OpenAM 14.0.0
Release date: December 23, 2019
New features
WebAuthn authentication modules
OpenAM 14 provides a new WebAuthn-compliant authentication module. It consists of two modules: WebAuthn (Registration), used to register a device, and WebAuthn (Authentication), used to authenticate. Passwordless authentication is achieved by using a device registered with WebAuthn (Registration) against WebAuthn (Authentication).
See WebAuthn for details.
This feature is related to the following issue:
- #62 WebAuthn Authentication Module
SAML2 / OIDC authorization feature
OpenAM 14 adds policy-based access control for the SAML 2.0 IdP and OpenID Connect OP endpoints. Previously, when a particular service provider or relying party required stronger authentication, the service provider or relying party itself had to issue the corresponding request, so consistent control on the IdP side was difficult. With this feature, OpenAM itself controls the authentication strength required for each SP and RP.
For details, see Policy-based access control for the SAML IdP or Policy-based access control for the OIDC OP.
This feature is related to the following issues:
OpenJDK 11 support
OpenAM 14 newly supports OpenJDK 11 as a build and runtime environment.
This feature is related to the following issues:
Bug fixes and enhancements
- #195 Tab UI selection is not highlighted on some screens
- #188 Broken layout of setup screen
- #187 Document URL
- #186 Japanese localization of upgrade screen
- #137 Display of authentication failure screen is unstable
- #135 Branding
- #131 OATH authentication module(not FR OATH) does not work in Japanese locale
- #121 Can not create a new realm when using IE11
- #115 Audit Event Handler ignores realm-based log configurations
- #110 ForgeRock AM/OpenAM Security Advisory #201901-08: Open Redirect and Potential XSS
- #109 ForgeRock AM/OpenAM Security Advisory #201901-07: Business Logic Vulnerability
- #108 ForgeRock AM/OpenAM Security Advisory #201901-06: Open Redirect
- #106 ForgeRock AM/OpenAM Security Advisory #201901-04: Security Misconfiguration
- #105 ForgeRock AM/OpenAM Security Advisory #201901-03: Cross Site Scripting
- #92 AMUncaughtException occurs in Google Apps settings if there are host IDPs and COTs only in other realms
- #91 AMUncaughtException occurs in the configuration screen for Google Apps
- #88 Expired Token remains in CTS
- #87 XUI accesses authentication REST API with =undefined
- #85 Some JSPs redirect to showServerConfig.jsp
- #84 Authentication chaining does not work if the user search attribute of the LDAP authentication module does not match that of the data store
- #83 OpenID Connect authentication fails if jwks_uri content contains x5c
- #82 Support RS384/RS512 signature algorithm for ID token
- #81 Unable to change settings due to changelogDb issue of embedded DJ
- #80 Authentication bypass
- #77 ForgeRock AM/OpenAM Security Advisory #201801-12: Content Spoofing Vulnerability
- #76 ForgeRock AM/OpenAM Security Advisory #201801-11: Business Logic Vulnerability
- #75 ForgeRock AM/OpenAM Security Advisory #201801-10: LDAP Injection Vulnerability
- #74 ForgeRock AM/OpenAM Security Advisory #201801-09: Business Logic Vulnerability
- #73 ForgeRock AM/OpenAM Security Advisory #201801-08: Business Logic Vulnerability
- #72 ForgeRock AM/OpenAM Security Advisory #201801-07: Information Leakage
- #71 ForgeRock AM/OpenAM Security Advisory #201801-06: Business Logic Vulnerability
- #70 ForgeRock AM/OpenAM Security Advisory #201801-05: Business Logic Vulnerability
- #69 ForgeRock AM/OpenAM Security Advisory #201801-04: Open Redirect
- #68 ForgeRock AM/OpenAM Security Advisory #201801-03: Cross Site Scripting
- #67 ForgeRock AM/OpenAM Security Advisory #201801-02: Configuration password stored in plain text
- #66 ForgeRock AM/OpenAM Security Advisory #201801-01: Business Logic Vulnerability
- #64 ForgeRock OpenAM Security Advisory #201608-01: Open Redirect
- #61 OAuth2 consent page ignores Accept-Language
- #60 Support RSA-OAEP for SAML Assertion Encryption
- #58 Unexpected screen is displayed when the authentication chain fails
- #57 Session is destroyed when session upgrade fails
- #55 Make issuing FR OATH recovery code optional
- #54 Can not edit policy using IE11
- #53 Groovy script causes infinite loop
- #52 Japanese localization of OATH authentication (FR OATH)
- #50 Deleting an instance of the authentication module registered by default also deletes the authentication modules of the same type
- #49 When using client secret for signature in OAuth2/OIDC authentication module, it is necessary to set client secret in two fields
- #47 Local authentication ignores Accept-Language
- #45 Authentication process can not continue if local authentication fails in SAML2 authentication
- #44 OAuth 2.0 client should support client_secret_basic
- #43 Japanese localization of admin screen
- #42 acr_values not working if the user is login in more than one chain
- #41 Add option to use local time zone instead of UTC in audit logging
- #40 SAML2 authentication does not work when SAML2 failover is enabled.
- #39 Information for single logout stored in CTS is not updated
- #36 Remove dependency on ForgeRock Maven repositories
- #34 Open redirect vulnerability in OAuth 2.0
- #30 Auth Error messages ignore Accept-Language
- #29 JavaMail debug logs are output to stdout.
- #26 Error is output to CoreSystem if monitoring is disabled
- #24 Upgrade Commons FileUpload library to the new version
- #21 Upgrade Jackson library to the new version.
- #16 An improper session management vulnerability in user self-service
- #15 Provide templates for contributions
- #14 Persistent search does not recover
- #13 The order of items breaks on OAuth2.0/OIDC auth module setting page.
- #12 User remains on ‘Loading’ page if using ‘OAuth2.0/OIDC’ auth module and authId token expires
- #10 Finish button of Identity Provider wizard doesn’t work
- #7 ForceAuth cause JSON callbacks error
- #6 Search Timeout for LDAP filter condition should be in seconds
- #5 Goto URL with multiple query string parameters incorrectly decoded
- #3 XUI does not enable Secure cookie flags for SSO tracking cookie on 13.5.0
- #1 Japanese locale file for XUI
System requirements
Operating systems
- Red Hat Enterprise Linux 7, 8
- CentOS 7, 8
Java
- OpenJDK 8, 11
Web application containers
- Apache Tomcat 7, 8.5, 9
Web clients
Of the software listed below, the versions supported by the respective vendor are covered.
Operating systems
- Windows
- macOS
- Linux
- iOS
- Android
Desktop browsers
- Microsoft Edge
- Internet Explorer
- Mozilla Firefox
- Safari
- Google Chrome
Smartphone browsers
- iOS/iPadOS: Safari
- Android: Google Chrome