Incompatible changes impact existing functionality and might have an effect on your migration from a previous release. Before you upgrade, review these lists and make the appropriate changes to your scripts and plugins.
Management of agent credentials
An encryption key in
agent.conf is used to decrypt credentials for the
When decryption failed in previous releases, sometimes the agent attempted to use the encrypted form of the password. From this release, the agent does not attempt to use the encrypted form of the password.
NGINX binaries renamed
NGINX binaries on Backstage have been renamed as follows:
Old name format:
New name format:
The following versions of OpenSSL are no longer supported:
|Operating systems||OpenSSL versions|
Regular expression pattern matching is platform-dependent.
IIS agents use Windows libraries and ECMAScript-compatible regular expressions. Adapt the regular expression settings for IIS agents to account for this change.
From Web Agent 5.8.1, when
Enable Fragment Redirect
true, the agent redirects the user back to the original resource using an
absolute URL. In previous Web Agent 5 versions, the agent redirects the user
using a relative URI.
Proxy rules that rely on fragment redirect to a relative URI, now result in a
redirect to a full URL. For example a redirect to
/a/b#c results in the final URL
Ordered rules that rely on matching a plain URL followed by fully qualified alternatives can result in the fully qualified alternatives matching first.
AM 5.x.x EOL
AM 5.x.x has reached Product End of Life and is no longer supported. For more information, refer to ForgeRock Product Support Lifecycle Policy | IG and Agents.
Error Logic for Login Time Out in Sessions
The fix for AMAGENTS-2717 changes the error logic that caused 403s to be seen on agent/cdsso-redirect or agent/custom-login-response when a user is redirected to authenticate, but then stays on the authentication page for longer than the default of 5 minutes.
This error could occur when a user logged out, was redirected for authentication by the agent, and then reopened the same browser the next day. Similarly, it could occur with a similar use case, on a mobile browser application.
Workarounds that were previously recommended, such as using non-default values for the following properties are no longer necessary or advised:
To prevent problems, remove such workarounds from your configuration. If you have not customized these properties, no change is required.