Access Manager 5.0 Service Pack 2 (5.0.2) includes new features and enhancements, improves usability, and resolves several previous issues.
Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Access Manager forum on Micro Focus Forums, our online community that also includes product information, blogs, and links to helpful resources. You can also share your ideas for improving the product in the Ideas Portal.
For more information about this release and the latest release notes, see the Documentation page. Note that we have moved Access Manager 5.0 documentation from the NetIQ domain to Micro Focus. For Access Manager documentation versions prior to 5.0, see Documentation.
If you have suggestions for documentation improvements, click comment on this topic at the top or bottom of the specific page in the HTML version of the documentation posted on the Documentation page.
For information about the Access Manager support life cycle, see the Product Support Life Cycle page.
This release includes the following new features and enhancements:
This release introduces Identity Server authentication APIs. These APIs enable you to build your own end-to-end login experience replacing the built-in user portal login experience. You can use these APIs in the following scenarios:
Primary Authentication: Verifies the end-users' credentials using one of the following methods:
Name/Password - Basic
Name/Password - Form
Secure Name/Password - Basic
Secure Name/Password - Form
Multi-factor Authentication: When Access Manager is integrated with Advanced Authentication through the plug-in approach, the API supports multi-factor authentication for the following methods:
Smartphone
Voice call
For more information about these APIs, see Identity Server Authentication API.
You can also configure the default user attributes that you want in the authentication response.
For information about configuring the attributes list, see Identity Server Authentication APIs in the NetIQ Access Manager 5.0 Administration Guide.
Microsoft Windows Autopilot is an end-to-end Windows device management solution. Irrespective of their location, users can log in to the device using their email ID. When integrated with Microsoft Azure, Access Manager supports the Windows Autopilot feature.
For more information about Windows Autopilot, see “Overview of Windows Autopilot”.
For more information about how to use this feature in Access Manager, see Enabling Access Manager with Microsoft Windows Autopilot in the NetIQ Access Manager 5.0 Administration Guide.
Access Manager now provides an option to specify scopes for a client application. The application can use only the configured scopes instead of using all scopes available in the resource server.
For more information, see Registering OAuth Client Applications in the NetIQ Access Manager 5.0 Administration Guide.
Access Manager now supports authentication through the external OAuth provider Itsme. Itsme is Belgium’s official mobile identity. It is a digital identity provider, which provides a platform to quickly and effortlessly identify a user on a website or an application.
For more information, see Configuring the Social Authentication Class in the NetIQ Access Manager 5.0 Administration Guide.
This release introduces the Analytics Dashboard plug-in for the following products:
NetIQ SecureLogin
For more information, see Analytics Dashboard in the NetIQ SecureLogin 9.0 Administration Guide.
NetIQ Secure API Manager
For more information, see Configure Analytics in the NetIQ Secure API Manager 2.0 Administration Guide.
NOTE: The plug-in is not supported with Access Manager container deployment.
Access Manager introduces a new option Token Lifetime for WS-Federation. Using this option, you can configure the validity duration of the authentication token.
For more information, see Modifying the Authentication Response in the NetIQ Access Manager 5.0 Administration Guide.
You can now upgrade all the Access Manager services using one click from the primary Administration Console.
Upgrade Assistant is now enabled for registration on the RHEL platform.
For more information, see Registration Using Local Repository on RHEL and Upgrading Access Manager through Upgrade Assistant in the NetIQ Access Manager 5.0 Installation and Upgrade Guide.
In addition to the integration with on-premises Advanced Authentication, Access Manager now supports integration with the Advanced Authentication as a Service.
For more information about how to integrate, see Multi-Factor Authentication Using Advanced Authentication.
With this release, when a JWT is encrypted using custom keys provided in the resource server, the user info endpoint is able to decrypt the JWT and provide valid user info details in the response.
This release provides the following updated components:
Tomcat 9.0.55
Apache 2.4.53
Log4j 2.17.1
JDK 1.8.0_312
OpenSSL 1.0.2zd
This release includes the following videos:
Access Manager Upgrade Assistant: Registration and Upgrade on RHEL and SLES
Integrating Access Manager with Itsme
Access Manager 5.0 Service Pack 2 resolves the following security issues:
The cache-control headers for Identity Server and ESP URL
Generic XSS validation filter to disable scanning specific directories
XSS vulnerability fixes in Identity Server (CVE-2021-22531)
XSS vulnerability in the Access Manager Administration Console (CVE-2022-26325)
Redirection Issue with customized URL (CVE-2022-26326)
NOTE: We appreciate Stefan Stojanovski, penetration tester at Viris d. o. o., for finding and responsibly disclosing the vulnerability that is listed as CVE-2021-22531.
NOTE: We also appreciate the researcher community for anonymously notifying us of other vulnerabilities as part of the Responsible Disclosure process.
This release includes the following software fixes:
Component | Bug ID | Issue |
---|---|---|
Identity Server | 218333 | Swap files are not deleted after the session expires and IDP disk space is consumed by the swap files. |
NIDS-Risk | 218415 | Calculated Risk Score value does not get passed to Virtual Attribute. |
Access Gateway | 328380 | 409-esp errors for users having French characters in their name. |
NIDS-Risk | 329512 | IP based rule fails after upgrade to Access Manager 5.0. |
NIDS-SAML 2.0 | 329580 | SAML Attribute Matching lookup automatically sets filter to mandate objectclass=user. |
NIDS-SAML 2.0 | 329605 | Approval Request Link is not working when user is not logged into ServiceNow already. |
OAuth | 356026 | In a client credentials flow, the OAuth grant does not return the scope name. |
Admin Console | 357126 | Admin Console service is not coming up after system reboot on RHEL 8.3 and SLES 15SP3. |
OAuth | 367068 | OAuth logout does not direct you to the default login contract unless you close the browser or try more than once. |
Admin Console | 395034 | Advance File Configuration Management does not restore original shipping files. |
NIDS-OAuth 2.0 | 414186 | Request for authorization code generates a 404 code when response_mode=form_post is used. |
OAuth | 419007 | OAuth Redirect URI does not accept special characters. |
Admin Console | 419013 | Brokering groups are missing after upgrading the Admin Console to 5.0.1. |
Admin Console | 421011 | After upgrading to Access Manager 5.0.1 it is not possible to add a Page Matching Criteria which includes double quotes. |
NIDS-Risk | 432055 | User profile rule fails in case of missing user attributes after upgrade from Access Manager 4.5.x to 5.0.1. |
OAuth | 434011 | OAuth login redirect URI is not validated correctly. |
OAuth | 432131 | OAuth client configuration replicated across clusters and deleted when accessed from second cluster. |
NIDS-Authentication | 458035 | DynamicAuthentication not working after update to Access Manager 5.0.1. |
Admin Console | 476028 | Upgrade from 4.5.3 to 5.0.1 hangs at Upgrading Novell Identity Server Admin Plug-in. |
OAuth | 478008 | Request all roles attributes in the access token does not work as expected. |
Admin Console | 483082 | ambkup not backing up trusted roots container. |
OAuth | 479127 | OAuth Resource Owner flow using OTP fails. |
OAuth | 489272 | New OAuth resource servers lost from configuration. |
Admin Console | 425159 | Migration of Access Manager 4.5 running on Windows to Access Manager 5.x on Linux fails. |
After purchasing Access Manager 5.0.2, download the software and the license from the Software License and Download portal.
Table 1 Files Available for Access Manager 5.0.2
Filename | Description |
---|---|
AM_502_AccessManagerService_Linux64.tar.gz | Contains the Identity Server and Administration Console .tar file. |
AM_502_AccessGatewayAppliance_OVF.tar.gz | Contains the Access Gateway Appliance OVF template. |
AM_502_AccessGatewayService_Linux64.tar.gz | Contains the Access Gateway Service .tar file for Linux. |
AM_502_AccessGatewayAppliance.tar.gz | Contains the Access Gateway Service .tar file. |
AM_502_Dashboard_HelmChart-1.0.2.tgz | Contains the Analytics Dashboard Helm Chart 1.0.2. |
AM_502_AnalyticsDashboard.tar.gz | Contains the Access Manager Analytics Server .tar file. |
AM_502_Containers.tar.gz | Contains the .tar file of all the images for Docker deployment. |
AM_502_HelmChart-1.0.2.tgz | Contains the Access Manager Helm Chart 1.0.2. |
For information about the upgrade paths, see Supported Upgrade Paths. For more information about installing and upgrading, see the NetIQ Access Manager 5.0 Installation and Upgrade Guide.
To upgrade Access Manager on Docker, see Helm Charts in the NetIQ Access Manager 5.0 Installation and Upgrade Guide.
After upgrading to Access Manager 5.0.2, verify that the version number of the component is indicated as 5.0.2.0-309. To verify the version number, perform the following steps:
In Administration Console Dashboard, click Troubleshooting > Version.
Verify that the Version field lists 5.0.2.0-309.
To upgrade to Access Manager 5.0.2, you must be on one of the following versions of Access Manager:
4.5 Service Pack 4
4.5 Service Pack 5
4.5 Service Pack 5 Patch 1 (Log4j)
4.5 Service Pack 5 Patch 2 (OpenSSL)
Access Manager 5.0
5.0 Service Pack 1 Patch 1 (Log4j)
5.0 Service Pack 1
5.0 Service Pack 1 Patch 3 (OpenSSL)
To upgrade to Analytics Server 5.0.2, you must be on one of the following versions of Analytics Server:
Analytics Server 5.0
Analytics Server 5.0 Service Pack 1
The following issues are currently being researched for Access Manager 5.0.2.
Micro Focus strives to ensure that our products provide quality solutions for your enterprise software needs. If you need assistance with any issue, visit Micro Focus Support, then select the appropriate product category.
Issue: You can only modify or change attribute sets to different attribute sets. After the attribute set is updated for Authentication API, it cannot be rolled back to the default settings.
Workaround: Do not add any attributes in the Selected Attribute field. By default, Authentication API responds with given_name, family_name, and email attributes when no attribute set is configured.
Workaround: Clear the session cookie if the first user has not logged out.
Workaround: There is no workaround for the issue.
Workaround: Do not use third factor of Advanced Authentication Server.
Workaround: Install Access Manager 5.0.2.1. For more information about the patch, see Access Manager 5.0 Service Pack 2 Patch 1 Release Notes.
For specific product issues, contact Micro Focus Support at https://www.microfocus.com/support-and-services/.
Additional technical information or advice is available from several sources:
Product documentation, Knowledge Base articles, and videos: https://www.microfocus.com/support-and-services/
The Micro Focus Community pages: https://www.microfocus.com/communities/
For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.microfocus.com/about/legal/.
© Copyright 2022 Micro Focus or one of its affiliates.