Notes covering ForgeRock® Identity Management software requirements, fixes, and known issues. This software offers flexible services for automating management of the identity life cycle.

About ForgeRock Identity Management Software

ForgeRock Identity Platform™ is the only offering for access management, identity management, user-managed access, directory services, and an identity gateway, designed and built as a single, unified platform.

The platform includes the following components that extend what is available in open source projects to provide fully featured, enterprise-ready software:

  • ForgeRock Access Management (AM)

  • ForgeRock Identity Management (IDM)

  • ForgeRock Directory Services (DS)

  • ForgeRock Identity Gateway (IG)

  • ForgeRock Identity Message Broker (IMB)

The ForgeRock Common REST API works across the platform to provide common ways to access web resources and collections of resources.

ForgeRock Identity Management software provides centralized, simple management and synchronization of identities for users, devices and things.

ForgeRock Identity Management software is highly flexible and therefore able to fit almost any use case and workflow.

These release notes are written for anyone using the ForgeRock Identity Management 5.5 release. Read these notes before you install or upgrade ForgeRock Identity Management software.

These release notes cover the following topics:

  • A list of the major new features and functionality provided with this release

  • Hardware and software prerequisites for installing and upgrading ForgeRock Identity Management software

  • Compatibility with previous releases

  • Potential upcoming deprecation and removals that affect scripts and applications

  • Issues fixed since the previous release

  • Known issues open at the time of release

See the Installation Guide after you read these Release Notes. The Installation Guide covers installation and upgrade for ForgeRock Identity Management software.

Chapter 1. What's New

This chapter covers new capabilities in IDM 5.5.

1.1. Maintenance Releases

  • IDM Maintenance Release

    ForgeRock periodically issues maintenance releases with important bug fixes. IDM is the latest maintenance release, targeted at IDM 5.5 deployments, and can be downloaded from the ForgeRock Backstage website. To view the list of fixes in this release, see Key Fixes in IDM


    ForgeRock maintenance releases are a fast-track method for delivering fixes to existing bugs. These fixes improve the functionality, performance, and security of your deployment. No new features have been introduced.

    The IDM patch release can be deployed as an initial deployment or used to upgrade from an existing IDM 5.5 deployment (see Section 2.8, "Supported Update Paths").

    IDM 5.5 is available for download at the ForgeRock Backstage website.

1.2. Previous Releases

  • IDM is a maintenance release that introduces important fixes. This latest maintenance release for IDM 5.5.0 is available from the ForgeRock BackStage website. To view the list of fixes, see Key Fixes in IDM


    ForgeRock maintenance releases provide fixes to existing bugs that improve functionality and security for your IDM deployment. No new features have been introduced.

    The release can be deployed as an initial deployment or used to upgrade an existing version. You can upgrade from any version listed in Section 2.8, "Supported Update Paths".

1.3. New Features


1.4. Security Advisories

ForgeRock issues security advisories in collaboration with our customers and the open source community to address any security vulnerabilities transparently and rapidly. ForgeRock's security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.

For details of all the security advisories across ForgeRock products, see Security Advisories in the Knowledge Base library.

Chapter 2. Before You Install

This chapter covers requirements to consider before you run ForgeRock Identity Management software, especially before you run the software in your production environment.

If you have a special request to support a component or combination not listed here, contact ForgeRock at

2.1. Supported Repositories

The following JDBC repositories are supported for use in production:

  • MySQL version 5.5, 5.6, and 5.7 with MySQL JDBC Driver Connector/J 5.1.18 or later

  • MariaDB version 5.5, 10.0, 10.1, 10.2 with MySQL JDBC Driver Connector/J 5.1.18 or later

  • Microsoft SQL Server 2012, 2014, and 2016

  • Oracle Database 11gR2 and 12c

  • PostgreSQL 9.3.10, 9.4.5, and 9.6

  • IBM DB2 10.1 and 10.5

The default ForgeRock Directory Services (DS) repository is provided for evaluation only.

2.2. Containers

You must install IDM as a stand-alone service, using Apache Felix and Jetty, as provided. Alternate containers are not supported.

IDM bundles Jetty version 9.2.

2.3. Supported Connectors

IDM bundles the following connectors:

  • Adobe CM Connector

  • CSV File Connector

  • Database Table Connector

  • Google Apps Connector

  • Groovy Connector Toolkit

    This toolkit enables you to create scripted connectors to virtually any resource, with the following sample implementations:

    • Scripted SQL Connector

    • Scripted CREST Connector

    • Scripted REST Connector

  • Kerberos Connector

  • LDAP Connector

  • Marketo Connector

  • Salesforce Connector

  • SCIM Connector

  • Scripted SSH Connector

    Currently supported only as a prerequisite for the Kerberos Connector

A PowerShell Connector Toolkit is available for download from ForgeRock's BackStage site. This Toolkit enables you to create scripted connectors to address the requirements of your Microsoft Windows ecosystem.

Additional connectors are available from ForgeRock's BackStage site.

Use of the LDAP connector to provision to Active Directory is supported with Active Directory Domain Controllers, Active Directory Global Catalogues, and Active Directory Lightweight Directory Services (LDS).

Windows 2012 R2 is supported as the remote system for connectors and password synchronization plugins.

The following table lists the supported connectors, connector servers, and password synchronization plugins for this IDM release.

Table 2.1. Supported Connectors, Connector Servers, and Plugins

  Connector/Plugin                                  Supported Version
  Adobe CM Connector                                1.5.0.0
  CSV File Connector                                1.5.2.0
  Database Table Connector                          1.1.1.0
  Google Apps Connector                             1.4.2.0
  Groovy Connector Toolkit                          1.4.4.0
  Kerberos Connector                                1.4.3.0
  LDAP Connector                                    1.4.6.0
  Marketo Connector                                 1.4.3.0
  PowerShell Connector Toolkit                      1.4.4.0
  Salesforce Connector                              5.5.0
  SAP Connector                                     1.4.2.0
  SCIM Connector                                    1.4.0.0
  Active Directory Connector                        1.4.0.0
  Java Connector Server                             1.5.4.0
  .NET Connector Server                             1.5.4.0
  DS Password Synchronization Plugin                5.5.0, supported with DS 5.5.0
                                                    5.0.0, supported with DS 5.0.0
                                                    3.5.0, supported with OpenDJ 3.5.0
                                                    DS Password Sync plugins are not supported with DS OEM
  Active Directory Password Synchronization Plugin  1.2.0, supported on Windows 2008 R2 and Windows 2012 R2

You must use the supported versions of the .NET Connector Server, or the Java Connector Server. The 1.5.x Java Connector Server is backward compatible with the version 1.1.x connectors. The 1.5.x .NET Connector Server is compatible only with the 1.4.x and 1.5.x connectors.

The .NET connector server requires the .NET framework (version 4.5 or later) and is supported on Windows Server 2008 R2 and 2012 R2.


Although the scripted connector toolkits are supported, connectors that you build with these toolkits are not supported. You can find examples of how to build connectors with these toolkits in the Samples Guide.

2.4. Choosing a Browser

ForgeRock has tested many browsers with the IDM UI, including the following browsers:

  • Chrome and Chromium, latest stable version

  • Firefox, latest stable version

  • Safari, latest stable version

  • Internet Explorer 11 and later

2.5. Choosing an Operating System

IDM is supported on the following operating systems:

  • Red Hat Enterprise Linux (and CentOS Linux) 6.5 and later, 7.x

  • Ubuntu Linux 16.04

  • Windows 2008 R2, 2012 R2, 2016

2.6. Preparing the Java Environment

IDM requires Java 8, specifically at least the Java Standard Edition runtime environment.

ForgeRock validates IDM software with Oracle JDK and OpenJDK, and does occasionally run sanity tests with other JDKs. Support for very specific Java and hardware combinations is best-effort. This means that if you encounter an issue when using a particular JVM/hardware combination, you must also demonstrate the problem on a system that is widespread and easily tested by any member of the community.

ForgeRock recommends that you keep your Java installation up to date with the latest security fixes.


If you are using the Oracle JDK and you use 2048-bit SSL certificates, you must install the Unlimited JCE policy to enable IDM to use those certificates.

Download and install the Unlimited JCE Policy for Java 8 from the Oracle Technetwork site. Unzip the JCE zip file and install the JCE policy JAR files in the /lib/security folder of the JRE.

2.7. Fulfilling Memory Requirements

You need 250 MB disk space and 1 GB memory for an evaluation installation. For a production installation, disk space and memory requirements will depend on the size of any internal and external repositories, as well as the size of the audit and service log files that IDM creates.

2.8. Supported Update Paths

The following table contains information about the supported update paths to IDM

Table 2.2. Update Paths
VersionUpdate Supported to IDM[a]
Versions prior to IDM 5.5.0[b]
IDM 5.5.0

[a] You can deploy version as-is for initial deployments.

[b] Must first update to IDM-, then to IDM-

Chapter 3. Fixes, Limitations, and Known Issues

This chapter covers the status of key issues and limitations for ForgeRock Identity Management 5.5.

3.1. Key Fixes

This section covers key bug fixes in IDM 5.5 software.

Key Fixes in IDM
  • OPENIDM-10915: Backport OPENIDM-10887: expose isInitiator flag for IWA module

  • OPENIDM-10917: Backport OPENIDM-10542: IDM decryption fails with AES 256-bit key

  • OPENIDM-11087: Backport OPENIDM-11024: NPE can be thrown if the authentication service comes up before the identityService

  • OPENIDM-11167: Backport OPENIDM-5465: Performance Issue updating conditional role memberships

  • OPENIDM-11240: Backport OPENIDM-10758: returns different content if called from managed.json action or a custom endpoint

  • OPENIDM-11243: Backport OPENIDM-9783: Include thread id in all logging statements

  • OPENIDM-11256: Backport OPENIDM-9329: Self-Service UI has requests in error since workflow.json was removed in default conf

  • OPENIDM-11259: Backport OPENIDM-9347: Separate workflow widget from notifications widget on enduser dashboard

  • OPENIDM-11354: Backport COMMONS-314 json-crypto: SimpleEncryptor symmetric no longer works with HSMs

Key Fixes in IDM
  • OPENIDM-10020: Backport OPENIDM-9219: Workflow service randomly not starting properly

  • OPENIDM-10286: Idle timeout for JWT authentication module is not working

  • OPENIDM-10394: Backport OPENIDM-10231: Unable to use read-only keystore

  • OPENIDM-10401: Backport OPENIDM-10137: unable to set manager property to nullable via UI

  • OPENIDM-10754: Backport OPENIDM-10733: Compensate hangs when downstream connector is offline

  • OPENIDM-10790: Backport OPENIDM-9102: Add workflow switch to system preferences

  • OPENIDM-10791: Backport OPENIDM-9198: Improve workflow switch in admin to handle situation where workflow.json file is not available

  • OPENIDM-10792: Backport OPENIDM-9274: Disable Activiti Workflow service by default unless specifically required by a sample

  • OPENIDM-10797: Backport OPENIDM-10051: Mapping not saving properly when trying to add a condition script and target property not displaying correctly

  • OPENIDM-10818: Backport OPENIDM-10708: ResourceException when external/rest receives HTTP 204 response

  • OPENIDM-10820: Backport OPENIDM-9554: Workflow Processes Completed have "Not Found Error" for managed/user

  • OPENIDM-10909: Backport OPENIDM-9797: Self-signed certificate used for HTTPS not in OpenIDM trust store anymore

  • OPENIDM-10971: Backport OPENIDM-6782: Password is re-encrypted during any managed object update/patch

  • OPENIDM-10972: Backport OPENIDM-9643: Separate the logic for storing the 'lastSync' property out of the all-inclusive ManagedObjectSet#update

  • OPENIDM-11090: Backport OPENIDM-10411: With embedded DJ repo, truststore configuration does not fall back to using keystore configuration if no truststore is configured

  • OPENIDM-11095: Backport OPENIDM-9796: Add backend support to pass the task assignee _id to workflow/taskinstance/ endpoint

  • OPENIDM-11096: Backport OPENIDM-9738: selecting tasks assigned to manager1 results in 404

Key Fixes in IDM
  • OPENIDM-9082: Some generic tables are missing foreign key constraints

  • OPENIDM-9042: KBA - Enforce choosing unique kba questions when editing profile

  • OPENIDM-9041: KBA Allowed for Inactive (Disabled) User Accounts

  • OPENIDM-8857: defaultMapping.js throws error during sync

  • OPENIDM-8856: Role grant conditions do not work on properties of any type other than string

  • OPENIDM-8834: SQL exception when running oracle script for repo

  • OPENIDM-8814: patchByQuery returns 500 error when matching more than 1 result

  • OPENIDM-8722: Patch Remove on Managed Object on property with null value is not removing the property

  • OPENIDM-8721: When reconSourceQueryPaging is false but a value is set for reconSourceQueryPageSize, only a result set up to the size of reconSourceQueryPageSize is reconciled

  • OPENIDM-8698: Direct Reports & Managers can be added to a Managed User multiple times

  • OPENIDM-8688: Untestable nullable encrypted attribute value

  • OPENIDM-8590: Managed users do not display in the Admin UI when some properties are not searchable and viewable

  • OPENIDM-8548: Links table searched with large query when performing reconById

  • OPENIDM-8427: Oracle audit purge scripts not working for empty excludeMapping

  • OPENIDM-8420: Self-Service page fails to load if no security questions are configured

  • OPENIDM-8392: Multiple passwords sample does not work as documented

  • OPENIDM-8328: Long form options no longer work with

  • OPENIDM-8288: Scheduler : NotFoundException when acquiring, releasing and firing triggers

  • OPENIDM-8287: Deleting a schedule leaves data in schedulerobjectproperties table (oracle repo)

  • OPENIDM-8276: ReconContext should generate its own Id and not inherit the RootContext Id

  • OPENIDM-8275: Adding boolean properties to a managed user not saved via Admin UI

  • OPENIDM-8256: Configure Forgerock Identity Provider does not use custom self-service relative URL

  • OPENIDM-8202: Unexpected behavior for null values in hashed fields

  • OPENIDM-8201: Schedule is not saved when configured through the UI

  • OPENIDM-8160: Remove schema owner from OracleDB update scripts

  • OPENIDM-8159: Upgrade failure cause should be reported without having to turn finest logging on

  • OPENIDM-8130: AD LDS provisioner has wrong attributes for groups

  • OPENIDM-8050: External IDM endpoint does not return response codes and errors

  • OPENIDM-8049: Self-signed cert not stored in truststore during initialization

  • OPENIDM-8043: Unable to initialize keystore and truststore when passwords are different

  • OPENIDM-8005: Error when enabling the csv audit handler for queries

  • OPENIDM-8004: Salesforce connector mapping page does not allow default values for certain properties

  • OPENIDM-7984: Full Stack sample: Unable to edit ForgeRock Identity Provider in Admin UI

  • OPENIDM-7980: A system object can be selected as a resource collection of a managed object

  • OPENIDM-7978: Full Stack sample: user is able to log in using admin page but appears to not be able

  • OPENIDM-7968: amAdmin doesn't work with fullStack (or full-stack) sample

  • OPENIDM-7960: Sample LDAP Provisioner Configs for AD/ AD LDS should align with LDAP Connector

  • OPENIDM-7951: Password policy cannot-contain-others not being evaluated during registration

  • OPENIDM-7803: Audit activity occurs for update even when before/after show no differences

  • OPENIDM-7731: UI needs to enforce that only one of keyStoreHandlerName or the combination of key store path plus key store password is configured/saved

  • OPENIDM-7726: Unable to filter by '_id' attribute on Managed Objects in the UI

  • OPENIDM-7700: Core attributes can specify returnByDefault even though not applicable

  • OPENIDM-7660: Audit service fails to start with NPE when enabling CSV tamper prevention using keystore path and password

  • OPENIDM-7659: Updating the CSV audit event handler using the Admin UI may disable the handler

  • OPENIDM-7572: Incorrect link from Workflow Task to Managed User

  • OPENIDM-7564: REST and CREST samples have example-v1.json with incorrect configuration

  • OPENIDM-7561: UI not switching locale based on browser language setting

  • OPENIDM-7541: Query on Audit Logs with JSON as handler for queries fails with Exception

  • OPENIDM-7540: Query on Audit Log with query-all-ids returns full records when handler for queries is CSV

  • OPENIDM-7490: Synchronisation failure when assignment has no attributes

  • OPENIDM-7469: Absolute location with ".." in path is not recognized as non local during patch

  • OPENIDM-7445: Scripted REST (CREST) samples use _id in sync.json which is forbidden

  • OPENIDM-7441: OpenIDM does not throw an error on startup if the provisioner has an incorrect connectorRef

  • OPENIDM-7439: Filtering data for CSV connector in Admin UI fails with Internal Error

  • OPENIDM-7431: "purge-by-recon-number-of" query missing from default Oracle DB repo file

  • OPENIDM-7425: Managed User 'Has to match pattern:' field error in UI

  • OPENIDM-7422: Certain special characters do not display correctly in Provisioning Roles

  • OPENIDM-7398: Updates with scriptedcrest2dj sample broken

  • OPENIDM-7355: transaction-id is not propagated to external DJ resources

  • OPENIDM-7351: NullPointerException thrown by RepoJobStore.cleanupInstance()

  • OPENIDM-7344: After failed login with anonymous user, it is not possible to log in with openidm-admin

  • OPENIDM-7337: Adding the same device to two users displays an incorrect error message

  • OPENIDM-7323: livesync ALL action on OpenICFProvisionerService should be fixed

  • OPENIDM-7315: Requests on relationship endpoints should not double-log managed object

  • OPENIDM-7296: Removing a policy in the behavior tab of the UI doesn't work

  • OPENIDM-7290: ConcurrentExecution gets turned on when updating schedule

  • OPENIDM-7223: Reconciliation always detects manager field as modified

  • OPENIDM-7176: Unexpected "Outbound email is disabled" message in User Registration when email is configured

  • OPENIDM-7163: Task Scanner does not pick up users in explicit mapping

  • OPENIDM-7158: Admin UI: Managed users properties not shown unless defined in managed.json schema

  • OPENIDM-7147: Reset button is not active when updating password of managed user with invalid values

  • OPENIDM-7141: Updating connector info provider failover settings is ignored

  • OPENIDM-7139: testConfig action validates an invalid config if a valid provisioner exists

  • OPENIDM-7095: 'Passwords do not match' message on Self Service UI

  • OPENIDM-6995: scriptedrest2dj sample SyncScript not updating sync token correctly

  • OPENIDM-6951: Self Service KBA: must hit update button twice

  • OPENIDM-6950: The length of mapping name is not properly checked

  • OPENIDM-6922: Social Identities Tab - state of toggles can be incorrect when attempting to unbind last provider

  • OPENIDM-6842: The after object in csv log contains wrong revision after user internal role is deleted

  • OPENIDM-6777: Internal Server Error providing empty '{}' value to "manager" property

  • OPENIDM-6757: Disabled OpenID Connect and OAuth modules still appear as options on login

  • OPENIDM-6678: 409 Conflict error occurs if user cancels social registration after logging into social idp

  • OPENIDM-6633: Port number not showing correctly in UI for LDAP connector

  • OPENIDM-6511: LiveSync schedules are not removed when a connector is deleted in the UI

  • OPENIDM-6316: Unable to specify attribute substitution in config via REST

  • OPENIDM-6156: Multi-valued mail attribute causes reconciliation to abort without accurately auditing the failure cause

  • OPENIDM-6072: Multiple answers to the same security question are possible

  • OPENIDM-5468: JDBC repo connection pool should retry until DB is available

  • OPENIDM-3894: Accessing admin/index.html#mapping/ extremely slow

  • OPENIDM-3845: A space in the "value" key of a PATCH replace request causes the replaced attribute to be removed

  • OPENIDM-3149: Custom Endpoint Example: object request.patchOperations is wrong for Groovy scripts

  • OPENIDM-3070: queryFilter over REST contains resultCount whilst openidm.query doesn't

  • OPENIDM-2016: Sync on unsupported object class with remote java connector returns 500 instead of 400

  • OPENIDM-1496: Sample provisioner files should not contain the _UID_ attribute in ObjectTypes

3.2. Limitations

Limitations in IDM

IDM has the following known limitations:

  • When upgrading from version to and then shutting down the system, IDM throws an exception, which is harmless. After startup, IDM works correctly and no issues are observed.

    The following exception is thrown:

    -> shutdown
    -> Sep 12, 2018 3:41:47 PM org.forgerock.openidm.sync.impl.RepoReconProgressStatePersistence getReconIdsForPersistedReconState
    SEVERE: Exception caught obtaining recon ids for persisted recon state: Resource 'repo/reconprogressstate' not found
    org.forgerock.json.resource.NotFoundException: Resource 'repo/reconprogressstate' not found
    at org.forgerock.json.resource.Router.getBestMatch(

Limitations in IDM 5.5.0

ForgeRock Identity Management 5.5 has the following known limitations:

  • The automated update process is not currently supported on Windows platforms.

  • When you add or edit a connector through the Admin UI, the list of required Base Connector Details is not necessarily accurate for your deployment. Some of these details might be required for specific deployment scenarios only. If you need a connector configuration where not all the Base Connector Details are required, you must create your connector configuration file over REST or by editing the provisioner file directly. For more information, see Section 14.2, "Configuring Connectors" in the Integrator's Guide.

  • For OracleDB repositories, queries that use the queryFilter syntax do not work on CLOB columns in explicit tables.

  • A conditional GET request, with the If-Match request header, is not currently supported.

  • IDM provides an embedded workflow and business process engine based on Activiti and the Business Process Model and Notation (BPMN) 2.0 standard. As an embedded system, local integration is supported. Remote integration is not currently supported.

  • If you're using the OPENAM_SESSION module to help IDM work with ForgeRock Access Management software, modify the JWT_SESSION module to limit the token lifetime to 5 seconds. For more information, see the description of the OPENAM_SESSION module in the Integrator's Guide and Section, "Supported Session Module" in the Integrator's Guide.

  • You cannot use the UI to edit the CSV audit event handler formatting fields. If you need to change these parameters, change them directly in your project's conf/audit.json file.

  • The default DS repository does not support count queries. As such, the totalPagedResults and remainingPagedResults parameters are not supported with a DS repository.

3.3. Known Issues

The following important issues remained open at the time of this release:

Known Issues in IDM
  • OPENIDM-11265: Unable to pause scheduler jobs with REST call

  • OPENIDM-11633: Backport OPENIDM-9454: With an explicit mapping in a MySQL repo, you cannot create a managed user with password longer than 13 characters

  • OPENIDM-11643: Exception could be thrown after update from to (full bits).

  • OPENIDM-11648: RuntimeException and Server Error observed on full-stack example

  • OPENIDM-11649: UI error: Service unavailable after changes in Authentication/Session

  • OPENIDM-11680: Upgrade process to should contain removing of workflow.json file from conf

Known Issues in IDM
  • OPENIDM-11283: Usecase samples have incorrect configuration by default after adding workflow switch

Known Issues in IDM
  • OPENIDM-9409: stdDev has incorrect value 0 for all clustered recon metrics

  • OPENIDM-9342: Update process: update binaries frequently disappear from Update tab

  • OPENIDM-9286: install-service.bat has a broken classpath variable

  • OPENIDM-9201: Failure to send welcome email leads to user creation failure, inconsistent state

  • OPENIDM-9138: Unable to create user with virtual attribute defined when using explicit mappings

  • OPENIDM-9137: Update: 5.0 -> 5.5 Update UI Patch fails to include "Files to be Replaced"

  • OPENIDM-9081: WARNING about extensions directory not existing appears in felix console upon restart of IDM

  • OPENIDM-8839: enum values do not display in API Explorer

  • OPENIDM-8837: Deleting all KBA questions through the UI prevents user registration w/o visible Error Message

  • OPENIDM-8827: ScriptedCrest samples use _id in sync.json, which is forbidden

  • OPENIDM-8659: Property onRetrieve hook returns null even though value is absent

  • OPENIDM-8593: Lots of API Descriptor errors in the logs on startup

  • OPENIDM-8543: Patch remove on a field succeeds but is not propagated to the target

  • OPENIDM-8518: Not Found error when accessing a process instance via Admin UI

  • OPENIDM-8381: Recovery of scheduled jobs following cluster node failure does not work

  • OPENIDM-8295: Non-required single relationship properties should be nullable

  • OPENIDM-8196: Router.json - onResponse script's response object does not contain query result for query method

  • OPENIDM-8140: Mappings page: last recon timestamp not showing most recent

  • OPENIDM-8122: OpenIDM Cluster incorrectly shows ready and running

  • OPENIDM-8052: Cannot create a remote (.NET) connector through the UI

  • OPENIDM-8045: Creating a new managed object with unsupported characters causes an exception

  • OPENIDM-7947: With DJ as a repo, OpenIDM fails to start when using HSM

  • OPENIDM-7665: Admin UI mapping view returns HTTP 400 error

  • OPENIDM-7284: Creating a manager/reports relationship with POST or PUT works on managed/user/id/reports but fails on managed/user/id/manager

  • OPENIDM-5914: Role is still showing as assigned in effectiveRoles attribute on query-all output if role is unassigned via the admin UI

  • OPENIDM-5909: ScriptedSSH incorrect sample provisioner group members nativeName

  • OPENIDM-5907: ScriptedSSH search script with unsupported filter causes timeout exception

  • OPENIDM-5900: ScriptedSSH ErrorCodes.groovy is not loaded

  • OPENIDM-5465: Performance Issue updating conditional role memberships

  • OPENIDM-4149: availableConnectors are not updated after remote ICF shut down

  • OPENIDM-3197: '%' character in object id of calls has to be encoded

  • OPENIDM-848: Conflicting behavior might be observed between the default fields set by the onCreate script and policy enforcement

Chapter 4. Compatibility

This chapter covers major and minor changes to existing functionality, as well as deprecated and removed functionality. You must read this chapter before you start a migration from a previous release.

4.1. Important Changes to Existing Functionality

Take the following changes into account when you update to IDM 5.5. These changes will have an impact on existing deployments. Adjust existing scripts and clients accordingly:

New default audit event handler for queries

The default audit event handler for queries is now the JSON file-based audit event handler and not the repository. The repo audit event handler is disabled by default.

For more information, see Section 22.1, "Configuring the Audit Service" in the Integrator's Guide.

Renamed and removed samples

IDM 5.5 has undergone substantial refactoring of the samples provided with the product. Some samples have been removed, others renamed or consolidated.


All samples that used the XML connector have been refactored to use the CSV connector. The XML connector itself has been removed (see Section 4.3, "Removed Functionality").

The following table shows the previous sample name, the new sample name, where applicable, and the documentation relating to that sample. All sample names (old and new) reference the directories under path/to/openidm/samples.

Table 4.1. Changes Made to the Samples Provided With ForgeRock Identity Management

  Old Sample               | New Sample                             | Documentation
  sample1                  | sync-with-csv                          | Chapter 2, "Synchronizing Data From a CSV File to IDM" in the Samples Guide
  sample2                  | sync-with-ldap                         | Chapter 3, "One Way Synchronization From LDAP to IDM" in the Samples Guide
  sample2b                 | sync-with-ldap-bidirectional           | Chapter 4, "Two Way Synchronization Between LDAP and IDM" in the Samples Guide
  sample2c                 | sync-with-ldap-group-membership        | Chapter 6, "Synchronizing LDAP Group Membership" in the Samples Guide
  sample2d                 | sync-with-ldap-groups                  | Chapter 5, "Synchronizing LDAP Groups" in the Samples Guide
  sample5                  | sync-two-external-resources            | Chapter 7, "Synchronizing Data Between Two External Resources" in the Samples Guide
  sample5b                 | Removed                                | The procedure for configuring synchronization failure compensation is described in Section 15.12, "Configuring Synchronization Failure Compensation" in the Integrator's Guide.
  sample6                  | livesync-with-ad                       | Chapter 9, "LiveSync With an LDAP Server" in the Samples Guide
  sample8                  | Removed                                | The ability to launch a script from within a mapping to log messages is described in Example 15.2, "Using Scripts to Generate Log Messages" in the Integrator's Guide.
  sample9                  | sync-asynchronous                      | Chapter 8, "Asynchronous Reconciliation Using a Workflow" in the Samples Guide
  audit-jms-sample         | audit-jms                              | Chapter 24, "Directing Audit Information To a JMS Broker" in the Samples Guide
  audit-sample             | audit-jdbc                             | Chapter 23, "Directing Audit Information To a MySQL Database" in the Samples Guide
  cdm                      | Removed; content now available in:     | Section 11.21, "Setting Up Users for Marketo Lead Generation" in the Integrator's Guide
  customendpoint           | example-configurations/custom-endpoint | Chapter 28, "Creating a Custom Endpoint" in the Samples Guide
  fullStack                | full-stack                             | Chapter 27, "Integrating IDM With the ForgeRock Identity Platform" in the Samples Guide
  google-connector         | sync-with-google                       | Chapter 10, "Synchronizing Accounts With the Google Apps Connector" in the Samples Guide
  historicalaccountlinking | historical-account-linking             | Chapter 15, "Linking Historical Accounts" in the Samples Guide
  kerberos                 | sync-with-kerberos                     | Chapter 12, "Synchronizing Kerberos User Principals" in the Samples Guide
  misc                     | example-configurations                 | Section 1.2, "Example Configuration Files" in the Samples Guide
  multiaccountlinking      | multi-account-linking                  | Chapter 14, "Linking Multiple Accounts to a Single Identity" in the Samples Guide
  multiplepasswords        | multiple-passwords                     | Chapter 13, "Storing Multiple Passwords For Managed Users" in the Samples Guide
  powershell2AD            | scripted-powershell-with-ad            | Chapter 20, "Connecting to Active Directory With the PowerShell Connector" in the Samples Guide
  powershell2AzureAD       | scripted-powershell-with-azure-ad      | Chapter 21, "Connecting to Azure AD With the PowerShell Connector" in the Samples Guide
  roles/crudops            | Removed                                | The procedure for working with managed roles is comprehensively described in Section 9.4, "Working With Managed Roles" in the Integrator's Guide.
  roles/provrole           | provisioning-with-roles                | Chapter 16, "Provisioning With Roles" in the Samples Guide
  salesforce-connector     | sync-with-salesforce                   | Chapter 11, "Synchronizing Users Between Salesforce and IDM" in the Samples Guide
  scriptedJMSSubscriber    | scripted-jms-subscriber                | Chapter 25, "Subscribing to JMS Messages" in the Samples Guide
  scriptedcrest2dj         | scripted-crest-with-dj                 | Chapter 19, "Connecting to DS With ScriptedCREST" in the Samples Guide
  scriptedrest2dj          | scripted-rest-with-dj                  | Chapter 18, "Connecting to DS With ScriptedREST" in the Samples Guide
  syncfailure              | Removed                                | The synchronization failure mechanism is described in Section 14.2.8, "Setting the Synchronization Failure Configuration" in the Integrator's Guide.
  taskscanner              | example-configurations/task-scanner    | Section 17.8, "Scanning Data to Trigger Tasks" in the Integrator's Guide
  trustedservletfilter     | trusted-servlet-filter                 | Chapter 26, "Authenticating Using a Trusted Servlet Filter" in the Samples Guide
  workflow                 | provisioning-with-workflow             | Chapter 17, "Using a Workflow to Provision User Accounts" in the Samples Guide


The /path/to/openidm/samples directory includes two devops samples (devops-gettingstarted and devops-postgres). These samples are provided for demonstration purposes only and are described in the file in the devops-gettingstarted directory. For tested DevOps samples with the entire ForgeRock Identity Platform, see the Devops Guide.

Change to how the JavaScript log level is set

In previous versions, the JavaScript log level was set by adding the following property to your project's file:


In IDM 5.5, that setting has changed to:

LDAP Connector Configuration for SSL/TLS

The LDAP connector now has more control over the keystore that it uses for secure connections. By default, the connector uses the IDM keystore, and you must specify the alias of the private key that the connector should present. If you do not want to use the default IDM keystore, you can define a separate keystore for the connector. For more information, see Section 2.2, "Configuring the LDAP Connector to Use SSL and StartTLS" in the Connector Reference.

Changes For Multi-Valued Properties

If you declare a multi-valued property in your provisioner file and the elements of that property are not strings, you must specify an items property that indicates the data type of the property values. This change might affect existing provisioner configurations, so review every property of type array before you upgrade. For more information, see flags in the Integrator's Guide.
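
The following pre-upgrade check is an added example and is not ForgeRock code. It scans the objectTypes section of a provisioner file for multi-valued properties whose elements are not strings and that have no items declaration, and derives an items declaration from the property's nativeType. The provisioner fragment is constructed for the example, and the mapping from native types to the JSON type used in items is an assumption that you should adjust for your connector.

```python
"""
Added example (not ForgeRock code): find multi-valued, non-string provisioner
properties that lack an "items" declaration, and add one.

Assumptions (not from the release notes): when "items" is absent, the
property's own "nativeType" describes the element type, and the
JSON_TYPE_FOR_NATIVE table below is the right JSON "type" for "items".
"""
import json

# Constructed provisioner fragment for the example, not a real ForgeRock file.
# "ldapGroups" already declares "items"; "userCertificate" is a multi-valued
# byte-array property without one.
SAMPLE_PROVISIONER = json.loads(r"""
{
  "objectTypes": {
    "account": {
      "properties": {
        "uid": {"type": "string", "nativeName": "uid", "nativeType": "string"},
        "ldapGroups": {
          "type": "array",
          "nativeName": "ldapGroups",
          "nativeType": "string",
          "items": {"type": "string", "nativeType": "string"}
        },
        "userCertificate": {
          "type": "array",
          "nativeName": "userCertificate",
          "nativeType": "JAVA_TYPE_BYTE_ARRAY"
        }
      }
    }
  }
}
""")

# Assumed mapping from ICF native types to the JSON "type" used in "items";
# extend it for the native types your connector actually uses.
JSON_TYPE_FOR_NATIVE = {
    "string": "string",
    "JAVA_TYPE_BYTE_ARRAY": "string",   # byte arrays travel as base64 strings
    "integer": "integer",
    "long": "integer",
    "boolean": "boolean",
    "object": "object",
}


def find_arrays_missing_items(provisioner):
    """Return (objectType, property, nativeType) for every property of type
    "array" whose elements are not strings and that has no "items" key."""
    findings = []
    for ot_name, ot in provisioner.get("objectTypes", {}).items():
        for prop_name, prop in ot.get("properties", {}).items():
            if prop.get("type") != "array" or "items" in prop:
                continue
            native = prop.get("nativeType", "string")
            if native == "string":
                continue   # string elements are the default and need no "items"
            findings.append((ot_name, prop_name, native))
    return findings


def add_missing_items(provisioner):
    """Return a copy of `provisioner` with an "items" declaration added to
    every property reported by find_arrays_missing_items; the input is left
    unchanged so the original file can be diffed against the result."""
    fixed = json.loads(json.dumps(provisioner))   # deep copy
    for ot_name, prop_name, native in find_arrays_missing_items(fixed):
        fixed["objectTypes"][ot_name]["properties"][prop_name]["items"] = {
            "type": JSON_TYPE_FOR_NATIVE.get(native, "string"),
            "nativeType": native,
        }
    return fixed


if __name__ == "__main__":
    for finding in find_arrays_missing_items(SAMPLE_PROVISIONER):
        print("missing items:", finding)
    print(json.dumps(add_missing_items(SAMPLE_PROVISIONER), indent=2))
```

To run it against a real deployment, replace SAMPLE_PROVISIONER with the parsed contents of each provisioner.openicf-*.json file and review the derived items declarations before writing them back; the check only reports what is missing, the type it proposes is the assumption stated above.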

Change to the default source query for clustered and paged reconciliation

The default source query for clustered reconciliations and for paged reconciliations is no longer query-all-ids, but is a queryFilter-based construct that returns the full source objects. For more information, see Section 15.16.4, "Improving Reconciliation Query Performance" in the Integrator's Guide.

4.2. Deprecated Functionality

The following functionality is deprecated in ForgeRock Identity Management 5.5 and is likely to be removed in a future release.

  • The OPENAM_SESSION authentication module is deprecated and will be removed in a future release. If you are integrating IDM with ForgeRock Access Management (AM), you should use the OAUTH_CLIENT module instead.

  • The Active Directory (AD) .NET Connector is deprecated and support for its use in IDM will be removed in a future release.

    For simple Active Directory (and Active Directory LDS) deployments, the Generic LDAP Connector works better than the Active Directory connector in most circumstances. For more information, see Chapter 2, "Generic LDAP Connector" in the Connector Reference.

    For more complex Active Directory deployments, use the PowerShell Connector Toolkit, as described in Chapter 5, "PowerShell Connector Toolkit" in the Connector Reference.

    Note that deprecating the AD Connector has no impact on the PowerShell connector, or on the .NET Connector Server.

  • When configuring connectors (see Section 14.2, "Configuring Connectors" in the Integrator's Guide), you can set up property-level nativeType extensions. The JAVA_TYPE_DATE extension is deprecated.

  • Support for a POST request with ?_action=patch is deprecated when patching a specific resource. Support for a POST request with ?_action=patch is retained when patching by query on a collection.

    Clients that do not support the regular PATCH verb should use the X-HTTP-Method-Override header instead.

    For example, the following POST request uses the X-HTTP-Method-Override header to patch user jdoe's entry, replacing the description field (the endpoint assumes IDM running at its default http://localhost:8080):

    $ curl \
     --header "X-OpenIDM-Username: openidm-admin" \
     --header "X-OpenIDM-Password: openidm-admin" \
     --header "Content-Type: application/json" \
     --request POST \
     --header "X-HTTP-Method-Override: PATCH" \
     --data '[
        {
          "operation":"replace",
          "field":"/description",
          "value":"The new description for Jdoe"
        }
      ]' \
     "http://localhost:8080/openidm/managed/user/jdoe"

    If a reverse proxy or web application firewall in front of IDM applies rules by HTTP method, make sure it also honours X-HTTP-Method-Override; otherwise an intermediary treats such a request as a plain POST while IDM treats it as a PATCH.

  • Support for the Security Management Service has been deprecated, and may be removed at the next release.

  • Support for a POST request with ?_action=sendEmail is deprecated when sending an email with a REST call. Support for a POST request with ?_action=send on the /openidm/external/email endpoint is retained. For an example of this REST call, see Section 24.1, "Sending Mail Over REST" in the Integrator's Guide.

No additional functionality is deprecated at this time.
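
The following is an added example, not ForgeRock code, illustrating the X-HTTP-Method-Override bullet above. It builds the same PATCH-via-POST request with Python's standard library (so the verb, headers and body can be inspected before anything is sent) and applies the patch operations to a local copy of the resource to preview the result. It assumes IDM at http://localhost:8080/openidm and a managed user whose _id is jdoe; the apply_patch function is a simplified model of add, replace, remove and increment, not IDM's implementation.

```python
"""
Added example (not ForgeRock code): build the PATCH-via-POST request that
the release notes recommend for clients that cannot send PATCH, and preview
what its patch operations do to a resource.

Assumptions (not from the release notes): IDM at IDM_BASE below, a managed
user with _id "jdoe", and a simplified model of CREST patch semantics.
"""
import json
from urllib.request import Request

IDM_BASE = "http://localhost:8080/openidm"   # assumed default deployment


def build_patch_request(resource_path, operations, username, password,
                        use_override=True):
    """Return a urllib Request that patches `resource_path`.

    use_override=True  -> HTTP POST carrying X-HTTP-Method-Override: PATCH
                          (the form recommended for clients without PATCH)
    use_override=False -> a plain HTTP PATCH
    Neither form uses the deprecated ?_action=patch on a single resource.
    """
    headers = {
        "X-OpenIDM-Username": username,
        "X-OpenIDM-Password": password,
        "Content-Type": "application/json",
    }
    if use_override:
        headers["X-HTTP-Method-Override"] = "PATCH"
        method = "POST"
    else:
        method = "PATCH"
    return Request(f"{IDM_BASE}/{resource_path}",
                   data=json.dumps(operations).encode("utf-8"),
                   headers=headers, method=method)


def apply_patch(resource, operations):
    """Apply patch operations to a deep copy of `resource` and return it.

    Each operation is {"operation": ..., "field": "/json/pointer", ...}.
    Supports "replace" (field must exist), "add" (set or create), "remove"
    and "increment". Simplified model for previewing a patch body; it is
    not IDM's server-side implementation.
    """
    result = json.loads(json.dumps(resource))   # leave the caller's copy alone
    for op in operations:
        parts = op["field"].strip("/").split("/")
        parent = result
        for part in parts[:-1]:
            parent = parent.setdefault(part, {})
        key = parts[-1]
        kind = op["operation"]
        if kind == "replace":
            if key not in parent:
                raise KeyError(f"cannot replace missing field {op['field']}")
            parent[key] = op["value"]
        elif kind == "add":
            parent[key] = op["value"]
        elif kind == "remove":
            parent.pop(key, None)
        elif kind == "increment":
            parent[key] = parent.get(key, 0) + op["value"]
        else:
            raise ValueError(f"unsupported operation {kind!r}")
    return result


# Constructed sample resource and patch body (not real data).
JDOE = {"_id": "jdoe", "userName": "jdoe", "description": "old",
        "mail": "jdoe@example.com"}
PATCH_OPS = [{"operation": "replace", "field": "/description",
              "value": "The new description for Jdoe"}]

if __name__ == "__main__":
    req = build_patch_request("managed/user/jdoe", PATCH_OPS,
                              "openidm-admin", "openidm-admin")
    print(req.get_method(), req.full_url, dict(req.header_items()))
    print(json.dumps(apply_patch(JDOE, PATCH_OPS), indent=2))
```

Send the request with urllib.request.urlopen(req) once IDM_BASE points at a real instance; outside a local test, use an https URL, because the X-OpenIDM-Username and X-OpenIDM-Password headers carry the credentials in clear text.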

4.3. Removed Functionality

  • Support for Java 7 has been removed.

    Before you update to IDM 5.5, install a newer Java version and follow the instructions in Section 1.1.1, "Java Prerequisites" in the Installation Guide.

  • The file no longer allows the use of the disableConfigSave property.

    If you use the disableConfigSave property, change it to enableConfigSave as described in Section 7.4.2, "Disabling Automatic Configuration Updates" in the Integrator's Guide.

  • The XML file connector has been removed. If you need to connect to a custom XML data file, you should create your own scripted connector by using the Groovy connector toolkit. For more information, see Chapter 6, "Groovy Connector Toolkit" in the Connector Reference.

  • The default internal IDM database, OrientDB, has been replaced with ForgeRock Directory Services (DS). For more information, see Section 2.1, "Using the Default DS Repository" in the Installation Guide.

4.4. Functionality That Will Change in the Future

No major functionality is planned to change at this time.

Chapter 5. How to Report Problems and Provide Feedback

If you have questions regarding ForgeRock Identity Management software that are not answered by the documentation, you can ask questions on the forum at

When requesting help with a problem, include the following information:

  • Description of the problem, including when the problem occurs and its impact on your operation

  • Description of the environment, including the following information:

    • Machine type

    • Operating system and version

    • Repository type and version

    • Java version

    • IDM release version

    • Any patches or other software that might be affecting the problem

  • Steps to reproduce the problem

  • Any relevant access and error logs, stack traces, or core dumps

Chapter 6. Documentation Updates

Table 6.1, "Documentation Change Log" tracks important changes to the documentation:

Table 6.1. Documentation Change Log

Release of maintenance release (see Key Fixes in IDM


Added a known issue to the release notes (see Known Issues in IDM


Added a list of connector dependencies for running connectors remotely (see Section, "Installing Remote Connector Dependencies" in the Integrator's Guide).


Updated the instructions in Section 20.3, "Configuring IDM For a Hardware Security Module (HSM) Device" in the Integrator's Guide to specify that symmetric keys must use an HMAC algorithm.


Release of maintenance release (see Key Fixes in IDM fixes).

The following documentation updates were made in this release:


Release of patch release.

  • Updated the release notes.


Release of patch release.


Release of patch release. Updated the release notes.


Added a workaround for the problem related to Quartz schedules and daylight savings time (Section 17.3, "Schedules and Daylight Savings Time" in the Integrator's Guide).

Added a fix for OPENIDM-9600 (incorrect paths in the Connector Reference).

Chapter 7. Getting Support

This chapter offers information and resources about ForgeRock Identity Management and ForgeRock support.

7.1. Accessing Documentation Online

ForgeRock publishes comprehensive documentation online:

  • The ForgeRock Knowledge Base offers a large and increasing number of up-to-date, practical articles that help you deploy and manage ForgeRock software.

    While many articles are visible to community members, ForgeRock customers have access to much more, including advanced information for customers using ForgeRock software in a mission-critical capacity.

  • ForgeRock product documentation, such as this document, aims to be technically accurate and complete with respect to the software documented. It is visible to everyone and covers all product features and examples of how to use them.

7.2. Using the Site

The site has links to source code for ForgeRock open source software, as well as links to the ForgeRock forums and technical blogs.

If you are a ForgeRock customer, raise a support ticket instead of using the forums. ForgeRock support professionals will get in touch to help you.

7.3. Getting Support and Contacting ForgeRock

ForgeRock provides support services, professional services, training through ForgeRock University, and partner services to assist you in setting up and maintaining your deployments. For a general overview of these services, see

ForgeRock has staff members around the globe who support our international customers and partners. For details, visit, or send an email to ForgeRock at
