Notes covering Identity Connect prerequisites, fixes, and known issues.

Chapter 1. What's New

1.1. Maintenance Releases

Maintenance releases contain a collection of fixes and minor RFEs. Identity Connect 7.1.6 is the latest release, targeted for Identity Connect 7.1 deployments. It is recommended that you upgrade to this release to take advantage of security fixes.

The release can be deployed as an initial deployment or updated from an existing 7.1 deployment. For information on updating from 7.1, see "Upgrade From Identity Connect 7.1 to Identity Connect 7.1.6" in the Implementation Guide.

1.2. Identity Connect 7.1

Identity Connect 7.1 is a revised release, based on the latest ForgeRock Identity Management release. Identity Connect 7.1 has functional parity with Identity Connect 3, but fixes a number of UI and backend issues.

Note that the following behavior has changed in this release:

  • Previously, when you configured the connection to Active Directory, the password entered here would be read from the configuration the next time that page was loaded. This password is no longer read from the configuration. You must enter your credentials every time you update the page.

Chapter 2. Before You Install

This chapter covers software and hardware prerequisites for installing and running Identity Connect software.

Identity Connect software supports the following Java environments:

Supported Java Versions

Vendor: OpenJDK, including OpenJDK-based distributions:

  • AdoptOpenJDK/Eclipse Adoptium

  • Amazon Corretto

  • Azul Zulu

  • Red Hat OpenJDK

ForgeRock tests most extensively with AdoptOpenJDK/Eclipse Adoptium.

ForgeRock recommends using the HotSpot JVM.

Versions: 11

Vendor: Oracle Java

Versions: 11

To check the Java version on UNIX or Windows systems, type java -version in a terminal or PowerShell console. For example:

java -version
openjdk version "11.0.4" 2019-07-16
OpenJDK Runtime Environment AdoptOpenJDK (build 11.0.4+11)
OpenJDK 64-Bit Server VM AdoptOpenJDK (build 11.0.4+11, mixed mode)

If you are running Identity Connect on a Windows system, you must also set the JAVA_HOME environment variable to point to the root of a valid Java installation. See the Windows documentation that corresponds to your server version for instructions on setting environment variables.

Increasing the heap size available to the JVM can improve Identity Connect performance. By default, Identity Connect runs with an initial heap and a maximum heap of 2 Gbytes. You can increase both the initial and maximum heap sizes available to the JVM by setting the OPENIDM_OPTS environment variable before you start the server.

The following command changes the initial and maximum heap to 3 Gbytes. Adjust the command according to your shell. To set the environment variable on Windows systems, see the Microsoft TechNet article at http://technet.microsoft.com/en-us/library/cc772047.aspx.

export OPENIDM_OPTS="-Xmx3g -Xms3g"

Identity Connect 7.1.6 is supported on the following operating systems:

  • Red Hat Enterprise Linux (and CentOS Linux) 6.6, 6.7, 7.0, and 8.0

  • Ubuntu Linux 16.04 and later

  • Windows Server 2012 R2, 2016, and 2019

By default, Identity Connect stores user, audit, and configuration data in an embedded PostgreSQL repository. The embedded repository is supported in production, but for larger deployments and for availability you might want to set up an external PostgreSQL database.

Only PostgreSQL version 10 is supported.

The Identity Connect UI has been tested with the following browsers:

Browser | Version
Google Chrome | Most recent stable version
Mozilla Firefox | Most recent stable version
Microsoft Internet Explorer | Version 11 and Edge
Safari | Version 5 and later

For information about the browsers that are supported for the Salesforce UI, see the Salesforce documentation.

You need at least 200 MB disk space and 2 GB memory for a minimal evaluation installation. For a production installation, disk space and memory requirements will depend on the number of Active Directory users, and on the size of the log files that Identity Connect writes.

Caution

Identity Connect uses BouncyCastle 1.67 for signing JWTs. The BouncyCastle .JAR file that is bundled with Identity Connect includes the org.bouncycastle.asn1.util.Dump command-line utility. Although this utility is not used directly by IDM, it is possible to reference the utility in your scripts. Due to a security vulnerability in this utility, you should not reference it in your scripts. For more information, see the corresponding BouncyCastle issue.
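One way to verify the caution above before deploying custom scripts, as an added example that is not ForgeRock or Salesforce code: the functions below report any file that references the Dump utility by its fully qualified name or pulls in its whole package. The directories to scan are passed as arguments (an assumption, since these notes do not name script locations), and the sample file names are constructed.

```shell
#!/bin/sh
# Added example: flag script and configuration files that reference the
# BouncyCastle ASN.1 Dump utility named in the caution above.

# Matches the fully qualified class, a wildcard import of its package
# (Groovy/Java style), or the bare package passed to a call such as
# importPackage(...) (Rhino JavaScript style).
BC_DUMP_RE='org\.bouncycastle\.asn1\.util(\.Dump([^A-Za-z0-9_]|$)|\.\*|[[:space:]]*\))'

# Print "file:line:text" for every reference under the given paths.
find_bc_dump_refs() {
    for path in "$@"; do
        [ -e "$path" ] || { echo "skip: $path not found" >&2; continue; }
        # -I skips binary files such as the bundled .jar itself.
        grep -rnHIE -e "$BC_DUMP_RE" "$path" || true
    done
}

# Exit status 0 when nothing references the utility, 1 otherwise,
# so the function can gate a deployment step.
check_no_bc_dump() {
    hits=$(find_bc_dump_refs "$@")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed sample tree (hypothetical file names) for an offline run.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/script" "$dir/conf"
    printf 'var d = Packages.org.bouncycastle.asn1.util.Dump;\n' > "$dir/script/inspect.js"
    printf 'import org.bouncycastle.asn1.util.*\n' > "$dir/script/helper.groovy"
    printf 'import org.bouncycastle.asn1.ASN1InputStream\n' > "$dir/script/parse.groovy"
    printf '{"type":"text/javascript","source":"logger.info(1)"}\n' > "$dir/conf/sample.json"
    echo "$dir"
}

# Scan the paths given on the command line, if any.
if [ "$#" -gt 0 ]; then
    check_no_bc_dump "$@" || exit 1
fi
```

Other BouncyCastle ASN.1 classes, such as the ASN1InputStream import in the sample tree, are not flagged; only the Dump class and package-wide imports that expose it are.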

Chapter 3. Limitations, and Known Issues

This chapter lists the main issues and limitations in this Identity Connect release, as well as major issues that have been fixed since the previous release.

3.1. Limitations

  • Identity Connect does not support mapping and synchronization of Salesforce Permission Set License Assignments.

    Identity Connect supports mapping between an Active Directory group and a Salesforce Permission Set but not if that Permission Set is available as the result of a Permission Set License Assignment being granted to the user.

    For more information about Permission Set License Assignments, see PermissionSetLicense and PermissionSetLicenseAssign in the Salesforce Developer Documentation.

3.2. Fixes

7.1.6
  • Miscellaneous security fixes.

7.1.5
  • Miscellaneous security fixes.

7.1.3
  • Miscellaneous security fixes.

7.1.1
  • OPENIDM-16379: Removing values from a multi-valued managed/user property fails with policy validation error if the property is set to Required

  • OPENIDM-16479: Privileges not displayed when user authenticates with certificate

7.1.0
  • OPENIDM-16203: Identity Connect Permission Set needs to be assigned after license assigned

  • OPENIDM-15721: Functionality to disable ADGroup to UserRole does not contain a checkbox to disable UserRoleId updates

  • OPENIDM-14668: When adding PermissionSets or Groups, hitting cancel will not allow any new object selects

  • OPENIDM-14667: Identity Connect UI - Loading wheel is missing when adding multiple relationships between AD groups and Salesforce objects

  • OPENIDM-14419: IC Setup Wizard gets Error: Failed to update samlssoconfig

  • OPENIDM-14320: Identity Connect - Mapping Attributes tab Save button is active before any changes

  • OPENIDM-14318: User can add attribute multiple times on mapping attributes tab

  • OPENIDM-14309: Association Rules setting disappears after cancel/close prior to save changes

  • OPENIDM-14308: Change User Association - attribute list is hidden

  • OPENIDM-14251: IC Migration does not set the home attribute within the saml.json config

  • OPENIDM-14250: SSO Page stuck loading (spinning) forever if the SF SSO Config is deleted

  • OPENIDM-14247: Identity Connect - Configuring IC login with an attribute other than sAMAccountName fails

  • OPENIDM-14245: Required fields are missing: [ProfileId] when AD Account is removed from Group mapped to SF Profile

  • OPENIDM-14243: IC sync result drop-down menu contains typo

  • OPENIDM-14182: Page and sort results in the 'Change User Association' modal window in IC

  • OPENIDM-14178: When only one role is assigned to an assignment the UI appears to not save the change in Identity Connect

  • OPENIDM-14175: Not all groups show up in vue multiselect used in Identity Connect UI

  • OPENIDM-14165: Debounce search queries and cancel previous search queries for search-as-you-type feature

  • OPENIDM-14164: Highlighting difference in individual sync does not work in IC UI

  • OPENIDM-14159: Missing info text in text-center element using preview menu.

  • OPENIDM-14156: When cancelling a recon we need to display that as part of the spinner data

  • OPENIDM-14155: Change default log level for the schedules in IdentityConnect by default to debug

  • OPENIDM-14154: Supply the default 636 port when toggling SSL for the AD connection in Identity Connect

  • OPENIDM-14153: Add loading spinner to `attributes` and `sso` views in Identity Connect

  • OPENIDM-14146: Change user association in Identity Connect UI does not display the error message

  • OPENIDM-14139: Members are only added managed roles during liveSync of user account changes

  • OPENIDM-14137: Problem retrieving Salesforce SAML when configured on port 443

  • OPENIDM-14077: Enable the schedule-livesyncADGroups after the wizard recons in the initial AD groups

  • OPENIDM-14071: Recon association entry api doesn't filter correctly if there are null source or target object ids

  • OPENIDM-14062: Password Reset for Identity Connect not displaying in the UI for end users

  • OPENIDM-14042: Change the default.html and 404.html for Identity Connect to use Salesforce 404 page

  • OPENIDM-14041: Modify create-openidm-rc.sh for Identity Connect to include Salesforce as description

  • OPENIDM-14040: Allow the Identity Connect Sync grid display to have configurable attributes displayed

  • OPENIDM-14016: IC - Inoperable & missing Close buttons on "Manage Salesforce Organizations" dialogs

  • OPENIDM-13917: Add Attribute dialog allows adding a null attribute

  • OPENIDM-13904: Sync tab view in Identity Connect takes quite some time to load with a large data set in both source and target

  • OPENIDM-13779: Intermittent never ending preview analysis/reconciliation

  • OPENIDM-13518: Advance setting when Connecting to AD not working correctly for User filter

  • OPENIDM-13516: SSO config is created but not shown in UI until refresh

  • OPENIDM-13513: IC UI bugs while creating New Organization

  • OPENIDM-13503: Invalid Date range in reports>User Activity on Firefox browser

  • OPENIDM-13486: Permission Sets that are assigned to a Profile in Salesforce or the Permission Set is Identity Connect should not be assignable

  • OPENIDM-13478: IC same cert mapping is written to secrets.json multiple times

  • OPENIDM-13382: IC: Data is not displayed at sync tab after Run Preview Analysis

Chapter 4. Documentation Updates

"Documentation Change Log" tracks important changes to the documentation:

Documentation Change Log
Date | Description
2023-12-15
  • Release of Identity Connect 7.1.6.

2023-03-15
  • Release of Identity Connect 7.1.5.

2022-08-05
  • Release of Identity Connect 7.1.3.

2021-08-18
  • Release of Identity Connect 7.1.1.

  • Added a new upgrade procedure in the Implementation Guide.

2021-05-11
  • Release of Identity Connect 7.1.

  • Updated the upgrade procedure in the Implementation Guide.

