ForgeRock maintenance releases contain a collection of fixes and minor RFEs that have been grouped together and released as part of our commitment to support our customers. For general information on ForgeRock's maintenance and patch releases, see Maintenance and Patch Availability Policy.
IDM 7.0.1 is the latest release targeted for IDM 7.0 deployments and can be downloaded from the ForgeRock Backstage website.
The release can be deployed as an initial deployment or updated from an existing 7.0.0 deployment. For information on updating from 7.0.0, see Update to a Maintenance Release.
ForgeRock strongly recommends that you update your IDM 7.0 deployment to IDM 7.0.1.
The release of ForgeRock Identity Management 7.0.0 software includes the following new features:
The DS and Active Directory password synchronization plugins now support the use of AM bearer tokens as an authentication method. For more information, see:
You can now configure access rules over REST, at the endpoint openidm/config/access. In previous releases, access rules were configured in the access.js script. This script has been replaced by an access.json configuration file that performs the same function. For more information, see Protect REST Endpoints With Authorization and Access Control.
You can now configure the temporary storage file size for HTTP I/O requests.
You can use _queryFilter to directly filter expanded relationships from a collection, such as authzRoles. For more information, see "Filter Expanded Relationships".
By default, JWTs are now signed with deterministic Elliptic Curve Digital Signature Algorithm (ECDSA). In order to use this more secure signing method, you must install Bouncy Castle. If Bouncy Castle is unavailable or the key is incompatible, IDM falls back to normal ECDSA.
If you need to turn off the use of deterministic ECDSA, add the following line to
In previous releases, setting
groovy.exception.debug.info=true enables you to gather comparable debug information for Groovy scripts.
IDM now supports the ability to specify the REST API version in HTTP calls and scripts. For more information, see REST API Versioning.
The following APIs have been updated in this release:
Version 2 of this endpoint adds a previousRunDate property to the output of REST calls on specific scheduled tasks.
Note that the action parameter on the scheduler endpoint was deprecated in Version 1 of the endpoint and is not supported in Version 2.
IDM now supports using AM bearer tokens for authentication, with the rsFilter authentication module. Going forward, this is the only supported method for integrating AM and IDM. For more information, see "rsFilter".
Notifications of changes to managed objects are injected into a property in that object type. Previously, the name of this property was always _notifications. In this IDM release, you can customize the name of the notifications property. For more information, see "Configure Notifications".
The recon/assoc endpoint can be used to gather detailed information about the associations created between a source and a target object during a reconciliation. This endpoint requires the following tables and views to be added to your repository:
reconassocentryview. For instructions on updating your existing repositories to enable this feature, see "Upgrade an Existing Repository". For more information about recon association, see "Viewing Reconciliation Association Details".
A new endpoint has been added to self-service, which lets you get a percentage value of how complete a specified user's profile is. For more information, see "Viewing Profile Completeness".
By default, IDM now safelists fields that are safe to log. For more information, including the complete safelist, see "Use Policies to Filter Audit Data".
The in expression clause provides limited support for queries on singleton string properties. For more information, see "In Expression Clause".
In version 184.108.40.206 of the ICF framework, the framework disposes of idle connector instances in the connection pool (for poolable connectors such as the LDAP connector and the Database Table connector).
A connection pool cleaner thread now runs every minute and removes connections whose lastUsed time is larger than the
This behavior is an improvement on previous releases, where a connection that had been used then returned to the connection pool remained there until the next connector operation. The previous behavior could result in several idle connections in the pool, still connected to the target resource. The next time the connector was used, ICF would attempt to use the existing connection in the pool. The pool manager would check the lastUsed time of the connection, which would be expired, and would then close that connection before creating a new one.
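The difference between the two pool behaviors described above can be seen in a small simulation. This is an added example, not ICF or IDM code: the Pool and Conn classes, the simulate function and the 120-second idle limit are assumptions made for illustration, and only the one-minute cleaner interval comes from the text.

```python
from dataclasses import dataclass
from typing import Optional

CLEANER_INTERVAL_S = 60   # from the page: the cleaner thread runs every minute
IDLE_TIMEOUT_S = 120      # assumed idle limit; the page does not give a value

@dataclass
class Conn:
    conn_id: int
    last_used: int
    closed_at: Optional[int] = None   # None means still connected to the target

class Pool:
    def __init__(self, cleaner_enabled):
        self.cleaner_enabled = cleaner_enabled
        self.idle = []      # returned to the pool, still open to the target
        self.created = []   # every connection ever opened

    def _expired(self, conn, now):
        return now - conn.last_used > IDLE_TIMEOUT_S

    def acquire(self, now):
        # Both behaviors: an expired pooled connection is closed at checkout
        # and a new one is created in its place.
        if self.idle:
            conn = self.idle.pop()
            if not self._expired(conn, now):
                return conn
            conn.closed_at = now
        conn = Conn(len(self.created), now)
        self.created.append(conn)
        return conn

    def release(self, conn, now):
        conn.last_used = now
        self.idle.append(conn)

    def clean(self, now):
        # New behavior only: the periodic sweep disposes of idle connections.
        if self.cleaner_enabled:
            for conn in [c for c in self.idle if self._expired(c, now)]:
                conn.closed_at = now
                self.idle.remove(conn)

def simulate(cleaner_enabled, quiet_until=3600):
    pool = Pool(cleaner_enabled)
    burst = [pool.acquire(0) for _ in range(3)]   # three concurrent operations
    for conn in burst:
        pool.release(conn, 5)
    for now in range(CLEANER_INTERVAL_S, quiet_until, CLEANER_INTERVAL_S):
        pool.clean(now)
    idle_before = len(pool.idle)    # idle but still connected after the quiet hour
    pool.acquire(quiet_until)       # the next connector operation
    return idle_before, len(pool.idle), [c.closed_at for c in burst]
```

simulate returns the number of idle connections still open just before the next operation, the number still open after it, and the time in seconds at which each of the three original connections was closed.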
This release lets you configure mappings in separate mapping files, instead of, or in addition to, one sync.json file. You cannot manage separate mapping configurations through the Admin UI. For more information, see Mapping Data Between Resources.
This release provides the ability to configure an infinite number of queued synchronization retries. For more information, see "Configure Queued Synchronization".
mat-icon has been added to the schema property of the managed object configuration. For more information, see "Managed Object Configuration".
Queries on explicit tables in JDBC now support long: in addition to the previously supported query parameters (strings,
ForgeRock issues security advisories in collaboration with our customers and the open source community to address any security vulnerabilities transparently and rapidly. ForgeRock's security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.
For details of all the security advisories across ForgeRock products, see Security Advisories in the Knowledge Base library.