Release Date: December 23, 2019

New Features

WebAuthn authentication module

OpenAM 14 provides a new WebAuthn-compliant authentication module. It consists of two modules: WebAuthn (Registration), which registers an authenticator, and WebAuthn (Authentication), which authenticates with it. Passwordless authentication can be realized by running WebAuthn (Authentication) against a device that was registered with WebAuthn (Registration).

Please check WebAuthn for details.

This feature is related to the following issues.

  • #62 WebAuthn Authentication Module

SAML2 / OIDC authorization

OpenAM 14 adds policy-based access control for the SAML 2.0 IdP and OpenID Connect OP endpoints. Previously, when some service providers or relying parties needed stronger authentication, each SP or RP had to request it itself, and consistent control on the IdP side was difficult. With this feature, OpenAM can enforce the required authentication strength for each SP and RP.

Please check Policy based access control for SAML IdP or Policy based access control for OIDC OP for details.

This feature is related to the following issues.

  • #90 Policy based access control for OIDC OP
  • #89 Policy based access control for SAML IdP

OpenJDK 11 support

OpenAM 14 newly supports OpenJDK 11 as a build / execution environment.

This feature is related to the following issues.

  • #33 Upgrade unit testing frameworks to support Java 11
  • #32 Java11 Support

Bug fixes and Enhancements

  • #195 Tab UI selection is not highlighted on some screens
  • #188 Broken layout of setup screen
  • #187 Document URL
  • #186 Japanese localization of upgrade screen
  • #137 Display of authentication failure screen is unstable
  • #135 Branding
  • #131 OATH authentication module(not FR OATH) does not work in Japanese locale
  • #121 Can not create a new realm when using IE11
  • #115 Audit Event Handler ignores realm-based log configurations
  • #110 ForgeRock AM/OpenAM Security Advisory #201901-08: Open Redirect and Potential XSS
  • #109 ForgeRock AM/OpenAM Security Advisory #201901-07: Business Logic Vulnerability
  • #108 ForgeRock AM/OpenAM Security Advisory #201901-06: Open Redirect
  • #106 ForgeRock AM/OpenAM Security Advisory #201901-04: Security Misconfiguration
  • #105 ForgeRock AM/OpenAM Security Advisory #201901-03: Cross Site Scripting
  • #92 AMUncaughtException occurs in Google Apps settings if there are host IDPs and COTs only in other realms
  • #91 AMUncaughtException occurs in the configuration screen for Google Apps
  • #88 Expired Token remains in CTS
  • #87 XUI accesses authentication REST API with =undefined
  • #85 Some JSPs redirect to showServerConfig.jsp
  • #84 Authentication chaining does not work if the user search attribute of the LDAP authentication module does not match that of the data store
  • #83 OpenID Connect authentication fails if jwks_uri content contains x5c
  • #82 Support RS384/RS512 signature algorithm for ID token
  • #81 Unable to change settings due to changelogDb issue of embedded DJ
  • #80 Authentication bypass
  • #77 ForgeRock AM/OpenAM Security Advisory #201801-12: Content Spoofing Vulnerability
  • #76 ForgeRock AM/OpenAM Security Advisory #201801-11: Business Logic Vulnerability
  • #75 ForgeRock AM/OpenAM Security Advisory #201801-10: LDAP Injection Vulnerability
  • #74 ForgeRock AM/OpenAM Security Advisory #201801-09: Business Logic Vulnerability
  • #73 ForgeRock AM/OpenAM Security Advisory #201801-08: Business Logic Vulnerability
  • #72 ForgeRock AM/OpenAM Security Advisory #201801-07: Information Leakage
  • #71 ForgeRock AM/OpenAM Security Advisory #201801-06: Business Logic Vulnerability
  • #70 ForgeRock AM/OpenAM Security Advisory #201801-05: Business Logic Vulnerability
  • #69 ForgeRock AM/OpenAM Security Advisory #201801-04: Open Redirect
  • #68 ForgeRock AM/OpenAM Security Advisory #201801-03: Cross Site Scripting
  • #67 ForgeRock AM/OpenAM Security Advisory #201801-02: Configuration password stored in plain text
  • #66 ForgeRock AM/OpenAM Security Advisory #201801-01: Business Logic Vulnerability
  • #64 ForgeRock OpenAM Security Advisory #201608-01: Open Redirect
  • #61 OAuth2 consent page ignores Accept-Language
  • #60 Support RSA-OAEP for SAML Assertion Encryption
  • #58 Unexpected screen is displayed when the authentication chain fails
  • #57 Session is destroyed when session upgrade fails
  • #55 Make issuing FR OATH recovery code optional
  • #54 Can not edit policy using IE11
  • #53 Groovy script causes infinite loop
  • #52 Japanese localization of OATH authentication (FR OATH)
  • #50 Deleting an instance of the authentication module registered by default also deletes the authentication modules of the same type
  • #49 When using client secret for signature in OAuth2/OIDC authentication module, it is necessary to set client secret in two fields
  • #47 Local authentication ignores Accept-Language
  • #45 Authentication process can not continue if local authentication fails in SAML2 authentication
  • #44 OAuth 2.0 client should support client_secret_basic
  • #43 Japanese localization of admin screen
  • #42 acr_values not working if the user is logged in to more than one chain
  • #41 Add option to use local time zone instead of UTC in audit logging
  • #40 SAML2 authentication does not work when SAML2 failover is enabled
  • #39 Information for single logout stored in CTS is not updated
  • #36 Remove dependency on ForgeRock Maven repositories
  • #34 Open redirect vulnerability in OAuth 2.0
  • #30 Auth Error messages ignore Accept-Language
  • #29 JavaMail debug logs are output to stdout
  • #26 Error is output to CoreSystem if monitoring is disabled
  • #24 Upgrade Commons FileUpload library to the new version
  • #21 Upgrade Jackson library to the new version
  • #16 An improper session management vulnerability in user self-service
  • #15 Provide templates for contributions
  • #14 Persistent search does not recover
  • #13 The order of items breaks on OAuth2.0/OIDC auth module setting page
  • #12 User remains on ‘Loading’ page if using ‘OAuth2.0/OIDC’ auth module and authId token expires
  • #10 Finish button of Identity Provider wizard doesn’t work
  • #7 ForceAuth causes JSON callbacks error
  • #6 Search Timeout for LDAP filter condition should be in seconds
  • #5 Goto URL with multiple query string parameters incorrectly decoded
  • #3 XUI does not enable Secure cookie flags for SSO tracking cookie on 13.5.0
  • #1 Japanese locale file for XUI

System requirements

Operating system

  • Red Hat Enterprise Linux 7, 8
  • CentOS 7, 8

Java

  • OpenJDK 8, 11

Web application container

  • Apache Tomcat 7, 8.5, 9

Web client

Of the software listed below, the versions that are still supported by their vendors are supported.

Operating system

  • Windows
  • macOS
  • Linux
  • iOS
  • Android

PC browser

  • Microsoft Edge
  • Internet Explorer
  • Mozilla Firefox
  • Safari
  • Google Chrome

Smartphone browser

  • iOS/iPadOS: Safari
  • Android: Google Chrome