PingAM release notes

New in AM 7.3.x

AM 7.3.2

AM 7.3.2 is a maintenance release that introduces functional enhancements and fixes.

Backchannel logout token contains exp claim

The logout token generated during backchannel logout now contains an exp claim.

Learn more in Backchannel logout.

System property for social provider sub claim uniqueness

A new system property (org.forgerock.openam.oidc.SocialProvider.sub.claim.is.not.unique) indicates that the OIDC social provider doesn’t return a unique value for the sub claim.

This is false by default.

New ssoadm commands update attributes in a realm service

A fix to the deprecated ssoadm tool adds the following new commands:

  • add-realm-default-attributes

  • set-realm-default-attributes

  • remove-realm-default-attributes

  • get-realm-default-attributes

These commands work on realm defaults from AM 7 onwards.

AM 7.3.1

AM 7.3.1 is a maintenance release that introduces functional enhancements and fixes.

Storing identified identities in the authentication session

The following new methods let you record users and agents verified to exist in an identity store:

org.forgerock.openam.auth.node.api.Action
  • public ActionBuilder withIdentifiedIdentity(AMIdentity id)

  • public ActionBuilder withIdentifiedIdentity(String username, IdType id)

org.forgerock.openam.auth.nodes.script.ActionWrapper
  • public ActionWrapper withIdentifiedAgent(String agentName)

  • public ActionWrapper withIdentifiedUser(String username)

A new advanced server property, org.forgerock.am.auth.trees.authenticate.identified.identity, determines whether AM uses these stored identified identities when deciding which user to log in.

This lets custom nodes and decision node scripts correctly resolve identities that have the same username.

For more information, refer to advanced server properties.

Scripting logger name change

Scripts that log debug messages create loggers that now include the name of the script.

The name of a scripting logger uses the format scripts.<context>.<script UUID>.(<script name>); for example, scripts.OIDC_CLAIMS.36863ffb-40ec-48b9-94b1-9a99f71cc3b5.(OIDC Claims Script).

Refer to Debug logging.
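As an added example (not code from the PingAM documentation), the following Python parses logger names in the scripts.<context>.<script UUID>.(<script name>) format described above and counts debug lines per script. The log lines are constructed samples that use a tab between the logger name and the message; the real AM debug line layout is not described on this page, and the decision-node context name is assumed.

```python
# Added example (not from the PingAM docs): parse scripting logger names of the form
# scripts.<context>.<script UUID>.(<script name>) and summarise which scripts
# appear in a debug log. Log lines below are constructed and tab-separated.
import re
from collections import Counter

UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
LOGGER_NAME = re.compile(
    rf"scripts\.(?P<context>[A-Z0-9_]+)\.(?P<uuid>{UUID})\.\((?P<name>[^\t]*)\)"
)


def parse_logger_name(logger):
    """Split a scripting logger name into context, uuid and name; None if not one.

    fullmatch is used so a script name that itself contains parentheses,
    such as "Risk Check (v2)", is still recovered whole.
    """
    m = LOGGER_NAME.fullmatch(logger)
    return m.groupdict() if m else None


# Constructed sample lines: "<timestamp>\t<level>\t<logger>\t<message>".
# The AUTHENTICATION_TREE_DECISION_NODE context name is an assumption.
SAMPLE_LINES = [
    "2023-01-10T10:00:01Z\tDEBUG\tscripts.OIDC_CLAIMS.36863ffb-40ec-48b9-94b1-9a99f71cc3b5.(OIDC Claims Script)\tadding claims",
    "2023-01-10T10:00:02Z\tDEBUG\tscripts.AUTHENTICATION_TREE_DECISION_NODE.11111111-2222-3333-4444-555555555555.(Risk Check (v2))\tscore=3",
    "2023-01-10T10:00:03Z\tDEBUG\tscripts.OIDC_CLAIMS.36863ffb-40ec-48b9-94b1-9a99f71cc3b5.(OIDC Claims Script)\tdone",
    "2023-01-10T10:00:04Z\tDEBUG\tamAuth\tnot a scripting logger",
]


def scripts_in_log(lines):
    """Count debug lines per script; the key is (context, uuid, name)."""
    counts = Counter()
    for line in lines:
        fields = line.split("\t")
        if len(fields) < 4:
            continue
        parsed = parse_logger_name(fields[2])
        if parsed:
            counts[(parsed["context"], parsed["uuid"], parsed["name"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in scripts_in_log(SAMPLE_LINES).items():
        print(n, key)
```

Because the UUID is part of the logger name, two scripts that share a display name are still counted separately, which is what you want when deciding which individual script to raise to DEBUG.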

Customize account lockout message

Use the new ActionBuilder.withLockoutMessage(String lockoutMessage) method in a Scripted Decision node to customize the message displayed to an end user when their account is locked or inactive.

For details, refer to Scripted decision node API.

Setting to permit client credentials in token endpoint query parameters

The OAuth 2.0 Provider service includes a new advanced property, Allow Client Credentials in Token Endpoint Query Parameters, that lets you include client credentials as query parameters in OAuth 2.0 token endpoint requests.

In previous AM versions, you could supply client credentials (the client_id and client_secret) as query parameters in POST requests to the /oauth2/access_token endpoint. This is now prohibited by default and you must include the credentials within the POST request body.

The new Allow Client Credentials in Token Endpoint Query Parameters setting controls this behavior and is false by default in new deployments. For security reasons, keep this property disabled to prevent client credentials from being included as query parameters.

When you upgrade an existing deployment to AM 7.3.1, this property is initially set to true for legacy support. After upgrading, you should update your scripts and clients to support the new behavior then set the property to false.
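The following Python is an added example, not code from the PingAM documentation. It builds a token request that carries the client credentials in the POST body (client_secret_post) or in an Authorization header (client_secret_basic), and includes a check that flags credentials in the query string, the legacy pattern that AM 7.3.1 now rejects by default. The endpoint URL, client ID and secret are constructed values.

```python
# Added example (not from the PingAM docs): build an OAuth 2.0 token request with
# client credentials in the body or Basic header, and check that no credentials
# appear in the query string. URL, client id and secret are constructed samples.
import base64
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_URL = "https://am.example.com/am/oauth2/realms/root/access_token"  # constructed
CREDENTIAL_PARAMS = ("client_id", "client_secret")


def build_token_request(client_id, client_secret, scope, use_basic_auth=False):
    """Return (url, headers, body) for a client_credentials grant.

    Credentials never go into the URL: they are either form fields in the
    body (client_secret_post) or an HTTP Basic header (client_secret_basic).
    """
    form = {"grant_type": "client_credentials", "scope": scope}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if use_basic_auth:
        token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {token}"
    else:
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    return TOKEN_URL, headers, urlencode(form)


def credentials_in_query(url):
    """Names of credential parameters present in the query string of url.

    Query strings end up in access logs, proxy logs and browser history,
    which is why a non-empty result should fail a client-side review.
    """
    query = parse_qs(urlsplit(url).query)
    return [name for name in CREDENTIAL_PARAMS if name in query]


def body_field(body, name):
    """Value of a form field in a urlencoded body, or None if absent."""
    return parse_qs(body).get(name, [None])[0]


# Legacy style that AM 7.3.1 rejects by default: credentials in the URL (constructed).
LEGACY_URL = TOKEN_URL + "?client_id=myClient&client_secret=s3cret-example"


if __name__ == "__main__":
    print("legacy request leaks:", credentials_in_query(LEGACY_URL))
    url, headers, body = build_token_request("myClient", "s3cret-example", "profile")
    print("hardened request leaks:", credentials_in_query(url))
    print("body:", body)
```

Running credentials_in_query over the URLs your clients actually send (for example from an outbound proxy log) is a quick way to find the callers that still need updating before you set the property back to false.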

AM 7.3

AM 7.3 is a minor release that introduces new features, functional enhancements, and fixes.

An issue was discovered in the 7.3.0 release of DS that has the potential to corrupt static groups. To ensure data integrity, we highly recommend upgrading to DS 7.3.1. This issue affects the stability and reliability of static groups only. Continuing to use DS 7.3.0 may lead to data corruption and other unintended consequences.

The necessary fixes were made in DS 7.3.1; however if you deployed AM with DS 7.3.0, and you use static groups, you must contact Support for assistance with resolving the data corruption.

Combined MFA Registration node

The Combined MFA Registration node lets an authenticated user register a device, such as a mobile phone, for multi-factor authentication with a push notification and an OATH one-time password in a single step.

For details, refer to Combined MFA Registration node.

OIDC ID Token Validator node

The OIDC ID Token Validator node provides similar functionality to the OpenID Connect id_token bearer module. It evaluates whether the ID token is valid according to the OIDC specification, letting AM rely on the ID token from an OpenID provider (OP) to authenticate an end user.

For details, refer to OIDC ID Token Validator.

OATH Device Storage node

The OATH Device Storage node stores devices in the user profile after an OATH Registration node records them in the shared state.

For details, refer to OATH Device Storage node.

Support for EdDSA for WebAuthn

The WebAuthn Registration node now supports EdDSA as a signing algorithm. Devices that provide EdDSA-signed attestation data in packed format during registration (specifically EdDSA with the Ed25519 curve, as required by the WebAuthn specification) are now supported.

Scripted support for SAML v2.0 SP adapter

You can now customize the SP adapter with a script. Create a script of type SAML2_SP_ADAPTER and configure the hosted SP entity to use the custom script.

For details, refer to SP adapter.

Addition of prompt_values_supported to the OIDC exposed configuration

The OpenID Connect well-known/openid-configuration endpoint has been enhanced to expose the prompt_values_supported parameter of the provider configuration.

Support for multi-tenant social identity providers

Social identity provider configuration now lets you specify a regular expression to evaluate the issuer claim in ID tokens.

For details, refer to the Issuer comparison check setting.

For details, refer to Advanced properties.
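As an added example (not code from the PingAM documentation), the Python below shows why a regular expression used to accept the iss claim of ID tokens from a multi-tenant provider must be anchored to the whole value and must escape literal dots. The issuer URL shape and tenant ID are constructed, and the page does not state how AM applies the Issuer comparison check pattern internally; the example shows the difference between a whole-value match and a find-anywhere match so you can test your own pattern before relying on it.

```python
# Added example (not from the PingAM docs): compare a whole-value issuer match with
# an unanchored one, using a constructed multi-tenant issuer shape
# https://login.example.com/<tenant>/v2.0 and a constructed tenant id.
import re

# Pattern that accepts any tenant of the constructed provider: dots escaped,
# tenant restricted to a UUID-like token, nothing else allowed around it.
TENANT_ISSUER = r"https://login\.example\.com/[0-9a-f-]{36}/v2\.0"

# Same intent, but the unescaped dots match any character.
UNESCAPED_DOTS = r"https://login.example.com/[0-9a-f-]{36}/v2.0"


def issuer_allowed(iss, pattern):
    """Accept iss only if the whole value matches pattern."""
    return re.fullmatch(pattern, iss) is not None


def issuer_allowed_unanchored(iss, pattern):
    """What a find-anywhere comparison does: any substring match passes."""
    return re.search(pattern, iss) is not None


TENANT = "6ba7b810-9dad-11d1-80b4-00c04fd430c8"  # constructed tenant id
GOOD = f"https://login.example.com/{TENANT}/v2.0"
# A foreign issuer whose path merely contains the expected issuer string.
LOOKALIKE_PATH = f"https://evil.example.net/{GOOD}"
# A host that differs only where the weak pattern had an unescaped dot.
LOOKALIKE_HOST = f"https://login-example.com/{TENANT}/v2.0"


if __name__ == "__main__":
    for label, iss in [("good", GOOD), ("path", LOOKALIKE_PATH), ("host", LOOKALIKE_HOST)]:
        print(label, "anchored:", issuer_allowed(iss, TENANT_ISSUER),
              "unanchored:", issuer_allowed_unanchored(iss, TENANT_ISSUER),
              "unescaped dots:", issuer_allowed(iss, UNESCAPED_DOTS))
```

The iss check is only one of the validations an ID token needs (signature, aud, exp and nonce still apply); the point of the example is that the tenant pattern should admit exactly the issuers you intend, and a quick table like the one this prints is a cheap way to confirm that.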

Ability to invalidate sessions by username

The new logoutByUser action on the json/sessions endpoint lets you log out all sessions for a specified user. This action is available for server-side and client-side sessions but is disabled for client-side sessions by default. For more information, refer to Invalidate all sessions for a user.

This action introduces a new audit notification topic /agent/session.v2. Subscribers to this topic receive the same notifications available from the /agent/session topic with an additional notification message for a LOGOUT_USER_TOKEN event. This event is created in the activity audit log whenever logoutByUser is invoked. The action is CREATE or UPDATE depending on whether a token for the user being logged out exists.

The userId component of this entry is that of the caller, not of the target. For example, if an administrative user logs out another user, the userId is that of the administrative user, not that of the user being logged out. The objectId indicates the target of the operation.

The LOGOUT_USER_TOKEN event notification has a different syntax. Instead of a sessionuuid, it contains the user’s universalId. For example:

{
  "topic": "/agent/session.v2",
  "timestamp": "2022-11-14T09:56:56.814Z",
  "body": {
    "universalId": "id=demo,ou=user,dc=openam,dc=forgerock,dc=org",
    "eventType": "LOGOUT_USER_TOKEN"
  }
}

Consumers cannot rely on new events having identical syntax and should check the eventType before deciding how to process the event.
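The following Python is an added example, not code from the PingAM documentation. It implements a consumer for the /agent/session.v2 topic that dispatches on eventType rather than assuming one message shape, and applies each notification to a small agent-side session cache. The LOGOUT_USER_TOKEN message is the one shown above; the session-scoped message, its SESSION_LOGOUT event name and the cache layout are constructed stand-ins, since the page gives only the field name sessionuuid for the existing notifications.

```python
# Added example (not from the PingAM docs): dispatch /agent/session.v2 notifications
# by eventType and apply them to an agent-side session cache. The session-scoped
# message and its event name are constructed; only LOGOUT_USER_TOKEN is from the page.
import json

LOGOUT_USER_TOKEN = '''{
  "topic": "/agent/session.v2",
  "timestamp": "2022-11-14T09:56:56.814Z",
  "body": {
    "universalId": "id=demo,ou=user,dc=openam,dc=forgerock,dc=org",
    "eventType": "LOGOUT_USER_TOKEN"
  }
}'''

# Constructed stand-in for a session-scoped notification (event name assumed).
SESSION_EVENT = '''{
  "topic": "/agent/session.v2",
  "timestamp": "2022-11-14T09:57:01.000Z",
  "body": {
    "sessionuuid": "sess-0001-constructed",
    "eventType": "SESSION_LOGOUT"
  }
}'''


def classify(raw):
    """Return ("user", universalId), ("session", sessionuuid) or ("unknown", eventType)."""
    msg = json.loads(raw)
    body = msg.get("body", {})
    event = body.get("eventType")
    if event == "LOGOUT_USER_TOKEN":
        # New in 7.3: names a user, not a session; every session of that
        # universalId is affected.
        return ("user", body["universalId"])
    if "sessionuuid" in body:
        return ("session", body["sessionuuid"])
    # Unknown shapes are surfaced, never silently treated as session events.
    return ("unknown", event)


class SessionCache:
    """Tiny cache keyed by session id, holding the owner's universalId."""

    def __init__(self):
        self._sessions = {}

    def add(self, session_id, universal_id):
        self._sessions[session_id] = universal_id

    def apply(self, raw):
        """Apply one notification and return the list of evicted session ids."""
        kind, value = classify(raw)
        if kind == "session":
            return [value] if self._sessions.pop(value, None) is not None else []
        if kind == "user":
            evicted = [sid for sid, uid in self._sessions.items() if uid == value]
            for sid in evicted:
                del self._sessions[sid]
            return evicted
        return []

    def __len__(self):
        return len(self._sessions)


if __name__ == "__main__":
    cache = SessionCache()
    cache.add("sess-0001-constructed", "id=alice,ou=user,dc=openam,dc=forgerock,dc=org")
    cache.add("sess-0002-constructed", "id=demo,ou=user,dc=openam,dc=forgerock,dc=org")
    print("evicted by user logout:", cache.apply(LOGOUT_USER_TOKEN))
    print("evicted by session logout:", cache.apply(SESSION_EVENT))
```

Keeping the universalId alongside each cached session is what makes the user-scoped event cheap to honour; without it an agent would have to treat LOGOUT_USER_TOKEN as a full cache flush.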

Scripted JWT issuer

For the JWT profile for OAuth 2.0 authorization grant, AM now lets you provide dynamic trusted JWT issuers via a script as an alternative to static configuration.

For details, refer to Configure a scripted JWT issuer.

OAuth 2.0 authentication supported for email service

Microsoft is deprecating SMTP Basic authentication. AM 7.3 introduces an option in the email service to select REST-based OAuth 2.0 authentication using the Microsoft Graph API, in addition to supporting the legacy SMTP authentication.

For details, refer to Configure the email service.

Cross-upgrade session reference property

To track the session through upgrade, enable the cross-upgrade session reference property, which retains its value throughout the session lifecycle.

This unique and constant session reference is recorded in the audit logs for session creation and upgrade events.

Refer to the Enable Cross Upgrade Session Reference property for details.

Ability to specify location of REST STS instance

AM 7.3 includes a new option in the REST STS configuration that lets you specify whether the STS instance is running on the AM host or as a separate, remote Java process.

Refer to the STS Instance is running as remote instance property for details.