OpenAM Fixes, Limitations, & Known Issues

Fixes The following issues were fixed in release . Identity web-services update call always removes group memberships (OPENAM-1043). isSessionQuotaReached in AMLoginModule does not work in single server mode (OPENAM-1042). Wildcards in referrals can be ignored due to invalid search filter (OPENAM-1006). OpenAM should not be shipped with JDMK monitoring enabled by default (OPENAM-1004). Deadlock during server startup (OPENAM-1003). Special character used in membership search filter should be escaped (rfc2254) (OPENAM-987). RuntimeException in Sufficient module breaks the chain (OPENAM-975). OpenAM 10 does not get deployed in JBoss 7.02 (OPENAM-949). Fedlet encounters error processing LogoutRequest as /saml2loginwithrelay.template is missing from the classpath (OPENAM-933). IdRepo log is spammed with agent attributes (OPENAM-923). SAML2Exception when fetching SP AuthnRequestInfo in multi server setup when IDP response is not sent to origin server (OPENAM-909). ServiceTypeManager can return invalid tokens (OPENAM-906). Javascript and CSS bugs on userstore wizard screen (OPENAM-896). Access to root realm after console deploy timeout occurs (OPENAM-895). REST logout does not perform actual logout on auth context (OPENAM-893). Relative (goto) redirects don't work with proxied requests (OPENAM-891). SAML2 Authentication Authority entity bindings are verified as if they were in an SAML2 IDP entity, this causes an NPE (OPENAM-888). After restoring backup OpenAM fails to load configuration (OPENAM-885). PagePropertiesCallback ignores attribute and require lists (OPENAM-883). empty passwords cause backup to fail during upgrade (OPENAM-881). new_org.jsp doesn't work, when the second auth request contains extra parameters (OPENAM-878). Configurator User Data Store selection not retrieving i18n values (OPENAM-871). OpenAM Console Session list throwing an exception (OPENAM-870). Upgrade fails to connect to external configuration store (OPENAM-866). A second GUI Configurator Exists (OPENAM-863). Exception handling in the REST interface (OPENAM-843). LDAP Auth Module doesn't remove terminated LDAP connection from pool and returns 401 error via REST interface (OPENAM-839). Character encoding problem on the password reset page (OPENAM-832). L10NMessageImpl can lose initCause (OPENAM-828). Creating a Identity Membership Condition in a sub-realm does not use the correct Datastore (OPENAM-827). Multiprotocol federation sample application failure (OPENAM-825). LoginViewBean UI does not implement new_org.jsp functionality (OPENAM-824). SFO scripts don't work on Debian GNU/Linux, because of /bin/awk path (OPENAM-818). ShutdownManager gets stuck in waiting state causing the server to be unavailable (OPENAM-817). Setup progress page is never closing the stream (OPENAM-814). Session timeout branding is not working (OPENAM-813). LDAPFilterCondition will try to bind using LDAPv2 even with LDAPv3 only servers (OPENAM-812). AMIdentityMembershipCondition is missing information about who the user is which is required to make the decision (OPENAM-811). In case of session upgrade requesting the page again can cause Session Timeout errors (OPENAM-807). Successful access to LoginViewBean still creates a new session (OPENAM-794). SAML2 Metadata for a remote service provider with Extensions breaks the console and Entity Providers no longer list under Federation (OPENAM-792). LDAPFilter conditions are not using the correct Policy config when used in a sub-realm policy definition (OPENAM-790). Combination of referral policy, self evaluation and super resource match fails to follow referral (OPENAM-788). AMSetupServlet::getRemoteServerInfo fails if the first instance SSL certificate is invalid (OPENAM-784). Config Wizard ignores server URL (OPENAM-778). When a SAML2 Request does not contain an Authentication Context, the Default Authentication Context mapper maps a level=0 (OPENAM-775). Radius auth module typo (wrong server configuration check) (OPENAM-767). Endless recursion in CachedRemoteServicesImpl (OPENAM-738). REST/SOAP API leaks information about users by returning an InvalidPassword exception when the users password is wrong. (OPENAM-735). AuthenticationFailureCount and AuthenticationFailureRate do not Update Correctly (OPENAM-734). JDBC authentication module fails to initialize in JNDI mode (OPENAM-733). LDAPConnectionPool has risk of dead lock (OPENAM-730). Multi-threaded entitlement evaluation gives wrong result (OPENAM-726). amsfo start results in repeat /t Wait for the broker to start properly messages (OPENAM-723). Shutting down DS when "sun-idrepo-ldapv3-config-idletimeout" is other than 0 (zero) can result in loop (OPENAM-716). REOPEN -LDAP Error 80 can result in build up of LDAPv3EventService::RetryTask objects (OPENAM-688). LDAPv3EventServicePolling can enter RetryTask loop if LDAP encounters a problem at the same time as the persistent searches are restarted (OPENAM-684). updateSiteNameToIDMappings will leave siteNameToIdTable null if sites are not configured (OPENAM-675). CachedSubEntries::getSubEntries returns the actual reference to the cache entry (OPENAM-673). AuthClientUtils::sendAuthRequestToOrigServer does not handle server errors (OPENAM-668). Persistent Cookie should only be set on success and not on AMAuthCookie (OPENAM-667). OpenAM complains about invalid character when the FedCOTMemberName has '=' in it (OPENAM-664). jaxrpc xml parser can introduce corruption in the output when parsing (OPENAM-656). amsessiondb should run with tx no sync in bdb (OPENAM-652). amsessiondb error messages are going to System.err and are getting lost (OPENAM-644). amsessiondb does not shutdown properly if the DB/MQ is broken (OPENAM-643). amsessiondb does not recover from db errors and can break the MQ (OPENAM-642). DAUI shutdown is not releasing resources correctly (OPENAM-639). Infinite loop in LoginViewBean during login using Membership login module (OPENAM-633). changing the debug level from message to error is ignored by the entitlements engine (OPENAM-622). Error while trying to import service configuration into OpenDJ (OPENAM-616). Session upgrade does not work if the second login is on a different server (OPENAM-615). LoginState looks up LDAP profile attributes for the session service when it doesn't need to. (OPENAM-612). javax.servlet.ServletException: missing jspFile on start up (OPENAM-608). Certificate module has a problem with OCSP validation if JCE is used (OPENAM-586). REST authentication interface does not differentiate between inactive and locked accounts (OPENAM-584). maximum session limit during rest authentication results in 200 and null return (OPENAM-583). Debug error log gets "unable to locate message ID object for FSAssertionManager" when using CDSSO (OPENAM-581). GOT_ALL_HOSTED_ENTITIES audit log is erroneusly logged (OPENAM-580). SecurID Authentication in New PIN mode and Change PIN mode fails in English locale (OPENAM-529). HOTP authentication module: If sms and/or email could not be sent no error is shown for the user (OPENAM-523). HOTP authentication module: Missing properties in resource bundle leads to internal authentication error (OPENAM-521). When a SAML2 Authentication Request is sent to an IdP with the IsPassive flag set to true and no valid session is present, the RelayState is dropped by the IdP (OPENAM-520). SecurID authentication exception: Logindisplay:Null (OPENAM-519). DAS configurator does not store OpenAM deployment URI (OPENAM-518). AuthUtils.isLocalServer method gets confused with the server URI when used on the DAS (OPENAM-509). lb cookie set on the DAS is used incorrectly in the PLLClient (OPENAM-508). Not every admin tool ignores version check by default (OPENAM-506). NotificationSender does not analyse the response from the client correctly. (OPENAM-498). Running in non c66encode mode can lead to dual URL decoding issue in the CDCClientServlet to CDCServlet communications (OPENAM-491). Multiple windows during SAML2 sign-on can lead to NPE (OPENAM-489). Multiple browser access can cause invalid redirects during SAML2 sign-on (OPENAM-488). In case of zero page session upgrade DAS does not set session cookie expiration (OPENAM-487). amMasterSessionTableStats can be negative in some cases (OPENAM-486). SAML validator.jsp breaks with NPE if it was unable to create ValidateSAML2 (OPENAM-485). create-server command returns success state when invalid properties were supplied (OPENAM-482). AuthClientUtils should forward requests with the same method in case of failover (OPENAM-478). SAML2 HTTPPOST Profil: Assertion not signed when response is signed (OPENAM-475). Build can't handle spaces in directory names (OPENAM-473). DAS LogoutViewBean should not accept invalid gotoURL's (OPENAM-470). HttpURLConnectionManager should set a connect timeout for the provided connections (OPENAM-468). Log file "amAuthentication.error" is not created (OPENAM-459). When changing the DNS alias in a realm, the Realm Alias Referrals are not updated until restart when using external configuration store (OPENAM-446). Agent inheriting Location of Agent Configuration Repository from Agent Group causes error (OPENAM-440). Missing files while creating console/noconsole wars (OPENAM-407). OpenAM's servlet API version does not officially support the included JSTL 1.1 (OPENAM-398). If the Session DB is offline, AMLoginModule::isSessionQuotaReached malfunctions (OPENAM-393). LoginViewBean NPE (OPENAM-370). Custom Response Providers are ignored by the Entitlements Framework (OPENAM-333). It is not possible to assign a Post Authentication Class plugin to a service chain with the ssoadm (OPENAM-318). OpenAM LDAP schema should conform to the expected structural objectclass usage (OPENAM-312). Distributed authentication UI not able to do resource based authentication (OPENAM-298). Blank in form can break fedlet creation (OPENAM-269). SAML2.0 isPassive attribute in the AuthnRequest is ignored by the IdP (OPENAM-261). Distributed Authentication UI Login URL not accepted (OPENAM-247). Remote SessionRequest.setProperty causes HTTP 500 for null property/value (OPENAM-191). SetupDistAuthWAR does not support the ability to set the lb value (OPENAM-188). "Authentication by Module Chain" fails when used in a sub-realm (OPENAM-171). updating service to include new PluginSchems, ssoadm command is counterintuitive (OPENAM-109). Default top-level realm privileges block SMS access to policy agents (OPENAM-90). SessionCount.getDeploymentMode uses site rather than server count to determine multi server mode (OPENAM-87). SAML2 service provider initiated SSO does not check that the realm of the authenticated user matches the realm of the COT (OPENAM-77). RuntimeException does not updates the failureModuleSet in LoginState (OPENAM-74). No way of configuring CDC and federated authentication without writing custom code (OPENAM-28). Some classes of Policy Changes are not propagating to the agent (OPENAM-25). ssoadm versioncheck fails with encoded contents (OPENAM-20). Deadlock when making Entitlements REST requests (OPENAM-16). Wrong resource bundle in com.sun.identity.rest.RestException (OPENAM-15).