Notes covering ForgeRock® Identity Management software requirements, fixes, and known issues. This software offers flexible services for automating management of the identity life cycle.
About ForgeRock Identity Management Software
ForgeRock Identity Platform™ serves as the basis for our simple and comprehensive Identity and Access Management solution. We help our customers deepen their relationships with their customers, and improve the productivity and connectivity of their employees and partners. For more information about ForgeRock and about the platform, see https://www.forgerock.com.
The ForgeRock Common REST API works across the platform to provide common ways to access web resources and collections of resources.
ForgeRock Identity Management software provides centralized, simple management and synchronization of identities for users, devices and things.
ForgeRock Identity Management software is highly flexible and therefore able to fit almost any use case and workflow.
These release notes are written for anyone using the ForgeRock Identity Management 5.5 release. Read these notes before you install or upgrade ForgeRock Identity Management software.
These release notes cover the following topics:
A list of the major new features and functionality provided with this release
Hardware and software prerequisites for installing and upgrading ForgeRock Identity Management software
Compatibility with previous releases
Potential upcoming deprecation and removals that affect scripts and applications
Issues fixed since the previous release
Known issues open at the time of release
See the Installation Guide after you read these Release Notes. The Installation Guide covers installation and upgrade for ForgeRock Identity Management software.
Chapter 1. What's New
This chapter covers new capabilities in IDM 5.5.
1.1. Patch Bundle Releases
ForgeRock patch bundle releases contain a collection of fixes and minor RFEs that have been grouped together and released as part of our commitment to support our customers. For general information on ForgeRock's maintenance and patch releases, see Maintenance and Patch Availability Policy.
IDM 5.5.1.3 is the latest release targeted for IDM 5.5 deployments, and can be downloaded from the ForgeRock Backstage website. To view the list of fixes in this release, see Key Fixes in IDM 5.5.1.3.
The release can be deployed as an initial deployment or updated from an existing IDM 5.5 deployment. IDM 5.5 is available for download at the ForgeRock Backstage website.
1.2. New Features
There are no new features in this release, only bug fixes.
IDM 5.5.1.0 is a maintenance release that introduces important fixes. This latest maintenance release for IDM 5.5.0 is available from the ForgeRock BackStage website. To view the list of fixes, see Key Fixes in IDM 5.5.1.0.
Note
ForgeRock maintenance releases provide fixes to existing bugs that improve functionality and security for your IDM deployment. No new features have been introduced.
The release can be deployed as an initial deployment or used to upgrade an existing version. You can upgrade from any version listed in "Supported Update Paths".
This release includes the following new features:
- New Default Repository
IDM now uses an embedded ForgeRock Directory Services (DS) instance for its internal repository by default (in place of OrientDB). DS is not supported as a repository in production, however. For more information, see "Selecting a Repository" in the Installation Guide.
- Support for Clustered Reconciliation Operations
You can now configure reconciliation jobs to be distributed across multiple nodes in the cluster. For more information, see "Distributing Reconciliation Operations Across a Cluster" in the Integrator's Guide.
- Numerous Additions to the Default Self-Service UI
The Self-Service UI that is provided with IDM now includes support for account claiming, auto login, user managed access, privacy and consent, and more. For more information, see "Configuring User Self-Service" in the Integrator's Guide.
- New Supported Connectors
IDM 5.5.0 bundles two new connectors - the SCIM connector (see "SCIM Connector" in the Connector Reference), and the Adobe CM connector (see "Adobe Campaign Manager Connector" in the Connector Reference).
- Admin UI Widgets
IDM allows you to customize the Admin UI dashboards with a variety of widgets. The following widgets have been added for IDM 5.5.0:
Daily Social Registration (see "Social Identity Widgets" in the Integrator's Guide)
Cluster Node Status (see "Managing Nodes Through the Admin UI" in the Integrator's Guide)
Identity Relationships (see "Viewing Relationships in Graph Form" in the Integrator's Guide)
Managed Objects Relationship Diagram (see "Viewing the Relationship Configuration in the UI" in the Integrator's Guide)
Audit Events (see "Viewing Audit Events in the Admin UI" in the Integrator's Guide)
For a full list of available widgets, see "Available Admin UI Widgets" in the Integrator's Guide.
- Additional Social Identity Providers
IDM supports a wide variety of social identity providers. Support for Google, Facebook, and LinkedIn was added for IDM 5. With the release of IDM 5.5.0, the following providers are now supported:
Google
Facebook
LinkedIn
Amazon
WordPress
Yahoo
Vkontakte
Instagram
WeChat
Microsoft
Salesforce
Twitter
For more information, see "Configuring Social Identity Providers" in the Integrator's Guide.
- Greater Coverage of the REST API With the API Explorer
The API Explorer now covers most of the endpoints provided with a default IDM installation. For more information, see "API Explorer" in the Integrator's Guide.
- New Password Synchronization Plugin Guide
The documentation that describes installation and configuration of the two password synchronization plugins has been moved out of the Integrator's Guide and into a new Password Synchronization Plugin Guide.
For installation instructions, see "Preparing to Install and Run Servers" in the Installation Guide.
Several samples are provided to familiarize you with the IDM features. For more information, see "Overview of the Samples" in the Samples Guide.
For an architectural overview and a high-level presentation of IDM, see "Architectural Overview" in the Integrator's Guide.
1.3. Security Advisories
ForgeRock issues security advisories in collaboration with our customers and the open source community to address any security vulnerabilities transparently and rapidly. ForgeRock's security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.
For details of all the security advisories across ForgeRock products, see Security Advisories in the Knowledge Base library.
Chapter 2. Before You Install
This chapter covers requirements to consider before you run ForgeRock Identity Management software, especially before you run the software in your production environment.
If you have a special request to support a component or combination not listed here, contact ForgeRock at info@forgerock.com.
2.1. Supported Repositories
The following JDBC repositories are supported for use in production:
MySQL version 5.5, 5.6, and 5.7 with MySQL JDBC Driver Connector/J 5.1.18 or later
MariaDB version 5.5, 10.0, 10.1, 10.2 with MySQL JDBC Driver Connector/J 5.1.18 or later
Microsoft SQL Server 2012, 2014, and 2016
Oracle Database 11gR2 and 12c
PostgreSQL 9.3.10, 9.4.5, and 9.6
IBM DB2 10.1 and 10.5
The default ForgeRock Directory Services (DS) repository is provided for evaluation only.
2.2. Containers
You must install IDM as a stand-alone service, using Apache Felix and Jetty, as provided. Alternate containers are not supported.
IDM bundles Jetty version 9.2.
2.3. Supported Connectors
IDM bundles the following connectors:
Adobe CM Connector
CSV File Connector
Database Table Connector
Google Apps Connector
Groovy Connector Toolkit
This toolkit enables you to create scripted connectors to virtually any resource, with the following sample implementations:
Scripted SQL Connector
Scripted CREST Connector
Scripted REST Connector
Kerberos Connector
LDAP Connector
Marketo Connector
Salesforce Connector
SCIM Connector
Scripted SSH Connector
Currently supported only as a prerequisite for the Kerberos Connector
A PowerShell Connector Toolkit is available for download from ForgeRock's BackStage site. This Toolkit enables you to create scripted connectors to address the requirements of your Microsoft Windows ecosystem.
Additional connectors are available from ForgeRock's BackStage site.
Use of the LDAP connector to provision to Active Directory is supported with Active Directory Domain Controllers, Active Directory Global Catalogues, and Active Directory Lightweight Directory Services (LDS).
Windows 2012 R2 is supported as the remote system for connectors and password synchronization plugins.
The following table lists the supported connectors, connector servers, and password synchronization plugins for this IDM release.
Connector/Plugin | Supported Version |
---|---|
Adobe CM Connector | 1.5.0.0 |
CSV File Connector | 1.5.2.0 |
Database Table Connector | 1.1.1.0 |
Google Apps Connector | 1.4.2.0 |
Groovy Connector Toolkit | 1.4.4.0 |
Kerberos Connector | 1.4.3.0 |
LDAP Connector | 1.4.6.0 |
Marketo Connector | 1.4.3.0 |
Powershell Connector Toolkit | 1.4.4.0 |
Salesforce Connector | 5.5.0 |
SAP Connector | 1.4.2.0 |
SCIM Connector | 1.4.0.0 |
Active Directory Connector | 1.4.0.0 |
Java Connector Server | 1.5.4.0, 1.5.2.0, 1.5.1.0, 1.5.0.0, 1.4.1.0 |
.NET Connector Server | 1.5.4.0, 1.5.2.0, 1.5.1.0, 1.5.0.0, 1.4.1.0 |
DS Password Synchronization Plugin | 5.5.0, supported with DS 5.5.0; 5.0.0, supported with DS 5.0.0; 3.5.0, supported with OpenDJ 3.5.0. DS Password Sync plugins are not supported with DS OEM |
Active Directory Password Synchronization Plugin | 1.2.0, supported on Windows 2008 R2 and Windows 2012 R2 |
You must use the supported versions of the .NET Connector Server, or the Java Connector Server. The 1.5.x Java Connector Server is backward compatible with the version 1.1.x connectors. The 1.5.x .NET Connector Server is compatible only with the 1.4.x and 1.5.x connectors.
The 1.5.4.0 .NET connector server requires the .NET framework (version 4.5 or later) and is supported on Windows Server 2008 R2 and 2012 R2.
Important
Although the scripted connector toolkits are supported, connectors that you build with these toolkits are not supported. You can find examples of how to build connectors with these toolkits in the Samples Guide.
2.4. Choosing a Browser
ForgeRock has tested many browsers with the IDM UI, including the following browsers:
Chrome and Chromium, latest stable version
Firefox, latest stable version
Safari, latest stable version
Internet Explorer 11 and later
2.5. Choosing an Operating System
IDM is supported on the following operating systems:
Red Hat Enterprise Linux (and CentOS Linux) 6.5 and later, 7.x
Ubuntu Linux 16.04
Windows 2008 R2, 2012 R2, 2016
2.6. Preparing the Java Environment
IDM requires Java 8, specifically at least the Java Standard Edition runtime environment.
ForgeRock validates IDM software with Oracle JDK and OpenJDK, and does occasionally run sanity tests with other JDKs. Support for very specific Java and hardware combinations is best-effort. This means that if you encounter an issue when using a particular JVM/hardware combination, you must also demonstrate the problem on a system that is widespread and easily tested by any member of the community.
ForgeRock recommends that you keep your Java installation up to date with the latest security fixes.
Note
If you are using the Oracle JDK and you use 2048-bit SSL certificates, you must install the Unlimited JCE policy to enable IDM to use those certificates.
Download and install the Unlimited JCE Policy for Java 8 from the Oracle Technetwork site. Unzip the JCE zip file and install the JCE policy JAR files in the /lib/security folder of the JRE.
2.7. Fulfilling Memory Requirements
You need 250 MB disk space and 1 GB memory for an evaluation installation. For a production installation, disk space and memory requirements will depend on the size of any internal and external repositories, as well as the size of the audit and service log files that IDM creates.
2.8. Supported Update Paths
The following table contains information about the supported update paths to IDM 5.5.1.3:
Chapter 3. Fixes, Limitations, and Known Issues
This chapter covers the status of key issues and limitations for ForgeRock Identity Management 5.5.
3.1. Key Fixes
This section covers key bug fixes in IDM 5.5 software.
OPENIDM-10910: MSSQL upgrade scripts have incorrect SQL syntax when adding columns
OPENIDM-11052: Admin UI Mappings page load delay on system?_action=test REST call
OPENIDM-11393: Assigning a userTask to openidm-admin could cause null pointer exception
OPENIDM-11649: UI error: Service unavailable after changes in Authentication/Session.
OPENIDM-11852: Clustered recon in multi-node environment may never complete
OPENIDM-12038: 'statusCode:null' logged in Audit for successful GET on managed objects
OPENIDM-12080: External Email connects to SMTP servers with TLSv1
OPENIDM-12208: Clustered reconciliation fails due to paging cookie from ldap AD
OPENIDM-12248: Data races in state shared across threads in recon
OPENIDM-12680: Reconciliation stuck in ACTIVE_QUERY_ENTRIES (or other ACTIVE_ state) and cannot be cancelled
OPENIDM-12796: jsonstorage "local" self-service with "uuid" option fails in multi-node cluster scenario
OPENIDM-12804: uuid token expiry doesn't work with jdbc repo
OPENIDM-13135: Do not load JWT signing key if JWT session module is disabled
OPENIDM-13160: PATCH may succeed although If-Match does not match _rev
OPENIDM-13292: IDM trying to initialize SSL Cert for the internal DJ even if it's not configured as the repo, Incompatible with HSM
OPENIDM-13553: Using the query-all-count or query-all-ids-count queryId against a managed object where roles are returned by default causes error
OPENIDM-14163: Workflow: Groovy classpath problem
OPENIDM-14266: Remove security/realm.properties
OPENIDM-10722: investigate high cpu in sun.security.provider package for Create Managed User
OPENIDM-11174: Unable to resume scheduler jobs after successful pause
OPENIDM-11244: Include milliseconds in IDM logs
OPENIDM-11269: process typeError is observed in UI for association tab in mapping details.
OPENIDM-11648: RuntimeException&Server Error is observed on full-stack example.
OPENIDM-12214: OpenAMSessionModule doesn't work with OBF/CRYPT openidm truststore password
OPENIDM-12370: enable HSM data decryption from IDM 3.1.0 instances
OPENIDM-10915: Backport OPENIDM-10887: expose isInitiator flag for IWA module
OPENIDM-10917: Backport OPENIDM-10542: IDM decryption fails with AES 256-bit key
OPENIDM-11087: Backport OPENIDM-11024: NPE can be thrown if the authentication service comes up before the identityService
OPENIDM-11167: Backport OPENIDM-5465: Performance Issue updating conditional role memberships
OPENIDM-11240: Backport OPENIDM-10758: openidm.read() returns different content if called from managed.json action or a custom endpoint
OPENIDM-11243: Backport OPENIDM-9783: Include thread id in all logging statements
OPENIDM-11256: Backport OPENIDM-9329: Self-Service UI has requests in error since workflow.json was removed in default conf
OPENIDM-11259: Backport OPENIDM-9347: Separate workflow widget from notifications widget on enduser dashboard
OPENIDM-11354: Backport COMMONS-314 json-crypto: SimpleEncryptor symmetric no longer works with HSMs
OPENIDM-10020: Backport OPENIDM-9219: Workflow service randomly not starting properly
OPENIDM-10286: Idle timeout for JWT authentication module is not working
OPENIDM-10394: Backport OPENIDM-10231: Unable to use read-only keystore
OPENIDM-10401: Backport OPENIDM-10137: unable to set manager property to nullable via UI
OPENIDM-10754: Backport OPENIDM-10733: Compensate hangs when downstream connector is offline
OPENIDM-10790: Backport OPENIDM-9102: Add workflow switch to system preferences
OPENIDM-10791: Backport OPENIDM-9198: Improve workflow switch in admin to handle situation where workflow.json file is not available
OPENIDM-10792: Backport OPENIDM-9274: Disable Activiti Workflow service by default unless specifically required by a sample
OPENIDM-10797: Backport OPENIDM-10051: Mapping not saving properly when trying to add a condition script and target property not displaying correctly
OPENIDM-10818: Backport OPENIDM-10708: ResourceException when external/rest receives HTTP 204 response
OPENIDM-10820: Backport OPENIDM-9554: Workflow Processes Completed have "Not Found Error" for managed/user
OPENIDM-10909: Backport OPENIDM-9797: Self-signed certificate used for HTTPS not in OpenIDM trust store anymore
OPENIDM-10971: Backport OPENIDM-6782: Password is re-encrypted during any managed object update/patch
OPENIDM-10972: Backport OPENIDM-9643: Separate the logic out for storing the 'lastSync' property out of the all-inclusive ManagedObjetSet#update
OPENIDM-11090: Backport OPENIDM-10411: With embedded DJ repo, truststore configuration does not fall back to using keystore configuration if no truststore is configured
OPENIDM-11095: Backport OPENIDM-9796: Add backend support to pass the task assignee _id to workflow/taskinstance/ endpoint
OPENIDM-11096: Backport OPENIDM-9738: selecting tasks assigned to manager1 results in 404
OPENIDM-9880: User object relationships lost when using compensate script to handle failed delete
OPENIDM-10386: Backport OPENIDM-9940: onRetrieve script executed for managed attributes not returned by fields
OPENIDM-10387: Backport OPENIDM-10365: Temporal constraints on roles are not working anymore
OPENIDM-9977: Backport OPENIDM-8543: Patch remove on a field succeeds but is not propagated to the target
OPENIDM-10019: Backport OPENIDM-8571: Provisioner should be able to retry connector that fails the startup "test"
OPENIDM-10029: Backport OPENIDM-9966: NullPointerException returned when creating a relationship using the source managed object's attribute within the URI and specifying a _fields parameter
OPENIDM-10030: Backport OPENIDM-9389: Scheduled scripts with file paths are saved incorrectly
OPENIDM-10046: Backport OPENIDM-9819: GenericLDAP Connector setup does not read remote LDAP schema irrespective of readSchema setting
OPENIDM-10047: Backport OPENIDM-9976: Self Service email validation link for Registration leads to blank page in Safari
OPENIDM-10060: Backport OPENIDM-9390: Various problems configuring scheduled scripts in the UI
OPENIDM-10102: Backport OPENIDM-9170: Role Members tab in role won't display if role has assignments
OPENIDM-10115: Backport OPENIDM-8201: Schedule is not saved when configured through the UI
OPENIDM-10192: Backport OPENIDM-10134: self service registration fails with cross-origin restrictions using safari
OPENIDM-10201: Backport OPENIDM-10135: manager field disappears when type is null
OPENIDM-10257: Backport OPENIDM-10220: Pressing Enter key after entering text in the attribute selector field for a role's condition submits form
OPENIDM-10275: Backport OPENIDM-10141: Adding an attribute to a 'The value for' condition causes it to be duplicated in the drop-down list
OPENIDM-10287: Backport OPENIDM-10205: Entered text is lost when using the attribute selector for a role's condition
OPENIDM-10288: Backport OPENIDM-10152: Roles condition queryFilter builder no longer shows all properties on managed/user
OPENIDM-10309: Backport OPENIDM-10126: Incomplete list of role members after condition query.
OPENIDM-10359: Backport OPENIDM-9412: In LDAP connector config page, not possible to remove Update User Filter
OPENIDM-9679: Backport OPENIDM-9045 to 5.5.0.1: Performance problem getting triggers for a scheduler job
OPENIDM-9680: Backport OPENIDM-9312 to 5.5.0.1: Enhance configuration options for External Rest service
OPENIDM-9765: Backport OPENIDM-9207: recon creates incorrect links when using linkQualifiers
OPENIDM-9790: Backport OPENIDM-3330: inconsistent use of uidAttribute in Ldap Provisioner Config
OPENIDM-9801: Backport OPENIDM-5227: LDAP Connector search filters not persisted by the Admin UI
OPENIDM-9812: Backport OPENIDM-7315: Requests on relationship endpoints should not double-log managed object
OPENIDM-9852: Backport OPENIDM-9211: External REST service does not return error details from remote server
OPENIDM-9862: Backport OPENIDM-8543: Patch remove on a field succeeds but is not propagated to the target
OPENIDM-9883: Backport OPENIDM-9855: Trusted Attribute fails with multiple instances using different resources
OPENIDM-9896: 5.5.0.1 Backport OPENIDM-9719: CORS headers returned to client with repeated values
OPENIDM-9897: 5.5.0.1 Backport OPENIDM-9362: Managed.json does not contain all attributes within order array for default managed object types
OPENIDM-9898: Backport OPENIDM-7236: Update AD Powershell samples with new scripts
OPENIDM-9901: Backport OPENIDM-9217: Do not execute managed property's onRetrieve when returnByDefault is false
OPENIDM-9910: Backport OPENIDM-9286: install-service.bat has a broken classpath variable
OPENIDM-9082: Some generic tables are missing foreign key constraints
OPENIDM-9042: KBA - Enforce choosing unique kba questions when editing profile
OPENIDM-9041: KBA Allowed for Inactive (Disabled) User Accounts
OPENIDM-8857: defaultMapping.js throws error during sync
OPENIDM-8856: Role grant conditions do not work on properties of any type other than string
OPENIDM-8834: SQL exception when running oracle script for repo
OPENIDM-8814: patchByQuery returns 500 error when matching more than 1 result
OPENIDM-8722: Patch Remove on Managed Object on property with null value is not removing the property
OPENIDM-8721: When reconSourceQueryPaging is false but a value is set for reconSourceQueryPageSize, only a result set up to the size of reconSourceQueryPageSize is reconciled
OPENIDM-8698: Direct Reports & Managers can be added to a Managed User multiple times
OPENIDM-8688: Untestable nullable encrypted attribute value
OPENIDM-8590: Managed users do not display in the Admin UI when some properties are not searchable and viewable
OPENIDM-8548: Links table searched with large query when performing reconById
OPENIDM-8427: Oracle audit purge scripts not working for empty excludeMapping
OPENIDM-8420: Self-Service page fails to load if no security questions are configured
OPENIDM-8392: Multiple passwords sample does not work as documented
OPENIDM-8328: Long form options no longer work with startup.sh
OPENIDM-8288: Scheduler : NotFoundException when acquiring, releasing and firing triggers
OPENIDM-8287: Deleting a schedule leaves data in schedulerobjectproperties table (oracle repo)
OPENIDM-8276: ReconContext should generate its own Id and not inherit the RootContext Id
OPENIDM-8275: Adding boolean properties to a managed user not saved via Admin UI
OPENIDM-8256: Configure Forgerock Identity Provider does not use custom self-service relative URL
OPENIDM-8202: Unexpected behavior for null values in hashed fields
OPENIDM-8201: Schedule is not saved when configured through the UI
OPENIDM-8160: Remove schema owner from OracleDB update scripts
OPENIDM-8159: Upgrade failure cause should be reported without having to turn finest logging on
OPENIDM-8130: AD LDS provisioner has wrong attributes for groups
OPENIDM-8050: External IDM endpoint does not return response codes and errors
OPENIDM-8049: Self-signed cert not stored in truststore during initialization
OPENIDM-8043: Unable to initialize keystore and truststore when passwords are different
OPENIDM-8005: Error when enabling the csv audit handler for queries
OPENIDM-8004: Salesforce connector mapping page does not allow default values for certain properties
OPENIDM-7984: Full Stack sample: Unable to edit ForgeRock Identity Provider in Admin UI
OPENIDM-7980: A system object can be selected as a resource collection of a managed object
OPENIDM-7978: Full Stack sample: user is able to log in using admin page but appears to not be able
OPENIDM-7968: amAdmin doesn't work with fullStack (or full-stack) sample
OPENIDM-7960: Sample LDAP Provisioner Configs for AD/ AD LDS should align with LDAP Connector 1.4.3.0
OPENIDM-7951: Password policy cannot-contain-others not being evaluated during registration
OPENIDM-7803: Audit activity occurs for update even when before/after show no differences
OPENIDM-7731: UI needs to enforce only one of keyStoreHandlerName or combination of key store path plus keys store password is configured/saved
OPENIDM-7726: Unable to filter by '_id' attribute on Managed Objects in the UI
OPENIDM-7700: Core attributes can specify returnByDefault even though not applicable
OPENIDM-7660: Audit service fails to start with NPE when enabling CSV tamper prevention using keystore path and password
OPENIDM-7659: Updating the CSV audit event handler using the Admin UI may disable the handler
OPENIDM-7572: Incorrect link from Workflow Task to Managed User
OPENIDM-7564: REST and CREST samples have example-v1.json with incorrect configuration
OPENIDM-7561: UI not switching locale based on browser language setting
OPENIDM-7541: Query on Audit Logs with JSON as handler for queries fails with Exception
OPENIDM-7540: Query on Audit Log with query-all-ids returns full records when handler for queries is CSV
OPENIDM-7490: Synchronisation failure when assignment has no attributes
OPENIDM-7469: Absolute location with ".." in path is not recognized as non local during patch
OPENIDM-7445: Scripted REST (CREST) samples use _id in sync.json which is forbidden
OPENIDM-7441: OpenIDM does not throw an error on startup if the provisioner has an incorrect connectorRef
OPENIDM-7439: Filtering data for CSV connector in Admin UI fails with Internal Error
OPENIDM-7431: "purge-by-recon-number-of" query missing from default Oracle DB repo file
OPENIDM-7425: Managed User 'Has to match pattern:' field error in UI
OPENIDM-7422: Certain special characters do not display correctly in Provisioning Roles
OPENIDM-7398: Updates with scriptedcrest2dj sample broken
OPENIDM-7355: transaction-id is not propagated to external DJ resources
OPENIDM-7351: NullPointerException thrown by RepoJobStore.cleanupInstance()
OPENIDM-7344: After failed login with anonymous user, it is not possible to log with openidm-admin
OPENIDM-7337: Adding the same device to two users displays an incorrect error message
OPENIDM-7323: livesync ALL action on OpenICFProvisionerService should be fixed
OPENIDM-7315: Requests on relationship endpoints should not double-log managed object
OPENIDM-7296: Removing a policy in the behavior tab of the UI doesn't work
OPENIDM-7290: ConcurrentExecution gets turned on when updating schedule
OPENIDM-7223: Reconciliation always detects manager field as modified
OPENIDM-7176: Unexpected "Outbound email is disabled" message in User Registration when email is configured
OPENIDM-7163: Task Scanner does not pick up users in explicit mapping
OPENIDM-7158: Admin UI: Managed users properties not shown unless defined in managed.json schema
OPENIDM-7147: Reset button is not active when updating password of managed user with invalid values
OPENIDM-7141: Updating connector info provider failover settings is ignored
OPENIDM-7139: testConfig action validates an invalid config if a valid provisioner exists
OPENIDM-7095: 'Passwords do not match' message on Self Service UI
OPENIDM-6995: scriptedrest2dj sample SyncScript not updating sync token correctly
OPENIDM-6951: Self Service KBA: must hit update button twice
OPENIDM-6950: The length of mapping name is not properly checked
OPENIDM-6922: Social Identities Tab - state of toggles can be incorrect when attempting to unbind last provider
OPENIDM-6842: The after object in csv log contains wrong revision after user internal role is deleted
OPENIDM-6777: Internal Server Error providing empty '{}' value to "manager" property
OPENIDM-6757: Disabled OpenID Connect and oAuth modules still appear as options on login
OPENIDM-6678: 409 Conflict error occurs if user cancels social registration after logging into social idp
OPENIDM-6633: Port number not showing correctly in UI for LDAP connector
OPENIDM-6511: LiveSync schedules are not removed when a connector is deleted in the UI
OPENIDM-6316: Unable to specify attribute substitution in config via REST
OPENIDM-6156: Multi-valued mail attribute causes reconciliation to abort without accurately auditing the failure cause
OPENIDM-6072: Multiple answers to the same security question are possible
OPENIDM-5468: JDBC repo connection pool should retry until DB is available
OPENIDM-3894: Accessing admin/index.html#mapping/ extremely slow
OPENIDM-3845: A space in the "value" key of a PATCH replace request causes the replaced attribute to be removed
OPENIDM-3149: Custom Endpoint Example: object request.patchOperations is wrong for Groovy scripts
OPENIDM-3070: queryFilter over REST contains resultCount whilst openidm.query doesn't
OPENIDM-2016: Sync on unsupported object class with remote java connector returns 500 instead of 400
OPENIDM-1496: Sample provisioner files should not contain the _UID_ attribute in ObjectTypes
3.2. Limitations
There are no new known limitations in functionality in IDM 5.5.1.3.
There are no new known limitations in functionality in IDM 5.5.1.2.
IDM 5.5.1.1 has the following known limitations:
When upgrading from version 5.5.1.0 to 5.5.1.1 and then shutting down the system, IDM throws a harmless exception. After startup, IDM works correctly and no issues are observed.
The following exception is thrown:
-> shutdown
-> Sep 12, 2018 3:41:47 PM org.forgerock.openidm.sync.impl.RepoReconProgressStatePersistence getReconIdsForPersistedReconState
SEVERE: Exception caught obtaining recon ids for persisted recon state: Resource 'repo/reconprogressstate' not found
org.forgerock.json.resource.NotFoundException: Resource 'repo/reconprogressstate' not found
    at org.forgerock.json.resource.Router.getBestMatch(Router.java:234)
    ...
    at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
    at java.lang.Thread.run(Thread.java:748)
ForgeRock Identity Management 5.5 has the following known limitations:
The automated update process is not currently supported on Windows platforms.
When you add or edit a connector through the Admin UI, the list of required Base Connector Details is not necessarily accurate for your deployment. Some of these details might be required for specific deployment scenarios only. If you need a connector configuration where not all the Base Connector Details are required, you must create your connector configuration file over REST or by editing the provisioner file directly. For more information, see "Configuring Connectors" in the Integrator's Guide.
For OracleDB repositories, queries that use the queryFilter syntax do not work on CLOB columns in explicit tables.
A conditional GET request, with the If-Match request header, is not currently supported.
IDM provides an embedded workflow and business process engine based on Activiti and the Business Process Model and Notation (BPMN) 2.0 standard. As an embedded system, local integration is supported. Remote integration is not currently supported.
If you're using the OPENAM_SESSION module to help IDM work with ForgeRock Access Management software, modify the JWT_SESSION module to limit token lifetime to 5 seconds. For more information, see information on the OPENAM_SESSION Module in the Integrator's Guide and "Supported Session Module" in the Integrator's Guide.
You cannot use the UI to edit the CSV audit event handler formatting fields. If you need to change these parameters, change them directly in your project's conf/audit.json file.
The default DS repository does not support count queries. As such, the totalPagedResults and remainingPagedResults parameters are not supported with a DS repository.
3.3. Known Issues
The following important issues remained open at the time of this release:
There are no new known issues in this release.
OPENIDM-12660: OpenIDM 5.5.1.2: Update via UI doesn't call resumeJobs
OPENIDM-11265: Unable to pause scheduler jobs with REST call
OPENIDM-11633: Backport OPENIDM-9454: With an explicit mapping in a MySQL repo, you cannot create a managed user with password longer than 13 characters
OPENIDM-11643: Exception could be thrown after update from 5.5.1.0 to 5.5.1.1 (full bits).
OPENIDM-11648: RuntimeException&Server Error is observed on full-stack example
OPENIDM-11649: UI error: Service unavailable after changes in Authentication/Session
OPENIDM-11680: Upgrade process to 5.5.1.1 should contain removing of workflow.json file from conf
There are no known issues in this release.
OPENIDM-9409: stdDev has incorrect value 0 for all clustered recon metrics
OPENIDM-9342: Update process: update binaries frequently disappear from Update tab
OPENIDM-9286: install-service.bat has a broken classpath variable
OPENIDM-9201: Failure to send welcome email leads to user creation failure, inconsistent state
OPENIDM-9138: Unable to create user with virtual attribute defined when using explicit mappings
OPENIDM-9137: Update: 5.0 -> 5.5 Update UI Patch fails to include "Files to be Replaced"
OPENIDM-9081: WARNING about extensions directory not existing appears in felix console upon restart of IDM
OPENIDM-8839: enum values do not display in API Explorer
OPENIDM-8837: Deleting all KBA questions through the UI prevents user registration w/o visible Error Message
OPENIDM-8827: ScriptedCrest samples uses _id in sync.json which is forbidden
OPENIDM-8659: Property onRetrieve hook returns null even though value is absent
OPENIDM-8593: Lots of API Descriptor errors in the logs on startup
OPENIDM-8543: Patch remove on a field succeeds but is not propagated to the target
OPENIDM-8518: Not Found error when accessing a process instance via Admin UI
OPENIDM-8381: Recovery of scheduled jobs following cluster node failure does not work
OPENIDM-8295: Non-required single relationship properties should be nullable
OPENIDM-8196: Router.json - onResponse script's response object does not contain query result for query method
OPENIDM-8140: Mappings page: last recon timestamp not showing most recent
OPENIDM-8122: OpenIDM Cluster incorrectly shows ready and running
OPENIDM-8052: Cannot create a remote (.NET) connector through the UI
OPENIDM-8045: Creating a new managed object with unsupported characters causes an exception
OPENIDM-7947: With DJ as a repo, OpenIDM fails to start when using HSM
OPENIDM-7665: Admin UI mapping view returns HTTP 400 error
OPENIDM-7284: Create manager/reports relationship with POST or PUT work on managed/user/id/reports but fails on managed/user/id/manager
OPENIDM-5914: Role is still showing as assigned in effectiveRoles attribute on query-all output if role is unassigned via the admin UI
OPENIDM-5909: ScriptedSSH incorrect sample provisioner group members nativeName
OPENIDM-5907: ScriptedSSH search script unsupported filter cause timeout exception
OPENIDM-5900: ScriptedSSH ErrorCodes.groovy is not loaded
OPENIDM-5465: Performance Issue updating conditional role memberships
OPENIDM-4149: availableConnectors are not updated after remote ICF shut down
OPENIDM-3197: '%' character in object id of openidm.read calls has to be encoded
OPENIDM-848: Conflicting behavior might be observed between the default fields set by the onCreate script and policy enforcement
Chapter 4. Compatibility
This chapter covers major and minor changes to existing functionality, as well as deprecated and removed functionality. You must read this chapter before you start a migration from a previous release.
4.1. Important Changes to Existing Functionality
Take the following changes into account when you update to IDM 5.5. These changes will have an impact on existing deployments. Adjust existing scripts and clients accordingly:
There are no new important changes in functionality in this release, other than bug fixes.
New default audit event handler for queries
The default audit event handler for queries is now the JSON file-based audit event handler and not the repository. The repo audit event handler is disabled by default.
For more information, see "Configuring the Audit Service" in the Integrator's Guide.
Renamed and removed samples
IDM 5.5 has undergone substantial refactoring of the samples provided with the product. Some samples have been removed, others renamed or consolidated.
Important
All samples that used the XML connector have been refactored to use the CSV connector. The XML connector itself has been removed (see "Removed Functionality").
The following table shows the previous sample name, the new sample name, where applicable, and the documentation relating to that sample. All sample names (old and new) reference the directories under path/to/openidm/samples.
Changes Made to the Samples Provided With ForgeRock Identity Management
Old Sample | New Sample | Documentation |
---|---|---|
sample1 | sync-with-csv | "Synchronizing Data From a CSV File to IDM" in the Samples Guide |
sample2 | sync-with-ldap | "One Way Synchronization From LDAP to IDM" in the Samples Guide |
sample2b | sync-with-ldap-bidirectional | "Two Way Synchronization Between LDAP and IDM" in the Samples Guide |
sample2c | sync-with-ldap-group-membership | "Synchronizing LDAP Group Membership" in the Samples Guide |
sample2d | sync-with-ldap-groups | "Synchronizing LDAP Groups" in the Samples Guide |
sample5 | sync-two-external-resources | "Synchronizing Data Between Two External Resources" in the Samples Guide |
sample5b | Removed | The procedure for configuring synchronization failure compensation is described in "Configuring Synchronization Failure Compensation" in the Integrator's Guide. |
sample6 | livesync-with-ad | "LiveSync With an LDAP Server" in the Samples Guide |
sample8 | Removed | The ability to launch a script from within a mapping to log messages is described in "Using Scripts to Generate Log Messages" in the Integrator's Guide |
sample9 | sync-asynchronous | "Asynchronous Reconciliation Using a Workflow" in the Samples Guide |
audit-jms-sample | audit-jms | "Directing Audit Information To a JMS Broker" in the Samples Guide |
audit-sample | audit-jdbc | "Directing Audit Information To a MySQL Database" in the Samples Guide |
cdm | Removed; content now available in: | "Setting Up Users for Marketo Lead Generation" in the Integrator's Guide |
customendpoint | example-configurations/custom-endpoint | "Creating a Custom Endpoint" in the Samples Guide |
fullStack | full-stack | "Integrating IDM With the ForgeRock Identity Platform" in the Samples Guide |
google-connector | sync-with-google | "Synchronizing Accounts With the Google Apps Connector" in the Samples Guide |
historicalaccountlinking | historical-account-linking | "Linking Historical Accounts" in the Samples Guide |
kerberos | sync-with-kerberos | "Synchronizing Kerberos User Principals" in the Samples Guide |
misc | example-configurations | "Example Configuration Files" in the Samples Guide |
multiaccountlinking | multi-account-linking | "Linking Multiple Accounts to a Single Identity" in the Samples Guide |
multiplepasswords | multiple-passwords | "Storing Multiple Passwords For Managed Users" in the Samples Guide |
powershell2AD | scripted-powershell-with-ad | "Connecting to Active Directory With the PowerShell Connector" in the Samples Guide |
powershell2AzureAD | scripted-powershell-with-azure-ad | "Connecting to Azure AD With the PowerShell Connector" in the Samples Guide |
roles/crudops | Removed | The procedure for working with managed roles is comprehensively described in "Working With Managed Roles" in the Integrator's Guide. |
roles/provrole | provisioning-with-roles | "Provisioning With Roles" in the Samples Guide |
salesforce-connector | sync-with-salesforce | "Synchronizing Users Between Salesforce and IDM" in the Samples Guide |
scriptedJMSSubscriber | scripted-jms-subscriber | "Subscribing to JMS Messages" in the Samples Guide |
scriptedcrest2dj | scripted-crest-with-dj | "Connecting to DS With ScriptedCREST" in the Samples Guide |
scriptedrest2dj | scripted-rest-with-dj | "Connecting to DS With ScriptedREST" in the Samples Guide |
syncfailure | Removed | The synchronization failure mechanism is described in "Setting the Synchronization Failure Configuration" in the Integrator's Guide |
taskscanner | example-configurations/task-scanner | "Scanning Data to Trigger Tasks" in the Integrator's Guide |
trustedservletfilter | trusted-servlet-filter | "Authenticating Using a Trusted Servlet Filter" in the Samples Guide |
usecase | Removed | |
workflow | provisioning-with-workflow | "Using a Workflow to Provision User Accounts" in the Samples Guide |
Note
The /path/to/openidm/samples directory includes two devops samples (devops-gettingstarted and devops-postgres). These samples are provided for demonstration purposes only and are described in the README.md file in the devops-gettingstarted directory. For tested DevOps samples with the entire ForgeRock Identity Platform, see the Devops Guide.
Change to how the JavaScript log level is set
In previous versions, the JavaScript log level was set by adding the following property to your project's logging.properties file:
org.forgerock.script.javascript.JavaScript.level=LEVEL
In IDM, that setting has changed to:
org.forgerock.openidm.script.javascript.JavaScript.level=LEVEL
LDAP Connector Configuration for SSL/TLS
The LDAP connector now has more control over the keystore that it uses for secure connections. By default, the connector uses the IDM keystore, and you must specify the private key alias. If you do not want to use the default IDM keystore, you can define a separate connector keystore. For more information, see "Configuring the LDAP Connector to Use SSL and StartTLS" in the Connector Reference.
Changes For Multi-Valued Properties
If you declare a multi-valued property in your provisioner file, and the elements of that property are not strings, you must specify an items property that indicates the data type of the property values. This change might impact existing provisioner configurations. For more information, see flags in the Integrator's Guide.
Change to the default source query for clustered and paged reconciliation
The default source query for clustered reconciliations and for paged reconciliations is no longer query-all-ids, but is a queryFilter-based construct that returns the full source objects. For more information, see "Improving Reconciliation Query Performance" in the Integrator's Guide.
4.2. Deprecated Functionality
The following functionality is deprecated in ForgeRock Identity Management 5.5 and is likely to be removed in a future release.
No functionality has been deprecated in this release.
Support for the TLSv1.1 protocol has been deprecated and will be removed in a future release. For more information on the potential vulnerability, see CVE-2011-3389 from the National Vulnerability Database from the US National Institute of Standards and Technology.
The default security protocol for IDM is TLSv1.2. Do not downgrade this protocol to TLSv1.1 unless necessary. For more information, see "Setting the TLS Version" in the Integrator's Guide.
The OPENAM_SESSION authentication module is deprecated and will be removed in a future release. If you are integrating IDM with ForgeRock Access Management (AM), you should use the OAUTH_CLIENT module instead.
The Active Directory (AD) .NET Connector is deprecated and support for its use in IDM will be removed in a future release.
For simple Active Directory (and Active Directory LDS) deployments, the Generic LDAP Connector works better than the Active Directory connector, in most circumstances. For more information, see "Generic LDAP Connector" in the Connector Reference.
For more complex Active Directory deployments, use the PowerShell Connector Toolkit, as described in "PowerShell Connector Toolkit" in the Connector Reference.
Note that deprecating the AD Connector has no impact on the PowerShell connector, or on the .NET Connector Server.
When configuring connectors (see "Configuring Connectors" in the Integrator's Guide), you can set up nativeType property level extensions. The JAVA_TYPE_DATE extension is deprecated.
Support for a POST request with ?_action=patch is deprecated, when patching a specific resource. Support for a POST request with ?_action=patch is retained, when patching by query on a collection.
Clients that do not support the regular PATCH verb should use the X-HTTP-Method-Override header instead.
For example, the following POST request uses the X-HTTP-Method-Override header to patch user jdoe's entry:
$ curl \
 --header "X-OpenIDM-Username: openidm-admin" \
 --header "X-OpenIDM-Password: openidm-admin" \
 --header "Content-Type: application/json" \
 --request POST \
 --header "X-HTTP-Method-Override: PATCH" \
 --data '[
   {
     "operation":"replace",
     "field":"/description",
     "value":"The new description for Jdoe"
   }
 ]' \
 "http://localhost:8080/openidm/managed/user/jdoe"
Support for the Security Management Service has been deprecated, and may be removed at the next release.
Support for a POST request with ?_action=sendEmail is deprecated, when sending an email with a REST call. Support for a POST request with ?_action=send is retained, on the /openidm/external/email endpoint. For an example of this REST call, see "Sending Mail Over REST" in the Integrator's Guide.
4.3. Removed Functionality
No features or functionality have been removed in this release.
Support for the RACF connector has been removed.
Support for the TLSv1.0 protocol has been removed. For more information, see the following PDF: Migrating from SSL and Early TLS from the PCI Security Standards Council.
The default security protocol for IDM is TLSv1.2. Do not downgrade this protocol unless you have a specific need.
Support for Java 7 has been removed.
Before you update to IDM 5.5, install a newer Java version and follow the instructions in "Java Prerequisites" in the Installation Guide.
The system.properties file no longer allows the use of the disableConfigSave property.
If you use the disableConfigSave property, change it to enableConfigSave as described in "Disabling Automatic Configuration Updates" in the Integrator's Guide.
The XML file connector has been removed. If you need to connect to a custom XML data file, you should create your own scripted connector by using the Groovy connector toolkit. For more information, see "Groovy Connector Toolkit" in the Connector Reference.
The default internal IDM database, OrientDB, has been replaced with ForgeRock Directory Services (DS). For more information, see "Using the Default DS Repository" in the Installation Guide.
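The script below is an added example, not part of the ForgeRock documentation or product. It scans a project's configuration and script files for the changed, deprecated and removed names listed in sections 4.1 to 4.3 (the old JavaScript log-level property, TLSv1.0 and TLSv1.1, OPENAM_SESSION, JAVA_TYPE_DATE, ?_action=sendEmail, disableConfigSave) and lists array properties in provisioner files that declare no items type. The scanned file suffixes, the provisioner.* file naming and the objectTypes/properties layout are assumptions, and the sample inputs are constructed.

```python
"""Pre-upgrade scan of an IDM project for settings flagged in the 5.5 notes."""
import json
import re
from pathlib import Path

# (regex, status, advice): every name below is quoted from the release notes.
RULES = [
    (r"^\s*org\.forgerock\.script\.javascript\.JavaScript\.level\s*=", "changed",
     "rename to org.forgerock.openidm.script.javascript.JavaScript.level"),
    (r"\bdisableConfigSave\b", "removed", "use enableConfigSave"),
    (r"\bTLSv1\.0\b", "removed", "use TLSv1.2, the IDM default"),
    (r"\bTLSv1\.1\b", "deprecated", "use TLSv1.2, the IDM default"),
    (r"\bOPENAM_SESSION\b", "deprecated", "use the OAUTH_CLIENT module"),
    (r"\bJAVA_TYPE_DATE\b", "deprecated", "nativeType extension is deprecated"),
    (r"_action=sendEmail\b", "deprecated",
     "use _action=send on /openidm/external/email"),
]
SUFFIXES = {".json", ".properties", ".js", ".groovy"}  # assumed file types

def scan_text(name, text):
    """Return (file, line number, status, advice) for each rule hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern, status, advice in RULES:
            if re.search(pattern, line):
                findings.append((name, lineno, status, advice))
    return findings

def arrays_missing_items(provisioner):
    """List 'objectType.property' for array properties that declare no items."""
    # items is required only for non-string elements, so a hit means "review".
    missing = []
    for otype, spec in provisioner.get("objectTypes", {}).items():
        for prop, schema in spec.get("properties", {}).items():
            if schema.get("type") == "array" and "items" not in schema:
                missing.append(f"{otype}.{prop}")
    return missing

def scan_project(root):
    """Scan config and script files under root; the layout is an assumption."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix not in SUFFIXES:
            continue
        text = path.read_text(errors="replace")
        findings += scan_text(str(path), text)
        if path.name.startswith("provisioner.") and path.suffix == ".json":
            try:
                hits = arrays_missing_items(json.loads(text))
            except (ValueError, AttributeError):
                findings.append((str(path), 0, "review", "unparseable provisioner"))
                continue
            findings += [(str(path), 0, "review", f"{h}: array without items")
                         for h in hits]
    return findings

# Constructed inputs, not taken from a real deployment.
SAMPLE_LOGGING = ("# constructed logging.properties\n"
                  "org.forgerock.script.javascript.JavaScript.level=WARNING\n"
                  "org.forgerock.openidm.script.javascript.JavaScript.level=INFO\n")
SAMPLE_PROVISIONER = {"objectTypes": {"account": {"properties": {
    "uid": {"type": "string", "nativeName": "uid", "nativeType": "string"},
    "ports": {"type": "array", "nativeName": "ports", "nativeType": "integer"},
    "groups": {"type": "array", "items": {"type": "string"},
               "nativeName": "groups", "nativeType": "string"},
}}}}

if __name__ == "__main__":
    for finding in scan_text("logging.properties", SAMPLE_LOGGING):
        print(finding)
    print(arrays_missing_items(SAMPLE_PROVISIONER))
```

Call scan_project with the path to a copy of the project directory; findings with status "review" need a manual check rather than an automatic change.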
Chapter 5. How to Report Problems and Provide Feedback
If you have questions regarding ForgeRock Identity Management software that are not answered by the documentation, you can ask questions on the forum at https://forgerock.org/forum/fr-projects/openidm/.
When requesting help with a problem, include the following information:
Description of the problem, including when the problem occurs and its impact on your operation
Description of the environment, including the following information:
Machine type
Operating system and version
Repository type and version
Java version
IDM release version
Any patches or other software that might be affecting the problem
Steps to reproduce the problem
Any relevant access and error logs, stack traces, or core dumps
Chapter 6. Documentation Updates
"Documentation Change Log" tracks important changes to the documentation:
Date | Description |
---|---|
2021-03-11 | |
2020-07-18 | Added a description for the maxTokenSize property of the IWA authentication module. |
2020-05-14 | Added missing |
2021-03-11 | Release of 5.5.1.3 patch bundle release. |
2019-11-22 | Updated the IDM 5.5.1.0 Known Issues list in the release notes. For more information, see Known Issues in IDM 5.5.1.0. |
2019-10-04 | Release of 5.5.1.2 patch bundle release. |
2019-09-14 | Release of 5.5.1.1 patch bundle release. |
2019-09-10 | Revised the logging documentation to include security advice on logging levels. See "Specifying the Logging Level" in the Integrator's Guide and "Updating |
2019-08-19 | Added information on restricting the maximum payload size in HTTP requests ("Restricting the HTTP Payload Size" in the Integrator's Guide). |
2018-07-16 | Added a known issue to the release notes (see Known Issues in IDM 5.5.1.0). |
2018-07-06 | Added a list of connector dependencies for running connectors remotely (see "Installing Remote Connector Dependencies" in the Integrator's Guide). |
2018-06-20 | Updated the instructions in "Configuring IDM For a Hardware Security Module (HSM) Device" in the Integrator's Guide to specify that symmetric keys must use an HMAC algorithm. |
2018-06-15 | Release of 5.5.1.0 maintenance release (see Key Fixes in IDM 5.5.1.0 fixes). The following documentation updates were made in this release: |
2018-04-20 | Release of 5.5.0.3 patch bundle release. |
2018-03-23 | Release of 5.5.0.2 patch bundle release. |
2018-02-16 | Release of 5.5.0.1 patch bundle release. Updated the release notes. |
2017-11-10 | Added a workaround for the problem related to Quartz schedules and daylight savings time ("Schedules and Daylight Savings Time" in the Integrator's Guide). Added a fix for OPENIDM-9600 (incorrect paths in the Connector Reference). |
Appendix A. Release Levels and Interface Stability
This appendix includes ForgeRock definitions for product release levels and interface stability.
A.1. ForgeRock Product Release Levels
ForgeRock defines Major, Minor, Maintenance, and Patch product release levels. The release level is reflected in the version number. The release level tells you what sort of compatibility changes to expect.
Release Label | Version Numbers | Characteristics |
---|---|---|
Major | Version: x[.0.0] (trailing 0s are optional) | |
Minor | Version: x.y[.0] (trailing 0s are optional) | |
Maintenance, Patch | Version: x.y.z[.p] The optional | |
A.2. ForgeRock Product Interface Stability
ForgeRock products support many protocols, APIs, GUIs, and command-line interfaces. Some of these interfaces are standard and very stable. Others offer new functionality that is continuing to evolve.
ForgeRock acknowledges that you invest in these interfaces, and therefore must know when and how ForgeRock expects them to change. For that reason, ForgeRock defines interface stability labels and uses these definitions in ForgeRock products.
Stability Label | Definition |
---|---|
Stable | This documented interface is expected to undergo backwards-compatible changes only for major releases. Changes may be announced at least one minor release before they take effect. |
Evolving | This documented interface is continuing to evolve and so is expected to change, potentially in backwards-incompatible ways even in a minor release. Changes are documented at the time of product release. While new protocols and APIs are still in the process of standardization, they are Evolving. This applies for example to recent Internet-Draft implementations, and also to newly developed functionality. |
Deprecated | This interface is deprecated and likely to be removed in a future release. For previously stable interfaces, the change was likely announced in a previous release. Deprecated interfaces will be removed from ForgeRock products. |
Removed | This interface was deprecated in a previous release and has now been removed from the product. |
Technology Preview | Technology previews provide access to new features that are evolving new technology that are not yet supported. Technology preview features may be functionally incomplete and the function as implemented is subject to change without notice. DO NOT DEPLOY A TECHNOLOGY PREVIEW INTO A PRODUCTION ENVIRONMENT. Customers are encouraged to test drive the technology preview features in a non-production environment and are welcome to make comments and suggestions about the features in the associated forums. ForgeRock does not guarantee that a technology preview feature will be present in future releases, the final complete version of the feature is liable to change between preview and the final version. Once a technology preview moves into the completed version, said feature will become part of the ForgeRock platform. Technology previews are provided on an “AS-IS” basis for evaluation purposes only and ForgeRock accepts no liability or obligations for the use thereof. |
Internal/Undocumented | Internal and undocumented interfaces can change without notice. If you depend on one of these interfaces, contact ForgeRock support or email info@forgerock.com to discuss your needs. |
Appendix B. Getting Support
For more information or resources about ${am.abbr} and ForgeRock Support, see the following sections:
B.1. Accessing Documentation Online
ForgeRock publishes comprehensive documentation online:
The ForgeRock Knowledge Base offers a large and increasing number of up-to-date, practical articles that help you deploy and manage ForgeRock software.
While many articles are visible to community members, ForgeRock customers have access to much more, including advanced information for customers using ForgeRock software in a mission-critical capacity.
ForgeRock product documentation, such as this document, aims to be technically accurate and complete with respect to the software documented. It is visible to everyone and covers all product features and examples of how to use them.
B.2. Using the ForgeRock.org Site
The ForgeRock.org site has links to source code for ForgeRock open source software, as well as links to the ForgeRock forums and technical blogs.
If you are a ForgeRock customer, raise a support ticket instead of using the forums. ForgeRock support professionals will get in touch to help you.
B.3. Getting Support and Contacting ForgeRock
ForgeRock provides support services, professional services, training through ForgeRock University, and partner services to assist you in setting up and maintaining your deployments. For a general overview of these services, see https://www.forgerock.com.
ForgeRock has staff members around the globe who support our international customers and partners. For details on ForgeRock's support offering, including support plans and service level agreements (SLAs), visit https://www.forgerock.com/support.