PingAM release notes

New in AM 7.1.x

AM 7.1.4

AM 7.1.4 is the latest maintenance release targeted for AM 7.1 deployments and can be downloaded from the Backstage website.

The release can be deployed as an initial deployment or updated from an existing AM 7.1.x deployment.

No new features have been added in AM 7.1.4.

AM 7.1.3

AM 7.1.3 is a maintenance release that introduces functional enhancements and fixes.

The release can be deployed as an initial deployment or updated from an existing AM 7.1.x deployment.

To make it easier to publish keys used for remote consent, AM 7.1.3 provides a new JWKs URI, specifically for remote consent agents. This URI indicates where a remote consent service can obtain the keys that AM uses to sign and encrypt the consent request. These keys include:

  • The public signing key, used to sign the consent request that is sent to the remote consent server, so that it can be validated on the remote consent server.

  • The public encryption key for the consent response, so that the response can be encrypted (if encryption is enabled).

The default JWKs URI for remote consent clients is /oauth2/consent_agents/jwk_uri.

For example, https://openam.example.com:8443/openam/oauth2/realms/root/realms/alpha/consent_agents/jwk_uri.

Keep-alive and load balancer availability checks

DS has introduced a new LDAP health check feature that changes how AM determines server availability. Keep-alive checks are now sent on every LDAP connection to prevent idle timeouts, and separate availability checks are performed for load-balanced connections.

Two new advanced server properties determine the settings for the keep-alive and availability checks:

  • org.forgerock.openam.ldap.keepalive.search.base

  • org.forgerock.openam.ldap.keepalive.search.filter

For details, refer to Advanced properties.

AM 7.1.2

org.forgerock.openam.encryption.padshortinputs system property for AES Key Wrap encryption

A new Java system property (org.forgerock.openam.encryption.padshortinputs) pads short inputs to AES Key Wrap encryption for compatibility with Java 17, in preparation for upgrading to that Java version.

For details, refer to Preparing AES Key Wrap Encryption.

org.forgerock.openam.authentication.forceAuth.enabled advanced server property for authentication chains

A new advanced server property (org.forgerock.openam.authentication.forceAuth.enabled) controls the ForceAuth authentication property for chains.

AM 7.1.1

There are no new features in AM 7.1.1, only bug fixes.

AM 7.1

AM 7.1.0 is a minor release that introduces new features, functional enhancements, and fixes.

OAuth 2.0 and OpenID Connect Token Exchange Support

Following the OAuth 2.0 Token Exchange specification (RFC 8693), AM 7.1 now lets you exchange ID tokens and access tokens in delegation and impersonation use cases.

For details, refer to OAuth 2.0 Token Exchange.
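
The following is an added example and is not PingAM code or documentation. It builds the RFC 8693 request body for the two cases named above (delegation, which carries an actor token, and impersonation, which must not), checks the minimum the spec requires of the response, and walks the nested act claim of a token returned from a delegation exchange. The token values, audience and the sample claims are constructed placeholders; the parameter names and URNs are the ones RFC 8693 defines.

```javascript
// Added example (not PingAM code): RFC 8693 token-exchange request/response handling.
const TOKEN_EXCHANGE_GRANT = 'urn:ietf:params:oauth:grant-type:token-exchange';
const TOKEN_TYPES = {
  access_token: 'urn:ietf:params:oauth:token-type:access_token',
  id_token: 'urn:ietf:params:oauth:token-type:id_token',
};

// Returns the form body to POST to the authorization server's token endpoint.
function buildExchangeRequest({ mode, subjectToken, subjectTokenType, actorToken, actorTokenType, scope, audience }) {
  if (!TOKEN_TYPES[subjectTokenType]) throw new Error(`unsupported subject_token_type: ${subjectTokenType}`);
  const params = new URLSearchParams({
    grant_type: TOKEN_EXCHANGE_GRANT,
    subject_token: subjectToken,
    subject_token_type: TOKEN_TYPES[subjectTokenType],
  });
  if (mode === 'delegation') {
    // Delegation: the caller keeps its own identity and acts on behalf of the subject,
    // so it must present its own token; the issued token then records it in `act`.
    if (!actorToken || !TOKEN_TYPES[actorTokenType]) {
      throw new Error('delegation requires actor_token and a supported actor_token_type');
    }
    params.set('actor_token', actorToken);
    params.set('actor_token_type', TOKEN_TYPES[actorTokenType]);
  } else if (mode === 'impersonation') {
    // Impersonation: the caller becomes the subject; no actor is recorded, so sending
    // an actor token here is a configuration mistake rather than a harmless extra.
    if (actorToken) throw new Error('impersonation must not send actor_token');
  } else {
    throw new Error(`unknown mode: ${mode}`);
  }
  if (scope) params.set('scope', scope);
  if (audience) params.set('audience', audience);
  return params;
}

// RFC 8693 section 2.2.1: issued_token_type and access_token are required in a success response.
function parseExchangeResponse(body) {
  if (typeof body.access_token !== 'string' || typeof body.issued_token_type !== 'string') {
    throw new Error('malformed token exchange response');
  }
  return { token: body.access_token, issuedTokenType: body.issued_token_type, expiresIn: body.expires_in };
}

// Walk the nested `act` claim: the outermost `act` is the current actor, each nested
// `act` is a prior actor in the delegation chain (RFC 8693 section 4.1).
function actorChain(claims) {
  const chain = [];
  for (let a = claims.act; a; a = a.act) chain.push(a.sub);
  return chain;
}

// Constructed sample: decoded payload of an access token obtained by delegation.
const SAMPLE_DELEGATED_CLAIMS = {
  sub: 'alice', aud: 'api.example.com',
  act: { sub: 'svc-gateway', act: { sub: 'svc-frontend' } },
};

console.log(buildExchangeRequest({
  mode: 'delegation', subjectToken: 'eyJ...subject', subjectTokenType: 'id_token',
  actorToken: 'eyJ...actor', actorTokenType: 'access_token', audience: 'api.example.com',
}).toString());
console.log('actor chain:', actorChain(SAMPLE_DELEGATED_CLAIMS));
```

When authorizing a delegated call, check the whole chain, not just the subject: a token whose innermost actor is a service you never granted delegation rights to should be rejected even if sub and the outer actor look right.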

Social identity provider client improvements

AM 7.1 enhances the OAuth 2.0/OpenID Connect client support offered in the Social Identity Provider Service. To connect to financial-grade identity providers, AM and Ping Identity Platform can now:

  • Use acr values to specify a set of rules that the authorization request must satisfy when authenticating to the provider; for example, using multi-factor authentication.

    A new property, ACR Values, has been added to the OpenID Connect secondary configuration of the Social Identity Provider Service.

  • Accept encrypted ID tokens.

    AM includes a new JWK URI, which the provider can use to obtain keys for verifying request object signatures, and for encrypting ID tokens.

    Two new properties have been added to the OpenID Connect secondary configuration of the Social Identity Provider Service:

    • OP Encrypts ID Tokens

    • Issuer

  • Send request parameters in a JWT, or as a reference to a JWT.

    The JWT is always signed, and optionally encrypted.

    As part of this change, the following fields have been added to the OpenID Connect secondary configuration of the Social Identity Provider Service:

    • Request Parameter JWT Option

    • Request Object Audience

    • Encrypt Request Parameter JWT

    • JWT Signing Algorithm

    • JWT Encryption Algorithm

    • JWT Encryption Method

  • Authenticate using a JWT or mutual TLS (mTLS).

    The JWT is always signed, and optionally encrypted.

    As part of this change, the Use Basic Auth switch in the client has been replaced with the Client Authentication Method drop-down list, which contains the following options:

    • CLIENT_SECRET_POST

    • CLIENT_SECRET_BASIC

    • PRIVATE_KEY_JWT

    • ENCRYPTED_PRIVATE_KEY_JWT

    • TLS_CLIENT_AUTH

    • SELF_SIGNED_TLS_CLIENT_AUTH

    AM 7.1 also includes a new advanced server property, openam.private.key.jwt.encryption.algorithm.whitelist, that specifies the algorithms the client can use to encrypt authentication JWTs and request object JWTs.

  • Let social providers return ID tokens by submitting an HTML form using the HTTP POST method, as defined in the OAuth 2.0 Form Post Response Mode specification.

    The Response Mode drop-down list has been added to the OpenID Connect secondary configuration of the Social Identity Provider Service.

    The Redirect after form post URL property has been added to support the form post response mode in custom login pages.

AM 7.1 provides a preconfigured client for Apple and itsme. For details, refer to Social Authentication and the /oauth2/connect/rp/jwk_uri endpoint.

OpenID Connect backchannel logout

As the OpenID provider, AM 7.1 supports the OpenID Connect Back-Channel Logout 1.0 Draft 06. This draft lets AM send logout tokens to relevant relying parties when a session associated with an ID token becomes invalid.

As part of this change, the Store OPS Tokens switch, used to enable session management at the provider, has been renamed to OIDC Session Management.

When OIDC Session Management is enabled, ID tokens contain a new claim, sid. This claim specifies a session ID that identifies the relying party’s session with the provider. The sid can also be found in the logout tokens, if enabled.

For details, refer to Informing Relying Parties that a Session has Expired.

Push authentication nodes

AM 7.1 adds a number of authentication nodes to assist with push authentication:

Account Active Check authentication module

AM 7.1 includes an Account Active Check authentication module that lets you determine whether an account is active or locked, without having to run through the rest of the authentication chain.

For details, refer to Account Active Check Module.

Properties available to claims and access token scripts

AM 7.1 adds new properties to the OpenID Connect Claims and OAuth 2.0 Access Token Modification script types, to access the properties of the relevant client and the incoming request.

For details, refer to Scripting OpenID Connect 1.0 Claims and Modifying the Content of Access Tokens.

live and ready status endpoints

AM 7.1 includes new endpoints to check whether an instance is alive and ready to process requests.

For details, refer to Monitoring Instances.

Access to secrets and credentials in authentication scripts

AM 7.1 adds the ability for scripted decision nodes to access the secrets configured in AM secret stores.

For example, a script can access credentials or secrets defined in a file system secret volume in order to make outbound calls to a third-party REST service, without hard-coding those credentials in the script.

For details, refer to Accessing Credentials and Secrets.

Support for PEM-formatted keys and certificates

AM 7.1 adds support for loading the following PEM-formatted secrets:

  • Elliptic Curve and RSA private keys

    • OpenSSL format

    • PKCS#8 format

  • X.509 certificates

  • RSA public keys

  • (non-standard) AES secret keys

  • (non-standard) HMAC secret keys

  • (non-standard) Generic secrets, such as connection passwords or API keys

Use PEM secrets on the secret stores that support it:

  • Environment and system property secrets store

  • File system secret volumes

  • Google GSM secret stores

For more information, refer to Importing PEM-Formatted Keys.

Session service uses secret stores

Client-based sessions and client-based authentication sessions now use secret stores for:

  • Signing JWTs with RSA and elliptic curve algorithms.

  • Encrypting JWTs with RSA algorithms.

The upgrade process migrates the relevant configuration to secret stores automatically. HMAC signing secrets and symmetric AES keys for encryption have not been migrated yet, and are still available in the Session service configuration page.

For more information, refer to Configuring Client-Based Session Security.

Loading secrets from Google Secret Manager

AM 7.1 lets you load secrets from Google Secret Manager (GSM).

For details, refer to Google GSM Secret Stores.

New OATH nodes

AM 7.1 adds two new multi-factor authentication nodes that replicate the existing OATH module functionality: