Known issues

OPENAM-20751: Authentication errors with AM on Windows and connection errors in session log

OPENAM-20703: Tree secure state retained unnecessarily long

OPENAM-20647: Incorrect exception thrown when trying to access the static method of a non-allowlisted class

OPENAM-20572: End user password reset email field is not validated

OPENAM-20557: OATH recovery codes are not displayed if Registration node is followed by OATH Token Verifier node

OPENAM-20556: OATH recovery codes are not displayed if Store device data in shared state is selected in OATH Registration node

OPENAM-20543: Display page node header, description, and footer, in correct default language

OPENAM-20520: HttpClient sent request is not returning the correct response object

OPENAM-20517: Acceptable variance configuration not working for Device Match node

OPENAM-20516: Create tree command fails when using POST with _action=create

OPENAM-20515: Delete fails for Authentication node, when its _id is not a UUID

OPENAM-20513: Random login failure when using registration tree

OPENAM-20496: Null refresh_token for OAuth 2.0 token exchange delegation case

OPENAM-20324: Default install of AM does not have the updated identity classes in the policy script whitelist

OPENAM-20299: com.iplanet.am.session.agentSessionIdleTime is not honored using Agent authentication tree

OPENAM-20188: Using session cookie created before AM is restarted

OPENAM-20077: Access token modification script does not have access to client for client_credential grant flow if realm configured to ignore profile

OPENAM-19988: Using an id_token generated by AM in a policy condition does not work

OPENAM-19878: ArrayIndexOutOfBoundsException in SAML2

OPENAM-19829: Build fails on module openam-encryption-support when using JDK 18

OPENAM-20546: Ensure AM handles an empty value for the authorization JWT response signing algorithm

OPENAM-20479: OIDC authentication request fails if request is sent as unsecured JWS

OPENAM-20457: DeviceLocationMatchNode fails when location service is disabled in browser and is unable to collect location information

OPENAM-20396: Authentication tree is selected by order of acr to tree mapping, not the default values and order is not preserved

OPENAM-20104: The fragment response_mode for the /oauth2/authorize endpoint is not working

OPENAM-19619: NodeState keys API does not return all keys using a wildcard (*)

OPENAM-19613: PSearch is already removed error message should be warning

OPENAM-19567: InvalidCount variable does not update after successive failed attempts

OPENAM-19480: 500 Internal Server Error on /json/scripts with "not equal" CREST filter

OPENAM-19476: AbstractUpgradeHelper#updateChoiceValues does not handle i18nKey values

OPENAM-19451: When using Chrome WebAuthn simulator and WebAuthn set with attestation DIRECT fails

OPENAM-19422: KeepAlive search filter shouldn’t be Absolute True and False Filters

OPENAM-19375: Searching JavaDoc does not function correctly

OPENAM-19371: Updating an auth tree over REST requires all the nodes to be listed in the payload

OPENAM-19261: Introspect call for tokens obtained via the client credentials grant produces error, warning

OPENAM-19213: AM doesn’t work in Tomcat 10

OPENAM-19187: Unable to remove Saml2 IDP Attribute Mapper scripts using UI

OPENAM-19139: AM reports authorization errors using fragments on form_post requests

OPENAM-19118: Authentication audit events not logged when ScriptedDecisionNode script contains a syntax error

OPENAM-19084: Response does not comply to Standard when Requesting Claim that are Unavailable

OPENAM-19081: Modules of type OpenID Connect id_token bearer are not correctly handled in UI and in datastore

OPENAM-19030: AM Logs an Error if Resource Type cannot be found

OPENAM-19008: AuthTreesSecretsApiStep creates a potentially invalid secret mapping

OPENAM-18961: BasicOAuth2RequestImpl throws error at "ERROR" level

OPENAM-18935: Inconsistent behavior in ConfigProviderNode when omitting config properties

OPENAM-18544: AM Access Auditing Reports FAILURE on 302

OPENAM-18512: UMA resource set endpoint doesn’t list all relevant resource sets

OPENAM-18481: OIDC client mandates kid value in JOSE header

OPENAM-18469: Persistent Claims doc string references "RFC 123"

OPENAM-18394: Bazel fails to download Maven dependencies on first compilation

OPENAM-18375: Common password policy validation fails when using Registration Tree

OPENAM-18351: Form parameter is not recognized in access_token endpoint

OPENAM-18254: Attempting to create a user via Registration Tree fails after scaling up ds pods

OPENAM-18122: FBC rule written to remove reference to MAY_ACT default script set null instead of [Empty]

OPENAM-17957: Identify Existing User node fails with exception when more than one user is found

OPENAM-13329: Trees Display Character Encoding in Settings Dropdown Menu

OPENAM-12492: Identities: 500 Error when switch to Services tab on anonymous profile

OPENAM-19749: Authentication failure when using a specific locale containing a _ character in Message node

OPENAM-19743: Message node allows empty value for locale name

OPENAM-18818: Persistent search error message shows wrong DS identifier

OPENAM-18613: Web upgrader fails during second instance upgrade

OPENAM-18558: OIDC Client Group Inheritance not honoured immediately

OPENAM-17768: Enabling allowlisting in trees causes an infinite redirect loop in the registration tree

OPENAM-17687: XUI selects wrong partials if a new partial exists with the same prefix

OPENAM-17418: OpenId account mapping fails because userInfo subject claim has value usr!demo

OPENAM-17315: Update defaults scripts with the change introduced in COMMONS-628

OPENAM-16449: Filter fields on the Scripts admin page do not work

OPENAM-17663: Improve the error response code for "Failed to revoke access token"

OPENAM-17452: SAML bearer grant flow using signed assertions fails - signature validation failure

OPENAM-17394: Callback types should be part of the supported API

OPENAM-17256: Text is overlapping buttons in configuration UI in Firefox while adding new server

OPENAM-16939: IDM nodes does not follow proxy settings

OPENAM-16561: OAuth Consent screen does not apply theming

OPENAM-16554: Misplaced bufferingEnabled checkbox in New Syslog configuration

OPENAM-16539: userinfo endpoint does not return expected user attributes

OPENAM-16522: Device Save Node failed on Platform environment

OPENAM-16491: SAML Update introduces javascript calls that aren’t available in IE8 and below (or IE11 using Enterprise mode)

OPENAM-16280: German login page translation is not complete

OPENAM-16261: Node dev guide - CoreWrapper is not supported API

OPENAM-16258: Resource login fails to work to Authenticate to Module instance

OPENAM-16229: Exceptions logged while upgrading to AM7

OPENAM-16202: Deleting SAML2 entities in console does not remove them from COT

OPENAM-16197: social authmodule does not send activaion email if un-authenticated SMTP server is used

OPENAM-16105: AM Login UI cannot handle self service and SDK authentication callbacks

OPENAM-16076: An auth node config marked @password (type char[]) cannot also be Optional

OPENAM-16068: Annotation based service implementation provides no way to deregister service listeners

OPENAM-15892: ScriptingSchemaStep clears whitelist customisations on upgrade

OPENAM-15879: openam > ui-admin > entire sessions view disappears when querying with asterisk

OPENAM-15861: NullPointerException in CollectionHelper.getServerMapAttrs

OPENAM-15860: IdP Init SAML SSO results in two set-cookie: amlbcookie headers in SP Consumer response

OPENAM-15812: WebAuthN Node for a user with a webauthn profile for another site causes authenticator to complain using wrong security key

OPENAM-15791: The /json/groups endpoint is not accessible to the Agents

OPENAM-15727: JWT minted by oauth2/authorize does not have correct acr claim when an upgraded SSO token is used

OPENAM-15699: _fields query parameter for API "Action" end point eg _action=refresh does not work as documented

OPENAM-15609: CorsService API Descriptor text doesn’t match functionality

OPENAM-15534: LDAP connection errors when using DS7 and rest2ldap test

OPENAM-15351: During Upgrade Scripts are not updated

OPENAM-15253: Upgrade fails if external data store for Applications and Policies is used

OPENAM-15037: React-select-multi component - when key pressed to add an entry the previously selected entry remains highlighted

OPENAM-15027: React-select-multi component - when enter is clicked on the 'x' of selected entry to delete, form is submitted

OPENAM-14897: Default values for JWKs URI content cache timeout and miss timeout are not set on upgrade

OPENAM-14887: TimerPool logs error during AM graceful shutdown

OPENAM-14882: OAuth2 do not log scopes while using device code flow

OPENAM-14838: Trusted JWT issuer cache is refreshed inefficiently affecting other lookups

OPENAM-14837: Trusted Issuer lookup does not pick up modified issuer values

OPENAM-14834: JWT bearer grant implementation finds trusted JWT issuers by performing an unindexed search

OPENAM-14755: NullPointerException if auth module callback xml file can not be retrieved by ResourceLookup

OPENAM-14666: XUI - InternalError: "too much recursion" error can appear when Adding/Viewing/Updating realms

OPENAM-14602: The API documentation for some Node API is missing methods/fields in 6.5/7

OPENAM-14594: Possible thread-safety issue in OIDC pairwise subject identifiers

OPENAM-14576: Configuration LDAP accessed when users endpoint accessed

OPENAM-14500: SAML SP-initiated SSO without existing SSO Session - value of 'goto' parameter not URLencoded

OPENAM-14499: SAML IdP-initiated SSO without existing SSO Session - value of 'goto' parameter not URLencoded

OPENAM-14494: In Firefox the text is cropped inside of the realm’s card on Dashboard

OPENAM-14404: Multiple calls being made to session endpoint by XUI when session cookie lost

OPENAM-14343: AM console - localisation issue for algorithms in global Common Federation Configuration

OPENAM-14322: Servers → Directory Configuration API Can Be Broken With Crafted Payload

OPENAM-14290: Caching issue for 'users' REST endpoint

OPENAM-14263: Bad title for External Data Stores secondary configuration page

OPENAM-14207: NullPointerException AM Console if IDPSSODescriptor is missing attribute 'WantAuthnRequestsSigned'

OPENAM-13962: Errors during shutdown of AM

OPENAM-13513: Call Authentication Tree in a Radius Client

OPENAM-12207: Created OAuth2 client using curl request with defined scopes breaks the AM UI

OPENAM-11737: http.response.headers not populating in audit logs

OPENAM-11083: Delegated Admin cannot create Oauth2 Provider in realm

OPENAM-10696: Login screen does not show mobile users feedback on failure

OPENAM-10554: AM installation fails if BASE_DIR is different from the path in .openamcfg

OPENAM-10427: LDAP connections created by the configurator wizard are never closed

OPENAM-71: SAML2 error handling in HTTP POST and Redirect bindings

OPENAM-18283: If IDP session is no longer valid, IDPSLO does not redirect to RelayState

OPENAM-18268: webauthnDeviceProfiles is not multi value for AD

OPENAM-18245: Creating a SAML2 entity with a double space results in SAML2 entity with a single space

OPENAM-18039: WebAgent groups with 'Custom Properties' can not be managed via XUI-based AM console after upgrade

OPENAM-18034: Unable to set OAuth2Provider service attributes with ssoadm

OPENAM-17375: Social Auth Provider links only show on login page if using ldapService

OPENAM-17246: LDAP IdRepo - it’s not possible to change the value of the 'LDAP Users Search Attribute' of an user identity subject via identity REST API

OPENAM-17245: 'User Attribute Mapping to Session Attribute' does not work for authentication trees

OPENAM-17203: With the OIDC Hybrid flow and implied consent on, scopes added by a customer scope validator are not available in claims script

OPENAM-17198: "Illegal character in scheme name" error when creating client-based access and refresh tokens with client ID that contains special chars

OPENAM-16976: Resource-based authentication does not evaluate policies in new policy set (not in default iPlanetAMWebAgentService)

OPENAM-16745: client_id in access token ignores what’s been registered when idm cache is disabled

OPENAM-16712: Importing SAML2 Metadata with both IDP and SP with cot ends up with duplicated extended metadata

OPENAM-16703: OAuth2 Access token obtained from refresh token is certificate-bound regardless of "Certificate-Bound Access Tokens" configuration (when client_secret_basic used for credentials)

OPENAM-16669: IdentityGateway Agent entry missing attribute required to support org.forgerock.openam.agent.TokenRestrictionResolver#getAgentInfo

OPENAM-16540: Issues with Social Login URLs when navigating quickly between providers

OPENAM-16282: Upgrade may fails during upgrading SAML2 secret

OPENAM-16223: Product nodes and marketplace/community/custom node cause naming clashes and prevent nodes with same name coinciding together

OPENAM-16067: Potential memory leak when OAuth2 provider config changes

OPENAM-15900: Kerberos fails when used with IBM JDK.

OPENAM-15809: Update CORS service for IE11 compatibility

OPENAM-15785: OIDC spec violation - HTTP POST can not be used to send Authentication Request

OPENAM-15784: Form elements in policy environment condition tab are displayed twice. Workaround Ignore the repeated form field.

OPENAM-15659: WS-Federation IP incorrectly determines login URL when AM is deployed to root context

OPENAM-15501: Xml encryption 1.1 namespaces aren’t always mapped to prefixes correctly

OPENAM-15431: Incorrect SHA-256 and DSA config in xml-security-config.xml

OPENAM-15371: ssoadm import-svc-cfg fails with unable to recognize the data store type error

OPENAM-15370: ssoadm import-svc-cfg fails with Unable to obtain Server URL

OPENAM-15297: AM with Embedded DS - baseDN is hard-coded as dc

OPENAM-15154: Update supported ID token encryption algorithms to include ECDH-ES

OPENAM-15101: Remove the ability to disable XUI

OPENAM-15065: HTTP 500 authentication error in CIBA workflow when user deny request

OPENAM-15064: HTTP 500 authentication error in CIBA workflow when user do not have registered mobile device

OPENAM-15063: when there is quote in binding message of CIBA request, notification fail to be sent

OPENAM-15052: when id_token_hint is not JWT, CIBA authorization request returns HTTP 500

OPENAM-15049: wrong JWT while obtaining CIBA auth request id will result in HTTP 500 NPE

OPENAM-15040: CIBA authorization request returns HTTP 500 NPE when file is wrong

OPENAM-15006: A Choice collector inside a Page Node when re-opened does not show choices

OPENAM-14853: Intermittent bug caused by partials not being loaded in-time.

OPENAM-14791: AM does not return scope attribute in response when granted scope is empty

OPENAM-14666: XUI - InternalError: "too much recursion" error can appear when Adding/Viewing/Updating realms

OPENAM-14545: Debug log showing NullPointerException in com.sun.identity.federation.common.FSUtils#getRemoteServiceURLs

OPENAM-14047: SAML1 and ID-FF configuration should no longer be present

OPENAM-14030: Pressing Enter does not submit New Tree form

OPENAM-13985: Authentication Devices Context (Settings) menu is off-screen on mobile devices

OPENAM-13942: SAML2 Circle of Trust - REST Update doesn’t update the metadata of the provider

OPENAM-13937: AM stack trace in container logs

OPENAM-13905: XUI Authentication - Switching realms is not possible

OPENAM-13904: Authentication by using the REST API - Switching realms is not possible.

OPENAM-13836: Logout page is shown even when the server can’t be contacted

OPENAM-13486: AM Upgrade fails on opendj_remove_session_listener_on_all_sessions.

OPENAM-13428: EntitlementException not passed to PLL or JSON policy layer.

OPENAM-12673: Title should display a translation text, not type in the radius sub configuration pages

OPENAM-9098: Changes in debugconfig.properties do not take effect immediately.

OPENAM-3285: OpenID Connect authorization response is not returning required session_state.

OPENAM-14848: Insufficient debug logging in OpenID Connect authentication module

OPENAM-14782: AuthTree created Session does not use per User Session Service settings

OPENAM-14755: NullPointerException if auth module callback xml file can not be retrieved by ResourceLookup

OPENAM-14624: XUI fails to load partial potential issue with webpacks

OPENAM-14594: Possible thread-safety issue in OIDC pairwise subject identifiers

OPENAM-14580: IdP-initiated ManageNameID request fails with "unsuported binding" when IdP meta alias is incorrect.

OPENAM-14576: Configuration LDAP accessed when users endpoint accessed

OPENAM-14500: SAML SP-initiated SSO without existing SSO Session - value of 'goto' parameter not URLencoded

OPENAM-14499: SAML IdP-initiated SSO without existing SSO Session - value of 'goto' parameter not URLencoded

OPENAM-14343: AM console - localisation issue for algorithms in global Common Federation Configuration

OPENAM-14309: Import of SAML2 Metadata not signed on EntityDescriptor fails.

OPENAM-14290: Caching issue for 'users' REST endpoint

OPENAM-14277: IdP-Proxy - SP part prompts for authentication if no local user can be found

OPENAM-14240: FMSigProvider.verify does not tell if certificates are provided

OPENAM-14234: NullPointerException in SP-initaited SSO if IDPSSODescriptor is missing attribute 'WantAuthnRequestsSigned'

OPENAM-14229: custom AuthorizeTemplate under theme not used

OPENAM-14215: Automatic login fails after Self Registration with Authentication Trees

OPENAM-14207: NullPointerException AM Console if IDPSSODescriptor is missing attribute 'WantAuthnRequestsSigned'

OPENAM-14146: administrative authentication is not triggered for XUI-based console

OPENAM-13940: Session quota limits not applied when using trees

OPENAM-13905: XUI Authentication - Switching realms is not possible

OPENAM-13904: Authentication via REST API - Switching realms is not possible

OPENAM-13899: XUI - USS - Forgotten Password flow without KBA ends up in a loop

OPENAM-13892: Erroneous "Response’s InResponseTo attribute is not valid error SAML2 failover is enabled" when is is not

OPENAM-13856: Activity audit events are logged for authentication sessions

OPENAM-13740: File descriptor / Connection leak when LDAP connection handshake fails/times out

OPENAM-13046: Applying and then removing RealmAdmin privileges for 'All Authenticated Users' changes user IDs to lowercase

OPENAM-12508: import-entity for SAML remote SP does not work anymore

OPENAM-10377: Agent creates unexpired tokens which are not deleted from CTS

OPENAM-9777: Json Web Key URI in OAuth2 OpenID connect client config pre-populated incorrectly

OPENAM-15809: Update CORS service for IE11 compatibility

OPENAM-15744: com.sun.identity.enableUniqueSSOTokenCookie=true results in infinite redirects

OPENAM-15670: DeviceIdSave auth module initialization fails if username is null

OPENAM-15667: AM debug log does not tell which auth-module was handled - needed for troubleshooting

OPENAM-15425: OIDC endsession - encrypted id_tokens are not supported

OPENAM-15275: user with the name "amadmin" can be created via legacy UI

OPENAM-15145: OpenAM Scope Validator calls getUserInfo twice when creating IdToken

OPENAM-15129: registering client with token_endpoint_auth_method=none returns secret

OPENAM-15117: KeyVault KeyStoreType not supported

OPENAM-15036: Cannot view/manage SAML IdP entity in console, imported from schema compliant meta data file

OPENAM-14995: IdP Initiated single logout only performs local logout if IdP session cannot be found in cache

OPENAM-14938: ID repo setAttributes service call returns the wrong error message with multiple datastores

OPENAM-14919: Unncessary 'Unable to parse packet received from RADIUS client' log entries in log file

OPENAM-14865: No error message is provided when login page is supplied with incorrect session cookie domain

OPENAM-14848: Insufficient debug logging in OpenID Connect authentication module

OPENAM-14545: Debug log showing NullPointerException in com.sun.identity.federation.common.FSUtils#getRemoteServiceURLs

OPENAM-14534: The request parameter should accept any signing algorithms supported by the OP

OPENAM-14503: SAML2 - Key Transport Algorithm - RSA OAEP must be supported

OPENAM-14231: Passing in a JWT (with jku in the header) to the authorize endpoint fails

OPENAM-14167: HTML tags are shown part of the messages in Change Password section of AD Authentication module.

OPENAM-14112: Using client-based sessions when acting as SP can lead to an out-of-date client-based session cookie

OPENAM-14018: Radius Authentication Module Primary and Secondary Radius Server help button shows server:port when it should be server

OPENAM-13892: Erroneous "Response’s InResponseTo attribute is not valid error "SAML2 failover is enabled" when it is not

OPENAM-13831: RP-Initiated Logout does not handle state parameter

OPENAM-13732: Session Remaining Time is displayed with more precision and not rounded up

OPENAM-13481: Stateless OAuth2 Client_credential grant/implicit type has long CTS token timeout

OPENAM-13436: userinfo_signing_alg_values_supported not populated in the well-known

OPENAM-13435: token_endpoint_auth_signing_alg_values_supported not populated in the well-known

OPENAM-13434: grant_types_supported is not returned in the well-know and this is not optional

OPENAM-13291: Create Identities Page appears broken after upgrade from 5.5 (to 6.0 or 6.5)

OPENAM-12996: Config upgraded from AM 5.5.1 containing trees fails to be imported

OPENAM-12985: debug log files are swamped with message 'LDAPUtils.isDN: Invalid DN' in 'error' level

OPENAM-12955: Resource Owner Password Credentials Grant does not work with trees

OPENAM-12946: CTSBlacklist performs initial (and most expensive) search twice

OPENAM-12847: Public API broken - SSOTokenManager.getValidSessions(SSOToken requester, String server)

OPENAM-12801: OAuth2 token signing forces PKCS#11 keys to have specific attributes

OPENAM-12759: max_age should a number, not a string

OPENAM-12729: Prometheus and CREST monitoring endpoint config upgrade step required

OPENAM-12713: Subrealm creation fails if an Inner Tree is present

OPENAM-12690: XUI Theme Configuration Realm Mapping is Case Sensitive

OPENAM-12666: Agent OAuth 2 provider does not support custom login URLs

OPENAM-12625: JWT OIDC Token can’t be valid for over 86400 seconds

OPENAM-12506: Upgrade could fail with RemoveReferralsStep having too broad base DN

OPENAM-12495: When delete an identity it is not being removed from the groups

OPENAM-12436: The ../sessions?_action=validate endpoint always resets the session’s idle time

OPENAM-12357: ssoadmin tools distro include release canditate libraries

OPENAM-12251: API Descriptor using String instead of "Number" type for some settings

OPENAM-12249: Unable to create sub-realms if the parent contains an Inner Tree