Major New Features
OpenIG, the ForgeRock Identity Gateway, is a high-performance reverse proxy server with specialized session management and credential replay functionality. OpenIG integrates well with OpenAM, and there is no need to modify the target application or the container in which it runs.
OpenIG also includes the Federation Gateway, which enables federation capabilities for applications that cannot be modified to use the Fedlet and SAML 2.0.
OpenAM now uses OpenDJ 2.4.5 as the embedded data store (OPENAM-960).
OpenAM now also uses the OpenDJ LDAP SDK.
OpenAM now provides JSON output through the identity services REST interface (OPENAM-940).
OpenAM now supports adaptive risk authentication (OPENAM-846). You configure the adaptive risk authentication module to assess risks, and then you add the module into an authentication chain. The module determines whether to require further authentication processing based on assessment of the risk involved during authentication. Adaptive risk authentication lets you require more from users when they login from an unfamiliar location, from a new device, after a long period during which the account remained idle, and so forth.
OpenAM supports a new SAML 2.0 IdP Adapter plug-in for additional flexibility. The adapter lets the system handle situations that arise when the identity provider needs to perform additional processing before releasing the assertion, or when interaction with the user is needed before releasing it. The IdP Adapter class implementing the plugin can be configured through the console (OPENAM-700).
OpenAM now provides an OAuth 2.0 Client authentication module (OPENAM-679).
Multiple improvements in the OpenAM upgrade process streamline the move to the new version (OPENAM-626).
OpenAM now supports interoperability with LDAP servers that implement the (Behera) Internet-Draft, Password Policy for LDAP Directories (OPENAM-613).
Additional New Features
Setup wizards make it easier to use OpenDJ as the identity repository.
OpenAM now allows you to differentiate Login UI buttons using CSS (OPENAM-977).
OpenAM now allows authentication modules to be installed as a single .jar file (OPENAM-916).
OpenAM has improved console configuration for handling services such as Authentication Core Settings and Identity Repositories (OPENAM-887).
The ssoadm command now provides subcommands to manage entitlement application types: create-appl-type, delete-appl-types, list-appl-types (OPENAM-872).
OpenAM console now includes many more helpful hints and built-in documentation (OPENAM-805).
OpenAM now lets you fetch maximum session time, time remaining, and idle time when querying attributes over the REST interface (OPENAM-801).
OpenAM now supports a refresh parameter to reset session idle time to 0 when querying attributes over the REST interface (OPENAM-800).
OpenAM now supports time zone policy settings using the RFC 822 format, +/-0000 (OPENAM-791).
OpenAM session service now lets you set the maximum session time, maximum idle time, and maximum caching time when assigning service to the user through the console (OPENAM-785).
OpenAM now returns a load balancer cookie, if configured, to an authentication request over the REST interface (OPENAM-766).
OpenAM ClusterStateService now works with HTTPS endpoints (OPENAM-759). When using HTTPS endpoints, set com.sun.identity.urlchecker.dorequest=false.
OpenAM now bundles click-nodeps.jar (OPENAM-646).
OpenAM now provides additional statistics related to session failover (OPENAM-641).
The OpenAM amsfo script now starts the session database only after the message queue is up and running (OPENAM-624).
OpenAM .NET fedlets now support encrypted assertions (OPENAM-604).
The Administration Tools setup script now has better default settings (OPENAM-577).
The OpenAM console configuration wizard now suggests better values for cookie domains (OPENAM-576).
OpenAM .jar files now contain standard MANIFEST entries (OPENAM-570).
The ssoadm can now decode an encrypted password stored in the password file (OPENAM-569).
You can now configure the HOTP authentication module email from address using OpenAM console (OPENAM-513).
The OpenAM console page Debug.jsp (such as http://openam.example.com:8080/openam/Debug.jsp) now can set the log level for any debug instance (OPENAM-511). See the Debug instances drop-down list at the top of the page.
OpenAM now provides a property, openam.authentication.ignore_goto_during_logout, to set whether to ignore logout goto URLs, and instead display the Logout page (OPENAM-494).
OpenAM now provides support for multiple failover servers in the RADIUS authentication module (OPENAM-477).
OpenAM now provides a mechanism to control which session properties are copied during session upgrade (OPENAM-462).
OpenAM now provides session timeout notification (OPENAM-457). The improvement implements a hook for timeout into the session service on the server side. It listens for timeouts on all sessions.
The OpenAM authentication service now can map HTTP headers when forwarding requests (OPENAM-453). This applies both to the distributed and centralized authentication services. See configuration properties openam.retained.http.headers and openam.forbidden.to.copy.headers.
The OpenAM session service now lets you extend quota exhaustion actions with a plugin (OPENAM-433).
To add a new plugin, update the amSession.properties files with the appropriate internationalization keys, and place your plugin class either in WEB-INF/classes or WEB-INF/lib where you deployed OpenAM. Next, add your implementation using the ssoadm command.
Here, mykey is the internationalization key you added to amSession.properties files, and demo.Clazz is the fully qualified class name for your plugin class.
You can remove the plugin using the ssoadm remove-attr-choicevals command, and list quota exhaustion actions using the ssoadm get-attr-choicevals command.
OpenAM now tracks monitoring information for LDAP connection pools (OPENAM-410). OpenAM monitoring exposes the minimum size of the pool, the maximum size of the pool, the high water mark of the pool, the current size of the pool, the number of connections retrieved, the number of connections created, and the number of connections destroyed.
OpenAM Windows Desktop SSO now provides a mechanism to fail attempted authentication when Kerberos-authenticated user has no profile in the OpenAM data store (OPENAM-403).
OpenAM now handles Active Directory password expiration responses properly (OPENAM-258).
OpenAM password reset now uses realm aliases to find realms for end users, eliminating the need to add a realm parameter to the URL (OPENAM-192).
OpenAM now allows time-based rotation, and also file name prefixes and suffixes for regular and debug logs. (OPENAM-41, OPENAM-42)
For cross domain single sign on and SAML 2.0 authentication, users were presented with a blank login page during authentication, in fact a page containing forms with hidden fields used to process authentication. OpenAM now provides templates so you can show users something besides than blank pages, such as for example a page with an animated .gif progress bar (OPENAM-9).