ForgeRock maintenance releases contain a collection of fixes and minor RFEs that have been grouped together and released as part of our commitment to support our customers. For general information about ForgeRock's maintenance and patch releases, see Maintenance and Patch Availability Policy.
- IDM 7.0.2
- IDM 7.0.1
There are no new features in this release, only bug fixes.
- IDM 7.0.0
The DS and Active Directory password synchronization plugins now support the use of AM bearer tokens as an authentication method. For more information, see:
The latest version of the Active Directory Password Synchronization Plugin supports a new registry key that helps prevent infinite password update loops. For more information, see the registry key,
The latest version of the Active Directory Password Synchronization Plugin supports a new registry key to configure the maximum retry attempts for password changes. For more information, see the registry key,
The latest version of the Active Directory Password Synchronization Plugin supports a new registry key to configure a search filter to omit users/groups from password syncing. For more information, see the registry key,
You can now configure access rules over REST, at the endpoint openidm/config/access. In previous releases, access rules were configured in the access.js script. This script has been replaced by an access.json configuration file that performs the same function. For more information, see Protect REST Endpoints With Authorization and Access Control.
You can now create privilege dynamic filters for delegated administrators.
You can now configure the temporary storage file size for HTTP I/O requests.
You can use _queryFilter to directly filter expanded relationships from a collection, such as authzRoles. For more information, see "Filter Expanded Relationships".
By default, JWTs are now signed with deterministic Elliptic Curve Digital Signature Algorithm (ECDSA). In order to use this more secure signing method, you must install Bouncy Castle. If Bouncy Castle is unavailable or the key is incompatible, IDM falls back to normal ECDSA.
If you need to turn off the use of deterministic ECDSA, add the following line to
In previous releases, setting
groovy.exception.debug.info=true lets you gather comparable debug information for Groovy scripts.
IDM now supports the ability to specify the REST API version in HTTP calls and scripts. For more information, see REST API Versioning.
The following APIs have been updated in this release:
Version 2 of this endpoint adds a previousRunDate property to the output of REST calls on specific scheduled tasks.
Note that the action parameter on the scheduler endpoint was deprecated in Version 1 of the endpoint, and is not supported in Version 2.
IDM now supports using AM bearer tokens for authentication, with the rsFilter authentication module. Going forward, this is the only supported method for integrating AM and IDM. For more information, see "rsFilter".
Notifications of changes to managed objects are injected into a property in that object type. Previously, the name of this property was always _notifications. In this IDM release, you can customize the name of the notifications property. For more information, see "Configure Notifications".
The recon/assoc endpoint can be used to gather detailed information about the associations created between a source and a target object during a reconciliation. This endpoint requires the following tables and views to be added to your repository:
reconassocentryview. For instructions on updating your existing repositories to enable this feature, see "Upgrade an Existing Repository". For more information about recon association, see "Viewing Reconciliation Association Details".
A new endpoint has been added to self-service, which lets you get a percentage value of how complete a specified user's profile is. For more information, see "Viewing Profile Completeness".
By default, IDM now safelists fields that are safe to log. For more information, including the complete safelist, see "Use Policies to Filter Audit Data".
The in expression clause provides limited support for queries on singleton string properties. For more information, see "
In version 184.108.40.206 of the ICF framework, the framework disposes of idle connector instances in the connection pool (for poolable connectors such as the LDAP connector and the Database Table connector).
A connection pool cleaner thread now runs every minute and removes connections whose lastUsed time is larger than the
This behavior is an improvement on previous releases, where a connection that had been used and then returned to the connection pool remained there until the next connector operation. The previous behavior could result in several connections in the pool that were idle but still connected to the target resource.
This release lets you configure mappings in separate mapping files, instead of, or in addition to, one sync.json file. You cannot manage separate mapping configurations through the Admin UI. For more information, see Mapping Data Between Resources.
This release provides the ability to configure an infinite number of queued synchronization retries. For more information, see "Configure Queued Synchronization".
mat-icon has been added to the schema property of the managed object configuration. For more information, see "Managed Object Configuration".
Queries on explicit tables in JDBC now support long: in addition to the previously supported query parameters (strings,
ForgeRock issues security advisories in collaboration with our customers and the open source community to address any security vulnerabilities transparently and rapidly. ForgeRock's security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.
For details of all the security advisories across ForgeRock products, see Security Advisories in the Knowledge Base library.