The following changes are listed in OpenAM 12.0.4:

• OAuth 2.0 tokeninfo endpoint changed. The OAuth 2.0 tokeninfo endpoint now returns the client_id in the response.

• SAML status codes proxied to Service Providers. The OpenAM IdP proxy implementation now proxies SAML status codes that were received from the remote IdP over to the SPs.

• SAML v2.0 Bearer Assertion Profile changes. Fixes made to support SAML assertions that do not include a KeyInfo element mean the following additional checks are also performed:

  • The issuer of the assertion must be configured as a remote IdP.

  • The audience of the assertion must be configured as a hosted SP.

  • The hosted SP and the remote IdP must be in the same Circle Of Trust.

• The OAuth 2.0 SAML grant assertion parameter must now be Base64 URL encoded.. For more information, see Using SAML Assertions as Authorization Grants in RFC 7522.

• New csrf parameter required by the /oauth2/authorize endpoint. The /oauth2/authorize endpoint requires a new csrf parameter. The value of the parameter duplicates the contents of the iPlanetDirectoryPro cookie, which contains the SSO token of the resource owner giving consent.

  For example:

  $ curl \
   --request POST \
   --header  "Content-Type: application/x-www-form-urlencoded" \
   --Cookie "iPlanetDirectoryPro=AQIC5w...*" \
   --data "redirect_uri=http://www.example.net" \
   --data "scope=profile" \
   --data "response_type=code" \
   --data "client_id=myClient" \
   --data "csrf=AQIC5w...*" \
   --data "decision=allow" \
   --data "save_consent=on" \
   "http://openam.example.com:8080/openam/oauth2/authorize?response_type=code&client_id=myClient"\
   "&realm=/&scope=profile&redirect_uri=http://www.example.net"

  Duplicating the cookie value helps prevent Cross-Site Request Forgery (CSRF) attacks.

  Important

  If you are updating from version 12.0, 12.0.1, 12.0.2, or 12.0.3 to version 12.0.4 or 13.x, you will need to update your code to include the csrf parameter when sending REST requests to the /oauth2/authorize endpoint.

• New property required by persistent cookie authentication modules. For each persistent cookie authentication module instance in your configuration, you must set the newly introduced openam-auth-persistent-cookie-hmac-key property.

  The value can be generated with the following command:

  $ openssl rand -base64 32

  Existing ssoadm scripts to configure the persistent cookie authentication module will need to be updated due to this change.

  Use an ssoadm command similar to the following to update authentication module instances:

  $ openam/bin/ssoadm update-auth-instance --realm / --name pcookie --adminid amadmin --password-file .pass --attributevalues openam-auth-persistent-cookie-hmac-key=$(openssl rand -base64 32)

• Updated Embedded OpenDJ. The embedded OpenDJ server has been updated to version 2.6.4, replacing the previous 2.6.1.

• .NET Fedlet Documentation Moved: The .NET Fedlet documentation is now a KB article available to ForgeRock customers.

The following changes are listed in OpenAM 12.0.3:

• Changes to SAML 2.0 NameID Persistence. OpenAM's SAML 2.0 account management and NameID persistence logic has been updated to work better with non-persistent NameID formats.

  The NameID persistence logic is summarized as follows:

  
      Persistent NameID           -> NameID MUST be stored
      Transient NameID            -> NameID MUST NOT be stored
      Ignored user profile mode -> NameID CANNOT be stored (fails if used in
      combination with persistent NameID-Format)
      For any other case          -> NameID MAY be stored based on customizable logic
     

  The following changes have been made on the identity provider side:

  • New Setting: idpDisableNameIDPersistence. OpenAM now provides a new setting, idpDisableNameIDPersistence, which disables the storage of the NameID values for all NameIDs issued by that IdP instance, as long as the NameID-Format is anything but urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.

  • SP's spDoNotWriteFederationInfo Repurposed. The SP's spDoNotWriteFederationInfo setting has been repurposed. It no longer is specific to unspecified NameID-Formats. Now, it affects all non-persistent NameID-Formats, similar to the idpDisableNameIDPersistence setting in the IdP configuration.

  • NameID Lookup Changes. The NameID lookup mechanism has been modified, so that it only tries to look up existing NameID values for the user if the NameID is actually persisted for the corresponding NameID-Format.

  • New Method in the IDPAccountMapper Interface. The IDPAccountMapper interface has been extended with the following new method:

    /**
          * Tells whether the provided NameID-Format should be persisted in the user data
          *       store or not.
          *
          * @param realm The hosted IdP's realm.
          * @param hostEntityID The hosted IdP's entityID.
          * @param remoteEntityID The remote SP's entityID.
          * @param nameIDFormat The non-transient, non-persistent NameID-Format in question.
          * @return true if the provided NameID-Format should be persisted
          *       in the user data store, false otherwise.
          */
          public boolean shouldPersistNameIDFormat(String realm, String hostEntityID,
          String remoteEntityID,String nameIDFormat);

    The default implementation of shouldPersistNameIDFormat in DefaultIDPAccountMapper first checks whether idpDisableNameIDPersistence is enabled in the hosted IdP configuration. If idpDisableNameIDPersistence is disabled, the logic advances and accesses the remote SP's spDoNotWriteFederationInfo flag.

  The following changes have been made on the service provider side:

  • Changes to SPAccountMapper. The SPAccountMapper implementations now no longer need to perform reverse lookups using the received NameID value. The SPACSUtils now performs the reverse lookup if the NameID-Format should be persisted. This change was made to ensure that NameID values are only persisted in the data store if they have not been stored there previously.

  • SP's spDoNotWriteFederationInfo Repurposed. The SP's spDoNotWriteFederationInfo setting has been repurposed. It no longer is specific to unspecified NameID-Formats. It affects all non-persistent NameID-Formats.

  • New Method in the SPAccountMapper Interface. The SPAccountMapper interface has been extended with the following new method:

    /**
          * Tells whether the provided NameID-Format should be persisted in the user data
          *       store or not.
          *
          * @param realm The hosted SP's realm.
          * @param hostEntityID The hosted SP's entityID.
          * @param remoteEntityID The remote IdP's entityID.
          * @param nameIDFormat The non-transient, non-persistent NameID-Format in question.
          * @return true if the provided NameID-Format should be persisted
          *       in the user data store, false otherwise.
          */
          public boolean shouldPersistNameIDFormat(String realm, String hostEntityID,
          String remoteEntityID, String nameIDFormat);
         

    The default implementation of shouldPersistNameIDFormat in DefaultLibrarySPAccountMapper checks whether spDoNotWriteFederationInfo is enabled in the hosted SP configuration.

  For more information, see OPENAM-6021.

• OAuth v2.0 Token Administration Endpoint No Longer Lists All Tokens. When querying the /frrest/oauth2/token REST endpoint as an admin user, the _queryId must contain userName=username. The OAuth v2.0 Token Administration endpoint no longer retrieves all tokens if the SSOTokenID for the OpenAM superuser is passed. This feature was found to be a potential problem if you had a very large number of tokens in the system. For information, see OPENAM-5847.

The following changes are listed in OpenAM 12.0.2:

• OAuth2 Tokeninfo Endpoint is No Longer Realm-Specific. Requests made to the /oauth2/tokeninfo endpoint no longer need to specify the realm the provided OAuth2 access token belongs to.

  For more information, see OPENAM-6534.

These changes are new in OpenAM 12.0.1:

• Agent Group Membership Now Stored in Agent Profile. Agent group membership information is now stored as part of the agent profile using the agentgroup attribute. You can assign an agent to a group by simply setting the agentgroup property upon creation. You can also use the ssoadm show-agent command to return the group membership detail in the agentgroup attribute. Note that the existing ssoadm commands (for example, add-agent-to-grp and remove-agent-from-grp) are still the preferred methods for managing group membership information.

  During upgrade, agent profiles will be automatically upgraded to use the new agentgroup attribute to store the group's name.

  For more information, see OPENAM-718.

• Updated weblogic.xml for WebLogic. When running OpenAM on WebLogic 11g, you must add a WebLogic-specific descriptor file, WEB-INF/weblogic.xml in the .war before deployment. The descriptor file maps resources defined for OpenAM in WebLogic deployments.

  An example weblogic.xml file is presented below:

  <?xml version="1.0" encoding="UTF-8"?>
  <weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://xmlns.oracle.com/weblogic/weblogic-web-app
      http://xmlns.oracle.com/weblogic/weblogic-web-app/1.3/weblogic-web-app.xsd">
  
      <context-root>/openam</context-root>
      <container-descriptor>
         <prefer-application-packages>
  
            <!-- Use bundled Jersey library -->
            <package-name>com.sun.jersey.*</package-name>
            <package-name>com.sun.research.ws.wadl.*</package-name>
            <package-name>com.sun.ws.rs.ext.*</package-name>
  
            <!-- Rhino -->
            <package-name>org.mozilla.javascript.*</package-name>
  
            <package-name>org.apache.commons.lang.*</package-name>
         </prefer-application-packages>
      </container-descriptor>
  </weblogic-web-app>
     

  For more information see, OPENAM-3333.

• AD/LDAP/RADIUS Authentication Modules Allow More Than One Primary/Secondary Server. The Active Directory, LDAP, and RADIUS authentication modules now allow one or more servers to be designated as primary or secondary servers.

  When authenticating users from a directory server that is remote to OpenAM, set the primary server values, and optionally, the secondary server values. Primary servers have priority over secondary servers.

  ssoadm attributes are: primary is iplanet-am-auth-ldap-server; secondary is iplanet-am-auth-ldap-server2.

  Both properties take more than one value; thus, allowing more than one primary or secondary remote server, respectively. Assuming a multi-data center environment, OpenAM determines priority within the primary and secondary remote servers, respectively, as follows:

  • Every LDAP server that is mapped to the current OpenAM instance has highest priority.

    For example, if you are connected to openam1.example.com and ldap1.example.com is mapped to that OpenAM instance, then OpenAM uses ldap1.example.com.

  • Every LDAP server that was not specifically mapped to a given OpenAM instance has the next highest priority.

    For example, if you have another LDAP server, ldap2.example.com, that is not connected to a specific OpenAM server and if ldap1.example.com is unavailable, OpenAM connects to the next highest priority LDAP server, ldap2.example.com.

  • LDAP servers that are mapped to different OpenAM instances have the lowest priority.

    For example, if ldap3.example.com is connected to openam3.example.com and ldap1.example.com and ldap2.example.com are unavailable, then openam1.example.com connects to ldap3.example.com.

  For more information, see OPENAM-3575.

• StartTLS Support for Directory Server-Based Data Stores. You can now use StartTLS to initiate secure connections to directory server-based data stores. A new property, sun-idrepo-ldapv3-config-connection-mode, has been created and has possible values of LDAP, LDAPS, and StartTLS to enable this feature.

  The sun-idrepo-ldapv3-config-connection-mode property replaces sun-idrepo-ldapv3-config-ssl-enabled, which has been removed from the configuration schema (sunIdentityRepositoryService).

  OpenAM automatically updates the sun-idrepo-ldapv3-config-ssl-enabled property to the sun-idrepo-ldapv3-config-connection-mode property when you upgrade. To enable StartTLS, set the sun-idrepo-ldapv3-config-connection-mode property to StartTLS. You will also need to update existing ssoadm scripts to use the new sun-idrepo-ldapv3-config-connection-mode property.

  For more information, see OPENAM-3714.

• Move of OAuth 2.0 Well-Known Endpoints. The well-known endpoints have been moved from /openam/.well-known to /openam/oauth2/.well-known.

  For more information, see OPENAM-4333.

• StartTLS Support for AD/LDAP Authentication Modules. You can now use StartTLS with the Active Directory and LDAP authentication modules to secure OpenAM's connection to the data stores. A new property, openam-auth-ldap-connection-mode, has been created with the possible values of LDAP, LDAPS, and StartTLS to enable this feature.

  The openam-auth-ldap-connection-mode property replaces the iplanet-am-auth-ldap-ssl-enabled property, which has been removed from the configuration schema (sunAMAuthADService and iPlanetAMAuthLDAPService).

  OpenAM automatically updates the iplanet-am-auth-ldap-ssl-enabled property to the openam-auth-ldap-connection-mode property when you upgrade. You must manually set the value of the openam-auth-ldap-connection-mode to StartTLS to initiate a StartTLS connection to the data store. You will also need to update existing ssoadm scripts to use the new openam-auth-ldap-connection-mode property.

  For more information, see OPENAM-5097.

• AD Authentication Module Now Provides iplanet-am-auth-ldap-ssl-trust-all. The iplanet-am-auth-ldap-ssl-trust-all property in the Active Directory authentication module enables the X509TrustManager to trust all certificates when the Active Directory authentication module connects to AD servers protected by self-signed or invalid (for example, invalid hostnames) certificates.

  Caution: Use this property with care as it bypasses the normal certificate verification process.

  For more information, see OPENAM-5460.

• Addional JVM Properties for WebSphere Installs. OpenAM 12.0.1 requires an updated step when running OpenAM on WebSphere. The JVM settings require additional properties to be set.

  -DamCryptoDescriptor.provider=IBMJCE
  -DamKeyGenDescriptor.provider=IBMJCE
  -Djavax.xml.parsers.DocumentBuilderFactory=org.apache.xerces.jaxp.DocumentBuilderFactoryImpl
  -Djavax.xml.parsers.SAXParserFactory=org.apache.xerces.jaxp.SAXParserFactoryImpl
     

  Run the following procedures to set up the JVM properties on WebSphere. Note that these steps were run on WebSphere 8.5 on a Windows platform:

  1. Log in to the WebSphere console.

  2. In the left pane, expand Servers.

  3. Expand Server Types.

  4. Click WebSphere application servers.

  5. In the right pane, click on the server name.

  6. In the Server infrastructure section, expand Java and Process Management.

  7. Click Process definition.

  8. In the Advanced properties section, click Java Virtual Machine.

  9. In the Generic JVM arguments text field, add the JVM properties.

  10. Save the configuration.

  For more information, see OPENAM-6109.

• OAuth2 Scopes Behavior Affected By Upgrade. After an upgrade, OAuth 2.0 scope behavior uses a deprecated implementation class, org.forgerock.openam.oauth2.provider.impl.ScopeImpl.

  The workaround is to manually update the OAuth 2.0 providers to use the org.forgerock.openam.oauth2.OpenAMScopeValidator.

  For background information, see OPENAM-6319.

• All OpenAM core server, tools, and agent installers now display a software license acceptance screen prior to configuration. You must agree to the license to continue the configuration.

  For users implementing scripted or silent installs, the installers and upgrader tools provide a --acceptLicense command-line option, indicating that you have read and accepted the terms of the license. If the option is not present on the command-line invocation, the installer or upgrader will interactively present a license agreement screen to the user.

• When you visit the Policies tab for a realm in OpenAM console, OpenAM now directs you to the new policy editor. For instructions on using the new policy editor, see the Administration Guide chapter, Defining Authorization Policies in the Administration Guide. Notice that policies now belong to applications as described in that chapter.

  OpenAM has changed its internal representation for policies to better fit the underlying implementation, which is based on a new engine designed for higher performance and finer grained policies. When you upgrade to this version, OpenAM migrates your policies to the new representation.

  Depending on your existing policies before upgrade, you can see the following differences:

  • Existing policies with multiple resource rules map to multiple new policies.

    When a single policy maps to multiple policies during migration, OpenAM appends a number to the existing name for each new policy. This allows you to recognize the set of policies when you must manage them together, for example to change them all in the same way.

    This behavior is to optimize policy evaluation performance. The newer policy engine matches resources to policies during evaluation with indexing that proves very efficient as long as each policy specifies one resource pattern. OpenAM processes the list of resources in policies in linear fashion, so long lists of resources can slow policy evaluation.

  • Conditions in existing policies map to newer representations.

    New representations exist for all existing conditions provided in OpenAM out of the box. Custom conditions developed for your deployment do not map to any of the newer conditions provided. In that case you must implement your custom conditions by implementing the newer service provider interfaces, and then replace your existing policies to use them.

    To see how to implement a custom policy plugin, see the Developer's Guide chapter, Customizing Policy Evaluation in the Developer's Guide.

  • When OpenAM encounters issues migrating policies during upgrade, it writes messages about the problems in the upgrade log. When you open a policy in the policy editor that caused problems during the upgrade process the policy editor shows the issues, but does not let you fix them directly. Instead you must create equivalent, corrected policies in order to use them in OpenAM.

  • It is strongly recommended not to use the forward slash character in policy names. Users running OpenAM servers on Tomcat and JBoss web containers will not be able to manipulate policies with the forward slash character in their names without setting the ‑Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true argument in the CATALINA_OPTS environment variable before starting the OpenAM web container.

    It is also strongly recommended not to enable the ALLOW_ENCODED_SLASH=true setting while running OpenAM in production. Using this option introduces a security risk. See Apache Tomcat 6.x Vulnerabilities and the related CVE for more information.

    If you have policy names with forward slashes after migration to OpenAM 12, rename the policies so that they do not have forward slashes. Perform the following steps if you use Tomcat or JBoss as your OpenAM web container:

    1. Stop the OpenAM web container.

    2. Add the ‑Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true setting to the CATALINA_OPTS environment variable.

    3. Restart the OpenAM web container.

    4. Rename any policies with forward slashes in their names.

    5. Stop the OpenAM web container.

    6. Remove the ‑Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true setting from the CATALINA_OPTS environment variable.

    7. Restart the OpenAM web container.

  OpenAM configuration has changed in several ways to accommodate the changes to the way policies are managed:

  • The Policy Configuration Service is simplified. For details see the Reference section, Policy Configuration in the Reference.

  • OpenAM now requires policy referrals only when an application is administered across multiple realms, as can be the case when one policy agent protects multiple applications. Otherwise, OpenAM can use new settings in policy agent profiles to direct policy agent requests to the appropriate realm and application.

    Note

    Referrals are not shown by default in the policy editor. To enable them, in the OpenAM console, select Configuration > Global > Policy Configuration, set Activate Referrals to Enabled, and then click Save.

    The web and Java EE policy agent profiles includes the new settings under OpenAM Services > Policy Client Service in OpenAM console. These new settings allow you to set the realm and application for a policy agent. The settings are compatible with existing policy agents, as they are not used by the policy agents themselves, but instead by OpenAM when handling policy agent requests.

  The fix for OPENAM-3509 ensures that OpenAM considers a trailing slash as part of the resource name to match. This improves compatibility between self and subtree modes, and compatibility with older policy agents.

• The Device ID (Match), HMAC One-Time Password (HOTP), and Device ID (Save) modules, configured together in an authentication chain, provide the same functionality as the Device Print Authentication module that is present in OpenAM 11.x versions.

  The Device Print authentication module is only available for OpenAM 11.x versions and their upgrades. If you have upgraded from OpenAM 11.x to OpenAM 12.0 you can still use the Device Print module, customize it, and create new instances of the module or use the Device ID (Match) and Device ID (Save) modules.

  Important

  The Device ID (Match) profiles (that is, device fingerprints) are incompatible with profiles created from the Device Print authentication module. If the user has existing device print profiles, created from the Device Print authentication module, these old profiles will always fail to match the client's new device profiles using the scripted Device ID (Match) module even when using the same device.

  With the Device ID (Match) and Device ID (Save) modules, the user must re-save each device profile, which deletes the old 11.x profiles stored for the user.

• As part of a fix for OpenID Connect ID Token signing, the password storage format for OAuth 2.0 clients has changed. As a result you must reset OAuth 2.0 client passwords after upgrade. For details, see the Upgrade Guide procedure To Complete Upgrade from OpenAM 11.0 in the Upgrade Guide

• Following a change to the SAML 2.0 pages in OpenAM, you no longer customize saml2login.template and saml2loginwithrelay.template to add a progress bar for single sign on. Instead, customize saml2/jsp/autosubmitaccessrights.jsp as described in the procedure, To Indicate Progress During SSO in the Administration Guide.

• Changing passwords by using a PUT REST API call is no longer supported.

  Use a POST request to /json/subrealm/users/username?_action=changePassword to change a password.

• The response returned when submitting incorrect credentials to /json/authenticate has changed as follows:

  • OpenAM 11.0.1

    {
          "errorMessage": "Authentication Failed!!",
          "failureUrl": "https://openam.example.com:8443"
    }

  • OpenAM 12.0.0

    {
          "code": 401,
          "reason": "Unauthorized",
          "message": "Authentication Failed!!",
          "detail": {
             "failureUrl": "https://openam.example.com:8443"
          }
    }

• When running OpenAM on WebLogic 11g, you must add a WebLogic-specific descriptor file, WEB-INF/weblogic.xml to the .war before deployment.

• In the OpenID Connect 1.0 module you can map local user profile attributes to OpenID Connect Token claims, allowing the module to retrieve the user profile based on the ID Token. The key is the ID Token field name and value is the local user profile attribute name. The default has been changed as follows: mail=email, uid=sub. (OPENAM-5263)

• The class hierarchy for the ResourceName interfaces has changed. Previous implementations should be source-compatible, but will not be binary-compatible, and will need recompiling.

• The OAuth2 provider uses RSA as its default encryption algorithm. The default OAuth2 client agent configuration has been changed to RS256 to match the OAuth2 provider algorithm. The client agent continues to support HMAC algorithms; only the default encryption algorithm has been changed to support out-of-the-box functionality. (OPENAM-5279)

• The distributed authentication service (DAS) and cross-domain single sign-on (CDSSO) do not support the iPSPCookie/DProPCookie query string parameter to set a DProPCookie in the user-agent as a mechanism for cookie persistence. Neither DAS nor CDSSO retains iPSPCookie=yes.

• Updates to OAuth 2.0 and OpenID Connect authentication modules mean that any custom implementations of org.forgerock.openam.authentication.modules.oauth2.AccountMapper or org.forgerock.openam.authentication.modules.oauth2.AttributeMapper no longer work, and needs to be reimplemented against org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper and/or org.forgerock.openam.authentication.modules.common.mapping.AccountProvider as appropriate.

• The XUI, now the default for end-user pages, handles DNS/realm alias differently from the classic UI, which was the default in previous OpenAM versions. With the classic UI, the realm alias is specified both in the host name and the URI path. With the XUI, the host name alone specifies the realm. The XUI evaluates a realm specified in the path of the URL as a subrealm of the realm specified by the host name alias.

  For example, with the classic UI, you could authenticate to a realm, realm1 using the DNS alias realm1.example.com:8080 and the realm query parameter, realm=realm1, as follows:

  http://realm1.example.com:8080/openam/UI/Login?realm=realm1
     

  With XUI, you do not include a realm in the URI if it has already been mapped as now any URI realm is additive and specifies a subrealm of the DNS alias realm. For example, using the following URL indicates that you are attempting to authenticate to /realm1/realm1 (that is, the sub-realm, realm1 under the realm, realm1).

  http://realm1.example.com:8080/openam/XUI/#Login/realm1
     

  As another example, if you have a sub-realm called test under /realm1 and make a request to:

  http://realm1.example.com:8080/openam/XUI/#Login/test
     

  The request authenticates to /realm1/test. Note also that the use of URI realm is preferred over realm as a query parameter.

• No functionality has been deprecated in this release.

• No functionality has been deprecated in this release.

• No functionality has been deprecated in this release.

• No functionality has been deprecated in this release.

• Classic (JATO-based) UI is deprecated for end user pages. OpenAM offers the JavaScript-based XUI as a replacement. Classic UI for end user pages is likely to be removed in a future release.

• Older REST services relying on the following endpoints are deprecated.

  /identity/attributes	/identity/read
  /identity/authenticate	/identity/search
  /identity/authorize	/identity/update
  /identity/create	/ws/1/entitlement/decision
  /identity/delete	/ws/1/entitlement/decisions
  /identity/isTokenValid	/ws/1/entitlement/entitlement
  /identity/logout	/ws/1/entitlement/entitlements

  The following table shows how legacy and newer endpoints correspond.

  REST Endpoints

  Deprecated in the Administration Guide URIs	Newer Evolving in the Administration Guide URIs
  /identity/attributes	/json/users
  /identity/authenticate	/json/authenticate
  /identity/authorize	/json/policies?_action=evaluate, /json/policies?_evaluateTree
  /identity/create, /identity/delete, /identity/read, /identity/search, /identity/update	/json/agents, /json/groups, /json/realms, /json/users
  /identity/isTokenValid	/json/sessions/tokenId?_action=validate
  /identity/logout	/json/sessions/?_action=logout
  /ws/1/entitlement/decision, /ws/1/entitlement/decisions, /ws/1/entitlement/entitlement, /ws/1/entitlement/entitlements	/json/policies?_action=evaluate, /json/policies?_evaluateTree
  N/A	/json/applications
  N/A	/json/applicationtypes
  N/A	/json/conditiontypes
  N/A	/json/dashboard
  N/A	/json/decisionscombiners
  N/A	/json/policies
  N/A	/json/referrals
  N/A	/json/serverinfo
  N/A	/json/subjectattributes
  N/A	/json/subjecttypes
  N/A	/xacml/policies

  
  

  Find examples in the Developer Guide chapter Using RESTful Web Services in the Developer's Guide.

  Support for the older REST services is likely to be removed in a future release in favor of the newer REST services. Older REST services will be removed only after replacement REST services are introduced.

• With the implementation of XACML 3.0 support when importing and exporting policies the following ssoadm commands have been replaced:

  Policy Import and Export with ssoadm

  Deprecated in the Administration Guide Command	Newer Evolving in the Administration Guide Command
  create-policies	create-xacml
  delete-policies	delete-xacml
  list-policies	list-xacml
  update-policies	create-xacml

  
  

  For more information, see the OpenAM Reference section ssoadm — configure OpenAM core services in the Reference.

• With the implementation of OAuth 2.0 in this release, the following OAuth JSP endpoints are deprecated and targeted for future removal:

  deleteconsumer.jsp

  This endpoint is used to delete consumer systems, which get resources from service providers (SPs) based on OAuth 1.0 tokens.

  deletetoken.jsp

  This endpoint is used to delete an existing OAuth 1.0 token.

  index.jsp

  Specifies an endpoint used to register and delete service consumers, which get resources from SPs. Provides access to registerconsumer.jsp and deleteconsumer.jsp. Associated with OAuth 1.0.

  registerconsumer.jsp

  Defines an endpoint used to register a consumer of services from SPs. Associated with OAuth 1.0.

  userconsole.jsp

  Allows a user to authorize or revoke a request for an OAuth 1.0 token.

• The Netscape LDAP API is to be removed from OpenAM, with OpenAM using the OpenDJ LDAP SDK instead. This affects all classes in com.sun.identity.shared.ldap.* packages.

• OpenAM currently uses Sun Java System Application Framework (JATO). JATO is deprecated and is likely to be replaced in a future release.

• With the implementation of the Persistent Cookie authentication module, the Core Authentication module persistent cookie options are deprecated and are likely to be removed in a future release.

• The OAuth 2.0 plugin interface for custom scopes, Scope is deprecated and likely to be removed in a future release. Custom OAuth 2.0 scopes plugins now implement the ScopeValidator interface instead. For an example, see the Developer's Guide chapter, Customizing OAuth 2.0 Scope Handling in the Developer's Guide.

• The OAuth 2.0 plugin interface for custom response types, ResponseType is deprecated and likely to be removed in a future release. Custom OAuth 2.0 response type plugins now implement the ResponseTypeHandler interface instead.

• No functionality has been removed in this release.

• No functionality has been removed in this release.

• Removal of Unused Install-Time LDAP Users. Default LDAP users that were set up during initial installation have been removed, because they were not referenced anywhere in the configuration. Any associated access control instructions to the removed entries have also been removed.

  When targeting Oracle DSEE as the user store, OpenAM no longer creates the following entries and ACIs:

  • dn: ou=DSAME users, CHOSEN_SUFFIX

  • dn: cn=dsameuser, ou=DSAME users, CHOSEN_SUFFIX

  • dn: cn=amldapuser,ou=DSAME Users, CHOSEN_SUFFIX

  • allow (all) userdn = "ldap:///cn=dsameuser,ou=DSAME Users,CHOSEN_SUFFIX";

  • allow (read,search) userdn = "ldap:///cn=amldapuser,ou=DSAME Users,CHOSEN_SUFFIX";

  • deny (write) userdn ="ldap:///self". The aci was updated to remove the dsameuser reference from the target filter.

  When targeting OpenDJ as the user store (internally or externally), OpenAM no longer creates the following entries and ACIs:

  • dn: ou=opensso adminusers,CHOSEN_SUFFIX

  • dn: cn=openssouser,ou=opensso adminusers,CHOSEN_SUFFIX

  • dn: cn=ldapuser,ou=opensso adminusers,CHOSEN_SUFFIX

  • allow (read,search) userdn = "ldap:///cn=ldapuser,ou=opensso adminusers,CHOSEN_SUFFIX";

  • allow (all) userdn = "ldap:///cn=openssouser,ou=opensso adminusers,CHOSEN_SUFFIX";

  • deny (write) userdn ="ldap:///self". The aci was updated to remove the openssouser reference from the target filter.

  New installations will not have these entries and ACIs. For upgraded deployments, you must manually remove the entries if they are not being used. For details, see the explanation in (OPENAM-1036 and in OpenAM Security Advisory #201505-05).

• The sun-idrepo-ldapv3-config-connection-mode property replaces sun-idrepo-ldapv3-config-ssl-enabled, which has been removed from the configuration schema (sunIdentityRepositoryService). For more information, see OPENAM-3714.

• The openam-auth-ldap-connection-mode property replaces iplanet-am-auth-ldap-ssl-enabled, which has been removed from the configuration schema (sunAMAuthADService and iPlanetAMAuthLDAPService). For more information, see OPENAM-5097.

• Removal of Unused Install-Time LDAP Users. Default LDAP users that were set up during initial installation have been removed, because they were not referenced anywhere in the configuration. Any associated access control instructions to the removed entries have also been removed.

  When targeting Oracle DSEE as the user store, OpenAM no longer creates the following entries and ACIs:

  • dn: ou=DSAME users, CHOSEN_SUFFIX

  • dn: cn=dsameuser, ou=DSAME users, CHOSEN_SUFFIX

  • dn: cn=amldapuser,ou=DSAME Users, CHOSEN_SUFFIX

  • allow (all) userdn = "ldap:///cn=dsameuser,ou=DSAME Users,CHOSEN_SUFFIX";

  • allow (read,search) userdn = "ldap:///cn=amldapuser,ou=DSAME Users,CHOSEN_SUFFIX";

  • deny (write) userdn ="ldap:///self". The aci was updated to remove the dsameuser reference from the target filter.

  When targeting OpenDJ as the user store (internally or externally), OpenAM no longer creates the following entries and ACIs:

  • dn: ou=opensso adminusers,CHOSEN_SUFFIX

  • dn: cn=openssouser,ou=opensso adminusers,CHOSEN_SUFFIX

  • dn: cn=ldapuser,ou=opensso adminusers,CHOSEN_SUFFIX

  • allow (read,search) userdn = "ldap:///cn=ldapuser,ou=opensso adminusers,CHOSEN_SUFFIX";

  • allow (all) userdn = "ldap:///cn=openssouser,ou=opensso adminusers,CHOSEN_SUFFIX";

  • deny (write) userdn ="ldap:///self". The aci was updated to remove the openssouser reference from the target filter.

  New installations will not have these entries and ACIs. For upgraded deployments, you must manually remove the entries if they are not being used. For details, see the explanation in (OPENAM-1036 and in OpenAM Security Advisory #201505-05).

• The sun-idrepo-ldapv3-config-connection-mode property replaces sun-idrepo-ldapv3-config-ssl-enabled, which has been removed from the configuration schema (sunIdentityRepositoryService). For more information, see OPENAM-3714.

• The openam-auth-ldap-connection-mode property replaces iplanet-am-auth-ldap-ssl-enabled, which has been removed from the configuration schema (sunAMAuthADService and iPlanetAMAuthLDAPService). For more information, see OPENAM-5097.

• No functionality has been removed in this release.

• OPENAM-9611: InvalidStatusCodeSaml2Exception breaks the SAML2 SP Error handling in a non IDP-proxy environment.

• OPENAM-9526: Compiling the source code without git repo fails at openam-clientsdk module

• OPENAM-9407: Backport OPENAM-7556 to 12.0.x

• OPENAM-9400: NPE in LDAP module if "hasNext" throws an ErrorResultIOException

• OPENAM-9337: Attribute value in profile page is cached

• OPENAM-9290: OpenAM should send a response to the SP in case of empty NameIdPolicy value in SAML Authn Request

• OPENAM-9027: IdServiceImpl logs message level data on warning level

• OPENAM-8962: Unable to set Start and End IPCondition condition policy

• OPENAM-8944: PolicyRequestHandler does not take ignore profile into account when looking up profile attributes

• OPENAM-8919: DJLDAPv3Repo needs to escape special chars in search results.

• OPENAM-8910: NPE if a null siteID is passed to Session.validateSessionID

• OPENAM-8736: When upgrading OpenAM, upgrade can fail if sun-idrepo-ldapv3-config-ssl-enabled has not been removed.

• OPENAM-8708: Authentication can fail for users with non-ascii character in multi-server environment

• OPENAM-8689: javascript httpClient appends headers as querystring parameters

• OPENAM-8659: JSON REST authenticate endpoint doesn't check validity of sessionUpgradeSSOTokenId before returning authId

• OPENAM-8648: PostAuthentication not triggered for noSession=true authentication case

• OPENAM-8614: User status attribute mapping with Active Directory doesn't work when creating new users

• OPENAM-8578: The default WS-Fed and SAML2 IDP attribute mapper should provide a way to Base64 binary encoding of NameID

• OPENAM-8567: SAML v2.0 Bearer Assertion Profile fails if SAML assertion does not include KeyInfo Element

• OPENAM-8564: "Invalid Properties" warning when updating org.forgerock.openam.url.connectTimeout with ssoadm

• OPENAM-8543: Special characters are not always escaped correctly in universal identifier DNs

• OPENAM-8533: Case sensitivity in realm name for password reset REST calls

• OPENAM-8523: J2EE Agent does not pickup "DN Restriction Only Enabled" from OpenAM configuration

• OPENAM-8521: CacheBlockBase will deadlock when com.sun.identity.idm.cache.entry.expire.enabled=true

• OPENAM-8510: com.sun.identity.saml2.cacheCleanUpInterval should only accept values > 0

• OPENAM-8494: Certain services cannot be added/modified at realm level when psearch is disabled

• OPENAM-8483: OAUTH2.0 client MUST use the HTTP "POST" method when making access token requests

• OPENAM-8474: Active Directory ( AD ) DataStore doesn't show User Status in OpenAM GUI

• OPENAM-8463: Creating New SAMLv2 SOAP Binding Request Handler gives errors

• OPENAM-8433: JSON Authentication does not provide correct feedback for expired session

• OPENAM-8432: LocalSSOTokenSessionModule throws NPE when dependencies are not initialized

• OPENAM-8417: IdRepo attempts to access profile when session quotas are enabled, even if 'ignore' user profile is enabled

• OPENAM-8386: NPE in DelegationPolicyImpl due to non-thread safe initialization

• OPENAM-8335: OATH shows One time password callback view even if username is not defined

• OPENAM-8268: Null authnLevel can be set in DefaultIDPAuthnContextMapper.getIDPAuthnContextInfo() if no default set.

• OPENAM-8266: TLS issue with com.iplanet.am.util.AMSendMail

• OPENAM-8250: SAML + OAuth2 flow fails with ClassCastException

• OPENAM-8243: "Illegal universal identifier null." on UMUserPasswordResetOptions in multi-instance setup

• OPENAM-8201: setup.bat of SSOAdminTools always returning exit error code 1

• OPENAM-8199: Resource based authentication does not work with more than one environment condition

• OPENAM-8171: In-memory account lockout reset doesn't work when using LDAP module

• OPENAM-8151: SAML SSO for subrealm does not correctly login user as it ignores the org param when XUI enabled

• OPENAM-8146: XUI does not honor success URL set by PAP

• OPENAM-8073: Installation randomly fails with NPE when message level logging is enabled

• OPENAM-8040: Exception when loading schema for datastore

• OPENAM-8014: NullPointer when using "Default Failure Login URL" with IDP

• OPENAM-7860: Cannot setup 12.0.x with IBM JDK 7

• OPENAM-7778: XML Signature DigestMethod should be configurable when using SAML2

• OPENAM-7750: NPE when OpenAM shut downs

• OPENAM-7443: Password Encryption Key property is incorrect - in Advanced Server configuration

• OPENAM-7254: ClassNotFoundException for DenyOverride triggered from EntitlementUtils after OpenAM installation

• OPENAM-7233: NPE after viewing the OpenAM change organization page

• OPENAM-7071: container requirements are not stated for Distributed Authentication Server

• OPENAM-6974: SAML federation failover does not work to federate additional COT SPs

• OPENAM-6470: ThemeManager.js doesn't need to strip "/" anymore when loading theme for realm

• OPENAM-6390: Retrieving User in federation returns the amIdentity with id in lower case

• OPENAM-6344: Incorrect error when password length is not valid with Forgotten Password in XUI

• OPENAM-6315: Proxying SAML2 Second level status code

• OPENAM-6188: ssoadm list-xacml with –policynames throws a com.sun.identity.entitlement.EntitlementException: Incorrect search filter

• OPENAM-6160: auth_time is updated when refreshing token

• OPENAM-5938: Cert Auth module should not read cert from HTTP request when 'iplanet-am-auth-cert-gw-cert-auth-enabled' is set

• OPENAM-5923: JCE Certificate Validation won't work for Cert module consumed in 'portal' mode

• OPENAM-5640: SAML SP ignore Conditions in Assertion.

• OPENAM-5626: XUI not redirecting to console when no datastore in top realm

• OPENAM-5428: Missing log entry error when clicking IDP services tab

• OPENAM-5367: [ and { characters in uid cause problems with Privilege evaluation

• OPENAM-5213: OAuth2 tokeninfo endpoint is not returning client_id info

• OPENAM-4499: XUI cannot cope with Ignored User Profile mode

• OPENAM-3891: SAML2 session upgrade fails if the request hits a different server where the old session was created

• OPENAM-3750: REST authentication failed if unicode/utf8 login/password

• OPENAM-3574: SMSGateway is missing JavaDoc

• OPENAM-2911: IdP initiated SSO with persistent identifier causes URLNotFoundException: Invalid service host name.

• OPENAM-1068: In case of session upgrade the SAML IDPCache can lose the ssotoken sessionindex mapping

• OPENAM-1462: OATH Module TOTP does not implement Resyncronization part of RFC6238

• OPENAM-1900: Provide support for more XML signatures types in SAML query string verification process

• OPENAM-2028: java.lang.NullPointerException at com.sun.identity.saml2.common.SAML2Utils.getRemoteServiceURL

• OPENAM-2137: DSConfigMgr can hide exception root causes

• OPENAM-3095: When a SP sends an unsigned Authn Request using SAML ECP OpenAM sees it as a wrong message

• OPENAM-3135: XUI does not support resource based authentication

• OPENAM-3253: XUI: sunIdentityUserPassword not set in com.sun.identity.authentication.spi.ReplayPasswd

• OPENAM-3266: Heartbeat timeouts can occur during operation

• OPENAM-3381: SAML login is not handled correctly on the SP if the user already has a local session on the SP

• OPENAM-3470: The SAML2 nameid should not be persisted if the nameid-format is not persistent

• OPENAM-3693: LDAP psearch uses DN to update the cache instead of valid Universal ID

• OPENAM-3698: Federation authentication module may be retrieved from the incorrect realm when running OpenAM as an SAML SP

• OPENAM-3762: sun-idrepo-ldapv3-config-memberurl doesn't exist for LDAPv3ForOpenDS

• OPENAM-3868: Regression: NPE in WDSSO module when authenticating via ClientSDK

• OPENAM-4103: Allow sending AuthnRequests without the RequestedAuthnContext element

• OPENAM-4135: Authentication triggers a search that retrieves all attributes - IDRepo

• OPENAM-4177: Update OAuth2 access_token endpoint to handle auth chain with non-name/password callback

• OPENAM-4754: NPE when SessionID doesn't contain StorageKey for SFO

• OPENAM-4765: AdminTokenAction - retrieving the admin token is not Synchronized

• OPENAM-4983: Commands for embedded DJ should use --noPropertiesFile switch

• OPENAM-5101: Policy Editor does not handle names which contain '/' character

• OPENAM-5234: AuthLevel policy condition does not work with pol. agents when result code 403 is expected

• OPENAM-5264: Can't login to OpenAM with no cookies set in the platform service

• OPENAM-5364: 11.0 format policies with "?" in the rule name cannot be edited by the Policy Editor

• OPENAM-5400: Policy Editor: Unable to edit/delete policy whose name ends in a '/' character

• OPENAM-5416: XUI not handling correctly response from REST services during authentication

• OPENAM-5467: XUI/#logout/ route ignores "goto" parameter

• OPENAM-5505: Setting openam-session-timeout-handler-list= in ssoadm set-attr-defs ends up creating a list with one empty item

• OPENAM-5530: OpenAM does not set the destination in the last leg of IDP Proxy SLO

• OPENAM-5541: Resource based auth doesn't work in sub realm

• OPENAM-5554: run-xacml-client-sample.sh packaged with ExampleClientSDK-CLI-12.0.0.zip is missing libraries

• OPENAM-5567: User attribute mapping sometimes fail

• OPENAM-5614: Jackson can not instantiate AuthnRequestInfoCopy/IDPSessionCopy from JSON object

• OPENAM-5670: Create Policy UI can't get the subject attributes if you don't have a datastore configured.

• OPENAM-5695: Allow admin users to update user's password without the old password

• OPENAM-5712: Cross-realm session upgrade with ForceAuth does not trigger #confirmLogin

• OPENAM-5721: WindowsDesktopSSO trusted realm list doesn't work

• OPENAM-5733: validationService doesn't work if the datastore isn't configured

• OPENAM-5744: Authentication level login doesn't work if the module name doesn't match the module type

• OPENAM-5755: Prevent duplicate metaAliases in SAML2 entities

• OPENAM-5759: Update OAuth2 to display the token and user information in the OAuth2Provider.access log

• OPENAM-5785: Allow ssoadm to import and export agent configurations with hashed passwords

• OPENAM-5804: Forgot password in XUI with a sub-realm when using RFC3986 specs not redirecting correctly

• OPENAM-5826: Zero Page Login disallowed after OPENAM-sec-201503 CAS is applied

• OPENAM-5834: Changes since OPENAM-2274 to DefaultLibrarySPAccountMapper has meant that NameID can't be used in some cases using auto federation

• OPENAM-5835: Redirect loop between OpenAM and J2EE Agent in case of invalid admin token

• OPENAM-5841: Realm override query parameter on login not overriding realm

• OPENAM-5847: OAuth 2.0 Token Administration Endpoint should not allow to list all tokens as 'Super User'

• OPENAM-5883: SAML Time value should allow milliseconds values with less than 3 digits

• OPENAM-5894: Can't update WindowsDesktopSSO module with ssoadm

• OPENAM-5902: Persistent cookie fails on host cookies when domain deleted via console

• OPENAM-5917: IdP proxy in a subrealm is unable to send SLO response to the remote SP

• OPENAM-5920: Realm associated with OAuth2 tokens is not normalised

• OPENAM-5921: XUI Login page does not pass username to post auth plugin

• OPENAM-5922: Getting a user's resource sets from root realm doesn't work with realm override parameter

• OPENAM-5980: CTS async queue can cause threads to wait for a long time

• OPENAM-5987: Database audit logging 'failure buffer' does not write all records after DB recovery

• OPENAM-5998: Null Pointer Exception in Session.removeSID

• OPENAM-6000: Accessing XUI through a FQDN that is resolvable but not mapped throws an internal server error

• OPENAM-6039: Asynchronous queue for OAuth2 Tokens can result in token validation failures

• OPENAM-6056: LoginViewBean does not correctly handle empty ChoiceCallbacks

• OPENAM-6069: Make org.forgerock.openam.agents.config.policy.evaluation.* optional

• OPENAM-6156: orderedlist uitype in service config breaks when updated

• OPENAM-6192: For OAuth 2.0 don't expect the default Shared Consent Attribute to contain a value on first use

• OPENAM-6196: Exception With SAML 2.0 ECP IDP Profile (PAOS Binding)

• OPENAM-6235: NameID values that contain characters such as & cause parsing issues when used in XML documents.

• OPENAM-6236: Add token life time options per OAuth2 client

• OPENAM-6237: com.sun.xml.ws.api.pipe.TransportPipeFactory - ClassNotFoundException

• OPENAM-6244: In case of GeoIp2Exception in the adaptive module, only the score of the geolocation should be affected

• OPENAM-6266: Allow the confirmation email URL in the Forgotten password service to be a relative path

• OPENAM-6273: XUI self-service links are only available when data-store auth-module is used

• OPENAM-6293: XUI freezes at startup when serverinfo service call fails

• OPENAM-6318: IdP proxy should populate the AuthenticatingAuthority element in its Responses

• OPENAM-6323: Divide the message "JWT has expired or is not valid" into two messages

• OPENAM-6362: HOTP and OATH auth-modules do not set 'failureUserID' when throwing InvalidPasswordException, this breaks OpenAM account lockout

• OPENAM-6372: Browser back button and OpenAM internal authentication error

• OPENAM-6376: OAuth2 resource owner authentication code does not pass headers to auth module

• OPENAM-6377: CTSOperations is currently performing setLatestAccessTime on a local token, rather than the remote one.

• OPENAM-6423: Post Authentication Plugin can't set headers in the logout API on REST response

• OPENAM-6443: Unable to change a user password using admin token via REST

• OPENAM-6455: ConnectionCount logic does not produce a sensible ConnectionFactory max pool size for some scenarios

• OPENAM-6468: InvalidClassException with certauth after #201505-01 patch

• OPENAM-6472: NPE when choosing No on new_org.jsp

• OPENAM-6476: Initialization of a ServiceConfigImpl may block retrieval of already cached instances

• OPENAM-6499: Configuration store servers are not listed in Directory Configuration

• OPENAM-6501: RestSecurity is instantiated every time user makes serverinfo request

• OPENAM-6503: Unable to update policies in subrealm

• OPENAM-6506: Potential NPE in OpenAMScopeValidator.evaluateScope

• OPENAM-6514: OAuth2 authorization flow stores resource owner in universalID format if persistent mode is on

• OPENAM-6534: Update OAuth2 tokeninfo endpoint to be realm-independent

• OPENAM-6545: ServerInfoResource should attempt to cache ServiceConfigs per realm rather than creating one on each request

• OPENAM-6552: access_token request sent by OAuth2Saml2GrantSPAdapter is not realm aware

• OPENAM-6553: Fix Social Authentication in subrealms

• OPENAM-6558: jwt-bearer grant type handler doesn't call additionalDataToReturnFromTokenEndpoint of the Scope Validator Plugin

• OPENAM-6613: Updating Hosted IDP Authentication Context Mapper does not save values

• OPENAM-6620: jwks_uri generates a kid value different for each server in a site configuration

• OPENAM-6627: Self-registration fails in XUI when using realms

• OPENAM-6630: Policy Editor 'Export All Policies' does not specify realm

• OPENAM-6726: Issues creating Agent client using REST API

• OPENAM-6734: Shutdown race condition between embedded OpenDJ and OpenAM persistent search restart

• OPENAM-6741: STS configuration not showing in admin console

• OPENAM-6776: SAML authentication can fail with NumberFormatException

• OPENAM-6798: Remove ORIG_URL after OAUTH2 Authentication complete

• OPENAM-6825: Fails to issue OAuth2 access token if client type confidential is inherited from group

• OPENAM-6842: PAP onLogout() method is not triggered in a multi-server environment, if the logout is invoked from the OpeAM instance in which session is not created.

• OPENAM-6867: changePassword REST endpoint is not returning LDAP issues that are related to a user mistake.

• OPENAM-6872: Improved error message in OpenSSOConfigurator

• OPENAM-6878: OpenAM forgot password search hard coded for UID

• OPENAM-6883: SystemConfigurationUtil maintains a list of server URLs that assume lowercase deployment contexts

• OPENAM-6892: Create a Shared Secret Provider plugin for the standard OATH module

• OPENAM-7002: The email attribute property defined in the email service is not used when sending e-mail in forgotten password flow

• OPENAM-7055: Improved logic for POST binding Assertion/Response signature check

• OPENAM-7070: Datastore screen error when loading schema if host list has entries with pipe

• OPENAM-7075: endSession endpoint can't kill SSO Token for some OAuth2 grant type

• OPENAM-7095: ssoadm do-batch doesn't continue if the -c flag is applied for the SAML delete-entity command

• OPENAM-7109: Allow user to adjust the size of Metadata that can be uploaded by the Common Task "Create SAMLv2 Providers" buttons.

• OPENAM-7122: json/agents/?_action=create returns inconsistent error codes when an agent name already exists

• OPENAM-7123: Allow country-specific localization in XUI

• OPENAM-7260: OAuth2 authorization flow sets wrong resource owner if alias name + LDAP auth is used.

• OPENAM-7265: Post Authentication Plugin HttpServletRequest is null in onLogout() method

• OPENAM-7298: Custom response attributes are not visible in the policy editor UI and are erased when editing policies through the UI

• OPENAM-7320: Consider using JDK JAXP/XML instead of Xerces/Xalan to keep up with JDK fixes

• OPENAM-7467: Redirect loop with XUI and resource=true when user initially authenticated to different chain

• OPENAM-7547: OpenIdConnectAuthorizeRequestValidator doesn't take default scopes into account when checking.

• OPENAM-7549: Call to userinfo unexpectedly generates "WARNING: Couldn't find any helper support the HTTP_Bearer challenge scheme."

• OPENAM-7727: debugfiles.properties missing in ClientSDK jar

• OPENAM-7778: XML Signature DigestMethod should be configurable when using SAML2

• OPENAM-7820: Additional delete/revoke token endpoints for Oauth2

• OPENAM-7864: Failure to connect to syslog server can cause OpenAM to hang

• OPENAM-7898: Increase OAuth authorization code character limit to support Azure and others

• OPENAM-7966: hiddenValueBox not showed in DAS

• OPENAM-8074: Changing an user password with the same value returns 400 with ldap errorcode=20

• OPENAM-8091: OpenAM cannot connect to a DataStore which accepts only TLSv1.2

• OPENAM-8108: Radius auth module not usable in auth-chain with 'shared-state' enabled

• OPENAM-8174: OpenAM gives an Internal Server Error when the user tries to reset their password before the minimum password age

• OPENAM-8194: The default WS-Fed IDP attribute mapper should provide a way to Base64 encode binary attributes

• OPENAM-8204: XUI does not display proper error message when changing password

• OPENAM-8225: Reading binary attributes, for example objectGUID, from the IdRepo cache not always returning valid values

• OPENAM-8237: jaxrpc-impl-1.1.3_01-041406.jar and webservices-rt-2009-29-07.jar contain the same classes

• OPENAM-8282: Password Reset questions are not randomly chosen when resetting password

• OPENAM-8327: Unable to send e-mail via Google SMTP with SSL enabled

• OPENAM-5804: Forgot password in XUI with a sub-realm when using RFC3986 specs not redirecting correctly

• OPENAM-5826: Zero Page Login disallowed after OPENAM-sec-201503-v1102-CAS is applied

• OPENAM-5841: Realm override query parameter on login not overriding realm

• OPENAM-6000: Accessing XUI through a FQDN that is resolvable but not mapped throws an internal server error

• OPENAM-6039: Asynchronous queue for OAuth2 Tokens can result in token validation failures

• OPENAM-6293: XUI freezes at startup when serverinfo service call fails

• OPENAM-6377: CTSOperations is currently performing setLatestAccessTime on a local token, rather than the remote one.

• OPENAM-6455: ConnectionCount logic does not produce a sensible ConnectionFactory max pool size for some scenarios

• OPENAM-6457: DirectoryContentUpgrader causes Entry Already Exists exception for CTS suffix when upgrading OpenAM

• OPENAM-6468: InvalidClassException with certauth after #201505-01 patch

• OPENAM-6499: Configuration store servers are not listed in Directory Configuration

• OPENAM-6501: RestSecurity is instantiated every time user makes serverinfo request

• OPENAM-6503: Unable to update policies in subrealm

• OPENAM-6534: OAuth2 tokeninfo endpoint should be realm-independent

• OPENAM-6545: ServerInfoResource should attempt to cache ServiceConfigs per realm rather than creating one on each request

• OPENAM-6613: Updating Hosted IDP Authentication Context Mapper does not save values

• OPENAM-6627: Self-registration fails in XUI when using realms

• OPENAM-273: com.sun.identity.policy.PolicyManager, when used in client API, does not work across multiple SSO sessions in a single JVM instance

• OPENAM-718: Agent group membership lost after backup/restore

• OPENAM-816: ssoadm authentication depends on the sunEnableModuleBasedAuth=true

• OPENAM-1036: Review install-time created LDAP users

• OPENAM-1631: Add option to enable debug logging of decrypted SAML assertions

• OPENAM-2238: Support extensibility of auth context classes as described in the SAMLv2 spec

• OPENAM-2348: set-realm-svc-attrs: "Not a supported type: realm"

• OPENAM-3296: ssoadm uses LDAP auth module first to authenticate amadmin

• OPENAM-3575: LDAP auth module fails if more than one LDAP server is configured as primary/secondary LDAP server

• OPENAM-3714: The DJLDAPv3Repo doesn't support StartTLS

• OPENAM-3856: AMAuthenticationManager can get incorrectly initialized for subrealms

• OPENAM-3877: Changing password through new REST endpoint fails if default AuthN chain needs more than just the password to authenticate

• OPENAM-4164: AgentsRepo could cache stale ServiceConfigImpl

• OPENAM-4195: SAML2token saved in CTS with hex tokenId but read without converting to hex

• OPENAM-4333: OAuth2 endpoint doesn't honour realm DNS aliases - must specify realm via URL query string

• OPENAM-4344: OAuth2Saml2GrantSPAdapter does not pass the realm to the access_token endpoint

• OPENAM-4413: Agent sessions are affected by active session quotas when com.iplanet.am.session.agentSessionIdleTime is used

• OPENAM-4605: Unable to install OpenAM Configuration Data Store into an 'ou' through the console

• OPENAM-4614: MergeAll Option cause a desynchronisation of the log rotation

• OPENAM-4644: Log file rotation isn't respected

• OPENAM-4804: SAE fails with No_App_Attrs:https error

• OPENAM-4856: HOTP auth module can not be used in auth chain if the username in sharedstate map does not 'match' the search attribute of the data store

• OPENAM-4919: DNMapper.realmNameToAMSDKName logic adding extra = when checking against orgAttr

• OPENAM-4923: Windows Desktop SSO module should allow whitelisting Kerberos realms/KDCs

• OPENAM-5034: Legacy password pages unable to handle special characters in username

• OPENAM-5065: PLLClient should call getErrorStream() to get response body on IOException.

• OPENAM-5082: DJLDAPv3Repo setAttributes may add unnecessary objectclasses to modifyRequest.

• OPENAM-5097: LDAP and AD auth modules should support startTLS extended operation

• OPENAM-5120: SAML2 SP in a sub-realm not fully functional after OPENAM-474

• OPENAM-5148: URL links in email sent from REST forgotPassword or register is not URLEncoded

• OPENAM-5183: CTS port settings are reverted to default when doing upgrade from AM 11 to AM 12

• OPENAM-5208: SAML2 SLO error on IDP with Session Synchronization when SP does not support SOAP binding

• OPENAM-5237: OAuth2 authorization consent page uses absolute URL in FORM tag

• OPENAM-5241: DN cache is never enabled since OPENAM-3822

• OPENAM-5252: DJLDAPv3Repo returns different error code when DN cache is enabled

• OPENAM-5260: When using HTTP-POST binding allow to only sign the Response

• OPENAM-5311: Default timelimit in Netscape SDK should be configurable

• OPENAM-5312: Initialization of a ServiceSchemaManager may block retrieval of already cached instances

• OPENAM-5317: 1st. character from realm value is deleted from endpoint /json/authenticate?realm=myRealm"

• OPENAM-5326: When using .well-known/openid-configuration?realm=/shop the iss/issuers does not match

• OPENAM-5332: OAuth2 RefreshTokenServerResource should check the clientID case insensitively

• OPENAM-5381: Specifying an external user store when using configurator tool is not being processed correctly

• OPENAM-5383: CTS Reaper fails if simple paged control is not present in response

• OPENAM-5386: Policy editor doesn't always use realm-specific REST endpoints

• OPENAM-5388: Missing policy actions after upgrading to OpenAM 12

• OPENAM-5411: OpenAM is filling the ResponseLocation with a null instead of an empty string

• OPENAM-5417: Policy Conditions of same type can not be combined in OpenAM 12

• OPENAM-5419: TokenExpired exception message is not consistent

• OPENAM-5421: TokenResource ignores query string passed from client

• OPENAM-5451: Resource based authentication does not work as expected in 12 (with legacy UI)

• OPENAM-5472: NPE in #setAttributes when IdRepo fails to read directory schema

• OPENAM-5488: Upgrade fails from OpenAM 11 to OpenAM 12 with NPE from OAuth2 client profile

• OPENAM-5508: REST with Realm/DNS Aliases causes unexpected results

• OPENAM-5578: Although OpenDJ is selected as default for external user data store LDAPv3ForODSEE type is used

• OPENAM-5598: Adaptive Risk auth module can not be used in auth chain if the username in sharedstate map does not 'match' the search attribute of the data store

• OPENAM-5621: OIDC .well-known/webfinger endpoint is reporting wrong href URL

• OPENAM-5623: CTS uses inefficient search for coreTokenId=

• OPENAM-5660: NPE when the keyalias does not exist or does not contain a certificate

• OPENAM-5690: Get an Access Token From SAML 2.0 on 12.0.0 uses grant type saml2-bearer, but TokenEndpoint is not defined in OAuth2Application

• OPENAM-4340: Configurator is unable to handle special characters in passwords

• OPENAM-4264: IDPAccountMapper.getNameID() does not receive the SP Entity ID if there is no SPNameQualifier in the SAML request

• OPENAM-4262: IDP Proxy should set destination depending on the Binding

• OPENAM-4236: CookieUtils.addCookieToResponse only sends Max-Age attribute

• OPENAM-4229: Change Password as User does not work using AD-LDS (ADAM) User Store

• OPENAM-4227: Set Password as Administrator does not work using AD-LDS (ADAM) User Store

• OPENAM-4094: OAuth2 Authentication Module does not work, if com.iplanet.am.cookie.encode is true.

• OPENAM-3969: 403 on using /json/<realm>/policies?_action=evaluate

• OPENAM-3822: Datastore authentication fails after modify DN operation.

• OPENAM-3758: OAuth2 save consent when no scope is present is not working

• OPENAM-3731: Sun JDK 1.6.0_43: some requests cause never-ending loop in SAML2Utils.decodeFromRedirect

• OPENAM-3964: The class hierarchy for ResourceName interfaces has changed in this issue. Previous implementations should still be source-compatible but are not binary-compatible. You must recompile your custom code if you implemented the ResourceName interfaces.

• OPENAM-3640: StackOverFlowError in WebtopNaming

• OPENAM-3573: IDP Initiated federation with missing SPNameQualifier result in exception

• OPENAM-3513: wrong l10n key in code, ssoadm delete-auth-instance fails on error reporting

• OPENAM-3437: RelayState validation fails during SLO

• OPENAM-3428: DJLDAPv3Repo breaks Active Directory when using sAMAccountName as naming attribute with the DN being the CN

• OPENAM-3385: DJLDAPv3Repo Error Unexpected Results Returned when searching Active Directory users from the root

• OPENAM-3314: Hosted IDPs/SPs in COTs with Spaces

• OPENAM-3271: OpenAM Bootstrap file not found for upgrade from 10.0.1 to 11.0.0 if both .openamcfg and .openssocfg exist

• OPENAM-3225: SAML authentication throws NPE with IDP metadata showing certain characteristics

• OPENAM-2532: deleting ActiveDirectory DataStore from subrealm deleting parent's referrals too.

• OPENAM-2464: HOTP auth module sends 2 HOTP codes, if "Request new code" is clicked.

• OPENAM-2322: NULL pointer exception in windowsdesktopsso.java file when doing kerberos service ticket authentication with Openssoclientsdk.jar client program - backward compatibility broken

• OPENAM-1829: .NET Fedlet - "Signature Transform" and "Canonicalization Method" should be configurable

• OPENAM-1789: .NET Fedlet creates SAML2 IDs with incorrect format

• OPENAM-1773: DAS does not handle goto whitelisting

• OPENAM-1755: The .NET fedlet uses invalid constants "True" "False" for some boolean XML attributes

• OPENAM-1749: AttributeQueryUtil.getAttributeMapForFedlet eats non-Success StatusCode from IDP

• OPENAM-1655: AttributeQueryUtil ignores configured SPAttributeMapper

• OPENAM-1058: Enhance to use attribute names defined in the HOTP service config for the telephone, carrier and email address.

• OPENAM-957: Null pointer exceptions in IDPSSOFederate.getAuthnRequest()

• OPENAM-474: Dynamic User Creation not populating all available attributes onto newly created user

• OPENAM-371: Remove frequently occurring meaningless Error stack trace from debug log

• OPENAM-294: ssoadm: create and update

• OPENAM-110: Attribute name comparison in AttributeQueryUtil.isSameAttribute()

• OPENAM-61: SAML2 appliesTo not being HTML character-encoded

• Manually Update Required for Some Fixes. The changes related to OPENAM-6468 and OPENAM-6499 are not handled automatically by upgrade, thus when upgrading OpenAM from 12.0.1 or from a version where the #201505-01 security patch has been applied, the Object Deserialisation Class Whitelist server setting needs to be updated manually with the following new entries:

  com.sun.identity.common.configuration.ServerConfigXML
  com.sun.identity.common.configuration.ServerConfigXML$DirUserObject
  com.sun.identity.common.configuration.ServerConfigXML$ServerGroup
  com.sun.identity.common.configuration.ServerConfigXML$ServerObject
  java.security.cert.Certificate
  java.security.cert.Certificate$CertificateRep
     

• Different OpenAM Version Within a Site. Do not run different versions of OpenAM together in the same OpenAM site.

• Deleting Referral Policy. OpenAM allows you to delete a referral policy even if policies depending on the referral still exist in the target realm. Deleting a referral policy that other policies depend on can cause problems during policy evaluation. You must therefore make sure that no policies depend on any referrals that you delete.

• Avoid Use of Special Characters in Policy or Application Creation. Do not use special characters within policy, application or referral names (for example, "my+referral") using the Policy Editor or REST endpoints as OpenAM returns a 400 Bad Request error. The special characters are: double quotes ("), plus sign (+), command (,), less than (<), equals (=), greater than (>), backslash (\), and null (\u0000). (OPENAM-5262)

• Avoid Using REST Endpoint Names for Realm Names. Do not use the names of OpenAM REST endpoints as the name of a realm. The OpenAM REST endpoint names that should not be used includes: users, groups, realms, policies, and applications. (OPENAM-5314)

• Deploying OpenAM on Windows in an IPv6 Network. When deploying OpenAM components on Microsoft Windows in an IPv6 environment, you must use the Java 7 Development Kit on Windows (due to JDK-6230761, which is fixed only in Java 7).

• Database Repository Type is Experimental. The Database Repository type of data store is experimental and not supported for production use.

• Enforcing Session Quotas With Session Failover. By default, OpenAM does not enforce session quotas when running in Site mode without session failover. To work around this behavior, set the server configuration property openam.session.useLocalSessionsInMultiServerMode=true. You can set this property in OpenAM console under Configuration > Servers and Sites > Servers > Server Name > Advanced.

• OpenAM with Embedded Directory Server in IPv6 Networks. On hosts with pure IPv6 networks, OpenAM configuration has been seen to fail while starting the embedded OpenDJ directory server (OPENAM-3008).

• JBoss 6.3 Support for Java 8. As of this writing, JBoss 6.3/AS 7.4.0 does not support Java 8. Until JBoss 6.3 fully supports Java 8, you can use JDK 1.7.0_56 (OPENAM-4876).

• Note about HttpServletResponse And HttpServletRequest. The HttpServletRequest instance passed to AMPostAuthProcessInterface#onLogout will be null. The HttpServletResponse instance passed to AMPostAuthProcessInterface#onLogout is not the actual HttpServletResponse corresponding to the request but a faux instance whose only purpose is to transfer headers back to the actual HttpServletResponse (OPENAM-4045).

• XACML Policy Import and Export. OpenAM can only import XACML 3.0 files that were either created by an OpenAM instance, or that have had minor manual modifications, due to the reuse of some XACML 3.0 parameters for non-standard information.

• Different OpenAM Version within a Site. Do not run different versions of OpenAM together in the same OpenAM site.

• Deleting Referral Policy. OpenAM allows you to delete a referral policy even if policies depending on the referral still exist in the target realm. Deleting a referral policy that other policies depend on can cause problems during policy evaluation. You must therefore make sure that no policies depend on any referrals that you delete.

• Avoid Use of Special Characters in Policy or Application creation. Do not use special characters within policy, application or referral names (for example, "my+referral") using the Policy Editor or REST endpoints as OpenAM returns a 400 Bad Request error. The special characters are: double quotes ("), plus sign (+), comma (,), less than (<), equals (=), greater than (>), backslash (\), and null (\u0000). (OPENAM-5262)

• Avoid Using REST Endpoint Names for Realm Names. Do not use the names of OpenAM REST endpoints as the name of a realm. The OpenAM REST endpoint names that should not be used includes: "users", "groups", "realms", "policies" and "applications". (OPENAM-5314)

• Deploying OpenAM on Windows in an IPv6 Network. When deploying OpenAM components on Microsoft Windows in an IPv6 environment, you must use the Java 7 Development Kit on Windows (due to JDK-6230761, which is fixed only in Java 7).

• Database Repository Type is Experimental. The Database Repository type of data store is experimental and not supported for production use.

• Enforcing Session Quotas with Session Failover. By default OpenAM does not enforce session quotas when running in Site mode without session failover. To work around this behavior, set the server configuration property openam.session.useLocalSessionsInMultiServerMode=true. You can set this property in OpenAM console under Configuration > Servers and Sites > Servers > Server Name > Advanced.

• OpenAM with Embedded Directory Server in IPv6 Networks. On hosts with pure IPv6 networks, OpenAM configuration has been seen to fail while starting the embedded OpenDJ directory server (OPENAM-3008).

• JBoss 6.3 Support for Java 8. As of this writing, JBoss 6.3/AS 7.4.0 does not support Java 8. Until JBoss 6.3 fully supports Java 8, you can use JDK 1.7.0_56 (OPENAM-4876).

• Note about HttpServletResponse & HttpServletRequest. The HttpServletRequest instance passed to AMPostAuthProcessInterface#onLogout will be null. The HttpServletResponse instance passed to AMPostAuthProcessInterface#onLogout is not the actual HttpServletResponse corresponding to the request but a faux instance whose only purpose is to transfer headers back to the actual HttpServletResponse (OPENAM-4045).

• XACML Policy Import and Export. OpenAM can only import XACML 3.0 files that were either created by an OpenAM instance, or that have had minor manual modifications, due to the reuse of some XACML 3.0 parameters for non-standard information.

• Login page does not load or ssoadm fails if OpenAM is running on Apache Tomcat 8.5 or 9.

  If you accidently upgraded Apache Tomcat to version 8.5 or later (see the supported Tomcat version at "OpenAM Web Application Container Requirements"), you may experience issues with the login page or ssoadm failing.

  For a workaround, see /knowledge/kb/article/a73027813.

• OPENAM-9757: ssoadm does not work properly on websphere without additional setup

• OPENAM-8975: Unable to install AM 12.0.3 on Websphere 8.5

• OPENAM-8796: Some of LDAP User Attributes are missing after upgrade

• OPENAM-8633: Message changed for the failed password when authenticating over REST

• OPENAM-7781: persistent cookie auth module does not allow to change cookie name by default

• OPENAM-7746: Authentication in sub-realm fails if DNS alias is used and persistence can not be guaranteed

• OPENAM-7282: Forgotten password submit button is disabled when using autocomplete

• OPENAM-7035: OAuth2ProviderSettings are not updated if configuration of baseUrlSource service is changed

• OPENAM-6426: Forgot password doesn't print an audit log

• OPENAM-6262: Admin console generates incorrect goto URLs when behind reverse proxy

• OPENAM-4430: Upgrade wizard is out of date for other languages than EN

• Login page does not load or ssoadm fails if OpenAM is running on Apache Tomcat 8.5 or 9.

  If you accidently upgraded Apache Tomcat to version 8.5 or later (see the supported Tomcat version at "OpenAM Web Application Container Requirements"), you may experience issues with the login page or ssoadm failing.

  For a workaround, see /knowledge/kb/article/a73027813.

• OPENAM-71: SAML2 error handling in HTTP POST and Redirect bindings

• OPENAM-774: Invalid characters check not performed.

• OPENAM-1068: In case of session upgrade the SAML IDPCache can lose the ssotoken sessionindex mapping

• OPENAM-1105: Init properties sometimes don't honor final settings

• OPENAM-1194: Unable to get AuthnRequest error in multiserver setup

• OPENAM-1323: Unable to create session service when no datastore is available

• OPENAM-1521: Cookie Hijacking Prevention does not work properly under FireFox

• OPENAM-1660: Read-access to SubjectEvaluationCache is not synchronized

• OPENAM-1831: OpenAM 10.0 subrealm DNS alias doesn't work as expected unless setting com.sun.identity.server.fqdnMap

• OPENAM-1886: Session invalidated on OpenAM server is not deleted from SFO datastore

• OPENAM-1892: Only Accept certificate for authentication if KeyUsage is correct

• OPENAM-1946: Password change with AD does not work when old password is provided

• OPENAM-2028: java.lang.NullPointerException at com.sun.identity.saml2.common.SAML2Utils.getRemoteServiceURL

• OPENAM-2137: DSConfigMgr can hide exception root causes

• OPENAM-2155: Non printable characters in some files. Looks like most should be copyright 0xA9

• OPENAM-2168: Authentication Success Rate and Authentication Failure Rate are always 0

• OPENAM-2715: Mandatory OAuth2 Provider settings not enforced in the UI

• OPENAM-2911: IdP initiated SSO with persistent identifier causes URLNotFoundException: Invalid service host name.

• OPENAM-3048: RESTful authentication using curl doesn't work on the WebLogic 12c (12.1.1.0)

• OPENAM-3095: When a SP sends an unsigned Authn Request using SAML ECP OpenAM sees it as a wrong message

• OPENAM-3109: Token conflicts can occur if OpenDJ servers are replicated

• OPENAM-3223: Policy Wildcard Matches doesn't work after OpenAM upgrade with an ODSEE

• OPENAM-3243: The Core Auth Module persistent cookie options are different from the Persistent Cookie Module

• OPENAM-3253: XUI: sunIdentityUserPassword not set in com.sun.identity.authentication.spi.ReplayPasswd

• OPENAM-3266: Heartbeat timeouts can occur during operation

• OPENAM-3381: SAML login is not handled correctly on the SP if the user already has a local session on the SP

• OPENAM-3442: CTS TokenType is missing an index

• OPENAM-3466: LDAP authentication module does not apply the change of the password for the bind DN user until restart

• OPENAM-3470: The SAML2 nameid should not be persisted if the nameid-format is not persistent

• OPENAM-3693: LDAP psearch uses DN to update the cache instead of valid Universal ID

• OPENAM-3698: Federation authentication module may be retrieved from the incorrect realm when running OpenAM as an SAML SP

• OPENAM-3762: sun-idrepo-ldapv3-config-memberurl doesn't exist for LDAPv3ForOpenDS

• OPENAM-3827: json/session endpoint not listing sessions

• OPENAM-3868: Regression: NPE in WDSSO module when authenticating via ClientSDK

• OPENAM-3924: XUI is ignoring iplanet-am-admin-console-password-reset-enabled and requesting user password be entered anytime password is changed

• OPENAM-4135: Authentication triggers a search that retrieves all attributes - IDRepo

• OPENAM-4430: Upgrade wizard is out of date for other languages than EN

• OPENAM-4517: GUI installer crashes and restarts in Safari

• OPENAM-4754: NPE when SessionID doesn't contain StorageKey for SFO

• OPENAM-4765: AdminTokenAction - retrieving the admin token is not Synchronized

• OPENAM-4983: Commands for embedded DJ should use --noPropertiesFile switch

• OPENAM-5234: AuthLevel policy condition does not work with pol. agents when result code 403 is expected

• OPENAM-5243: REST HTTP codes are different for some actions in AM 11.0.2 and AM 12

• OPENAM-5264: Can't login to OpenAM with no cookies set in the platform service

• OPENAM-5321: Cross realm session upgrade not handled properly by XUI

• OPENAM-5364: 11.0 format policies with "?" in the rule name cannot be edited by the Policy Editor

• OPENAM-5400: Policy Editor: Unable to edit/delete policy whose name ends in a '/' character

• OPENAM-5416: XUI not handling correctly response from REST services during authentication

• OPENAM-5467: XUI/#logout/ route ignores "goto" parameter

• OPENAM-5505: Setting openam-session-timeout-handler-list= in ssoadm set-attr-defs ends up creating a list with one empty item

• OPENAM-5530: OpenAM does not set the destination in the last leg of IDP Proxy SLO

• OPENAM-5541: Resource based auth doesn't work in sub realm

• OPENAM-5554: run-xacml-client-sample.sh packaged with ExampleClientSDK-CLI-12.0.0.zip is missing libraries

• OPENAM-5567: User attribute mapping sometimes fail

• OPENAM-5614: Jackson can not instantiate AuthnRequestInfoCopy/IDPSessionCopy from JSON object

• OPENAM-5626: XUI not redirecting to console when no datastore in top realm

• OPENAM-5670: Create Policy UI can't get the subject attributes if you don't have a datastore configured.

• OPENAM-5712: Cross-realm session upgrade with ForceAuth does not trigger #confirmLogin

• OPENAM-5721: WindowsDesktopSSO trusted realm list doesn't work

• OPENAM-5733: validationService doesn't work if the datastore isn't configured

• OPENAM-5744: Authentication level login doesn't work if the module name doesn't match the module type

• OPENAM-5834: Changes since OPENAM-2274 to DefaultLibrarySPAccountMapper has meant that NameID can't be used in some cases using auto federation

• OPENAM-5847: OAuth 2.0 Token Administration Endpoint should not allow to list all tokens as 'Super User'

• OPENAM-5883: SAML Time value should allow milliseconds values with less than 3 digits

• OPENAM-5894: Can't update WindowsDesktopSSO module with ssoadm

• OPENAM-5902: Persistent cookie fails on host cookies when domain deleted via console

• OPENAM-5917: IdP proxy in a subrealm is unable to send SLO response to the remote SP

• OPENAM-5920: Realm associated with OAuth2 tokens is not normalised

• OPENAM-5921: XUI Login page does not pass username to post auth plugin

• OPENAM-5980: CTS async queue can cause threads to wait for a long time

• OPENAM-5987: Database audit logging 'failure buffer' does not write all records after DB recovery

• OPENAM-6056: LoginViewBean does not correctly handle empty ChoiceCallbacks

• OPENAM-6156: orderedlist uitype in service config breaks when updated

• OPENAM-6192: For OAuth 2.0 don't expect the default Shared Consent Attribute to contain a value on first use

• OPENAM-6196: Exception With SAML 2.0 ECP IDP Profile (PAOS Binding)

• OPENAM-6235: NameID values that contain characters such as & cause parsing issues when used in XML documents.

• OPENAM-6244: In case of GeoIp2Exception in the adaptive module, only the score of the geolocation should be affected

• OPENAM-6262: Admin console generates incorrect goto URLs when behind reverse proxy

• OPENAM-6273: XUI self-service links are only available when data-store auth-module is used

• OPENAM-6318: IdP proxy should populate the AuthenticatingAuthority element in its Responses

• OPENAM-6362: HOTP and OATH auth-modules do not set 'failureUserID' when throwing InvalidPasswordException, this breaks OpenAM account lockout

• OPENAM-6372: Browser back button and OpenAM internal authentication error

• OPENAM-6374: Registering UMA resource sometimes gives error

• OPENAM-6376: OAuth2 resource owner authentication code does not pass headers to auth module

• OPENAM-6384: XUI: Sharing resource twice (with another user) fails

• OPENAM-6385: Revoking access to individual resource using XUI fails

• OPENAM-6423: Post Authentication Plugin can't set headers in the logout API on REST response

• OPENAM-6426: Forgot password doesn't print an audit log

• OPENAM-6443: Unable to change a user password using admin token via REST

• OPENAM-6457: DirectoryContentUpgrader causes Entry Already Exists exception for CTS suffix when upgrading OpenAM

• OPENAM-6471: Cannot Initialize Authentication exception when upgrading OpenAM

• OPENAM-6472: NPE when choosing No on new_org.jsp

• OPENAM-6476: Initialization of a ServiceConfigImpl may block retrieval of already cached instances

• OPENAM-6506: Potential NPE in OpenAMScopeValidator.evaluateScope

• OPENAM-6514: OAuth2 authorization flow stores resource owner in universalID format if persistent mode is on

• OPENAM-6552: access_token request sent by OAuth2Saml2GrantSPAdapter is not realm aware

• OPENAM-6553: Fix Social Authentication in subrealms

• OPENAM-6558: jwt-bearer grant type handler doesn't call additionalDataToReturnFromTokenEndpoint of the Scope Validator Plugin

• OPENAM-6620: jwks_uri generates a kid value different for each server in a site configuration

• OPENAM-6630: Policy Editor 'Export All Policies' does not specify realm

• OPENAM-6666: Re-shared resource that is revoked by resource owner, re-shared user still has access

• OPENAM-6726: Issues creating Agent client using REST API

• OPENAM-6734: Shutdown race condition between embedded OpenDJ and OpenAM persistent search restart

• OPENAM-6739: Creating UMA policy as amadmin doesn't show in user's resources

• OPENAM-6741: STS configuration not showing in admin console

• OPENAM-6776: SAML authentication can fail with NumberFormatException

• OPENAM-6798: Remove ORIG_URL after OAUTH2 Authentication complete

• OPENAM-6825: Fails to issue OAuth2 access token if client type confidential is inherited from group

• OPENAM-6842: PAP onLogout() method is not triggered in a multi-server environment, if the logout is invoked from the OpeAM instance in which session is not created.

• OPENAM-6867: changePassword REST endpoint is not returning LDAP issues that are related to a user mistake.

• OPENAM-6878: OpenAM forgot password search hard coded for UID

• OPENAM-6883: SystemConfigurationUtil maintains a list of server URLs that assume lowercase deployment contexts

• OPENAM-6976: OAuth2 Error Page on oauth2/authorize with valid params and cookie

• OPENAM-6977: Validate OIDC script returns "No privilege mapping for requested action validate"

• OPENAM-7002: The email attribute property defined in the email service is not used when sending e-mail in forgotten password flow

• OPENAM-7021: XUI login script queries "/openam/json/users?realm=/?_action=idFromSession"

• OPENAM-7035: OAuth2ProviderSettings are not updated if configuration of baseUrlSource service is changed

• OPENAM-7054: RADIUS Server Does not Start After Initial Install Without a Web Container Restart

• OPENAM-7070: Datastore screen error when loading schema if host list has entries with pipe

• OPENAM-7075: endSession endpoint can't kill SSO Token for some OAuth2 grant type

• OPENAM-7095: ssoadm do-batch doesn't continue if the -c flag is applied for the SAML delete-entity command

• OPENAM-7122: json/agents/?_action=create returns inconsistent error codes when an agent name already exists

• OPENAM-7255: XUI "Delete Label" is inactive for orphan labels

• OPENAM-7260: OAuth2 authorization flow sets wrong resource owner if alias name + LDAP auth is used.

• OPENAM-7265: Post Authentication Plugin HttpServletRequest is null in onLogout() method

• OPENAM-7282: Forgotten password submit button is disabled when using autocomplete

• OPENAM-7298: Custom response attributes are not visible in the policy editor UI and are erased when editing policies through the UI

• OPENAM-7321: Update scripting whitelist to allow use of CHF client in scripts

• OPENAM-7334: Client Authentication method not compliant with OpenID standard

• OPENAM-7382: HTTP GET to uma/auditHistory with param "sortKeys=-eventTime" returned 500 server error

• OPENAM-7467: Redirect loop with XUI and resource=true when user initially authenticated to different chain

• OPENAM-7547: OpenIdConnectAuthorizeRequestValidator doesn't take default scopes into account when checking.

• OPENAM-7549: Call to userinfo unexpectedly generates "WARNING: Couldn't find any helper support the HTTP_Bearer challenge scheme."

• OPENAM-7727: debugfiles.properties missing in ClientSDK jar

• OPENAM-7746: Authentication in sub-realm fails if DNS alias is used and persistence can not be guaranteed

• OPENAM-7781: persistent cookie auth module does not allow to change cookie name by default

• OPENAM-7785: 404 on <server:port>/openam

• OPENAM-7864: Failure to connect to syslog server can cause OpenAM to hang

• OPENAM-7939: Audit file retention "Minimum Free Space Required" field doesn't stop growing the occupied disk space

• OPENAM-7966: hiddenValueBox not showed in DAS

• OPENAM-8058: ForgeRock Authenticator settings cannot be changed when in production

• OPENAM-8074: Changing an user password with the same value returns 400 with ldap errorcode=20

• OPENAM-8077: XUI does not overwrite stateless session on session upgrade

• OPENAM-8091: OpenAM cannot connect to a DataStore which accepts only TLSv1.2

• OPENAM-8108: Radius auth module not usable in auth-chain with 'shared-state' enabled

• OPENAM-8111: User Self Service is active if configured however not turned on in the realm

• OPENAM-8125: IE 9/10: can't create policy resource

• OPENAM-8148: Adding new subject with Tivoli as datastore missing kbaInfoContainer schema

• OPENAM-8174: OpenAM gives an Internal Server Error when the user tries to reset their password before the minimum password age

• OPENAM-8180: Custom auth breaks after upgrade due to lack of "resourceName"

• OPENAM-8204: XUI does not display proper error message when changing password

• OPENAM-8225: Reading binary attributes, for example objectGUID, from the IdRepo cache not always returning valid values

• OPENAM-8237: jaxrpc-impl-1.1.3_01-041406.jar and webservices-rt-2009-29-07.jar contain the same classes

• OPENAM-8282: Password Reset questions are not randomly chosen when resetting password

• OPENAM-8327: Unable to send e-mail via Google SMTP with SSL enabled

• OPENAM-8633: Message changed for the failed password when authenticating over REST

• OPENAM-8796: Some of LDAP User Attributes are missing after upgrade

• Login page does not load or ssoadm fails if OpenAM is running on Apache Tomcat 8.5 or 9.

  If you accidently upgraded Apache Tomcat to version 8.5 or later (see the supported Tomcat version at "OpenAM Web Application Container Requirements"), you may experience issues with the login page or ssoadm failing.

  For a workaround, see /knowledge/kb/article/a73027813.

• OPENAM-71: SAML2 error handling in HTTP POST and Redirect bindings

• OPENAM-480: Adding a server to a site requires restart of OpenAM

• OPENAM-774: Invalid characters check not performed.

• OPENAM-1105: Init properties sometimes don't honor final settings

• OPENAM-1111: Persistent search in LDAPv3EventService should be turned off if caching is disabled

• OPENAM-1137: Error message raised when adding a user to a group

• OPENAM-1181: Improperly defined applications cause the policy framework to throw NPE

• OPENAM-1194: Unable to get AuthnRequest error in multiserver setup

• OPENAM-1317: With ssoadm create-agent, default values are handled differently for web agents and j2ee agents

• OPENAM-1323: Unable to create session service when no datastore is available

• OPENAM-1505: LogoutViewBean does not use request information for finding the correct template

• OPENAM-1659: Default Authentication Locale is not used as fallback

• OPENAM-1660: Read-access to SubjectEvaluationCache is not synchronized

• OPENAM-1831: OpenAM 10.0 subrealm DNS alias doesn't work as expected unless setting com.sun.identity.server.fqdnMap

• OPENAM-1886: Session invalidated on OpenAM server is not deleted from SFO datastore

• OPENAM-1892: Only Accept certificate for authentication if KeyUsage is correct

• OPENAM-1945: Default Configuration create invalid domain cookie

• OPENAM-1946: Password change with AD does not work when old password is provided

• OPENAM-2085: Unreliable policy evaluation results with com.sun.identity.agents.config.fetch.from.root.resource enabled

• OPENAM-2155: Non printable characters in some files. Looks like most should be copyright 0xA9

• OPENAM-2168: Authentication Success Rate and Authentication Failure Rate are always 0

• OPENAM-2404: new_org.jsp is displayed from the original realm in case of session upgrade

• OPENAM-2469: IdP initiated SSO endpoints should honor RelayState even when they're POSTed

• OPENAM-2537: SAML AuthContext mapper auth level setting inconsistencies

• OPENAM-2564: resource-based authentication with DistAuth not working

• OPENAM-2608: Restricted Token validation does not work in legacy REST API

• OPENAM-2656: PrefixResourceName#compare() strips off trailing '/' in PathInfo

• OPENAM-2715: Mandatory OAuth2 Provider settings not enforced in the UI

• OPENAM-3048: RESTful authentication using curl doesn't work on the WebLogic 12c (12.1.1.0)

• OPENAM-3056: Retrieving roles may fail when using more than one data store

• OPENAM-3109: Token conflicts can occur if OpenDJ servers are replicated

• OPENAM-3223: Policy Wildcard Matches doesn't work after OpenAM upgrade with an ODSEE

• OPENAM-3243: The Core Auth Module persistent cookie options are different from the Persistent Cookie Module

• OPENAM-3442: CTS TokenType is missing an index

• OPENAM-3466: LDAP authentication module does not apply the change of the password for the bind DN user until restart

• OPENAM-3827: json/session endpoint not listing sessions

• OPENAM-3924: XUI is ignoring iplanet-am-admin-console-password-reset-enabled and requesting user password be entered anytime password is changed

• OPENAM-4430: Upgrade wizard is out of date for other languages than EN

• OPENAM-4517: GUI installer crashes and restarts in Safari

• OPENAM-5234: AuthLevel policy condition does not work with pol. agents when result code 403 is expected

• OPENAM-5243: REST HTTP codes are different for some actions in AM 11.0.2 and AM 12

• OPENAM-5321: Cross realm session upgrade not handled properly by XUI

• OPENAM-6056: LoginViewBean does not correctly handle empty ChoiceCallbacks

• OPENAM-6319: OAuth2 scopes behaviour affected by the upgrade

• OPENAM-6340: XUI needs to support DNS/Alias behaviour for subrealms as per OPENAM-5508

• OPENAM-6565: .well-known/openid-configuration is published with both DNS Realm alias AND realm in the path, resulting in failed authentication

• Login page does not load or ssoadm fails if OpenAM is running on Apache Tomcat 8.5 or 9.

  If you accidently upgraded Apache Tomcat to version 8.5 or later (see the supported Tomcat version at "OpenAM Web Application Container Requirements"), you may experience issues with the login page or ssoadm failing.

  For a workaround, see /knowledge/kb/article/a73027813.

• OPENAM-71: SAML2 error handling in HTTP POST and Redirect bindings

• OPENAM-774: Invalid characters check not performed.

• OPENAM-1105: Init properties sometimes don't honor final settings

• OPENAM-1111: Persistent search in LDAPv3EventService should be turned off if caching is disabled

• OPENAM-1137: Error message raised when adding a user to a group

• OPENAM-1181: Improperly defined applications cause the policy framework to throw NPE

• OPENAM-1194: Unable to get AuthnRequest error in multiserver setup

• OPENAM-1219: SAML 2 metadata parsing breaks in glassfish 3.1.2

• OPENAM-1317: With ssoadm create-agent, default values are handled differently for web agents and j2ee agents

• OPENAM-1323: Unable to create session service when no datastore is available

• OPENAM-1505: LogoutViewBean does not use request information for finding the correct template

• OPENAM-1659: Default Authentication Locale is not used as fallback

• OPENAM-1660: Read-access to SubjectEvaluationCache is not synchronized

• OPENAM-1831: OpenAM 10.0 subrealm DNS alias doesn't work as expected unless setting com.sun.identity.server.fqdnMap

• OPENAM-1886: Session invalidated on OpenAM server is not deleted from SFO datastore

• OPENAM-1892: Only Accept certificate for authentication if KeyUsage is correct

• OPENAM-1945: Default Configuration create invalid domain cookie

• OPENAM-1946: Password change with AD does not work when old password is provided

• OPENAM-2085: Unreliable policy evaluation results with com.sun.identity.agents.config.fetch.from.root.resource enabled

• OPENAM-2137: DSConfigMgr can hide exception root causes

• OPENAM-2155: Non printable characters in some files. Looks like most should be copyright 0xA9

• OPENAM-2168: Authentication Success Rate and Authentication Failure Rate are always 0

• OPENAM-2404: new_org.jsp is displayed from the original realm in case of session upgrade

• OPENAM-2469: IdP initiated SSO endpoints should honor RelayState even when they're POSTed

• OPENAM-2537: SAML AuthContext mapper auth level setting inconsistencies

• OPENAM-2564: resource-based authentication with DistAuth not working

• OPENAM-2608: Restricted Token validation does not work in legacy REST API

• OPENAM-2656: PrefixResourceName#compare() strips off trailing '/' in PathInfo

• OPENAM-2715: Mandatory OAuth2 Provider settings not enforced in the UI

• OPENAM-3048: RESTful authentication using curl doesn't work on the WebLogic 12c (12.1.1.0)

• OPENAM-3056: Retrieving roles may fail when using more than one data store

• OPENAM-3109: Token conflicts can occur if OpenDJ servers are replicated

• OPENAM-3223: Policy Wildcard Matches doesn't work after OpenAM upgrade with an ODSEE

• OPENAM-3243: The Core Auth Module persistent cookie options are different from the Persistent Cookie Module

• OPENAM-3442: CTS TokenType is missing an index

• OPENAM-3466: LDAP authentication module does not apply the change of the password for the bind DN user until restart

• OPENAM-3827: json/session endpoint not listing sessions

• OPENAM-3924: XUI is ignoring iplanet-am-admin-console-password-reset-enabled and requesting user password be entered anytime password is changed

• OPENAM-4430: Upgrade wizard is out of date for other languages than EN

• OPENAM-4517: GUI installer crashes and restarts in Safari

• OPENAM-5234: AuthLevel policy condition does not work with pol. agents when result code 403 is expected

• OPENAM-5243: REST HTTP codes are different for some actions in AM 11.0.2 and AM 12

• OPENAM-5321: Cross realm session upgrade not handled properly by XUI

• OPENAM-6056: LoginViewBean does not correctly handle empty ChoiceCallbacks

• OPENAM-6302: Upgrade incorrectly sets default value for the REST APIs service

• OPENAM-6319: OAuth2 scopes behaviour affected by the upgrade

• Login page does not load or ssoadm fails if OpenAM is running on Apache Tomcat 8.5 or 9.

  If you accidently upgraded Apache Tomcat to version 8.5 or later (see the supported Tomcat version at "OpenAM Web Application Container Requirements"), you may experience issues with the login page or ssoadm failing.

  For a workaround, see /knowledge/kb/article/a73027813.

• OPENAM-5321: Cross realm session upgrade not handled properly by XUI

• OPENAM-5243: REST HTTP codes are different for some actions in AM 11.0.2 and AM 12

• OPENAM-5237: OAuth2 authorization consent page uses absolute URL in FORM tag

• OPENAM-5234: AuthLevel policy condition does not work with pol. agents when result code 403 is expected

• OPENAM-5183: CTS port settings are reverted to default when doing upgrade from AM 11 to AM 12

• OPENAM-4517: GUI installer crashes and restarts in Safari

• OPENAM-4430: Upgrade wizard is out of date for other languages than EN

• OPENAM-3924: XUI is ignoring iplanet-am-admin-console-password-reset-enabled and requesting user password be entered anytime password is changed

• OPENAM-3466: LDAP authentication module does not apply the change of the password for the bind DN user until restart

• OPENAM-3442: CTS TokenType is missing an index

• OPENAM-3223: Policy Wildcard Matches doesn't work after OpenAM upgrade with an ODSEE

• OPENAM-3109: Token conflicts can occur if OpenDJ servers are replicated

• OPENAM-3056: Retrieving roles may fail when using more than one data store

• OPENAM-3048: RESTful authentication using curl doesn't work on the WebLogic 12c (12.1.1.0)

• OPENAM-2715: Mandatory OAuth2 Provider settings not enforced in the UI

• OPENAM-2705: People container name/value configs are not always correctly used - backport

• OPENAM-2656: PrefixResourceName#compare() strips off trailing '/' in PathInfo

• OPENAM-2608: Restricted Token validation does not work in legacy REST API

• OPENAM-2564: resource-based authentication with DistAuth not working

• OPENAM-2537: SAML AuthContext mapper auth level setting inconsistencies

• OPENAM-2469: IdP initiated SSO endpoints should honor RelayState even when they're POSTed

• OPENAM-2453: HTTP GET /ws/1/entitlement/privilege? HTTP 400 with message "Unable to search privileges."

• OPENAM-2404: new_org.jsp is displayed from the original realm in case of session upgrade

• OPENAM-2168: Authentication Success Rate and Authentication Failure Rate are always 0

• OPENAM-2137: DSConfigMgr can hide exception root causes

• OPENAM-2085: Unreliable policy evaluation results with com.sun.identity.agents.config.fetch.from.root.resource enabled

• OPENAM-2023: Federation Connectivity Test fails with Account termination is not working

• OPENAM-1946: Password change with AD does not work when old password is provided

• OPENAM-1945: Default Configuration create invalid domain cookie

• OPENAM-1892: Only Accept certificate for authentication if KeyUsage is correct

• OPENAM-1886: Session invalidated on OpenAM server is not deleted from SFO datastore

• OPENAM-1852: Oauth2 auth-module can not be used with DistAuth

• OPENAM-1831: OpenAM 10.0 subrealm DNS alias doesn't work as expected unless setting com.sun.identity.server.fqdnMap

• OPENAM-1811: DAS response serialization is not working as expected when using PAP

• OPENAM-1660: Read-access to SubjectEvaluationCache is not synchronized

• OPENAM-1659: Default Authentication Locale is not used as fallback

• OPENAM-1505: LogoutViewBean does not use request information for finding the correct template

• OPENAM-1456: Change of the agent group in the J2EE policy agent profile causes profile corruption

• OPENAM-1323: Unable to create session service when no datastore is available

• OPENAM-1317: With ssoadm create-agent, default values are handled differently for web agents and j2ee agents

• OPENAM-1269: Entitlements are incorrectly converted to policies

• OPENAM-1237: Property 'noSubjectKeyIdentifier' is missing in fmWSSecurity.properties

• OPENAM-1219: SAML 2 metadata parsing breaks in glassfish 3.1.2

• OPENAM-1194: Unable to get AuthnRequest error in multiserver setup

• OPENAM-1181: Improperly defined applications cause the policy framework to throw NPE

• OPENAM-1137: Error message raised when adding a user to a group

• OPENAM-1111: Persistent search in LDAPv3EventService should be turned off if caching is disabled

• OPENAM-1105: Init properties sometimes don't honor final settings

• OPENAM-774: Invalid characters check not performed.

• OPENAM-291: SelfWrite permissions are denied to sub realms

• OPENAM-71: SAML2 error handling in HTTP POST and Redirect bindings