What's New

Maintenance Releases

ForgeRock maintenance releases contain a collection of fixes and minor RFEs that have been grouped together and released as part of our commitment to support our customers. For general information about ForgeRock's maintenance and patch releases, see Maintenance and Patch Availability Policy.

  • IDM 7.0.4 is the latest release targeted for IDM 7.0 deployments, and can be downloaded from the ForgeRock Download Center.

    The release can be deployed as an initial deployment or updated from an existing 7.0 deployment. For information on updating from 7.0, see Update to a Maintenance Release.

New Features

IDM 7.0.4

This release includes updates to ICF connectors and bug fixes.

IDM 7.0.3

There are no new features in this release, only bug fixes.

IDM 7.0.2

IDM 7.0.1

There are no new features in these releases, only bug fixes.

IDM 7.0.0

The DS and Active Directory password synchronization plugins now support the use of AM bearer tokens as an authentication method. For more information, see:

The latest version of the Active Directory password synchronization plugin uses UTC timestamps for logs.

The latest version of the Active Directory Password Synchronization Plugin supports a new registry key that helps prevent infinite password update loops. For more information, see the registry key, pwdChangeInterval.

The latest version of the Active Directory Password Synchronization Plugin supports a new registry key to configure the maximum retry attempts for password changes. For more information, see the registry key, maxFileRetry.

The latest version of the Active Directory Password Synchronization Plugin supports a new registry key to configure a search filter to omit users/groups from password syncing. For more information, see the registry key, userSearchFilterStrict.

You can now configure access rules over REST, at the endpoint openidm/config/access. In previous releases, access rules were configured in the access.js script. This script has been replaced by an access.json configuration file that performs the same function. For more information, see Protect REST Endpoints With Authorization and Access Control.
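As an added illustration (not IDM's own code and not its authorization engine), the following Python check reads a constructed access.json-style document and reports rules that expose write-capable methods to every role ("*"), which is the first thing a reviewer looks for after the move from a script to a declarative file. The rule shape (pattern, roles, methods, actions, optional customAuthz) follows the documented access.json format; the sample rules, the set of methods treated as write-capable, and the notion of "too permissive" are assumptions made for this example, not IDM defaults.

```python
"""Review helper for access.json-style authorization rules.

Added example, not IDM code. It parses the documented rule shape (pattern, roles,
methods, actions, optional customAuthz) and reports rules that grant write-capable
methods to every role ("*"). The sample document below is constructed for this example.
"""
import json

SAMPLE_ACCESS_JSON = """
{
  "configs": [
    {"pattern": "info/*", "roles": "*", "methods": "read", "actions": "*"},
    {"pattern": "authentication", "roles": "*", "methods": "action",
     "actions": "login,logout"},
    {"pattern": "config/*", "roles": "internal/role/openidm-admin",
     "methods": "*", "actions": "*"},
    {"pattern": "managed/user/*", "roles": "*", "methods": "read,update,patch",
     "actions": "*"}
  ]
}
"""

# Methods that change state. "action" counts as write-capable only when the rule
# also allows every action ("*"). These groupings are this example's assumption.
WRITE_METHODS = {"create", "update", "patch", "delete"}


def _as_set(value):
    """Normalise a comma-separated string or a list into a set of trimmed names."""
    if isinstance(value, str):
        return {item.strip() for item in value.split(",") if item.strip()}
    return {str(item).strip() for item in value}


def find_permissive_rules(access_json_text):
    """Return the rules that grant write-capable access to every role ("*")."""
    rules = json.loads(access_json_text)["configs"]
    findings = []
    for rule in rules:
        roles = _as_set(rule.get("roles", ""))
        if "*" not in roles:
            continue
        methods = _as_set(rule.get("methods", ""))
        actions = _as_set(rule.get("actions", ""))
        wide_open = "*" in methods
        state_changing = bool(methods & WRITE_METHODS)
        any_action = "action" in methods and "*" in actions
        if wide_open or state_changing or any_action:
            findings.append({
                "pattern": rule.get("pattern"),
                "methods": sorted(methods),
                # A customAuthz script narrows the rule further; record its presence so
                # the reviewer knows to read that script before deciding.
                "has_customAuthz": "customAuthz" in rule,
            })
    return findings


if __name__ == "__main__":
    for finding in find_permissive_rules(SAMPLE_ACCESS_JSON):
        print(finding)
```

Run against the real conf/access.json, the output is a short list of rules to justify one by one; a rule that appears here with has_customAuthz set to False is the one to look at first.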

You can now configure the temporary storage file size for HTTP I/O requests.

You can use _queryFilter to directly filter expanded relationships from a collection, such as authzRoles. For more information, see "Filter Expanded Relationships".

By default, JWTs are now signed with the deterministic Elliptic Curve Digital Signature Algorithm (ECDSA). This more secure signing method requires Bouncy Castle, which is included in the default IDM installation. If Bouncy Castle is unavailable or the key is incompatible, IDM falls back to standard (non-deterministic) ECDSA.


If you need to turn off the use of deterministic ECDSA, add the following line to conf/system.properties:


In previous releases, setting javascript.exception.debug.info=true in the boot.properties file enabled additional debug information, including line numbers and file names for JavaScript exceptions. In this release, setting groovy.exception.debug.info=true lets you gather comparable debug information for Groovy scripts.

IDM now supports the ability to specify the REST API version in HTTP calls and scripts. For more information, see REST API Versioning.

The following APIs have been updated in this release:


Version 2 of this endpoint adds a previousRunDate property to the output of REST calls on specific scheduled tasks.

Version 2 also lets you trigger a scheduled task manually and pause and resume a scheduled task.

Note that the action parameter on the scheduler endpoint was deprecated in Version 1 of the endpoint, and is not supported in Version 2.

IDM now supports using AM bearer tokens for authentication, with the rsFilter authentication module. Going forward, this is the only supported method for integrating AM and IDM. For more information, see "rsFilter".

Notifications of changes to managed objects are injected into a property in that object type. Previously, the name of this property was always _notifications. In this IDM release, you can customize the name of the notifications property. For more information, see Configure Notifications.

The new recon/assoc endpoint can be used to gather detailed information about the associations created between a source and a target object during a reconciliation. This endpoint requires the following tables and views to be added to your repository: reconassoc, reconassocentry, and reconassocentryview. For instructions on updating your existing repositories to enable this feature, see "Upgrade an Existing Repository". For more information about recon association, see "Viewing Reconciliation Association Details".

A new endpoint has been added to self-service, which lets you get a percentage value of how complete a specified user's profile is. For more information, see "Viewing Profile Completeness".

By default, IDM now safelists fields that are safe to log. For more information, including the complete safelist, see "Use Policies to Filter Audit Data".

The in expression clause provides limited support for queries on singleton string properties. For more information, see "In Expression Clause".

In version of the ICF framework, the framework disposes of idle connector instances in the connection pool (for poolable connectors such as the LDAP connector and the Database Table connector).

A connection pool cleaner thread now runs every minute and removes connections that have been idle (measured from their lastUsed time) for longer than minEvictableIdleTimeMillis.

This behavior is an improvement on previous releases, where a connection that had been used and then returned to the connection pool remained there until the next connector operation. The previous behavior could leave several idle connections in the pool that were still connected to the target resource.
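To make the eviction rule concrete, here is an added Python model of a pooled connector with a cleaner pass; it is an illustration written for this page, not ICF's pool implementation. The property name minEvictableIdleTimeMillis and the lastUsed timestamp come from the text above; the pool API, the injectable clock and the 30-second threshold used in simulate() are assumptions of the example.

```python
"""Idle-connection eviction as described for the ICF connection pool.

Added illustration, not ICF code. Connections record a lastUsed timestamp when they
are returned to the pool; a cleaner pass closes and drops any idle connection whose
idle time exceeds minEvictableIdleTimeMillis. A clock can be injected so the
behaviour is testable without sleeping.
"""
import threading
import time
from dataclasses import dataclass


@dataclass
class Connection:
    conn_id: int
    last_used: int            # milliseconds; set when the connection returns to the pool
    closed: bool = False

    def close(self):
        self.closed = True    # a real connector would disconnect from the target here


class ConnectionPool:
    def __init__(self, min_evictable_idle_time_millis, clock=None):
        self.min_evictable_idle_time_millis = min_evictable_idle_time_millis
        self._clock = clock or (lambda: int(time.time() * 1000))
        self._idle = []        # connections available for reuse, most recently returned last
        self._lock = threading.Lock()
        self._next_id = 0

    def acquire(self):
        """Reuse an idle connection if there is one, otherwise open a new one."""
        with self._lock:
            if self._idle:
                return self._idle.pop()
            self._next_id += 1
            return Connection(self._next_id, self._clock())

    def release(self, conn):
        """Return a connection to the pool and stamp its lastUsed time."""
        conn.last_used = self._clock()
        with self._lock:
            self._idle.append(conn)

    def evict_idle(self):
        """One cleaner pass: close and remove connections idle longer than the threshold."""
        now = self._clock()
        evicted, kept = [], []
        with self._lock:
            for conn in self._idle:
                if now - conn.last_used > self.min_evictable_idle_time_millis:
                    conn.close()
                    evicted.append(conn)
                else:
                    kept.append(conn)
            self._idle = kept
        return evicted

    def idle_count(self):
        with self._lock:
            return len(self._idle)

    def start_cleaner(self, interval_seconds=60):
        """Run evict_idle() periodically on a daemon thread (every minute, as in the text)."""
        stop = threading.Event()

        def loop():
            while not stop.wait(interval_seconds):
                self.evict_idle()

        threading.Thread(target=loop, daemon=True).start()
        return stop              # call stop.set() to end the cleaner


class FakeClock:
    """Manually advanced millisecond clock for a deterministic demonstration."""
    def __init__(self):
        self.now = 0

    def __call__(self):
        return self.now


def simulate():
    """Returns (evicted at 20 s, evicted at 45 s, idle connections left)."""
    clock = FakeClock()
    pool = ConnectionPool(min_evictable_idle_time_millis=30_000, clock=clock)
    conns = [pool.acquire() for _ in range(3)]
    for conn in conns:
        pool.release(conn)               # three connections idle since t = 0
    clock.now = 20_000
    first_pass = pool.evict_idle()       # nothing has been idle for more than 30 s yet
    reused = pool.acquire()              # one connection is used again ...
    pool.release(reused)                 # ... and returned at t = 20 s
    clock.now = 45_000
    second_pass = pool.evict_idle()      # two idle since t = 0 (45 s) go; the t = 20 s one stays
    return len(first_pass), len(second_pass), pool.idle_count()


if __name__ == "__main__":
    print(simulate())   # (0, 2, 1)
```

The point the simulation makes is the one the release note describes: after the cleaner pass, only the connection that was actually reused stays open to the target resource, instead of all three lingering until the next connector operation.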

This release lets you configure mappings in separate mapping files, instead of, or in addition to, a single sync.json file. You cannot manage separate mapping configurations through the Admin UI. For more information, see Mapping Data Between Resources.

This release provides the ability to configure an infinite number of queued synchronization retries. For more information, see "Configure Queued Synchronization".

mat-icon has been added to the schema property of the managed object configuration. For more information, see "Managed Object Configuration".

Queries on explicit tables in JDBC now support the bool:, num:, and long: query parameter types, in addition to the previously supported types (strings, list:, and int:).

The following content was added to the default config.properties file:

# The name of the PersistenceManager to be used by the framework
# when persisting component configurations.

Security Advisories

ForgeRock issues security advisories in collaboration with our customers and the open source community to address any security vulnerabilities transparently and rapidly. ForgeRock's security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.

For details of all the security advisories across ForgeRock products, see Security Advisories in the Knowledge Base library.
