
The OpenAM Snapshot 9.5 Release Notes provide the following information.

OpenAM Snapshot 9.5 Hardware and Software Requirements

OpenAM Snapshot 9.5 supports most hardware and software requirements supported by OpenSSO Enterprise 8.0. For information, see the "Sun OpenSSO Enterprise 8 Release Notes."

Java 6 Required

This release of OpenAM requires Java 6 to run, because the product takes advantage of new features in Java 6.

The OpenAM Client SDK is supported on JDK 1.5 and above.

OpenAM requires a Java Heap size of 1024m to run. Please ensure you start your deployment container with the following JVM options:

-Xmx1024m -XX:MaxPermSize=256m

Getting Started With OpenAM Snapshot 9.5

If you have not previously installed OpenAM, here are the basic steps to follow:

  1. If necessary, install, configure, and start one of the supported web containers.
  2. Download and unzip the file from the following site:  
  3. Deploy the openam.war file to the web container, using the web container administration console or deployment command. Or, if supported by the web container, simply copy the WAR file to the container's autodeploy directory.
  4. Configure OpenAM Snapshot 9 using either the GUI Configurator or the command-line Configurator.
    To launch the GUI Configurator, enter the following URL in your browser: protocol://host.domain:port/deploy_uri.
    For example:
  5. Perform any additional configuration using either the OpenAM Administration Console or the ssoadm command-line utility.
  6. To download a version 3.0 policy agent, refer to the ForgeRock download page.

For a more detailed explanation of the OpenAM installation process, have a read of this deployment howto.

What's New in OpenAM Snapshot 9.5

  • OpenAM moves to OpenDS 2.3
  • IDP Proxy Enhancements
  • OpenSSO Enterprise migration snapshot
  • Full Distributed Authentication Service functionality
  • NSS and NSPR version update

OpenAM moves to OpenDS 2.3

OpenAM Snapshot 9.5 has upgraded the embedded configuration repository to version 2.3.0 build_003 of OpenDS. The new version of OpenDS is now installed with the OpenDS configuration and management tools. At present there is no automatic way to upgrade an existing installation of OpenAM Snapshot 9 to Snapshot 9.5. OpenAM Snapshot 9 can be upgraded manually; refer to the process outlined in the upgrade document.

IDP Proxy Enhancements

OpenAM Snapshot 9.5 supports an IdP Finder plugin so that an IdP Proxy can implement a Java class to provide a list of preferred IdPs that can be presented to the end user by utilizing a configurable IdP Finder JSP.

The documentation of the plugin can be found at:

The plugin can be configured through the OpenAM Web console or by using the extended metadata.

For more information see how to use an implementation of the plugin that comes with this snapshot at:

OpenSSO Enterprise Migration Snapshot

OpenAM Snapshot 9.5 contains fixes for all issues resolved in OpenSSO Enterprise 8.0 U1 Patch 1, 2 and 3. Customers running one of the aforementioned versions of OpenSSO can migrate to OpenAM Snapshot 9.5 without experiencing any regression bugs. 

Full Distributed Authentication Service Functionality

OpenAM Snapshot 9 supports full Distributed Authentication Service functionality. In previous releases of OpenSSO/OpenAM the Distributed Authentication Service had limited functionality due to a limitation of the remote authentication API. This limitation has been resolved in OpenAM Snapshot 9.5. For more information please refer to the following TechNote.

NSS and NSPR version update

The version of NSS used in this release has been updated to 3.12.5 and NSPR is now 4.8.

Issues resolved in this Snapshot

The following issues have been resolved in this Snapshot.


  • OPENAM-3 - SAML2 Forward for Authentication when acting as IdP gets a truncated URL
  • OPENAM-4 - ssoadm update-entity-keyinfo does not accept the -e option
  • OPENAM-5 - Invalid URL concatenation problem with ? and &
  • OPENAM-13 - SAML2 Metadata for a remote IdP with Extensions, EntityAttributes breaks the console and the IdP in question
  • OPENAM-14 - NPE in logging when using ssoadm
  • OPENAM-17 - Build error with JDK 1.6.0_18
  • OPENAM-39 - onePageLogin processing bug in LoginViewBean (not distUI)
  • OPENAM-44 - ReOPEN -Ability to set Dpro Session Attributes from Authentication Module
  • OPENAM-46 - Account Lockout only works on the first module called in the authentication chain
  • OPENAM-47 - OpenAM Client SDK should be able to cope with OpenAM server restarts
  • OPENAM-48 - LDAPv3Repo does not cope with failover if the primary server is down
  • OPENAM-49 - Return to Login URL link in the DAS does not preserve query parameters
  • OPENAM-50 - DAS cannot cope with switching AuthContext during the same authentication flow
  • OPENAM-52 - Using OPL on the DAS, there is a limit to two callbacks
  • OPENAM-54 - Concurrent access bug in the CDCClientServlet
  • OPENAM-55 - DAS can introduce duplicate cookies in HTTP response when DAS failover is in place
  • OPENAM-58 - DAS LoginViewBean should cope with RFC4646 locale format
  • OPENAM-64 - DAS LoginServlet original server request routing can result in user being denied access
  • OPENAM-66 - sunamcompositeadvice parameter should take precedence over service parameter, OpenAM server fix
  • OPENAM-67 - sunamcompositeadvice parameter should take precedence over service parameter, DAS LoginViewBean fix
  • OPENAM-68 - DAS does not call AuthContext::Logout method on logout
  • OPENAM-69 - after session upgrade UUID is converted to lower case this breaks session quotas
  • OPENAM-70 - If the success URL is set in the session then the LoginViewBean does not look for this property
  • OPENAM-72 - Locate and fix additional weak reference NPE's
  • OPENAM-76 - CDCClientServlet does not create cookies properly leading to problems on the CDCServlet
  • OPENAM-78 - CDCServlet using Strings when it should use final statics
  • OPENAM-79 - Generated SAML2 tokens contain hard-coded AttributeValue tag without namespace prefix
  • OPENAM-80 - AM C SDK and Agents do not build properly on modern Linux 32 or 64
  • OPENAM-88 - LoginViewBean does not cope with onePageLogin properly, DAS side fix
  • OPENAM-89 - Possible leak of session cookie value
  • OPENAM-91 - DAS LoginViewBean ignores the FQDN with calculating the realm
  • OPENAM-92 - No-console build does not remove ssoadm.jsp
  • OPENAM-93 - redirect to top level realm after session timeout
  • OPENAM-94 - ServiceConfigImpl does not cope with cache entry token id changes
  • OPENAM-96 - SMSJAXRPCObjectImpl notification URL cache can contain duplicate URLs
  • OPENAM-97 - AMClientCapData does not cope with invalid session token, should refresh and retry
  • OPENAM-98 - For a SAML2 Attribute Provider, the SAML2 Attribute format might be different than SAML2Constants.BASIC_NAME_FORMAT
  • OPENAM-100 - With Remote Auth Security enabled, policy agents are denied access
  • OPENAM-114 - Authentication error log messages have no context ID
  • OPENAM-116 - Error handling is a bit mad in AuthContext
  • OPENAM-124 - does not handle Exceptions very well
  • OPENAM-127 - OpenAM Apache agent long startup due to threading library pause
  • OPENAM-133 - admin tools setup fails on 9.5
  • OPENAM-136 - deployment problems on windows, setcp.bat missing
  • OPENAM-138 - Default implementation for client detection framework does not work
  • OPENAM-142 - Installation with Default Configuration Wizard is not working
  • OPENAM-147 - OpenDS is missing some upgrade files
  • OPENAM-148 - OpenDS Admin SSL certificates are not persisted to the keystore during replication setup
  • OPENAM-150 - openssoclientsdk.jar is missing LDAP connection pool classes
  • OPENAM-151 - AdminTools installer fails, when debug/log directory already exists
  • OPENAM-153 - QA tests do not configure on OpenAM 9
  • OPENAM-154 - OpenAM Console Agents section, NullPointerException sometimes on some of the agents tabs
  • OPENAM-160 - XML characters not encoded in Remote Auth API
  • OPENAM-162 - Problem when unauthenticated user access "Logout endpoint"
  • OPENAM-163 - Error when account lockout feature enabled
  • OPENAM-164 - QA Tests fail when not using Ant Version 1.7.1
  • OPENAM-165 - QA Authentication redirect tests failing with 'OpenSSO' as part of search string
  • OPENAM-166 - + in the naming attribute confuses the LoginState and prevents login
  • OPENAM-167 - Accessing DAS logout without session makes wrong redirect
  • OPENAM-168 - Persistent Cookie setting function needs global settings and better security
  • OPENAM-175 - ssoadm needs a sub-command to add plugin schema and to delete plugin schema
  • OPENAM-176 - Admin token invalid causes looping calls to session service
  • OPENAM-180 - Process not terminated when shutting down tomcat instance running OpenAM
  • OPENAM-184 - File descriptor leak leads to "Too many open files"
  • OPENAM-187 - Property missing from DAS config file
  • OPENAM-189 - ssoadm does not take into account JAVA_HOME and CLASSPATH variables
  • OPENAM-196 - ssoadm create-agent does not allow agentRootURL to be set
  • OPENAM-197 - ssoadm needs a way to manually set the site id
  • OPENAM-198 - ssoadm set-sub-cfg does not cope with nested schemas
  • OPENAM-202 - The OpenDS backup command is not included under the opends/bin directory
  • OPENAM-204 - BasicClientTypesManager does not correctly set the locale encoding
  • OPENAM-205 - Weird EmbeddedOpenDS errors in single-server environment
  • OPENAM-206 - Conditions are now evaluated in separate threads and this causes restricted tokens to fail
  • OPENAM-213 - OpenAM Client SDK is missing LDAPConnPoolUtils class
  • OPENAM-214 - get/set user session property methods in AMLoginModule do not cope with session upgrade and force auth
  • OPENAM-216 - CollectionHelper does not process multiple server names correctly
  • OPENAM-217 - Session Failover system grinds to a halt over time
  • OPENAM-218 - Session Failover system using longs for ints
  • OPENAM-225 - LDAPv3 IdRepo does not manage the list of ldap servers correctly in a multi-site environment
  • OPENAM-229 - additional filters using OpenAM SDK can fail to initialise correctly
  • OPENAM-230 - OpenAM cannot install third instance when using embedded repository
  • OPENAM-231 - restricted token cross server dereferencing does not work when cookie encoding is enabled
  • OPENAM-234 - CDCServlet should respond with 403 in the case of failure rather than sad access denied page
  • OPENAM-235 - cdcservlet should expose 500 server errors so they can be correctly managed
  • OPENAM-241 - Duplicate session cookies in OPL on the DAS
  • OPENAM-242 - Conditions should be provided with an evaluation context
  • OPENAM-246 - JAXRPCHelper does not use the local site URL, rather picks a site at random
  • OPENAM-248 - Site Status Monitor can get confused if OpenAM instances are behind a load balancer
  • OPENAM-252 - JMQ failover leads to resource leak
  • OPENAM-253 - Client IP is not correct if OpenAM is behind a proxy
  • OPENAM-255 - ClusterStateService does not cope with servers behind proxies or if the server is still available at the socket level.
  • OPENAM-259 - RetryTask does not honour the num retries count
  • OPENAM-260 - InternalSession objects created during logout from the Dist UI
  • OPENAM-262 - SessionService logs entry at error level instead of message
  • OPENAM-263 - Broken SP-side processing of non-success SAML responses
  • OPENAM-264 - Network Monitor should not be enabled by default
  • OPENAM-266 - RetryTask in LDAPv3EventService should not retry for ever, rather the retry count
  • OPENAM-270 - Certain URLs called before AMSetupServlet can cause configuration to fail
  • OPENAM-282 - Entitlements framework ignores ConditionDecision TTL value
  • OPENAM-293 - OpenAM throws exception if debugLevel is null during bootstrap or set at server defaults level
  • OPENAM-297 - OpenAM SAML IDP accepts arbitrary AssertionConsumerServiceURLs
  • OPENAM-300 - When trying to create an openam.war without the console, the resulting war does not deploy (missing zip for OpenDS).
  • OPENAM-302 - URLs for comparison are not correctly canonicalized lead to policy decisions resulting in deny
  • OPENAM-303 - The REST Interface isTokenValid does not reset the Session Idle Time counter.
  • OPENAM-304 - Creating a SAML2 entity with Attribute Authority cert aliases - encryption/signing aliases reversed


  • OPENAM-7 - The Remote Auth API does not transfer the HTTP request/response state
  • OPENAM-8 - Moving embedded OpenDS to 2.3.0
  • OPENAM-45 - OpenSSO CSDK does not support HttpCallback structures and interface
  • OPENAM-51 - CDCServlet and CDCClientServlet need to be able to use a custom auth UI URI set at request time
  • OPENAM-53 - AMLoginModule should provide a method to allow account lockout count to be incremented
  • OPENAM-56 - unable to get or set properties on a restricted token
  • OPENAM-57 - cdcservlet should be able to set custom response header
  • OPENAM-101 - IDP SLO should be able to cope with mis-routed request due to broken load balancing
  • OPENAM-125 - should be more platform neutral and other improvements
  • OPENAM-132 - AMLoginModule needs a method to determine if a username account is already locked out
  • OPENAM-194 - Warn about use of AMLoginModule#getSSOSession
  • OPENAM-220 - Change the default for ssoadm.jsp to disabled
  • OPENAM-226 - ssoadm show-agent output should be a viable input to create-agent
  • OPENAM-278 - Make optional to do Federation Account Linking when NameID Format is unspecified at the SP and IdP for SAML2

New Feature

  • OPENAM-40 - substituteHeader method in the AMLoginModule

Known Issues in This Release

OpenAM Snapshot 9.5 contains a number of outstanding issues that have been noted in the OpenAM bug tracker. Please check bugster for open bugs.

OpenAM Documentation

ForgeRock is working on providing up-to-date documentation for the current release of OpenAM. In the meantime you can check the OpenSSO Enterprise 8.0 documentation, available at:

OpenSSO Enterprise 8.0 Documentation Center

Deprecation Notifications and Announcements

  • The LDAP JDK file ldapjdk.jar was not included in OpenAM, beginning with OpenSSO Express 7 (predecessor of OpenAM).
  • The Unix authentication module and the Unix authentication helper (amunixd) will not be included in a future OpenAM release.
  • The Sun Java System Access Manager 7.1 Release Notes stated that the Access Manager package, commonly known as the Access Manager SDK (AMSDK), and all related APIs and XML templates will not be included in future releases of OpenSSO (OpenAM predecessor); therefore it is not included in OpenAM. Migration options are not available now and are not expected to be available in the future. OpenIDM provides user provisioning solutions that you can use instead of the AMSDK. For more information about Identity Manager, see

How to Report Problems and Provide Feedback

If you have questions or issues with OpenAM Snapshot, report them in

If you are requesting help for a problem, please include the following information:

  • Description of the problem, including when the problem occurs and its impact on your operation
  • Machine type, operating system version, web container and version, JDK version, and OpenAM release version, including any patches or other software that might be affecting the problem
  • Steps to reproduce the problem
  • Any error logs or core dumps