Ubisecure SSO 8.x.x

Ubisecure SSO 8.3.5

Corrections

  • IDS-1354: Fixed warning of missing library file commons-daemon.jar in application server log during startup
    • This issue occurred in version 8.3.4 but caused no regression other than the warning in the logs

Ubisecure SSO 8.3.4

New Features

  • IDS-1308: Finnish Trust Network: Support for SAML2 LG extension as specified in FTN SAML2 Profile v1.0 chapter 3.5.3.1.
    • SSO is now able to read the LG extension from inbound SAML 2.0 Authentication Requests and use it as the login UI locale; and write it to outbound SAML 2.0 Authentication Requests.
    • For SAML 2.0 Authentication Methods, writing the extension in an Authentication Request requires a new Compatibility Flag FinnishTrustNetwork set for the method.
    • For SAML 2.0 Applications, the Extension is read from an Authentication Request automatically if one is available.

Corrections

  • IDS-1326: Running the setup.sh for Enterprise Linux doesn't require high system entropy.
    • This was an erroneous requirement present only in 8.3.2 and 8.3.3
  • IDS-1279: Mobile Connect Authentication v1.1: Error responses for Mobile Connect authentication requests are now compatible with the updated Authentication 1.1 profile.

...

Corrections

...

  • IDS-963: The LDAP search for a ubiloginAuthMapping entry in the Ubilogin Directory, which is performed each time a user is authenticated, consumes fewer resources
  • IDS-78: LDAPS support for SSO install.sh, export.sh and import.sh
  • IDS-388: The default font size for error messages is increased from 0.8em to 1.1em

Corrections

  • IDS-60: Disabled users cannot log in to applications with accounts that are linked by User Driven Federation.
    • When a user authenticates with a federated identity and a matching local account is returned by a FederationManager implementation (i.e. CIDFederationManager or UbiloginFederationTable), the local account status is now verified and the access is denied if the status is not valid.
    • The workaround "Preventing disabled users from logging in with user driven federation", described on the page "User driven federation", is no longer needed.
  • IDS-1014: SSO management doesn't disclose the client_secret for OAuth2 application agents
    • When client metadata is uploaded to an OAuth 2.0 application agent using the SSO Management Console and the metadata contains a client_secret, the client_secret is now removed before the metadata is stored in the agent configuration in Ubilogin Directory.
      • Prior to 8.3, the client_secret was not removed, but stored as is in the agent configuration in Ubilogin Directory.
    • Furthermore, even if the client_secret has already been stored in the agent configuration, as may be the case for agents that were activated prior to SSO 8.3, the client_secret is no longer shown in either the SSO Management Console or the SSO Management API.
      • Prior to 8.3, the client_secret, if set in the client metadata, was shown in SSO Management Console.
  • IDS-1052: OTP lists for UbiloginDirectory users created from SSO Management Console are no longer randomly invalid
  • IDS-945: Execute flag is set for the bash scripts in the Linux version
  • IDS-723: The SMTP message that is sent by SMTP OTP method sets the Date header as specified in RFC 822
  • IDS-821: Some errors (such as LDAP read timeout) during password/reset don't deactivate the servlet that catches them
  • IDS-437: Main Class in the MANIFEST.MF of sso-pkipolicy.jar is correct
  • IDS-1074: Linux version: OpenLDAP installation script (ldap/openldap/install.sh) doesn't show an unnecessary error message ldap_modify: No such attribute (16)

Ubisecure SSO 8.2.25-1

Corrections

  • IDS-782: Added missing OTP Server files to installation package.

...

  • IDS-578: Configurable status request delay.
    • The delays between the transaction request and the initial status request, as well as the delay between consecutive status requests after the first one, are configurable. The configuration parameters are initialStatusRequestDelay and consecutiveStatusRequestDelay. Refer also to the method configuration guide.

  • IDS-658: Separate error message when authentication times out.
    • There is a new error message LOGIN_EXPIRED that is shown whenever authentication timeout occurs. The timeout is set in the ae.timeout configuration parameter. The possible error messages are listed under ETSI MSS Mobile PKI Unregistered Screen in Login Screens.

Corrections

  • IDS-589: Chrome: Forms submitted using POST to SSO's browser endpoints don't work.
    • In SSO 8.2.19 and 8.2.24, forms submitted from the Chrome browser using the POST method to SSO's browser endpoints returned a 403 Forbidden HTTP status. This caused problems, for example, with the SAML 2.0 login sequence with the Ubisecure SAML SP module, because it uses the SAML HTTP-POST binding by default, which is based on sending a form using POST. That issue is now fixed.

...

Ubisecure SSO 8.1.2 (15.5.2017)

Corrections

  • IAM-2376: The rules specified in methodmenu.rules are now applied correctly

...

  • IAM-2320: Tupas IDP: If A01Y_RETLINK contains query part, the query part is now included also in the tupas response.

Corrections

  • IAM-2300: In fresh SSO installation, user can now define "allowed to" -group for SSO API agent
  • IAM-2308: Agent type of SSO API agent is now correctly OAuth agent
  • IAM-2326: WS-Federation: Continue button is now shown after successful IDP initiated logout, if there's an active WS-Federation session
  • IAM-2311: URL is corrected for Nordea TUPAS test method (tupas.nordea.1) in methods-tupas.ldif

...

  • IAM-1374: SSO support for wreply and wfresh parameters in WS-Federation
  • IAM-2019: SSO support for wauth and whr parameters in WS-Federation
  • IAM-1352: SSO Management API - New functionality to add/remove/modify users
  • IAM-1457: SSO Management API - New functionality to create mapping configuration (persistentId, refreshtokenPolicy)
  • IAM-1735: Sms-mt-otp and smtp-otp grant, added error description to Error Response explaining the error situation
  • IAM-1907: OTP timeout for Sms-mt-otp and smtp-otp grant is now configurable in minutes. By default, there is no timeout.
  • IAM-2073: TUPAS IDP A01Y_RETLINK parameter allows ignoring of query parameters from the URL(s)
  • IAM-2110: Type and attribute names in SSO Management API calls for input are now case-insensitive. Type and attribute names in responses are now in CamelCase.
  • IAM-2204: Java updated to version jdk-8u121
  • IAM-2197: Tomcat updated to version 8.0.42

Corrections

  • IAM-2066: SSO Linux UbiloginDirectory no longer fails to start after reboot (the failure was caused by the OS changing /var/run/ubilogin ownership to root:root)
  • IAM-2075: Agents with an empty template field no longer show the wrong template in the login page
  • IAM-2018: Agent activation file download now works also in new Chrome browser

Ubisecure SSO 8.0.1 (2.12.2016)

Corrections

  • IAM-1833: MPKI authentication now works with mobileconnectloginhint-compabilityflag and ENCR_MSIDN

...

  • IAM-1320: SSO Server acts as a TUPAS IDP
  • IAM-1478: PCR generation - an option to use new kind of UUID format as specified in RFC 4112[9]
  • IAM-1493: It is now possible to prevent SSO on server side by using agent setting (using either Forceauthn, oneTimeUse or both parameters)
  • IAM-1736: New Ubisecure look and feel to SSO
  • IAM-1770: New Tomcat version 8.0.38

Corrections

  • IAM-1685: SAML agent metadata configuration fixed - agentlogo is not mandatory when clientname is used

...

  • IAM-1506: SSO authorization policy can decrypt values

Corrections

  • IAM-1538: SSO password app doesn't show errors for all users

...

  • IAM-1032: OpenID Provider Metadata, tokeninfo_endpoint replaced with introspection_endpoint (RFC 7662)
  • IAM-1384: Token Introspection updates for RFC 7662
  • IAM-1066: MPKI login screen can be configured so that it does not ask for a spam code and automatically tries to log in if a Mobile Connect encrypted login hint is provided.
  • IAM-1451: OAuth2 and SAML2 metadata agent logo, based on locale, can be set visible in the login screen, with or without the default SSO logo
  • IAM-1474: SSO openldap version upgrade to openldap-2.4.44 (OpenLDAP is now compiled without DDS overlay and with both BDB (default) and new MDB backends)

Corrections

  • IAM-1420: SSO management GUI copyright message is changed to state GlobalSign instead of Ubisecure

...

Ubisecure SSO 7.3.4 (30.9.2015)

Corrections

  • IAM-997: Some button texts not visible in management UI
  • IAM-998: Service can't be deleted if name contains "<>"

...

  • IAM-817: SSO login flow should double check UDF linking need after registration and not ask for user consent if linking has been done
  • IAM-895: Autocomplete for password input forms settable in UI-template (affects screens in SSO and password application)
  • IAM-946: If address tracking (netmask) is disabled, then an AuthnStatement/SubjectLocality element is no longer created in the SAML Assertion
  • IAM-948: If directory user mapping is successful for a user, then the UDF process will be skipped
  • IAM-951: Backchannel messages (SOAP Logout) are now secured with TLS 1.2

Corrections

  • IAM-25: SSO Management: Form inputs should be sanitized to prevent Cross-Site Scripting
  • IAM-883: OAuth: Malformed JWT causes error "Unexpected char 127 (line no=1, column no=1, offset=0) at ...)"
  • IAM-943: Session injection in Password application doesn't work in a reverse proxy deployment
  • IAM-969: Methodmenu rules don't change when a template is changed

...