OpenAM 12.0.0-SNAPSHOT fixes a number of issues, and provides the following additional features.
This release uses the new OpenAM Core Token Service (CTS), with a more generalized token storage format for sessions, SAML Tokens, and OAuth Tokens. The LDAP schema have been extended for the CTS objects.
OpenAM now fully supports OAuth 2.0 and OpenID Connect 1.0 as well as the required building blocks such as WebFinger, and JWT and related emerging standards.
In addition to playing the role of OAuth 2.0 client and resource server, OpenAM can play the role of OAuth 2.0 authorization server. See Managing OAuth 2.0 Authorization for explanations, instructions, and examples.
OpenAM support for OpenID Connect 1.0 extends OAuth 2.0 capabilities so clients can verify claims about the identity of the end user, get profile information for the end user, and manage end user sessions. OpenAM plays the role of OpenID Provider. See Managing OpenID Connect 1.0 Authorization for details.
New, more modern RESTful web services are available for
authentication, identity management, profile management, session management,
Integrated Windows Authentication, and more. New endpoints are available
under the URI
/json where OpenAM is deployed, and are
demonstrated in the Developer Guide chapter on Using RESTful Web Services
OpenAM adaptive authentication capabilities now include the Device Print authentication module (OPENAM-1375). The Device Print module uses characteristics of a system, including installed fonts, screen resolution, timezone, and also geolocation to uniquely identify the system. The Device Print module includes all of the functionality associated with the HOTP authentication module.
OpenAM now supports Open Authentication (OATH, OPENAM-727). The module provides the user with a one-time password based either on a HMAC one-time password or a time-based one-time password. OATH lets you determine which type of one-time password is best for your users when they need to login with a password generating device. Devices can range from a smartphone to a dedicated device, such as YubiKey or any other OATH compliant device.
With OATH, OpenAM now supports YubiKey authentication. The YubiKey simplifies the process of logging in with a One Time Password token as it does not require the user to re-type long pass codes from a display device into the login field of the computer. The YubiKey is inserted in the USB-port of any computer and the OTP is generated and automatically entered with a simple touch of a button on the YubiKey, and without the need of any client software or drivers.
OpenAM now fully supports Internet Protocol version 6 (IPv6) in addition to IPv4.
OpenAM now fully supports Java 7 environments.
OpenAM Session failover has been modified to be simpler to deploy (OPENAM-625). OpenAM 10.0.1 and earlier required the use of Open Message Queue and Berkeley DB Java Edition, which increased the complexity and amount of time required to get session failover working. OpenAM now writes session data to the configuration data store instead. This implementation also can be used to make sessions persist across restart for single OpenAM servers. The current implementation requires that you use OpenDJ for the configuration data store.
OpenAM now includes a preview of the cloud Dashboard service, part of allowing user self-management of web based applications. (OPENAM-2019).
OpenAM now bundles OpenDJ 2.6.
The Persistent Cookie module has been added to support configuration of cookie lifetimes, based on requests and a maximum time.
IBM WebSphere 8 is now a supported platform. See Preparing IBM WebSphere in the Installation Guide for details on how to setup WebSphere 8.0 and 8.5 before deploying OpenAM.
The policy tree index has been updated so that resources first check the root level of a realm first. The tree will be created from this level, and any subsequent referrals will create another tree specific to the realm where the referral was retrieved. This conserves memory and reduces the amount of time required to load the tree. An intelligent indexing model now assists with quickly identifying relevant policy rules for the resource being authorized.
The zero page login has been modified so that administrators can disable the functionality. The zero page login process is the ability of the user to login using only GET parameters, which presents a possible security issue. Zero page login is now disabled by default (OPENAM-2354).
OpenAM now provides an account expiration post authentication plugin to set an account expiration date on successful login.
Remote clients that register notification URLs with OpenAM can now successfully deregister on shutdown (OPENAM-2766, OPENAM-2765), preventing OpenAM from trying to notify applications that are no longer running.
OpenAM now lets you configure the profile attribute name for email used by the password reset module (OPENAM-2604).
OpenAM now provides a mechanism for Identity Providers to use private
key passwords that differ from the password stored in OpenAM's
.keypass file (OPENAM-2306).
OpenAM Java Fedlet
SPACSUtils can now find the
metaAlias in either the URI or the query string
OpenAM now provides a mechanism to supply static values when setting up attribute mapping for a SAML 2.0 Identity Provider or Service Provider (OPENAM-2184).
OpenAM's LDAP authentication module now supports Samba 4 LDAP response codes (OPENAM-1826).
OpenAM's OATH authentication module's minimum password length is now configurable (OPENAM-1765).
The AMLoginModule now lets authentication modules retrieve the list of current session tokens for a user (OPENAM-1721).
OpenAM Console again includes a generic LDAP data store option (OPENAM-1656).
OpenAM's IDPAdapter now provides additional hooks for customization. This improvement introduces changes to the API that affect custom IDPAdapters (OPENAM-1623).
Legacy naming conventions have been changed to conform to the
current product name, OpenAM. This includes the OpenAM bootstrap file
is the new name for
$HOME/.openssocfg/. If you upgrade,
OpenAM still supports use of
does not rename the folder. For new OpenAM installs, OpenAM creates the
directory with the new name,
configuration time. Other files, such as the
file, and paths have been modified to ensure consistency with the naming
When running as a Service Provider, OpenAM no longer requires that you enable module-based authentication (OPENAM-1470).
OpenAM now has better support for using a reverse proxy for federation when DAS is also deployed (OPENAM-1454).
OpenAM now allows use of a read-only data store with a non-transient NameID during SAML 2.0 federation (OPENAM-1427).
The ssoadm command now includes a get-sub-cfg subcommand (OPENAM-1348).
OpenAM IDPs can now proxy all requests whether or not the SP allow the behavior (OPENAM-1266).
When working with Salesforce.com as an SP, OpenAM can now perform SP-initiated SSO, can use any arbitrary URL for the entityID/default endpoint, and automatically selects the last attribute from the first page as the default Federation ID (OPENAM-1232).
The REST authenticate command now has a parameter to specify the client IP address (OPENAM-1048).
OpenAM is now built with Maven. Maven artifacts continue to be uploaded to the ForgeRock Maven repository (OPENAM-739).
OpenAM's OATH module supports shared keys and counters (OPENAM-727).
You can now prevent OpenAM from caching subject evaluations for policy decisions (part of the fix for OPENAM-24).
In most cases you do not need to turn off caching, as OpenAM now clears cache when group membership changes. Before turning off caching in production, first test the setting to ensure that the performance impact is acceptable for your deployment.
To turn off caching, set Access Control >
Realm Name > Services > Policy Configuration >
Subjects Result Time to Live to 0. The equivalent
ssoadm property for the
The C SDK for OpenAM has been simplified. Nightly builds are all available as ZIP files, for Linux, Solaris x86, Solaris SPARC, and Windows operating systems, for both 32- and 64-bit varieties.
For C SDK product versions and support offerings, contact email@example.com.