What’s New in OpenAM 10.1.0

Major New Features
  • OpenAM now provides further support for OAuth 2.0. In addition to playing the role of client and resource server, OpenAM can now also play the role of OAuth 2.0 authorization server. See Managing OAuth 2.0 Authorization for explanations, instructions, and examples.
  • Session failover has been modified to be simpler to deploy (OPENAM-625). OpenAM 10.0.1 and earlier required the use of Open Message Queue and Berkeley DB Java Edition, which increased the complexity and the amount of time required to get session failover working. OpenAM now writes session data to the configuration data store instead. This implementation can also be used to make sessions persist across restarts of a single OpenAM server. The current implementation requires that you use OpenDJ for the configuration data store.

    This new implementation is designed to operate on a local site network. Cross-site session failover and session failover across wide area networks (WANs) are not supported.

  • IBM® WebSphere® 8.0 is now a supported platform. See Preparing IBM WebSphere in the Installation Guide for details on how to set up WebSphere 8.0 and 8.5 before deploying OpenAM.
  • Legacy naming conventions have been changed to conform to the current product name, OpenAM. This includes the OpenAM bootstrap file (OPENAM-1555). $HOME/.openamcfg/ is the new name for $HOME/.openssocfg/. If you upgrade, OpenAM still supports use of $HOME/.openssocfg/ and does not rename the folder. For new OpenAM installs, OpenAM creates the directory with the new name, $HOME/.openamcfg/, at configuration time. Other files and paths, such as the openam.war file, have also been renamed for consistency with the new naming conventions.
  • OpenAM now supports Open Authentication (OATH) (OPENAM-727). The module provides the user with a one-time password based either on an HMAC-based one-time password (HOTP) or on a time-based one-time password (TOTP). OATH lets you determine which type of one-time password is best for your users when they need to log in with a password-generating device. Devices can range from a smartphone to a dedicated device, such as a YubiKey or any other OATH-compliant device.

    With OATH, OpenAM now supports YubiKey® authentication. The YubiKey simplifies the process of logging in with a One Time Password token, as it does not require the user to re-type long pass codes from a display device into the login field of the computer. The YubiKey is inserted into the USB port of any computer, and the OTP is generated and entered automatically with a simple touch of a button on the YubiKey, without the need for any client software or drivers.

Additional New Features
  • OpenAM now provides an account expiration post authentication plugin to set an account expiration date on successful login.
  • OpenAM now bundles OpenDJ 2.4.6 (OPENAM-1954).
  • The AMLoginModule now lets authentication modules retrieve the list of current session tokens for a user (OPENAM-1721).
  • OpenAM’s IDPAdapter now provides additional hooks for customization. This improvement introduces changes to the API that affect custom IDPAdapters (OPENAM-1623).
  • When running as a Service Provider, OpenAM no longer requires that you enable module-based authentication (OPENAM-1470).
  • OpenAM now has better support for using a reverse proxy for federation when DAS is also deployed (OPENAM-1454).
  • OpenAM now allows use of a read-only data store with a non-transient NameID during SAML 2.0 federation (OPENAM-1427).
  • The ssoadm command now includes a get-sub-cfg subcommand (OPENAM-1348).
  • The REST authenticate command now has a parameter to specify the client IP address (OPENAM-1048).
  • OpenAM is now built with Maven. Maven artifacts continue to be uploaded to the ForgeRock Maven repository (OPENAM-739).
  • You can now prevent OpenAM from caching subject evaluations for policy decisions (part of the fix for OPENAM-24).

    In most cases you do not need to turn off caching, as OpenAM now clears cache when group membership changes. Before turning off caching in production, first test the setting to ensure that the performance impact is acceptable for your deployment.

    To turn off caching, set Access Control > Realm Name > Services > Policy Configuration > Subjects Result Time to Live to 0. The equivalent ssoadm property for the iPlanetAMPolicyConfigService is iplanet-am-policy-config-subjects-result-ttl.
