodes some EC private keys

  • OPENAM-17718: OAuth 2.0 introspection endpoint does not accept Accept header with extra accept extension param (like weight q=0.8) or charset

  • OPENAM-17689: LDAPv3PersistentSearch should log when psearch connection is lost

  • OPENAM-17688: InMemoryCtsSessionCacheStep#cacheTrusted field should be marked volatile

  • OPENAM-17683: Selfservice user registration auto login fails for a sub-realm

  • OPENAM-17678: Radius server fails to initialize on startup due to config cache being refreshed

  • OPENAM-17677: oauth2/device/code endpoint does not support locale parameter

  • OPENAM-17663: Improve the error response code for "Failed to revoke access token"

  • OPENAM-17610: OTP Email Sender node does not let you specify connect timeout and IO/read timeout for underlying transport

  • OPENAM-17593: Deadlock when admin token is invalid and when config data is cleared

  • OPENAM-17591: Session quota destroy next expiring action can fail when two new sessions attempt to read and update the same expiring session

  • OPENAM-17590: OIDC login hint cookie broken since 7.0

  • OPENAM-17587: OIDC bearer token authentication module requires context value setting for client secret

  • OPENAM-17548: Can’t go back to login page after invoking Social Authentication Nodes

  • OPENAM-17521: Insufficient error logging to track down Multivalued RDNs not supported issue

  • OPENAM-17515: Sub attribute in access token can be in wrong case

  • OPENAM-17493: OAuth 2.0 node does not support external proxy authentication (user/pass)

  • OPENAM-17440: OAuth 2.0 service provider does not error if IAT attribute is mandatory but not issued

  • OPENAM-17426: No validation for attribute collector node

  • OPENAM-17405: Token introspection response not spec compliant

  • OPENAM-17351: AM File based config setup cannot be used with AM recording to dump the config

  • OPENAM-17320: Revisit prompt=login behavior change that keeps existing session

  • OPENAM-17308: Custom IdRepo uninstall realm-config/services/id-repositories?_action=nextdescendents fails

  • OPENAM-17265: Amster updates incorrect authorized_keys file

  • OPENAM-17040: UMA policy creation does not work with shared repo

  • OPENAM-16988: accessedEndpoint including port causes verify Assertion Consumer URL to fail

  • OPENAM-16953: Custom idrepo sample using IdRepoConfig does not work

  • OPENAM-16881: SAML federation library stopped supporting ACS URLs with query parameters

  • OPENAM-16653: Identity using fr-idm-uuid has wrong account ID in FR Authenticator

  • OPENAM-16642: Server id creation can fail when id is greater than 100

  • OPENAM-16490: OWASP ESAPI broken

  • OPENAM-16418: Client auth using private_key_jwt fails with 500 if claim format is wrong

  • OPENAM-16262: Javadocs for IdUtils need updating

  • OPENAM-16216: Get Session Data node improvements

  • OPENAM-15472: HOTP - text for performed attempts is hard-coded and not localisable

  • OPENAM-15408: oauth2/connect/jwk_uri does not expose keys of the remote consent agent profile

  • OPENAM-15278: "Access Denied" error when accessing logout link and not currently signed in

  • OPENAM-14343: AM console - localisation issue for algorithms in global Common Federation Configuration

  • OPENAM-13855: CTS creates too many connections to DS

  • OPENAM-13312: Stateless non-expiring refresh tokens fail with "invalid_grant"

  • OPENAM-12969: UMA Resource deletion results in a 500 error unless another resource has been created within the same resource set

  • OPENAM-11636: IdP-Proxy - proxyidpfinder.jsp is not triggered when 'Use IDP Finder' is enabled for remote SP entity

AM 7.1.x

AM 7.1.4

  • OPENAM-21004: AM will always look for valid session when scope=openid

  • OPENAM-21002: CTS task queue full and SeriesTaskExecutorThread can get stuck waiting

  • OPENAM-20897: Issue with logging unsupported callbacks

  • OPENAM-20691: Destroy oldest session may fail to work

  • OPENAM-20396: Authentication trees are selected in order of ACR - tree mapping (not in the default order) and order is not preserved

  • OPENAM-20318: Accessing AM End user login page for PlatformLogin journey in platform environment shows non-rendered HTML

  • OPENAM-20260: Unable to log into AM when external application store is down

  • OPENAM-20230: Class whitelisting fails with permission denied after an extended period

  • OPENAM-20181: AD account notification fails

  • OPENAM-20085: STS token generation does not work with clustered docker pods

  • OPENAM-20082: Locked out users are shown a misleading error message

  • OPENAM-19954: SAML hosted entity uses algorithm set in common federation configuration instead of algorithm set in hosted entity configuration

  • OPENAM-19362: AM to DS certificate log message logged at warning instead of error or critical

  • OPENAM-18818: Persistent search error message shows wrong DS identifier

  • OPENAM-18629: RestSTS should validate sessions with a local call and use asynchronous HTTP calls for remote calls

  • OPENAM-18488: Windows Hello with TPM/platform authenticator returns two certificates

  • OPENAM-17591: Session quota action destroy next expiring token can fail when two new sessions attempt to read and update the same expiring session

  • OPENAM-17215: Policy debug log fills up at very high pace if the config store is not found

  • OPENAM-13766: No configuration found for login with SessionConditionAdvice=deny

AM 7.1.3

  • OPENAM-19884: AM returns 500 when ; used in access token header

  • OPENAM-19865: Memory Leak due to samlResponseDataHash not being cleaned up

  • OPENAM-19649: ID token not linked to session when authorising with sso token

  • OPENAM-19613: PSearch is already removed error message should be warning

  • OPENAM-19537: UserSelfCheckCondition.getConditionDecision logging WARN too much when nothing wrong

  • OPENAM-19530: Upgrade fails when Organization schema defaults are missing for service 'sunFAMSAML2Configuration'

  • OPENAM-19515: Unable to update session service with read only identity store

  • OPENAM-19512: Faulty Legacy OAuth 2.0 frrest/oauth2 endpoints

  • OPENAM-19506: Installer fails after pressing "cancel" button at amadmin password page

  • OPENAM-19455: Adding Authentication Context without Level value results in uneditable entity

  • OPENAM-19427: Display security questions in the correct default language

  • OPENAM-19384: Suspended Authentication Resume URI is resolved with a missing '/'

  • OPENAM-19381: Timer Stop Node’s stop recording does not capture the reference start time of the Timer Start Node

  • OPENAM-19297: OIDC MayAct claims script fails to access clientProperties and causes Java security exception

  • OPENAM-19290: In a cluster, changing AM debug level on local (AM2) to remote (AM1) does not have effect until restart of AM1

  • OPENAM-19281: OIDC dynamic client registration cannot handle "\n" in the client_description

  • OPENAM-19220: WebAuthN/Fido - can not authenticate with recovery codes on Windows

  • OPENAM-19208: Webhook with an empty url field throws NPE during a webhook session upgrade

  • OPENAM-19190: LDAPAuthUtils for BASE_OBJECT does not work with special userId characters

  • OPENAM-19162: REST API definition inaccurate for endpoint '/realm-config/saml'

  • OPENAM-19123: AM validates duplicate registration tokens

  • OPENAM-19122: AM’s jwks_uri endpoint should preserve order of keys within the set

  • OPENAM-19119: GetAuthenticatorApp Node needs better localization support

  • OPENAM-19112: AM with embedded DJ always runs DJ backup and upgrade

  • OPENAM-19111: Insufficient debug logging to troubleshoot error "Illegal arguments: One or more required arguments is null or empty" when performing user identity subject update via REST API

  • OPENAM-19109: Insufficient debug logging to troubleshoot CORS service

  • OPENAM-19108: "Agent" auth tree creates tokens with insufficient permissions

  • OPENAM-19086: rest-sts endpoint is not included when CORS is enabled

  • OPENAM-19083: Creating a client-based access & refresh token breaks subsequent use of Session Quotas

  • OPENAM-19016: Logback.jsp should show the actual setting of the loggers instead of defaults

  • OPENAM-19011: QR code message used in MFA Authentication node should be customizable / localizable

  • OPENAM-18990: Non-compliant OAuth2 error response generated

  • OPENAM-18952: KBA questions are not falling back to the default language when French is present

  • OPENAM-18891: JWT Profile Oauth2 Grant returns 'invalid_grant'

  • OPENAM-18835: JCEEncryption throws ArrayIndexOutOfBoundException when decrypting empty bytes

  • OPENAM-18834: AM fails to start when upgrading after using am-upgrader

  • OPENAM-18655: Deleting OAuth2 Client causes unnecessary notification error message in IdRepo

  • OPENAM-18478: XUI shows incorrect subjectType following upgrade from AM < 6.5.3

  • OPENAM-18457: OIDC authentication nodes do not work in sub-realm when response_mode=form_post is requested from OP

  • OPENAM-18432: Remove the internal idm-delegation grant type from the well known info

  • OPENAM-18384: Email Suspend Node clears the secure state

  • OPENAM-18268: webauthnDeviceProfiles is not multi-valued for AD

  • OPENAM-18252: Allow nodes to update the universal ID for use cases like impersonation and peer authentication

  • OPENAM-18196: More meaningful error message when Client Secret is not URL-encoded

  • OPENAM-18172: Multiple instances of "No Social Authentication Service found for realm" logged at WARNING level in logs

  • OPENAM-18149: Wrong log file is used for SAML2 extensions log message

  • OPENAM-18132: Failed to get the distinct userIdAttributes for configured identity stores in realm

  • OPENAM-18113: LDAP authentication node : change of connection mode does not recreate the connection pool

  • OPENAM-18112: Misleading error message when LDAP auth node connects to a TLS-enabled server

  • OPENAM-18062: SPACSUtils withholds exception and does not log error

  • OPENAM-17973: Retrieving auth code in a realm fails if session for another realm exists

  • OPENAM-17882: Slow memory leaks when persistent search starts a retry activity when persistent search fails

  • OPENAM-17835: Do not display "Unable to retrieve instance of the ValidationServiceConfig" after IdP-initiated SSO

  • OPENAM-17688: InMemoryCtsSessionCacheStep#cacheTrusted field should be marked volatile

  • OPENAM-17351: AM File based config setup cannot be used with AM recording to dump the config

  • OPENAM-17308: Custom IdRepo uninstall realm-config/services/id-repositories?_action=nextdescendents fails

  • OPENAM-17201: XMLEncryption does not comply with standard when 'rsa-oaep-mgf1p' is being used

  • OPENAM-16953: Custom idrepo sample using IdRepoConfig does not work

  • OPENAM-16878: Scripted Decision Node secrets binding object does not have public API

  • OPENAM-16490: OWASP ESAPI lib is missing some classes

  • OPENAM-16241: Switching CTS Storage Scheme with stateful refresh-tokens from 1-1 to grantset

  • OPENAM-15997: Enhance CookieHelper to perform better cookie detection

  • OPENAM-15472: HOTP - text for performed attempts is hard-coded and not localisable

  • OPENAM-15408: oauth2/connect/jwk_uri does not expose keys of the remote consent agent profile

  • OPENAM-14343: AM console - localisation issue for algorithms in global Common Federation Configuration

  • OPENAM-13766: No configuration found for login with SessionConditionAdvice=deny

  • OPENAM-12992: Misleading error message in XUI console when existing DNS alias is provided

  • OPENAM-12101: Connection pool not restarted if LDAP authentication module admin bind password is incorrect

  • OPENAM-11319: Add localized "description" for JSON response content to OAuth2UserApplications#getResourceResponse

AM 7.1.2

  • OPENAM-18928: Client credential OAuth2 request results in searches for OAuth2 client against Identity Store

  • OPENAM-18921: Double slashes in oauth2 claim name handled incorrectly

  • OPENAM-18883: Inconsistent error response from Client authentication using private_key_jwt

  • OPENAM-18864: Upgrade Radius Server Client Secrets fails due to service config cache being cleared

  • OPENAM-18836: No TransactionId on "debug.out" for the AM recording

  • OPENAM-18833: Client authentication using private_key_jwt will cause 500 if claims value is null

  • OPENAM-18780: JwksOAuth2AgentEventListener class not setting the correct default cache miss time value

  • OPENAM-18756: Entering correct OTP after entering wrong OTP fails authentication

  • OPENAM-18753: Upgrading AM Radius server with clients causes Radius auth failures

  • OPENAM-18711: AES Encryption/Decryption fails when running in Java 17

  • OPENAM-18705: Problem with Page Node using node relying on secureState

  • OPENAM-18684: Redirect to /authorize endpoint fails for 2nd OIDC App for Federated Users with multiple OIDC Clients

  • OPENAM-18679: OATH Registration node doesn’t work when placed inside a 'Page' node

  • OPENAM-18663: AM should check new realm with rest end-point names by ignoring case

  • OPENAM-18661: Two or more OAuth2 clients with duplicate origins cause the CORS filter to be aborted

  • OPENAM-18646: Upgrade from AM 7.1.0 to 7.2+ may fail because of upgrading an existing Java agent profile

  • OPENAM-18644: IdRepo cache can not be disabled anymore

  • OPENAM-18640: REST-STS is using the old path to reach /users endpoint

  • OPENAM-18623: Issue with jwk_uri endpoint called in parallel

  • OPENAM-18610: RealmOAuth2ProviderSettings for getJwks is broken in that it permits an empty set

  • OPENAM-18605: Proxy authentication required error when connecting to a target host over https via a proxy that requires authentication

  • OPENAM-18586: Lack of debugging message when AM is not able to read the encrypted_base64 folder after upgrade

  • OPENAM-18547: Unable to load PlatformRegistration when Using Stateless Access Token with BaseURL

  • OPENAM-18536: Java agent property org.forgerock.agents.session.change.notifications.enabled should be presented in XUI

  • OPENAM-18511: Missing navigation options when an expired link from "Email Suspend" node is used

  • OPENAM-18443: Transactional authentication is disabled on new installs

  • OPENAM-18434: Authorization Code flow redirects to malformed uri if redirect_uri contains underscore

  • OPENAM-18297: Outbound calls to Jwks_URI endpoint do not support proxy settings

  • OPENAM-18256: JWK Cache timeout is not set for OAuth 2.0 clients created dynamically

  • OPENAM-18175: SMSUtils#addAttributesToMap inconsistency with array ordering

  • OPENAM-18141: AM no longer uses global SAML configuration

  • OPENAM-18130: "Agent Configuration Change Notification" uses the same help text in the XUI for Java and Web agents, but the property name is different

  • OPENAM-18120: Audit logging service does not correctly reflect the "prompt" URL parameter

  • OPENAM-18090: Creation of UMA Policy to share a resource fails when identities have custom attributes

  • OPENAM-18030: Message node shows inconsistent behaviour regarding the default locale

  • OPENAM-18005: Insufficient error message to troubleshoot persistent search issue

  • OPENAM-17949: Account lockout applied to tree even when ignore profile selected

  • OPENAM-17904: Json Audit Log Location not working when modifying location to only include %SERVER_URI% variable

  • OPENAM-17833: Internal accepted Audience AUD formed from DNS Alias could be wrong when BaseURL does not have port

  • OPENAM-17830: Error messages are logged when the Push Notification Service is absent

  • OPENAM-17829: External UMA Resource Set using SSL but not StartTLS fails

  • OPENAM-17593: Deadlock when admin token is invalid and when config data is getting cleared

  • OPENAM-17271: Typo for Realm in SAML/Federation debug

  • OPENAM-17102: OAuth2 client bearer authentication has insufficient logs for troubleshooting failing client authentication

AM 7.1.1

  • OPENAM-18604: Formatting issues in Upgrade Report

  • OPENAM-18573: URLPatternMatcher or RedirectURLValidator fails when query string contains "%20"

  • OPENAM-18566: Missing 'org.forgerock.security.oauth2.enforce.sub.claim.uniqueness' after upgrade from 7.1.0

  • OPENAM-18559: Upgrade from 6.5.3 to 7.1.0 fails with UpgradeException - "com.sun.identity.sm.InvalidAttributeValueException: Saved Consent Attribute Name is required."

  • OPENAM-18532: Web Agent property org.forgerock.agents.pdp.javascript.repost has incorrect description in XUI

  • OPENAM-18523: NullPointerException when AgentsRepo with from group is changed

  • OPENAM-18459: IdTokenInfo endpoint behaviour changed from 6.x and fails when using client_id in POST

  • OPENAM-18422: Email Template node creates threads without terminating them

  • OPENAM-18421: In a Platform environment, using an Email Template node creates a new thread that does not terminate

  • OPENAM-18389: HttpClientHandler Guice injection in tree is typically broken with thread pool growth

  • OPENAM-18377: Authorization fails using auth module if user has authenticated with alias name

  • OPENAM-18366: Upgrade Report contains unformatted line feeds "%LF%"

  • OPENAM-18359: Choice Collector Node appears to not be present following upgrade

  • OPENAM-18321: CertificateCollectorNode fails when checking cert in LDAP Directory Server

  • OPENAM-18319: Realm is added more than once when session upgrade happens more than once with modules

  • OPENAM-18316: Typo in oauth2 template (templates/touch/authorize.ftl)

  • OPENAM-18306: OAuth2 Authorization Code Grant Fails when including scope parameter at access_token endpoint

  • OPENAM-18258: Failed to load configuration for OAuth2Provider observed after upgrade

  • OPENAM-18241: Permit OAuth2 Modification Script to return scopes as a space-delimited string

  • OPENAM-18235: IdPAdapter does not have access to IDPCache in preSendResponse hook when there is an existing session

  • OPENAM-18227: Upgrade from 6.0.x / 6.5.x can fail at Unsupported node type PersistentCookieDecisionNode

  • OPENAM-18212: Check for user/agent profile condition during login can be refined further

  • OPENAM-18207: Global Service cache is not updated by changes from other servers in a site

  • OPENAM-18205: Excessive logging occurs when agent profile is not found

  • OPENAM-18180: No TransactionId present for AuthTreeExecutor

  • OPENAM-18171: Back-Channel logout keeps adding to trackingIds audit for every logout

  • OPENAM-18167: OIDC requests with request parameter fail with 500 error when there is no session using POST

  • OPENAM-18154: Wrong AMR returned with prompt=login and force authn setting enabled

  • OPENAM-18153: OpenIdConnect node call to well-known endpoint does not support proxy settings

  • OPENAM-18140: AM Error "Trying to redefine version 0.0 for path" thrown on AM startup with forgeops

  • OPENAM-18121: Slow loading in Authentication Tree

  • OPENAM-18119: Audit log no longer shows the userID of session being invalidated by amadmin

  • OPENAM-18090: Creation of UMA Policy to share a resource fails when identities have custom attributes

  • OPENAM-18085: SocialProviderHandlerNode does not work in an upgraded AM

  • OPENAM-18068: Upgrade from the AM 6.5.3 to 7.1.0 does not work, if Java Agent profile exist

  • OPENAM-18065: Logback.jsp can not be used to set log levels loggers in custom code

  • OPENAM-18057: Identities page displays Internal Server Error when a user does not have search attribute defined

  • OPENAM-18043: Device Match module not setting correct AuthLevel

  • OPENAM-18017: Creation of UMA Policy to share a resource fails when identities have custom object classes

  • OPENAM-18009: AM return HTTP error code 500 when authenticate with authIndexType service without authIndexValue

  • OPENAM-18006: Persistent search for identity store does not recover

  • OPENAM-18003: WS-Federation Active Requestor Profile does not work with Authentication Trees

  • OPENAM-17993: The org.forgerock.openam.auth.nodes.webauthn.trustanchor.TrustAnchorValidator is missing a @Nullable annotation

  • OPENAM-17979: Backchannel authentication - auth_req_id can be used to obtain multiple access tokens

  • OPENAM-17962: LDAP Decision Node does not put updated password in transient state

  • OPENAM-17954: Accept-Language header locale ignored on OAuth2 Consent page

  • OPENAM-17935: Missing 'return' statement in the happy flow of the kerberos node

  • OPENAM-17923: Retry Limit Decision Should Not Have User Involvement when Save Retry Limit to User is Disabled

  • OPENAM-17916: When no session exists logout page redirects to login

  • OPENAM-17912: Account lockout count is not reset correctly

  • OPENAM-17896: ForgottenPassword Reset on multiple cluster not working when reset link clicked

  • OPENAM-17870: ScriptedDecisionNodes schema config not upgraded and sharedState does work after upgrade.

  • OPENAM-17863: Authorization code is not issued when nonce is not supplied when using OpenID Hybrid profile

  • OPENAM-17828: Apostrophe in username breaks Push/OATH device registration

  • OPENAM-17826: Introspect endpoint returns a static value for "expires_in" when using client based tokens

  • OPENAM-17814: Auth Tree step-up fails if username case does not match

  • OPENAM-17801: OIDC userinfo subname claim returns incorrect value

  • OPENAM-17793: OIDC pairwise subject not working when multiple redirect URIs configured with the same hostname

  • OPENAM-17782: Policy evaluation fails with 400 error when user does not exist

  • OPENAM-17774: Missing exp claim throws NullPointerException on CIBA bc-authorize endpoint

  • OPENAM-17773: The acr_values parameter is mandatory on CIBA bc-authorize endpoint

  • OPENAM-17760: PEM support incorrectly decodes some EC private keys

  • OPENAM-17738: Java Agent "Client IP Validation Mode" property does not work when key is empty from XUI

  • OPENAM-17718: OAuth2 Introspection endpoint does not accept Accept header with extra accept extension param (like weight q=0.8) or charset

  • OPENAM-17678: Radius server fails to initialize on startup due to Config cache refreshed

  • OPENAM-17677: The oauth2/device/code endpoint does not support locale parameter

  • OPENAM-17663: Improve the error response code for "Failed to revoke access token"

  • OPENAM-17630: JMS Audit logging broken and cannot start up

  • OPENAM-17610: OTP Email Sender node does not allow specifying connect timeout and IO/read timeout for underlying transport.

  • OPENAM-17590: OIDC login hint cookie broken since 7.0

  • OPENAM-17587: OIDC bearer token authentication module requires context value setting for client secret

  • OPENAM-17493: OAuth2 node does not support external proxy authentication (user/pass)

  • OPENAM-17405: Token introspection response not spec compliant

  • OPENAM-17320: Revisit prompt=login behaviour change that keeps existing session

  • OPENAM-17265: Wrong authorized_keys file updated

  • OPENAM-17262: Subname claim inconsistences

  • OPENAM-16988: The accessedEndpoint including port causes verify Assertion Consumer URL to fail

  • OPENAM-16881: SAML federation library stopped supporting ACS URLs with query parameters

  • OPENAM-16653: Identity using fr-idm-uuid has wrong account ID in FR Authenticator

  • OPENAM-16642: Server id creation can fail when id is greater than 100

  • OPENAM-16554: Misplaced bufferingEnabled checkbox in New Syslog configuration

  • OPENAM-16491: SAML Update introduces javascript calls that aren’t available in IE8 and below (or IE11 using Enterprise mode)

  • OPENAM-16418: Client auth using private_key_jwt fails with 500 if claim format is wrong

  • OPENAM-16216: Get Session Data node improvements

  • OPENAM-15861: NullPointerException in CollectionHelper.getServerMapAttrs

  • OPENAM-15740: Document _fields is case sensitive

  • OPENAM-15278: "Access Denied" error when accessing logout link and not currently signed in

  • OPENAM-13855: CTS creates too many connections to DS

  • OPENAM-13312: Stateless non-expiring refresh tokens fail with "invalid_grant"

  • OPENAM-11636: IdP-Proxy - proxyidpfinder.jsp is not triggered when 'Use IDP Finder' is enabled for remote SP entity

AM 7.1

  • OPENAM-17396: Terms of Service URI Link does not Display in Consent Page

  • OPENAM-17395: SocialOpenIdConnectNode fails to recover from client’s connection reset

  • OPENAM-17365: Checking agent type with caller token can cause deadlock

  • OPENAM-17364: Prompt login / session upgrade / OIDC ACR looping with trees

  • OPENAM-17361: API Explorer Swagger Template body needs to be modified to include configExport, debugLogs and threadDump as per the API Documentation

  • OPENAM-17357: Remote Consent Service RCS does follow RCS consented scope when authorization endpoint accessed without any scope

  • OPENAM-17353: HTML pages are not picked up when placing in a theme folder

  • OPENAM-17349: OIDC Refresh token - Ops token is deleted from the CTS during refresh

  • OPENAM-17343: Access token call returns 500 error if password needs to be changed or has expired

  • OPENAM-17322: SAML2 bearer grant returns NoUserExistsException

  • OPENAM-17317: A realm without any modules can cause increased thread count and slow response.

  • OPENAM-17276: AM recorder does not record anymore

  • OPENAM-17271: Typo for Realm in SAML/Federation debug

  • OPENAM-17260: Allow arg=newsession usage in authorize calls

  • OPENAM-17242: OAuth2 Policy - Environment Condition AuthLevel >= doesn’t work for ROPC grant

  • OPENAM-17220: OAuthLogout.jsp compilation error isGotoUrlValid method signature not found

  • OPENAM-17199: Insufficient debug logging for 'DJLDAPv3Repo.getAssignedServices'

  • OPENAM-17156: Adaptive Risk checkGeoLocation null countryCode can cause module fail.

  • OPENAM-17136: OAuth2 Dynamic Client Registration does not recognise spec-defined parameters

  • OPENAM-17121: Inefficient synchronized block in OAuth2ProviderSettingsFactory

  • OPENAM-17114: Save Consent check box always shown, even when not configured

  • OPENAM-17097: Inconsistent scope policy evaluation between authorize and ROPC

  • OPENAM-17089: Forgot password functionality broken

  • OPENAM-17070: SAML2 SP initiated SSO with AM as idp Proxy, RelayState is not returned from proxy after idp authentication

  • OPENAM-17060: Audit Logging "Resolve host name" is still available after OPENAM-7849

  • OPENAM-17037: AM Upgrade from 6.0.0.7 to 7.0.0 causing NPE

  • OPENAM-17034: In a realm if User Profile is set to Ignored the realm level Session Service quota settings are also ignored and only the Session Service setting at top level/global is evaluated

  • OPENAM-17017: REST STS fails with unable to get sub-schema if cache is refreshed while updating REST config

  • OPENAM-17006: Hosted SAML entity - can not remove bindings

  • OPENAM-16998: Poor logging around failures "Invalid Assertion Consumer Location specified"

  • OPENAM-16997: Device code grant implied consent fails if access_token request performed before user authenticates

  • OPENAM-16988: Accessed endpoint including port causes verify Assertion Consumer URL to fail

  • OPENAM-16955: When setCookieToAllDomains=false is used, a non matching request from other domain will fail

  • OPENAM-16947: Kerberos Node in 7.0 fails to return goTo(false)

  • OPENAM-16944: LDAP Decision node fails if inetuserstatus does not exist

  • OPENAM-16936: Tree nodes create new keystore object each time node is called.

  • OPENAM-16935: Logout issue after logging into AM with 'Remember my username' selected with iOS 14.0.1

  • OPENAM-16934: sm.getSchemaManager has a typo including a comma

  • OPENAM-16926: Success URL node doesn’t work with SAML Node for Idpinit when not using Integrated mode

  • OPENAM-16910: Can not create SAML entity with entity id including a semicolon ';'

  • OPENAM-16907: Kerberos Node in 7.0 does not work

  • OPENAM-16904: OIDC bearer module fails with NPE when id_token does not contain kid

  • OPENAM-16883: AM ignores AuthnRequestsSigned property during SSO

  • OPENAM-16876: Default ACR values on OIDC client profile is not honoured in order of preference

  • OPENAM-16866: AM should fail gracefully if id_token fails to generate when swapping refresh token

  • OPENAM-16849: WeChat Social Auth module broken (regression)

  • OPENAM-16848: Choice Collector and WDSSO node combination does not work if whitelisting is enabled

  • OPENAM-16847: AM email service failing with 'Start TLS' option

  • OPENAM-16838: AuthenticationApproachChecker does not handle session upgrade modules

  • OPENAM-16823: IDM Nodes do not send or propagate transactionId tracking when contacting IDM

  • OPENAM-16807: The dynamic values for request_uri being stored in client config does not expire and is not automatically removed

  • OPENAM-16801: SAML2 SP init SSO fails after upgrade to 7.0.0

  • OPENAM-16784: Upgrade to 7 fails with NullPointerException in Saml2EntitySecretsStep

  • OPENAM-16769: Enabling Auto-federation when User Profile is Dynamic on SP causes SP to hang during SAML flow

  • OPENAM-16758: Cannot install AM 7 on Windows

  • OPENAM-16745: client_id in access token ignores what’s been registered when idm cache is disabled

  • OPENAM-16726: Insufficient debug logging for OAuth2 error 'invalid_client Server does not support this client’s subject type'

  • OPENAM-16703: OAuth2 Access token obtained from refresh token is certificate-bound regardless of "Certificate-Bound Access Tokens" configuration (when client_secret_basic used for credentials)

  • OPENAM-16701: The authorize endpoint with a service parameter will cause the parameter to appear as a PAP claim in the agent’s ID token

  • OPENAM-16684: OIDC Dynamic Registration client_description cannot take String type

  • OPENAM-16669: IdentityGateway Agent entry missing attribute required to support org.forgerock.openam.agent.TokenRestrictionResolver#getAgentInfo

  • OPENAM-16617: SuccessURL session property is set to gotoURL in authentication tree

  • OPENAM-16608: AM with embedded DS setup fails with permission denied for truststore

  • OPENAM-16583: Crucial information is missing when encountering LDAP connections issue.

  • OPENAM-16556: Radius Server does not log IP address into AM Audit logs

  • OPENAM-16555: Audit logging does not tell which policy allowed or denied a resource request

  • OPENAM-16540: Issues with Social Login URLs when navigating quickly between providers

  • OPENAM-16535: "JWKs URI content cache miss cache time" is not triggered when "kid" is missing from cached JWK Set

  • OPENAM-16515: Social auth - insufficient debug logging for troubleshooting

  • OPENAM-16485: 'Failed Login URL' is not picked up from the auth chain

  • OPENAM-16472: Proxied Authentication fallback may not work when user entry lacks some attributes

  • OPENAM-16450: 501 when default resource version set to "oldest" and Accept-API-Version header set

  • OPENAM-16418: private_key_jwt client auth fails with 500 if claim format is wrong

  • OPENAM-16368: Settings of Mail and Scripting global service properties are overwritten at upgrade

  • OPENAM-16367: OIDC request_uri response causes NPE while debug logging

  • OPENAM-16354: Concurrency bug in OAuth2ProviderSettingsFactory

  • OPENAM-16338: Failing REQUISITE module after SUFFICIENT Device Match doesn’t fail chain properly

  • OPENAM-16157: Session Property Whitelist Service allows case variant Property Names but DS is not case sensitive

  • OPENAM-16152: After upgrade, new Identity page has duplicate 'new identity' field and email address does not save

  • OPENAM-16006: Device Code Grant does not work with Implied Consent as Authorization is not approved even after consented

  • OPENAM-15963: Historical retention files ( csv ) were not deleted

  • OPENAM-15948: Update DS profiles to add VLV indexes for CTS use

  • OPENAM-15743: Excessive CTS logging when Reaper is disabled (com.sun.am.ldap.connnection.idle.seconds=0)

  • OPENAM-15671: LoginContext is missing debug logging for troubleshooting

  • OPENAM-15663: UserInfoClaims is not part of public API

  • OPENAM-14898: OTP Email Sender Authentication Node fails if no SMTP authentication credentials are specified

  • OPENAM-14682: Microsoft Social Auth fails when creating a Microsoft account (Legacy OAuth2)

  • OPENAM-14527: Microsoft Social Auth does not work with latest MS endpoints (Legacy OAuth2)

  • OPENAM-12503: SizeBasedRotationPolicy does not delete oldest file

AM 7.0.x

AM 7.0.2

  • OPENAM-17689: LDAPv3PersistentSearch should log when psearch connection is lost

  • OPENAM-17688: InMemoryCtsSessionCacheStep#cacheTrusted field should be marked volatile

  • OPENAM-17683: Selfservice user registration auto login fails for a sub-realm

  • OPENAM-17673: Nodes within a Page node do not have access to secure state

  • OPENAM-17672: Page Node does not expose inner nodes inputs or outputs

  • OPENAM-17630: JMS Audit logging broken and cannot start up

  • OPENAM-17591: Session quota destroy next expiring action can fail when two new sessions attempt to read and update the same expiring session

  • OPENAM-17587: OIDC bearer token authentication module requires context value setting for client secret

  • OPENAM-17570: OIDC request parameter decryption fails to find any applicable keys

  • OPENAM-17555: AM 7.x versions of Amster use Java 8 format of debug port

  • OPENAM-17517: JS versions of Social Identity Provider Profile Transformation scripts do not work due to a casting error.

  • OPENAM-17515: Sub attribute in access token can be in wrong casing

  • OPENAM-17483: SecretsPlugin upgrade from 6.5.x failing

  • OPENAM-17477: Thread-safety issue in AMAuthenticationManager

  • OPENAM-17436: JS version of the OIDC Claims script does not work due to a casting error.

  • OPENAM-17405: Token introspection response not spec compliant

  • OPENAM-17397: ssoadm can fail for some cloud-based setups due to FileBasedConfiguration check

  • OPENAM-17365: Checking agent type with caller token can cause deadlock

  • OPENAM-17364: prompt login / session upgrade / OIDC ACR looping with trees

  • OPENAM-17361: API Explorer Swagger Template body needs to be modified to include configExport, debugLogs and threadDump as per the API Documentation

  • OPENAM-17357: Remote Consent Service RCS does follow RCS consented scope when authorization endpoint accessed without any scope

  • OPENAM-17349: OIDC Refresh token - Ops token is deleted from the CTS during refresh

  • OPENAM-17337: Access token passed in request body results in failure

  • OPENAM-17324: Client credentials grant in FBC config with group inheritance causes User not Valid Error

  • OPENAM-17322: SAML2 bearer grant returns NoUserExistsException

  • OPENAM-17321: Prometheus Endpoint returns http 500 error when used with file based config

  • OPENAM-17317: A realm without any modules can cause increased thread count and slow response.

  • OPENAM-17310: 'ssoadm list-datastore-types' sub-command broken

  • OPENAM-17277: AM Recording with thread dump only shows depth of 8

  • OPENAM-17276: AM recorder does not record anymore

  • OPENAM-17274: AM should not change the supported subject types for an existing install

  • OPENAM-17271: Typo for Realm in SAML/Federation debug

  • OPENAM-17265: Wrong authorized_keys file updated

  • OPENAM-17242: OAuth2 Policy - Environment Condition AuthLevel >= doesn’t work for ROPC grant

  • OPENAM-17220: OAuthLogout.jsp compilation error isGotoUrlValid method signature not found

  • OPENAM-17199: Insufficient debug logging for 'DJLDAPv3Repo.getAssignedServices'

  • OPENAM-17175: XUI OAuth2 consent page does not render when using themes

  • OPENAM-17157: Password reset via admin console with Proxied Authorization enabled is not possible

  • OPENAM-17156: Adaptive Risk checkGeoLocation null countryCode can cause module fail.

  • OPENAM-17121: Inefficient synchronized block in OAuth2ProviderSettingsFactory

  • OPENAM-17117: Service config XML dump consumes a lot of memory (whole config is read to memory)

  • OPENAM-17114: Save Consent check box always shown, even when not configured

  • OPENAM-17102: OAuth2 client bearer authentication has insufficient logs for troubleshooting failing client authentication

  • OPENAM-17097: Inconsistent scope policy evaluation between authorize and ROPC

  • OPENAM-17089: Forgot password flow not working after initial attempt to reset password fails

  • OPENAM-17081: OAuth2 client agent group settings are not taken into account

  • OPENAM-17079: Identities and Session : unexpected returned error when trying to request a nonexistent identity

  • OPENAM-17070: SAML2 SP initiated SSO with AM as idp Proxy, RelayState is not returned from proxy after idp authentication

  • OPENAM-17066: Unable to add server to existing deployment through UI

  • OPENAM-17042: User Self Registration REST API does not generate SSO token

  • OPENAM-17019: Allowing wildcards in OAuth 2.0 clients prevents exact matching from working

  • OPENAM-17017: REST STS fails with unable to get sub-schema if cache is refreshed while updating REST config

  • OPENAM-16998: Poor logging around failures "Invalid Assertion Consumer Location specified"

  • OPENAM-16997: Device code grant implied consent fails if access_token request performed before user authenticates

  • OPENAM-16955: When setCookieToAllDomains=false is used, a non matching request from other domain will fail

  • OPENAM-16944: LDAP Decision node fails if inetuserstatus does not exist

  • OPENAM-16932: PageNode does not pick up outcomes if ScriptedDecisionNode is used inside

  • OPENAM-16910: Can not create SAML entity with entity id including a semicolon ';'

  • OPENAM-16904: OIDC bearer module fails with NPE when id_token does not contain kid

  • OPENAM-16883: AM ignores AuthnRequestsSigned property during SSO

  • OPENAM-16881: SAML federation library stopped supporting ACS URLs with query parameters

  • OPENAM-16876: Default ACR values on OIDC client profile is not honoured in order of preference

  • OPENAM-16849: WeChat Social Auth module broken (regression)

  • OPENAM-16801: SAML2 SP init SSO fails after upgrade to 7.0.0

  • OPENAM-16726: Insufficient debug logging for OAuth2 error 'invalid_client Server does not support this client’s subject type'

  • OPENAM-16651: Default configuration fails if the trust store type JVM property is not defined for the JVM

  • OPENAM-16638: AM with embedded DS setup fails when Java system keystore properties are set

  • OPENAM-16608: AM with embedded DS setup fails with permission denied for truststore

  • OPENAM-16581: SAML Authentication Module on hosted SP gets SAML No authentication context error

  • OPENAM-16556: Radius Server does not log IP address into AM Audit logs

  • OPENAM-16515: Social auth - insufficient debug logging for troubleshooting

  • OPENAM-16472: Proxied Authentication fallback may not work when user entry lacks some attributes

  • OPENAM-16364: Macaroon access tokens don’t work with the new any-realm token introspection

  • OPENAM-16262: Javadocs for IdUtils needs updating

  • OPENAM-15963: Historical retention files ( csv ) were not deleted

  • OPENAM-15214: Auth Tree - Clicking save with no changes causes render problem with node attributes inside page node

  • OPENAM-14240: FMSigProvider.verify does not tell if certificates are provided

  • OPENAM-13783: REST STS: Cannot add or modify nameID format in SAML config, and default value stated in help is incorrect

  • OPENAM-13575: Unhelpful log message when OIDC public client wants to use HMAC id token signing

AM 7.0.1

  • OPENAM-16935: Logout issue after logging into AM with 'Remember my username' selected with iOS 14.0.1

  • OPENAM-16934: sm.getSchemaManager has a typo including a comma

  • OPENAM-16907: Kerberos Node in 7.0 does not work

  • OPENAM-16877: Error when creating AM "Self-service Trees" service in native admin ui

  • OPENAM-16848: Choice Collector and WDSSO node combination does not work if whitelisting is enabled

  • OPENAM-16847: AM email service failing with 'Start TLS' option

  • OPENAM-16838: AuthenticationApproachChecker does not handle session upgrade modules

  • OPENAM-16823: IDM Nodes do not send or propagate transactionId tracking when contacting IDM

  • OPENAM-16802: Upgrade from OpenAM 7.0 to 7.1.0 SNAPSHOT causes NPE

  • OPENAM-16794: Google KMS options missing after upgrade from 6.5

  • OPENAM-16791: AMAccessAuditEventBuilder#forRequest can generate an entry with :-1 for the port

  • OPENAM-16769: Enabling Auto-federation when User Profile is Dynamic on SP causes SP to hang during SAML flow

  • OPENAM-16759: Amster on windows : AM does not restart properly after setup

  • OPENAM-16758: Cannot install AM 7 on Windows

  • OPENAM-16745: client_id in access token ignores what’s been registered when idm cache is disabled

  • OPENAM-16703: OAuth2 Access token obtained from refresh token is certificate-bound regardless of "Certificate-Bound Access Tokens" configuration (when client_secret_basic used for credentials)

  • OPENAM-16702: Saving engine configuration in FBC mode makes that config non-readable

  • OPENAM-16701: The authorize endpoint with a service parameter will cause the parameter to appear as a PAP claim in the agent’s ID token

  • OPENAM-16697: Case mismatch for realm (when using legacy realm identifier format) on well-known endpoint results in issuer with incorrect path format

  • OPENAM-16686: Cannot create a User after upgrade from 6.5.2 to 7.0.1

  • OPENAM-16684: OIDC Dynamic Registration client_description cannot take String type

  • OPENAM-16669: IdentityGateway Agent entry missing attribute required to support org.forgerock.openam.agent.TokenRestrictionResolver#getAgentInfo

  • OPENAM-16650: Authz Policy Subjects Policy.title is showing property name text

  • OPENAM-16641: OAuth2 provider supported grant types attribute missing localization property on XUI

  • OPENAM-16606: Missing "org.forgerock.openam.saml2.authenticatorlookup.skewAllowance" property in server defaults

  • OPENAM-16594: ssoadm help should be updated to reflect changes in AME-18650 / OPENAM-16155

  • OPENAM-16583: Crucial information is missing when encountering LDAP connections issue.

  • OPENAM-16555: (audit) logging does not tell which policy allowed or denied a resource request

  • OPENAM-16551: Scalar String in OAuth2 Access Token Modification Script result in Unable to Obtain Access Token

  • OPENAM-16545: Upgrade to AM 7.0.0 can cause problems with properties being overridden for some web agents

  • OPENAM-16485: 'Failed Login URL' is not picked up from the auth chain

  • OPENAM-16483: XUI - Typo in SAML SP "Default Relay State Url" label

  • OPENAM-16368: Settings of Mail and Scripting global service properties are overwritten at upgrade

  • OPENAM-16367: OIDC request_uri response causes NPE while debug logging

  • OPENAM-16354: Concurrency bug in OAuth2ProviderSettingsFactory

  • OPENAM-16338: Failing REQUISITE module after SUFFICIENT Device Match doesn’t fail chain properly

  • OPENAM-16157: Session Property Whitelist Service allows case variant Property Names but DS is not case sensitive

  • OPENAM-16152: After upgrade, new Identity page has duplicate 'new identity' field and email address does not save

  • OPENAM-16006: Device Code Grant does not work with Implied Consent as Authorization is not approved even after consented

  • OPENAM-15671: LoginContext is missing debug logging for troubleshooting

  • OPENAM-15663: UserInfoClaims is not part of public API

  • OPENAM-14682: Microsoft Social Auth fails when creating a Microsoft account (Legacy OAuth2)

  • OPENAM-14527: Microsoft Social Auth does not work with latest MS endpoints (Legacy OAuth2)

  • OPENAM-11706: Policies in a policy set are not visible in Internet Explorer IE

AM 7.0

  • OPENAM-16433: Audit Logging change of behaviour when capturing "principals" and "userid" data for each authentication entry.

  • OPENAM-16425: AM does not handle malformed/incorrect signature correctly

  • OPENAM-16402: The passwordpolicy.allowDiagnosticMessage should be applicable to admin and selfservice password change.

  • OPENAM-16379: URL fragments like # cause forbidden login in the XUI

  • OPENAM-16284: XUI does not handle Special Chars / UTF-8 in realms properly.

  • OPENAM-16279: AgentsRepo cannot recover when it fails especially on external Application store.

  • OPENAM-16251: OIDC authentication request with parameters 'prompt=none' and 'acr_values=' triggers authentication

  • OPENAM-16240: REST STS under subrealm cannot generate id_token with realm claim

  • OPENAM-16233: Policy evaluation fails when subject not found (even in ignore profile)

  • OPENAM-16214: Push Authentication Module does not work on Session Upgrade when User Cache disabled

  • OPENAM-16184: Zero Page Login Collector does not work with UTF-8 base 64 encoded usernames and passwords

  • OPENAM-16165: social authmodule causes NullPointerException

  • OPENAM-16164: social authmodule fails if OIDC provider uses algorithm RS256 to sign Id Token

  • OPENAM-16136: queryFilter only matches against first entry in array

  • OPENAM-16132: When TtlSupport is enabled, Stateless OAuth2 Refresh token and JWT whitelist fails on synchroniseExpiryDates

  • OPENAM-16032: Unable to delete devices with Recovery Code Collector Decision Node

  • OPENAM-16031: Intermittent error message when concurrent obtain SSO Token ID with session quota constraints

  • OPENAM-16014: An invalid user passed to any WebAuthn node throws NPE and breaks the Tree flow

  • OPENAM-16013: Mismatched kid from Json Web Key URI when Specified Encryption Algorithm

  • OPENAM-16009: Windows Desktop SSO node full adoption and compliance with tree node specifications

  • OPENAM-15989: OAuth2 client_id should be url-decoded when using basic auth

  • OPENAM-15982: OIDC - JWT Request Parameter returns errors in query, not in the fragment when consent is denied

  • OPENAM-15970: Access Token introspect Fails in subrealm after root realm modified

  • OPENAM-15944: WS-Federation - RPSignin Request fails because config data is used unchecked

  • OPENAM-15905: Login failure with Post Authentication Plugin on timed out Authentication session throws NullPointerException

  • OPENAM-15900: Kerberos fails when used with IBM JDK

  • OPENAM-15896: WS-Federation relying party initiated passive request - stuck at Account Realm selection

  • OPENAM-15881: Custom AM User (amUser.xml) field does not use default values from the schema

  • OPENAM-15858: Auth Tree fails before 'Max Authentication Time' is reached if authentication session state management scheme CTS is used

  • OPENAM-15853: External UMA store fails on resource creation

  • OPENAM-15805: idtokeninfo endpoint gives invalid signature error when ID Token is expired

  • OPENAM-15785: OIDC spec violation - HTTP POST can not be used to send Authentication Request

  • OPENAM-15784: Form elements in policy environment condition tab are displayed twice

  • OPENAM-15766: LoginState - account lockout is checkout although AM AccountLockout is disabled

  • OPENAM-15758: KeyStore Secret Store fails to start due to secretId having some characters.

  • OPENAM-15750: ERROR: OAuth2Monitor: Unable to increment "oauth2.grant" metric for unknown grant type BACK_CHANNEL

  • OPENAM-15724: SAML2 entities do not set amlbcookie if there is only one server

  • OPENAM-15713: AM SP drops the 80 characters RelayState silently for HTTP Redirect

  • OPENAM-15698: IdP-initiated SSO fails with error 'Error processing AuthnRequest. IDP Session is NULL'

  • OPENAM-15697: Default ACR values from OAuth2 provider not taken into account

  • OPENAM-15694: RestSTSServiceHttpRouteProvider causes memory leak by adding route for every access

  • OPENAM-15679: The option "com.sun.am.ldap.connnection.idle.seconds" has a misspelling

  • OPENAM-15670: DeviceIdSave auth module initialization fails if username is null

  • OPENAM-15667: AM debug log does not tell which auth-module was handled - needed for troubleshooting

  • OPENAM-15645: The &refresh=true|false parameter for _action=validate is not working as expected

  • OPENAM-15632: OAuth2 Refresh token lifetime with -1 (never expires) cannot work with CTS TTL support

  • OPENAM-15628: Grant-Set Storage Scheme for CTS does not work with CIBA Flow

  • OPENAM-15627: Switching CTS Storage Scheme to "Grant-set" fails with stateless refresh-tokens created with "One-To-One"

  • OPENAM-15579: AM cookies are not set after successful SP-initiated SSO flow if SP Adapter calls 'response.sendRedirect(String)'

  • OPENAM-15559: OATH module broken in Japanese locale

  • OPENAM-15533: WS-Federation doesn’t work with Authentication Trees

  • OPENAM-15530: OAuth2/OIDC - Resource Owner Password flow with a public client creates an AM session in CTS

  • OPENAM-15520: XUI Localisation Falls Back To AM-Default "EN" Instead Of Language-Default

  • OPENAM-15508: moduleMessageEnabledInPasswordGrant does not apply to Trees

  • OPENAM-15507: 500 error when calling /revoke or /refresh endpoint with wrong token

  • OPENAM-15501: Xml encryption 1.1 namespaces aren’t always mapped to prefixes correctly

  • OPENAM-15494: AM expects nonce request parameter in authorize request when no id_token will be returned

  • OPENAM-15491: Self service password reset returns 500 Internal Server Error, when new password rejected by datastore password policies.

  • OPENAM-15489: WebAuthN Auth Node Doesn’t Respect UV=Discouraged During AuthN

  • OPENAM-15465: Sending HTTP Callback from Inner Tree Evaluator Fails Authentication

  • OPENAM-15459: When Encrypted Attributes on SP is set only with AutoFederation enabled, the attributes get decryption error

  • OPENAM-15425: OIDC endsession - encrypted id_tokens are not supported

  • OPENAM-15374: OpenID Client authentication with private_key_jwt and client_secret_jwt does not enforce required jti claims

  • OPENAM-15355: PageNode with multiple InputNodes without value throws Unsupported InputOnlyPasswordCallback

  • OPENAM-15349: Access Token request returns a 500 error

  • OPENAM-15345: at_hash value generated does not take the latest modified access token

  • OPENAM-15323: ROPC with tree throws "Internal Server Error (500)" when user credentials are incorrect using AuthTree

  • OPENAM-15307: Trees Example is not working as expected OOTB to ?service=Example

  • OPENAM-15303: Claims with multiple values in issued_token from REST STS represented inconsistently.

  • OPENAM-15244: AM configuration does not perform schema extension for identity store although it has the permissions

  • OPENAM-15210: Authentication nodes that are assigned AuthType values may not work in the Session Upgrade case with custom modules

  • OPENAM-15164: CDSSO with "ignore profile" throws "No OpenID Connect provider"

  • OPENAM-15160: LDAP Decision Node throws NPE when custom LDAP server returns LDAP code 50 on bind

  • OPENAM-15150: Upgrade fails when there is a bad Token Signing ECDSA public/private key pair alias field

  • OPENAM-15147: HTTP 500 upon accessing openam/json/

  • OPENAM-15145: OpenAM Scope Validator calls getUserInfo twice when creating IdToken

  • OPENAM-15121: Persistent Cookie Auth Tree does not work after the second relogin ( with browser closed )

  • OPENAM-15117: KeyVault KeyStoreType not supported

  • OPENAM-15116: Auth ID jwt can be modified to determine whether a realm exists or not

  • OPENAM-15105: Unable to get trusted devices using REST API

  • OPENAM-15101: Remove the ability to disable XUI

  • OPENAM-15089: SAML SLO - Allow RelayState to be a path-relative URL

  • OPENAM-15076: webAuthn config does not allow for multiple origins under the same rpId

  • OPENAM-15044: OpenID connect id_token bearer Module Unable to obtain SSO Token due to OpenIDResolver Caching

  • OPENAM-15036: Cannot view/manage SAML IdP entity in console, imported from schema compliant meta data file

  • OPENAM-15028: Cannot load metadata in ssoadm without extended metadata

  • OPENAM-15012: OIDC - JWT Request Parameter returns errors in query, not in the fragment

  • OPENAM-14995: IdP Initiated single logout only performs local logout if IdP session cannot be found in cache

  • OPENAM-14991: Changes to boot.json are overwritten

  • OPENAM-14979: NPE in UtilProxySAMLAuthenticatorLookup if there is a failure to find cached oldSession in sessionUpgrade

  • OPENAM-14977: PKCE Code challenge method for Authorization Code if not set should use plain

  • OPENAM-14966: Performing access_token with arbitrary text as trusted cert header causes server error

  • OPENAM-14919: Unnecessary 'Unable to parse packet received from RADIUS client' log entries in log file

  • OPENAM-14901: XUI - SAML2 module doesn’t redirect to IDP if it’s 2nd in the chain

  • OPENAM-14895: user identity creation fails with "Identity *" of type user not found

  • OPENAM-14893: XUI displays multiple error messages when an authentication session times out

  • OPENAM-14889: Upgrade of Persistent Cookie auth module fails

  • OPENAM-14883: OAuth2/OIDC - Issuing client secret to Public clients during registration

  • OPENAM-14881: AM Proxied authorization feature on DataStore does not work with locked or expired DJ accounts for password change (gives errorcode=123)

  • OPENAM-14867: AuthType is not set for Authentication Tree (AnyKnownUserAuthzModule fails in AuthTree)

  • OPENAM-14859: ROPC throws "Internal Server Error (500)" when 'Password Grant authentication service' is empty

  • OPENAM-14858: When NameIDPolicy does not contain Format=.., remoteEntityID is passed as null

  • OPENAM-14848: Insufficient debug logging in OpenID Connect authentication module

  • OPENAM-14845: user info endpoint does not correctly handle Certificate Bound Access Tokens

  • OPENAM-14829: AuthSchemeCondition doesn’t return realm aware policy condition advice

  • OPENAM-14825: OAuth2 Dynamic Registration with Software Statement triggers objectClass=* search

  • OPENAM-14804: Memory leak when running UMA RPT soak test

  • OPENAM-14799: Unable to update Agent profile using REST

  • OPENAM-14794: User privileges are removed from group if another group is given same privilege

  • OPENAM-14786: idpSingleLogoutPOST throws error 500 IllegalStateException on SLO

  • OPENAM-14783: PKCS11 KeyStore does not work on IBM JVM

  • OPENAM-14782: AuthTree created Session does not use per User Session Service settings

  • OPENAM-14766: introspect and tokeninfo endpoints return Internal Server Error 500 in some invalid tokens

  • OPENAM-14717: mailto attribute has a space between ':' and mail address

  • OPENAM-14694: Consent page still shows claim values even when supported claim description is omitted

  • OPENAM-14651: OAuth2 GrantSet E-Tag Assertion Failures due to Stale Reads

  • OPENAM-14581: handling ManageNameID fails if NameID does not include SPNameQualifier

  • OPENAM-14578: WDSSO failing but no fallback…

  • OPENAM-14573: amlbcookie is not secure when authenticating with trees

  • OPENAM-14572: prompt=login destroys and creates new session

  • OPENAM-14570: OAuth mTLS DN comparison fails when DER-encoding is different

  • OPENAM-14548: consent page still shows what’s been granted/removed as a result of OAuth2 scope policy evaluation

  • OPENAM-14546: SSOADM access not audited to the ssoadm.access logs anymore

  • OPENAM-14539: SAML SLO with multi protocols

  • OPENAM-14529: UMA RPT expiry time incorrect in CTS

  • OPENAM-14523: NullPointerException in IdP-initiated ManageNameIDRequest using SOAP Binding

  • OPENAM-14503: SAML2 - Key Transport Algorithm - RSA OAEP must be supported

  • OPENAM-14483: If there is no token, then landing on the AM login page will result in 2 getSessionInfo Requests = 401 UnAuthZ

  • OPENAM-14480: AuthLoginException is lost

  • OPENAM-14471: Failed to create root realm for data store (External Policy | Application)

  • OPENAM-14465: SAML2 Artifact binding fails on multi-instance / multiserver IDP setup with SAML2 Failover on

  • OPENAM-14464: XUI sends the following message "Loading custom partial "${partialPath}" failed. Falling back to default." to the browser console when a custom theme is used

  • OPENAM-14450: userinfo typo in Claims.java

  • OPENAM-14426: Unable to add external data store in AM (Policy | Application) when using TLS/SSL

  • OPENAM-14419: Policy evaluation returns search results for all policies that match outside of specified application

  • OPENAM-14393: "CTS Operation Fails: Entry Already Exists" logged after SAML2 authentication is done

  • OPENAM-14391: Self Service Link not Displayed when Using Authentication Tree

  • OPENAM-14378: 'Set Persistent Cookie' node sets domain cookies in only one domain despite multiple Cookie Domains set

  • OPENAM-14369: Upgrading from OpenAM 13.5.0 with custom PAPs causes NPE failure

  • OPENAM-14362: UMA load test fails with Invalid resource type error

  • OPENAM-14353: Error Message not Displayed when Change Password does not Meet Password Policy

  • OPENAM-14337: Fail gracefully when request OIDC token using "Pairwise" Subject Type and no Redirection URI is configured in client

  • OPENAM-14313: Audit Logging - STS transformations create duplicate entries

  • OPENAM-14310: CheckSession page indicates the session is not valid

  • OPENAM-14294: am-external Git repository 6.5 has bad source

  • OPENAM-14281: IdP Proxy relays wrong AuthnContextClassRef

  • OPENAM-14239: FMSigProvider.verify NPE with null input for certificates

  • OPENAM-14233: updated_at claim in the ID Token is returned as a string and not a number

  • OPENAM-14232: Performance issue when creating resource_set in UMA with many existing resource_set

  • OPENAM-14229: custom AuthorizeTemplate under theme not used

  • OPENAM-14213: Cannot view SAML SP entity imported with missing AuthnRequestsSigned attribute

  • OPENAM-14212: SAML redirect to login page fails if AM installed into the root context

  • OPENAM-14200: Social auth modules do not work when AM is installed into the root context

  • OPENAM-14189: effectiveRange of Time environment condition has an issue

  • OPENAM-14175: CTS updates on multivalue attributes may throw Duplicate values exception

  • OPENAM-14174: AM shows Ldapter.delete exception when session expiry is triggered

  • OPENAM-14167: HTML tags are shown as part of the messages in Change Password section of AD Authentication module

  • OPENAM-14147: arg=newsession in XUI just shows the "Loading…" page

  • OPENAM-14115: Sample Auth module does not work in a chain when used with Shared-state

  • OPENAM-14112: Using client-based sessions when acting as SP can lead to an out-of-date client-based session cookie

  • OPENAM-14111: Refresh Token flow not enabled on OAuth2 Client can still use Refresh Token flow

  • OPENAM-14062: Redirect to Failure URL does not occur when authentication tree is not interactive

  • OPENAM-14054: XUI Custom templates and Partials not applied consistently

  • OPENAM-14053: Cannot build AM UI in Windows for Yarn using mvn

  • OPENAM-14040: LdifUtils debug logging prints out wrong classname

  • OPENAM-14018: Radius Authentication Module Primary and Secondary Radius Server help button shows server:port when it should be server

  • OPENAM-13999: Custom node containing ConfirmationCallbacks fails when dropped in a page node

  • OPENAM-13991: 'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm

  • OPENAM-13978: Session Upgrade - AuthLevel format changes

  • OPENAM-13942: SAML2 Circle of Trust - REST Update doesn’t update the metadata of the provider

  • OPENAM-13934: saml2error.jsp fails with exception when malformed SAML2 response given

  • OPENAM-13900: OAuth2 Device flow - duplicate user_code error after authenticating user

  • OPENAM-13892: Erroneous "Response’s InResponseTo attribute is not valid error "SAML2 failover is enabled" when it is not

  • OPENAM-13890: Install.log logs AMLDAPUSERPASSWD for unprivileged demo user in plaintext

  • OPENAM-13851: Rest STS cannot be created in the Console when upgrading to 6

  • OPENAM-13831: RP-Initiated Logout does not handle state parameter

  • OPENAM-13779: Session API - _action=refresh requires an admin token

  • OPENAM-13764: Monitoring logs in ERROR for "Agent.configAgentsOnly:agent type = OAuth2Client"

  • OPENAM-13720: Public API method LDAPUtils.convertToLDAPURLs can not handle IPv6 literals

  • OPENAM-13490: Software Publisher Agent - Secret is not saved when creating an Agent

  • OPENAM-13465: Dynamic client registration sets wrong subjectType

  • OPENAM-13446: Social Auth Service doesn’t redirect if already using another chain

  • OPENAM-13419: LDAPPolicyFilterCondition doesn’t set request timeout

  • OPENAM-13324: /users/{user}/devices/trusted REST queryFilter expression does not work and acts as "true"

  • OPENAM-13064: OAuth2 - SAML v.2.0 Bearer Assertion Grant - SubjectConfirmationData element should be optional

  • OPENAM-13000: Custom authentication module with a single ChoiceCallback value is processed without confirmation

  • OPENAM-12955: Resource Owner Password Credentials Grant does not work with trees

  • OPENAM-12759: max_age should be a number, not a string

  • OPENAM-12574: SAML2Utils.sendRequestToOrigServer throws NullPointerException on processing Cookies

  • OPENAM-12498: Authorization Grant response returns scope(s) in the URL

  • OPENAM-12228: WebAgent REST API queryFilter expression does not work and acts as "true"

  • OPENAM-12186: Introspect endpoint for RPT does not check the authorization scheme

  • OPENAM-11921: Incorrect NameId Format offered for SAML2 auth module in console

  • OPENAM-11863: CORSFilter position in web.xml should come before most filters

  • OPENAM-11778: Getting accessToken using authorization_code results in Unhandled exception

  • OPENAM-11338: OpenID Connect id_token bearer auth module mixes up aud, azp during verification

  • OPENAM-10869: SAML2 Authentication module returns ambiguous "Unable to link local user to remote user" error

  • OPENAM-10843: When generating an OIDC token through STS a "kid" value is not specified

  • OPENAM-10127: SessionMonitoringStore should only be instantiated when monitoring is enabled

  • OPENAM-9931: Global Session Service - two fields with the exact same name (Redundant 'Global Attributes' setting should be removed)

  • OPENAM-9777: Json Web Key URI in OAuth2 OpenID connect client config pre-populated incorrectly

  • OPENAM-9459: 500 Internal Server Error from changePassword endpoint with AD repo

  • OPENAM-5867: Data Store LDAP server (admin-ordered) list is reordered by OpenAM

AM 6.5.x

AM 6.5.5

  • OPENAM-19613: PSearch is already removed error message should be warning

  • OPENAM-19506: Installer fails after pressing "cancel" button at amadmin password page

  • OPENAM-19455: Adding Authentication Context without Level value results in uneditable entity

  • OPENAM-19380: Social Google node does not work if placed after an input collector in a tree

  • OPENAM-19290: In a cluster, changing AM debug level on local (AM2) to remote (AM1) does not have effect until restart of AM1

  • OPENAM-19281: OIDC dynamic client registration cannot handle "\n" in the client_description

  • OPENAM-19220: WebAuthN/Fido - can not authenticate with recovery codes on Windows

  • OPENAM-19208: Webhook with an empty url field throws NPE during a webhook session upgrade

  • OPENAM-19190: LDAPAuthUtils for BASE_OBJECT does not work with special userId characters

  • OPENAM-19171: Realm admin unable to call "policies?_action=evaluate"

  • OPENAM-19123: AM validates duplicate registration tokens

  • OPENAM-19122: AM’s jwks_uri endpoint should preserve order of keys within the set

  • OPENAM-19111: Insufficient debug logging to troubleshoot error "Illegal arguments: One or more required arguments is null or empty" when performing user identity subject update via REST API

  • OPENAM-19108: "Agent" auth tree creates tokens with insufficient permissions

  • OPENAM-19083: Creating a client-based access & refresh token breaks subsequent use of Session Quotas

  • OPENAM-18990: Non-compliant OAuth2 error response generated

  • OPENAM-18928: Client credential OAuth2 request results in searches for OAuth2 client against Identity Store

  • OPENAM-18921: Double slashes in oauth2 claim name handled incorrectly

  • OPENAM-18883: Inconsistent error response from Client authentication using private_key_jwt

  • OPENAM-18864: Upgrade Radius Server Client Secrets fails due to service config cache cleared

  • OPENAM-18833: Client authentication using private_key_jwt will cause 500 if claims value is null

  • OPENAM-18756: Entering correct OTP after an incorrect OTP fails authentication

  • OPENAM-18753: Upgrading AM Radius server with clients causes Radius auth failures

  • OPENAM-18679: OATH Registration node doesn’t work when placed inside a 'Page' node

  • OPENAM-18655: Deleting OAuth2 Client causes unnecessary notification error message in IdRepo

  • OPENAM-18610: RealmOAuth2ProviderSettings for getJwks permits an empty set

  • OPENAM-18586: No debug message when AM can’t read the encrypted_base64 folder after upgrade

  • OPENAM-18573: URLPatternMatcher or RedirectURLValidator fails when query string contains "%20"

  • OPENAM-18477: Choice Collector Callback fails to replaceSharedState() using Action.send() method inside Page Node

  • OPENAM-18377: Authorization fails using auth module if user has authenticated with alias name

  • OPENAM-18372: After upgrade from 5.1.1 to 6.5.4 Mail server secure connection value is displayed incorrectly in XUI

  • OPENAM-18359: Choice Collector Node not present following upgrade

  • OPENAM-18306: OAuth2 Authorization Code Grant Fails when including scope parameter at access_token endpoint

  • OPENAM-18268: webauthnDeviceProfiles is not multi-valued for AD

  • OPENAM-18140: AM Error "Trying to redefine version 0.0 for path" thrown on AM startup with forgeops

  • OPENAM-18121: Complex authentication trees load slowly

  • OPENAM-18113: LDAP auth node - change of connection mode does not re-create the connection pool

  • OPENAM-18090: Creation of UMA Policy to share a resource fails when identities have custom attributes

  • OPENAM-18062: SPACSUtils withholds exception and does not log error

  • OPENAM-18030: Message node shows inconsistent behavior regarding the default locale

  • OPENAM-18006: Persistent search for identity store does not recover when re-configuring identity store

  • OPENAM-18005: Insufficient error message to troubleshoot persistent search issue

  • OPENAM-17962: LDAP Decision Node does not put updated password in transient state

  • OPENAM-17904: JSON Audit Log Location not working when modifying location to only include %SERVER_URI% variable

  • OPENAM-17882: Slow memory leaks when persistent search starts a retry activity when persistent search fails

  • OPENAM-17593: Deadlock when admin token is invalid and when config data is cleared

  • OPENAM-16490: OWASP ESAPI lib is missing some classes

  • OPENAM-15682: AM jwks_uri doesn’t reflect changes to secret mappings

  • OPENAM-15472: HOTP - text for performed attempts is hard-coded and not localisable

  • OPENAM-15408: oauth2/connect/jwk_uri does not expose keys of the remote consent agent profile

  • OPENAM-14343: AM console - localization issue for algorithms in global Common Federation Configuration

  • OPENAM-13912: Node implementations are loading the resource bundles incorrectly

  • OPENAM-13855: CTS creates too many connections to DS

  • OPENAM-13312: Stateless non-expiring refresh tokens fail with "invalid_grant"

  • OPENAM-12992: Misleading error message in XUI console for existing DNS alias

  • OPENAM-12101: Connection pool not restarted if LDAP authentication module admin bind password is incorrect

AM 6.5.4

  • OPENAM-18316: Typo in oauth2 template (templates/touch/authorize.ftl)

  • OPENAM-18235: IdPAdapter does not have access to IDPCache in preSendResponse hook when there is an existing session

  • OPENAM-18212: Check for user/agent profile condition during login can be refined further

  • OPENAM-18205: Excessive logging occurs when agent profile is not found

  • OPENAM-18091: Concurrent JATO COT updates can cause COT list inconsistencies

  • OPENAM-18090: Creation of UMA Policy to share a resource fails when identities have custom attributes

  • OPENAM-18049: Saml2 Module does not handle the pipe delimiter

  • OPENAM-18043: Device Match module not setting correct AuthLevel

  • OPENAM-18035: Policy retrieval of response attributes can fail when using LdapDecisionNode against different directory to identity store

  • OPENAM-18017: Creation of UMA Policy to share a resource fails when identities have custom object classes

  • OPENAM-18009: AM returns HTTP error code 500 when authenticating with authIndexType service without authIndexValue

  • OPENAM-17954: Accept-Language header locale ignored on OAuth2 Consent page

  • OPENAM-17916: When no session exists logout page redirects to login

  • OPENAM-17896: ForgottenPassword Reset on multiple cluster not working when reset link clicked

  • OPENAM-17828: Apostrophe in username breaks Push/OATH device registration

  • OPENAM-17826: introspect endpoint returns a static value for "expires_in" when using client based tokens

  • OPENAM-17815: client specific token lifetimes are not used when casing of client id differs between authentication request and token request

  • OPENAM-17814: Auth Tree step-up fails if username case does not match

  • OPENAM-17793: OIDC pairwise subject not working when multiple redirect URIs configured with the same hostname

  • OPENAM-17784: Session timeouts (maximum session time, maximum idle timeout) set incorrectly if username is dynamically created in a tree

  • OPENAM-17783: Language tag limited to 5 characters instead of 8

  • OPENAM-17782: Policy Eval fails with 400 error when user (subject) does not exist

  • OPENAM-17719: JATO Federation does not log trackingId in the audit log to permit traceability

  • OPENAM-17712: SAML2 session state not stored in-memory if it can’t be stored locally

  • OPENAM-17691: lastEmailSent attribute missing when using am-identity-store setup profile

  • OPENAM-17689: LDAPv3PersistentSearch should log when psearch connection is lost

  • OPENAM-17683: Selfservice user registration auto login fails for a sub-realm

  • OPENAM-17678: Radius server fails to initialize on startup due to Config cache refreshed

  • OPENAM-17677: oauth2/device/code endpoint does not support locale parameter

  • OPENAM-17663: Improve the error response code for "Failed to revoke access token"

  • OPENAM-17610: OTP Email Sender node does not allow specifying connect timeout and IO/read timeout for underlying transport

  • OPENAM-17591: Session quota destroy next expiring action can fail when two new sessions attempt to read and update the same expiring session

  • OPENAM-17587: OIDC bearer token authentication module requires context value setting for client secret

  • OPENAM-17548: Can’t go back to login page after invoking Social Authentication Nodes

  • OPENAM-17405: Token introspection response not spec compliant

  • OPENAM-17397: ssoadm can fail for some cloud-based setups due to FileBasedConfiguration check

  • OPENAM-17396: Terms of Service URI Link does not Display in Consent Page

  • OPENAM-17395: SocialOpenIdConnectNode fails to recover from client’s connection reset

  • OPENAM-17365: Checking agent type with caller token can cause deadlock

  • OPENAM-17364: prompt login / session upgrade / OIDC ACR looping with trees

  • OPENAM-17361: API Explorer Swagger Template body needs modification to include configExport, debugLogs and threadDump as per the API Documentation

  • OPENAM-17357: Remote Consent Service RCS does follow RCS consented scope when authorization endpoint accessed without any scope

  • OPENAM-17349: OIDC Refresh token - Ops token is deleted from the CTS during refresh

  • OPENAM-17343: Access token call returns 500 error if password needs to be changed or has expired

  • OPENAM-17322: SAML2 bearer grant returns NoUserExistsException

  • OPENAM-17320: Revisit prompt=login behaviour change that keeps existing session

  • OPENAM-17317: A realm without any modules can cause increased thread count and slow response

  • OPENAM-17271: Typo for Realm in SAML/Federation debug

  • OPENAM-17260: Allow arg=newsession usage in authorize calls

  • OPENAM-17242: OAuth2 Policy - Environment Condition AuthLevel >= doesn’t work for ROPC grant

  • OPENAM-17237: Using ODSEE on LDAP module for password reset, displays the wrong error message

  • OPENAM-17220: OAuthLogout.jsp compilation error isGotoUrlValid method signature not found

  • OPENAM-17157: Password reset via admin console with Proxied Authorization enabled is not possible

  • OPENAM-17156: Adaptive Risk checkGeoLocation null countryCode can cause module fail.

  • OPENAM-17136: OAuth2 Dynamic Client Registration does not recognise spec-defined parameters

  • OPENAM-17114: Save Consent check box always shown, even when not configured

  • OPENAM-17097: Inconsistent scope policy evaluation between authorize and ROPC

  • OPENAM-17089: Forgot password flow not working after initial attempt to reset password fails

  • OPENAM-17081: OAuth2 client agent group settings are not taken into account

  • OPENAM-17070: SAML2 SP-initiated SSO with AM as IdP Proxy, RelayState is not returned from proxy after IdP authentication

  • OPENAM-17060: Audit Logging "Resolve host name" is still available after OPENAM-7849

  • OPENAM-17042: User Self Registration REST API does not generate SSO token

  • OPENAM-17034: In a realm, if User Profile is set to Ignored the realm-level Session Service quota settings are also ignored and only the Session Service setting at top level/global is evaluated

  • OPENAM-17017: REST STS fails with unable to get sub-schema if cache is refreshed while updating REST config

  • OPENAM-16998: Poor logging around failures "Invalid Assertion Consumer Location specified"

  • OPENAM-16997: Device code grant implied consent fails if access_token request performed before user authenticates

  • OPENAM-16988: accessedEndpoint including port causes verify Assertion Consumer URL to fail

  • OPENAM-16955: When setCookieToAllDomains=false is used, a non matching request from other domain will fail

  • OPENAM-16944: LdapDecisionNodes fails if inetuserstatus does not exist

  • OPENAM-16936: Tree nodes create new keystore object each time node is called

  • OPENAM-16935: Logout issue after logging into AM with 'Remember my username' selected with iOS 14.0.1

  • OPENAM-16910: Can not create SAML entity with entity id including a semicolon ';'

  • OPENAM-16904: OIDC bearer module fails with NPE when id_token does not contain kid

  • OPENAM-16883: AM ignores AuthnRequestsSigned property during SSO

  • OPENAM-16881: SAML federation library stopped supporting ACS URLs with query parameters

  • OPENAM-16876: Default ACR values on OIDC client profile is not honoured in order of preference

  • OPENAM-16866: AM should fail gracefully if id_token fails to generate when swapping refresh token

  • OPENAM-16849: WeChat Social Auth module broken (regression)

  • OPENAM-16848: Choice Collector and WDSSO node combination does not work if whitelisting is enabled

  • OPENAM-16847: AM email service failing with 'Start TLS' option

  • OPENAM-16838: AuthenticationApproachChecker does not handle session upgrade modules

  • OPENAM-16745: client_id in access token ignores what’s been registered when idm cache is disabled

  • OPENAM-16712: Importing SAML2 Metadata with both IDP and SP with cot ends up with duplicated extended metadata

  • OPENAM-16642: Server id creation can fail when id is greater than 100

  • OPENAM-16617: SuccessURL session property is set to gotoURL in authentication tree

  • OPENAM-16556: Radius Server does not log IP address into AM Audit logs

  • OPENAM-16540: Issues with Social Login URLs when navigating quickly between providers

  • OPENAM-16535: "JWKs URI content cache miss cache time" is not triggered when "kid" is missing from cached JWK Set

  • OPENAM-16473: Unable to authenticate after UpdatePassword flow

  • OPENAM-16472: Proxied Authentication fallback may not work when user entry lacks some attributes

  • OPENAM-16418: private_key_jwt client auth fails with 500 if claim format is wrong

  • OPENAM-16368: Settings of Mail and Scripting global service properties are overwritten at upgrade

  • OPENAM-16354: Concurrency bug in OAuth2ProviderSettingsFactory

  • OPENAM-16262: Javadocs for IdUtils needs updating

  • OPENAM-16216: Get Session Data node improvements

  • OPENAM-16006: Device Code Grant does not work with Implied Consent as Authorization is not approved even after consented

  • OPENAM-15963: Historical retention files ( csv ) were not deleted

  • OPENAM-15501: Xml encryption 1.1 namespaces aren’t always mapped to prefixes correctly

  • OPENAM-15278: "Access Denied" error when accessing logout link and not currently signed in

  • OPENAM-15253: Upgrade fails if external data store for Applications and Policies is used

  • OPENAM-14898: OTP Email Sender Authentication Node fails if no SMTP authentication credentials are specified

  • OPENAM-14245: Console error when adding entity to circle of trust

  • OPENAM-14240: FMSigProvider.verify does not tell if certificates are provided

  • OPENAM-13586: Removing all SingleSignOnService entries from a hosted IDP entity causes it to vanish from the console (A Bad Federation entry makes other entries not listed)

  • OPENAM-12503: SizeBasedRotationPolicy does not delete oldest file

  • OPENAM-11706: Policies in a policy set are not visible in Internet Explorer IE

AM 6.5.3

  • OPENAM-16701: The authorize endpoint with a service parameter will cause the parameter to appear as a PAP claim in the agent’s ID token

  • OPENAM-16697: Case mismatch for realm (when using legacy realm identifier format) on well-known endpoint results in issuer with incorrect path format

  • OPENAM-16684: OIDC Dynamic Registration client_description cannot take String type

  • OPENAM-16583: Crucial information is missing when encountering LDAP connection issues

  • OPENAM-16566: OAuth2 Access token obtained from refresh token is certificate-bound regardless of "Certificate-Bound Access Tokens" configuration with POST authentication

  • OPENAM-16555: (audit) logging does not tell which policy allowed or denied a resource request

  • OPENAM-16551: Scalar String in OAuth2 Access Token Modification Script results in Unable to Obtain Access Token

  • OPENAM-16537: AM not validating relative redirects on POST

  • OPENAM-16528: webauthn auth template missing quotation marks around userVerification component

  • OPENAM-16519: access_token call in OIDC flow causes a search against Identity Store when Account Lockout is turned on and set to Store Invalid Attempts in Data Store

  • OPENAM-16498: 500 returned when OAuth2 token is submitted with incorrect or non-existent KID

  • OPENAM-16495: typo "Conenct" in Audience help of OpenID Connect id_token bearer authentication module

  • OPENAM-16485: 'Failed Login URL' is not picked up from the auth chain

  • OPENAM-16450: 501 when default resource version set to "oldest" and Accept-API-Version header set

  • OPENAM-16433: Audit Logging change of behaviour when capturing "principals" and "userid" data for each authentication entry

  • OPENAM-16425: AM does not handle malformed/incorrect signature correctly

  • OPENAM-16418: private_key_jwt client auth fails with 500 if claim format is wrong

  • OPENAM-16402: The passwordpolicy.allowDiagnosticMessage should be applicable to admin and selfservice password change

  • OPENAM-16394: Stress-testing increases am_cts_task_queue_count until a connection timeout

  • OPENAM-16379: URL fragments like # cause forbidden login in the XUI

  • OPENAM-16367: OIDC request_uri response causes NPE while debug logging

  • OPENAM-16352: Policy evaluation performance degraded by 18-20%

  • OPENAM-16345: Nullpointer exception AgentResourceExceptionMappingHandler when no errorCode

  • OPENAM-16343: ScriptCondition initializes AMIdentity with user token

  • OPENAM-16342: Call to AdminTokenAction refreshes token in CTS datastore

  • OPENAM-16338: Failing REQUISITE module after SUFFICIENT Device Match doesn’t fail chain properly

  • OPENAM-16334: Checking AgentType with user token triggers permission check

  • OPENAM-16295: Watchdog errors on AM when external CTS with DS Entry Expiration and Deletion used

  • OPENAM-16289: Fedlet fails with NPE when default digest method is missing from FederationConfig.properties

  • OPENAM-16284: XUI does not handle Special Chars / UTF-8 in realms properly

  • OPENAM-16279: AgentsRepo cannot recover when it fails, especially with an external Application store

  • OPENAM-16271: Groovy Sandbox needs an explicit whitelist on nested primitive Array type

  • OPENAM-16268: Fedlet root url provider appends additional slash when context root is not available

  • OPENAM-16256: StringIndexOutOfBoundsException when SAML Auth Request's Reference URI has an empty string

  • OPENAM-16251: OIDC authentication request with parameters 'prompt=none' and 'acr_values=' triggers authentication

  • OPENAM-16249: AM expects consent_response although agent’s configured for implied consent

  • OPENAM-16242: Lowercase ID attribute does not work with OAuth2 settings

  • OPENAM-16240: REST STS under subrealm cannot generate id_token with realm claim

  • OPENAM-16233: Policy evaluation fails when subject not found (even in ignore profile)

  • OPENAM-16218: ERROR: OAuth2Monitor: Unable to increment "oauth2.grant" metric for unknown grant type JWT_BEARER

  • OPENAM-16214: Push Authentication Module does not work on Session Upgrade when User Cache disabled

  • OPENAM-16203: SAML SSO Admin Create SAML entities does not add attribute mappings

  • OPENAM-16194: SAML jsp scripts do not compile

  • OPENAM-16192: Elastic SAML: ForceAuthn fails if user already has a session when using Authentication tree

  • OPENAM-16184: Zero Page Login Collector does not work with UTF-8 base 64 encoded usernames and passwords

  • OPENAM-16177: Unmet lodash dependency warning when building openam-ui-ria module

  • OPENAM-16165: social authmodule causes NullPointerException

  • OPENAM-16164: social authmodule fails if OIDC provider uses algorithm RS256 to sign Id Token

  • OPENAM-16161: "same site patch" breaks SAML2 integrated mode on Apache Tomcat 7

  • OPENAM-16157: Session Property Whitelist Service allows case variant Property Names but DS is not case-sensitive

  • OPENAM-16152: After upgrade, new Identity page has duplicate 'new identity' field and email address does not save

  • OPENAM-16151: AM account lockout is checked even when it’s disabled

  • OPENAM-16137: JWT PAP claims problem with session upgrade

  • OPENAM-16136: queryFilter only matches against first entry in array

  • OPENAM-16133: IdRepoCache being bypassed with increased usage of search alias

  • OPENAM-16132: When TtlSupport is enabled, Stateless OAuth2 Refresh token and JWT whitelist fails on synchroniseExpiryDates

  • OPENAM-16121: com.sun.identity.sm.notification.threadpool.size default should be updated to ensure sequential processing of SMS notifications

  • OPENAM-16118: Deadlock in smIdmThreadPool notifyDescriptorChange

  • OPENAM-16109: Non amadmin admin user can’t edit Policy Sets / Policies

  • OPENAM-16096: AMKeyProvider.mapPk2Cert error when using AWS CloudHSM

  • OPENAM-16049: WPA - Environment Condition TYPE!'s not working when evaluated to false

  • OPENAM-16036: Identity stores configuration broken after upgrade

  • OPENAM-16032: Unable to delete devices with Recovery Code Collector Decision Node

  • OPENAM-16031: Intermittent error message when concurrent obtain SSO Token ID with session quota constraints

  • OPENAM-16014: An invalid user passed to any WebAuthn node throws NPE and breaks the Tree flow

  • OPENAM-16013: Mismatched kid from Json Web Key URI when Specified Encryption Algorithm

  • OPENAM-16009: Windows Desktop SSO node full adoption and compliance with tree node specifications

  • OPENAM-15989: OAuth2 client_id should be url-decoded when using basic auth

  • OPENAM-15982: OIDC - JWT Request Parameter returns errors in query, not in the fragment when consent is denied

  • OPENAM-15979: WindowsDesktopSSO WSSO Configuration changes on isInitiator does not refresh configuration

  • OPENAM-15977: _queryFilter is not working with _id field

  • OPENAM-15970: Access Token introspect Fails in subrealm after root realm modified

  • OPENAM-15944: WS-Federation - RPSignin Request fails because config data is used unchecked

  • OPENAM-15929: OAuth2 Server Metadata - code challenge methods supported are not discoverable

  • OPENAM-15919: AM OAuth metadata doesn’t list revocation endpoint

  • OPENAM-15918: access_token endpoint returns wrong error if client is incorrect

  • OPENAM-15905: Login failure with Post Authentication Plugin on timed out Authentication session throws NullPointerException

  • OPENAM-15900: Kerberos fails when used with IBM JDK

  • OPENAM-15896: WS-Federation relying party initiated passive request - stuck at Account Realm selection

  • OPENAM-15888: Long lived Device Code Lifetime causes Token's Expiry Time to be wrong

  • OPENAM-15881: Custom AM User (amUser.xml) field does not use default values from the schema

  • OPENAM-15864: SP init SSO fails after upgrade

  • OPENAM-15858: Auth Tree fails before 'Max Authentication Time' is reached if authentication session state management scheme CTS is used

  • OPENAM-15855: AM requires "jti" claim for private_key_jwt client authentication

  • OPENAM-15853: External UMA store fails on resource creation

  • OPENAM-15849: An admin cannot DELETE 2fa devices owned by users

  • OPENAM-15841: DisableSameSiteCookiesFilter broken on WebLogic

  • OPENAM-15835: WebAuthn Nodes do not work when Relying Party domain is used.

  • OPENAM-15805: idtokeninfo endpoint gives invalid signature error when ID Token is expired

  • OPENAM-15784: Form elements in policy environment condition tab are displayed twice

  • OPENAM-15776: Push Registration fails (QR code invalid) to register

  • OPENAM-15758: KeyStore Secret Store fails to start due to secretId having some special characters.

  • OPENAM-15750: ERROR: OAuth2Monitor: Unable to increment "oauth2.grant" metric for unknown grant type BACK_CHANNEL

  • OPENAM-15724: SAML2 entities do not set amlbcookie if there is only one server

  • OPENAM-15722: SAML2 IdP federation endpoint does not set amlbcookie when using host-based cookies

  • OPENAM-15713: AM SP drops the 80 characters RelayState silently for HTTP Redirect

  • OPENAM-15698: IdP-initiated SSO fails with error 'Error processing AuthnRequest. IDP Session is NULL'

  • OPENAM-15697: Default ACR values from OAuth2 provider not taken into account

  • OPENAM-15696: The attribute "com.sun.am.ldap.connnection.idle.seconds" with > 0 causes LDAP pool initialization failure when using external CTS / UMA

  • OPENAM-15694: RestSTSServiceHttpRouteProvider causes memory leak by adding route for every access

  • OPENAM-15687: Session endpoint is searching for a long value in CTS that is stored as a string

  • OPENAM-15679: The option "com.sun.am.ldap.connnection.idle.seconds" has a misspelling

  • OPENAM-15671: LoginContext is missing debug logging for troubleshooting

  • OPENAM-15670: DeviceIdSave auth module initialization fails if username is null

  • OPENAM-15667: AM debug log does not tell which auth-module was handled - needed for troubleshooting

  • OPENAM-15663: UserInfoClaims is not part of public API

  • OPENAM-15662: RefreshToken does not work if Resource owner not in datastore (or using Ignore Profile)

  • OPENAM-15652: Debug.jsp does not update all existing appenders when trying to override -Dcom.iplanet.services.debug.level at runtime

  • OPENAM-15645: The &refresh=true|false parameter for _action=validate is not working as expected

  • OPENAM-15643: Need to send additional URL parameter values to agents from authorize end-point

  • OPENAM-15632: OAuth2 Refresh token lifetime with -1 (never expires) cannot work with CTS TTL support

  • OPENAM-15628: Grant-Set Storage Scheme for CTS does not work with CIBA Flow

  • OPENAM-15627: Switching CTS Storage Scheme to "Grant-set" fails with stateless refresh-tokens created with "One-To-One"

  • OPENAM-15594: CsrfFilter should only block requests that contain a cookie

  • OPENAM-15591: When using an OIDC id_token as SSO token composite/txid authenticate event generates 500

  • OPENAM-15579: AM cookies are not set after successful SP-initiated SSO flow if SP Adapter calls 'response.sendRedirect(String)'

  • OPENAM-15574: Amster Import - updating com.iplanet.am.lbcookie.value to a different value to server ID

  • OPENAM-15562: SAML2 crosstalk fails when Accept-Language header is missing from the original request

  • OPENAM-15559: OATH module broken in Japanese locale

  • OPENAM-15548: WS-Fed - allow wreply to use Valid wreply List

  • OPENAM-15533: WS-Federation doesn’t work with Authentication Trees

  • OPENAM-15530: OAuth2/OIDC - Resource Owner Password flow with a public client creates an AM session in CTS

  • OPENAM-15520: XUI Localisation Falls Back To AM-Default "EN" Instead Of Language-Default

  • OPENAM-15510: Generic amster error message "No Base Entity dc=config,dc=forgerock,dc=com found" needs to detail the actual ldap error - during install-openam

  • OPENAM-15508: moduleMessageEnabledInPasswordGrant does not apply to Trees

  • OPENAM-15507: 500 error when calling /revoke or /refresh endpoint with wrong token

  • OPENAM-15494: AM expects nonce request parameter in authorize request when no id_token will be returned

  • OPENAM-15491: Self service password reset returns 500 Internal Server Error, when new password rejected by datastore password policies.

  • OPENAM-15490: Policy evaluation and resource type lookups and creation fail and cannot recover from External Policy Store restart

  • OPENAM-15489: WebAuthN Auth Node Doesn’t Respect UV=Discouraged During AuthN

  • OPENAM-15487: OIDC - JWT Request Parameter returns errors in query, not in the fragment with invalid acr essential claim

  • OPENAM-15483: IDPSSOUtil.doSSOFederate throws NumberFormatException when subrealm is used with federation

  • OPENAM-15465: Sending HTTP Callback from Inner Tree Evaluator Fails Authentication

  • OPENAM-15459: When Encrypted Attributes on SP is set only with AutoFederation enabled, the attributes get decryption error

  • OPENAM-15446: Incorrect error management during SAML SSO

  • OPENAM-15444: Prepare for Chrome’s move to SameSite=lax by default

  • OPENAM-15432: Oath User Devices endpoint not accessible for delegated admin

  • OPENAM-15425: OIDC endsession - encrypted id_tokens are not supported

  • OPENAM-15421: audit logging does not output when a collector node is wrapped in a page node

  • OPENAM-15382: custom Audit logging node or extending Scripted Node with able to audit

  • OPENAM-15374: OpenID Client authentication with private_key_jwt and client_secret_jwt does not enforce required jti claims

  • OPENAM-15371: Ssoadm import-svc-cfg fails with unable to recognize the data store type error

  • OPENAM-15370: Ssoadm import-svc-cfg fails with Unable to obtain Server URL

  • OPENAM-15363: Redirect_uri_mismatch error occurs in Agent 5.x after upgrading from OpenAM 13.5.0

  • OPENAM-15355: PageNode with multiple InputNodes without value throws Unsupported InputOnlyPasswordCallback

  • OPENAM-15353: OIDC Verification of a signed Jwt using multiple keys (e.g. jwk_uri) is not attempted against all keys

  • OPENAM-15350: wrong message when saving Trusted JWT Issuer

  • OPENAM-15349: Access Token request returns a 500 error

  • OPENAM-15347: Trusted JWT Issuer is highlighted as current menu item when I choose OAuth2

  • OPENAM-15345: at_hash value generated does not take the latest modified access token

  • OPENAM-15337: Change Advice Format Value

  • OPENAM-15323: ROPC with tree throws "Internal Server Error (500)" when user credentials are incorrect using AuthTree

  • OPENAM-15309: JWTs are always SignedThenEncrypted when encrypted using JwtEncryptionHandler#encryptJwt

  • OPENAM-15307: Trees Example is not working as expected OOTB to ?service=Example

  • OPENAM-15303: Claims with multiple values in issued_token from REST STS represented inconsistently.

  • OPENAM-15270: token_endpoint_auth_signing_alg should support any signing algorithms supported by the OP

  • OPENAM-15257: XUI freezing when /authenticate returns unhandled http result codes

  • OPENAM-15244: AM configuration does not perform schema extension for identity store although it has the permissions

  • OPENAM-15220: relayState is lost when both a relayState url and intermediate url are used

  • OPENAM-15216: LDAP Decision Node does not continue through "Fail" flow when Node Fails with exception

  • OPENAM-15210: Authentication nodes that are assigned AuthType values may not work in Session Upgrade case with custom modules

  • OPENAM-15206: webAuthn returns JavaScript with linebreak characters, and tries to store negative ints in an unsigned array

  • OPENAM-15198: WS-FED Attribute Mapper returns incorrect map when AM is SP

  • OPENAM-15193: moduleMessageEnabledInPasswordGrant is providing a different authentication error since AM 6.5.1

  • OPENAM-15192: WebAuthn doesn’t work on WildFly containers

  • OPENAM-15164: CDSSO with "ignore profile" throws "No OpenID Connect provider"

  • OPENAM-15160: LDAP Decision Node throws NPE when custom ldap server returns LDAP code 50 on bind

  • OPENAM-15150: Upgrade fails when there is a bad Token Signing ECDSA public/private key pair alias field

  • OPENAM-15147: HTTP 500 upon accessing openam/json/

  • OPENAM-15145: OpenAM Scope Validator calls getUserInfo twice when creating IdToken

  • OPENAM-15129: registering client with token_endpoint_auth_method=none returns secret

  • OPENAM-15128: webAuthn rpId detection does not account for cross-domain requests

  • OPENAM-15121: Persistent Cookie Auth Tree does not work after the second relogin ( with browser closed )

  • OPENAM-15117: KeyVault KeyStoreType not supported

  • OPENAM-15116: Auth ID jwt can be modified to determine whether a realm exists or not

  • OPENAM-15105: Unable to get trusted devices using REST API

  • OPENAM-15089: SAML SLO - Allow RelayState to be a path-relative URL

  • OPENAM-15076: webAuthn config does not allow for multiple origins under the same rpId

  • OPENAM-15073: Missing RelayState query parameter in the AM redirect to fedlet application

  • OPENAM-15065: HTTP 500 authentication error in CIBA workflow when user deny request

  • OPENAM-15063: when binding message of CIBA request is too long, notification fails to be sent

  • OPENAM-15053: when client sends wrong auth_req_id in CIBA polling request, there is HTTP 500 server error

  • OPENAM-15052: when id_token_hint is not JWT, CIBA authorization request returns HTTP 500

  • OPENAM-15050: WebAuthn client script cannot be parsed in Internet Explorer

  • OPENAM-15049: wrong JWT while obtaining CIBA auth request id will result in HTTP 500 NPE

  • OPENAM-15044: OpenID connect id_token bearer Module Unable to obtain SSO Token due to OpenIDResolver Caching

  • OPENAM-15040: CIBA authorization request returns HTTP 500 NPE when file is wrong

  • OPENAM-15028: Cannot load metadata in ssoadm without extended metadata

  • OPENAM-15018: Encrypted stateless tokens contain zip header, even though it should not be present if none

  • OPENAM-15012: OIDC - JWT Request Parameter returns errors in query, not in the fragment

  • OPENAM-14995: IdP Initiated single logout only performs local logout if IdP session cannot be found in cache

  • OPENAM-14979: NPE in UtilProxySAMLAuthenticatorLookup if there is a failure to find cached oldSession in sessionUpgrade

  • OPENAM-14973: Monitoring throws StackTrace even if JDMK isn’t being used/needed.

  • OPENAM-14971: Unable to set up ssoadm when AM is installed to the root context

  • OPENAM-14951: OAuth2 provider does not validate RCS clients in an external application store

  • OPENAM-14930: OAuth2 introspect fails with could not find any verification keys for keyId

  • OPENAM-14907: OAuth2/OIDC - jwk_uri returns keys for algorithms that are not listed/supported at the OAuth2 Provider

  • OPENAM-14883: OAuth2/OIDC - Issuing client secret to Public clients during registration

  • OPENAM-14874: It would be nice if the x-forwarded-* option was able to parse the comma-separated string and use the first (outermost) proxy host name.

  • OPENAM-14867: AuthType is not set for Authentication Tree (AnyKnownUserAuthzModule fails in AuthTree)

  • OPENAM-14858: When NameIDPolicy does not contain Format=.., remoteEntityID is passed as null

  • OPENAM-14842: Misleading "CTS: Operation failed: Result Code: Connect Error" message when CTS store is still up and running

  • OPENAM-14841: WebAuthnAuthentication node inside a Page Node causes UI to fail rendering the tree

  • OPENAM-14782: AuthTree created Session does not use per User Session Service settings

  • OPENAM-14744: Multivalued DN stops persistent search

  • OPENAM-14700: XUI: AM pages don’t render in Internet Explorer

  • OPENAM-14682: Microsoft Social Auth fails when creating an Microsoft account (Legacy OAuth2)

  • OPENAM-14570: OAuth mTLS DN comparison fails when DER-encoding is different

  • OPENAM-14534: The request parameter should accept any signing algorithms supported by the OP

  • OPENAM-14527: Microsoft Social Auth does not work with latest MS endpoints (Legacy OAuth2)

  • OPENAM-14520: CreateMetadataModelImpl determines AM URL incorrectly when AM is deployed to root context

  • OPENAM-14480: Provide better error handling during WDSSO Keytab file permission check

  • OPENAM-14391: Self Service Link not displayed when using authentication tree

  • OPENAM-14313: Audit Logging - STS transformations create duplicate entries

  • OPENAM-14292: AM-LOGIN-COMPLETED does not log name of chain used for login

  • OPENAM-14265: Amster Import with --clean doesn’t delete the secrets store and mappings

  • OPENAM-14229: custom AuthorizeTemplate under theme not used

  • OPENAM-14188: Unable to Generate JSDoc in UI

  • OPENAM-14109: Agent-as-OAuth2-Client cannot create id token when agent realm is different

  • OPENAM-14103: Session REST API does not offer same restricted session functionality as Session Client SDK API

  • OPENAM-13948: When realm has Session service and user has Session service too, viewing User's service fails

  • OPENAM-13934: saml2error.jsp fails with exception when malformed SAML2 response given

  • OPENAM-13840: Creating a Session service on a Subject fails when there is a realm Session service already

  • OPENAM-13831: RP-Initiated Logout does not handle state parameter

  • OPENAM-13764: Monitoring logs in ERROR for "Agent.configAgentsOnly:agent type = OAuth2Client"

  • OPENAM-13549: Enabling Warning Headers causes multiple Secondary Configurations Tabs to generate 500 errors.

  • OPENAM-13490: Software Publisher Agent - Secret is not saved when creating an Agent

  • OPENAM-13465: Dynamic client registration sets wrong subjectType

  • OPENAM-13310: Allow id tokens to be issued when no datastore configured

  • OPENAM-12759: During authorization code grant flow - max_age should be a number, not a string

  • OPENAM-12574: SAML2Utils.sendRequestToOrigServer throws NullPointerException on processing Cookies

  • OPENAM-12285: Allow Agents to receive notifications for oauth2 access token revocations

  • OPENAM-12228: WebAgent REST API queryFilter expression does not work and acts all "true"

  • OPENAM-11921: Incorrect NameId Format offered for SAML2 auth module in console

  • OPENAM-11912: LDAPv3 data store type does not handle property 'sun-idrepo-ldapv3-config-auth-kba-attr'

  • OPENAM-11338: OpenID Connect id_token bearer auth module mixes up aud, azp during verification

  • OPENAM-11159: OpenAM Amster export/import for Site has import errors

  • OPENAM-10869: SAML2 Authentication module returns ambiguous "Unable to link local user to remote user".

  • OPENAM-10843: When generating an OIDC token through STS a "kid" value is not specified

  • OPENAM-9931: Global Session Service - two fields with the exact same name (Redundant 'Global Attributes' setting should be removed)

  • OPENAM-9777: Json Web Key URI in OAuth2 OpenID connect client config pre-populated incorrectly

  • OPENAM-9459: 500 Internal Server Error from changePassword endpoint with AD repo

AM 6.5.2

6.5.2.3

  • OPENAM-15858: Auth Tree fails before 'Max Authentication Time' is reached if authentication session state management scheme CTS is used

  • OPENAM-15841: DisableSameSiteCookiesFilter broken on WebLogic

  • OPENAM-15835: WebAuthn Nodes do not work when Relying Party domain is used.

  • OPENAM-15776: Push Registration fails (QR code invalid) to register on AM 6.5.2.2.

  • OPENAM-15750: ERROR: OAuth2Monitor: Unable to increment "oauth2.grant" metric for unknown grant type BACK_CHANNEL

  • OPENAM-15700: Dynamic user profile not working for chains

  • OPENAM-15697: Default ACR values from OAuth2 provider not taken into account

  • OPENAM-15628: Grant-Set Storage Scheme for CTS does not work with CIBA Flow

  • OPENAM-15562: SAML2 crosstalk fails when Accept-Language header is missing from the original request

  • OPENAM-15533: WS-Federation doesn’t work with Authentication Trees

  • OPENAM-15490: Policy evaluation and resource type lookups and creation fail and cannot recover from External Policy Store restart

  • OPENAM-15465: Sending HTTP Callback from Inner Tree Evaluator Fails Authentication

  • OPENAM-15459: When Encrypted Attributes on SP is set only with AutoFederation enabled, the attributes get decryption error

  • OPENAM-15446: Incorrect error management during SAML SSO

  • OPENAM-15444: Prepare for Chrome’s move to SameSite=lax by default

  • OPENAM-15193: moduleMessageEnabledInPasswordGrant is providing a different authentication error since AM 6.5.1

  • OPENAM-15164: CDSSO with "ignore profile" throws "No OpenID Connect provider"

  • OPENAM-15053: when client sends wrong auth_req_id in CIBA polling request, there is HTTP 500 server error

  • OPENAM-15052: when id_token_hint is not JWT, CIBA authorization request returns HTTP 500

  • OPENAM-15040: CIBA authorization request returns HTTP 500 NPE when file is wrong

  • OPENAM-15018: Encrypted stateless tokens contain zip header, even though it should not be present if none

  • OPENAM-14951: OAuth2 provider does not validate RCS clients in an external application store

6.5.2.2

  • OPENAM-15363: Redirect_uri_mismatch error occurs in Agent 5.x after upgrading from OpenAM 13.5.0 to AM 6.5.2

  • OPENAM-15355: PageNode with multiple InputNodes without value throws Unsupported InputOnlyPasswordCallback

  • OPENAM-15345: at_hash value generated does not take the latest modified access token

  • OPENAM-15323: ROPC with tree throws "Internal Server Error (500)" when user credentials are incorrect using AuthTree

  • OPENAM-15192: WebAuthn doesn’t work on WildFly containers

  • OPENAM-15145: OpenAM Scope Validator calls getUserInfo twice when creating IdToken

  • OPENAM-15050: WebAuthn client script cannot be parsed in Internet Explorer

  • OPENAM-14570: OAuth mTLS DN comparison fails when DER-encoding is different

  • OPENAM-13934: saml2error.jsp fails with exception when malformed SAML2 response given

6.5.2.1

  • OPENAM-15350: Wrong message when saving Trusted JWT Issuer

  • OPENAM-15347: Trusted JWT Issuer is highlighted as current menu item when I choose OAuth2

  • OPENAM-15150: Upgrade fails when there is a bad Token Signing ECDSA public/private key pair alias field

  • OPENAM-15121: Persistent Cookie Auth Tree does not work after the second relogin ( with browser closed )

  • OPENAM-15105: Unable to get trusted devices using REST API

  • OPENAM-15065: HTTP 500 authentication error in CIBA workflow when user deny request

  • OPENAM-15063: Trusted JWT Issuer Agents fall under the 'Agents' group in XUI groupings - which doesn’t match release notes

  • OPENAM-15028: Cannot load metadata in ssoadm without extended metadata

  • OPENAM-14973: Monitoring throws StackTrace even if JDMK isn’t being used/needed.

  • OPENAM-14744: Multivalued DN stops persistent search

  • OPENAM-14700: XUI: AM pages don’t render in Internet Explorer

  • OPENAM-9931: Global Session Service - two fields with the exact same name (Redundant 'Global Attributes' setting should be removed)

6.5.2.0

  • OPENAM-14977: PKCE Code challenge method for Authorization Code if not set should use plain

  • OPENAM-14940: Improve SAML2 Response/Assertion generation to not have carriage return in between XML tags

  • OPENAM-14938: ID repo setAttributes service call returns the wrong error message with multiple datastores

  • OPENAM-14929: idpSSOInit error when session authLevel does not map to Auth Context

  • OPENAM-14919: Unnecessary 'Unable to parse packet received from RADIUS client' log entries in log file

  • OPENAM-14901: XUI - SAML2 module doesn’t redirect to IDP if it’s 2nd in the chain

  • OPENAM-14889: Upgrade of Persistent Cookie auth module fails

  • OPENAM-14881: AM Proxied authorization feature on DataStore does not work with locked or expired DJ accounts for password change (gives errorcode=123)

  • OPENAM-14865: No error message is provided when login page is supplied with incorrect session cookie domain

  • OPENAM-14859: ROPC throws "Internal Server Error (500)" when 'Password Grant authentication service' is empty

  • OPENAM-14853: Intermittent bug caused by partials not being loaded in-time.

  • OPENAM-14848: Insufficient debug logging in OpenID Connect authentication module

  • OPENAM-14845: Userinfo endpoint does not correctly handle Certificate Bound Access Tokens

  • OPENAM-14840: Translation and help text missing for OAuth2 provider property tokenEncryptionEnabled

  • OPENAM-14829: AuthSchemeCondition doesn’t return realm aware policy condition advice

  • OPENAM-14825: OAuth2 Dynamic Registration with Software Statement triggers objectClass=* search

  • OPENAM-14821: Make HttpServletRequest/Response available from ExternalRequestContext

  • OPENAM-14799: Unable to update Agent profile using REST

  • OPENAM-14798: Cannot always delete unused resource types in top level realm

  • OPENAM-14794: User privileges are removed from group if another group is given same privilege

  • OPENAM-14786: idpSingleLogoutPOST throws error 500 IllegalStateException on SLO

  • OPENAM-14785: Give Authentication Nodes Access to the Request and Response

  • OPENAM-14784: AM cannot decrypt JWTs with CBC-HMAC encryption methods using a HSM

  • OPENAM-14783: PKCS11 KeyStore does not work on IBM JVM

  • OPENAM-14766: Introspect and tokeninfo endpoints return Internal Server Error 500 in some invalid tokens

  • OPENAM-14740: idpSingleLogoutRedirect throws error 500 IllegalStateException on SLO

  • OPENAM-14717: mailto attribute has a space between ':' and mail address

  • OPENAM-14715: Stateless token encryption does not work OOTB when upgrading from < AM 6.0

  • OPENAM-14707: ConsentRequiredResource class does not reuse value in Base url source service

  • OPENAM-14694: Consent page still shows claim values even when supported claim description is omit

  • OPENAM-14685: PolicySetCacheImpl is not cleaned up correctly upon realm deletion

  • OPENAM-14656: SAML redirect to login page on SP side fails if AM installed into the root context

  • OPENAM-14651: OAuth2 GrantSet E-Tag Assertion Failures due to Stale Reads

  • OPENAM-14643: OIDC Dynamic Client Registration registration_client_uri does not work for root realm

  • OPENAM-14642: OIDC Dynamic Client Registration registration_client_uri uses only Host header not BaseURL

  • OPENAM-14581: Handling ManageNameID fails if NameID does not include SPNameQualifier

  • OPENAM-14572: prompt=login destroys and creates new session

  • OPENAM-14565: AM Upgrade NPE when unable to read operational attrs from directory

  • OPENAM-14548: Consent page still shows what’s been granted/removed as a result of OAuth2 scope policy evaluation

  • OPENAM-14539: SAML SLO with multi protocols

  • OPENAM-14525: HSM secret store should not use the key alias as stable ID

  • OPENAM-14523: NullPointerException in IdP-initiated ManageNameIDRequest using SOAP Binding

  • OPENAM-14503: SAML2 - Key Transport Algorithm - RSA OAEP must be supported

  • OPENAM-14483: If there is no token, then landing on the AM login page will result in 2 getSessionInfo Requests = 401 UnAuthZ

  • OPENAM-14466: Logs show MissingResource for key unableToCreateArtifactResponse during SAML2 login

  • OPENAM-14464: XUI displays "Loading custom partial "${partialPath}" failed. Falling back to default." when a custom theme is used

  • OPENAM-14419: Policy evaluation returns search results for all policies that match outside of specified application

  • OPENAM-14362: UMA load test fails with Invalid resource type error

  • OPENAM-14356: Deleting OAuth 2.0 Client triggers unfiltered search

  • OPENAM-14353: Error Message not Displayed when Change Password does not Meet Password Policy

  • OPENAM-14337: Fail gracefully when request OIDC token using "Pairwise" Subject Type and no Redirection URI is configured in client

  • OPENAM-14310: CheckSession page indicates the session is not valid

  • OPENAM-14295: import-config fails when web-agent already present

  • OPENAM-14231: Passing in a JWT (with jku in the header) to the authorize endpoint fails

  • OPENAM-14213: Cannot view SAML SP entity imported from AWS in console

  • OPENAM-14138: Self registration url does not include realm parameter after upgrade from 13.5.1

  • OPENAM-14059: Inconsistent behavior while revoking stateful v/s stateless refresh tokens

  • OPENAM-14054: XUI Custom templates and Partials not applied consistently

  • OPENAM-14022: We shouldn’t be deploying Jetty inside a war file

  • OPENAM-13779: Session API - _action=refresh requires an admin token

  • OPENAM-13402: Race condition in switch realm page display can sometimes result in displaying a login page

  • OPENAM-10958: Amster cannot import configuration with containing sub realms with --clean if the instance already contains sub realms

AM 6.5.1

  • OPENAM-14675: Error output in Configuration debug log when creating new realm

  • OPENAM-14669: ssoadm does not install using Java 1.8.192 and above

  • OPENAM-14660: Error in console and unable to Add/Edit/Delete Security Questions for a user via XUI

  • OPENAM-14573: amlbcookie is not secure when authenticating with trees

  • OPENAM-14546: SSOADM access not audited to the ssoadm.access logs anymore

  • OPENAM-14529: UMA RPT expiry time incorrect in CTS

  • OPENAM-14516: Attempt to resolve a named secret containing a : character on Windows fails if the filesystem secret store is involved

  • OPENAM-14509: When a user is marked as inactive, can still perform introspect and tokeninfo endpoint requests

  • OPENAM-14505: Agent sessions are constrained by Session Quota

  • OPENAM-14471: Failed to create root realm for data store (External Policy | Application)

  • OPENAM-14465: SAML2 Artifact binding fails on multi-instance / multiserver IDP setup with SAML2 Failover on

  • OPENAM-14450: userinfo typo in Claims.java

  • OPENAM-14427: Certificate Module with option "Match Certificate in LDAP" does not work in AM 6.5.0

  • OPENAM-14426: Unable to add external data store in AM (Policy | Application) when using TLS or SSL

  • OPENAM-14425: JwkSetSecretStore does not reload the SecretStore when it has expired

  • OPENAM-14394: Customise the JWK KIDs

  • OPENAM-14393: CTS Operation Fails Entry Already Exists logged for SAML2 Authentication is done

  • OPENAM-14387: Dynamic registration PUT is not implemented

  • OPENAM-14386: JWK keyuse can be customised

  • OPENAM-14384: Allow metadata to be returned in authentication tree API responses

  • OPENAM-14378: 'Set Persistent Cookie' node sets domain cookies in only one domain despite multiple Cookie Domains set

  • OPENAM-14374: Success login URL via trees redirects to profile when already authenticated

  • OPENAM-14369: Upgrading from OpenAM 13.5.0 to AM 6.0.0.5 with custom PAPs causes NPE failure

  • OPENAM-14308: LDAP Connection Pool Minimum Size for Identity Store missing from XUI

  • OPENAM-14307: ConcurrentModificationException when creating resource_set

  • OPENAM-14281: IdP Proxy relays wrong AuthnContextClassRef

  • OPENAM-14270: SocialOpenIdConnectNodeTest does not compile

  • OPENAM-14255: Help text in OAuth 2.0 client "mTLS Self-Signed Certificate" property needs encoding?

  • OPENAM-14239: FMSigProvider.verify NPE with null input for certificates

  • OPENAM-14235: mTLS drop down labels don't match the value (or the spec)

  • OPENAM-14233: updated_at claim in the ID Token is returned as a string and not a number

  • OPENAM-14232: Performance issue when creating resource_set in UMA with many existing resource_set

  • OPENAM-14222: Amster fails exporting Secret Store Mappings in sub-realms

  • OPENAM-14212: SAML redirect to login page fails if AM installed into the root context

  • OPENAM-14210: Unable to delete a PageNode that has child nodes

  • OPENAM-14205: PageNodes property panel only appears for new PageNodes.

  • OPENAM-14200: Social auth modules do not work when AM is installed into the root context

  • OPENAM-14189: effectiveRange of Time environment has issue

  • OPENAM-14183: Cannot change amadmin’s password through XUI

  • OPENAM-14175: CTS updates on multivalue attributes may throw Duplicate values exception

  • OPENAM-14174: AM shows Ldapter.delete exception when session expires is triggered

  • OPENAM-14172: Amster Export - Persistent cookie Keystore Mapping inconsistency after upgrade to 6.5.0

  • OPENAM-14169: XUI does not update for a new PollingWaitCallback

  • OPENAM-14167: HTML tags are shown as part of the messages in the Change Password section of the AD Authentication module.

  • OPENAM-14165: ThemeConfiguration is Not Exposed in Final UI Production Build

  • OPENAM-14147: arg=newsession in XUI shows just the "Loading…" page

  • OPENAM-14115: Sample Auth module does not work in a chain when used with Shared-state

  • OPENAM-14111: Refresh Token flow not enabled on OAuth2 Client can still use Refresh Token flow

  • OPENAM-14092: Custom node can prevent all default nodes appearing in admin view

  • OPENAM-14082: Authentication Chains will not open using IE11

  • OPENAM-14080: LDAP Decision Node returns incorrect user attribute to search for in user store

  • OPENAM-14078: RetryTask can block notification processing for an extended period of time

  • OPENAM-14068: The new Policy and Application Stores only support a single target connection address

  • OPENAM-14062: Redirect to Failure URL does not occur when authentication tree is not interactive

  • OPENAM-14058: Cannot create Elasticsearch audit handler configuration through admin console UI

  • OPENAM-14053: Cannot build AM UI in Windows for Yarn using mvn

  • OPENAM-14050: LDAP should reestablish connection to the original server after it has recovered

  • OPENAM-14049: Amster export failure

  • OPENAM-14040: LdifUtils debug logging prints out wrong classname

  • OPENAM-14032: In Social authentication nodes and the Message node it is not possible to change the value of attribute maps or dictionaries

  • OPENAM-14009: Authtree does not proceed for missing Authorization Header

  • OPENAM-14004: AM should support agents deployed to the root context (/), not just /openam

  • OPENAM-13991: 'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm

  • OPENAM-13978: Session Upgrade - AuthLevel format changes

  • OPENAM-13941: OAuth2 Provider’s ID Token Algs lists PS384 algorithm as PS284

  • OPENAM-13940: Session quota limits not applied when using trees

  • OPENAM-13900: OAuth2 Device flow - duplicate user_code error after authenticating user

  • OPENAM-13896: Comparison method violates its general contract! seen during amster import

  • OPENAM-13892: Erroneous "Response’s InResponseTo attribute is not valid" error claims "SAML2 failover is enabled" when it is not

  • OPENAM-13861: Social Authentication Tree does not complete its flow with ForceAuth parameter

  • OPENAM-13851: Rest STS cannot be created in the Console when upgrading to 6

  • OPENAM-13720: Public API method LDAPUtils.convertToLDAPURLs cannot handle IPv6 literals

  • OPENAM-13651: Client registration does not support auth method of "none"

  • OPENAM-13446: Social Auth Service doesn’t redirect if already using another chain

  • OPENAM-13324: /users/{user}/devices/trusted REST queryFilter expression does not work and acts as "true"

  • OPENAM-13217: make transient state available to scripted node type

  • OPENAM-13088: Add option for isInitiator=false to WDSSO configuration

  • OPENAM-13000: Custom authentication module with a single ChoiceCallback value is processed without confirmation

  • OPENAM-12965: httpClient not exposed to OIDC Claim Script

  • OPENAM-12955: Resource Owner Password Credentials Grant does not work with trees

  • OPENAM-12937: Soap STS creation fails when OpenIDConnect token config required

  • OPENAM-12627: Initiating TransactionConditionAdvice with a wrong credential resulting in a non-error response

  • OPENAM-12620: Add more data to Scripted Node Decision binding

  • OPENAM-12498: Authorization Grant response returns scope(s) in the URL

  • OPENAM-12186: Introspect endpoint for RPT does not check the authorization scheme

  • OPENAM-11863: CORSFilter position in web.xml should come before most filters

  • OPENAM-11523: Using the LDAP/AD auth module with change password on next login, the wrong error message is displayed if the current password is empty

  • OPENAM-10127: SessionMonitoringStore should only be instantiated when monitoring is enabled

  • OPENAM-5867: Data Store LDAP server (admin-ordered) list is reordered by OpenAM

AM 6.5

6.5.0.2

  • OPENAM-14572: prompt=login destroys and creates new session

  • OPENAM-14516: Attempt to resolve a named secret containing the : character on Windows fails if the filesystem secret store is involved

  • OPENAM-14505: Agent sessions are constrained by Session Quota

  • OPENAM-14427: Certificate Module with option "Match Certificate in LDAP" does not work in AM 6.5.0

  • OPENAM-14425: JwkSetSecretStore does not reload the SecretStore when it has expired

  • OPENAM-14393: CTS "Operation Fails: Entry Already Exists" logged when SAML2 Authentication is done

  • OPENAM-14386: JWK keyuse can be customised

  • OPENAM-14378: 'Set Persistent Cookie' node sets domain cookies in only one domain despite multiple Cookie Domains set

  • OPENAM-14353: Error Message not Displayed when Change Password does not Meet Password Policy

  • OPENAM-14336: Unable to use Signed Metadata to Re-Import

  • OPENAM-14308: LDAP Connection Pool Minimum Size for Identity Store missing from XUI

  • OPENAM-14307: ConcurrentModificationException when creating resource_set

  • OPENAM-14281: IdP Proxy relays wrong AuthnContextClassRef

  • OPENAM-14222: Amster fails exporting Secret Store Mappings in sub-realms

  • OPENAM-14212: SAML redirect to login page fails if AM installed into the root context

  • OPENAM-14200: Social auth modules do not work when AM is installed into the root context

  • OPENAM-14189: effectiveRange of Time environment condition has an issue

  • OPENAM-14147: arg=newsession in XUI shows just the "Loading…" page

  • OPENAM-14111: Refresh Token flow not enabled on OAuth2 Client can still use Refresh Token flow

  • OPENAM-14082: Authentication Chains will not open using IE11

  • OPENAM-14050: LDAP should reestablish connection to the original server after it has recovered

  • OPENAM-14009: Authtree does not proceed for missing Authorization Header

  • OPENAM-13896: Comparison method violates its general contract! seen during amster import

  • OPENAM-11523: Using the LDAP/AD auth module with change password on next login, the wrong error message is displayed if the current password is empty

  • OPENAM-10127: SessionMonitoringStore should only be instantiated when monitoring is enabled

6.5.0.1

  • OPENAM-14165: ThemeConfiguration is Not Exposed in Final UI Production Build

  • OPENAM-14092: Custom node can prevent all default nodes appearing in admin view

  • OPENAM-14080: LDAP Decision Node returns incorrect user attribute to search for in user store

  • OPENAM-14058: Cannot create Elasticsearch audit handler configuration through admin console UI

  • OPENAM-14053: Cannot build AM UI in Windows for Yarn using mvn

  • OPENAM-14049: Amster export failure

  • OPENAM-13991: 'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm

  • OPENAM-13940: Session quota limits not applied when using trees

  • OPENAM-13900: OAuth2 Device flow - duplicate user_code error after authenticating user

  • OPENAM-13720: Public API method LDAPUtils.convertToLDAPURLs cannot handle IPv6 literals

  • OPENAM-13446: Social Auth Service doesn’t redirect if already using another chain

  • OPENAM-12965: httpClient not exposed to OIDC Claim Script

  • OPENAM-12498: Authorization Grant response returns scope(s) in the URL

6.5.0.0

  • OPENAM-13842: OAuth 2.0 Device flow - can no longer use user_code more than once.

  • OPENAM-13786: REST policy evaluation throws 500 Internal Error due to stateless ssotoken encryption alg conflict.

  • OPENAM-13774: SOAP STS for Delegation RelationShip Supported is always false on XUI.

  • OPENAM-13732: Session Remaining Time is displayed with more precision and not rounded up.

  • OPENAM-13712: Unknown Signing Algorithm when Client Based Session set Signing to NONE.

  • OPENAM-13670: Selfservice password reset token doesn’t work in site due to OPENAM-6426.

  • OPENAM-13604: IdP Proxy relays wrong AuthnContextClassRef if the AuthLevel requested by the SP is not 0.

  • OPENAM-13577: The xmlsec 2.1.1.jar had issues when linebreaks were enabled.

  • OPENAM-13573: Concurrent changePassword requests to LDAPAuthUtils may cause "insufficient access rights" failures.

  • OPENAM-13531: LDAP Decision node removed username from shared state when it is not found.

  • OPENAM-13530: Datastore Decision node removed username from shared state when it is not found.

  • OPENAM-13511: DN Cache should be cleared after idRepo config change.

  • OPENAM-13496: Unable to view Services when some services have invalid attribute.

  • OPENAM-13481: Stateless OAuth 2.0 Client_credential grant/implicit type has long CTS token timeout.

  • OPENAM-13457: AM XUI favicon icon not being recognised.

  • OPENAM-13456: AM XUI custom FooterTemplate.html and LoginHeaderTemplate.html was not being applied.

  • OPENAM-13414: Upgrade fails if OAuth2 Provider service lacks tokenSigningHmacSharedSecret.

  • OPENAM-13407: AMIdentitySubject.isMember should not check privilege for group in different realm.

  • OPENAM-13359: P11RSAPrivateKey failed RSA key check.

  • OPENAM-13318: Blank passwords using PageNode Auth Tree prevents log in.

  • OPENAM-13316: LDAP Decision Node does not return Inactive Account result correctly in eDirectory.

  • OPENAM-13308: LdapDecisionNode fails when Return UserDN to Datastore is set to false.

  • OPENAM-13302: AM Self-registration kba threw an error when a user inputs an answer and pressed the enter key.

  • OPENAM-13291: Create Identities Page appears broken after upgrade from 5.5 (to 6.0 or 6.5).

  • OPENAM-13255: DefaultIDPAccountMapper does not append domain value for UPN.

  • OPENAM-13249: AM did not recognize custom templates and partials.

  • OPENAM-13183: Concurrent changePassword requests to the "users" REST endpoint caused "insufficient access rights" failures.

  • OPENAM-13162: Policy evaluation returned 403 with expired stateless app token.

  • OPENAM-13154: Lockout Duration Multiplier had no effect.

  • OPENAM-13151: OAuth 2.0 Dynamic Registration did not accept Private-Use URI (for native apps) as redirect_uri.

  • OPENAM-13128: Invalid error message was returned when user with expired password authenticated with persistent cookie module.

  • OPENAM-13112: The showServerConfig.jsp page threw a NullPointerException (NPE) when accessed using the Site or LB URL.

  • OPENAM-13100: LDAP Decision node fails with NPE when used with Active Directory.

  • OPENAM-13087: ClassNotFound Exception thrown after upgrade.

  • OPENAM-13085: WSFederation Active Request Profile authentication request hangs on input-less scripted modules.

  • OPENAM-13082: Address claim in default OIDC claims script output was in a non-spec-compliant format.

  • OPENAM-13080: Resource owners sharing resources to themselves caused an error message.

  • OPENAM-13079: Importing SAML2 MetaData for RoleDescriptor for AttributeQueryDescriptor failed.

  • OPENAM-13075: Incorrect message displayed when resource is being shared.

  • OPENAM-13072: Case-sensitive usernames resulted in listing UMA resource incorrectly.

  • OPENAM-13053: ScriptingService did not add the new values to whitelist during upgrade.

  • OPENAM-12997: Consent for default scopes was not saved.

  • OPENAM-12985: Debug log files were swamped with message 'LDAPUtils.isDN: Invalid DN' in 'error' level.

  • OPENAM-12984: Access Token Endpoint issued search request against datastore for OAuth Client.

  • OPENAM-12867: IdP-Proxy - Single Logout failed as LogoutResponse was not signed.

  • OPENAM-12866: Subsequent idpSSOInit calls after the first will fail if custom IDPAdapter forces auth step up.

  • OPENAM-12856: User authentication configuration not migrated to XUI.

  • OPENAM-12847: Public API broken - SSOTokenManager.getValidSessions(SSOToken requester, String server).

  • OPENAM-12801: OAuth 2.0 token signing forced PKCS#11 keys to have specific attributes.

  • OPENAM-12784: ProviderConfiguration was not spec compliant.

  • OPENAM-12770: Some SAML assertions were not deserialized from a SAML2 Token.

  • OPENAM-12690: XUI theme configuration realm mapping was case sensitive.

  • OPENAM-12625: JWT OIDC Token could not be valid for over 86400 seconds.

  • OPENAM-12514: IdP initiated SSO - NumberFormatException was raised in session upgrade case.

  • OPENAM-12506: Upgrade could fail with RemoveReferralsStep having too broad base DN.

  • OPENAM-12419: Policy rules not updated when external configuration store connection restarted.

  • OPENAM-12403: LDAP response controls are not logged which complicates troubleshooting.

  • OPENAM-12401: DJLDAPv3Repo - insufficient debug logging to troubleshoot membership issues.

  • OPENAM-12301: Account lockout logs ERROR: ISAccountLockout.getAcInfo: acInfo: null.

  • OPENAM-12293: Audit logging no longer logs REST operation details.

  • OPENAM-12209: The 'acr' and 'acr_sig' parameters can become duplicated during step-up authn, should not be present in url.

  • OPENAM-12174: XUI - Deleting a built-in authentication module will delete any other created by it.

  • OPENAM-12096: API explorer example for PUT on /global-config/services/scripting/contexts/{contexts}/engineConfiguration fails.

  • OPENAM-11962: Calling Logout and passing a goto URL parameter with an expired session, goto URL is ignored.

  • OPENAM-11665: Unable to login in XUI with users endpoint getting 404 due to KBA attribute issues.

  • OPENAM-11642: CustomProperties do not work when creating J2EE/Web Agents via REST.

  • OPENAM-11473: NumberFormatException on startup for External configuration setup.

  • OPENAM-11407: An extra space in the CTS store connection string " openam.internal.example.com:50389" caused OpenDJ-SDK log to grow.

  • OPENAM-11355: Missing Service tab when trying to configure dashboard with Active Directory datastore.

  • OPENAM-11225: During single logout idpSingleLogoutRedirect threw 500 error.

  • OPENAM-11177: Scripted auth module can not be used in auth chain if the username in shared state map does not 'match' the search attribute of the data store.

  • OPENAM-11167: <ActualLockoutDuration> is not updated in the attribute sunStoreInvalidAttemptsData.

  • OPENAM-11048: Account lockout did not work when the naming attribute and the LDAP Users Search Attribute were different.

  • OPENAM-10467: RFC7662: oauth2/introspect returned token_type not as Bearer.

  • OPENAM-10296: Session UI only allows searching for users in datastore.

  • OPENAM-9783: The json/users changePassword option returned the wrong error message with multiple datastores configured.

  • OPENAM-8296: OAuth 2.0 consent screen does not use XUI theme configuration.

  • OPENAM-4040: SSO failed between SPs in separate CoTs with same hosted IDP.

AM 6.0.x

AM 6.0

6.0.0.7

  • OPENAM-14581: handling ManageNameID fails if NameID does not include SPNameQualifier

  • OPENAM-14573: amlbcookie is not secure when authenticating with trees

  • OPENAM-14548: consent page still shows what’s been granted/removed as a result of OAuth2 scope policy evaluation

  • OPENAM-14505: Agent sessions are constrained by Session Quota

  • OPENAM-14427: Certificate Module with option "Match Certificate in LDAP" does not work

  • OPENAM-14393: CTS "Operation Fails: Entry Already Exists" logged when SAML2 Authentication is done

  • OPENAM-14369: Upgrading from OpenAM 13.5.0 to AM 6.0.0.x with custom PAPs causes NPE failure

  • OPENAM-14353: Error Message not Displayed when Change Password does not Meet Password Policy

  • OPENAM-14308: LDAP Connection Pool Minimum Size for Identity Store missing from XUI

  • OPENAM-14307: ConcurrentModificationException when creating resource_set

  • OPENAM-14281: IdP Proxy relays wrong AuthnContextClassRef

  • OPENAM-14189: effectiveRange of Time environment condition has an issue

  • OPENAM-14174: AM shows Ldapter.delete exception when session expiration is triggered

  • OPENAM-14147: arg=newsession in XUI shows just the "Loading…" page

  • OPENAM-14080: LDAP Decision Node returns incorrect user attribute to search for in user store

  • OPENAM-14053: Cannot build AM UI in Windows for Yarn using mvn

  • OPENAM-14050: LDAP should reestablish connection to the original server after it has recovered

  • OPENAM-13991: 'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm

  • OPENAM-13896: Comparison method violates its general contract! seen during amster import

  • OPENAM-13892: Erroneous "Response’s InResponseTo attribute is not valid" error claims "SAML2 failover is enabled" when it is not

  • OPENAM-13851: Rest STS cannot be created in the Console when upgrading to 6

  • OPENAM-13302: AM Self-registration kba throws an error when a user inputs an answer and presses the enter key.

  • OPENAM-13268: Initial authz eval request for a given realm takes a long time when there are many policies

  • OPENAM-13247: Token info endpoint throwing 401

  • OPENAM-13187: OAuth2 DeviceCode flow does not work with stateless encryption enabled

  • OPENAM-12965: httpClient not exposed to OIDC Claim Script

  • OPENAM-11523: Using the LDAP/AD auth module with change password on next login, the wrong error message is displayed if the current password is empty

  • OPENAM-11048: OpenAM account lockout does not work when naming attribute and LDAP Users Search Attribute are different

  • OPENAM-10127: SessionMonitoringStore should only be instantiated when monitoring is enabled

6.0.0.6

  • OPENAM-13814: User Self Service reCAPTCHA Feature Broken

  • OPENAM-13762: Improve caching of ServiceConfigImpl instances

  • OPENAM-13604: IdP Proxy relays wrong AuthnContextClassRef if the AuthLevel requested by the SP is not 0

  • OPENAM-13291: Create Identities Page appears broken after upgrade from 5.5 (to 6.0 or 6.5)

  • OPENAM-12789: Data store with identities that do not match user search attr cause server error

  • OPENAM-11665: Improve debug logging when unable to login in XUI with users endpoint getting 404 due to KBA attribute issues

  • OPENAM-11177: Scripted auth module cannot be used in an auth chain if the username in the shared state map does not 'match' the search attribute of the data store

6.0.0.5

  • OPENAM-13670: Selfservice password reset token doesn’t work in site due to OPENAM-6426

  • OPENAM-13649: SuccessUrl redirects not working in Safari

  • OPENAM-13581: "Try Resetting Your Password Again" Link fails if the Single use Token is expired/used

  • OPENAM-13578: KBA are not updatable after upgrade

  • OPENAM-13577: xmlsec 2.1.1.jar used in AM6 has issues when linebreaks are enabled

  • OPENAM-13573: Concurrent changePassword requests to LDAPAuthUtils may cause "insufficient access rights" failures

  • OPENAM-13563: Help link on the "Services" XUI page points to out of date documentation

  • OPENAM-13506: OAuth2 Provider Service REST defaultACR input data not validated.

  • OPENAM-13499: Incorrect transaction ID used in access events for CREST endpoints

  • OPENAM-13457: AM 6 XUI favicon icon not being recognised

  • OPENAM-13438: Setting org.forgerock.openam.ldap.heartbeat.timeout=-1 makes AM unusable

  • OPENAM-13414: Upgrade to AM6 fails if OAuth2 Provider service lacks tokenSigningHmacSharedSecret

  • OPENAM-13359: P11RSAPrivateKey fails RSA key check.

  • OPENAM-13350: Upgrade from 12.0.x to 6.0.0.2 fails with embedded user store

  • OPENAM-13315: OIDC no longer supports prompt=consent parameter

  • OPENAM-13310: Allow id tokens to be issued when no datastore configured

  • OPENAM-13301: When creating Java/Web agent groups, some properties are not tag-swapped

  • OPENAM-13183: Concurrent changePassword requests to the "users" REST endpoint causes "insufficient access rights" failures

  • OPENAM-11225: idpSingleLogoutRedirect throws 500 error SLO

  • OPENAM-8296: OAuth consent screen does not use XUI theme configuration

6.0.0.4

  • OPENAM-13456: AM 6 XUI custom FooterTemplate.html and LoginHeaderTemplate.html not being applied

  • OPENAM-13426: EncryptSAMLIDPSPBasicAuthPwdStep fails in upgrade

  • OPENAM-13347: Inner Tree Node "tree" choice field not populated after upgrade

  • OPENAM-13330: Improve SessionResource Authz Module processing

  • OPENAM-13316: LDAP Decision Node does not return Inactive Account result correctly in eDirectory

  • OPENAM-13308: LdapDecisionNode fails when Return UserDN to Datastore is set to false

  • OPENAM-13245: Omitting Node.Metadata annotation kills the loading of all plugins in AM

  • OPENAM-13236: Amster tries to load custom service subconfiguration before loading realm level configurations

  • OPENAM-13128: invalid error message returned when user with expired password authenticates with persistent cookie module

  • OPENAM-13085: WSFederation Active Request Profile authentication request hangs on input-less scripted modules

  • OPENAM-13031: Failed search for non-existent user in datastore when fetching session properties and user profile is set to ignore

  • OPENAM-12984: Access Token Endpoint issues search request against datastore for OAuth Client

  • OPENAM-12173: NumberFormatException for AuthLevel in OAuth2 logs

  • OPENAM-11642: CustomProperties do not work when creating J2EE/Web Agents via REST

  • OPENAM-11407: Extra space in the CTS store connection string " openam.internal.example.com:50389" causes OpenDJ-SDK log to grow

  • OPENAM-10532: SOAPExceptionImpl: Invalid Content-Type:text/html. Is this an error message instead of a SOAP response?

6.0.0.3

  • OPENAM-13298: OIDC requests with claims request parameter fail

  • OPENAM-13249: AM 6 doesn’t recognize custom templates and partials

  • OPENAM-13157: Custom Authentication Nodes not being exported correctly

  • OPENAM-13144: DeviceID Profiles are not saved

  • OPENAM-13138: 500 internal server error if user does not have a session when providing user code in OAuth2 device flow

  • OPENAM-13102: Device Match - Server side script fails when error level logging is enabled.

  • OPENAM-13090: Social Authentication Implementations UI does not accept an auth tree

  • OPENAM-13078: ScriptedDecisionNode exposes headers in a case sensitive map

  • OPENAM-13053: ScriptingService doesn’t add the new values to whitelist during upgrade

  • OPENAM-12338: policies?_action=evaluate checks all policy sets

  • OPENAM-12209: 'acr' and 'acr_sig' parameters can become duplicated during step-up authn, should not be present in url

  • OPENAM-11962: Calling Logout and passing a goto URL parameter with an expired session, goto URL is ignored

  • OPENAM-11240: "Skip This Step" button on the ForgeRock Authenticator (OATH) screen is missing (HOTP)

  • OPENAM-10296: Session UI only allows searching for users in datastore

6.0.0.2

  • OPENAM-13100: LDAP Decision node fails with NPE when used with Active Directory

  • OPENAM-13083: Profile KBA: custom questions are not displayed

  • OPENAM-13082: address claim in default OIDC claims script outputs non-spec compliant format

  • OPENAM-12912: Upgrade 5.5.x → 6.x fails if Amster has been used at some point to export/import

  • OPENAM-12867: IdP-Proxy - Single Logout fails as LogoutResponse is not signed

  • OPENAM-12784: ProviderConfiguration is not spec compliant

  • OPENAM-12419: Policy rules not updated when external configuration store connection restarted

6.0.0.1

  • OPENAM-13103: AM Overview Sample Monitoring Dashboard policy throughput metrics not grouped by AM instance

  • OPENAM-13099: AM Overview Sample Monitoring Dashboard session metrics also count changes to authentication sessions

  • OPENAM-13084: Entity Import ordering in amster

  • OPENAM-13074: Fix UI sections for authentication modules

  • OPENAM-13068: Sample Facebook-ProvisionIDMAccount auth tree has wrong "connections"

  • OPENAM-13008: Occasional shutdown error for AM

  • OPENAM-13006: Missing upgrade steps for OAuth2 ID Token Signing and Encryption Algorithms

  • OPENAM-12938: ODSEE fails to load identities

  • OPENAM-4040: SSO failure between SPs in separate CoTs with same hosted IDP

6.0.0.0

  • OPENAM-12703: UnsupportedOperationException seen on SAML related session logout

  • OPENAM-12626: OIDC endSession endpoint does not call post authentication plugin onLogout functions

  • OPENAM-12553: IdP Logout is ignored when using SAML2 Auth module and trying to use a goto

  • OPENAM-12477: id_token requested using grant_type=authorization_code returns auth_time in milliseconds

  • OPENAM-12418: Unable to access ForgeRock OATH for users with Profile when caching is disabled

  • OPENAM-12415: Self-Service KBA questions of TopLevel Realm(or Global Service) override SubRealm’s

  • OPENAM-12413: Enabling "Return User DN to DataStore" in the LDAP auth module results in one redundant search for "uid=uid=demo" in the configuration store

  • OPENAM-12412: Multi-valued LDAP attributes are not added to the OIDC id_token as expected

  • OPENAM-12380: Client IP audit logging stores a list of IPs instead of a single IP

  • OPENAM-12377: WS-Fed extended metadata with unknown COT value should generate an error

  • OPENAM-12370: JWT verification fails when token idle time is too long

  • OPENAM-12357: ssoadmin tools distro includes release candidate libraries

  • OPENAM-12333: AMIdentitySubject policy evaluation is not cached when many groups and a datastore are used with delegated admin

  • OPENAM-12252: Delegated admin with Stateless Session, causes Admin Console failure.

  • OPENAM-12245: "Authentication by Module Instance" policy env condition doesn’t work in session upgrade case

  • OPENAM-12244: Monitoring services unable to connect to Port

  • OPENAM-12234: Values for objects of type com.sun.xml.bind.util.ListImpl are not printed in debug logs

  • OPENAM-12226: Device Match - server side script fails

  • OPENAM-12219: Resource leak in MonitoringAdapters#getMonAuthList

  • OPENAM-12194: SLO with the SAML2 Auth Module PAP redirects to 'XUI/nullnull' when IDP has no SingleLogoutService defined

  • OPENAM-12166: Resource #3.0 logoutByHandle request fails with status 500 error

  • OPENAM-12161: Expires attribute in WS-Fed Active Requestor Profile is expected but is optional

  • OPENAM-12144: getSessionInfo endpoint _fields parameter doesn’t work

  • OPENAM-12135: OIDC token generated with datastore module takes case from request rather than from the datastore

  • OPENAM-12109: Syslog Audit Event Handler buffer size should be configurable

  • OPENAM-12082: Outlook with WS-Fed uses cached credential after AD password change.

  • OPENAM-12075: OIDC without a datastore returns "User must be authenticated to issue ID tokens"

  • OPENAM-12062: XUI DashBoard does not show trusted devices etc if user search attribute of the data store is not 'uid'

  • OPENAM-12054: Cumulative upgrades of OpenAM (e.g. 5.1.0 to 5.5.0 to 5.5.1) fail with "Writing Backup; Failed!" error

  • OPENAM-12026: Self-service user registration gets "Bad Request" on LDAP error 19

  • OPENAM-12022: Self-service registration for existing user displays "Detected conflict in request"

  • OPENAM-12011: Session is not refreshed reliably when using oauth2/authorize endpoint

  • OPENAM-11994: NullPointerException in ResourceOwnerOrSuperUserAuthzModule.getUserIdFromUri

  • OPENAM-11988: HTTP 500 when validating SSO tokens if API version is omitted in AM 5.5

  • OPENAM-11980: Social OIDC wizards do not work when provisioning accounts locally

  • OPENAM-11976: XUI Session query session by username does not work with

  • OPENAM-11968: SAML2 Auth Module does not accept SAML2 AuthResponse with no SessionIndex

  • OPENAM-11966: saml2 SSO 'better' auth’n comparison fails with 'Invalid status code in response'

  • OPENAM-11961: KBA update fails if Self-service is configured in sub-realm and root realm has no datastore

  • OPENAM-11956: SAML2 RelayState values are seen as invalid if they are not a URL which appears to go against the spec

  • OPENAM-11944: REST OAuth2 creation triggers objectClass=* search

  • OPENAM-11937: Federation UI does not allow empty NameIDMappingService

  • OPENAM-11925: CORSFilter causes failures after moving to 5.x from 13.5.x

  • OPENAM-11909: Demo user creation is based on whether a userCfg is specified, rather than when it’s set to embedded

  • OPENAM-11829: SSOToken idletime reset even when it shouldn’t be

  • OPENAM-11818: OAuth2 authn module incorrectly POSTs the state parameter to the token endpoint

  • OPENAM-11789: User remains on 'Loading' page with 'OAuth2.0/OIDC' auth module if authId token expires before entering credentials

  • OPENAM-11759: Memory leak affecting policy evaluation for stateless sessions

  • OPENAM-11746: Syslog data is not fully RFC compliant

  • OPENAM-11678: 'Oldest' REST passwordreset selfservice unusable

  • OPENAM-11673: Policy evaluation response is incorrect if the URL query string sent for evaluation contains the string ://

  • OPENAM-11661: Prevent Restlet from adding the Server header

  • OPENAM-11548: Improve Scope validator class loading error handling

  • OPENAM-11547: Missing entry or corrupted value in "com.iplanet.am.version" causes upgrade failure

  • OPENAM-11491: Upgrading OpenAM results in failure due to restSMS.xml

  • OPENAM-11477: SLO through IDP Proxy loses the RelayState

  • OPENAM-11432: Extra space in a Policy's Resource Type causes policy evaluation to fail

  • OPENAM-11402: OpenAM does not enforce OAuth2 spec for "Resource Owner Password Credentials Grant" flow

  • OPENAM-11398: OpenAM ACI installation instruction does not work for OpenDJ productionMode

  • OPENAM-11157: Oauth2/OIDC Authentication redirect goto value wrong when behind reverse proxy

  • OPENAM-10673: SAML2 authentication module fails to redirect to IDP after failing DeviceID match module

  • OPENAM-10619: Post Authentication Plugin not run during session upgrade

  • OPENAM-10591: Generate more debug details about the JSON that is failing when JsonPolicyParser throws a UNABLE_TO_SERIALIZE_OBJECT exception

  • OPENAM-9717: TimerPool deadlock on ssoadm shutdown (client SDK)

  • OPENAM-9629: OAuth2 flow creates GENERIC CTS tokens that never expire

  • OPENAM-8264: Insufficient validator for service property 'iplanet-am-auth-hmac-signing-shared-secret'

  • OPENAM-7911: Improve Error Message: "Invalid Suffix"

  • OPENAM-5991: IP Address logging in SAML2 audit logs is not consistent

  • OPENAM-5865: AuthLevelCondition will not retrieve request auth level for a capital-letter realm.

  • OPENAM-1167: WindowsDesktopSSOConfig ClassCastException on saving configuration in admin UI

AM 5.5.x

AM 5.5.2

  • OPENAM-15982: OIDC - JWT Request Parameter returns errors in query, not in the fragment when consent is denied

  • OPENAM-15944: WS-Federation - RPSignin Request fails because config data is used unchecked

  • OPENAM-15900: Kerberos fails when used with IBM JDK

  • OPENAM-15899: Have an option to add <ds:X509Certificate> tag in the signed SLO request

  • OPENAM-15896: WS-Federation relying party initiated passive request - stuck at Account Realm selection

  • OPENAM-15853: External UMA store fails on resource creation

  • OPENAM-15849: An admin cannot DELETE 2fa devices owned by users

  • OPENAM-15841: DisableSameSiteCookiesFilter broken on WebLogic

  • OPENAM-15805: idtokeninfo endpoint gives invalid signature error when ID Token is expired

  • OPENAM-15776: Push Registration fails (QR code invalid) to register

  • OPENAM-15724: SAML2 entities do not set amlbcookie if there is only one server

  • OPENAM-15722: SAML2 IdP federation endpoint does not set amlbcookie when using host-based cookies

  • OPENAM-15713: AM SP drops the 80 characters RelayState silently for HTTP Redirect

  • OPENAM-15694: RestSTSServiceHttpRouteProvider causes memory leak by adding route for every access

  • OPENAM-15652: Debug.jsp does not update all existing appenders when trying to override -Dcom.iplanet.services.debug.level at runtime

  • OPENAM-15651: AM 5.5.2 copyrights displayed in XUI pages out of date

  • OPENAM-15562: SAML2 crosstalk fails when Accept-Language header is missing from the original request

  • OPENAM-15559: OATH module broken in Japanese locale

  • OPENAM-15533: WS-Federation doesn’t work with Authentication Trees

  • OPENAM-15510: Generic amster error message "No Base Entity dc=config,dc=forgerock,dc=com found" needs to detail the actual ldap error - during install-openam

  • OPENAM-15507: 500 error when calling /revoke or /refresh endpoint with wrong token

  • OPENAM-15494: AM expects nonce request parameter in authorize request when no id_token will be returned

  • OPENAM-15487: OIDC - JWT Request Parameter returns errors in query, not in the fragment with invalid acr essential claim

  • OPENAM-15483: IDPSSOUtil.doSSOFederate throws NumberFormatException when subrealm is used with federation

  • OPENAM-15459: When Encrypted Attributes on SP is set only with AutoFederation enabled, the attributes get decryption error

  • OPENAM-15446: Incorrect error management during SAML SSO

  • OPENAM-15444: Prepare for Chrome’s move to SameSite=lax by default

  • OPENAM-15432: Oath User Devices endpoint not accessible for delegated admin

  • OPENAM-15363: Redirect_uri_mismatch error occurs in Agent 5.x after upgrading from OpenAM 13.5.0

  • OPENAM-15307: Trees Example is not working as expected OOTB to ?service=Example

  • OPENAM-15286: Upgrade from 12.0.4 fails

  • OPENAM-15257: XUI freezing when /authenticate returns unhandled http result codes

  • OPENAM-15244: AM configuration does not perform schema extension for identity store although it has the permissions

  • OPENAM-15216: LDAP Decision Node does not continue through "Fail" flow when Node Fails with exception

  • OPENAM-15210: Authentication nodes that are assigned AuthType values may not work in Session Upgrade case with custom modules

  • OPENAM-15198: WS-FED Attribute Mapper returns incorrect map when AM is SP

  • OPENAM-15164: CDSSO with "ignore profile" throws "No OpenID Connect provider"

  • OPENAM-15147: HTTP 500 upon accessing openam/json/

  • OPENAM-15116: Auth ID jwt can be modified to determine whether a realm exists or not

  • OPENAM-15089: SAML SLO - Allow RelayState to be a path-relative URL

  • OPENAM-15073: Missing RelayState query parameter in the AM redirect to fedlet application

  • OPENAM-15044: OpenID connect id_token bearer Module Unable to obtain SSO Token due to OpenIDResolver Caching

  • OPENAM-15012: OIDC - JWT Request Parameter returns errors in query, not in the fragment

  • OPENAM-14989: Configuring Rest STS with a delegated admin fails

  • OPENAM-14986: AM Cannot connect to TLSv1.2 DJ server (production mode) after JDK 8 update 192

  • OPENAM-14977: PKCE Code challenge method for Authorization Code if not set should use plain

  • OPENAM-14973: Monitoring throws StackTrace even if JDMK isn’t being used/needed.

  • OPENAM-14940: Improve SAML2 Response/Assertion generation to not have carriage return in between XML tags

  • OPENAM-14939: Enable "org.apache.xml.security.ignoreLineBreaks=true" by default

  • OPENAM-14929: idpSSOInit error when session authLevel does not map to Auth Context

  • OPENAM-14883: OAuth2/OIDC - Issuing client secret to Public clients during registration

  • OPENAM-14874: It would be nice if the x-forwarded-* option was able to parse the comma-separated string and use the first (outermost) proxy host name.

  • OPENAM-14867: AuthType is not set for Authentication Tree (AnyKnownUserAuthzModule fails in AuthTree)

  • OPENAM-14858: When NameIDPolicy does not contain Format=.., remoteEntityID is passed as null

  • OPENAM-14842: Misleading "CTS: Operation failed: Result Code: Connect Error" message when CTS store is still up and running

  • OPENAM-14829: AuthSchemeCondition doesn’t return realm aware policy condition advice

  • OPENAM-14825: OAuth2 Dynamic Registration with Software Statement triggers objectClass=* search

  • OPENAM-14799: Unable to update Agent profile using REST

  • OPENAM-14786: idpSingleLogoutPOST throws error 500 IllegalStateException on SLO

  • OPENAM-14766: introspect and tokeninfo endpoints return Internal Server Error 500 for some invalid tokens

  • OPENAM-14744: Multivalued DN stops persistent search

  • OPENAM-14740: idpSingleLogoutRedirect throws error 500 IllegalStateException on SLO

  • OPENAM-14707: ConsentRequiredResource class does not reuse value in Base url source service

  • OPENAM-14694: Consent page still shows claim values even when supported claim description is omitted

  • OPENAM-14643: OIDC Dynamic Client Registration registration_client_uri does not work for root realm

  • OPENAM-14642: OIDC Dynamic Client Registration registration_client_uri uses only Host header not BaseURL

  • OPENAM-14581: Handling ManageNameID fails if NameID does not include SPNameQualifier

  • OPENAM-14572: prompt=login destroys and creates new session

  • OPENAM-14546: SSOADM access not audited to the ssoadm.access logs anymore

  • OPENAM-14539: SAML SLO with multi protocols

  • OPENAM-14523: NullPointerException in IdP-initiated ManageNameIDRequest using SOAP Binding

  • OPENAM-14466: Logs show MissingResource for key unableToCreateArtifactResponse during SAML2 login

  • OPENAM-14465: SAML2 Artifact binding fails on multi-instance / multiserver IDP setup with SAML2 Failover on

  • OPENAM-14450: userinfo typo in Claims.java

  • OPENAM-14427: Certificate Module with option "Match Certificate in LDAP" does not work

  • OPENAM-14419: Policy evaluation returns search results for all policies that match outside of specified application

  • OPENAM-14393: CTS "Operation Fails: Entry Already Exists" logged when SAML2 Authentication is done

  • OPENAM-14369: Upgrading from OpenAM 13.5.0 with custom PAPs causes NPE failure

  • OPENAM-14356: Deleting OAuth 2.0 Client triggers unfiltered search

  • OPENAM-14337: Fail gracefully when requesting an OIDC token using "Pairwise" Subject Type and no Redirection URI is configured in client

  • OPENAM-14336: Unable to use Signed Metadata to Re-Import

  • OPENAM-14313: Audit Logging - STS transformations create duplicate entries

  • OPENAM-14310: CheckSession page indicates the session is not valid

  • OPENAM-14308: LDAP Connection Pool Minimum Size for Identity Store missing from XUI

  • OPENAM-14307: ConcurrentModificationException when creating resource_set

  • OPENAM-14281: IdP Proxy relays wrong AuthnContextClassRef

  • OPENAM-14239: FMSigProvider.verify NPE with null input for certificates

  • OPENAM-14233: updated_at claim in the ID Token is returned as a string and not a number

  • OPENAM-14232: Performance issue when creating resource_set in UMA with many existing resource_set

  • OPENAM-14189: effectiveRange of Time environment has issue

  • OPENAM-14175: CTS updates on multivalue attributes may throw Duplicate values exception

  • OPENAM-14174: AM shows Ldapter.delete exception when session expiry is triggered

  • OPENAM-14167: HTML tags are shown as part of the messages in Change Password section of AD Authentication module.

  • OPENAM-14147: arg=newsession in XUI just shows the "Loading…" page

  • OPENAM-14138: Self registration url does not include realm parameter after upgrade from 13.5.1

  • OPENAM-14115: Sample Auth module does not work in a chain when used with Shared-state

  • OPENAM-14050: LDAP should reestablish connection to the original server after it has recovered

  • OPENAM-14040: LdifUtils debug logging prints out wrong classname

  • OPENAM-14022: We shouldn’t be deploying Jetty inside a war file

  • OPENAM-13997: Include appropriate commons libraries in javadoc

  • OPENAM-13991: 'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm

  • OPENAM-13978: Session Upgrade - AuthLevel format changes

  • OPENAM-13934: saml2error.jsp fails with exception when malformed SAML2 response given

  • OPENAM-13927: Some javadoc not generated

  • OPENAM-13900: OAuth2 Device flow - duplicate user_code error after authenticating user

  • OPENAM-13890: Install.log logs AMLDAPUSERPASSWD for unprivileged demo user in plaintext

  • OPENAM-13861: Social Authentication Tree does not complete its flow with ForceAuth parameter

  • OPENAM-13842: OAuth2 Device flow - can no longer use user_code more than once

  • OPENAM-13838: Wording on "Maximum Caching Time" requires an update

  • OPENAM-13793: Building AM with the suppress-upgrade causes an exception

  • OPENAM-13786: REST policy evaluation throws 500 Internal Error due to stateless ssotoken encryption alg conflict

  • OPENAM-13779: Session API - _action=refresh requires an admin token

  • OPENAM-13750: HTTP 500 error when trying v3.1 /sessions in API explorer

  • OPENAM-13741: After upgrade from 12.0.4 there are two additional service endpoints listed in API Explorer

  • OPENAM-13740: File descriptor / Connection leak when LDAP connection handshake fails/times out

  • OPENAM-13728: I can create new user with uid=testuser* after upgrade from 13.0.0

  • OPENAM-13720: Public API method LDAPUtils.convertToLDAPURLs can not handle IPv6 literals

  • OPENAM-13670: Selfservice password reset token doesn’t work in site due to OPENAM-6426

  • OPENAM-13617: IDP initiated MNI requests to terminate link fail

  • OPENAM-13612: OAuth2 CTS Grants without RefreshToken should expire with AccessToken timeout for one-to-one mapping

  • OPENAM-13610: X-Frame-Options: SAMEORIGIN prevents use of check_session_iframe

  • OPENAM-13582: token_endpoint_auth_signing_alg_values_supported not implemented

  • OPENAM-13578: KBA are not updatable after upgrade

  • OPENAM-13577: xmlsec 2.1.1.jar used in AM has issues when linebreaks enabled

  • OPENAM-13574: Scripting class whitelist is missing classes after upgrade from 13.5.2 to 5.5.2

  • OPENAM-13573: Concurrent changePassword requests to LDAPAuthUtils may cause "insufficient access rights" failures

  • OPENAM-13563: Help link on the "Services" XUI page points to out of date documentation

  • OPENAM-13530: Datastore Decision node removes username from shared state when it is not found

  • OPENAM-13511: DN Cache should be cleared after idRepo config change

  • OPENAM-13499: Incorrect transaction ID used in access events for CREST endpoints

  • OPENAM-13490: Software Publisher Agent - Secret is not saved when creating an Agent

  • OPENAM-13465: Dynamic client registration sets wrong subjectType

  • OPENAM-13446: Social Auth Service doesn’t redirect if already using another chain

  • OPENAM-13438: Setting org.forgerock.openam.ldap.heartbeat.timeout=-1 makes AM unusable

  • OPENAM-13430: Invalid request is returned instead of Invalid request parameter error

  • OPENAM-13426: EncryptSAMLIDPSPBasicAuthPwdStep fails in upgrade

  • OPENAM-13411: Policy Configuration in Primary LDAP Server behaves differently when there is one entry compared to many

  • OPENAM-13407: AMIdentitySubject.isMember should not check privilege for group in different realm

  • OPENAM-13398: SAML SSO broken after performing Session upgrade

  • OPENAM-13359: P11RSAPrivateKey fails RSA key check.

  • OPENAM-13330: Improve SessionResource Authz Module processing

  • OPENAM-13324: /users/{user}/devices/trusted REST queryFilter expression does not work and acts as "true"

  • OPENAM-13255: DefaultIDPAccountMapper does not append domain value for UPN

  • OPENAM-13183: Concurrent changePassword requests to the "users" REST endpoint causes "insufficient access rights" failures

  • OPENAM-13162: Policy evaluation returns 403 with expired stateless app token

  • OPENAM-13154: Lockout Duration Multiplier has no effect

  • OPENAM-13151: OAuth2 Dynamic Registration does not accept Private-Use URI (for native apps) as redirect_uri

  • OPENAM-13128: Invalid error message returned when user with expired password authenticates with persistent cookie module

  • OPENAM-13112: showServerConfig.jsp throws NullPointerException (NPE) when accessed using Site or LB URL

  • OPENAM-13104: Introspection of access token fails when the wrong case of realm is used in the FIRST request

  • OPENAM-13088: RFE: add option for isInitiator=false to WDSSO configuration

  • OPENAM-13085: WSFederation Active Request Profile authentication request hangs on input-less scripted modules

  • OPENAM-13082: Address claim in default OIDC claims script outputs non-spec compliant format

  • OPENAM-13079: Import SAML2 MetaData for RoleDescriptor for AttributeQueryDescriptor fails

  • OPENAM-13072: Case Sensitivity of Username Results in Listing UMA Resources Incorrectly

  • OPENAM-13064: OAuth2 - SAML v.2.0 Bearer Assertion Grant - SubjectConfirmationData element should be optional

  • OPENAM-13053: ScriptingService doesn’t add the new values to whitelist during upgrade

  • OPENAM-13031: Failed search for non-existent user in datastore when fetching session properties and user profile is set to ignore

  • OPENAM-13008: Occasional shutdown error for AM

  • OPENAM-13006: Missing upgrade steps for OAuth2 ID Token Signing and Encryption Algorithms

  • OPENAM-13000: Custom authentication module with a single ChoiceCallback value is processed without confirmation

  • OPENAM-12997: Consent for default scopes are not saved

  • OPENAM-12994: Unable to install AM using default configuration wizard when built with 'suppress-upgrade'

  • OPENAM-12984: Access Token Endpoint issues search request against datastore for OAuth Client

  • OPENAM-12972: SAML2 Auth Module fails with empty SAML2 Advice assertion.

  • OPENAM-12965: httpClient not exposed to OIDC Claim Script

  • OPENAM-12920: LDAPConnectionFactory is not closed when PersistentSearch is restarted

  • OPENAM-12898: DNS alias results in audience validation failure for clients authenticating using JWT

  • OPENAM-12867: IdP-Proxy - Single Logout fails as LogoutResponse is not signed

  • OPENAM-12866: Subsequent idpSSOInit calls after the first will fail if custom IDPAdapter forces auth step up

  • OPENAM-12826: WS-Federation extended metadata import fails when using ssoadm

  • OPENAM-12822: No URL resource is created for subsubrealms

  • OPENAM-12784: ProviderConfiguration is not spec compliant

  • OPENAM-12770: Some SAML assertions are not deserialized from SAML2 Token.

  • OPENAM-12703: UnsupportedOperationException seen on SAML related session logout

  • OPENAM-12651: Configuration objects not cleaned up as part of realm deletion

  • OPENAM-12650: PluginSchemaImpl should clear CachedSMSEntry instance before throwing it away

  • OPENAM-12649: Incorrect equality check in CachedSubEntries#notifySMSEvent

  • OPENAM-12648: AgentsRepo instances are leaked during realm creation

  • OPENAM-12647: SMS*LdapObject entriesPresent/NotPresent caches are accessed inconsistently

  • OPENAM-12646: SMSEmbeddedLdapObject initialization fails the first time with an NPE

  • OPENAM-12645: Non-threadsafe fields are missing volatile keyword

  • OPENAM-12644: ServiceConfigManagerImpl initialization is not synchronized correctly

  • OPENAM-12643: Notification listeners are stored in sets potentially allowing loss of listeners

  • OPENAM-12642: ServiceConfigManagerImpl does not implement equals/hashCode consistently

  • OPENAM-12627: Initiating TransactionConditionAdvice with a wrong credential results in a non-error response

  • OPENAM-12626: OIDC endSession endpoint does not call post authentication plugin onLogout functions

  • OPENAM-12610: AM cannot recognize version on upgrade from older versions

  • OPENAM-12561: "Failed to create realm" with NullPointerException cause

  • OPENAM-12553: IdP Logout is ignored when using SAML2 Auth module and trying to use a goto

  • OPENAM-12533: Internal server error if JSON cannot be parsed by the json/authenticate endpoint

  • OPENAM-12531: Running webagent 5.0.0 against OpenAM 5.5.1 or later that was upgraded from a previous version will result in segmentation fault or crash

  • OPENAM-12514: IdP initiated SSO - NumberFormatException is raised in session upgrade case

  • OPENAM-12511: User with the name "amadmin" can be created via the /users REST endpoint

  • OPENAM-12498: Authorization Grant response returns scope(s) in the URL

  • OPENAM-12477: id_token requested using grant_type=authorization_code returns auth_time in milliseconds

  • OPENAM-12440: User status is ignored

  • OPENAM-12419: Policy rules not updated when external configuration store connection restarted

  • OPENAM-12418: Unable to access Forgerock OATH for users with Profile when caching disable

  • OPENAM-12415: Self-Service KBA questions of TopLevel Realm(or Global Service) override SubRealm’s

  • OPENAM-12413: Enabling "Return User DN to DataStore" in the LDAP auth module results in one redundant search for "uid=uid=demo" in the configuration store

  • OPENAM-12412: Multi-valued LDAP attributes are not added to the OIDC id_token as expected

  • OPENAM-12403: LDAP response controls are not logged which complicates troubleshooting

  • OPENAM-12401: DJLDAPv3Repo - insufficient debug logging to troubleshoot membership issues

  • OPENAM-12384: Guice binding error when handling WSFed entities via ssoadm

  • OPENAM-12380: client IP audit logging is not stored as an IP but as a list of IPs

  • OPENAM-12377: WS-Fed extended metadata with unknown COT value should generate an error

  • OPENAM-12373: amster transport key makes rest operations too slow

  • OPENAM-12370: JWT verification fails when token idle time is too long

  • OPENAM-12357: ssoadmin tools distro includes release candidate libraries

  • OPENAM-12338: policies?_action=evaluate checks all policy sets

  • OPENAM-12333: AMIdentitySubject policy evaluation not cached when there are a lot of groups and the datastore is used with delegated admin

  • OPENAM-12328: Inefficient LDAP Search initiated by getRealmFromAlias() call as part of login process

  • OPENAM-12321: DeviceID showing extra info incorrectly in audit logs

  • OPENAM-12319: Memory leak in accessing Jato Pages.

  • OPENAM-12315: NullPointerException after configuration store failover

  • OPENAM-12293: Audit logging no longer logs REST operation details

  • OPENAM-12262: CachedSMSEntry should only deregister its listener upon invalidation

  • OPENAM-12261: Honor org.apache.xml.security.ignoreLineBreaks=true when generating WS-Fed Assertions

  • OPENAM-12258: ServiceSchemaManagerImpl can lose listeners when it gets invalidated

  • OPENAM-12257: SMS listeners are not processed in the order they have been registered

  • OPENAM-12255: Process SMS notifications sequentially by default instead of using a threadpool

  • OPENAM-12254: ServiceListeners API doesn’t always receive schema notifications

  • OPENAM-12252: Delegated admin with Stateless Session, causes Admin Console failure.

  • OPENAM-12245: "Authentication by Module Instance" policy env condition doesn’t work in session upgrade case

  • OPENAM-12244: Monitoring services unable to connect to Port

  • OPENAM-12234: Values for objects of type com.sun.xml.bind.util.ListImpl are not printed in debug logs

  • OPENAM-12232: Dynamic registration is not registering token_endpoint_auth_signing_alg, request_object_encryption_alg and request_object_encryption_enc

  • OPENAM-12226: Device Match - server side script fails

  • OPENAM-12219: Resource leak in MonitoringAdapters#getMonAuthList

  • OPENAM-12215: NPE thrown when calling OIDC authorize endpoint with invalid SSOToken

  • OPENAM-12194: SLO with the SAML2 Auth Module PAP redirects to 'XUI/nullnull' when IDP has no SingleLogoutService defined

  • OPENAM-12186: Introspect endpoint for RPT does not check the authorization scheme

  • OPENAM-12184: Extend the DJ/DS SDK affinity LB feature to the userstore connection

  • OPENAM-12181: REST STS OIDC multi value local attributes not transformed into Claims correctly

  • OPENAM-12176: ServiceConfigManagerImpl does not retain order of notification events.

  • OPENAM-12174: XUI - Deleting a built-in authentication module will delete any other created by it

  • OPENAM-12173: NumberFormatException for AuthLevel in OAuth2 logs

  • OPENAM-12171: PolicySetCache gets corrupted when the realm name contains upper case characters

  • OPENAM-12170: NPE in PolicyConfig

  • OPENAM-12169: REST SMS deadlocks when processing notifications

  • OPENAM-12166: Resource #3.0 logoutByHandle request fail with status 500 error

  • OPENAM-12161: Expires attribute in WS-Fed Active Requestor Profile is expected but is optional

  • OPENAM-12155: Client authenticate JWT with no exp and audience throw a NPE

  • OPENAM-12144: getSessionInfo endpoint _fields parameter doesn’t work

  • OPENAM-12140: Allow USS Registration route to be configurable

  • OPENAM-12109: Syslog Audit Event Handler buffer size should be configurable

  • OPENAM-12098: Default server property com.sun.identity.urlchecker.dorequest is invalid

  • OPENAM-12082: Outlook with WS-Fed uses cached credential after AD password change.

  • OPENAM-12080: OAuth2 Stateless Session Signing Key lost during upgrade

  • OPENAM-12079: Cannot use prompt=login with device flow

  • OPENAM-12078: OAuth 2 device flow loses OIDC nonce

  • OPENAM-12075: OIDC without a datastore returns "User must be authenticated to issue ID tokens"

  • OPENAM-12071: Error during upgrade with unindexed search from UpgradeUtils.deleteService()

  • OPENAM-12069: Non amadmin admin user can’t edit Policy Sets / Policies

  • OPENAM-12062: XUI DashBoard does not show trusted devices etc if user search attribute of the data store is not 'uid'

  • OPENAM-12054: Cumulative upgrades of OpenAM (e.g. 5.1.0 to 5.5.0 to 5.5.1) fail with "Writing Backup; Failed!" error

  • OPENAM-12037: Memory leak: LDAPFilterCondition creates new ShutdownManager listener on each request

  • OPENAM-12026: Self-service user registration gets "Bad Request" on LDAP error 19

  • OPENAM-12022: Self-service registration for existing user displays "Detected conflict in request"

  • OPENAM-11994: NullPointerException in ResourceOwnerOrSuperUserAuthzModule.getUserIdFromUri

  • OPENAM-11980: Social OIDC wizards do not work when provisioning accounts locally

  • OPENAM-11976: XUI Session query session by username does not work with

  • OPENAM-11968: SAML2 Auth Module does not accept SAML2 AuthResponse with no SessionIndex

  • OPENAM-11966: SAML2 SSO 'better' auth’n comparison fails with 'Invalid status code in response'

  • OPENAM-11962: Calling Logout and passing a goto URL parameter with an expired session, goto URL is ignored

  • OPENAM-11961: KBA update fails if Self service is configured in sub-realm and root realm has no datastore

  • OPENAM-11956: SAML2 RelayState values are seen as invalid if they are not a URL which appears to go against the spec

  • OPENAM-11944: REST OAuth2 creation triggers objectClass=* search

  • OPENAM-11937: Federation UI does not allow empty NameIDMappingService

  • OPENAM-11935: redirect_uri should be required in the OAuth2 authorization request

  • OPENAM-11925: CORSFilter causing failures after moving to 5.x from 13.5.x

  • OPENAM-11909: Demo user creation is based on whether a userCfg is specified, rather than when it’s set to embedded

  • OPENAM-11876: Amster has a timeout limit of 10 seconds and it is not configurable

  • OPENAM-11863: CORSFilter position in web.xml should come before most filters

  • OPENAM-11829: SSOToken idletime reset even when it shouldn’t be

  • OPENAM-11818: Oauth2 authn module incorrectly POSTs the state parameter to the token endpoint

  • OPENAM-11789: User remains on 'Loading' page with 'OAuth2.0/OIDC' auth module if authId token expires before entering credentials

  • OPENAM-11746: Syslog data is not fully RFC compliant

  • OPENAM-11678: 'Oldest' REST passwordreset selfservice unusable

  • OPENAM-11673: Policy evaluation response is incorrect if the URL query string sent for evaluation contains the string ://

  • OPENAM-1167: WindowsDesktopSSOConfig ClassCastException on saving configuration in admin UI

  • OPENAM-11665: Improve debug logging when unable to login in XUI with users endpoint getting 404 due to KBA attribute issues

  • OPENAM-11642: CustomProperties do not work when creating J2EE/Web Agents via REST

  • OPENAM-11619: Default scope value is incorrect (empty) for Social Auth VKontakte module

  • OPENAM-11565: Implicit grant flow is not generating an Ops token

  • OPENAM-11548: Improve Scope validator class loading error handling

  • OPENAM-11547: Missing entry or corrupted value in "com.iplanet.am.version" causes upgrade failure

  • OPENAM-11523: Using the LDAP/AD auth module with change password on next login, if the current password is empty the wrong error message is displayed

  • OPENAM-11491: Upgrading OpenAM results in failure due to restSMS.xml

  • OPENAM-11473: NumberFormatException on startup for External configuration setup

  • OPENAM-11432: Extra space in a Policy's Resource Type will cause policy evaluation to fail

  • OPENAM-11407: Extra space in the CTS's connection string " openam.internal.example.com:50389" causes OpenDJ-SDK log to grow

  • OPENAM-11402: OpenAM does not enforce OAuth2 spec for "Resource Owner Password Credentials Grant" flow

  • OPENAM-11398: OpenAM ACI installation instruction does not work for OpenDJ productionMode

  • OPENAM-11312: Attribute Mapping defined in wsfed remote SP should not be overridden by attribute mapping defined in wsfed OpenAM Hosted IDP

  • OPENAM-11289: SP initiated SLO with SOAP binding fails with code 400

  • OPENAM-11240: "Skip This Step" button on the ForgeRock Authenticator (OATH) screen is missing (HOTP)

  • OPENAM-11225: idpSingleLogoutRedirect throws 500 error SLO

  • OPENAM-11177: Scripted auth module can not be used in auth chain if the username in sharedstate map does not 'match' the search attribute of the data store

  • OPENAM-11167: <ActualLockoutDuration> is not updated in the attribute sunStoreInvalidAttemptsData

  • OPENAM-11159: OpenAM Amster export/import for Site has import errors

  • OPENAM-11157: Oauth2/OIDC Authentication redirect goto value wrong when behind reverse proxy

  • OPENAM-11118: REST call allows for realm name with space when creating realm

  • OPENAM-11087: Global Config Email Service SSL State has changed from SSL to non-SSL between versions 13.5.0 and 14.0.0

  • OPENAM-11055: ssoadm command "set-attr-defs" reports success but does not actually update global service

  • OPENAM-11048: OpenAM account lockout does not work when naming attribute and LDAP Users Search Attribute are different

  • OPENAM-10994: Performance degradation of around 30% using the default JCEKS keystore compared to JKS

  • OPENAM-10935: DeviceIDSave - stacktrace is lost

  • OPENAM-10934: Authentication succeeds although DeviceIDSave module fails

  • OPENAM-10673: SAML2 authentication module fails to redirect to IDP after failing DeviceID match module

  • OPENAM-10619: Post Authentication Plugin not run during session upgrade

  • OPENAM-10591: Generate more debug details about the JSON that is failing when JsonPolicyParser throws a UNABLE_TO_SERIALIZE_OBJECT exception

  • OPENAM-10532: SOAPExceptionImpl: Invalid Content-Type:text/html. Is this an error message instead of a SOAP response?

  • OPENAM-10371: NPE for notifyGlobalConfigChange in Configuration debug file after OpenAM setup

  • OPENAM-10296: Session UI only allows searching for users in datastore

  • OPENAM-10191: Add Skew to NotOnOrAfter and NotBefore Assertion Conditions

  • OPENAM-10083: Sending READ to sites endpoint sometimes returns 500 error

  • OPENAM-9931: Global Session Service - two fields with the exact same name (Redundant 'Global Attributes' setting should be removed)

  • OPENAM-9790: Allow IDP to determine request binding from goto url as well as request method

  • OPENAM-9783: json/users changePassword returns the wrong error message with multiple datastores

  • OPENAM-9674: Support Active Directory Recursive Group Membership Lookup

  • OPENAM-8264: Insufficient validator for service property 'iplanet-am-auth-hmac-signing-shared-secret'

  • OPENAM-6925: When getting an access token with a Basic HTTP client and an invalid grant_type the wrong error is returned

  • OPENAM-6748: Improve mechanics of the notification cache

  • OPENAM-6445: UMA policy with self-sharing creating policy despite failure

  • OPENAM-6426: Forgot password doesn’t print an audit log

  • OPENAM-6370: REST-SMS: 500 Internal Server Error for Invalid Attribute Update

  • OPENAM-6141: REST-SMS: Request for sts and dashboard services schema returns 500

  • OPENAM-5867: Data Store LDAP server (admin-ordered) list is reordered by OpenAM

  • OPENAM-5865: AuthLevelCondition will not retrieve request auth level for a capital-letter realm.

  • OPENAM-4040: SSO failure between SPs in separate CoTs with same hosted IDP

AM 5.5.1

  • OPENAM-11988: HTTP 500 when validating SSO tokens if API version is omitted in AM 5.5

AM 5.5

  • OPENAM-11834: Passwords being set to empty strings in tabbed forms in XUI

  • OPENAM-11646: Cookie values wrapped in double quotes

  • OPENAM-11632: CDCServlet does not work with realm

  • OPENAM-11610: WindowSSO module broken in AM 5.5 after upgrade

  • OPENAM-11526: Realm Authentication chain post authentication classes PAP not triggered on chains with multiple modules

  • OPENAM-11391: Requesting 'OAuth2.0/OIDC' auth module a second time results in display of AM’s "Authentication Failed" page

  • OPENAM-11300: OIDC request parameter is failing when message level is enabled

  • OPENAM-11280: authentication with noSession=true fails if post authentication plugin class is present

  • OPENAM-11218: OpenAM throws service error for Application Module

  • OPENAM-11217: SAML2 Authentication module is not invoking custom SP Adapter class implementing a preSingleSignOnRequest() method

  • OPENAM-11196: Incorrect debug logging level used in FMEncProvider.getEncryptionKey

  • OPENAM-11154: Memory leak in SMSEventListenerManager#subNodeChanges

  • OPENAM-11115: Push authentication should use alias attributes to find identities

  • OPENAM-11101: Social Auth links do not contain the goto url

  • OPENAM-11070: Need OAuth2 authentication to work in Android with implied consent

  • OPENAM-11057: Global User Self Service UI does not display values

  • OPENAM-11015: ForceAuth session upgrade does not work

  • OPENAM-10971: FR-OATH auth module can not be used in auth chain if the username in sharedstate map does not 'match' the search attribute of the data store

  • OPENAM-10970: logout response binding should be selected based on the capabilities of the SP

  • OPENAM-10965: Stateless OAuth2 can’t verify access and refresh token

  • OPENAM-10931: IdentitySubject not adding isMember() result to cache after entry has changed

  • OPENAM-10782: endSession with an id_token generated from a refresh_token request does not destroy the session

  • OPENAM-10756: setSucessModuleNames in AMLoginModule calls AuthModule’s getPrincipal multiple times

  • OPENAM-10585: The "claims" Request Parameter from the openid standard isn’t functional

  • OPENAM-10578: Stateless access token doesn’t contain the grant type

  • OPENAM-10562: Audit log 'Configuration' entries are not written when using external configuration store

  • OPENAM-10332: Quota constraints exceeded - Interim Fix

  • OPENAM-10129: OAuth2 Device flow - user code verification is case-insensitive

  • OPENAM-10103: output from re-indexing action during initial configuration is lost

  • OPENAM-10102: insufficient progress information during configuration

  • OPENAM-10013: HOTP session upgrade not possible in XUI if the wrong code is entered first time

  • OPENAM-9979: Authentication chain post authentication classes are not used if realm level PAP setting exists

  • OPENAM-9885: Oauth2 load: Tomcat keeps logging "WARNING: Addition of the standard header "Pragma" is discouraged as a future version of the Restlet API will directly support it"

  • OPENAM-9156: 'Not Found' error in UI when opening a custom auth module created with ssoadm with the name the same as type

  • OPENAM-8771: "Unknown Error: Please contact your administrator", shown with FacebookSocialAuthentication option "Prompt for password setting and activation code" (org-forgerock-auth-oauth-prompt-password-flag)

  • OPENAM-8270: Using client_credentials Grant type with openid scope returns User must be authenticated to issue ID tokens

  • OPENAM-8063: Merge Debug Files feature does not work correctly

  • OPENAM-7781: persistent cookie auth module does not allow changing the cookie name by default

  • OPENAM-7437: Finish button of Identity Provider wizard doesn’t work

  • OPENAM-5864: Quota constraints exceeded in multi-instance with LB and CTS enabled

  • OPENAM-5153: Auth modules should call setAuthLevel after successful login

  • OPENAM-5152: AMAuthLevelManager miscalculates auth level

  • OPENAM-3679: IDP Finder fails to validate relaystate

  • OPENAM-1325: OpenAM fails to set up when deployed under the root URI ('/')

Copyright © 2010-2024 ForgeRock, all rights reserved.