Notes covering ForgeRock® Identity Management software requirements, fixes, and known issues. This software offers flexible services for automating management of the identity life cycle.

About ForgeRock Identity Management Software

ForgeRock Identity Platform™ serves as the basis for our simple and comprehensive Identity and Access Management solution. We help our customers deepen their relationships with their customers, and improve the productivity and connectivity of their employees and partners. For more information about ForgeRock and about the platform, see

The ForgeRock Common REST API works across the platform to provide common ways to access web resources and collections of resources.

ForgeRock Identity Management software provides centralized, simple management and synchronization of identities for users, devices and things.

ForgeRock Identity Management software is highly flexible and therefore able to fit almost any use case and workflow.

These release notes are written for anyone using the ForgeRock Identity Management 5.5 release. Read these notes before you install or upgrade ForgeRock Identity Management software.

These release notes cover the following topics:

  • A list of the major new features and functionality provided with this release

  • Hardware and software prerequisites for installing and upgrading ForgeRock Identity Management software

  • Compatibility with previous releases

  • Potential upcoming deprecation and removals that affect scripts and applications

  • Issues fixed since the previous release

  • Known issues open at the time of release

See the Installation Guide after you read these Release Notes. The Installation Guide covers installation and upgrade for ForgeRock Identity Management software.

Chapter 1. What's New

This chapter covers new capabilities in IDM 5.5.

1.1. Patch Bundle Releases

ForgeRock patch bundle releases contain a collection of fixes and minor RFEs that have been grouped together and released as part of our commitment to support our customers. For general information on ForgeRock's maintenance and patch releases, see Maintenance and Patch Availability Policy.

  • IDM is the latest release, targeted for IDM 5.5 deployments and can be downloaded from the ForgeRock Backstage website. To view the list of fixes in this release, see Key Fixes in IDM

    The release can be deployed as an initial deployment or updated from an existing IDM 5.5 deployment. IDM 5.5 is available for download at the ForgeRock Backstage website.

1.2. New Features

  • There are no new features in this release, only bug fixes.


  • IDM is a maintenance release that introduces important fixes. This latest maintenance release for IDM 5.5.0 is available from the ForgeRock BackStage website. To view the list of fixes, see Key Fixes in IDM


    ForgeRock maintenance releases provide fixes to existing bugs that improve functionality and security for your IDM deployment. No new features have been introduced.

    The release can be deployed as an initial deployment or used to upgrade an existing version. You can upgrade from any version listed in "Supported Update Paths".

IDM 5.5.0
  • This release includes the following new features:

    New Default Repository

    IDM now uses an embedded ForgeRock Directory Services (DS) instance for its internal repository by default (in place of OrientDB). DS is not supported as a repository in production, however. For more information, see "Selecting a Repository" in the Installation Guide.

    Support for Clustered Reconciliation Operations

    You can now configure reconciliation jobs to be distributed across multiple nodes in the cluster. For more information, see "Distributing Reconciliation Operations Across a Cluster" in the Integrator's Guide.

    Numerous Additions to the Default Self-Service UI

    The Self-Service UI that is provided with IDM now includes support for account claiming, auto login, user managed access, privacy and consent, and more. For more information, see "Configuring User Self-Service" in the Integrator's Guide.

    New Supported Connectors

    IDM 5.5.0 bundles two new connectors - the SCIM connector (see "SCIM Connector" in the Connector Reference), and the Adobe CM connector (see "Adobe Campaign Manager Connector" in the Connector Reference).

    Admin UI Widgets

    IDM allows you to customize the Admin UI dashboards with a variety of widgets. The following widgets have been added for IDM 5.5.0:

    For a full list of available widgets, see "Available Admin UI Widgets" in the Integrator's Guide.

    Additional Social Identity Providers

    IDM supports a wide variety of social identity providers. Support for Google, Facebook, and LinkedIn was added for IDM 5. With the release of IDM 5.5.0, the following providers are now supported:


    For more information, see "Configuring Social Identity Providers" in the Integrator's Guide.

    Greater Coverage of the REST API With the API Explorer

    The API Explorer now covers most of the endpoints provided with a default IDM installation. For more information, see "API Explorer" in the Integrator's Guide.

    New Password Synchronization Plugin Guide

    The documentation that describes installation and configuration of the two password synchronization plugins has been moved out of the Integrator's Guide and into a new Password Synchronization Plugin Guide.

    For installation instructions, see "Preparing to Install and Run Servers" in the Installation Guide.

    Several samples are provided to familiarize you with the IDM features. For more information, see "Overview of the Samples" in the Samples Guide.

    For an architectural overview and a high-level presentation of IDM, see "Architectural Overview" in the Integrator's Guide.

1.3. Security Advisories

ForgeRock issues security advisories in collaboration with our customers and the open source community to address any security vulnerabilities transparently and rapidly. ForgeRock's security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.

For details of all the security advisories across ForgeRock products, see Security Advisories in the Knowledge Base library.

Chapter 2. Before You Install

This chapter covers requirements to consider before you run ForgeRock Identity Management software, especially before you run the software in your production environment.

If you have a special request to support a component or combination not listed here, contact ForgeRock at

2.1. Supported Repositories

The following JDBC repositories are supported for use in production:

  • MySQL version 5.5, 5.6, and 5.7 with MySQL JDBC Driver Connector/J 5.1.18 or later

  • MariaDB version 5.5, 10.0, 10.1, 10.2 with MySQL JDBC Driver Connector/J 5.1.18 or later

  • Microsoft SQL Server 2012, 2014, and 2016

  • Oracle Database 11gR2 and 12c

  • PostgreSQL 9.3.10, 9.4.5, and 9.6

  • IBM DB2 10.1 and 10.5

The default ForgeRock Directory Services (DS) repository is provided for evaluation only.

2.2. Containers

You must install IDM as a stand-alone service, using Apache Felix and Jetty, as provided. Alternate containers are not supported.

IDM bundles Jetty version 9.2.

2.3. Supported Connectors

IDM bundles the following connectors:

  • Adobe CM Connector

  • CSV File Connector

  • Database Table Connector

  • Google Apps Connector

  • Groovy Connector Toolkit

    This toolkit enables you to create scripted connectors to virtually any resource, with the following sample implementations:

    • Scripted SQL Connector

    • Scripted CREST Connector

    • Scripted REST Connector

  • Kerberos Connector

  • LDAP Connector

  • Marketo Connector

  • Salesforce Connector

  • SCIM Connector

  • Scripted SSH Connector

    Currently supported only as a prerequisite for the Kerberos Connector.

A PowerShell Connector Toolkit is available for download from ForgeRock's BackStage site. This Toolkit enables you to create scripted connectors to address the requirements of your Microsoft Windows ecosystem.

Additional connectors are available from ForgeRock's BackStage site.

Use of the LDAP connector to provision to Active Directory is supported with Active Directory Domain Controllers, Active Directory Global Catalogues, and Active Directory Lightweight Directory Services (LDS).

Windows 2012 R2 is supported as the remote system for connectors and password synchronization plugins.

The following table lists the supported connectors, connector servers, and password synchronization plugins for this IDM release.

Supported Connectors, Connector Servers, and Plugins

Connector/Plugin                                   Supported Version
Adobe CM Connector                                 1.5.0.0
CSV File Connector                                 1.5.2.0
Database Table Connector                           1.1.1.0
Google Apps Connector                              1.4.2.0
Groovy Connector Toolkit                           1.4.4.0
Kerberos Connector                                 1.4.3.0
LDAP Connector                                     1.4.6.0
Marketo Connector                                  1.4.3.0
PowerShell Connector Toolkit                       1.4.4.0
Salesforce Connector                               5.5.0
SAP Connector                                      1.4.2.0
SCIM Connector                                     1.4.0.0
Active Directory Connector                         1.4.0.0
Java Connector Server                              1.5.4.0,,,,
.NET Connector Server                              1.5.4.0,,,,
DS Password Synchronization Plugin                 5.5.0, supported with DS 5.5.0
                                                   5.0.0, supported with DS 5.0.0
                                                   3.5.0, supported with OpenDJ 3.5.0
                                                   DS Password Sync plugins are not supported with DS OEM
Active Directory Password Synchronization Plugin   1.2.0, supported on Windows 2008 R2 and Windows 2012 R2

You must use the supported versions of the .NET Connector Server, or the Java Connector Server. The 1.5.x Java Connector Server is backward compatible with the version 1.1.x connectors. The 1.5.x .NET Connector Server is compatible only with the 1.4.x and 1.5.x connectors.

The .NET connector server requires the .NET framework (version 4.5 or later) and is supported on Windows Server 2008 R2 and 2012 R2.


Although the scripted connector toolkits are supported, connectors that you build with these toolkits are not supported. You can find examples of how to build connectors with these toolkits in the Samples Guide.

2.4. Choosing a Browser

ForgeRock has tested many browsers with the IDM UI, including the following browsers:

  • Chrome and Chromium, latest stable version

  • Firefox, latest stable version

  • Safari, latest stable version

  • Internet Explorer 11 and later

2.5. Choosing an Operating System

IDM is supported on the following operating systems:

  • Red Hat Enterprise Linux (and CentOS Linux) 6.5 and later, 7.x

  • Ubuntu Linux 16.04

  • Windows 2008 R2, 2012 R2, 2016

2.6. Preparing the Java Environment

IDM requires Java 8, specifically at least the Java Standard Edition runtime environment.

ForgeRock validates IDM software with Oracle JDK and OpenJDK, and does occasionally run sanity tests with other JDKs. Support for very specific Java and hardware combinations is best-effort. This means that if you encounter an issue when using a particular JVM/hardware combination, you must also demonstrate the problem on a system that is widespread and easily tested by any member of the community.

ForgeRock recommends that you keep your Java installation up to date with the latest security fixes.


If you are using the Oracle JDK and you use 2048-bit SSL certificates, you must install the Unlimited JCE policy to enable IDM to use those certificates.

Download and install the Unlimited JCE Policy for Java 8 from the Oracle Technetwork site. Unzip the JCE zip file and install the JCE policy JAR files in the /lib/security folder of the JRE.

2.7. Fulfilling Memory Requirements

You need 250 MB disk space and 1 GB memory for an evaluation installation. For a production installation, disk space and memory requirements will depend on the size of any internal and external repositories, as well as the size of the audit and service log files that IDM creates.

2.8. Supported Update Paths

The following table contains information about the supported update paths to IDM

Update Paths

Version                          Update Supported to IDM[a]
Versions prior to IDM 5.5.0[b]
IDM 5.5.0

[a] You can deploy version as-is for initial deployments.

[b] Must first update to IDM-5.5.0, then to IDM-

Chapter 3. Fixes, Limitations, and Known Issues

This chapter covers the status of key issues and limitations for ForgeRock Identity Management 5.5.

3.1. Key Fixes

This section covers key bug fixes in IDM 5.5 software.

Key Fixes in IDM
  • OPENIDM-10910: MSSQL upgrade scripts have incorrect SQL syntax when adding columns

  • OPENIDM-11052: Admin UI Mappings page load delay on system?_action=test REST call

  • OPENIDM-11393: Assigning a userTask to openidm-admin could cause null pointer exception

  • OPENIDM-11649: UI error: Service unavailable after changes in Authentication/Session.

  • OPENIDM-11852: Clustered recon in multi-node environment may never complete

  • OPENIDM-12038: 'statusCode:null' logged in Audit for successful GET on managed objects

  • OPENIDM-12080: External Email connects to SMTP servers with TLSv1

  • OPENIDM-12208: Clustered reconciliation fails due to paging cookie from ldap AD

  • OPENIDM-12248: Data races in state shared across threads in recon

  • OPENIDM-12680: Reconciliation stuck in ACTIVE_QUERY_ENTRIES (or other ACTIVE_ state) and cannot be cancelled

  • OPENIDM-12796: jsonstorage "local" self-service with "uuid" option fails in multi-node cluster scenario

  • OPENIDM-12804: uuid token expiry doesn't work with jdbc repo

  • OPENIDM-13135: Do not load JWT signing key if JWT session module is disabled

  • OPENIDM-13160: PATCH may succeed although If-Match does not match _rev

  • OPENIDM-13292: IDM trying to initialize SSL Cert for the internal DJ even if it's not configured as the repo, Incompatible with HSM

  • OPENIDM-13553: Using the query-all-count or query-all-ids-count queryId against a managed object where roles are returned by default causes error

  • OPENIDM-14163: Workflow: Groovy classpath problem

  • OPENIDM-14266: Remove security/

Key Fixes in IDM
  • OPENIDM-10722: investigate high cpu in package for Create Managed User

  • OPENIDM-11174: Unable to resume scheduler jobs after successful pause

  • OPENIDM-11244: Include milliseconds in IDM logs

  • OPENIDM-11269: process typeError is observed in UI for association tab in mapping details.

  • OPENIDM-11648: RuntimeException&Server Error is observed on full-stack example.

  • OPENIDM-12214: OpenAMSessionModule doesn't work with OBF/CRYPT openidm truststore password

  • OPENIDM-12370: enable HSM data decryption from IDM 3.1.0 instances

Key Fixes in IDM
  • OPENIDM-10915: Backport OPENIDM-10887: expose isInitiator flag for IWA module

  • OPENIDM-10917: Backport OPENIDM-10542: IDM decryption fails with AES 256-bit key

  • OPENIDM-11087: Backport OPENIDM-11024: NPE can be thrown if the authentication service comes up before the identityService

  • OPENIDM-11167: Backport OPENIDM-5465: Performance Issue updating conditional role memberships

  • OPENIDM-11240: Backport OPENIDM-10758: returns different content if called from managed.json action or a custom endpoint

  • OPENIDM-11243: Backport OPENIDM-9783: Include thread id in all logging statements

  • OPENIDM-11256: Backport OPENIDM-9329: Self-Service UI has requests in error since workflow.json was removed in default conf

  • OPENIDM-11259: Backport OPENIDM-9347: Separate workflow widget from notifications widget on enduser dashboard

  • OPENIDM-11354: Backport COMMONS-314 json-crypto: SimpleEncryptor symmetric no longer works with HSMs

Key Fixes in IDM
  • OPENIDM-10020: Backport OPENIDM-9219: Workflow service randomly not starting properly

  • OPENIDM-10286: Idle timeout for JWT authentication module is not working

  • OPENIDM-10394: Backport OPENIDM-10231: Unable to use read-only keystore

  • OPENIDM-10401: Backport OPENIDM-10137: unable to set manager property to nullable via UI

  • OPENIDM-10754: Backport OPENIDM-10733: Compensate hangs when downstream connector is offline

  • OPENIDM-10790: Backport OPENIDM-9102: Add workflow switch to system preferences

  • OPENIDM-10791: Backport OPENIDM-9198: Improve workflow switch in admin to handle situation where workflow.json file is not available

  • OPENIDM-10792: Backport OPENIDM-9274: Disable Activiti Workflow service by default unless specifically required by a sample

  • OPENIDM-10797: Backport OPENIDM-10051: Mapping not saving properly when trying to add a condition script and target property not displaying correctly

  • OPENIDM-10818: Backport OPENIDM-10708: ResourceException when external/rest receives HTTP 204 response

  • OPENIDM-10820: Backport OPENIDM-9554: Workflow Processes Completed have "Not Found Error" for managed/user

  • OPENIDM-10909: Backport OPENIDM-9797: Self-signed certificate used for HTTPS not in OpenIDM trust store anymore

  • OPENIDM-10971: Backport OPENIDM-6782: Password is re-encrypted during any managed object update/patch

  • OPENIDM-10972: Backport OPENIDM-9643: Separate the logic out for storing the 'lastSync' property out of the all-inclusive ManagedObjetSet#update

  • OPENIDM-11090: Backport OPENIDM-10411: With embedded DJ repo, truststore configuration does not fall back to using keystore configuration if no truststore is configured

  • OPENIDM-11095: Backport OPENIDM-9796: Add backend support to pass the task assignee _id to workflow/taskinstance/ endpoint

  • OPENIDM-11096: Backport OPENIDM-9738: selecting tasks assigned to manager1 results in 404

Key Fixes in IDM
  • OPENIDM-9880: User object relationships lost when using compensate script to handle failed delete

  • OPENIDM-10386: Backport OPENIDM-9940: onRetrieve script executed for managed attributes not returned by fields

  • OPENIDM-10387: Backport OPENIDM-10365: Temporal constraints on roles are not working anymore

Key Fixes in IDM
  • OPENIDM-9977: Backport OPENIDM-8543: Patch remove on a field succeeds but is not propagated to the target

  • OPENIDM-10019: Backport OPENIDM-8571: Provisioner should be able to retry connector that fails the startup "test"

  • OPENIDM-10029: Backport OPENIDM-9966: NullPointerException returned when creating a relationship using the source managed object's attribute within the URI and specifying a _fields parameter

  • OPENIDM-10030: Backport OPENIDM-9389: Scheduled scripts with file paths are saved incorrectly

  • OPENIDM-10046: Backport OPENIDM-9819: GenericLDAP Connector setup does not read remote LDAP schema irrespective of readSchema setting

  • OPENIDM-10047: Backport OPENIDM-9976: Self Service email validation link for Registration leads to blank page in Safari

  • OPENIDM-10060: Backport OPENIDM-9390: Various problems configuring scheduled scripts in the UI

  • OPENIDM-10102: Backport OPENIDM-9170: Role Members tab in role won't display if role has assignments

  • OPENIDM-10115: Backport OPENIDM-8201: Schedule is not saved when configured through the UI

  • OPENIDM-10192: Backport OPENIDM-10134: self service registration fails with cross-origin restrictions using safari

  • OPENIDM-10201: Backport OPENIDM-10135: manager field disappears when type is null

  • OPENIDM-10257: Backport OPENIDM-10220: Pressing Enter key after entering text in the attribute selector field for a role's condition submits form

  • OPENIDM-10275: Backport OPENIDM-10141: Adding an attribute to a 'The value for' condition causes it to be duplicated in the drop-down list

  • OPENIDM-10287: Backport OPENIDM-10205: Entered text is lost when using the attribute selector for a role's condition

  • OPENIDM-10288: Backport OPENIDM-10152: Roles condition queryFilter builder no longer shows all properties on managed/user

  • OPENIDM-10309: Backport OPENIDM-10126: Incomplete list of role members after condition query.

  • OPENIDM-10359: Backport OPENIDM-9412: In LDAP connector config page, not possible to remove Update User Filter

Key Fixes in IDM
  • OPENIDM-9679: Backport OPENIDM-9045 to Performance problem getting triggers for a scheduler job

  • OPENIDM-9680: Backport OPENIDM-9312 to Enhance configuration options for External Rest service

  • OPENIDM-9765: Backport OPENIDM-9207: recon creates incorrect links when using linkQualifiers

  • OPENIDM-9790: Backport OPENIDM-3330: inconsistent use of uidAttribute in Ldap Provisioner Config

  • OPENIDM-9801: Backport OPENIDM-5227: LDAP Connector search filters not persisted by the Admin UI

  • OPENIDM-9812: Backport OPENIDM-7315: Requests on relationship endpoints should not double-log managed object

  • OPENIDM-9852: Backport OPENIDM-9211: External REST service does not return error details from remote server

  • OPENIDM-9862: Backport OPENIDM-8543: Patch remove on a field succeeds but is not propagated to the target

  • OPENIDM-9883: Backport OPENIDM-9855: Trusted Attribute fails with multiple instances using different resources

  • OPENIDM-9896: Backport OPENIDM-9719: CORS headers returned to client with repeated values

  • OPENIDM-9897: Backport OPENIDM-9362: Managed.json does not contain all attributes within order array for default managed object types

  • OPENIDM-9898: Backport OPENIDM-7236: Update AD Powershell samples with new scripts

  • OPENIDM-9901: Backport OPENIDM-9217: Do not execute managed property's onRetrieve when returnByDefault is false

  • OPENIDM-9910: Backport OPENIDM-9286: install-service.bat has a broken classpath variable

Key Fixes in IDM 5.5.0
  • OPENIDM-9082: Some generic tables are missing foreign key constraints

  • OPENIDM-9042: KBA - Enforce choosing unique kba questions when editing profile

  • OPENIDM-9041: KBA Allowed for Inactive (Disabled) User Accounts

  • OPENIDM-8857: defaultMapping.js throws error during sync

  • OPENIDM-8856: Role grant conditions do not work on properties of any type other than string

  • OPENIDM-8834: SQL exception when running oracle script for repo

  • OPENIDM-8814: patchByQuery returns 500 error when matching more than 1 result

  • OPENIDM-8722: Patch Remove on Managed Object on property with null value is not removing the property

  • OPENIDM-8721: When reconSourceQueryPaging is false but a value is set for reconSourceQueryPageSize, only a result set up to the size of reconSourceQueryPageSize is reconciled

  • OPENIDM-8698: Direct Reports & Managers can be added to a Managed User multiple times

  • OPENIDM-8688: Untestable nullable encrypted attribute value

  • OPENIDM-8590: Managed users do not display in the Admin UI when some properties are not searchable and viewable

  • OPENIDM-8548: Links table searched with large query when performing reconById

  • OPENIDM-8427: Oracle audit purge scripts not working for empty excludeMapping

  • OPENIDM-8420: Self-Service page fails to load if no security questions are configured

  • OPENIDM-8392: Multiple passwords sample does not work as documented

  • OPENIDM-8328: Long form options no longer work with

  • OPENIDM-8288: Scheduler : NotFoundException when acquiring, releasing and firing triggers

  • OPENIDM-8287: Deleting a schedule leaves data in schedulerobjectproperties table (oracle repo)

  • OPENIDM-8276: ReconContext should generate its own Id and not inherit the RootContext Id

  • OPENIDM-8275: Adding boolean properties to a managed user not saved via Admin UI

  • OPENIDM-8256: Configure Forgerock Identity Provider does not use custom self-service relative URL

  • OPENIDM-8202: Unexpected behavior for null values in hashed fields

  • OPENIDM-8201: Schedule is not saved when configured through the UI

  • OPENIDM-8160: Remove schema owner from OracleDB update scripts

  • OPENIDM-8159: Upgrade failure cause should be reported without having to turn finest logging on

  • OPENIDM-8130: AD LDS provisioner has wrong attributes for groups

  • OPENIDM-8050: External IDM endpoint does not return response codes and errors

  • OPENIDM-8049: Self-signed cert not stored in truststore during initialization

  • OPENIDM-8043: Unable to initialize keystore and truststore when passwords are different

  • OPENIDM-8005: Error when enabling the csv audit handler for queries

  • OPENIDM-8004: Salesforce connector mapping page does not allow default values for certain properties

  • OPENIDM-7984: Full Stack sample: Unable to edit ForgeRock Identity Provider in Admin UI

  • OPENIDM-7980: A system object can be selected as a resource collection of a managed object

  • OPENIDM-7978: Full Stack sample: user is able to log in using admin page but appears to not be able

  • OPENIDM-7968: amAdmin doesn't work with fullStack (or full-stack) sample

  • OPENIDM-7960: Sample LDAP Provisioner Configs for AD/ AD LDS should align with LDAP Connector

  • OPENIDM-7951: Password policy cannot-contain-others not being evaluated during registration

  • OPENIDM-7803: Audit activity occurs for update even when before/after show no differences

  • OPENIDM-7731: UI needs to enforce only one of keyStoreHandlerName or combination of key store path plus keys store password is configured/saved

  • OPENIDM-7726: Unable to filter by '_id' attribute on Managed Objects in the UI

  • OPENIDM-7700: Core attributes can specify returnByDefault even though not applicable

  • OPENIDM-7660: Audit service fails to start with NPE when enabling CSV tamper prevention using keystore path and password

  • OPENIDM-7659: Updating the CSV audit event handler using the Admin UI may disable the handler

  • OPENIDM-7572: Incorrect link from Workflow Task to Managed User

  • OPENIDM-7564: REST and CREST samples have example-v1.json with incorrect configuration

  • OPENIDM-7561: UI not switching locale based on browser language setting

  • OPENIDM-7541: Query on Audit Logs with JSON as handler for queries fails with Exception

  • OPENIDM-7540: Query on Audit Log with query-all-ids returns full records when handler for queries is CSV

  • OPENIDM-7490: Synchronisation failure when assignment has no attributes

  • OPENIDM-7469: Absolute location with ".." in path is not recognized as non local during patch

  • OPENIDM-7445: Scripted REST (CREST) samples use _id in sync.json which is forbidden

  • OPENIDM-7441: OpenIDM does not throw an error on startup if the provisioner has an incorrect connectorRef

  • OPENIDM-7439: Filtering data for CSV connector in Admin UI fails with Internal Error

  • OPENIDM-7431: "purge-by-recon-number-of" query missing from default Oracle DB repo file

  • OPENIDM-7425: Managed User 'Has to match pattern:' field error in UI

  • OPENIDM-7422: Certain special characters do not display correctly in Provisioning Roles

  • OPENIDM-7398: Updates with scriptedcrest2dj sample broken

  • OPENIDM-7355: transaction-id is not propagated to external DJ resources

  • OPENIDM-7351: NullPointerException thrown by RepoJobStore.cleanupInstance()

  • OPENIDM-7344: After failed login with anonymous user, it is not possible to log with openidm-admin

  • OPENIDM-7337: Adding the same device to two users displays an incorrect error message

  • OPENIDM-7323: livesync ALL action on OpenICFProvisionerService should be fixed

  • OPENIDM-7315: Requests on relationship endpoints should not double-log managed object

  • OPENIDM-7296: Removing a policy in the behavior tab of the UI doesn't work

  • OPENIDM-7290: ConcurrentExecution gets turned on when updating schedule

  • OPENIDM-7223: Reconciliation always detects manager field as modified

  • OPENIDM-7176: Unexpected "Outbound email is disabled" message in User Registration when email is configured

  • OPENIDM-7163: Task Scanner does not pick up users in explicit mapping

  • OPENIDM-7158: Admin UI: Managed users properties not shown unless defined in managed.json schema

  • OPENIDM-7147: Reset button is not active when updating password of managed user with invalid values

  • OPENIDM-7141: Updating connector info provider failover settings is ignored

  • OPENIDM-7139: testConfig action validates an invalid config if a valid provisioner exists

  • OPENIDM-7095: 'Passwords do not match' message on Self Service UI

  • OPENIDM-6995: scriptedrest2dj sample SyncScript not updating sync token correctly

  • OPENIDM-6951: Self Service KBA: must hit update button twice

  • OPENIDM-6950: The length of mapping name is not properly checked

  • OPENIDM-6922: Social Identities Tab - state of toggles can be incorrect when attempting to unbind last provider

  • OPENIDM-6842: The after object in csv log contains wrong revision after user internal role is deleted

  • OPENIDM-6777: Internal Server Error providing empty '{}' value to "manager" property

  • OPENIDM-6757: Disabled OpenID Connect and oAuth modules still appear as options on login

  • OPENIDM-6678: 409 Conflict error occurs if user cancels social registration after logging into social idp

  • OPENIDM-6633: Port number not showing correctly in UI for LDAP connector

  • OPENIDM-6511: LiveSync schedules are not removed when a connector is deleted in the UI

  • OPENIDM-6316: Unable to specify attribute substitution in config via REST

  • OPENIDM-6156: Multi-valued mail attribute causes reconciliation to abort without accurately auditing the failure cause

  • OPENIDM-6072: Multiple answers to the same security question are possible

  • OPENIDM-5468: JDBC repo connection pool should retry until DB is available

  • OPENIDM-3894: Accessing admin/index.html#mapping/ extremely slow

  • OPENIDM-3845: A space in the "value" key of a PATCH replace request causes the replaced attribute to be removed

  • OPENIDM-3149: Custom Endpoint Example: object request.patchOperations is wrong for Groovy scripts

  • OPENIDM-3070: queryFilter over REST contains resultCount whilst openidm.query doesn't

  • OPENIDM-2016: Sync on unsupported object class with remote java connector returns 500 instead of 400

  • OPENIDM-1496: Sample provisioner files should not contain the _UID_ attribute in ObjectTypes

3.2. Limitations

  • There are no new known limitations in functionality in IDM



IDM has the following known limitations:

  • When upgrading from version to and then shutting down the system, IDM throws a harmless exception. After startup, IDM works correctly and no issues are observed.

    The following exception is thrown:

    -> shutdown
    -> Sep 12, 2018 3:41:47 PM org.forgerock.openidm.sync.impl.RepoReconProgressStatePersistence getReconIdsForPersistedReconState
    SEVERE: Exception caught obtaining recon ids for persisted recon state: Resource 'repo/reconprogressstate' not found
    org.forgerock.json.resource.NotFoundException: Resource 'repo/reconprogressstate' not found
    at org.forgerock.json.resource.Router.getBestMatch(

IDM 5.5.0

ForgeRock Identity Management 5.5 has the following known limitations:

  • The automated update process is not currently supported on Windows platforms.

  • When you add or edit a connector through the Admin UI, the list of required Base Connector Details is not necessarily accurate for your deployment. Some of these details might be required for specific deployment scenarios only. If you need a connector configuration where not all the Base Connector Details are required, you must create your connector configuration file over REST or by editing the provisioner file directly. For more information, see "Configuring Connectors" in the Integrator's Guide.

  • For OracleDB repositories, queries that use the queryFilter syntax do not work on CLOB columns in explicit tables.

  • A conditional GET request, with the If-Match request header, is not currently supported.

  • IDM provides an embedded workflow and business process engine based on Activiti and the Business Process Model and Notation (BPMN) 2.0 standard. As an embedded system, local integration is supported. Remote integration is not currently supported.

  • If you're using the OPENAM_SESSION module to help IDM work with ForgeRock Access Management software, modify the JWT_SESSION module to limit token lifetime to 5 seconds. For more information, see information on the OPENAM_SESSION Module in the Integrator's Guide and "Supported Session Module" in the Integrator's Guide.

  • You cannot use the UI to edit the CSV audit event handler formatting fields. If you need to change these parameters, change them directly in your project's conf/audit.json file.

  • The default DS repository does not support count queries. As such, the totalPagedResults and remainingPagedResults parameters are not supported with a DS repository.

3.3. Known Issues

The following important issues remained open at the time of this release:

  • There are no new known issues in this release.

  • OPENIDM-12660: OpenIDM Update via UI doesn't call resumeJobs

  • OPENIDM-11265: Unable to pause scheduler jobs with REST call

  • OPENIDM-11633: Backport OPENIDM-9454: With an explicit mapping in a MySQL repo, you cannot create a managed user with password longer than 13 characters

  • OPENIDM-11643: Exception could be thrown after update from to (full bits).

  • OPENIDM-11648: RuntimeException&Server Error is observed on full-stack example

  • OPENIDM-11649: UI error: Service unavailable after changes in Authentication/Session

  • OPENIDM-11680: Upgrade process to should contain removing of workflow.json file from conf

Known Issues in IDM
  • There are no known issues in this release.

IDM 5.5.0
  • OPENIDM-9409: stdDev has incorrect value 0 for all clustered recon metrics

  • OPENIDM-9342: Update process: update binaries frequently disappear from Update tab

  • OPENIDM-9286: install-service.bat has a broken classpath variable

  • OPENIDM-9201: Failure to send welcome email leads to user creation failure, inconsistent state

  • OPENIDM-9138: Unable to create user with virtual attribute defined when using explicit mappings

  • OPENIDM-9137: Update: 5.0 -> 5.5 Update UI Patch fails to include "Files to be Replaced"

  • OPENIDM-9081: WARNING about extensions directory not existing appears in felix console upon restart of IDM

  • OPENIDM-8839: enum values do not display in API Explorer

  • OPENIDM-8837: Deleting all KBA questions through the UI prevents user registration w/o visible Error Message

  • OPENIDM-8827: ScriptedCrest samples uses _id in sync.json which is forbidden

  • OPENIDM-8659: Property onRetrieve hook returns null even though value is absent

  • OPENIDM-8593: Lots of API Descriptor errors in the logs on startup

  • OPENIDM-8543: Patch remove on a field succeeds but is not propagated to the target

  • OPENIDM-8518: Not Found error when accessing a process instance via Admin UI

  • OPENIDM-8381: Recovery of scheduled jobs following cluster node failure does not work

  • OPENIDM-8295: Non-required single relationship properties should be nullable

  • OPENIDM-8196: Router.json - onResponse script's response object does not contain query result for query method

  • OPENIDM-8140: Mappings page: last recon timestamp not showing most recent

  • OPENIDM-8122: OpenIDM Cluster incorrectly shows ready and running

  • OPENIDM-8052: Cannot create a remote (.NET) connector through the UI

  • OPENIDM-8045: Creating a new managed object with unsupported characters causes an exception

  • OPENIDM-7947: With DJ as a repo, OpenIDM fails to start when using HSM

  • OPENIDM-7665: Admin UI mapping view returns HTTP 400 error

  • OPENIDM-7284: Create manager/reports relationship with POST or PUT work on managed/user/id/reports but fails on managed/user/id/manager

  • OPENIDM-5914: Role is still showing as assigned in effectiveRoles attribute on query-all output if role is unassigned via the admin UI

  • OPENIDM-5909: ScriptedSSH incorrect sample provisioner group members nativeName

  • OPENIDM-5907: ScriptedSSH search script unsupported filter cause timeout exception

  • OPENIDM-5900: ScriptedSSH ErrorCodes.groovy is not loaded

  • OPENIDM-5465: Performance Issue updating conditional role memberships

  • OPENIDM-4149: availableConnectors are not updated after remote ICF shut down

  • OPENIDM-3197: '%' character in object id of calls has to be encoded

  • OPENIDM-848: Conflicting behavior might be observed between the default fields set by the onCreate script and policy enforcement

Chapter 4. Compatibility

This chapter covers major and minor changes to existing functionality, as well as deprecated and removed functionality. You must read this chapter before you start a migration from a previous release.

4.1. Important Changes to Existing Functionality

Take the following changes into account when you update to IDM 5.5. These changes will have an impact on existing deployments. Adjust existing scripts and clients accordingly:

  • There are no new important changes in functionality in this release, other than bug fixes.


IDM 5.5.0

4.2. Deprecated Functionality

The following functionality is deprecated in ForgeRock Identity Management 5.5 and is likely to be removed in a future release.

  • No functionality has been deprecated in this release.


IDM 5.5.0
  • Support for the TLSv1.1 protocol has been deprecated and will be removed in a future release. For more information on the potential vulnerability, see CVE-2011-3389 from the National Vulnerability Database from the US National Institute of Standards and Technology.

    The default security protocol for IDM is TLSv1.2. Do not downgrade this protocol to TLSv1.1 unless necessary. For more information, see "Setting the TLS Version" in the Integrator's Guide.

  • The OPENAM_SESSION authentication module is deprecated and will be removed in a future release. If you are integrating IDM with ForgeRock Access Management (AM), you should use the OAUTH_CLIENT module instead.

  • The Active Directory (AD) .NET Connector is deprecated and support for its use in IDM will be removed in a future release.

    For simple Active Directory (and Active Directory LDS) deployments, the Generic LDAP Connector works better than the Active Directory connector, in most circumstances. For more information, see "Generic LDAP Connector" in the Connector Reference.

    For more complex Active Directory deployments, use the PowerShell Connector Toolkit, as described in "PowerShell Connector Toolkit" in the Connector Reference.

    Note that deprecating the AD Connector has no impact on the PowerShell connector, or on the .NET Connector Server.

  • When configuring connectors (see "Configuring Connectors" in the Integrator's Guide), you can set up nativeType property level extensions. The JAVA_TYPE_DATE extension is deprecated.

  • Support for a POST request with ?_action=patch is deprecated, when patching a specific resource. Support for a POST request with ?_action=patch is retained, when patching by query on a collection.

    Clients that do not support the regular PATCH verb should use the X-HTTP-Method-Override header instead.

    For example, the following POST request uses the X-HTTP-Method-Override header to patch user jdoe's entry:

    $ curl \
       --header "X-OpenIDM-Username: openidm-admin" \
       --header "X-OpenIDM-Password: openidm-admin" \
       --header "Content-Type: application/json" \
       --request POST \
       --header "X-HTTP-Method-Override: PATCH" \
       --data '[
         {
           "operation":"replace",
           "field":"/description",
           "value":"The new description for Jdoe"
         }
       ]' \
       "http://localhost:8080/openidm/managed/user/jdoe"

  • Support for the Security Management Service has been deprecated, and may be removed at the next release.

  • Support for a POST request with ?_action=sendEmail is deprecated, when sending an email with a REST call. Support for a POST request with ?_action=send is retained, on the /openidm/external/email endpoint. For an example of this REST call, see "Sending Mail Over REST" in the Integrator's Guide.

4.3. Removed Functionality

  • No features or functionality have been removed in this release.


IDM 5.5.0
  • Support for the RACF connector has been removed.

  • Support for the TLSv1.0 protocol has been removed. For more information, see the following PDF: Migrating from SSL and Early TLS from the PCI Security Standards Council.

    The default security protocol for IDM is TLSv1.2. Do not downgrade this protocol unless you have a specific need.

  • Support for Java 7 has been removed.

    Before you update to IDM 5.5, install a newer Java version and follow the instructions in "Java Prerequisites" in the Installation Guide.

  • The file no longer allows the use of the disableConfigSave property.

    If you use the disableConfigSave property, change it to enableConfigSave as described in "Disabling Automatic Configuration Updates" in the Integrator's Guide.

  • The XML file connector has been removed. If you need to connect to a custom XML data file, you should create your own scripted connector by using the Groovy connector toolkit. For more information, see "Groovy Connector Toolkit" in the Connector Reference.

  • The default internal IDM database, OrientDB, has been replaced with ForgeRock Directory Services (DS). For more information, see "Using the Default DS Repository" in the Installation Guide.

Chapter 5. How to Report Problems and Provide Feedback

If you have questions regarding ForgeRock Identity Management software that are not answered by the documentation, you can ask questions on the forum at

When requesting help with a problem, include the following information:

  • Description of the problem, including when the problem occurs and its impact on your operation

  • Description of the environment, including the following information:

    • Machine type

    • Operating system and version

    • Repository type and version

    • Java version

    • IDM release version

    • Any patches or other software that might be affecting the problem

  • Steps to reproduce the problem

  • Any relevant access and error logs, stack traces, or core dumps

Chapter 6. Documentation Updates

"Documentation Change Log" tracks important changes to the documentation:

Documentation Change Log
  • Added a restriction warning on the production use of the embedded workflow H2 database in the Integrator's Guide.

  • integer is a supported managed object type.

2020-07-18: Added a description for the maxTokenSize property of the IWA authentication module.

Added missing TOKEN authentication method and miscellaneous improvements to "SCIM Connector" in the Connector Reference.


Release of patch bundle release.


Updated the IDM Known Issues list in the release notes. For more information, see Known Issues in IDM


Release of patch bundle release.


Release of patch bundle release.


Revised the logging documentation to include security advice on logging levels. See "Specifying the Logging Level" in the Integrator's Guide and "Updating" in the Installation Guide.


Added information on restricting the maximum payload size in HTTP requests ("Restricting the HTTP Payload Size" in the Integrator's Guide).


Added a known issue to the release notes (see Known Issues in IDM


Added a list of connector dependencies for running connectors remotely (see "Installing Remote Connector Dependencies" in the Integrator's Guide).


Updated the instructions in "Configuring IDM For a Hardware Security Module (HSM) Device" in the Integrator's Guide to specify that symmetric keys must use an HMAC algorithm.


Release of maintenance release (see Key Fixes in IDM fixes).

The following documentation updates were made in this release:


Release of patch bundle release.

  • Updated the release notes.


Release of patch bundle release.

  • Updated the release notes.

  • Added a new note on upgrading from IDM to IDM 5.5. For more information, see "Updating from the CLI" in the Installation Guide.

  • Retitled the section, "Updating From IDM 5.5 to IDM" and moved it into a new section on how to apply patch releases. For more information, see "To Apply a Patch Release" in the Installation Guide.


Release of patch bundle release. Updated the release notes.


Added a workaround for the problem related to Quartz schedules and daylight savings time ("Schedules and Daylight Savings Time" in the Integrator's Guide).

Added a fix for OPENIDM-9600 (incorrect paths in the Connector Reference).

Appendix A. Release Levels and Interface Stability

This appendix includes ForgeRock definitions for product release levels and interface stability.

A.1. ForgeRock Product Release Levels

ForgeRock defines Major, Minor, Maintenance, and Patch product release levels. The release level is reflected in the version number. The release level tells you what sort of compatibility changes to expect.

Release Level Definitions
Release Label / Version Numbers / Characteristics


Major

Version: x[.0.0] (trailing 0s are optional)

  • Bring major new features, minor features, and bug fixes

  • Can include changes even to Stable interfaces

  • Can remove previously Deprecated functionality, and in rare cases remove Evolving functionality that has not been explicitly Deprecated

  • Include changes present in previous Minor and Maintenance releases


Minor

Version: x.y[.0] (trailing 0s are optional)

  • Bring minor features, and bug fixes

  • Can include backwards-compatible changes to Stable interfaces in the same Major release, and incompatible changes to Evolving interfaces

  • Can remove previously Deprecated functionality

  • Include changes present in previous Minor and Maintenance releases

Maintenance, Patch

Version: x.y.z[.p]

The optional .p reflects a Patch version.

  • Bring bug fixes

  • Are intended to be fully compatible with previous versions from the same Minor release

A.2. ForgeRock Product Interface Stability

ForgeRock products support many protocols, APIs, GUIs, and command-line interfaces. Some of these interfaces are standard and very stable. Others offer new functionality that is continuing to evolve.

ForgeRock acknowledges that you invest in these interfaces, and therefore must know when and how ForgeRock expects them to change. For that reason, ForgeRock defines interface stability labels and uses these definitions in ForgeRock products.

Interface Stability Definitions
Stability Label / Definition


Stable

This documented interface is expected to undergo backwards-compatible changes only for major releases. Changes may be announced at least one minor release before they take effect.


Evolving

This documented interface is continuing to evolve and so is expected to change, potentially in backwards-incompatible ways even in a minor release. Changes are documented at the time of product release.

While new protocols and APIs are still in the process of standardization, they are Evolving. This applies for example to recent Internet-Draft implementations, and also to newly developed functionality.


Deprecated

This interface is deprecated and likely to be removed in a future release. For previously stable interfaces, the change was likely announced in a previous release. Deprecated interfaces will be removed from ForgeRock products.


Removed

This interface was deprecated in a previous release and has now been removed from the product.

Technology Preview

Technology previews provide access to new features based on evolving technology that is not yet supported. Technology preview features may be functionally incomplete and the function as implemented is subject to change without notice. DO NOT DEPLOY A TECHNOLOGY PREVIEW INTO A PRODUCTION ENVIRONMENT.

Customers are encouraged to test drive the technology preview features in a non-production environment and are welcome to make comments and suggestions about the features in the associated forums.

ForgeRock does not guarantee that a technology preview feature will be present in future releases; the final complete version of the feature is liable to change between preview and the final version. Once a technology preview moves into the completed version, said feature will become part of the ForgeRock platform. Technology previews are provided on an “AS-IS” basis for evaluation purposes only and ForgeRock accepts no liability or obligations for the use thereof.


Internal/Undocumented

Internal and undocumented interfaces can change without notice. If you depend on one of these interfaces, contact ForgeRock support or email to discuss your needs.

Appendix B. Getting Support

For more information or resources about ForgeRock software and ForgeRock Support, see the following sections:

B.1. Accessing Documentation Online

ForgeRock publishes comprehensive documentation online:

  • The ForgeRock Knowledge Base offers a large and increasing number of up-to-date, practical articles that help you deploy and manage ForgeRock software.

    While many articles are visible to community members, ForgeRock customers have access to much more, including advanced information for customers using ForgeRock software in a mission-critical capacity.

  • ForgeRock product documentation, such as this document, aims to be technically accurate and complete with respect to the software documented. It is visible to everyone and covers all product features and examples of how to use them.

B.2. Using the Site

The site has links to source code for ForgeRock open source software, as well as links to the ForgeRock forums and technical blogs.

If you are a ForgeRock customer, raise a support ticket instead of using the forums. ForgeRock support professionals will get in touch to help you.

B.3. Getting Support and Contacting ForgeRock

ForgeRock provides support services, professional services, training through ForgeRock University, and partner services to assist you in setting up and maintaining your deployments. For a general overview of these services, see

ForgeRock has staff members around the globe who support our international customers and partners. For details on ForgeRock's support offering, including support plans and service level agreements (SLAs), visit
