Please see the current Release Notes (here - scroll down to change log) for the active release change log

Ubisecure SSO 8.x.x

SSO 8.6.0 (05/11/2020)

...

Improvements

  • IDS-2714 - Support for PBKDF2-SHA256 password encoding has been added to SSO. All supported values can be found in the Management UI authentication methods.
  • IDS-2571 - Improvement for handling multiple IPs in "proxy.remote-addr-name = x-forwarded-for" configuration. If there are multiple IPs included in the request, all of the IPs will be shown in the audit logs, separated by ",". This will need to be taken into consideration when parsing the audit logs. Previously multiple IPs caused issues with Ubilogin Management, Logviewer and Search applications.
  • IDS-2717 - Changes to application configuration for two-factor authentication methods. If both password and a step-up method are enabled for an application, users who do not have the specific step-up method enabled on their account can log in to the application with password only. See Authentication and authorization process - SSO.

...

SSO 8.5.0 (17/06/2020)

New Features

...

  • IDS-2516 - OAuth 2.0 applications can be extended with the compatibility flag ExtendedOAuth2AuditLogging. This enables additional entries in the audit log to facilitate Mobile Connect billing use cases. It can also be used for other OpenID Connect use cases. More detailed information can be found in Additional audit logging for OAuth 2.0.
  • IDS-1304 - Authorisation policies have been updated with a scope field. This allows Administrators to specify which scopes should be evaluated for OpenID Connect and OAuth 2.0 applications. Read more in Manage authorization policies - SSO.
  • IDS-2522 - Improved consent page includes requested scopes and confirm/cancel buttons instead of the previous static text and checkbox. This improvement can be used for OpenID Connect methods and OAuth 2.0 applications. For other applications and methods, an updated static page of consent information will be shown to the end user. Read more about how to configure the consent screen in our Login screens - SSO and Internationalization - SSO documentation pages.
  • IDS-1591 - Mobile ID (Mobiilivarmenne) phone number input field has been changed from 'text' to 'tel' to improve the user experience on mobile devices. The user's default screen will show a number keypad rather than an alphabet keyboard, easing use of the service.
  • IDS-2486 - Optimisation of LDAP search in Password Reset application related to lookup of available methods
  • IDS-2014 - Additional information for the different entry types has been added to our Audit log description - SSO
  • IDS-2034 - Improved documentation on how to set up authentication methods using the SSO Management API can be found in OpenID Connect authentication method - SSO.
  • IDS-750 - Improved documentation on handling error situations so as not to expose any sensitive server or software information. Read more about how to use a reverse proxy in our Security considerations for production environments - SSO.
  • IDS-1487 - Improved version handling of SSO components in order to have a better understanding of which version is currently installed. Logging of correct version (i.e. same as the release version) during SSO startup
  • IDS-2445 - Improvement to how threads are handled for the Health check API. In clustered environments it was noticed that health check calls could go into a deadlock due to a timing issue when a connection was shutting down.
  • IDS-2615 - OAuth2 / OpenID Connect Token responses have been changed to exclude the id_token for refresh requests. This is to make sure that no additional information is shared with the application that the user has not approved to be shared. Read more about Access Token and ID Token from Authorization code grant and web single sign-on - SSO
  • IDS-2608 - Updated audit log field "Web Application User ID" to get username sent to the application in the log entries that have this field available. More information can be found from Audit log description - SSO

...

  • IDS-2158 - Version number in the footer of SSO Management UI now correctly displays the installed version of the application
  • IDS-2317 - UsernameUserMappingIdentityFactory flag has been set to disabled by default, as specified in the SSO 8.4.1 release notes. If this functionality needs to be enabled, follow the Enabling UsernameUserMappingIdentityFactory instructions.
  • IDS-2032 - Changing log levels in the SSO Management UI will now take effect without restarting the SSO application; this would previously require a restart.
  • IDS-1182 & IDS-1469 - Documentation has been updated related to how to configure your reverse proxy in order not to expose any sensitive server or software information. Read more about how to use reverse proxy in our Security considerations for production environments - SSO page
  • IDS-2537 - Correction to a jQuery call that broke WS-Federation logout in 8.4.0 and 8.4.1. If using WS-Federation methods, we suggest upgrading to SSO 8.5.0 to resolve this issue.

...

Corrections

  • IDS-2208 - Fix for StrictAudiencePolicy to be able to set the compatibility flag system-wide; this did not overwrite application or authentication method flags set in SSO 8.3.8 (OpenID Connect authentication method - SSO)

SSO 8.4.0 (12/11/2019)

New Features

Improvements

  • IDS-58 - Server side session storage/Redis product documentation (Use Redis with Identity Server)
  • IDS-79 - NameIDPolicy must be set for AuthnRequest sent by SSO
  • IDS-110 - Updated SSO external library (3rd party) dependencies (3rd party licenses - SSO)
  • IDS-684 - AuthnContextClassRef from a SAML Identity Provider to SSO (IdP Proxy) should also be possible to be forwarded to SP
  • IDS-930 - SSO management API for persistentID (PCR) name mapping
  • IDS-1080 - Identity Server supports BCrypt for password encoding

...