Versions Compared

Version Old Version 8 New Version Current
Changes made by

John Jellema

John Jellema

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Release highlights

This release focuses on introduction of the following new features and improvements:  

We have improved OAuth2.0 flow support, according to RFC6749 section 2.3.1, to include URL encoded client credentials. This feature is being released with a feature flag, off as a default. This means if your environment requires URL encoding of client credentials you will need to activate the feature flag. NOTE: this feature should be tested for backwards compatibility in your environment. Ensure that you review both the ClientID and the secret URL decoding prior to enabling this feature in your production environment. You can review specifics here. And general guidance for OAuth 2.0 integration here.

Important change for customers with multi-node LDAP deployments, the default setting for the cleanuplockEnabled has been updated to true, or on. This setting ensures that the memory management improvements added in SSO 9.3 and SSO 9.4 will be taken into use, optimising the caching and memory management of SSO in large, active environments. See the IDS-4926 ticket below. 

Important - see IDS-4449 SSO OAuth2 should support URL encoded client credentials to support section 2.3.1 of RFC6749. 

NOTES

Postgres Update see. IDS-4904

LDAP remains on 2.5.16, no substantial improvements or requirements found in 2.5.18

Centos OS removal

Tomcat - there were backward incompatible changes discovered by the global community with Tomcat 9.0.91, these were resolved and tomcat has been updated to 9.0.xx for SSO 9.5 

CertAP IDS-4895 runs in java11 with slf4j

Please ensure you review the updated System Recommendations page and are aware of the 3rd Party License page.

Contents

Table of Contents
stylenone

Change log 

SSO 9.5.0

New Features

Improvements

  • IDS-2429 - An often requested, but low level improvement to SSO is to create an example-template location within the installation package to permit Administrators creating new environments to more easily locate all of the available configuration options.  create or show link here.
  • IDS-4926 - Customers with multi-node LDAP deployments will benefit from the memory management improvement made in SSO session manager. Specifically, the "cleanupLockEnabled" has been set to default true, which means this memory management improvement is applied as default. Please see the Configuring cleanup of expired SSO sessions in OpenLDAP for more information.
  • IDS-4818 - An improvement has been made to both UI and API for SSO when creating or updated an applications metadata to ensure a unique clientID is used. For more detail please see OAuth 2.0 provider implementation reference - SSO, specifically the Request Parameters table. 
  • IDS-3429 - Improved SMS authentication method (SPI Mobile Phone) to include both GET and POST message sending methods. Default remains as a GET.  Please see the documentation, section 6. Click SPI Mobile Phone tab, for more detail. 
  • IDS-4856 - Improvements found in Audit Logging for the external module supporting Swedish BankID. The AuditClientDisplayName  will enable the Client Display name to be logged with each login event.
  • IDS-3330 - Ability to configure the timeout value within Redis when used with SSO. Please see Timeout Configuration on Redis Configuration - SSO
  • IDS-4885 - Password applications which use URL encoded client secret will function, see also IDS-4886 in the CustomerID section.
  • IDS-4449 - see ticket

Corrections

  • IDS-4868 - Through a customers low level auditing of SSO there was a hypothetical XML expansion bug found within SSO. With extensive knowledge of SSO, it is possible to craft a hypothetical attack, however in testing these attacks were found to result in "Ticket Validation Error" being displayed to the user (attemptive attacker) and ERROR messages being logged. During the investigation an implementable solution was found, therefore it was decided to remove even this theoretical attack vector.
  • IDS-4763 - (need to work this one)
  • IDS-4526 - 
  • IDS-4431 - client credentials Oauth response improvement
  • IDS-3117 - removal of body option from TOTP GET call
  • IDS-3026 - Corrected deviation found in the use of RSA-OAEP-256 encryption and decryption.

  • IDS-2314 - This item is not a defect, SSO verifies the account represented by refresh token still exists, is enabled etc. when a refresh token is used to get a new access token. This is obviously not possible with unregistered users where we by definition have no record of the account. Historically, this ticket carried the following description: There is a known issue with passing a refresh token to token endpoint results in "invalid_grant" error, if the refresh token has been issued to an unregistered user from an authentication method having a connected Directory Service. This issue is now closed. Please open a Service Desk ticket if you require additional details.

Modules

  • Within IDS 2024.2, SSO 9.5, our external module Metadate Updater has been improved to update its functionality when used within Identity Cloud, specifically for use on linux systems and with Java11. These updates will be included in downloadable updates which will be provided as a supplemental release during the upcoming months. If you or your customer utilises Metadata Updater, please open a support ticket which includes your environment parameters (windows/linux and which version of SSO and CustomerID are in place) to determine if the updated Metadata Updater should be used.
  • SAML SP for Java with SSO 9.5 - see IDS-3838, as this has been updated for Java11 and slf4j logging.

CustomerID 6.5.0

New Features

Improvements

Release highlights

This release focuses on introduction of the following new features and improvements:  



Client Credential URL Encoding Support. We have improved OAuth2.0 flow support, according to RFC6749 section 2.3.1, to include URL encoded client credentials. This feature is being released with a feature flag, off as a default. This means if your environment requires URL encoding of client credentials you will need to activate the feature flag. NOTE: this feature should be tested for backwards compatibility in your environment. Ensure that you review both the ClientID and the secret URL decoding prior to enabling this feature in your production environment. You can review specifics here. And general guidance for OAuth 2.0 integration here.


System Recommendations. As with every release we continually update the 3rd Party Library's used by the Identity Platform. Among these updates, we would like to point out Tomcat update, while there were globally observed incompatibilities with 9.0.91, these have been resolved and SSO 9.5 is being released with a later patch version (Tomcat 9.0.97). Also Postgres has been updated, within IDS-4904, we have updated the JBDC driver (42.7.4) permitting the latest PostgreSQL 16 to be utilised.  

The Redhat issued an end-of-life statement on Centos 7, to ensure full open source linux deployment options the Identity Platform has been migrated to Rocky8 and Rocky9 distributions. We always encourage Customers to review the System Recommendations page found with each release. If there are any questions, please do not hesitate to open a Service Desk ticket and Operations will be happy to help you resolve any environment or deployment support questions you might have. 



Please ensure you review the updated System Recommendations page and are aware of the 3rd Party License page.


Contents

Table of Contents
stylenone

Change log 

SSO 9.5.0

New Features

Improvements

  • IDS-2429 - An often requested, but low level improvement to SSO is to create an example-template location within the installation package to permit Administrators creating new environments to more easily locate all of the available configuration options. Please see the Example configuration directories for Linux and windows within Configuration - SSO.
  • IDS-3330 - Ability to configure the timeout value within Redis when used with SSO. Please see Timeout Configuration on Redis Configuration - SSO
  • IDS-3429 - Improved SMS authentication method (SPI Mobile Phone) to include both GET and POST message sending methods. Default remains as a GET.  Please see the documentation, section 6. Click SPI Mobile Phone tab, for more detail. 
  • IDS-4449 - SSO OAuth2 supports URL encoded client credentials as required by section 2.3.1 of RFC6749.
  • IDS-4818 - An improvement has been made to both UI and API for SSO when creating or updated an applications metadata to ensure a unique clientID is used. 
  • IDS-4827 - Included the ability to configure the trusted SAML keys for ETSI MSS MPKI via API. 
  • IDS-4719 - Swedish BankID adapter no longer uses a personal number during authentication of a session. Code improvement has been made to remove the use of personal number, which is no longer supported within BankID authentications.

Corrections

  • IDS-4885 - Within Client Credentials, password applications which use URL encoded client secret will function without error, see also IDS-4886 in the CustomerID section.
  • IDS-4868 / IDS-4763 - Through a customers low level auditing of SSO there was a hypothetical XML expansion bug found within SSO. With extensive knowledge of SSO, it was possible to craft a hypothetical attack, however during testing these attacks were found to result in "Ticket Validation Error" being displayed to the user (or attemptive attacker) and ERROR messages being logged. A solution has been implemented which prevents this hypothetical XML expansion attack vector. 
  • IDS-4847 - a correction of Azure metadata export, where the tenantid is presented with curly braces. SSO will now manage this improper format permitting improved use of this resource.
  • IDS-4526 - There was a know issue that occurs in SSO Management UI when removing the last user from an existing application, the UI will appear blank with no application to select. Note: Only one user can be impersonated by an application.
  • IDS-4431 - There is a known issue where SSO will provide an incomplete OAuth2 response when access has been denied. This has been improved and is no longer a deviation.
  • IDS-3117 - The body option has been removed from the TOTP GET call. 
  • IDS-3026 - Corrected key management between RSA_OAEP_256 in JWE tokens, used by Nimbus and Jose4j . It has been observed that errors occur when these libraries are used with previous versions of SSO. 
  • IDS-2314 - This item is not a defect, SSO verifies the account represented by refresh token still exists, is enabled etc. when a refresh token is used to get a new access token. This is obviously not possible with unregistered users where we by definition have no record of the account. Historically, this ticket carried the following description: There is a known issue with passing a refresh token to token endpoint results in "invalid_grant" error, if the refresh token has been issued to an unregistered user from an authentication method having a connected Directory Service. This issue is now closed. Please open a Service Desk ticket if you require additional details.

SSO Modules

Over the course of twenty years of development, there have been a number of code modules that have been developed for Identity Platform, specifically for SSO, which provide functionality to some deployments but where the code is not an essential component or function found within the SSO release package itself. Within the IDS 2024.2 development cycle we have updated a number of these external modules. They provide specific solutions for specific use cases, so if you are unaware of these modules, they likely do not impact or benefit your environment. However, if you have been using one or more of these modules, we would like to work with you to ensure that your current operating environment can benefit from these latest updates. Each of the updates require a Java11 environment and have only be tested with SSO 9.5, therefore until your environment upgrades to this release, please continue using your existing modules. We would ask you to contact Support via Service Desk so we can prepare the modules to be downloadable for you - this will occur after the release of the IDS 2024.2 software. 

  • Metadata Updater
  • CertAP
  • SAML SP for Java
  • SAML palvelu

CustomerID 6.5.0

New Features

Improvements

  • IDS-3765 - There was a known issue where JDK 11.0.15 would prevent Wildfly from working/starting correctly. This has been resolved in later versions of JDK 11.x.x

  • IDS-1340 - CustomerID Rest 2.1 API has been improved to permit an administrator to force password changes for existing users, this can be performed via Rest API 2.1 - CustomerID.  Please see the documentation for PUT125 Force Password Change for User.

  • IDS-4911 - Improved the diag logs for CustomerID, it had been observed that warnings were being logged in diag log when invalid event listener was included in a previously release CID package.  While these events could be safely ignored, the invalid event listener has been removed which also removes the warning found in diag logs.

  • IDS-4886 - Improvements have been made to CustomerID to DisableOAuth2CredentialsUrlDecoding where the application uses a URL encoded secret 

    IDS-

    permit the use of a URL encoded secret. The following flag is no longer required:  DisableOAuth2CredentialsUrlDecoding.

  • IDS-4877 - Improved the management of user with OAuth 2.0 authentication to ensure both API and UI requested user moves are possible for all the following functions; 

    • Password
    • SAML 
    • OIDC
    • SMS
    • SMTP 
    • OTP 
    • TOTP

Corrections

Notes on Password changes - update link to regex and password pages for the properly escaped regex testing highlighted in IDS 4913

  • IDS-3392 / IDS-4889 - There was a known issue when an Administrator user is used moved to another organisation then error was logged. The Administrator users was correctly moved, but a safely ignorable log entry was created. This known issue has been corrected. Now there is no log entry error present.


Please review the change log if you are upgrading your system from a prior version to IDS 2024.12:   Identity Platform



Deviations

The following deviations are found within Identity Platform and are expected to be corrected over time. For a listing of known issues found on Identity Platform please see: Considerations, limitations and known issues

SSO

Ticket number

External description

IDS-561There is a known issue where SSO does not check the mappingURL value when creating or editing an inboundDirectoryMappings when using the SSO REST API. Directory Mappings are possible to be created, but then not opened or edited.
IDS-1030There is a known issue where running the CertAP setup.cmd in a windows environment will post errors of missing linux tags. While these errors are unsightly, they can be safely ignored.  This issue will be corrected in a future release.
IDS-1499There is a known issue where SSO will return http 401, rather than http 400 when token introspection without an authentication header or when invalid credentials are present. 
IDS-1629There is a known issue resulting in unclear error messages. When a user is configured without a phone number and SMS OTP method is added to their profile result in one of two error messages. If the SMS OTP is the only authentication method enabled, the message will be “The user account is disabled”. If there are other authentication methods enabled, the message will be “Access to the requested resource is denied”.
IDS-1648This is a known issue that only  is only present with password2. User is presented with a popup "Update: Invalid account Status" if one of the previous three passwords are used when asked to update their password. There is no known work around. 
IDS-1662The use of the following special characters when making any search will result in an internal sever error 500 and a stack trace. Symbols: + = # ; , < > Work around, administrators should not use the special symbols when naming users or searching for users.
IDS-1893There is a known issue if you use OpenID authentication, a user cannot access SAML or Ubilogin web applications. Work around use any other non-OpenID authentication method. If OpenID is required, then use OAuth 2.0 application.
IDS-2090There is a known issue where the SSO management UI will not filter results correctly if the filter expression is short, contains incorrect filter expressions and there are Scandinavian characters included. 
IDS-2244

There is a known issue when using special characters within SSO management API in persistentID name mapping that may result in incorrect side or policy id values being returned. Recommended work around, do not use special characters, like “=” “,” “#” in site and policy mapping names.

IDS-2260There is a known installation issue when using SSO Password reset.  Using the installation instructions for password reset tool requires an administrator to run tomcat update.  This occasionally results in an empty context.xml file being created which causes SSO to fail when being restarted.  Workaround, repeat the run tomcat update step which will create a correct .xml file and SSO will restart.
IDS-2478There is a known issue in SSO that it is not possible to have different localisations for access_denied returned by IdP and local access_denied, for example if directory user mapping fails after successful authentication
IDS-2790There is a known issue with sending in invalid formatted request to introspection endpoint returns stack trace including server version number. This can be mitigated by following our Security considerations for using reverse proxy and customising error pages with HAProxy Security considerations for production environments - SSO 
IDS-3092There is a known issue where Administrators are unable to alter password encoding through the SSO management UI. There is no known UI work around.
IDS-3625There is a known issue where an ERROR 500 message with stack-trace is shown in the browser if there is no valid encryption key available in SSO. Mitigation use reverse proxy to catch all 500 error with user friendly information Security considerations for production environments - SSO
IDS-3665There is a known issue where the authorisation endpoint may become corrupted if a URL contains "%20" in URL encoded format. 
IDS-3730There is a known issue where using “Force Reauthentication” configuration for an application that uses refresh tokens, the refresh tokens are immediately invalidated. Workaround is to not use “Force Reauthentication”, set max age to 0 in auth request → Authentication is forced and refresh tokens are valid.
IDS-3971 

There is a known issue which results in a non-impacting stack trace being logged when updating metadata using ManagedScheudledExecutorService for SAML 2 AP. There is no known work around to this non-impacting log event.

IDS-4202

There is a known issue where attributes forwarded from an external authentication method are not available after the access token has been refreshed. No known work around is available at this time.

IDS-4431

There is a known issue where SSO will provide an incomplete OAuth2 response when access has been denied. There is no work around for this defect. No known work around is available at this time.

IDS-4448

There is a known issue that prevents the Accounting service scheduled cleaner from running on a subsequent day after restart. This is due an invalid check for the earliest removal date of events. Work around, events can be manually removed from the service log.

IDS-4526There is a know issue that occurs in SSO Management UI when removing the last user from an existing application, the UI will appear blank with no application to select. Recommended work around, do not remove the final user from an application, ensure that at least one user is assigned to an application

from the service log.

IDS-4644

There is a known issue where the use of special characters within a users name, like “)” for example “Bud)”, will break the user mapping view. Work around, do not permit special characters within user names.

IDS-4669

There is a known issue where the status refresh does not update entryTtl for dynamic session objects. There is no known work around at this t

IDS-4733

There is a known issue within SSO which could permit XML expansion from an external entity. Additionally, there is a known issue within SSO which could allow for header injection. Both items will be corrected in an upcoming patch, SSO 9.4.1.

IDS-4967

There is a known issue where SSO may leave IO Streams in an improperly closed state which results in a diag log warning when SSO server is shut down as the LDAP Connection thread could not be shut down.

CustomerID

Ticket number

Description

IDS-1373There is a known issue in CustomerID when a new user is created in a non-virtual organisation, the invitation can contain a role when no role has been approved for that user.  
IDS-1509There is a known issue where a new user being invited to a virtual organisation the CustomerID administrator cannot approve the user; an internal server error occurs.   
IDS-1706There is a known issue with null values (DbAssignable.set and DbAssignable.isNull) which may result in NullPointer exceptions when using REST calls. This impacts Roles, Mandates and Invitations.
IDS-2312There is a known issue in approval view where changing technical name of an organization to include Scandinavian letters doesn't work.
IDS-2683There is a known issue where CID REST API's 2.0 and 2.1 do not locate organisations with URL encoded characters in their names.  Work around, if possible, ensure there are no URL encoded characters within organisation names. (example Ä Ö Å). 
IDS-2703There is a known issue where a role name with different case can be created which results in one LDAP entry and two SQL entries.
IDS-2876There is a known issue if user is rejected from UI error is logged "Error when trying to get approval request with ID: null". A stack trace is logged. This stack trace can be safely ignored.
IDS-2934There is a known issue in CustomerID within Mandates, where no renotify email is sent to new user to register using mandate invitation. Admin user sends mandate from Admin UI to new user that is not registered to the system. Email is sent correctly, but no renotify is sent to register to the system.Mandate expires correctly also and email is sent that mandate was expired.
IDS-2941There is a known issue where a NPE will occur if an administrator is viewing an ORG2PER mandate from the CustomerID management UI.  
IDS-3058There is a known issue where in change password application of CustomerID where the return URL is missing a forward slash (returns "https:/" not "https://") resulting in failed redirect if the cancel button would be enabled.
IDS-3765There is an issue with JDK 11.0.15 that prevents Wildfly from working