Fixes in AM 7.4.x

OPENAM-23441

Enabling OAuth2 client option "Allow wildcard ports in redirect URIs" prevents application URIs from working

OPENAM-23091

Fix for systemEnv.getProperty() in next-generation scripting

OPENAM-23059

ssoadm doesn’t work against realm defaults

OPENAM-22988

Failover doesn’t occur when heartbeat interval is set to 0

OPENAM-22846

External app/policy store active/passive LB isn’t working

OPENAM-22836

Unable to update KBA security questions using XUI

OPENAM-22717

SP-initiated SSO fails with "Illegal character in scheme name" when the IdP entity name has a special character

OPENAM-22657

JWT validation fails when signed using the RS256 algorithm

OPENAM-22632

AMSetupServlet install error with Windows multi-domain environment

OPENAM-22608

Non-extractable secrets in HSM fails to work on AM for SAML2 XML signing

OPENAM-22465

Unexpected error when request_uri client doesn’t match request parameter client in PAR authorise request

OPENAM-22391

Issues with evaluateTree when using wildcard policies

OPENAM-22346

The RP form_post endpoint doesn’t handle POST data well when OP returns error

OPENAM-22322

Signed ArtifactResponse Assertion can’t be verified and fails

OPENAM-22318

OAUTH_REQUEST_ATTRIBUTES cookie isn’t getting deleted after authentication

OPENAM-22298

NullPointerException in SAML2Utils.verifyNameIDFormat method

OPENAM-22264

Add global attribute handling to ssoadm

OPENAM-22120

Backchannel logout tokens now include the exp claim

OPENAM-21951

No option to set the selectedIndex on a ChoiceCallback

OPENAM-21926

Lockout message is not applied when using Identity Store Decision node

OPENAM-21897

Creation order determines policy evaluate and evaluateTree results

OPENAM-21864

No option to enable the trackingCookie with callbacksBuilder

OPENAM-21748

Next-generation scripting missing "get" wrapper function for HiddenValueCallback

OPENAM-21609

OAuth2Provider service created immediately after install/restart isn’t available in code flow

OPENAM-21545

Unable to create a circle of trust in file-based configuration with external data store

OPENAM-20945

Unable to trace token revocation back to resource owner because of missing trackingID field

OPENAM-20314

Social Provider Handler node and Social IdP service use the sub claim to search for links to existing accounts

OPENAM-20239

Setting the keepalive or heartbeat interval to a negative value in the IdRepo config causes an error

OPENAM-15834

Access token call fails when an unsupported claim is requested

OPENAM-14438

Ensure OAuth2ClientAgentGroups are imported before OAuth2ClientAgents in Amster

OPENAM-22753

Destroy All session may fail to work

OPENAM-22715

PlaceholderAnnotationUtils.insertDefaultValueIntoPlaceholder is not escaping values correctly

OPENAM-22696

Persistent search notification invalidation on AD identity store doesn’t invalidate user cached attributes

OPENAM-22620

Slow response from access token endpoint using client credentials grant

OPENAM-22602

OIDC ID Token Validator node uses own httpClient settings to connect to JWK or well-known URL

OPENAM-22421

Webauthn: Windows Hello TPM Attestation failing for Windows 11 22H2

OPENAM-22289

Session quota action may fail when the session isn’t updatable but should be fine to proceed

OPENAM-22181

Approve UMA request fails with 500 error when AM deployed as a platform

OPENAM-22171

Forgotten password fails when AM searches for the identity to modify

OPENAM-22119

"Access to Java class ScriptedLoggerWrapper prohibited" exception

OPENAM-22109

The expiry time of OPS token in 7.x doesn’t change with the time of tokens created

OPENAM-22017

Configuration Provider node creates node class dynamically leading to native memory leak

OPENAM-21976

Single point of locking contention when doing client-based session logout

OPENAM-21972

SAML artifact binding is using crosstalk for artifact resolution

OPENAM-21941

Unable to edit policies in the UI

OPENAM-21937

Quota enforcement affects agent sessions that authenticate by tree

OPENAM-21936

Unable to use legacy and next-generation scripts in the same authentication tree

OPENAM-21868

ssoadm create-sub-cfg not working for AM 7.2+ due to the context= field

OPENAM-21854

TermsAndConditionsCallback fails with error on XUI

OPENAM-21803

Certificate User Extractor node cannot resolve wrong name when UPN SubjectAltNameExt

OPENAM-21780

Next-generation httpClient script binding adds "null" as entity to GET requests

OPENAM-21747

Amster not working after connecting when AM REST call has extra set-cookie headers

OPENAM-21664

Upgrade fails to AM 7.4.0 with an uncaught exception when initializing the PrivilegeIndexStore class

OPENAM-21484

OAuth 2.0 token introspection response has different claim value types when introspecting refresh tokens

OPENAM-21473

Certificate Collector node: getPortalStyleCert throws exception when cert/header not present

OPENAM-21466

AM using OIDC social authentication fails to verify ID token if remote JWK_URIs have duplicate KID

OPENAM-21277

Running Amster in debug mode doesn’t work on Windows

OPENAM-21191

Web agent sessions have a long session lifetime of 42 years

OPENAM-20609

Inconsistent error message when generating access token using refresh token after changing username

OPENAM-19999

ID token as AM session doesn’t work with /authorize when openid scope is requested

OPENAM-19889

Policy evaluation fails with agent access token JWT as subject

OPENAM-17816

500 Internal Server Error (from NPE) returned for a missing Content-Type header

OPENAM-21476

Persistent Cookie isn’t created when using Configuration Provider node

OPENAM-21421

Scripting logger name isn’t based on logging hierarchy convention

OPENAM-21390

Fix caching error when a journey switches backend instances to correctly provide data to nodeState

OPENAM-21360

Add java.util.concurrent.ExecutionException to AM scripting class allowlist

OPENAM-21323

LDAP (inline) upgrade fails due to policy creation of UssSelfWriteAttributes

OPENAM-21304

Retain request URI values specified during dynamic client registration

OPENAM-21164

Fix type issue of XML String in SAML responses when using a custom adapter

OPENAM-21160

Make sure secure state values are retained when navigating the authentication tree

OPENAM-21158

Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2

OPENAM-21085

Undefined bindings are incorrectly evaluated in Groovy scripts

OPENAM-21069

WindowsDesktopSSO authentication is failing

OPENAM-21053

Missing userId from Access audit log when org.forgerock.security.oauth2.enforce.sub.claim.uniqueness=false in JWT client authentication flow

OPENAM-21030

Amster CLI doesn’t work on Windows

OPENAM-21010

Social authentication user profile corrupted when remote OIDC server provides non-English identity claims

OPENAM-21004

AM will always look for valid session when scope=openid

OPENAM-21001

SAML IdPAccountMapper isn’t correctly determined

OPENAM-20980

OIDC social provider uses configured issuer instead of wellknown endpoint issuer when using regex comparison

OPENAM-20953

Return subject attributes correctly when evaluating a policy using a JwtClaim as subject type

OPENAM-20920

Improve handling of SAML2 IDP metadata that uses SSO endpoint entries other than HTTP-POST or HTTP-Redirect bindings when binding is null

OPENAM-20897

Debug logs not showing info for ERROR: Unsupported Callback, "{0}" and others

OPENAM-20895

Newly created Maven archetype project for building custom authentication nodes fails to build

OPENAM-20851

Existing registered devices unable to use push notifications when AWS SNS credentials are updated

OPENAM-20784

TestUMAPolicy fails for users that will cause LocalizedIllegalArgumentException

OPENAM-20756

Social authentication request for Apple fails due to duplicated response_mode=form_post request parameter

OPENAM-20691

Fix rare race condition in session quota destroy next expiring action that can lead to the oldest session not being destroyed

OPENAM-20682

Unable to encrypt from jwk_uri where there are multiple JWKs with the same kid but different algorithms

OPENAM-20490

AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes"

OPENAM-20451

Fix to display user-friendly account name during WebAuthn device registration

OPENAM-20299

Fix to make agent authentication honor com.iplanet.am.session.agentSessionIdleTime

OPENAM-20230

Class allowlisting denies access to permitted classes after running for an extended period of time

OPENAM-20026

Social IDP with trailing whitespace in the name can’t be deleted using the UI

OPENAM-20024

Improve debug logging when login to XUI fails with HTTP 404 JsonValueException from endpoint

OPENAM-19282

Recovery Code Display Node works only immediately after Registration node

OPENAM-19261

Fix incorrectly logged errors when introspecting tokens using OAuth 2.0 client credentials grant

OPENAM-18709

New nodeState.getObject method added to return values stored in both shared and secure state

OPENAM-18685

New realm-level configuration setting to remove or skip subname claim

OPENAM-18004

Support sequential transaction IDs to improve audit logging for HTTP requests to IDM

OPENAM-17331

Push Notifications: User with disabled endpoint is not able to login

OPENAM-17179

Deleting an authentication tree leaves orphaned nodes that prevent deletion of referenced scripts