Notes covering Identity Connect prerequisites, fixes, and known issues.

Chapter 1. What's New

Identity Connect 3 is a completely revised release, based on the latest ForgeRock Identity Management release. Identity Connect 3 has functional parity with previous Identity Connect releases but provides a more streamlined User Interface and resolves a number of issues.

Major functional differences between this release and the previous Identity Connect release include the following:

Support for a PostgreSQL repository

Identity Connect 3.0.1.2 runs with an embedded PostgreSQL repository by default. This replaces the OrientDB repository provided in previous releases.

You can also set up Identity Connect to use an external PostgreSQL repository, as described in "Configuring Identity Connect With an External PostgreSQL Repository" in the Implementation Guide. Running Identity Connect with a MySQL repository is no longer supported.

1.1. Patches

Patches are issued periodically and contain mainly security fixes. The following patches are available:

1.2. Maintenance Releases

Maintenance releases contain a collection of fixes and minor RFEs. The following maintenance releases are available:

Chapter 2. Before You Install

This chapter covers software and hardware prerequisites for installing and running Identity Connect software.

Identity Connect software supports the following Java environments:

Supported Java Versions

Vendor | Versions
OpenJDK, including OpenJDK-based distributions (AdoptOpenJDK/Eclipse Adoptium, Amazon Corretto, Azul Zulu, Red Hat OpenJDK). ForgeRock tests most extensively with AdoptOpenJDK/Eclipse Adoptium. | 11
Oracle Java | 11

To check the Java version on UNIX or Windows systems, type java -version in a terminal or PowerShell console. For example:

java -version
openjdk version "11.0.4" 2019-07-16
OpenJDK Runtime Environment AdoptOpenJDK (build 11.0.4+11)
OpenJDK 64-Bit Server VM AdoptOpenJDK (build 11.0.4+11, mixed mode)
  

If you are running Identity Connect on a Windows system, you must also set the JAVA_HOME environment variable to point to the root of a valid Java installation. See the Windows documentation that corresponds to your server version for instructions on setting environment variables.

Increasing the heap size available to the JVM can improve Identity Connect performance. By default, Identity Connect runs with an initial heap and a maximum heap of 2 Gbytes. You can increase both the initial and maximum heap sizes available to the JVM by setting the OPENIDM_OPTS environment variable before you start the server.

The following command changes the initial and maximum heap to 3 Gbytes. Adjust the command according to your shell. To set the environment variable on Windows systems, see the Microsoft TechNet article at http://technet.microsoft.com/en-us/library/cc772047.aspx.

export OPENIDM_OPTS="-Xmx3g -Xms3g"

Identity Connect 3.0.1.2 is supported on the following operating systems:

  • Red Hat Enterprise Linux (and CentOS Linux) 6.6, 6.7, 7.0, and 8.0

  • Ubuntu Linux 16.04 and 18.04

  • Windows Server 2012 R2, 2016, and 2019

By default, Identity Connect stores user, audit, and configuration data in an embedded PostgreSQL repository. The embedded repository is supported in production, but for larger deployments and for availability you might want to set up an external PostgreSQL database.

Only PostgreSQL version 10 is supported.

The Identity Connect UI has been tested with the following browsers:

Browser | Version
Google Chrome | Most recent stable version
Mozilla Firefox | Most recent stable version
Microsoft Internet Explorer | Version 11 and Edge
Safari | Version 5 and later

For information about the browsers that are supported for the Salesforce UI, see the Salesforce documentation.

You need at least 200 MB disk space and 2 GB memory for a minimal evaluation installation. For a production installation, disk space and memory requirements will depend on the number of Active Directory users, and on the size of the log files that Identity Connect writes.

Caution

Identity Connect uses BouncyCastle 1.67 for signing JWTs. The BouncyCastle .JAR file that is bundled with Identity Connect includes the org.bouncycastle.asn1.util.Dump command-line utility. Although this utility is not used directly by IDM, it is possible to reference the utility in your scripts. Due to a security vulnerability in this utility, you should not reference it in your scripts. For more information, see the corresponding BouncyCastle issue.
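
One way to check a scripts directory for references to the utility, as an added example that is not part of the Identity Connect documentation or product. It assumes scripts are .js or .groovy files or inline strings in .json configuration, and it also flags package-level imports that would expose the bare class name; scan_text, scan_tree and the sample script are illustrative names and data.

```python
import re
import sys
from pathlib import Path

# The class name comes from the caution above; the rest is illustrative.
DIRECT = re.compile(r"\borg\.bouncycastle\.asn1\.util\.Dump\b")
# Package-level import (Groovy "import x.*", Rhino importPackage) exposing bare "Dump".
PACKAGE = re.compile(r"\borg\.bouncycastle\.asn1\.util\b(?!\.\w)")
BARE = re.compile(r"(?<![\w.])Dump\b")
# Assumption: scripts are .js/.groovy files or inline strings in .json config.
SUFFIXES = {".js", ".groovy", ".json"}


def scan_text(text):
    """Return (line_number, reason) for each reference to the Dump utility."""
    lines = text.splitlines()
    package_imported = any(PACKAGE.search(line) for line in lines)
    findings = []
    for number, line in enumerate(lines, 1):
        if DIRECT.search(line):
            findings.append((number, "fully qualified reference"))
        elif PACKAGE.search(line):
            findings.append((number, "package import exposes Dump"))
        elif package_imported and BARE.search(line):
            findings.append((number, "bare Dump via package import"))
    return findings


def scan_tree(root):
    """Scan script and config files under root; return {path: findings}."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SUFFIXES:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample script, not taken from a real deployment.
SAMPLE = """import org.bouncycastle.asn1.util.*
def s = org.bouncycastle.asn1.util.ASN1Dump.dumpAsString(obj)
Dump.main(args)
var d = Packages.org.bouncycastle.asn1.util.Dump;
"""

if __name__ == "__main__":
    result = scan_tree(sys.argv[1]) if sys.argv[1:] else {"<sample>": scan_text(SAMPLE)}
    for name, hits in result.items():
        print(name, hits)
```

Run it with the directory that holds your scripts and configuration as the only argument; without an argument it scans the constructed sample.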

Chapter 3. Limitations, and Known Issues

This chapter lists the main issues and limitations that are known to exist in this Identity Connect release, as well as major issues that have been fixed since the previous release.

3.1. Key Fixes in Identity Connect 3.0.1.2-patch

Security issues were fixed in this patch.

3.2. Key Fixes in Identity Connect 3.0.1.2

Security issues were fixed in this release.

3.3. Key Fixes in Identity Connect 3.0.1.1

The following important issues were fixed in this release:

  • OPENIDM-14996: Update the Salesforce managed package installed on a Salesforce org to latest

  • OPENIDM-14419: IC Setup Wizard gets Error: Failed to update samlssoconfig

  • OPENIDM-14245: Required fields are missing: [ProfileId] when AD Account is removed from Group mapped to SF Profile

3.4. Key Fixes in Identity Connect 3.0.1

The following important issues were fixed in this release:

  • OPENIDM-14251: IC Migration does not set the home attribute within the saml.json config

  • OPENIDM-14250: SSO Page stuck loading (spinning) forever if the SF SSO Config is deleted

  • OPENIDM-14182: Page and sort results in the 'Change User Association' modal window in IC

  • OPENIDM-14178: When only one role is assigned to an assignment the UI appears to not save the change in Identity Connect

  • OPENIDM-14175: Not all groups show up in vue multiselect used in Identity Connect UI

  • OPENIDM-14165: Debounce search queries and cancel previous search queries for search-as-you-type feature

  • OPENIDM-14164: Highlighting difference in individual sync does not work in IC UI

  • OPENIDM-14156: When cancelling a recon we need to display that as part of the spinner data

  • OPENIDM-14155: Change default log level for the schedules in IdentityConnect by default to debug

  • OPENIDM-14154: Supply the default 636 port when toggling SSL for the AD connection in Identity Connect

  • OPENIDM-14153: Add loading spinner to `attributes` and `sso` views in Identity Connect

  • OPENIDM-14146: Change user association in Identity Connect UI does not display the error message

  • OPENIDM-14139: Members are only added managed roles during liveSync of user account changes

  • OPENIDM-14137: Problem retrieving Salesforce SAML when configured on port 443

  • OPENIDM-14077: Enable the schedule-livesyncADGroups after the wizard recons in the initial AD groups

  • OPENIDM-14071: Recon association entry api doesn't filter correctly if there are null source or target object ids

  • OPENIDM-14062: Password Reset for Identity Connect not displaying in the UI for end users

  • OPENIDM-14042: Change the default.html and 404.html for Identity Connect to use Salesforce 404 page

  • OPENIDM-14041: Modify create-openidm-rc.sh for Identity Connect to include Salesforce as description

  • OPENIDM-14040: Allow the Identity Connect Sync grid display to have configurable attributes displayed

  • OPENIDM-14016: IC - Inoperable & missing Close buttons on "Manage Salesforce Organizations" dialogs

  • OPENIDM-13917: Add Attribute dialog allows adding a null attribute

  • OPENIDM-13516: SSO config is created but not shown in UI until refresh

  • OPENIDM-13513: IC UI bugs while creating New Organization

  • OPENIDM-13503: Invalid Date range in reports>User Activity on Firefox browser

3.5. Limitations

  • Identity Connect does not support mapping and synchronization of Salesforce Permission Set License Assignments.

    Identity Connect supports mapping between an Active Directory group and a Salesforce Permission Set but not if that Permission Set is available as the result of a Permission Set License Assignment being granted to the user.

    For more information about Permission Set License Assignments, see PermissionSetLicense and PermissionSetLicenseAssign in the Salesforce Developer Documentation.

3.6. Known Issues in This Release

This section lists the known issues with Identity Connect 3.0.1.2.

  • OPENIDM-15364: Scheduled "Live Updates" job execution causes "Resource path '/recon/assoc//entry' contains empty path elements"

  • OPENIDM-15363: Intermittent 'Direct access to this service is forbidden' alert notification

  • OPENIDM-15318: A user removed from AD Groups mapped to Salesforce User Roles doesn't get reassigned to the default User Role

  • OPENIDM-15300: Order weight of Salesforce User Roles not updated

  • OPENIDM-15257: User added to an AD profile group does not get reassigned from default profile

  • OPENIDM-15255: A user removed from AD groups doesn't get reassigned to default Salesforce profile

  • OPENIDM-15114: A deleted AD group is still seen when clicking 'Add AD group' on 'AD Group to Profile' tab

  • OPENIDM-15003: In mapping preview, after a change to the mapping, isActive is not changed to 'true (default)'

  • OPENIDM-14980: "Resource path '/recon/assoc//entry' contains empty path elements" notification is shown after click on the Sync Report download button

  • OPENIDM-14668: When adding PermissionSets or Groups, hitting cancel will not allow any new object selects

  • OPENIDM-14667: Identity Connect UI - Loading wheel is missing when adding multiple relationships between AD groups and Salesforce objects

  • OPENIDM-14381: Cannot add attribute in mapping page attributes tab on Windows

  • OPENIDM-14355: Delete SF Org dialog is shown at second click

  • OPENIDM-14320: Identity Connect - Mapping Attributes tab Save button is active before any changes

  • OPENIDM-14318: User can add attribute multiple times on mapping attributes tab

  • OPENIDM-14309: Association Rules setting disappears even after cancel to save changes

  • OPENIDM-14308: Change User Association - attribute list is hidden

  • OPENIDM-14247: Identity Connect - Configuring IC login with an attribute other than sAMAccountName fails

  • OPENIDM-14246: Typo in Manage Admin Groups help text

  • OPENIDM-14243: IC sync result drop-down menu contains typo

Chapter 4. Documentation Updates

"Documentation Change Log" tracks important changes to the documentation:

Documentation Change Log

Date | Description
2021-09-20 |
2021-03-23 | Fixed an error in the upgrade process in the Implementation Guide for upgrades from version 3.0.1.0 to 3.0.1.2.
2021-02-11 | Fixed an error in the documentation on cluster configuration in the Implementation Guide.
2020-09-30 | Release of Identity Connect 3.0.1.2. Updated the migration procedure in the Implementation Guide and added a procedure for upgrading from minor release.
2020-09-21 |
2019-12-30 | Release of Identity Connect 3.0.1.
2019-11-18 | An error in the example Service Principal Name (SPN) has been corrected in the IWA documentation. See "Creating the Keytab File" in the Implementation Guide.

