Release notes
These release notes cover multiple versions of Web Agent software. They are designed to make it easier to upgrade, especially when you are skipping releases. Ping Identity supports and maintains versions according to the Ping Identity Product Support Lifecycle Policy | PingGateway and Agents. Some older Web Agent versions have reached End of Life (EOL). Release notes for EOL versions are available in the documentation sets for those versions. If you are still running an EOL version, upgrade as soon as possible to an actively maintained version.
Name changes for ForgeRock products
Product names changed when ForgeRock became part of Ping Identity.
The following name changes have been in effect since early 2024:
Old name | New name |
---|---|
ForgeRock Identity Cloud | PingOne Advanced Identity Cloud |
ForgeRock Access Management | PingAM |
ForgeRock Directory Services | PingDS |
ForgeRock Identity Management | PingIDM |
ForgeRock Identity Gateway | PingGateway |
Learn more about the name changes in New names for ForgeRock products in the Knowledge Base.
Requirements
Ping Identity supports customers using the versions specified here. Other versions and alternative environments might work as well. When opening a support ticket for an issue, however, make sure you can also reproduce the problem on a combination covered here.
Supported clients
Web Agent supports the latest stable versions of web browsers that support JavaScript 5 and later.
AM requirements
- Web Agent supports AM 7.2 and later.
- Web Agent requires the WebSocket protocol to communicate with AM. Both the web server and the network infrastructure must support the WebSocket protocol. For example, Apache HTTP server requires the proxy_wstunnel_module for proxying the WebSocket protocol. Read your network infrastructure and web server documentation for more information about WebSocket support.
SSL requirements
To secure communications such as the connection to AM through the WebSocket protocol, agents require OpenSSL or the Windows built-in Secure Channel API.
To define the protocol versions allowed in your environment, configure the Security Protocol List.
TLS requirements
Agent version | Supported and enabled by default | Supported but disabled by default |
---|---|---|
2025.3 | TLSv1.3, TLSv1.2 | TLSv1.1, TLSv1.0 |
2024.11 | TLSv1.3, TLSv1.2 | TLSv1.1, TLSv1.0 |
2023.11 | TLSv1.3, TLSv1.2 | TLSv1.1, TLSv1.0, SSLv3(1) |
(1) Not supported after Web Agent 2023.11.
OpenSSL requirements
Agent version | Operating system | OpenSSL version |
---|---|---|
2025.3 | Red Hat Enterprise Linux | 3.4.x, 3.3.x, 3.2.x, 3.1.x, 3.0.x, 1.1.1(1) |
2025.3 | Microsoft Windows Server(2) | 3.4.x, 3.3.x, 3.2.x, 3.1.x, 3.0.x, 1.1.1(1) |
2025.3 | IBM AIX | 3.4.x, 3.3.x, 3.2.x, 3.1.x, 3.0.x, 1.1.1(1) |
2024.11 | CentOS | 3.4.x, 3.3.x, 3.2.x, 3.1.x, 3.0.x, 1.1.1(1) |
2024.11 | Microsoft Windows Server(2) | 3.4.x, 3.3.x, 3.2.x, 3.1.x, 3.0.x, 1.1.1(1) |
2024.11 | IBM AIX | 3.4.x, 3.3.x, 3.2.x, 3.1.x, 3.0.x, 1.1.1(1) |
2023.11 | CentOS | 3.0.x, 1.1.1 |
2023.11 | Microsoft Windows Server(2) | 3.0.x, 1.1.1 |
2023.11 | IBM AIX | 3.0.x, 1.1.1 |
5.10 | CentOS | 3.0.x, 1.1.1, 1.1.0(3), 1.0.x(3) |
5.10 | Microsoft Windows Server(2) | 3.0.x, 1.1.1, 1.1.0(3), 1.0.x(3) |
5.10 | IBM AIX | 3.0.x, 1.1.1, 1.1.0(3), 1.0.x(3) |
(1) Support to be discontinued in a future release.
(2) On Windows, Web Agent uses the Windows built-in Secure Channel API by default.
(3) Not supported after Web Agent 5.10.
Platform requirements
Supported operating systems and web servers Web Agent 2025.3
Operating systems | OS versions | Web servers & minimum supported versions |
---|---|---|
(1) Support to be discontinued in a future release.
(2) The Apache HTTP Server Project doesn’t offer binary releases for Microsoft Windows. The Apache HTTP Server web agent for Windows was tested against the binaries offered by Apache Lounge.
Supported operating systems and web servers Web Agent 2024.11
Operating systems | OS versions | Web servers & minimum supported versions |
---|---|---|
(1) Learn about which version of CentOS to use with the listed NGINX Plus from the NGINX Plus documentation.
(2) Support to be discontinued in a future release.
(3) The Apache HTTP Server Project doesn’t offer binary releases for Microsoft Windows. The Apache HTTP Server web agent for Windows was tested against the binaries offered by Apache Lounge.
Supported operating systems and web servers Web Agent 2023.11
Operating systems | OS versions | Web servers & minimum supported versions |
---|---|---|
(1) For information about which version of CentOS to use with the listed NGINX Plus, refer to the NGINX Plus documentation.
(2) Support to be discontinued in a future release.
(3) The Apache HTTP Server Project doesn’t offer binary releases for Microsoft Windows. The Apache HTTP Server web agent for Windows was tested against the binaries offered by Apache Lounge.
Supported operating systems and web servers Web Agent 5.10
Operating systems | OS versions | Web servers & minimum supported versions |
---|---|---|
(1) Support to be discontinued in a future release.
(2) The Apache HTTP Server Project doesn’t offer binary releases for Microsoft Windows. The Apache HTTP Server web agent for Windows was tested against the binaries offered by Apache Lounge.
Linux Systems requirements
- Web Agent on Linux supports Glibc 2.28 and later versions. For Glibc versions before 2.28, contact support.
- Web Agent on Linux requires a minimum of 16 MB of shared memory for the session and policy cache, and the various worker processes. Additionally, it needs 32 KB shared memory for the logging system. Failure to provide enough shared memory may result in errors similar to the following:
  2017-11-10 12:06:00.492 +0000 DEBUG [1:7521][source/shared.c:1451]am_shm_create2() about to create block-clusters_0, size 1074008064
  2017-11-10 12:06:00.492 +0000 ERROR [1:7521]am_shm_create2(): ftruncate failed, error: 28
  To configure additional shared memory for the session and policy cache, see Environment variables.
- If POST data preservation is enabled, the web agent requires additional free disk space in the web agent installation directory to store the POST data cache files.
Microsoft Windows systems requirements
- Before installing the IIS web agent, make sure that the optional Application Development component of Web Server (IIS) is installed. In the Windows Server 2022 Server Manager for example, Application Development is a component of Web Server (IIS) | Web Server.
- Web Agent on Windows requires a minimum of 16 MB of shared memory for the session and policy cache, and the various worker processes in the system page file. Additionally, it needs 32 KB shared memory for the logging system. Failure to provide enough shared memory may result in errors similar to the following:
  2017-11-10 12:06:00.492 +0000 DEBUG [1:7521][source/shared.c:1451]am_shm_create2() about to create block-clusters_0, size 1074008064
  2017-11-10 12:06:00.492 +0000 ERROR [1:7521]am_shm_create2(): ftruncate failed, error: 28
  To configure additional shared memory for the session and policy cache, see Environment variables.
- If POST data preservation is enabled, the web agent requires additional free disk space in the web agent installation directory to store the POST data cache files.
What’s new
Web Agent 2025.3
Web Agent 2025.3 is a major release that introduces new features, functional enhancements, and fixes.
Content Security Policy header - frame-ancestors
We’ve made changes to the Web Agent to provide support for the Content Security Policy (CSP) frame-ancestors directive, which lets you specify which parent sources can embed a page in an iframe (and other HTML elements).
The agent sets this directive on direct responses, such as authentication and PDP, so this only affects pages related to these responses.
By default, the Web Agent sets this directive to self, which only allows the site hosting the agent to embed pages in iframes.
The following new bootstrap properties are available:
- The Frame Ancestors None property controls whether pages can be embedded in iframes or not.
- The Frame Ancestors Sources property controls which parent sources can embed pages in a <frame>, <iframe>, <embed> or <object> element if embedding is allowed.
Learn more in iframes.
Agent authentication to Advanced Identity Cloud and AM
We’ve made changes to how Web Agent authenticates to Advanced Identity Cloud and AM.
The default fallback mode setting (0) for the AM_AGENT_AUTH_MODE installation environment variable and the Agent Authentication Mode property has been removed.
The default setting is now 1, meaning the agent always authenticates using the Agent journey.
If the Agent journey doesn’t exist, you should create it. Learn more in Authenticate agents to the identity provider.
Web Agent 2024.11
Web Agent 2024.11 is a minor release that introduces new features, functional enhancements, and fixes.
Request handling
We’ve made changes to the Web Agent to improve the security of handling requests from upstream Java servers.
The agent now rejects unsafe uses of path parameters with an HTTP 400 in the following scenarios:
- The request contains one or more %2F or %2f (encoded forward slash) characters in the path parameters.
- The request contains one or more %5C or %5c (encoded backslash) characters in the path parameters on a Windows server.
- The request includes empty path segments or dot path segments with path parameters. Some example unsafe uses include:
  - /;/
  - /..;
  - /.;
  - /..;parameter/
  Legitimate uses of ; as a path parameter are still permitted. For example, the agent won’t reject this request with the jsessionid parameter: /segment1/segment2/;jsessionid=1234
Path parameters (also known as matrix parameters) are used by J2EE and Spring-based Java servers in URL paths.
Learn more in Path traversal attempts.
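A log-triage sketch of the rules listed above, added here as an example and not the agent's own code: it flags request targets in access-log lines that match one of the three scenarios, for instance to find clients that would start receiving HTTP 400 after an upgrade. The function names and log lines are constructed for illustration, and the way an empty segment carrying a real parameter is told apart from /;/ is an assumption inferred from the examples above.

```python
import re
from typing import Iterable, List, Optional, Tuple

ENCODED_SLASH = "encoded forward slash in path parameters"
ENCODED_BACKSLASH = "encoded backslash in path parameters (Windows server)"
DOT_SEGMENT = "dot path segment with path parameters"
EMPTY_SEGMENT = "empty path segment with path parameters"


def unsafe_path_parameter(request_target: str,
                          windows_server: bool = False) -> Optional[str]:
    """Return the rule a request target matches, or None if none applies.

    The check runs on the raw, still percent-encoded target: decoding first
    would turn %2F into a real separator and hide it from the check.
    """
    path = request_target.split("?", 1)[0]   # path parameters live in the path only
    for segment in path.split("/"):
        if ";" not in segment:
            continue                         # this segment has no path parameters
        name, _, params = segment.partition(";")
        lowered = params.lower()             # covers %2F/%2f and %5C/%5c
        if "%2f" in lowered:
            return ENCODED_SLASH
        if windows_server and "%5c" in lowered:
            return ENCODED_BACKSLASH
        if name in (".", ".."):
            return DOT_SEGMENT               # /..;  /.;  /..;parameter/
        # Assumption: "/;/" is unsafe because the segment has neither a name
        # nor a parameter, while "/;jsessionid=1234" carries a real parameter.
        if name == "" and params.strip(";") == "":
            return EMPTY_SEGMENT
    return None


# Constructed access-log lines (documentation address range, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Mar/2025:10:15:02 +0000] "GET /segment1/segment2/;jsessionid=1234 HTTP/1.1" 200 512',
    '192.0.2.11 - - [03/Mar/2025:10:15:03 +0000] "GET /app/..;parameter/index.html HTTP/1.1" 200 128',
    '192.0.2.12 - - [03/Mar/2025:10:15:04 +0000] "GET /app/page;v=a%2Fb HTTP/1.1" 200 64',
    '192.0.2.13 - - [03/Mar/2025:10:15:05 +0000] "GET /app/page;v=a%5cb?x=1 HTTP/1.1" 200 64',
    '192.0.2.14 - - [03/Mar/2025:10:15:06 +0000] "GET /app/;/index.html HTTP/1.1" 200 64',
    # %2F in an ordinary segment, not in a path parameter: outside the listed rules.
    '192.0.2.15 - - [03/Mar/2025:10:15:07 +0000] "GET /app/a%2Fb/index.html HTTP/1.1" 200 64',
]

REQUEST_LINE = re.compile(r'"[A-Z]+ (\S+) HTTP/\d(?:\.\d)?"')


def triage(lines: Iterable[str],
           windows_server: bool = False) -> List[Tuple[str, str]]:
    """Return (request target, matched rule) for every flagged log line."""
    findings = []
    for line in lines:
        match = REQUEST_LINE.search(line)
        if not match:
            continue                         # not a request line we understand
        reason = unsafe_path_parameter(match.group(1), windows_server)
        if reason:
            findings.append((match.group(1), reason))
    return findings


if __name__ == "__main__":
    for target, reason in triage(SAMPLE_LOG):
        print(f"{target}: {reason}")
```

Pass windows_server=True when the protected web server runs on Windows, so that encoded backslashes in path parameters are flagged as well.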
Agent authentication to Advanced Identity Cloud and AM
Web Agent authenticates to Advanced Identity Cloud and AM using a non-configurable authentication module or the Agent authentication journey if it exists.
A new AM_AGENT_AUTH_MODE installation environment variable controls which authentication method the agent uses. By default, the agent authenticates using the Agent journey but falls back to using the deprecated authentication module if authentication fails. This behavior is unchanged from earlier agent versions.
A new Agent Authentication Mode property allows the authentication method to be changed post-installation.
If you use PingAM 7.3 or 7.4 and experience issues with session quotas, set this property or environment variable to 2 to always authenticate using the authentication module.
The default fallback mode is deprecated and will be removed in the next release. The default will change to always authenticate using the Agent journey.
Include userId in audit logs
We’ve made changes to audit logging in the Web Agent to output the userId field in the audit logs.
Provided the /access/userId field is allowlisted (which it is by default), the userId field is now included in the audit event logs.
It is populated with the value of the universalId attribute retrieved from the session by default. For example:
"userId":"id=demo,ou=user,dc=example,dc=com"
The following new properties provide additional control over how the universal ID is retrieved:
The user field is currently incorrectly output in the audit logs. This output is deprecated and the user field will be removed from audit logs in the next release.
Web Agent 2024.9
Web Agent 2024.9 is a minor release that introduces new features, functional enhancements, and fixes.
Prometheus monitoring
To improve monitoring in the agent, a Prometheus monitoring endpoint is now available at /agent/metrics. You can access this endpoint to return Prometheus metrics relevant to your deployment.
Learn more in Monitor services.
JWT signature validation
A new Validate JWT Signature Locally property controls how the JWT signature is validated. By default, the property is set to 0, which doesn’t change JWT signature validation.
Set this property to 1 to validate the JWT signature locally.
When the JWT signature is validated locally, there is an expected performance impact.
TLSv1.3 security protocol
The TLS 1.3 security protocol can now be disabled if required by adding -TLSv1.3 to the Security Protocol List.
TLS key logging
TLS key logging is now available for troubleshooting TLS issues between the agent and AM. When enabled, TLS session keys are logged to an SSL key log file.
To troubleshoot TLS issues, enable TLS key logging using one of the following options:
- The new Enable TLS key logging property.
- The new AM_SSL_KEYLOG_ENABLE installation environment variable.
Then configure the new AM_SSL_KEYLOG_FILE environment variable to specify the name of the SSL key log file.
Learn more in TLS key logging.
Web Agent 2024.6
Web Agent 2024.6 is a minor release that introduces new features, functional enhancements, and fixes.
Overrides for request protocol, host, and port
In certain circumstances, the new property Disable Override Request URL Port, Host, or Protocol facilitates access to the agent by bypassing load balancers.
Audit
The new property Audit Path as Full URL is available to manage how the agent includes an HTTP request path in an audit log.
Web Agent 2024.3
Web Agent 2024.3 is a major release that introduces new features, functional enhancements, and fixes.
Hardened security of agent secrets
Because of the hardened security of agent secrets, drop-in software update to this release isn’t possible. Upgrade to this release from an earlier release is a major upgrade. Learn more in Upgrade.
- Strengthened encryption of agent secrets
  The agentadmin --k command now generates a base64-encoded 256-bit random key.
  The agentadmin --p command now generates AES-256-GCM encrypted ciphertext.
  The agentadmin --V command now verifies that the agent can decrypt the ciphertext.
- Runtime encryption and decryption of on-disk agent secrets
  At runtime, the agent decrypts the agent credentials and then generates a one-time symmetric encryption key to re-encrypt the credentials.
  This feature creates crypto material at runtime. In previous releases, crypto material was created and stored only on-disk.
- Encryption key and ciphertext removed from bootstrap configuration file
  The encryption key and ciphertext are stored in new agent configuration files, agent-key.conf and agent-password.conf. The following properties are removed from agent.conf:
  For more information, refer to Agent configuration.
- Log of decryption errors for agent profile password
  If the agent can’t decrypt the password in Agent Profile Password, a message is now written to the logs.
- Use of the secret service in PingOne Advanced Identity Cloud and AM
  With PingOne Advanced Identity Cloud and from AM 7.5, the agent profile password can optionally be managed through the identity provider’s secret service. If the identity provider finds a matching secret in a secret store, it uses that secret instead of the hard-coded agent password.
  Learn more from Create an agent profile in PingOne Advanced Identity Cloud and Create agent profiles in AM.
Flexibility when client IP validation fails
A new property Client IP Validation Failure Response is available to force logout when Client IP Validation is true and the IP address of an authenticated request doesn’t originate from the IP address used for authentication.
In previous releases, the agent could only return an HTTP 403 Forbidden.
Warnings for TLS certificates validation
When Server Certificate Trust is set to true, the agent trusts any server certificate. Validation of the installation with agentadmin now returns a warning to set the property to false in production environments.
ISAPI Web Agent
The ISAPI Web Agent is now supported. Learn more from Install IIS and ISAPI Web Agent.
Key rotation with the agentadmin command
The agentadmin command now provides an option for key rotation. Learn more in Rotate keys.
Web Agent 2023.11.x
Web Agent 2023.11.2
Web Agent 2023.11.2 is a maintenance release that introduces security enhancements and fixes.
Request handling
We’ve made changes to the Web Agent to improve the security of handling requests from upstream Java servers.
The agent now rejects unsafe uses of path parameters with an HTTP 400 in the following scenarios:
- The request contains one or more %2F or %2f (encoded forward slash) characters in the path parameters.
- The request contains one or more %5C or %5c (encoded backslash) characters in the path parameters on a Windows server.
- The request includes empty path segments or dot path segments with path parameters. Some example unsafe uses include:
  - /;/
  - /..;
  - /.;
  - /..;parameter/
  Legitimate uses of ; as a path parameter are still permitted. For example, the agent won’t reject this request with the jsessionid parameter: /segment1/segment2/;jsessionid=1234
Path parameters (also known as matrix parameters) are used by J2EE and Spring-based Java servers in URL paths.
Learn more in Path traversal attempts.
TLSv1.3 security protocol
The TLS 1.3 security protocol can now be disabled if required by adding -TLSv1.3 to the Security Protocol List.
Web Agent 2023.11
Web Agent 2023.11 is a minor release that introduces new features, functional enhancements, and fixes.
Hardened security of agent responses with JavaScript
All agent responses that contain JavaScript are now protected by a Content-Security-Policy header.
Examples of responses protected by this change include:
- HTML forms returned by the agent during POST data preservation
- Preserved browser fragments returned by the agent during authentication
Deployment with Docker
A Dockerfile is now provided to deploy Apache Web Agent to extend and protect an application. For more information, refer to Deploy Web Agent with Docker.
Web Agent 2023.9
Web Agent 2023.9 is a minor release that introduces new features, functional enhancements, and fixes.
Supported platforms
Web Agent 2023.9 supports the following additional platforms:
- IBM HTTP Server 8.5 for Linux
- Red Hat JBoss Core Services for Red Hat Enterprise Linux
- NGINX Plus R30
For more information, refer to Supported operating systems and web servers Web Agent 2023.9.
Web Agent 2023.6
Web Agent 2023.6 is a minor release that introduces new features, functional enhancements, and fixes.
Use Apache Web Agent with Apache directives
Apache Web Agent can now be configured with the following Apache directives, globally or independently for different server locations:
- AmAgent to switch the agent on or off
- AmAuthProvider to use Apache as the policy enforcement point
For more information, refer to Configure Apache Web Agent.
Authentication of Web Agent to PingOne Advanced Identity Cloud and AM
Web Agent agents are automatically authenticated to PingOne Advanced Identity Cloud and AM by a non-configurable authentication module. Authentication chains and modules are deprecated and replaced by nodes, trees, and journeys.
You can now authenticate Web Agent to PingOne Advanced Identity Cloud and AM 7.3 with a journey. The procedure is currently optional, but will be required when authentication chains and modules are removed in a future release.
For more information, refer to Authenticate agents to PingOne Advanced Identity Cloud and Authenticate agents to AM.
Management of agent credentials
An encryption key in agent.conf is used to decrypt credentials for the agent profile, the SSL certificate, and the HTTP proxy. By default, the agent caches the encryption key. A new property Disable Caching of Agent Profile Password Encryption Key is available to disable caching and require the agent to securely wipe the encryption key after it is read.
Use the agentadmin --V command to verify that the agent can decrypt the credentials correctly.
Web Agent 2023.3
Web Agent 2023.3 is a major release that introduces new features, functional enhancements, and fixes.
Remove HTTP Server header in IIS
In IIS, the agent can now remove the Server header from all responses.
To enable the feature, set the Remove IIS HTTP Server Header property to true.
Web Agent 5.10.x
Web Agent 5.10.4
Web Agent 5.10.4 is a maintenance release that introduces security enhancements.
Request handling
We’ve made changes to the Web Agent to improve the security of handling requests from upstream Java servers.
The agent now rejects unsafe uses of path parameters with an HTTP 400 in the following scenarios:
- The request contains one or more %2F or %2f (encoded forward slash) characters in the path parameters.
- The request contains one or more %5C or %5c (encoded backslash) characters in the path parameters on a Windows server.
- The request includes empty path segments or dot path segments with path parameters. Some example unsafe uses include:
  - /;/
  - /..;
  - /.;
  - /..;parameter/
  Legitimate uses of ; as a path parameter are still permitted. For example, the agent won’t reject this request with the jsessionid parameter: /segment1/segment2/;jsessionid=1234
Path parameters (also known as matrix parameters) are used by J2EE and Spring-based Java servers in URL paths.
Learn more in Path traversal attempts.
Web Agent 5.10.2
Remove HTTP Server header in IIS
In IIS, the agent can now remove the Server header from all responses.
To enable the feature, set the Remove IIS HTTP Server Header property (org.forgerock.agents.config.iis.headers.server.disable) to true.
Web Agent 5.10.1
Limit the number of debug log files
To help manage the amount of stored data, the new property Maximum Number of Debug Log Files is now available to limit the number of debug log files that the agent stores after file rotation.
Web Agent 5.10
Matching FQDNs to URL patterns
The wildcard * can now be used in FQDN Virtual Host Map to match a domain name. Use this feature to pass requests with dynamically allocated hostnames, for example, in Kubernetes deployments, without redirecting them to another domain.
For more information, see FQDN checking.
Authorization flow for single page applications using Javascript
Authorization flow for applications using Javascript is a new property to enable callbacks into JavaScript applications, after an authentication or transactional authorization journey.
The property provides support for single page applications (SPAs) that use embedded login or authorization dialogs within iframes or embedded tags.
This feature is in Technology Preview, as defined in Release levels and interface stability, for use only with assistance from Ping Identity.
Current limitations:
- The property cannot be set in agent.conf. Set it in the Advanced tab of the AM console.
- The feature might require configuration changes to on-prem AM servers.
- The feature does not work with the PingOne Advanced Identity Cloud, unless the service is accessed through a reverse proxy on the application site.
Apache built-in modules available for authentication
Use Built-in Apache HTTPD Authentication Directives is a new property to enable Apache Web Agent to use built-in Apache authentication directives, such as AuthName, FilesMatch, and Require for specified not-enforced URLs.
In previous releases, use of built-in Apache authentication directives was not supported. The agent replaced authentication functionality provided by Apache.
POST data preservation: use a single agent profile for multiple agent instances
In previous releases, to correctly configure POST data preservation, a separate agent profile was required in AM for each agent instance. From this release, a single agent profile can be used for multiple agent instances.
Use this feature for scalable deployments, where resources are dynamically created or destroyed.
URI fragments persisted in custom login mode
When the value of Enable Custom Login Mode is 2, URI fragments were previously lost during login. From this release, URI fragments in the browser are not lost after the custom login procedure.
Pre-authentication cookies expire immediately after authentication
In previous releases, the pre-authentication cookie, agent-authn-tx, expired when it reached the age configured by Profile Attributes Cookie Maxage.
From this release, the pre-authentication cookie expires when the first of the following events occurs:
- Authentication completes successfully
- It reaches the age configured by Profile Attributes Cookie Maxage
Expiring the cookie immediately after authentication reduces the amount of used header space, and prevents authentication errors and errors in applications that set headers.
Fixes
Fixes are cumulative chronologically, by release date. An issue fixed in a maintenance release, such as Web Agent 2023.11.1, isn’t included in a major release, such as Web Agent 2024.3, if the major release was issued before the minor release.
Fixes in Web Agent 2025.3
- AMAGENTS-3301: Log OpenSSL errors when unable to load CA certificates
- AMAGENTS-6279: X-frame option is not coming in response header for Application url when fragment redirect is enabled
- AMAGENTS-6749: Agent local configuration files lost formatting
- AMAGENTS-6905: Apache agent should fail to start if multiple AmAgentID directives are detected
- AMAGENTS-6973: Agent incorrectly %-encodes URLs to make them safe in responses
Fixes in Web Agent 2024.11
- AMAGENTS-5958: Invalid error AMConfigurationException generated in the AM log
- AMAGENTS-6729: Looping after Authentication in session quota mode with -25 / 403 errors
- AMAGENTS-6885: Closing SSL session logs are at ERROR level and should be at DEBUG
- AMAGENTS-6906: WPA validator validate_session_profile test always uses auth module (regression)
- AMAGENTS-6916: userId does not get populated by web agent audit
- AMAGENTS-6929: NGINX crash in agent_config_cleanup
Fixes in Web Agent 2024.9
- AMAGENTS-6628: Fragment replay is broken with custom login mode 2
- AMAGENTS-6527: WPA SSL_shutdown shutdown while in init errors in agent log
Fixes in Web Agent 2024.6
- AMAGENTS-6557: Segmentation fault in agentadmin --V before install complete or in custom directory
- AMAGENTS-6494: Agents local policy eval fails. Agent name and policy application name are switched
- AMAGENTS-6428: Incorrect message formats in task.c
- AMAGENTS-6289: AM_SYSTEM_LOG_FILES only works for debug.log
- AMAGENTS-3663: Nginx Agent print absolute build path into debug logs
- AMAGENTS-3166: The path attribute in agent’s audit log is not the full path
Fixes in Web Agent 2024.3
- AMAGENTS-6397: If the agent instance isn’t provided for key rotation, agentadmin doesn’t print an error
- AMAGENTS-6302: NGINX agent PDP fails with HTTP/3 connections
- AMAGENTS-6172: WPA for IIS does not work when running in 32bit mode on 64bit Windows OS
- AMAGENTS-6046: convert_request_after_authn_post writes to /tmp instead of configured PDP directory
- AMAGENTS-5985: Interactive installation using existing agent configuration files duplicate properties which are commented out
- AMAGENTS-5983: Interactive installer refer to the legacy agent configuration file - OpenSSOAgentBootstrap.properties
- AMAGENTS-4590: login-fragment-relay page should have charset specified.
- AMAGENTS-3992: com.forgerock.agents.config.hostmap doesn’t use the IP address
- AMAGENTS-3506: If there are permissions issues with password file with installation on IIS then the log messages are not helpful
Fixes in Web Agent 2023.11.x
Web Agent 2023.11.1
- AMAGENTS-6628: Fragment replay is broken with custom login mode 2
- AMAGENTS-6494: Agents local policy eval fails. Agent name and policy application name are switched
Web Agent 2023.11
- AMAGENTS-6175: Memory leak in credentials_secure_free
- AMAGENTS-6133: Improper use of Bcrypt hash handle in JWT password replay module in
- AMAGENTS-6132: JWT password replay module in IIS should use json parser
- AMAGENTS-6073: Idle timeout should not update on NEU with SSO Only, neu fetch and
- AMAGENTS-6057: Incorrect padding mode used in jwtpasswdreplay.h
- AMAGENTS-5594: Web agent will return 403 errors if OpenSSL libraries aren’t loaded.
Fixes in Web Agent 2023.9
- AMAGENTS-5995: Don’t extend user session for not enforced url with fetch attributes enabled
- AMAGENTS-5833: WPA 403 error on /agent/cdsso-oauth2 with invalid jwt.aud.whitelist parameter value
- AMAGENTS-5495: Web agent validator reports access to OpenSSL v.1.1.x instead of v3.x
Fixes in Web Agent 2023.6
- AMAGENTS-5678: Custom Login mode 1 doesn’t correctly process composite advice.
- AMAGENTS-5462: WPA crash when config.redirect.param is not set
- AMAGENTS-5444: WPA for IIS fails with 0x80090305 error
- AMAGENTS-5147: Web agent incorrectly escapes UTF-8 when creating JSON for audit
- AMAGENTS-5127: Internal Server Error (500) when POST is performed without POST data preservation
- AMAGENTS-4478: Write the Identity used in SSO to the audit logs
- AMAGENTS-3683: Misleading message in "unsuccessful" Agent login when it is actually successful
- AMAGENTS-3315: WPA: Runtime properties are ignored if they appear before c.s.i.agents.config.repository.location
Fixes in Web Agent 5.10.x
Web Agent 5.10.3
- AMAGENTS-5995: Don’t extend user session for not enforced url with fetch attributes enabled
Web Agent 5.10.1
- AMAGENTS-5341: crashes in installer when checking permissions
- AMAGENTS-5219: Nginx agent can crash when configured with not-enforced-url regex option
- AMAGENTS-5116: Interactive installer loops infinitely when an invalid host is supplied for the am url.
Web Agent 5.10
- AMAGENTS-5068: performance issue in AMAGENTS-4716 fix
- AMAGENTS-4897: config.fallback.mode doesn’t work for not-enforced url configuration
- AMAGENTS-4795: POST Data Sticky Load Balancing Cookie Name configuration option isn’t working
- AMAGENTS-4788: WPA doesn’t delete session tracking cookie when running in accept.sso.token mode
- AMAGENTS-4737: WPA does not support TLS handshake Server Name Indication extension
- AMAGENTS-4716: Agent does not handle SSO tracking cookie enclosed in double quotes
- AMAGENTS-4687: Web Agent 5.9.0 crash if configuration fetch fails.
- AMAGENTS-4545: nginx agent can crash if graceful restart (reload) is used with load testing.
- AMAGENTS-4539: IIS Web Agent doesn’t log reason why PDP file deletion fails.
Removed
Removed is defined in Release levels and interface stability.
Removed in | Object | Description | Deprecated in |
---|---|---|---|
2025.3 | Fallback mode setting ( | Default has changed to always authenticate using the | 2024.11 |
2025.3 | Support for AM 6.5 | Use AM 7.2 or later. | 2024.3 |
2024.11 | - | - | - |
2024.9 | - | - | - |
2024.6 | - | - | - |
2024.3 | | Licence is never displayed during installation. | - |
2023.11 | - | - | - |
2023.9 | - | - | - |
2023.6 | - | - | - |
2023.3 | | Whole object | 5.9 |
5.10 | | Use POST Data Sticky Load Balancing Value instead | - |
Incompatible changes
Incompatible changes impact existing functionality and may affect your migration from a previous release. Before you upgrade, review these lists and make the appropriate changes to your scripts and plugins.
Changes in Web Agent 2025.3
Content Security Policy header - frame-ancestors
By default, the Content Security Policy (CSP) frame-ancestors directive is set to self, which only allows the site hosting the agent to embed pages in iframes.
If you use iframes with another source, you’ll need to set the new properties appropriately.
Learn more in Content Security Policy - frame-ancestors.
Agent authentication to Advanced Identity Cloud and AM
The default fallback mode setting (0) for AM_AGENT_AUTH_MODE and Agent Authentication Mode has been removed.
The default setting is now 1, meaning the agent always authenticates using the Agent journey.
If the Agent journey doesn’t exist, you should create it. Learn more in Authenticate agents to the identity provider.
Changes in Web Agent 2024.3
NGINX binaries renamed
The operating system name in the downloadable NGINX binaries has been replaced with Linux. A single build is now suitable for all NGINX versions and operating systems.
- Example formats for previous release:
web-agent-2023.11-NGINX_r30_Rhel7_64bit.zip
web-agent-2023.11-NGINX_r30_Rhel8_64bit.zip
web-agent-2023.11-NGINX_r30_Rhel9_64bit.zip
web-agent-2023.11-NGINX_r30_Ubuntu20_64bit.zip
web-agent-2023.11-NGINX_r30_Ubuntu22_64bit.zip
- Example format for this release:
web-agent-2024.3-NGINX_r30_Linux_64bit.zip
AES-256-GCM encryption
Because of the changes in Hardened security of agent secrets, a drop-in software update to this release isn’t possible. Upgrading to this release from an earlier release is a major upgrade. Learn more in Upgrade.
Changes in Web Agent 2023.11
There are no incompatible changes in this release or any of its maintenance releases.
Changes in Web Agent 2023.6
Management of agent credentials
An encryption key in agent.conf is used to decrypt credentials for the following properties:
- Agent Profile Password
- Private Key Password
- Proxy Server Password
When decryption failed in previous releases, sometimes the agent attempted to use the encrypted form of the password. From this release, the agent does not attempt to use the encrypted form of the password.
Changes in Web Agent 2023.3
Changes in Web Agent 5.10
Regular expression pattern matching is platform-dependent
IIS agents use Windows libraries and ECMAScript-compatible regular expressions. Adapt the regular expression settings for IIS agents to account for this change.
Fragment redirect
From Web Agent 5.8.1, when Enable Fragment Redirect is true, the agent redirects the user back to the original resource using an absolute URL. In previous Web Agent 5 versions, the agent redirects the user using a relative URI.
Proxy rules that rely on fragment redirect to a relative URI now result in a redirect to a full URL. For example, a redirect to /a/b#c results in the final URL prot://host:port/a/b#c.
Ordered rules that rely on matching a plain URL followed by fully qualified alternatives can result in the fully qualified alternatives matching first.
Deprecated
The following objects are deprecated, as defined in Release levels and interface stability:
Deprecated in | Object | Replaced by | Removed in |
---|---|---|---|
2025.3 |
- |
- |
- |
2024.11 |
Fallback mode setting ( |
Default will change to always authenticate using the |
2025.3 |
|
|
Not yet removed |
|
2024.9 |
- |
- |
- |
2024.6 |
- |
- |
- |
2024.3 |
Support for AM 6.5 |
Later versions of AM |
2025.3 |
From AM 7.5, values set in the AM admin UI for Replay Password Key are ignored. |
From AM 7.5, the value of the DES key is inherited from the secret mapped to the AM secret label |
Not yet removed |
|
2023.11 |
- |
- |
- |
2023.9 |
|
|
Not yet removed |
2023.6 |
- |
- |
- |
2023.3 |
- |
- |
- |
5.10 |
Prometheus endpoint |
Not yet removed |
Known issues
Web Agent 2025.3
Issue | Comment |
---|---|
AMAGENTS-6895: NGINX crash in agent_add_ctx_cleanups | Unresolved |
AMAGENTS-6727: WPA policy cache module creates empty policy json file | Unresolved |
AMAGENTS-6363: Shared user profile attributes | Unresolved |
AMAGENTS-6215: "Not Enforced Client IP List" abnormal | Unresolved |
AMAGENTS-5718: Custom Login mode 2 doesn’t correctly process composite advice | Unresolved |
AMAGENTS-5032: Native agents for windows do not correctly use unicode for the file system, resulting in configured files with garbled names | Unresolved |
AMAGENTS-4672: Web Agent does not handle specific case for Not-Enforced URL and one level wildcard properly | Unresolved |
Web Agent 2024.11
Issue | Comment |
---|---|
AMAGENTS-6905: Apache agent should fail to start if multiple AmAgentID directives are detected | Fixed in 2025.3 |
AMAGENTS-6904: validate_credential_files issue with config filename that have no path component | Won’t fix |
AMAGENTS-6895: NGINX crash in agent_add_ctx_cleanups | Unresolved |
AMAGENTS-6749: Agent local configuration files lost formatting | Fixed in 2025.3 |
AMAGENTS-6727: WPA policy cache module creates empty policy json file | Unresolved |
AMAGENTS-6363: Shared user profile attributes | Unresolved |
AMAGENTS-6306: Infinite apache error log caused by pipe error | Won’t fix |
AMAGENTS-6279: X-frame option is not coming in response header for Application url when fragment redirect is enabled | Fixed in 2025.3 |
AMAGENTS-6215: "Not Enforced Client IP List" abnormal | Unresolved |
AMAGENTS-5718: Custom Login mode 2 doesn’t correctly process composite advice | Unresolved |
AMAGENTS-5032: Native agents for windows do not correctly use unicode for the file system, resulting in configured files with garbled names | Unresolved |
AMAGENTS-4672: Web Agent does not handle specific case for Not-Enforced URL and one level wildcard properly | Unresolved |
Web Agent 2024.9
Issue | Comment |
---|---|
AMAGENTS-6749: Agent local configuration files lost formatting | Fixed in 2025.3 |
AMAGENTS-6729: Looping after Authentication in session quota mode with -25 / 403 errors | Fixed in 2024.11 |
AMAGENTS-6727: WPA policy cache module creates empty policy json file | Unresolved |
AMAGENTS-6363: Shared user profile attributes | Unresolved |
AMAGENTS-6306: Infinite apache error log caused by pipe error | Won’t fix |
AMAGENTS-6279: X-frame option is not coming in response header for Application url when fragment redirect is enabled | Fixed in 2025.3 |
AMAGENTS-6215: "Not Enforced Client IP List" abnormal | Unresolved |
AMAGENTS-5958: Invalid error AMConfigurationException generated in the AM log | Fixed in 2024.11 |
AMAGENTS-5718: Custom Login mode 2 doesn’t correctly process composite advice | Unresolved |
AMAGENTS-5032: Native agents for windows do not correctly use unicode for the file system, resulting in configured files with garbled names | Unresolved |
AMAGENTS-4672: Web Agent does not handle specific case for Not-Enforced URL and one level wildcard properly | Unresolved |
Web Agent 2024.6
Issue | Comment |
---|---|
AMAGENTS-6628: Fragment replay is broken with custom login mode 2 | Fixed in 2024.9, 2023.11.1 |
AMAGENTS-6527: WPA SSL_shutdown shutdown while in init errors in agent log | Fixed in 2024.9, 2023.11.2 |
AMAGENTS-6363: Shared user profile attributes | Unresolved |
AMAGENTS-6306: Infinite apache error log caused by pipe error | Won’t fix |
AMAGENTS-6279: X-frame option is not coming in response header for Application url when fragment redirect is enabled | Fixed in 2025.3 |
AMAGENTS-6215: "Not Enforced Client IP List" abnormal | Unresolved |
AMAGENTS-5958: Invalid error AMConfigurationException generated in the AM log | Fixed in 2024.11 |
AMAGENTS-5718: Custom Login mode 2 doesn’t correctly process composite advice | Unresolved |
AMAGENTS-5032: Native agents for windows do not correctly use unicode for the file system, resulting in configured files with garbled names | Unresolved |
AMAGENTS-4672: Web Agent does not handle specific case for Not-Enforced URL and one level wildcard properly | Unresolved |
Web Agent 2024.3
Issue | Comment |
---|---|
AMAGENTS-6628: Fragment replay is broken with custom login mode 2 | Fixed in 2024.9, 2023.11.1 |
AMAGENTS-6527: WPA SSL_shutdown shutdown while in init errors in agent log | Fixed in 2024.9, 2023.11.2 |
AMAGENTS-6494: Agents local policy eval fails. Agent name and policy application name are switched | Fixed in 2024.6, 2023.11.1 |
AMAGENTS-6363: websites sharing a cache sometimes don’t get the expected headers set because of cache sharing issues in the agent | Unresolved |
AMAGENTS-6306: infinite apache error log caused by pipe error | Won’t fix |
AMAGENTS-6289: AM_SYSTEM_LOG_FILES only works for debug.log | Fixed in 2024.6 |
AMAGENTS-5958: Invalid error AMConfigurationException generated in the AM log | Fixed in 2024.11 |
AMAGENTS-5718: Custom Login mode 2 doesn’t correctly process composite advice. | Unresolved |
AMAGENTS-5032: Native agents for windows do not correctly use unicode for the file system, resulting in configured files with garbled names. | Unresolved |
AMAGENTS-4672: Web Agent does not handle specific case for Not-Enforced URL and one level wildcard properly | Unresolved |
AMAGENTS-3663: Nginx Agent print absolute build path into debug logs | Fixed in 2024.6 |
AMAGENTS-2813: Agents Logout perform logout multiple times | Not a defect |
AMAGENTS-2755: Currently when setting up the agent it’s necessary to have a client certificate file when using S Channel | Won’t fix |
Web Agent 2023.11
Issue | Comment |
---|---|
AMAGENTS-6628: Fragment replay is broken with custom login mode 2 | Fixed in 2024.9, 2023.11.1 |
AMAGENTS-6527: WPA SSL_shutdown shutdown while in init errors in agent log | Fixed in 2024.9, 2023.11.2 |
AMAGENTS-6494: Agents local policy eval fails. Agent name and policy application name are switched | Fixed in 2024.6, 2023.11.1 |
AMAGENTS-6172: WPA for IIS doesn’t work when running in 32bit mode on 64bit Windows OS | Fixed in 2024.3 |
AMAGENTS-6046: convert_request_after_authn_post writes to /tmp instead of configured PDP directory | Fixed in 2024.3 |
AMAGENTS-5985: Interactive installation using existing agent configuration files duplicate properties which are commented out | Fixed in 2024.3 |
AMAGENTS-5983: Interactive installer refer to the legacy agent configuration file - OpenSSOAgentBootstrap.properties | Fixed in 2024.3 |
AMAGENTS-5958: Invalid error AMConfigurationException generated in the AM log | Fixed in 2024.11 |
AMAGENTS-5777: IIS web agent zip file includes 32bit DLL | Won’t fix |
AMAGENTS-5718: Custom Login mode 2 doesn’t correctly process composite advice. | Unresolved |
AMAGENTS-5032: WPA: Native agents for windows do not correctly use unicode for the file system, resulting in configured files with garbled names. | Unresolved |
AMAGENTS-4672: Web Agent does not handle specific case for Not-Enforced URL and one level wildcard properly | Unresolved |
AMAGENTS-4590: login-fragment-relay page should have charset specified. | Fixed in 2024.3 |
AMAGENTS-3992: WPA: com.forgerock.agents.config.hostmap does not seem to use the IP address | Fixed in 2024.3 |
AMAGENTS-3663: Nginx Agent print absolute build path into debug logs | Fixed in 2024.6 |
AMAGENTS-3506: If there are permissions issues with password file with installation on IIS then the log messages are not helpful | Fixed in 2024.3 |
AMAGENTS-2813: Agents Logout perform logout multiple times | Unresolved |
AMAGENTS-2755: Currently when setting up the agent it is necessary to have a client certificate file when using S Channel | Unresolved |
Web Agent 2023.9
Issue | Comment |
---|---|
AMAGENTS-6494: Agents local policy eval fails. Agent name and policy application name are switched | Fixed in 2024.6, 2023.11.1 |
AMAGENTS-6175: Memory leak in credentials_secure_free | Fixed in 2023.11 |
AMAGENTS-6073: Idle timeout should not update on NEU with SSO Only, neu fetch and | Fixed in 2023.11 |
AMAGENTS-6046: convert_request_after_authn_post writes to /tmp instead of configured PDP directory | Fixed in 2024.3 |
AMAGENTS-5985: Interactive installation using existing agent configuration files duplicate properties which are commented out | Fixed in 2024.3 |
AMAGENTS-5958: Invalid error AMConfigurationException generated in the AM log | Fixed in 2024.11 |
AMAGENTS-5777: IIS web agent zip file includes 32bit DLL | Unresolved |
AMAGENTS-5718: Custom Login mode 2 doesn’t correctly process composite advice. | Unresolved |
AMAGENTS-5594: Web agent will return 403 errors if OpenSSL libraries aren’t loaded. | Fixed in 2023.11 |
AMAGENTS-5032: WPA: Native agents for windows do not correctly use unicode for the file system, resulting in configured files with garbled names. | Unresolved |
AMAGENTS-4672: Web Agent does not handle specific case for Not-Enforced URL and one level wildcard properly | Unresolved |
AMAGENTS-4590: login-fragment-relay page should have charset specified. | Fixed in 2024.3 |
AMAGENTS-3992: WPA: com.forgerock.agents.config.hostmap does not seem to use the IP address | Fixed in 2024.3 |
AMAGENTS-3663: Nginx Agent print absolute build path into debug logs | Fixed in 2024.6 |
AMAGENTS-3506: If there are permissions issues with password file with installation on IIS then the log messages are not helpful | Fixed in 2024.3 |
AMAGENTS-2813: Agents Logout perform logout multiple times | Unresolved |
AMAGENTS-2755: Currently when setting up the agent it is necessary to have a client certificate file when using S Channel | Unresolved |
Web Agent 2023.6
Issue | Comment |
---|---|
AMAGENTS-6494: Agents local policy eval fails. Agent name and policy application name are switched | Fixed in 2024.6, 2023.11.1 |
AMAGENTS-6175: Memory leak in credentials_secure_free | Fixed in 2023.11 |
AMAGENTS-6046: convert_request_after_authn_post writes to /tmp instead of configured PDP directory | Fixed in 2024.3 |
AMAGENTS-5995: Don’t extend user session for not enforced url with fetch attributes enabled | Fixed in 2023.9 |
AMAGENTS-5985: Interactive installation using existing agent configuration files duplicate properties which are commented out | Fixed in 2024.3 |
AMAGENTS-5833: WPA 403 error on /agent/cdsso-oauth2 with invalid jwt.aud.whitelist parameter value | Fixed in 2023.9 |
AMAGENTS-5777: IIS web agent zip file includes 32bit DLL | Unresolved |
AMAGENTS-5718: Custom Login mode 2 doesn’t correctly process composite advice. | Unresolved |
AMAGENTS-5594: Web agent will return 403 errors if OpenSSL libraries aren’t loaded. | Fixed in 2023.11 |
AMAGENTS-5495: Web agent validator reports access to OpenSSL v.1.1.x instead of v3.x | Fixed in 2023.9 |
AMAGENTS-5032: WPA: Native agents for windows do not correctly use unicode for the file system, resulting in configured files with garbled names. | Unresolved |
AMAGENTS-4672: Web Agent does not handle specific case for Not-Enforced URL and one level wildcard properly | Unresolved |
AMAGENTS-4590: login-fragment-relay page should have charset specified. | Fixed in 2024.3 |
AMAGENTS-3992: WPA: com.forgerock.agents.config.hostmap does not seem to use the IP address | Fixed in 2024.3 |
AMAGENTS-3663: Nginx Agent print absolute build path into debug logs | Fixed in 2024.6 |
AMAGENTS-3506: If there are permissions issues with password file with installation on IIS then the log messages are not helpful | Fixed in 2024.3 |
AMAGENTS-2813: Agents Logout perform logout multiple times | Unresolved |
AMAGENTS-2755: Currently when setting up the agent it is necessary to have a client certificate file when using S Channel | Unresolved |
AMAGENTS-2724: WPA: Custom login does not work, if agent is installed in different location than root | Duplicates AMAGENTS-5981 |
Web Agent 2023.3
Issue | Comment |
---|---|
AMAGENTS-6175: Memory leak in credentials_secure_free | Fixed in 2023.11 |
AMAGENTS-6046: convert_request_after_authn_post writes to /tmp instead of configured PDP directory | Fixed in 2024.3 |
AMAGENTS-5995: Don’t extend user session for not enforced url with fetch attributes enabled | Fixed in 2023.9 |
AMAGENTS-5985: Interactive installation using existing agent configuration files duplicate properties which are commented out | Fixed in 2024.3 |
AMAGENTS-5833: WPA 403 error on /agent/cdsso-oauth2 with invalid jwt.aud.whitelist parameter value | Fixed in 2023.9 |
AMAGENTS-5777: IIS web agent zip file includes 32bit DLL | Unresolved |
AMAGENTS-5495: Web agent validator reports access to OpenSSL v.1.1.x instead of v3.x | Fixed in 2023.9 |
AMAGENTS-5594: Web agent will return 403 errors if OpenSSL libraries aren’t loaded. | Fixed in 2023.11 |
AMAGENTS-5032: WPA: Native agents for windows do not correctly use unicode for the file system, resulting in configured files with garbled names. | Unresolved |
AMAGENTS-4672: Web Agent does not handle specific case for Not-Enforced URL and one level wildcard properly | Unresolved |
Web Agent 5.10
Issue | Comment |
---|---|
AMAGENTS-5995: Don’t extend user session for not enforced url with fetch attributes enabled | Fixed in 5.10.3 |
AMAGENTS-5833: WPA 403 error on /agent/cdsso-oauth2 with invalid jwt.aud.whitelist parameter value | Fixed in 2023.9 |
AMAGENTS-5777: IIS web agent zip file includes 32bit DLL | Unresolved |
AMAGENTS-5495: Web agent validator reports access to OpenSSL v.1.1.x instead of v3.x | Fixed in 2023.9 |
AMAGENTS-5594: Web agent will return 403 errors if OpenSSL libraries aren’t loaded. | Fixed in 2023.11 |
AMAGENTS-5032: WPA: Native agents for windows do not correctly use unicode for the file system, resulting in configured files with garbled names. | Unresolved |
AMAGENTS-4984: Setting samesite cookie to lax will cause the agent auth flow to fail if we are using different sites | Duplicates AMAGENTS-5189 |
AMAGENTS-4672: Web Agent does not handle specific case for Not-Enforced URL and one level wildcard properly | Unresolved |
Limitations
The following limitations are inherent to the design, not bugs to be fixed.
Custom login redirection mode
Redirect of users to a specific AM instance, an AM site, or website other than AM. For more information, refer to Login redirect.
Ignore path info properties
The NGINX Plus web agent doesn’t support the following ignore path info properties:
- com.sun.identity.agents.config.ignore.path.info
- com.sun.identity.agents.config.ignore.path.info.for.not.enforced.list
IIS Web Agent installation
Locked IIS configuration
Installing web agents in IIS may fail with an error similar to the following:
Creating configuration...
Error: failed to create module entry for MACHINE/WEBROOT/APPHOST/AgentSite/ (error 0x80070021, line: 1823).
The process cannot access the file because another process has locked a portion of the file. (error: 0x21).
Installation failed.
This error message means the agentadmin.exe command cannot access some IIS configuration files because they are locked.
To work around this issue, perform the following steps:
- Open the IIS Manager and select the Configuration Editor.
- Unlock the IIS system.webServer/modules module.
- Retry the web agent installation.
Unlocking the system.webServer/modules module should allow the installation to finish. However, you may need to unlock other modules depending on your environment.
Installation order
In an IIS environment where you need to protect a parent application and a child application with different web agent configurations, you must install the web agent on the child application before installing the web agent in the parent. Trying to install a web agent on a child that is already protected will result in error.
IIS Web Agent with client-based sessions
IIS web agents configured for client-based sessions will return HTTP 403 errors when trying to access a protected resource if com.sun.identity.client.notification.url is configured.
The com.sun.identity.client.notification.url property was removed in an earlier unsupported release. Earlier versions of Web Agent use it to specify the notification listener for the agent. However, to provide backwards-compatibility with earlier versions of the agents, AM populates this property when creating the agent profile.
The value of this property should be removed for all agent installations, and must be removed for IIS web agents configured for client-based sessions.
Apache HTTP server authentication functionality
The web agent replaces authentication functionality provided by Apache, for example, the mod_auth_* modules. Integration with built-in Apache httpd authentication directives, such as AuthName, FilesMatch, and Require is not supported.
Custom error pages not showing after upgrade
After upgrading, you may see the default Apache welcome pages instead of custom error pages defined by the Apache ErrorDocument directive.
If you encounter this issue, check your Apache ErrorDocument configuration. If the custom error pages are not in the document root of the Apache HTTP Server, you should enclose the ErrorDocument directives in Directory elements.
For example:
<Directory "/web/docs">
ErrorDocument 403 myCustom403Error.html
</Directory>
Refer to the Apache documentation for more details on the ErrorDocument directive.
CA certificate file name property not honored
If you are using the Windows built-in Secure Channel API but your environment does not require client authentication, instead of setting the CA certificate friendly name in the CA Certificate File Name Property, set it in the Public Client Certificate File Name property. For example:
com.forgerock.agents.config.cert.ca.file =
com.forgerock.agents.config.cert.file = CA-cert-friendly-name
com.sun.identity.agents.config.trust.server.certs = false
Appendix A: Release levels and interface stability
You can find information about release levels in the Ping Identity Product Support Lifecycle Policy | PingGateway and Agents.
Product stability labels
Ping Identity Platform software supports many features, protocols, APIs, GUIs, and command-line interfaces. Some of these are standard and very stable. Others offer new functionality that is continuing to evolve.
Ping Identity acknowledges you invest in these features and interfaces and so need to understand when they are expected to change. For that reason, we define stability labels and use these definitions in Ping Identity Platform products.
Stability Label | Definition |
---|---|
Stable | This documented feature or interface is expected to undergo backwards-compatible changes only for major releases. Changes may be announced at least one minor release before they take effect. |
Evolving | This documented feature or interface is continuing to evolve and so is expected to change, potentially in backwards-incompatible ways even in a minor release. Changes are documented at the time of product release. While new protocols and APIs are still in the process of standardization, they are Evolving. This applies, for example, to recent Internet-Draft implementations and to newly developed functionality. |
Legacy | This feature or interface has been replaced with an improved version, and is no longer receiving development effort from Ping Identity. You should migrate to the newer version, however the existing functionality will remain. Legacy features or interfaces will be marked as Deprecated if they are scheduled to be removed from the product. |
Deprecated | This feature or interface is deprecated, and likely to be removed in a future release. For previously stable features or interfaces, the change was likely announced in a previous release. Deprecated features or interfaces will be removed from Ping Identity products. |
Removed | This feature or interface was deprecated in a previous release, and has now been removed from the product. |
Technology Preview | Technology previews provide access to new features that are considered as new technology that is not yet supported. Technology preview features may be functionally incomplete, and the function as implemented is subject to change without notice. DO NOT DEPLOY A TECHNOLOGY PREVIEW INTO A PRODUCTION ENVIRONMENT. Customers are encouraged to test drive the technology preview features in a non-production environment, and are welcome to make comments and suggestions about the features in the associated forums. Ping Identity does not guarantee that a technology preview feature will be present in future releases, the final complete version of the feature is liable to change between preview and the final version. Once a technology preview moves into the completed version, said feature will become part of Ping Identity Platform. Technology previews are provided on an “AS-IS” basis for evaluation purposes only, and Ping Identity accepts no liability or obligations for the use thereof. |
Internal/Undocumented | Internal and undocumented features or interfaces can change without notice. If you depend on one of these features or interfaces, contact support to discuss your needs. |
Getting support
Ping Identity provides support services, professional services, training, and partner services to assist you in setting up and maintaining your deployments. For a general overview of these services, see https://www.pingidentity.com.
Ping Identity has staff members around the globe who support our international customers and partners. For details on Ping Identity’s support offering, visit https://www.pingidentity.com/support.
Ping Identity publishes comprehensive documentation online:
- The Ping Identity Knowledge Base offers a large and increasing number of up-to-date, practical articles that help you deploy and manage Ping Identity Platform software.
While many articles are visible to everyone, Ping Identity customers have access to much more, including advanced information for customers using Ping Identity Platform software in a mission-critical capacity.
- Ping Identity product documentation, such as this document, aims to be technically accurate and complete with respect to the software documented. It is visible to everyone and covers all product features and examples of how to use them.
Security advisories
Ping Identity issues security advisories in collaboration with our customers to address any security vulnerabilities transparently and rapidly.
Ping Identity’s security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.
You can find security advisories in the Knowledge Base.
Release timeline
Release date | Web Agent version | Release type(1) |
---|---|---|
March 2025 | 2025.3 | Major |
January 2025 | 5.10.4 | Maintenance |
December 2024 | 2023.11.2 | Maintenance |
November 2024 | 2024.11 | Minor |
September 2024 | 2024.9 | Minor |
July 2024 | 2023.11.1 | Maintenance |
June 2024 | 2024.6 | Minor |
April 2024 | 5.10.3 | Maintenance |
March 2024 | 2024.3 | Major |
November 2023 | 2023.11 | Minor |
September 2023 | 2023.9 | Minor |
June 2023 | 2023.6 | Minor |
March 2023 | 2023.3 | Major |
February 2023 | 5.10.2 | Maintenance |
December 2022 | 5.10.1 | Maintenance |
June 2022 | 5.10 | Minor |
January 2022 | 5.9.1 | Maintenance |
September 2021 | 5.9 | Minor |
February 2021 | 5.8 | Minor |
August 2020 | 5.7 | Minor |
April 2019 | 5.6 | Minor |
October 2018 | 5.5 | Minor |
December 2017 | 5 | Major |
November 2015 | 4 | Major |
November 2013 | 3.3 | Minor |
February 2013 | 3.1-Xpress | Minor |
February 2010 | 3 | Major |
(1) You can find details about the scope of expected changes for different release types in Ping Identity Product Support Lifecycle Policy | PingGateway and Agents.