Documentation updates
In addition to the changes described elsewhere in these release notes, the published documentation for each AM version includes the following important changes.
AM 7.4.x
AM 7.4.2
AM 7.4.2
AME-29951 |
Document back-channel logout |
AME-29538 |
Update next-generation scripting documentation with exception handling scenarios |
AME-27726 |
Add more information for activity audit log events |
AME-27697 |
Document |
AME-27432 |
SAML Artifact flow fails when running AM with JRE 17 |
AME-22545 |
|
OPENAM-23394 |
Clarify usage of FBC at install time |
OPENAM-23362 |
Success redirect order is incorrect |
OPENAM-23359 |
Added note about FBC not being supported |
OPENAM-23188 |
Correct steps for accessing am-external in node developer guide |
OPENAM-23078 |
Update steps for letting DS manage CTS tokens |
OPENAM-22972 |
Request to add a statement on async in doc |
OPENAM-22871 |
Wrong default value for |
OPENAM-22741 |
Adding missing step in "Configure amr claims" procedure |
OPENAM-22635 |
Procedure for enabling the AM reaper is incorrect |
OPENAM-22515 |
Document Logout Webhook key WebhookEventType |
OPENAM-22327 |
Remove mention of Internet Explorer from AM docs |
OPENAM-22254 |
Update browser support table for WebAuthn |
OPENAM-22207 |
List HiddenValueCallback as interactive not read-only |
OPENAM-22157 |
Clarify version support in upgrade instructions |
OPENAM-22100 OPENAM-22049 OPENAM-22885 OPENAM-21325 |
Improvements to upgrading servers section |
OPENAM-22099 |
Remove misleading information about unsupported custom callbacks |
OPENAM-22045 |
Corrected default log level |
OPENAM-21935 |
Document the maximum JWT token liftime accepted by AM |
OPENAM-21907 |
Added a tip to the setup guide for finding server and site IDs |
OPENAM-21744 |
Removed an incorrect statement about invalidating client-side auth session |
OPENAM-21650 |
Updated base DN for AM configuration data |
OPENAM-21165 |
Request for a sample script to be added to the docs |
OPENAM-20673 |
Clarify device reset with WebAuthn |
OPENAM-20591 |
Prevent ClassNotFoundException when removing click-* jars |
OPENAM-19899 |
Remove all instances of /UI/login |
OPENAM-19575 |
OIDC guide feedback: Check algorithm statement for |
OPENAM-19533 |
Remove unnecessary images from install steps |
OPENAM-19395 |
Distinguish between general mail server and self-service mail service |
AM 7.4.1
AM 7.4.1
AME-27930 |
Prepare truststore should use 7.x DS security model |
AME-27531 |
Incorrect description for Scripting Engine configuration for Thread pool queue size |
AME-25385 |
Document the HTTP client asynchronous feature |
OPENAM-22635 |
Procedure for enabling the AM reaper is incorrect |
OPENAM-22207 |
List HiddenValueCallback as interactive not read-only |
OPENAM-22099 |
Remove misleading information about unsupported custom callbacks |
OPENAM-22098 |
Additional information required in JWT validation example |
OPENAM-22066 |
Document Social Provider Handler node |
OPENAM-22065 |
Fix Knowledge Base link in documentation |
OPENAM-21914 |
Clarify deprecation and replacement of shared and transient state bindings |
OPENAM-21851 |
Clarify use of |
OPENAM-21801 |
Next generation scripting: Update |
OPENAM-21798 |
Next generation scripting: Document "get" wrapper functions |
OPENAM-21754 |
Add warning to library scrips about use of third party libraries |
OPENAM-21699 |
Fix example for authenticating to specific services |
OPENAM-21696 |
Add a note to the Set Custom Cookie node docs around host vs domain cookies |
OPENAM-21667 |
Sessions guide: Set JWT token expiry if you update max session TTL |
OPENAM-21666 |
Security guide: Byte and MB values of request body limit don’t match |
OPENAM-21620 |
Node development: Improve and correct Node class documentation |
OPENAM-21603 |
Missing spaces in catalina opts example prevents tomcat starting |
OPENAM-21457 |
Clarify where the Failure node routes a user |
OPENAM-21419 |
Security guide: Attach Java examples for custom secret stores |
OPENAM-21413 |
Fix sample script in SAML docs |
OPENAM-21344 |
Update profile data scripting examples with try-catch blocks |
OPENAM-20752 |
OAuth 2.0 scripted policy condition variables need updating |
OPENAM-20522 |
State that Sector Identifier URI is needed for Pairwise OAuth2Client profile |
OPENAM-18598 |
Clarify account linking in Social Provider Handler Node documentation |
OPENAM-18095 |
List all usable audit log attributes |
AM 7.4.0
AM 7.4.0
Corrected name of |
Added links to Knowledge Base articles about restricting access to endpoints |
Updated social identity provider configuration reference with more information about transformation scripts and added realm to redirect URL example |
Provided more detail about audit log events |
Corrected error in WDSSO REST call in Authentication guide |
Note added about a |
Clarified documentation for the OIDC user info plugin
that the |
Added explanation for audit filtering example in the Security guide |
Amended wording describing the Amster version used for upgrading exported configuration |
Updated instructions to download the UI source |
Documented changes to the OAuth 2.0 device authorization grant |
Updated format of scripting logger names |
Fixed error in Device Profile Collector node documentation |
Clarified information around tuning the CTS connection pool |
Added note to caution that a certificate must exist in the keystore before mapping secrets to that keystore |
Removed references to unsupported CoreWrapper API from the documentation |
Improved the information about the bindings available to OAuth 2.0 scripted extensions |
Added more information for the following authentication nodes |
Corrected information about storing device data in shared state for OATH Registration node |
Updated Node development documentation with a note that OTP Email Sender node supports plain text notifications only |
Added note to advise installers and upgraders to remove |
Documented the new |
Added new REST STS configuration property, |
Updated Authentication guide with links to WS-Federation implementation steps in Knowledge Base |
Clarified supported claims when requesting policy decisions |
Added a table to list the certificates used in SAML 2.0 flows with their corresponding secret mappings. For details, refer to Certificates and secrets |
Clarified the steps to remove an AM instance in the installation guide |
Added the default path for audit logs on Windows |
Added a note about adding urls to Valid WReply List to ensure successful WS-Federation sign-on flow |
Added Inner Tree Node capabilities and restrictions |
Corrected an error in the deployment diagram. Refer to Example deployment topology |
Updated module information to refer readers to Knowledge Base articles about certificate authentication |
Fixed a documentation error relating to OAuth 2.0 email service configuration values |
Documented authentication session state management scheme differences and concerns. For details, refer to Server-side sessions and Client-side sessions |
Updated instructions for setting CATALINA_OPTS on Windows |
Documented the setting to configure the rotatable amadmin secret cache expiry time. Refer to |
Documented the new |
AM 7.3.x
AM 7.3.3
-
OPENAM-23746: Incorrect
subvalue in mayAct script for delegation -
OPENAM-23714: Indicate that only one secret can be active for any secret label mapping
-
OPENAM-23638: Update DATA_STORE setting for silent install to
dirServer -
OPENAM-23620: Update documentation for error logging in Rest API
-
OPENAM-23616: Client secret not required for OAuth 2.0 client update request
-
OPENAM-23549: Error in documentation on scope validation
-
OPENAM-23362: Success redirect URL order of precedence is incorrect
-
OPENAM-21779: Fix errors in legacy OAuth 2 endpoint docs
-
OPENAM-21744: Remove statement about invalidating the client-side authentication session
-
OPENAM-21452: Update AES Keywrap note to apply only to SOAP STS
-
OPENAM-20974: Update path to incremental upgrade for amUpgrade tool
-
OPENAM-20859: Update SAML v2.0 reference section
AM 7.3.2
-
OPENAM-23188: Correct steps for accessing
am-externalin Node developer guide -
OPENAM-23139: Fix links to Agent docs from AM
-
OPENAM-23065: Update Knowledge links to Salesforce location
-
OPENAM-22871: Wrong default value for
STS instance is running as remote instance -
OPENAM-22741: Add missing step in "Configure amr claims" procedure
-
OPENAM-22635: Procedure for enabling the AM reaper is incorrect
-
OPENAM-22515: Document Logout Webhook key WebhookEventType
-
OPENAM-22449: Add Combined MFA Registration node to 7.3.x documentation
-
OPENAM-22327: Remove mention of Internet Explorer from AM docs
-
OPENAM-22254: Update browser support table for WebAuthn
-
OPENAM-22207: List HiddenValueCallback as interactive not read-only
-
OPENAM-22099: Remove misleading information about unsupported custom callbacks
-
OPENAM-22078: Update OATH Device Storage node
-
OPENAM-22045: Correct default log level
-
OPENAM-21935: Document the maximum JWT token liftime accepted by AM
-
OPENAM-21851: Clarify use of
Single SignOn Servicesetting for the IdP -
OPENAM-21650: Update base DN for AM configuration data
-
OPENAM-21051: Update logger names with new format
-
OPENAM-20987: Document OAuth 2.0 provider setting
Allow Client Credentials in Token Endpoint Query Parameters -
OPENAM-20673: Clarify device reset with WebAuthn
-
OPENAM-19899: Remove all instances of
/UI/login -
OPENAM-19575: Correct algorithm statement for
/oauth2/connect/jwk_uri -
OPENAM-19533: Remove unnecessary images from install steps
-
OPENAM-18598: Clarify account linking in Social Provider Handler node documentation
AM 7.3.1
-
AME-25154: Update the CATALINA_OPTS in setenv.bat for Windows
-
OPENAM-21851: Clarify use of
Single SignOn Servicesetting for the IdP -
OPENAM-21699: Fix example for authenticating to specific services
-
OPENAM-21620: Node development: Improve and correct Node class documentation
-
OPENAM-21580: Improve documentation on updating OAuth 2.0 clients
-
OPENAM-21579: Java keystores require ASCII passwords
-
OPENAM-21573: Amster upgrade documentation description contains an error
-
OPENAM-21383: Instructions to download the UI source code are out of date
-
OPENAM-21344: Update profile data scripting examples with try-catch blocks
-
OPENAM-21254: Complete note in Invalidate all sessions for a user section
-
OPENAM-21081: Clarify version support in Amster release notes
-
OPENAM-21051: Update logger name and review debug logging page
-
OPENAM-21048: Error in Device Profile Collector node documentation
-
OPENAM-20925: Inaccurate documentation on CTS tuning
-
OPENAM-20911:
Corewrapperobject no longer accessible in authentication nodes -
OPENAM-20909: Align multi-version release notes with content of previous versions
-
OPENAM-20906: Artifact changes in AM 7.3 aren’t documented in Release Notes
-
OPENAM-20903: Clarify audit filtering example
-
OPENAM-20870: Access token script API is incomplete
-
OPENAM-20835: Explain the
SESSION_BLACKLISTtoken that exists for client-side authentication sessions -
OPENAM-20666: Caution against duplicate OIDC ACR mappings
-
OPENAM-20591: Prevent ClassNotFoundException when removing click-* jars
-
OPENAM-20522: State that Sector Identifier URI is needed for Pairwise OAuth2Client profile
-
OPENAM-20311: Document AM property for LDAPS protocol
-
OPENAM-20038: Document which URLs for REST STS are made locally/remotely
-
OPENAM-19215: Missing documentation for WS Federation in Admin guide
-
OPENAM-19214: Authorization guide: Clarify supported claims in requesting policy decisions
-
OPENAM-19149: Clarify SAML certificates and secrets usage
-
OPENAM-18606: The documentation to remove an AM instance is misleading
-
OPENAM-18495: Provide details of each audit log event name in the AM documentation
-
OPENAM-18468: Maintenance guide: Update config store connection pool values
-
OPENAM-18099: Explanation of rawProfile information and mappings
-
OPENAM-18092: Provide better explanation on default Social Identity Provider configuration
-
OPENAM-18078: Review documentation on endpoints
-
OPENAM-17906: State default path for audit logs on windows
-
OPENAM-17580: Document configuration settings needed for AM 6.5.3+ for WS-Federation token issuer endpoints
-
OPENAM-17535: Authorization guide: Building the sample plugin is showing outdated info
-
OPENAM-16325: Inner Tree node capabilities and restrictions
-
OPENAM-16311: Rework transactional authorization over REST
-
OPENAM-16191: Deployment images lost accuracy between release 13.5 and 6
-
OPENAM-15083: Certificate Auth module needs detailed documentation
AM 7.3
-
Removed instructions on using deprecated chains and modules to set up push authentication. Use authentication trees instead, as described in Push authentication journeys.
-
Updated the format of these release notes to list cumulative changes, instead of reflecting only the changes for the current release.
-
Clarified that AM truncates sequences of whitespace with a single whitespace when creating SAML v2.0 values such as entity IDs.
-
Removed use of deprecated
withmethod from Scripted decision node API callbacks. -
Documented new
Use mixed case for password change messagesproperty for the LDAP Decision node. -
Added missing HTTP connector settings to WildFly setup instructions.
-
Updated information about
--acceptLicenseparameter in the Set up administration tools steps. -
Removed access token from header in call to /oauth2/connect/endSession.
-
Documented how to mark configuration properties as passwords in the Node development guide.
-
Improved documentation for dynamic client registration.
-
Improved description of the
Transformation Scriptfield for the Social Provider Handler node. -
Documented how to use the amupgrade tool to upgrade configuration.
-
Improved navigation of the authentication nodes configuration reference.
-
Clarified that the ForgeRock Authenticator app supports JPEG and PNG image formats.
-
Clarified location of
setenvscript in the Evaluation guide. -
Updated installation and deployment graphics to show less complex DS installations.
-
Described the role of the
Latest Access Time Update Frequencyproperty in session management.
AM 7.2.x
AM 7.2.2
-
OPENAM-22207: List HiddenValueCallback as interactive not read-only
-
OPENAM-22099: Remove misleading information about unsupported custom callbacks
-
OPENAM-22065: Fix Knowledge Base link in documentation
-
OPENAM-21851: Clarify use of
Single SignOn Servicesetting for the IdP -
OPENAM-21815: Clarify how transient state is removed after next callback
-
OPENAM-21383: Instructions to download the UI source code are out of date
-
OPENAM-21081: Clarify version support in Amster release notes
-
OPENAM-21071: Add more information for LDAP availability (KeepAlive) changes
-
OPENAM-21048: Error in Device Profile Collector node documentation
-
OPENAM-20929: Switch to multi-version release notes
-
OPENAM-20835: Explain the
SESSION_BLACKLISTtoken that exists for client-side authentication sessions -
OPENAM-20591: Prevent ClassNotFoundException when removing click-* jars
-
OPENAM-20522: State that Sector Identifier URI is needed for Pairwise OAuth2Client profile
-
OPENAM-20311: Document AM property for LDAPS protocol
-
OPENAM-19215: Missing documentation for WS Federation in Admin guide
-
OPENAM-19214: Authorization Guide: Clarify supported claims in Requesting Policy Decisions
-
OPENAM-19149: Clarify SAML certificates and secrets usage
-
OPENAM-18606: The documentation to remove an AM instance is misleading
-
OPENAM-18468: Maintenance guide: Update config store connection pool values
-
OPENAM-18099: Explanation of rawProfile information and mappings
-
OPENAM-17580: Document configuration settings needed for AM 6.5.3+ for WS-Federation token issuer endpoints
-
OPENAM-17535: Authorization guide: Building the sample plugin is showing outdated info
-
OPENAM-16325: Inner Tree node capabilities and restrictions
-
OPENAM-15083: Certificate Auth module needs detailed documentation
AM 7.2.1
-
Updated Changes in AM 7.2.x with changes to the TreeContext class.
-
Documented the advanced server properties that determine search settings for keepalive and availability checks. For details, refer to Advanced properties.
-
Documented the
evalThreadSizesetting as a tuning parameter for policy evaluation. For details, refer to Policy evaluation settings. -
Fixed an error in the Pass-through authentication node documentation.
-
Noted that the
JavaScript originsproperty of an OAuth 2.0 client does not support non-standard headers. -
Clarified that SAML assertions must be signed when using HTTP-POST.
-
Updated the JVM monitoring metrics.
-
Clarified the use of the
auditEntryDetailfor the scripted decision node. -
Clarified that Transactional authorization does not trigger account lockout.
-
Fixed an error in the UI customization documentation.
-
Updated the documentation on configuring JBoss and WildFly.
-
Updated the documentation on the validateGoto endpoint.
-
Indicated that using ID tokens as session tokens requires specific privileges.
-
Improved the social authentication documentation.
-
Updated the documentation on stateless session upgrade.
-
Clarified the
--realmsoption of theexport-configcommand. -
Documented a limitation related to bulk import to external application stores with affinity.
-
Added a workaround for a problem with
amsterrunning multi-line commands (OPENAM-18715)
AM 7.2
-
Updated the Choice Collector node documentation to clarify that the default choice is the first in the list if no default choice is specified.
-
Recommended the removal of the
velocity-1.7.jarlibrary after install or upgrade. -
Added a step to the instructions on building custom nodes.
-
Added
Logback.jsplogger names to the Debug logging documentation.
AM 7.1.x
AM 7.1.4
-
Cautioned that host-based cookies should be used for security reasons (Securing the Session Cookie)
-
Changed the default expiry time of server-side agent sessions (
com.iplanet.am.session.agentSessionIdleTime) -
Updated docs to indicate that the
failureUrlis not included in REST responses if it is empty -
Clarified SAML certificates and secrets usage
-
Clarified supported claims when requesting policy decisions over REST
-
Fixed an error in the Device Profile Collector node docs
-
Documented settings for WS-Federation token issuer endpoints (Federation Authentication Module)
-
Added Inner Tree Node capabilities and restrictions
-
Documented AM property for LDAPS protocol
org.forgerock.openam.ldap.secure.protocol.version) -
Advised that changes to Authentication Naming Attribute after setup require existing identities to be updated
-
Enhanced the documentation of the Provision Dynamic Account node
-
Advised administrators to increase DS search limits for large numbers of SAML entities SAML Deployment Considerations)
-
Documented
evalThreadSizesetting as tuning parameter for policy evaluation -
Clarified that SAML assertion must be signed when using HTTP-POST
-
Clarified use of
auditEntryDetailfor scripted decision node -
Added missing HTTP connector setting to JBoss setup instructions
-
Updated instructions on validating a
gotoURL -
Enhanced the documentation on the LDAP availability / KeepAlive changes, new in 7.1.3
-
Removed incorrect wording about namespaces in the node development docs
-
Noted that the
JavaScript Originsproperty of an OAuth2 client does not support non-standard headers -
Creating a SAML2 entity with a double space results in SAML2 entity with a single space
-
Updated Changes in AM 7.1.x with changes to the
TreeContextclass -
Updated the upgrade instructions with information on custom server default properties
AM 7.1.3
-
Updated Changes in AM 7.1.x with changes to the TreeContext class.
-
Added the
org.forgerock.openam.introspect.token.query.param.allowedadvanced server property. -
Added the
org.forgerock.openam.ldap.dncache.expire.timeadvanced server property, which sets the DN cache timeout. -
Updated the OATH Registration node and Push Registration node documentation for the customizable QR code message.
-
Updated the Remote consent documentation to describe the new JWKs URI.
-
Clarified the limitation on using ID tokens as access tokens. For details, refer to Additional Use Cases for ID Tokens.
-
Improved the logback documentation.
-
Updated the documentation on scripted policy conditions.
-
Documented the crypto settings in the IDM Provisioning service.
-
Added information on specifying remote entity encryption methods.
-
Added subject and body to the OTP Email Sender Node and OTP SMS Sender Node.
-
Added guidance on naming custom nodes.
-
Corrected an error in the ForceAuth documentation for authentication trees.
-
Corrected an error in the OIDC hybrid flow documentation.
-
Described how to customize account lockout messages.
-
Updated the documentation on custom post-authentication plugin hooks.
-
Updated the documentation on the OAuth2 Device flow.
-
Add information on overriding and customizing OIDC claims scripts.
-
Clarified change to CORS filter configuration from AM 7 onwards.
-
Documented the nonProxyHosts advanced server property for HTTP client connections.
AM 7.1.2
-
Added guidance on protecting user profile attributes.
-
Updated Multi-Factor Authentication Nodes with details of the OATH nodes that replicate the existing OATH module functionality:
-
OATH Registration Node
-
OATH Token Verifier Node
-
For information on how to create and test an authentication tree using the OATH nodes, refer to One-Time Password Authentication Using Trees.
AM 7.1.1
-
Updated the examples in the Accessing Shared State Data section.
-
Added documentation in Supported Callbacks about the following callbacks:
-
BooleanAttributeInputCallback
-
BooleanAttributeInputCallback
-
ConsentMappingCallback
-
KbaCreateCallback
-
NumberAttributeInputCallback
-
StringAttributeInputCallback
-
TermsAndConditionsCallback
-
ValidatedCreatePasswordCallback
-
ValidatedCreateUsernameCallback
-
-
Updated the Preparing for Development section to specify that you must include a
nodeDescriptionproperty in nodes to ensure that they appear in the authentication tree designer. -
Improved the procedure on mapping files in file system secret volumes to add more detail about how to encrypt and create filesystem-based secrets.
-
Updated the Directory Server Requirements to indicate that DS 5.+ is required as External Directory Server for 7.1.+.
-
Added a change in behavior to the logging on session timeout.
AM 7.1
-
Initial release of AM 7.1.
AM 7.0.x
AM 7.0.3
-
Updated Changes in AM 7.0.x with changes to the TreeContext class.
AM 7.0.2
-
Indicated that scripts should be upgraded as part of the upgrade process.
-
Improved the documentation about the request parameter of the
/oauth2/authorizeendpoint. -
Noted support for Internet Explorer 11 ends August 17, 2021, in alignment with the announcement from Microsoft ending support for Internet Explorer 11.
-
Updated Session Upgrade documentation to clarify that the
ForceAuthparameter used with an authentication tree causes AM to issue a new session token, regardless of the security requirements. -
Updated the Supported Upgrade Paths section to remove the upgrade from OpenAM 13.X and add upgrade path from AM 7.x.
-
Added a new section, Managing the Secure Cookie Filter.
-
Removed information about Oracle Weblogic from the installation guide as it is not supported in this version.
-
Added a new section, OAuth 2.0 Scopes Policy Script API Functionality.
-
Updated the Scripting Environment documentation to show how to obtain the Groovy and JavaScript engine version that AM is using.
-
As part of hardening the security around the SAML v2.0 implementation that occurred in AM 7, the URLs specified in the Assertion Consumer Service must exactly match the SP’s scheme, FQDN, and port.
-
Added a new section, Setting Session Properties.
AM 7.0.1
-
Added documentation on Adding Audit Information.
-
Improved the documentation on Tuning Authentication Node/Module LDAP Connections.
-
Added information on determining if an existing session is present before using the Get Session Data Node.
-
Added information on configuring the public key or HMAC secret in Authenticating Clients Using JWT Profiles.
-
Added information on using the
ssoadmcommand with secure connections in Setting Up Administration Tools. -
Updated Web or Java Agents SSO and SLO with Java Agent 5.7 and Web Agent 5.7 properties.
-
Updated JVM tuning properties.
-
Documented commands to export policy and application store LDIF files.
-
Clarified documentation on OAuth 2.0 JWK URI cache settings in To Create and Configure a Client Profile.
-
Clarified documentation on SAML v2.0 hosted SP attribute map in Hosted Service Provider Configuration Properties.
-
Corrected the Device Tampering Verification documentation to indicate that the device determines the score, rather than the node or the ForgeRock SDKs.
-
Updated how to create an HTTPS connector for Tomcat in Configuring AM’s Container for HTTPS.
-
Corrected the account mapper classes in Example: Protecting a Web Site With OAuth 2.0.
-
Added documentation about HTTP options when configuring a JVM proxy in front of AM in Preparing the Environment.
-
Updated the Linking Identities Automatically with Auto-Federation section to use the new UI.
-
Corrected the user required to perform policy evaluation with REST in To Evaluate a Policy.
-
Corrected the procedure on SAML v2.0 chains, in Linking Identities by Using Authentication Trees or Chains.
AM 7.0
-
Initial release of AM 7.