PingAM release notes

Documentation updates

In addition to the changes described elsewhere in these release notes, the published documentation for each AM version includes the following important changes.

The Amster release notes have been combined into the AM release notes. These release notes now include Amster changes since AM 7.2.

AM 8.0.x

AM 8.0.1

  • AME-31340: Document ability of Push Notification service to reset device ID

  • AME-31138: Document removal of library scripts from custom scripted nodes

  • OPENAM-23714: Indicate that only one secret can be active for any secret label mapping

  • OPENAM-23616: Client secret not required for OAuth 2.0 client update request

AM 8.0

  • AME-31026: Deprecate audit event handlers

  • AME-30978: Add the Set Error Details node to nodes list and add details about the acceptException() method

  • AME-30936: Mark legacy monitoring as deprecated

  • AME-30901: Document dynamic client registration scripting

  • AME-30890: OPENAM-23637: Add documentation for No Session Trees and update session text where necessary

  • AME-30857: Config Provider node script enabled for next-gen scripting engine

  • AME-30819: Upgrade instructions for Tomcat 10

  • AME-30789: Remove SNMP properties from the documentation

  • AME-30457: Document updated TLS Client Certificate Header Format option value

  • AME-30442: OPENAM-22904: Overhaul STS guide - remove SOAP STS and modules and chains

  • AME-30393: Document new next-generation cookieName binding

  • AME-30392: Document next-generation context for policy condition scripts

  • AME-30344: Document DER-formatted certificates for OAuth2: Client authentication

  • AME-30333: Document IDM Environment Condition

  • AME-30291: SAML certificate metadata update

  • AME-30249: Document backchannel authentication

  • AME-30229: Document the Message-Authenticator attribute config for RADIUS servers

  • AME-30173: Update Evaluation guide to use external DS

  • AME-30154: Document prevent use of mustRun trees as realm default

  • AME-30046: AM: Document the Flow Control node

  • AME-30026: Document new next-gen scripting utils.crypto.subtle binding

  • AME-29963: AME-30155: Document OIDC application journeys

  • AME-29951: Document back-channel logout exp claim

  • AME-29759: Document new next-generation script method to get random values

  • AME-29757: Document removal of custom Social IdP UI configuration properties

  • AME-29754: Document new suspend and resume functionality in Scripted Decision node

  • AME-29685: Revise the section about post-authentication tree hooks

  • AME-29619: Add navigation for the new Success Details node

  • AME-29538: Update next-generation scripting documentation with exception handling scenarios

  • AME-29511: Document the WebAuthn metadata service and related secret label for FIDO certification

  • AME-29485: Document samlApplication script binding

  • AME-29415: Document the Failure Details node

  • AME-29406: AME-29431: Document new prometheus endpoints

  • AME-29326: Document property to indicate OIDC provider doesn’t return unique value for the sub claim

  • AME-29179: Document additional Config Provider node options

  • AME-29168: Add section on node security

  • AME-29165: Added "Send an HTTP request" section

  • AME-29164: Update Maintain Authentication nodes

  • AME-29163: Update Plugin Class

  • AME-29162: Update Handle Errors

  • AME-29161: AME-29141: Reorganise node developer guide

  • AME-29160: Update Action Class

  • AME-29159: Update Inject Objects into a node

  • AME-29155: Document new NodeState merge state methods

  • AME-29133: Config Interface @Attribute Improvements

  • AME-29132: Node Metadata Improvements

  • AME-29131: Node Class Improvements

  • AME-29129: AME-29127: AME-29130: Updates to nodes 'Prepare for development' page

  • AME-29072: Document change in behavior for self-signed root CA provided in WebAuthN attestation

  • AME-28883: Document grace period for client-side sessions in one-to-one storage scheme

  • AME-28726: Documentation for custom LINE OIDC config

  • AME-28682: Outdated options in DS command-line examples

  • AME-28614: Documentation of fix for validateJwtClaims failing when using a RS256: Alg signature

  • AME-28596: Document add entity configuration to enable journey association

  • AME-28322: Document new scripting monitoring metrics

  • AME-28264: Document new advanced server property for configurable ID token clock skew time

  • AME-28256: Document configure journey to always run to completion

  • AME-28057: Document Distributed Tracing

  • AME-27982: Add Customize account lockout message example from KB

  • AME-27965: Add KB content from How do I add a roles claim to the OIDC Claims Script in AM?

  • AME-27964: Add KB content from How do I add a session property claim to the OIDC Claims Script?

  • AME-27963: Adding salient info from How do I add custom claims to the OIDC Claims Script in AM?

  • AME-27962: Add content from How do I override claims in the OIDC ID token in Identity Cloud or AM?

  • AME-27953: Documentation for enabling mTLS for HTTP Client script binding

  • AME-27930: Docs on preparing a truststore should use DS 7.x security model

  • AME-27878: Document customizing SAML NameID with a script

  • AME-27846: Document the addition of encodeURI form body for httpClient

  • AME-27845: Document the Scripted Decision node access to context.request.cookies

  • AME-27844: Document new functions added to ActionWrapper next-generation script binding

  • AME-27843: Document rotation of the http proxy password without server restart

  • AME-27841: Document availability of utility classes in library scripts

  • AME-27840: Documentation for new utility class script bindings

  • AME-27838: Document secrets binding for all next-generation scripts

  • AME-27834: Client certificate in SP metadata is configurable

  • AME-27774: AME-27792: Document audit logging changes for trees

  • AME-27726: Add more information for activity audit log events

  • AME-27697: Document jwtAssertion and jwtValidator next-generation scripting improvements

  • AME-27609: Document renaming of OAuth2: Client ID Token Public Encryption Key property

  • DOCS-7931: Rename ForgeRock SDKs to Ping SDKs

  • OPENAM-28565: Add note to docs about reserved binding names

  • OPENAM-23662: Document the Amster Jwt Decision node

  • OPENAM-23660: Update docs to include info on default trees that exist in AM 8

  • OPENAM-23620: Update REST version messages

  • OPENAM-23558: Provide more info on the am_authentication_count metric

  • OPENAM-23549: Error in documentation on scope validation

  • OPENAM-23547: Remove deprecated openam-legacy-debug-slf4j module from docs

  • OPENAM-23513: Update supported directory stores

  • OPENAM-23463: Docs for Journey Timeout settings for authenticated sessions

  • OPENAM-23461: Docs for Journey Timeout settings for pre-authentication sessions

  • OPENAM-23411: Document changes to default denylist poll interval

  • OPENAM-23410: Document changes to mergeShared and mergeTransient nodeState methods

  • OPENAM-23407: Updated Localize AM section to make it clearer that you have to download the UI first

  • OPENAM-23362: Success Redirect order is incorrect

  • OPENAM-23278: Clarify docs on CTS token types

  • OPENAM-23277: Update Amster upgrade section to include 7.5

  • OPENAM-23188: Correct steps for accessing am-external in auth node developer guide

  • OPENAM-23171: Errors in SAML 2.0: profile OAuth 2: Grant docs

  • OPENAM-23104: authLib script context missing from docs

  • OPENAM-23081: Document improvements to transactional authorization

  • OPENAM-23078: Update steps for letting DS manage CTS tokens

  • OPENAM-23066: Update amr claims section to use OIDC claims script instead of module mapping

  • OPENAM-23036: Incorrect example used in Configure scr claims

  • OPENAM-23005: Add section on creating trees using REST

  • OPENAM-22887- 22906: Remove deprecated modules and chains from the documentation

  • OPENAM-22899: Add notes to the Radius guide about reenabling modules and chains

  • OPENAM-22878: Document the settings for OCSP verification

  • OPENAM-22871: Wrong default value for STS Instance is running as remote instance

  • OPENAM-22841: Document new OIDC LinkedIn social identity provider configuration

  • OPENAM-22813: Remove AM 6.x references including for supported upgrades

  • OPENAM-22741: Adding missing step in "Configure amr claims" procedure

  • OPENAM-22641: Corrected token terminology per feedback

  • OPENAM-22635: Rework pruning CTS tokens

  • OPENAM-22607: Link to DS docs for appropriate tuning info

  • OPENAM-22549: Add references for Set State node

  • OPENAM-22525: Add HSM support info from KB

  • OPENAM-22515: Document Logout Webhook key WebhookEventType

  • OPENAM-22417: Add link to max length property for goTo URL

  • OPENAM-22385: Document default values for Session properties

  • OPENAM-22356: Include a more useful link in Release Notes for custom auth node secrets enablement

  • OPENAM-22343: Document method return types for the script binding

  • OPENAM-22339: Provide example systemd script for AM

  • OPENAM-22327: Remove mention of Internet Explorer from AM docs

  • OPENAM-22254: Update browser support table for WebAuthn

  • OPENAM-22157: Clarify version support in upgrade instructions

  • OPENAM-22152: Additional information required in token exchange impersonation

  • OPENAM-22100: OPENAM-22049: OPENAM-22885: OPENAM-21325: Various improvements to upgrading servers section

  • OPENAM-22099: Remove misleading information about unsupported custom callbacks

  • OPENAM-22045: Corrected default log level

  • OPENAM-21935: Document the maximum JWT token liftime accepted by AM

  • OPENAM-21907: Added a tip to the setup guide for finding server and site IDs

  • OPENAM-21857: Document security hardening for UMA confusable homoglyphs

  • OPENAM-21763: Update terminology around "sessions" to use authenticated and pre-authentication

  • OPENAM-21763: Changed pre-authentication session terminology to journey session

  • OPENAM-21744: Removed incorrect statement about invalidating client-side auth session

  • OPENAM-21591: Document checkIssuerForIdTokenInfo advanced server property

  • OPENAM-20673: Clarify device reset with WebAuthn

  • OPENAM-20591: Prevent ClassNotFoundException when removing click-* jars

  • OPENAM-19899: Remove all instances of /UI/login

  • OPENAM-19575: OIDC guide feedback: Check algorithm statement for /oauth2/connect/jwk_uri

  • OPENAM-19533: Remove unnecessary images from installation steps

  • OPENAM-19395: Distinguish between general mail server and self-service mail service

  • SDKS-3759: Added verifyTransactionsHelper script binding docs from AIC.

  • SDKS-3173: The PingOne Worker service requires a configured OAuth2 provider service.

  • SDKS-2959: Document PingOne Protect-related callbacks

  • SDKS-2953: Document PingOne Worker service

  • SDKS-2864: Adding new nodes to catalog page in AM

  • SDKS-2861: Add PingOne Protect nodes to the list of nodes

AM 7.5.x

AM 7.5.2

  • AME-32653: Document support for PingDirectory as an identity store

  • OPENAM-24374: Correct docs for validators in Auth Node dev guide

  • OPENAM-24320: Indicate support for other third-party authenticator apps

  • OPENAM-24300: Update AM docs regarding PKCS12 keystore support

  • OPENAM-24225: Fully integrate Amster docs into AM docs

  • OPENAM-24196: SAML documentation improvements

  • OPENAM-24158: Address feedback on the ForgeRock Authenticator app

  • OPENAM-24092: Transactional authorization policies aren’t supported for the JwtClaim subject type

  • OPENAM-24067: Created a single drawio.png which includes the vector

  • OPENAM-24067: Add documentation on how to rename MFA devices & update push diagram

  • OPENAM-24018: Improve IdP adapter custom script

  • OPENAM-24014: Fix encoding for auth header example

  • OPENAM-23959: Fix error in default secret alias name

  • OPENAM-23920: Clarify requirements for environment condition and difference from subject condition

  • OPENAM-23855: JDBC Audit log table note about VARCHAR limits

  • OPENAM-23746: Incorrect sub value in mayAct script for delegation

  • OPENAM-23714: Indicate only one secret can be active for any secret label mapping

  • OPENAM-23638: Fix DATA_STORE setting for silent install should be dirServer

  • OPENAM-23620: Update docs for error logging in Rest API

  • OPENAM-23616: Client secret not required for OAuth 2.0 client update request

  • OPENAM-23549: Error in documentation on scope validation

  • OPENAM-23485: Add more info on how locale is used

  • OPENAM-23407: Updated Localize AM section to make it clearer that you have to download the UI first

  • OPENAM-23394: Clarify usage of FBC at install time

  • OPENAM-23362: Success redirect order is incorrect

  • OPENAM-23359: Added note about FBC not being supported

  • OPENAM-23281: Document bindings for Social IdP Profile transformation script type

  • OPENAM-23126: Incorrect guidance on setSessionProperty

  • OPENAM-22853: Add description for Token Endpoint Authentication Method is none

  • OPENAM-22849: The DS rebuild-index command doesn’t have a --useSsl option

  • OPENAM-22576: Updating links for the push auth nodes

  • OPENAM-22576: Update MFA related screenshots

  • OPENAM-22173: Provide more detail for httpClient script binding

  • OPENAM-22100: Improvements to upgrading servers section

  • OPENAM-21858: Document the fields available for SAML Name ID Mapping

  • OPENAM-21849: Configure same key for two AMs using AES

  • OPENAM-21779: Fixed errors in legacy OAuth 2.0 endpoint docs

  • OPENAM-21744: Removed an incorrect statement about invalidating the client-side auth session

  • OPENAM-21655: Updated docs to reflect correct default setting for HTTP only cookies

  • OPENAM-21638: Clarified the valid values for the default lockout attribute

  • OPENAM-21455: Added more info around SAML 2.0 algorithms

  • OPENAM-21454: Provide sample SAML metadata files

  • OPENAM-21452: Made AES Keywrap note specific to SOAP STS

  • OPENAM-20974: Update path to incremental upgrade for amUpgrade tool

  • OPENAM-19503: Fixed CustomIdRepoConfig idRepoClass method name

  • SDKS-2793: Add bound devices to list of upgrade LDIF files.

AM 7.5.1

  • AME-29538: Update next-generation scripting documentation with exception handling scenarios

  • AME-28883: Add info from KB about different token types in the CTS

  • AME-28766: Documentation for new utility class script binding

  • AME-28682: Update options in DS command-line examples

  • AME-27982: Add customize account lockout message example from Knowledge Base

  • AME-27930: Documentation on preparing a truststore should use DS 7.x security model

  • AME-27726: Add more information for activity audit log events

  • AME-22545: com.sun.identity.sm.filebased_embedded_enabled must be set to false after migration

  • AMAGENTS-6487: Update info about web agent and session cookie name in line with changes to web agent docs

  • FRAAS-20042: Add content from How do I check what MFA devices are registered to a user in Identity Cloud and AM?

  • OPENAM-23277: Update Amster upgrade section to include 7.5

  • OPENAM-23188: Correct steps for accessing am-external in auth node developer guide

  • OPENAM-23078: Update steps for letting DS manage CTS tokens

  • OPENAM-23005: Add section on creating trees using REST

  • OPENAM-22972: Request to add a statement on async in doc

  • OPENAM-22931: Two callbacks are incorrectly named in the documentation

  • OPENAM-22871: Wrong default value for STS instance is running as remote instance

  • OPENAM-22741: Add missing step in "Configure amr claims" procedure

  • OPENAM-22641: Correct token terminology per feedback

  • OPENAM-22635: Rework pruning CTS tokens

  • OPENAM-22607: Link to DS docs for appropriate tuning info

  • OPENAM-22515: Document Logout Webhook key WebhookEventType

  • OPENAM-22356: Include a more useful link in Release Notes for custom auth node secrets enablement

  • OPENAM-22343: Document method return types for the script binding

  • OPENAM-22339: Provide example systemd script for AM

  • OPENAM-22327: Remove mention of Internet Explorer from AM documentation

  • OPENAM-22254: Update browser support table for WebAuthn

  • OPENAM-22157: Clarify version support in upgrade instructions

  • OPENAM-22099: Remove misleading information about unsupported custom callbacks

  • OPENAM-22045: Correct default log level

  • OPENAM-21935: Document the maximum JWT token lifetime accepted by AM

  • OPENAM-21907: Added a tip to the Setup guide for finding server and site IDs

  • OPENAM-21778: Error in documentation on modifying access tokens

  • OPENAM-20673: Clarify device reset with WebAuthn

  • OPENAM-20591: Prevent ClassNotFoundException when removing click-* jars

  • OPENAM-19899: Remove all instances of /UI/login

  • OPENAM-19575: OIDC guide feedback: Check algorithm statement for /oauth2/connect/jwk_uri

  • OPENAM-19533: Remove unnecessary images from installation steps

  • OPENAM-19395: Distinguish between general mail server and self-service mail service

  • SDKS-3173: The PingOne Worker service requires a configured OAuth 2.0 provider service

  • SDKS-2861: Add PingOne Protect nodes to the list of nodes

AM 7.5

  • OPENAM-22207: List HiddenValueCallback as interactive not read-only

  • OPENAM-22098: Additional information required in JWT validation example

  • OPENAM-22065: Fix Knowledge Base link in documentation

  • OPENAM-22061: The Get Session Data Node updates the objectAttributes

  • OPENAM-21964: Update and align documentation for secret default mappings

  • OPENAM-21914: Clarify deprecation and replacement of shared and transient state bindings

  • OPENAM-21900: The Identify Existing User Node updates the shared state username

  • OPENAM-21885: Clarify statement on realms in the API Explorer docs

  • OPENAM-21882: Document minimum OTP length for HOTP Generator node

  • OPENAM-21851: Clarify use of setting for the IdP

  • OPENAM-21801: Next generation scripting: Update nodeState.getObject

  • OPENAM-21798: Next generation scripting: Document "get" wrapper functions

  • OPENAM-21759: Clarify use of Java class allowlisting in next-generation scripting

  • OPENAM-21754: Add warning to library scrips about use of third party libraries

  • OPENAM-21723: Attribute Present Decision node: Add note about case-sensitivity

  • OPENAM-21711: Incorrect acr_values step in Backchannel request grant

  • OPENAM-21706: Policy evaluation will succeed for failed transactional authorization under certain conditions

  • OPENAM-21699: Fix example for authenticating to specific services

  • OPENAM-21696: Add a note to the Set Custom Cookie node docs around host vs domain cookies

  • OPENAM-21670: Setup guide: Check and update link to affinity load balancing

  • OPENAM-21667: Sessions guide: Set JWT token expiry if you update max session TTL

  • OPENAM-21622: Retry limit decision node: Wrong shared state property name

  • OPENAM-21620: Node development: Improve and correct Node class documentation

  • OPENAM-21603: Missing spaces in catalina opts example prevents tomcat starting

  • OPENAM-21504: List Prometheus output with better description.

  • OPENAM-21418: Fix numbering in JWT profile sequence diagram

  • OPENAM-21413: Sample script in SAML docs does not work

  • OPENAM-21344: Update profile data scripting examples with try-catch blocks

  • OPENAM-20906: Artifact changes in AM 7.3 are not documented in Release Notes

  • OPENAM-20752: OAuth2 scripted policy condition variables needs updating

  • OPENAM-20522: State in docs that Sector Identifier URI is needed for Pairwise OAuth2Client profile

  • OPENAM-20349: Add detail to the Device Match node docs

  • OPENAM-19204: Customer cannot rely on Transient Node data for WebAuthN Authentication Node

  • OPENAM-18095: Update documentation with all available audit log fields

AM 7.4.x

AM 7.4.2

  • AME-29951: Document back-channel logout exp claim

  • AME-29538: Update next-generation scripting documentation with exception handling scenarios

  • AME-27726: Add more information for activity audit log events

  • AME-27697: Document jwtAssertion and jwtValidator next-generation scripting improvements

  • AME-27432: SAML Artifact flow fails when running AM with JRE 17

  • AME-22545: com.sun.identity.sm.filebased_embedded_enabled must be set to false after migration

  • OPENAM-23394: Clarify usage of FBC at install time

  • OPENAM-23362: Success redirect order is incorrect

  • OPENAM-23359: Added note about FBC not being supported

  • OPENAM-23188: Correct steps for accessing am-external in node developer guide

  • OPENAM-23078: Update steps for letting DS manage CTS tokens

  • OPENAM-22972: Request to add a statement on async in doc

  • OPENAM-22871: Wrong default value for STS instance is running as remote instance

  • OPENAM-22741: Adding missing step in "Configure amr claims" procedure

  • OPENAM-22635: Procedure for enabling the AM reaper is incorrect

  • OPENAM-22515: Document Logout Webhook key WebhookEventType

  • OPENAM-22327: Remove mention of Internet Explorer from AM docs

  • OPENAM-22254: Update browser support table for WebAuthn

  • OPENAM-22207: List HiddenValueCallback as interactive not read-only

  • OPENAM-22157: Clarify version support in upgrade instructions

  • OPENAM-22100 OPENAM-22049 OPENAM-22885 OPENAM-21325: Improvements to upgrading servers section

  • OPENAM-22099: Remove misleading information about unsupported custom callbacks

  • OPENAM-22045: Corrected default log level

  • OPENAM-21935: Document the maximum JWT token liftime accepted by AM

  • OPENAM-21907: Added a tip to the setup guide for finding server and site IDs

  • OPENAM-21744: Removed an incorrect statement about invalidating client-side auth session

  • OPENAM-21650: Updated base DN for AM configuration data

  • OPENAM-21165: Request for a sample script to be added to the docs

  • OPENAM-20673: Clarify device reset with WebAuthn

  • OPENAM-20591: Prevent ClassNotFoundException when removing click-* jars

  • OPENAM-19899: Remove all instances of /UI/login

  • OPENAM-19575: OIDC guide feedback: Check algorithm statement for /oauth2/connect/jwk_uri

  • OPENAM-19533: Remove unnecessary images from install steps

  • OPENAM-19395: Distinguish between general mail server and self-service mail service

AM 7.4.1

  • AME-27930: Prepare truststore should use 7.x DS security model

  • AME-27531: Incorrect description for Scripting Engine configuration for Thread pool queue size

  • AME-25385: Document the HTTP client asynchronous feature

  • OPENAM-22635: Procedure for enabling the AM reaper is incorrect

  • OPENAM-22207: List HiddenValueCallback as interactive not read-only

  • OPENAM-22099: Remove misleading information about unsupported custom callbacks

  • OPENAM-22098: Additional information required in JWT validation example

  • OPENAM-22066: Document Social Provider Handler node nodeState updates

  • OPENAM-22065: Fix Knowledge Base link in documentation

  • OPENAM-21914: Clarify deprecation and replacement of shared and transient state bindings

  • OPENAM-21851: Clarify use of Single SignOn Service setting for the IdP

  • OPENAM-21801: Next generation scripting: Update nodeState.getObject

  • OPENAM-21798: Next generation scripting: Document "get" wrapper functions

  • OPENAM-21754: Add warning to library scrips about use of third party libraries

  • OPENAM-21699: Fix example for authenticating to specific services

  • OPENAM-21696: Add a note to the Set Custom Cookie node docs around host vs domain cookies

  • OPENAM-21667: Sessions guide: Set JWT token expiry if you update max session TTL

  • OPENAM-21666: Security guide: Byte and MB values of request body limit don’t match

  • OPENAM-21620: Node development: Improve and correct Node class documentation

  • OPENAM-21603: Missing spaces in catalina opts example prevents tomcat starting

  • OPENAM-21457: Clarify where the Failure node routes a user

  • OPENAM-21419: Security guide: Attach Java examples for custom secret stores

  • OPENAM-21413: Fix sample script in SAML docs

  • OPENAM-21344: Update profile data scripting examples with try-catch blocks

  • OPENAM-20752: OAuth 2.0 scripted policy condition variables need updating

  • OPENAM-20522: State that Sector Identifier URI is needed for Pairwise OAuth2Client profile

  • OPENAM-18598: Clarify account linking in Social Provider Handler Node documentation

  • OPENAM-18095: List all usable audit log attributes

AM 7.4

  • Corrected name of SSOResponse binding in SAML SP adapter sample script.

  • Added links to Knowledge Base articles about restricting access to endpoints.

  • Updated social identity provider configuration reference with more information about transformation scripts and added realm to redirect URL example.

  • Provided more detail about audit log events.

  • Corrected error in WDSSO REST call in Authentication guide.

  • Note added about a SESSION_BLACKLIST token that exists for client-side authentication sessions.

  • Clarified documentation for the OIDC user info plugin that the /userinfo retrieves claims from the profile scope only.

  • Added explanation for audit filtering example in the Security guide.

  • Amended wording describing the Amster version used for upgrading exported configuration.

  • Updated instructions to download the UI source.

  • Documented changes to the OAuth 2.0 device authorization grant.

  • Updated format of scripting logger names

  • Fixed error in Device Profile Collector node documentation.

  • Clarified information around tuning the CTS connection pool.

  • Added note to caution that a certificate must exist in the keystore before mapping secrets to that keystore.

  • Removed references to unsupported CoreWrapper API from the documentation.

  • Improved the information about the bindings available to OAuth 2.0 scripted extensions.

  • Added more information for the following authentication nodes:

  • Corrected information about storing device data in shared state for OATH Registration node.

  • Updated Node development documentation with a note that OTP Email Sender node supports plain text notifications only.

  • Added note to advise installers and upgraders to remove web.xml entry to prevent a click-servlet exception.

  • Documented the new org.forgerock.openam.ldap.secure.protocol.version advanced property for defining the protocols AM uses to connect to a secure LDAP server.

  • Added new REST STS configuration property, STS Instance is running as remote instance. For details, refer to REST STS configuration

  • Updated Authentication guide with links to WS-Federation implementation steps in Knowledge Base.

  • Clarified supported claims when requesting policy decisions.

  • Added a table to list the certificates used in SAML 2.0 flows with their corresponding secret mappings. For details, refer to Certificates and secrets.

  • Clarified the steps to remove an AM instance in the installation guide.

  • Added the default path for audit logs on Windows.

  • Added a note about adding urls to Valid WReply List to ensure successful WS-Federation sign-on flow.

  • Added Inner Tree Node capabilities and restrictions.

  • Corrected an error in the deployment diagram. Refer to Example deployment topology.

  • Updated module information to refer readers to Knowledge Base articles about certificate authentication.

  • Fixed a documentation error relating to OAuth 2.0 email service configuration values.

  • Documented authentication session state management scheme differences and concerns. For details, refer to Server-side sessions and Client-side sessions.

  • Updated instructions for setting CATALINA_OPTS on Windows.

  • Documented the setting to configure the rotatable amadmin secret cache expiry time. Refer to org.forgerock.openam.secrets.special.user.secret.refresh.seconds.

  • Documented the new Enabled setting for external data stores.

AM 7.3.x

AM 7.3.3

  • OPENAM-23746: Incorrect sub value in mayAct script for delegation

  • OPENAM-23714: Indicate that only one secret can be active for any secret label mapping

  • OPENAM-23638: Update DATA_STORE setting for silent install to dirServer

  • OPENAM-23620: Update documentation for error logging in Rest API

  • OPENAM-23616: Client secret not required for OAuth 2.0 client update request

  • OPENAM-23549: Error in documentation on scope validation

  • OPENAM-23362: Success redirect URL order of precedence is incorrect

  • OPENAM-21779: Fix errors in legacy OAuth 2 endpoint docs

  • OPENAM-21744: Remove statement about invalidating the client-side authentication session

  • OPENAM-21452: Update AES Keywrap note to apply only to SOAP STS

  • OPENAM-20974: Update path to incremental upgrade for amUpgrade tool

  • OPENAM-20859: Update SAML v2.0 reference section

AM 7.3.2

  • OPENAM-23188: Correct steps for accessing am-external in Node developer guide

  • OPENAM-23139: Fix links to Agent docs from AM

  • OPENAM-23065: Update Knowledge links to Salesforce location

  • OPENAM-22871: Wrong default value for STS instance is running as remote instance

  • OPENAM-22741: Add missing step in "Configure amr claims" procedure

  • OPENAM-22635: Procedure for enabling the AM reaper is incorrect

  • OPENAM-22515: Document Logout Webhook key WebhookEventType

  • OPENAM-22449: Add Combined MFA Registration node to 7.3.x documentation

  • OPENAM-22327: Remove mention of Internet Explorer from AM docs

  • OPENAM-22254: Update browser support table for WebAuthn

  • OPENAM-22207: List HiddenValueCallback as interactive not read-only

  • OPENAM-22099: Remove misleading information about unsupported custom callbacks

  • OPENAM-22078: Update OATH Device Storage node

  • OPENAM-22045: Correct default log level

  • OPENAM-21935: Document the maximum JWT token liftime accepted by AM

  • OPENAM-21851: Clarify use of Single SignOn Service setting for the IdP

  • OPENAM-21650: Update base DN for AM configuration data

  • OPENAM-21051: Update logger names with new format

  • OPENAM-20987: Document OAuth 2.0 provider setting Allow Client Credentials in Token Endpoint Query Parameters

  • OPENAM-20673: Clarify device reset with WebAuthn

  • OPENAM-19899: Remove all instances of /UI/login

  • OPENAM-19575: Correct algorithm statement for /oauth2/connect/jwk_uri

  • OPENAM-19533: Remove unnecessary images from install steps

  • OPENAM-18598: Clarify account linking in Social Provider Handler node documentation

AM 7.3.1

  • AME-25154: Update the CATALINA_OPTS in setenv.bat for Windows

  • OPENAM-21851: Clarify use of Single SignOn Service setting for the IdP

  • OPENAM-21699: Fix example for authenticating to specific services

  • OPENAM-21620: Node development: Improve and correct Node class documentation

  • OPENAM-21580: Improve documentation on updating OAuth 2.0 clients

  • OPENAM-21579: Java keystores require ASCII passwords

  • OPENAM-21573: Amster upgrade documentation description contains an error

  • OPENAM-21383: Instructions to download the UI source code are out of date

  • OPENAM-21344: Update profile data scripting examples with try-catch blocks

  • OPENAM-21254: Complete note in Invalidate all sessions for a user section

  • OPENAM-21081: Clarify version support in Amster release notes

  • OPENAM-21051: Update logger name and review debug logging page

  • OPENAM-21048: Error in Device Profile Collector node documentation

  • OPENAM-20925: Inaccurate documentation on CTS tuning

  • OPENAM-20911: Corewrapper object no longer accessible in authentication nodes

  • OPENAM-20909: Align multi-version release notes with content of previous versions

  • OPENAM-20906: Artifact changes in AM 7.3 aren’t documented in Release Notes

  • OPENAM-20903: Clarify audit filtering example

  • OPENAM-20870: Access token script API is incomplete

  • OPENAM-20835: Explain the SESSION_BLACKLIST token that exists for client-side authentication sessions

  • OPENAM-20666: Caution against duplicate OIDC ACR mappings

  • OPENAM-20591: Prevent ClassNotFoundException when removing click-* jars

  • OPENAM-20522: State that Sector Identifier URI is needed for Pairwise OAuth2Client profile

  • OPENAM-20311: Document AM property for LDAPS protocol

  • OPENAM-20038: Document which URLs for REST STS are made locally/remotely

  • OPENAM-19215: Missing documentation for WS Federation in Admin guide

  • OPENAM-19214: Authorization guide: Clarify supported claims in requesting policy decisions

  • OPENAM-19149: Clarify SAML certificates and secrets usage

  • OPENAM-18606: The documentation to remove an AM instance is misleading

  • OPENAM-18495: Provide details of each audit log event name in the AM documentation

  • OPENAM-18468: Maintenance guide: Update config store connection pool values

  • OPENAM-18099: Explanation of rawProfile information and mappings

  • OPENAM-18092: Provide better explanation on default Social Identity Provider configuration

  • OPENAM-18078: Review documentation on endpoints

  • OPENAM-17906: State default path for audit logs on windows

  • OPENAM-17580: Document configuration settings needed for AM 6.5.3+ for WS-Federation token issuer endpoints

  • OPENAM-17535: Authorization guide: Building the sample plugin is showing outdated info

  • OPENAM-16325: Inner Tree node capabilities and restrictions

  • OPENAM-16311: Rework transactional authorization over REST

  • OPENAM-16191: Deployment images lost accuracy between release 13.5 and 6

  • OPENAM-15083: Certificate Auth module needs detailed documentation

AM 7.3

  • Removed instructions on using deprecated chains and modules to set up push authentication. Use authentication trees instead, as described in Push authentication journeys.

  • Updated the format of these release notes to list cumulative changes, instead of reflecting only the changes for the current release.

  • Clarified that AM truncates sequences of whitespace with a single whitespace when creating SAML v2.0 values such as entity IDs.

  • Removed use of deprecated with method from Scripted decision node API callbacks.

  • Documented new Use mixed case for password change messages property for the LDAP Decision node.

  • Added missing HTTP connector settings to WildFly setup instructions.

  • Updated information about --acceptLicense parameter in the Set up administration tools steps.

  • Removed access token from header in call to /oauth2/connect/endSession.

  • Documented how to mark configuration properties as passwords in the Node development guide.

  • Improved documentation for dynamic client registration.

  • Improved description of the Transformation Script field for the Social Provider Handler node.

  • Documented how to use the amupgrade tool to upgrade configuration.

  • Improved navigation of the authentication nodes configuration reference.

  • Clarified that the ForgeRock Authenticator app supports JPEG and PNG image formats.

  • Clarified location of setenv script in the Evaluation guide.

  • Updated installation and deployment graphics to show less complex DS installations.

  • Described the role of the Latest Access Time Update Frequency property in session management.