What's New

Maintenance Releases

ForgeRock maintenance releases contain a collection of fixes and minor RFEs that have been grouped together and released as part of our commitment to support our customers. For general information on ForgeRock's maintenance and patch releases, see Maintenance and Patch Availability Policy.

  • IDM 7.0.1 is the latest release targeted for IDM 7.0 deployments and can be downloaded from the ForgeRock Backstage website.

    The release can be deployed as an initial deployment or updated from an existing 7.0.0 deployment. For information on updating from 7.0.0, see Update to a Maintenance Release.


    ForgeRock strongly recommends that you update your IDM 7.0 deployment to IDM 7.0.1.

New Features

The release of ForgeRock Identity Management 7.0.0 software includes the following new features:

The DS and Active Directory password synchronization plugins now support the use of AM bearer tokens as an authentication method. For more information, see:

You can now configure access rules over REST, at the endpoint openidm/config/access. In previous releases, access rules were configured in the access.js script. This script has been replaced by an access.json configuration file, that performs the same function. For more information, see Protect REST Endpoints With Authorization and Access Control.

You can now configure the temporary storage file size for HTTP I/O requests.

You can use _queryFilter to directly filter expanded relationships from a collection, such as authzRoles. For more information, see "Filter Expanded Relationships".

By default, JWTs are now signed with deterministic Elliptic Curve Digital Signature Algorithm (ECDSA). In order to use this more secure signing method, you must install Bouncy Castle. If Bouncy Castle is unavailable or the key is incompatible, IDM falls back to normal ECDSA.


If you need to turn off the use of deterministic ECDSA, add the following line to conf/system.properties:


In previous releases, setting javascript.exception.debug.info=true in the boot.properties file enabled additional debug information including line numbers and file names for JavaScript exceptions. In this release, setting groovy.exception.debug.info=true enables you to gather comparable debug information for Groovy scripts.

IDM now supports the ability to specify the REST API version in HTTP calls and scripts. For more information, see REST API Versioning.

The following APIs have been updated in this release:


Version 2 of this endpoint adds a previousRunDate property to the output of REST calls on specific scheduled tasks.

Version 2 also lets you trigger a scheduled task manually and pause and resume a scheduled task.

Note that the action parameter on the scheduler endpoint was deprecated in Version 1 of the endpoint and is not supported in Version 2.

IDM now supports using AM bearer tokens for authentication, with the rsFilter authentication module. Going forward, this is the only supported method for integrating AM and IDM. For more information, see "rsFilter".

Notifications of changes to managed objects are injected into a property in that object type. Previously, the name of this property was always _notifications. In this IDM release, you can customize the name of the notifications property. For more information, see "Configure Notifications".

The new recon/assoc endpoint can be used to gather detailed information about the associations created between a source and a target object during a reconciliation. This endpoint requires the following tables and views to be added to your repository: reconassoc, reconassocentry, and reconassocentryview. For instructions on updating your existing repositories to enable this feature, see "Upgrade an Existing Repository". For more information about recon association, see "Viewing Reconciliation Association Details".

A new endpoint has been added to self-service, which lets you get a percentage value of how complete a specified user's profile is. For more information, see "Viewing Profile Completeness".

By default, IDM now safelists fields that are safe to log. For more information, including the complete safelist, see "Use Policies to Filter Audit Data".

The in expression clause provides limited support for queries on singleton string properties. For more information, see "In Expression Clause".

In version of the ICF framework, the framework disposes of idle connector instances in the connection pool (for poolable connectors such as the LDAP connector and the Database Table connector).

A connection pool cleaner thread now runs every minute and removes connections whose lastUsed time is larger than the minEvictableIdleTimeMillis.

This behavior is an improvement on previous releases, where a connection that had been used then returned to the connection pool remained there until the next connector operation. The previous behavior could result in several idle connections in the pool, still connected to the target resource. The next time the connector was used, ICF would attempt to use the existing connection in the pool. The pool manager would check the lastUsed time of the connection, which would be expired, and would then close that connection before creating a new one.

This release lets you configure mappings in separate mapping files, instead of, or in addition to one sync.json file. You cannot manage separate mapping configurations through the Admin UI. For more information, see Mapping Data Between Resources.

This release provides the ability to configure an infinite number of queued synchronization retries. For more information, see "Configure Queued Synchronization".

mat-icon has been added to the schema property of the managed object configuration. For more information, see "Managed Object Configuration".

Queries on explicit tables in JDBC now support bool:, num:, and long: in addition the previously supported query parameters (strings, list:, and int:).

Security Advisories

ForgeRock issues security advisories in collaboration with our customers and the open source community to address any security vulnerabilities transparently and rapidly. ForgeRock's security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.

For details of all the security advisories across ForgeRock products, see Security Advisories in the Knowledge Base library.

Read a different version of :