Changes in AM 8.0.x

AM 8.0 supports Apache Tomcat 10 as a web application container. If you use Apache Tomcat, you must upgrade to at least version 10 before you upgrade to AM 8.0.

Find more information in Upgrade Tomcat.

As part of this change, you should rewrite scripts that used the javax.servlet.request.X509Certificate attribute in the servlet request to obtain the client certificate. Your updated scripts should use the jakarta.servlet.request.X509Certificate attribute instead.

Authentication modules and chains have been removed in AM 8.0. If you’re still using modules and chains for authentication, you must migrate to nodes and trees as soon as possible.

Clients can provide mTLS certificates to AM using trusted headers. AM now supports certificates in Base64-encoded PEM and DER format.

The corresponding value of the TLS Client Certificate Header Format configuration property on the OAuth2 Provider service has therefore changed from URLENCODED_PEM to BASE64_ENCODED_CERT.

Previously, for WebAuthn flows, if an authenticator provided an attestation that included the certificate authority (CA) root certificate, AM would remove and silently ignore the certificate. This behavior has changed in AM 8.0.

Now, if the authenticator provides an attestation that contains an invalid certificate chain (including the root CA certificate in the chain), PingAM rejects the attestation and throws an InvalidDataException error. The root certificate must be issued and securely distributed by a CA.

To monitor server activity with Prometheus, use one of the new endpoints:

Learn more in Monitor with Prometheus.

Sessions that are created to track progress through an authentication tree were previously referred to as authentication sessions, and sessions that are created after a user has authenticated were just referred to as sessions.

This release introduces the following new terminology to clarify and simplify the distinction between these session types:

This change is reflected in the documentation.

You no longer need to specify a well-known endpoint when configuring a custom OIDC Social Identity Provider service.

If the well-known endpoint isn’t specified, AM verifies signatures using the JWK location, keystore location, or the client secret.

To facilitate logging out of WS-Federation and multiprotocol environments (WS-Federation communicating with SAML 2.0), you must add the URL specified in the com.sun.identity.wsfederation.logout.wreply query parameter to the Valid goto URL Resources field in the validation service. If you don’t add this URL, redirection fails.

Learn more in Add a URL to the validation service.

The OAuth 2.0 version of the LinkedIn social identity provider configuration profile is deprecated by LinkedIn. This deprecated version has been renamed to LinkedIn (Legacy).

To configure your social identity provider with the latest OIDC version of the LinkedIn profile, use the LinkedIn profile.

The SOAP STS service has been removed in this release. If you’re still using the SOAP STS, you must migrate to the REST STS.

When you upgrade to AM 8, the SOAP STS agents and configuration are deleted. Make sure you retain anything useful to your migration prior to upgrading.

Two new fields, subject and issuer, replace the accountId field used by the jwtAssertion and jwtValidator script bindings. This lets you specify separate values for these JWT claims.

If specified, the accountId is now used as the values for issuer, stableId, and subject when these values aren’t provided.

Learn more in Generate and validate JWTs.