Limitations
The following limitations are inherent to the design, not bugs to be fixed.
Evaluation installations
In some cases, installing AM for evaluation purposes will fail with a message similar to the following if the JDK’s default truststore’s permissions are 444:
$JAVA_HOME/lib/security/cacerts (Permission denied), refer to install.log under /path/to/install.log for more information.
To work around this issue, locate the truststore that your container is using and change its permissions to 644 before installing AM:
$ sudo chmod 644 $JAVA_HOME/lib/security/cacerts
You can change the permissions to their original settings after you have installed AM.
Identity and data store scaling
The connection strings to the data or identity stores are static and not hot-swappable. This means that, if you expand or contract your DS affinity deployment, AM will not detect the change. To work around this, either:
- Manually add or remove the instances from the connection string and restart AM or the container where it runs.
- Configure a DS proxy in front of the DS instances to distribute data across multiple DS shards, and configure the proxy’s URL in the connection string.
SAML v2.0 in the AM admin UI
The AM admin UI supports SAML v2.0 IDP and SP entities only. After upgrade, entities that do not have IDP or SP roles will be listed, but cannot be inspected or edited in the UI. An error is displayed when you try to access these entities.
Entities that contain roles other than IDP or SP will only display the IDP or SP roles.
Web Authentication (WebAuthn)
AM does not support the following functionality, as described in the Web Authentication specification:
- Registration
  - Token Binding is not supported.
  - Web Authentication extensions are not supported.
  - Credential ID values are not verified against the credential IDs registered with all existing users.
  - The ECDAA signature of the Packed attestation format is not supported.
- Authentication
  - Token Binding is not supported.
  - Web Authentication extensions are not supported.
  - Signature counters are not supported.
Refer to MFA: Web Authentication (WebAuthn) for more information.
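Two of the relying-party checks listed above (cross-user credential ID uniqueness at registration, and the signature counter at authentication) are steps the Web Authentication specification describes and AM skips. As an added example, not code from AM or its documentation, the following Python shows what a relying party that does implement them does: it parses the fixed 37-byte prefix of authenticatorData to obtain the signature counter, refuses a counter that fails to advance, and refuses a credential ID already registered to any user. The user registry, rpId and counter values are constructed for the example.

```python
import hashlib
import struct

# Constructed sample registry (not from the AM documentation):
# user -> {credential ID -> last signature counter seen for that credential}.
REGISTERED = {
    "alice": {"cred-A1": 5},
    "bob": {"cred-B1": 0},
}


def credential_id_is_unique(cred_id: str, registry=REGISTERED) -> bool:
    """Registration check: the spec asks the relying party to refuse a credential ID
    that is already registered to ANY user, not only the user currently enrolling."""
    return all(cred_id not in creds for creds in registry.values())


def parse_auth_data(auth_data: bytes):
    """Split the fixed prefix of authenticatorData: rpIdHash (32 bytes), flags (1 byte),
    signCount (4-byte big-endian unsigned integer). Attested credential data and
    extensions, when present, follow these 37 bytes and are not needed here."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte fixed prefix")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return rp_id_hash, flags, sign_count


def check_signature_counter(user: str, cred_id: str, auth_data: bytes, registry=REGISTERED):
    """Authentication check: when either the stored or the presented counter is non-zero,
    the presented counter must be strictly greater than the stored one. A counter that
    does not advance is the spec's signal that the credential's private key may have
    been cloned. Returns (accepted, reason) and stores the new counter on success."""
    _, _, presented = parse_auth_data(auth_data)
    stored = registry[user][cred_id]
    if presented == 0 and stored == 0:
        # The authenticator does not implement a counter; there is nothing to compare.
        return True, "authenticator reports no counter"
    if presented > stored:
        registry[user][cred_id] = presented
        return True, f"counter advanced {stored} -> {presented}"
    return False, f"counter did not advance ({stored} -> {presented}); possible cloned authenticator"


def make_auth_data(sign_count: int, flags: int = 0x05, rp_id: bytes = b"example.com") -> bytes:
    """Constructed authenticatorData: rpIdHash + flags (UP|UV = 0x05) + signCount."""
    return hashlib.sha256(rp_id).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    print(credential_id_is_unique("cred-B1"))                              # False: bob already has it
    print(check_signature_counter("alice", "cred-A1", make_auth_data(6)))  # accepted, counter 5 -> 6
    print(check_signature_counter("alice", "cred-A1", make_auth_data(6)))  # rejected, counter replayed
```

Because AM does not perform the counter check, a cloned authenticator (one whose key was extracted and reused) is not detected by AM on that basis alone; monitoring of authentication patterns has to cover that case separately.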
RADIUS service only supports commons audit logging
The RADIUS service only supports Commons Audit Logging and cannot use the older Logging Service, available in releases prior to OpenAM 13.0.0.
AM admin UI access requires the Realm Admin privilege
In this version of AM, administrators can use the AM admin UI as follows:
- Delegated administrators with the Realm Admin privilege can access full AM admin UI functionality within the realms they administer. In addition, delegated administrators in the Top Level Realm who have this privilege can access AM’s global configuration.
- Administrators with fewer privileges, such as the Policy Admin privilege, cannot access the AM admin UI.
- The top-level administrator, such as amAdmin, has access to full AM admin UI functionality in all realms and can access AM’s global configuration.
Specifying keys in JWT headers
AM ignores keys specified in JWT headers, such as jku and jwe. Configure the public keys or certificates in AM instead, as explained in the relevant sections of the documentation.
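Ignoring key-location header fields is the safe behaviour: if a verifier fetched keys from wherever the token's jku (or jwk, x5u) pointed, whoever minted the token would also choose the key it is checked against. As an added example, not AM code, the following Python verifies a compact JWS using only keys configured on the server side, selected by kid, and never consults jku. HS256 shared secrets are used only to keep the example dependency-free; the keyset, key IDs and the jku URL are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed keyset standing in for the keys configured in the server: kid -> key material.
# The principle is the same for RSA or EC public keys: the server's configuration decides
# which keys are trusted, the token does not.
CONFIGURED_KEYS = {
    "issuer-key-1": b"constructed-shared-secret-for-the-example-only",
}

# Header fields that point at key material of the sender's choosing; never used for key selection.
KEY_LOCATION_FIELDS = ("jku", "jwk", "x5u", "x5c")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Produce a compact JWS; used here only to build test tokens."""
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_hs256(token: str, configured_keys=CONFIGURED_KEYS) -> dict:
    """Verify a compact JWS against server-configured keys only and return its claims.
    Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    # Any jku/jwk/x5u/x5c present is deliberately not read for key selection.
    ignored = [k for k in KEY_LOCATION_FIELDS if k in header]
    key = configured_keys.get(header.get("kid"))
    if key is None:
        raise ValueError(f"kid {header.get('kid')!r} is not a configured key (ignored fields: {ignored})")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("signature does not verify under the configured key")
    return json.loads(_b64url_decode(parts[1]))


def is_accepted(token: str, configured_keys=CONFIGURED_KEYS) -> bool:
    """Boolean wrapper around verify_hs256 for callers that only need accept/reject."""
    try:
        verify_hs256(token, configured_keys)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    header = {"alg": "HS256", "kid": "issuer-key-1", "jku": "https://keys.example.test/jwks.json"}
    token = sign_hs256(header, {"sub": "demo"}, CONFIGURED_KEYS["issuer-key-1"])
    print(verify_hs256(token))   # {'sub': 'demo'}: jku was present but played no part
    header["kid"] = "not-configured"
    print(is_accepted(sign_hs256(header, {"sub": "demo"}, b"some-other-secret")))  # False
```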
Different AM versions within a site
Different AM versions within a site are not supported. Do not run different versions of AM together in the same AM site.
Special characters in policy, application, or referral names
Do not use special characters in policy, application or referral names (for example, "my+referral"). AM returns a 400 Bad Request error. The special characters are:
- double quotes (")
- plus sign (+)
- comma (,)
- less than (<)
- equals (=)
- greater than (>)
- backslash (\)
- null (\u0000)
XACML policy import and export from different vendors
AM can only import XACML 3.0 files that were created by an AM instance, or that have had minor manual modifications, due to the reuse of some XACML 3.0 parameters for non-standard information.
Full stack sample (AM 6.0.x and 5.5.x only)
When you configure IDM to delegate authentication to AM using the Full Stack sample, you must set up a cross-origin resource sharing (CORS) filter. However, if you use a CORS filter based on the org.forgerock.openam.cors.CORSFilter filter class, you will see errors such as Unexpected End of JSON Input.
To work around this problem, configure AM’s web.xml file as described in Enabling CORS Support in the Installation Guide. Instead of using a filter based on the org.forgerock.openam.cors.CORSFilter filter class, use a CORS filter specific to the AM web container you are using. For example, for Apache Tomcat, use a filter based on the org.apache.catalina.filters.CorsFilter filter class.
Example CORS filter for Apache Tomcat
Add a filter clause similar to the following to your web.xml file. Specify the correct URLs for your deployment in the cors.allowed.origins parameter.
<filter>
<filter-name>CORSFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param>
<param-name>cors.allowed.headers</param-name>
<param-value>Content-Type,X-OpenIDM-OAuth-Login,X-OpenIDM-DataStoreToken,X-Requested-With,Cache-Control,Accept-Language,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,X-OpenAM-Username,X-OpenAM-Password,iPlanetDirectoryPro</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.methods</param-name>
<param-value>GET,POST,HEAD,OPTIONS,PUT,DELETE</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value>https://openam.example.com:8443,https://openidm.example.com:8443</param-value>
</init-param>
<init-param>
<param-name>cors.exposed.headers</param-name>
<param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials,Set-Cookie</param-value>
</init-param>
<init-param>
<param-name>cors.preflight.maxage</param-name>
<param-value>10</param-value>
</init-param>
<init-param>
<param-name>cors.support.credentials</param-name>
<param-value>true</param-value>
</init-param>
</filter>
Add the following filter-mapping clause to your web.xml file:
<filter-mapping>
<filter-name>CORSFilter</filter-name>
<url-pattern>/json/*</url-pattern>
</filter-mapping>
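As an added example, not from the documentation or the AM project, the following Python lints a web.xml for the CORS settings this section describes: it reports a filter still based on the org.forgerock.openam.cors.CORSFilter class, checks that cors.allowed.origins lists explicit https origins rather than a wildcard (which, combined with cors.support.credentials=true, would let any site make credentialed calls to the /json endpoints), and checks that the filter actually has a filter-mapping. The two embedded web.xml strings are constructed: the first reproduces the snippets above wrapped in a web-app root, the second is a deliberately weak variant for contrast.

```python
import xml.etree.ElementTree as ET

TOMCAT_CORS_CLASS = "org.apache.catalina.filters.CorsFilter"
AM_CORS_CLASS = "org.forgerock.openam.cors.CORSFilter"

# Constructed sample: the filter and filter-mapping from the section above, wrapped in a
# <web-app> root so the check runs offline. Pass the deployed web.xml in practice.
SAMPLE_WEB_XML = """<web-app>
<filter>
<filter-name>CORSFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param>
<param-name>cors.allowed.headers</param-name>
<param-value>Content-Type,X-OpenIDM-OAuth-Login,X-OpenIDM-DataStoreToken,X-Requested-With,Cache-Control,Accept-Language,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,X-OpenAM-Username,X-OpenAM-Password,iPlanetDirectoryPro</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.methods</param-name>
<param-value>GET,POST,HEAD,OPTIONS,PUT,DELETE</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value>https://openam.example.com:8443,https://openidm.example.com:8443</param-value>
</init-param>
<init-param>
<param-name>cors.exposed.headers</param-name>
<param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials,Set-Cookie</param-value>
</init-param>
<init-param>
<param-name>cors.preflight.maxage</param-name>
<param-value>10</param-value>
</init-param>
<init-param>
<param-name>cors.support.credentials</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CORSFilter</filter-name>
<url-pattern>/json/*</url-pattern>
</filter-mapping>
</web-app>"""

# Constructed weak variant: wildcard origin with credentials enabled, and no filter-mapping.
# Carries the Java EE namespace a real web.xml declares, to exercise namespace handling.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
<filter>
<filter-name>CORSFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param><param-name>cors.allowed.origins</param-name><param-value>*</param-value></init-param>
<init-param><param-name>cors.support.credentials</param-name><param-value>true</param-value></init-param>
</filter>
</web-app>"""


def _strip_namespaces(root):
    """Drop XML namespaces from element tags so lookups like findtext("filter-name") work."""
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def lint_web_xml(web_xml: str) -> list:
    """Return a list of findings about the CORS filter configuration; empty means none."""
    root = _strip_namespaces(ET.fromstring(web_xml))
    findings = []
    mapped_names = {fm.findtext("filter-name") for fm in root.iter("filter-mapping")}
    cors_filters = [f for f in root.iter("filter")
                    if f.findtext("filter-class") in (TOMCAT_CORS_CLASS, AM_CORS_CLASS)]
    if not cors_filters:
        return ["no CORS filter defined"]
    for flt in cors_filters:
        name = flt.findtext("filter-name")
        if flt.findtext("filter-class") == AM_CORS_CLASS:
            findings.append(f"{name}: based on {AM_CORS_CLASS}; the Full Stack sample needs a container-specific filter")
            continue
        params = {p.findtext("param-name"): (p.findtext("param-value") or "").strip()
                  for p in flt.findall("init-param")}
        origins = [o.strip() for o in params.get("cors.allowed.origins", "").split(",") if o.strip()]
        credentials = params.get("cors.support.credentials", "false").lower() == "true"
        if not origins:
            findings.append(f"{name}: cors.allowed.origins not set; list the deployment's URLs explicitly")
        if "*" in origins:
            findings.append(f"{name}: wildcard origin '*' lets any site call the API"
                            + (" with credentials" if credentials else ""))
        for origin in origins:
            if origin != "*" and not origin.startswith("https://"):
                findings.append(f"{name}: origin {origin} is not https")
        if name not in mapped_names:
            findings.append(f"{name}: no filter-mapping, so the filter is never applied")
    return findings


if __name__ == "__main__":
    print(lint_web_xml(SAMPLE_WEB_XML))  # [] : the documented configuration passes
    print(lint_web_xml(WEAK_WEB_XML))    # wildcard-with-credentials and missing-mapping findings
```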