Identity Server 2021.2 Release Notes
Owned by ubisebastian
Release highlights
This release focuses on introduction of the following new features and improvements:
OpenID Certification
The OpenID Foundation is a certifying entity for OpenID Connect deployments. While Ubisecure's Identity Platform has been supporting OpenID Connect method for many years, we had not completed the OpenID Foundation's conformance test suite, until now. With this release of Ubisecure SSO we have completed the certification requirements for the Basic OpenID Provider profile, explained more fully here: OpenID Connect Core 1.0. This ensures that integrations you add to SSO are validated in accordance to the shared OIDC specifications. More information about the certification and test results can be found from OpenID Foundation's website https://openid.net/certification/ and https://www.certification.openid.net/plan-detail.html?plan=O9YEnpp1wyJug&public=true
CIBA Core 1.0
When we first introduced the Ubisecure Backchannel Authentication Adapter in 2018, the OpenID Connect Client Initiated Backchannel Authentication Flow Core 1.0 (CIBA Core 1.0) specification was not finalised yet. With the release of SSO 8.8.0 we have reviewed the final document and made adjustments to the authenticator accordingly. Together with the small adjustments which have been updated in the Swedish BankID, for example metadata information and error handling, the update of the polling interval in CIBA Core 1.0, means that our Swedish BankID implementation will keep connections flowing once you have installed SSO 8.8.0. As our previous implementation was named Ubisecure Backchannel Authentication Adapter (UBAA), due to it being pre-spec, we have renamed it to CIBA adapter within our latest documentation.
In connection to this the previous "Backchannel Authentication Adapter" method is now called "Unregistered OpenID Connect CIBA".
Note: If there are old CIBA methods available in the system, we recommend updating the Type to the new "Unregistered OpenID Connect CIBA" and restart SSO server to resolve a noted upgrade issue (IDS-3113 in known issues).
We have also included possibilities to use the CIBA method as MFA (multi-factor authentication) for your registered users, referred to as "SPI OpenID Connect CIBA" method in SSO management UI. This allows the usage of the CIBA adapter or your own CIBA compliant adapter to be used as additional security when logging in to an application.
Freja eID
We are delighted to add the Freja eID authenticator to the long, and growing, list of fully tested authenticators that can be used with the Identity Platform. For easy an configuration example, please read our Knowledge base article on Configure OpenID Connect Freja eID login
Accounting service APIs
The Accounting Service has been extended with new APIs and added security. With these new API calls you are able to get additional information related to ticket granted events, such as which method and application was accessed and the user information is still pseudonymised for security reasons. The frequency of these calls can collect events on a daily, hourly or per minute basis.
Backwards incompatible changes
There are two backwards incompatible changes in this release, one related to SSO and the other to Swedish BankID Adapter (referred to as CIBA adapter);
- If you are using Swedish BankID adapter in your service, SSO 8.8 requires Swedish BankID Adapter to be at least version 1.1.1.
- If you have SPI Ubikey OTP Printout or SPI TOTP method with an SQL directory service, then you need to add LegacyUserCredentialsTable compatibility flag to the method and restart SSO server to make sure it takes affect.
Additionally, you will find a listing of known issues, with internal ticket references at the bottom of this page.
Contents
Change log
SSO 8.8.0
New Features
- IDS-105 - Administrators are now able to configure OpenID Connect methods in SSO Management UI without using the Management API. Read our Knowledge base article Configure OpenID Connect authentication method in SSO Management UI
- IDS-2861 - UserInfo endpoint now supports POST requests. See Authorization code grant and web single sign-on - SSO for more information
- IDS-2765 - SPI OpenID Connect CIBA method has been included to SSO. This allows CIBA method to be used as step-up method for your registered users. Read more about the configuration from OpenID Connect CIBA authentication method
- IDS-2937 - New API calls have been added to the Accounting Service to get more information on the ticket granted events happening in your system. The API calls return method and application used for each of the events and are able to be queried daily, hourly or per minute. More information about the API calls can be found from Event details API section in Accounting Service API
- IDS-2256 - Freja eID is now supported by SSO. Read our Knowledge base article Configure OpenID Connect Freja eID login
- IDS-3008 - TOTP API has been extended with a new call to get information if a user has the TOTP method enabled or disabled for their account. Detailed information how to use the API is available in TOTP API swagger documentation that can be configured with the TOTP API - SSO
Improvements
- IDS-2862 - In Authentication requests that require End-user interaction to continue although prompt parameter is none the error response has been changed from previous access_denied to interaction_required, according to the OpenID Connect Core 1.0 specifications
- IDS-2847 - Hardcoded acr_value for Client Initiated Backchannel Authentications method has been removed
- IDS-2833 - CIBA adapter (previously UBAA) OpenID Provider metadata has been updated with backchannel_token_delivery_modes_supported and token_endpoint_auth_signing_alg_values_supported values. More information about the metadata can be found from Installing and configuring Swedish BankID - SSO
- IDS-2837 - invalid_grant error message has been updated to use LOGIN_CANCEL error message instead of previous AUTHENTICATION_METHOD_INVALID for CIBA methods
- IDS-2940 - Swedish BankID Authentication Adapter's Spring Boot version has been updated and Swagger UI URL has changed, check the new URL from Installing and configuring Swedish BankID - SSO
- IDS-1670 - Step-up method usability has been improved to not show any selection between step-up methods if there is only one configured for the application. For example, if only TOTP method is available as 2FA method in application, the user no longer needs to click "totp.1" button after signing in with password, but is immediately asked for TOTP code
- IDS-2160 - Improved performance when generating and downloading reports from the Accounting Service. In our testing we have noted substantially decreased download times observable in larger datasets
- IDS-2794 - Updated unix.config/win32.config file to include sso-api.uuid, totp.uuid and accounting.client.uuid to preserve the client IDs during upgrade of your system. Info about this can be found from Preserve essential configuration settings in upgrade
- IDS-3019 - Accounting Service methods have been updated for CIBA methods. Previously named UBAA method is now referred to as UNREGISTERED.CIBA and registered CIBA method is referred to as DIR.CIBA. See Accounting Service - SSO for more information
- IDS-3011 - Unregistered CIBA method: Transformation of id_token claims was changed to be same as in OpenID Connect method. Also added a new configuration option `usernameClaim` for defining the id_token claim used as the subject for the unregistered user
- IDS-3015 - Token endpoint responses have been updated to have HTTP headers "Cache-Control: no-store" and "Pragma: no-cache" set by default to prevent information to be cached
- IDS-3018 - Refresh token endpoint error responses have been updated in accordance to
OpenID Connect Core 1.0 - IDS-3061 - New compatibility flag was introduced to resolve backwards incompatibility with OTP printout and TOTP secrets in the case that the users are stored in SQL database. If this is the case LegacyUserCredentialsTable needs to be added to the method for the users to keep using their set secrets. New SQL users or existing users recreating their secrets will be handled correctly. See more details from TOTP Authentication Method and OTP Printout authentication method - SSO
- IDS-3062 - Swedish BankID Authentication Adapter has been updated to include client_id in aud claim and id_token expiration time. Configuration information can be found from Installing and configuring Swedish BankID
- IDS-3009 - TOTP method can now be used without additional schema changes when using AD LDS as Ubilogin Directory together with external SQL directory
Corrections
- IDS-1511 - SSO Password reset: old tokens not invalidated. There are built-in features that can be used to mitigate
- OTP should be set to expire (policy.oauth.otp.timeout)
- Password min-age should be set greater than OTP expiration time (policy.password.min-age)
- IDS-2721 - MENU_INTRO2_TEXT in SSO messages properties has been fixed to show the client name in SSO login screen when configured in client_name is configured in the metadata. Review Login screens - SSO for more details
- IDS-2247 - OTP_LOGIN_REMAINING_PASSWORD_AMOUNT in SSO properties has been fixed to show the remaining one-time passwords left on the printed list to warn the user to renew the list before it runs out of passwords. More details on configurations can be found from Login screens - SSO and OTP Printout authentication method - SSO
- IDS-2750 - Refresh tokens were invalid for Unregistered SMS with an Ubilogin Directory user. This issue has been fully resolved.
- IDS-3104 - SPI TOTP method: Account lockout policy section is now shown in TOTP method configuration in SSO Management UI and pressing "Update" without any changes doesn't remove the lockout policy configurations.
CustomerID 5.8.0
New Features
- IDS-2770 - CustomerID REST API 2.1 has been updated with "PUT117 Reinvite User". This allows an Administrator send a new email to a user with status "Waiting for registration". This might be useful if the user that is waiting to register has lost their invitation email or if their email address was invalid an Administrator can update the email and reinvite the user without having to start the process from scratch. Please find more information about this API call in REST API 2.1 - CustomerID
Improvements
- IDS-2851 - policy.password.history = N configuration in SSO for CustomerID password method (password.2) now works as expected. If N is set to be 3, the user is unable to update their password to their current one or to the 2 previous ones
- IDS-1947 - Input fields in pop-up windows are now pre-selected. This removes the need to select the input field before entering the verification code in, for example, mobile or email verification during registration
- IDS-2227 - Two node upgrade on Windows - CustomerID documentation are updated and tested with Windows Server 2019
Corrections
- IDS-2943 - Inviting a user to a role through mandates when the user did not have previous mandate objects available caused errors in the CustomerID UI although role was added. This has now been resolved and correct message is displayed to the Administrator.
- IDS-2709 - Registering a user without filling in optional custom attribute field previously caused a stack trace error and did not populate SQL db with user information. This has now been resolved and optional custom attributes can again be used within registration.
Here you can find links to previous version's change logs for SSO and CustomerID
Known Issues
SSO
Ticket number | External description |
|---|---|
| IDS-561 | There is a known issue where SSO does not check the mappingURL value when creating or editing an inboundDirectoryMappings when using the SSO REST API. Directory Mappings are possible to be created, but then not opened or edited. |
| IDS-608 | There is a known UI/UX issue where a very large site list is displayed within the SSO management UI. This results in hard to use UI if large lists of sites are present in the SSO deployment. A possible workaround is to use an ldap editor to configure the authorization policies and groups. |
| IDS-941 | There is a known issue where unregistered SMTP OTP authentication will not permit TLS or any secure authentication. Documentation improvement will be made to ensure proper configuration is shown if unsecure SMTP servers are required. |
| IDS-1030 | There is a known issue where running the CertAP setup.cmd in a windows environment will post errors of missing linux tags. While these errors are unsightly, they can be safely ignored. This issue will be corrected in a future release. |
| IDS-1039 | There is a known issue where a user account will ask for a sixth OTP verification after five consecutive failed OTP verifications have occurred. The five consecutive failures results in a locked account, the user should be informed that they must wait for the OTP timeout to expire before they attempt to login again. |
| IDS-1171 | There is a known issue when using OpenLDAP 2.4.44 when performing SSO session cleanup which will cause replication issues. |
| IDS-1499 | There is a known issue where SSO will return http 401, rather than http 400 when token introspection without an authentication header or when invalid credentials are present. |
| IDS-1525 | There is a known issue where SSO logs will contain a stopped search warning entry when tomcat is shutdown. This error can be safely ignored. |
| IDS-1526 | There is a known issue where SSO logs will contain a unstopped thread warning entry when tomcat is shutdown. This error can be safely ignored. |
| IDS-1629 | There is a known issue resulting in unclear error messages. When a user is configured without a phone number and SMS OTP method is added to their profile result in one of two error messages. If the SMS OTP is the only authentication method enabled, the message will be “The user account is disabled”. If there are other authentication methods enabled, the message will be “Access to the requested resource is denied”. |
| IDS-1648 | This is a known issue that only is only present with password2. User is presented with a popup "Update: Invalid account Status" if one of the previous three passwords are used when asked to update their password. There is no known work around. |
| IDS-1652 | There is a known issue where the error message can be more clear for end users. Currently when changing passwords, if the entered passwords do not match the error reads, "The new credentials were not accepted." |
| IDS-1662 | The use of the following special characters when making any search will result in an internal sever error 500 and a stack trace. Symbols: + = # ; , < > Work around, administrators should not use the special symbols when naming users or searching for users. |
| IDS-1832 | There is a known issue where editing an existing authorisation policy (example case added an attribute) resulted in the alteration of ubiloginNameValue. This affects SSO 8.3.0 and later. There is no work around at this time. |
| IDS-1893 | There is a known issue if you use OpenID authentication, a user cannot access SAML or Ubilogin web applications. Work around use any other non-OpenID authentication method. If OpenID is required, then use OAuth 2.0 application. |
| IDS-1995 | When using BankID and Safari, during initial login Safari displays a 0kb file being downloaded when there is no downloaded file |
| IDS-2059 | There is a known issue where the authorisation endpoint may become corrupted if a URL contains "%b" in URL encoded format. |
| IDS-2089 | There is a known issue where shutting down Ubisecure Accounting service on a windows server will show errors within the ids-accounting.log. |
| IDS-2090 | There is a known issue where the SSO management UI will not filter results correctly if the filter expression is short, contains incorrect filter expressions and there are Scandinavian characters included. |
| IDS-2092 | There is a known issue where the tomcat log will show a severe servlet warning for com.ubisecure.ss-ui. However, this warning is due to a user repeating the same action (double clicking an item or using the back button). This warning can be safely ignored and will be addressed in a future release. |
| IDS-2094 | There is a known issue where disabling the main account in the SSO login directory does not disable the User Driven Federation accounts. Users are still able to login to services with the Federated account even while the main account is disabled. Work around: Administrators who are disabling a main login directory account should ensure that they check and disable any associated UDF accounts at the same time. This issue will be addressed in a future release. |
| IDS-2095 | There is a known issue that the Acccounting service generates a temp folder under Ubisecure\ubilogin-sso\accounting\temp each time it is restarted. A workaround that system administrator can do is to create a cron job that removes these folders on a regular interval. |
| IDS-2096 | There is a known issue where attempting to use exceptionally long SAML Entity IDs will result in creation failure (larger than 64 characters) . There is no known work around and may not be possible to resolve due to LDAP field limitations. We will address this in a future release. |
| IDS-2120 | There is a known issue where dual node SSO will require jndi.properties to be manually configured on the second node during SSO upgrade. |
| IDS-2121 | There is a known issue where dual node SSO will require settings.sh to be manually configured on the second node during SSO upgrade. |
| IDS-2226 | There is a known issue with using escape characters like '=' for a Site that causes the SSO management UI to be unable to map applications to the site. Workaround is to make sure not to use any Escape values for Site names (https://ldapwiki.com/wiki/DN%20Escape%20Values). |
| IDS-2260 | There is a known installation issue when using SSO Password reset. Using the installation instructions for password reset tool requires an administrator to run tomcat update. This occasionally results in an empty context.xml file being created which causes SSO to fail when being restarted. Workaround, repeat the run tomcat update step which will create a correct .xml file and SSO will restart. |
| IDS-2261 | There are several known issues with javascript tools when using SSO Password reset. Similar javascript is used in UAS with no issue. If you are experiencing password reset javascript issue, please contact Ubisecure Support referencing this internal ticket for potential work arounds. |
| IDS-2314 | There is a known issue with passing a refresh token to token endpoint results in "invalid_grant" error, if the refresh token has been issued to an unregistered user from an authentication method having a connected Directory Service. |
| IDS-2315 | There is a known issue that SSO returns refresh token for un-registered users. This should not be done since there is no way of handling the lifecycle of the un-registered user's refresh token. |
| IDS-2332 | There is a known issue when using OpenLDAP in SSO where slapd runs out of connections to process incoming requests. |
| IDS-2478 | There is a known issue in SSO that it is not possible to have different localisations for access_denied returned by IdP and local access_denied, for example if directory user mapping fails after successful authentication |
| IDS-2663 | There is a known issue where creating a new site via a Safari browser where the site as an @ symbol in the email address will cause an error and no site will be created. This error is not experiences with current Chrome or Firefox browsers. As a work around please use one of these alternate browsers. |
| IDS-2790 | There is a known issue with sending in invalid formatted request to introspection endpoint returns stack trace including server version number. This can be mitigated by following our Security considerations for using reverse proxy and customising error pages with HAProxy Security considerations for production environments - SSO |
| IDS-2828 | There is a known issue with Ubiki.jar which causes it to be unable to output a CSR file for the certificate contained in unix/win32.config |
| IDS-2829 | There is a known issue that TOTP API is unable to generate secret for user if keysize has not been configured in the method. This is mitigated by ensuring that keysize is set when creating TOTP method. |
| IDS-2880 | There is a known issue when not including the scope of a sub claim in the authorisation policy for API protection. If this is not included during the API call, the response will not include any sub claims in the introspection response. A work around is to ensure your authorisation policy include the required claims. |
| IDS-3092 | There is a known issue where Administrators are unable to alter password encoding through the SSO management UI. There is no known UI work around. |
| IDS-3113 | There is know issue after upgrading to SSO 8.8. If there were old Unregistered CIBA methods configured in the system, Administrators are unable to see the configuration information. To resolve this, Administrators are able to update the method Type from previous "Backchannel Authentication Adapter" to new "Unregistered OpenID Connect CIBA" type and restart SSO server. |
CustomerID
Ticket number | Description |
|---|---|
| IDS-693 | There is a known issue with user approvals from Users view. If there are required attributes for the approval step, these are not validated if approval is done through the Users view. |
| IDS-1332 | There is a known issue with CustomerID where it is not possible to use one email account for multiple UIDs created in CustomerID. Work around: It is possible for the system administrator to use custom attributes holding the same email address in the second or third CustomerID UID. |
| IDS-1358 | There is a known issue within CustomerID where an administrator applying permissions across a whole organization will result in a failure of CustomerID to initialise. Work around: Admins should ensure that they do not apply permissions to an entire organisation, but apply the permission to a specific organisation class. All classes within an organisation may have the permission added, but not to the whole organisation at the same time, during the same commit. |
| IDS-1365 | There is a known UI improvement for lists of Users and Roles for CustomerID administrators. Currently the lists are not ajax based, which means that cannot be called via popup, unlike other lists seen in CustomerID Admin UI. While this does not cause an error, it is not ideal from a usage point of view. |
| IDS-1373 | There is a known issue in CustomerID when a new user is created in a non-virtual organisation, the invitation can contain a role when no role has been approved for that user. |
| IDS-1380 | There is a known issue with CustomerID organisational attributes where the UI validation (validation.json) is not utilised. This impacts MOD001, POST100, PUT101 and MOD003. Using the API calls will result in good responses, but no organisational attribute change will be made. |
| IDS-1382 | There is a known issue within CustomerID mandates where no email is sent to the user or organisation when the configuration is set to false ( mandate.receiver.approval = false), even though the administrator requests a mail to be sent. No error or warning screen is displayed. |
| IDS-1389 | There is a known usage limit in CustomerID Mandates. When viewing a mandate, currently only the role is shown. It would be more user friendly to show both the role and its organisation within the mandate view. There is no workaround. |
| IDS-1411 | There is a known issue within the CustomerID XML schema ID, if an administrator makes an error and reuses and existing variable ID, this second use of the variable ID will not be assigned but the organisation will still be created. No error is reported. This can cause troubleshooting and usage errors. Workaround: Administrators should ensure that variable IDs are unique prior to creating new variable IDs within the system installation. |
| IDS-1413 | There is a known error in CustomerID mandates if the mandate name is longer than 61 characters. If longer than 61 characters, creating the mandate will fail. Workaround: Do not create mandate names longer than 61 characters. |
| IDS-1418 | There is a known issue with CustomerID REST API MOD008. If an administrator removes a single mandate role from a user with multiple mandate role, the original (removed) mandate template still exists within the LDAP database. This can result in troubleshooting errors and database checking errors (backup, etc). |
| IDS-1419 | There is a known issue with CustomerID REST API MOD021 when creating a new user. Even when the API call appears to work, the user is not added to the organisation. Workaround: Do not use REST MOD021 (modification) during the creation of a new account. Please ensure you use create APIs when making new users. |
| IDS-1446 | There is a known issue when using CustomerID REST API MOD009 to create a new user. The API will return 200 OK even when the new user password is not set; this results in a failed account creation. Workaround: Do not use REST API MOD009 (modification) to create a new user account. Please ensure you use create APIs when making new users. |
| IDS-1463 | There is a known issue when using the CustomerID lost password recovery wizard where the wildfly server will log an exception in the error log. The password reset works correctly for the end user, but the resulting log file is cumbersome for large deployments where end users often reset their passwords. The error exceptions can be safely ignored, these will be corrected in a future release. |
| IDS-1468 | There is a known issue caused by an Administrator altering the name of an Organisation when a new user has registered but not yet been approved. An application error occurs and is logged. Workaround: To avoid this only change an organization name when the pending user view is empty. |
| IDS-1474 | There is a known issue that results in unsaved organisational custom attributes occurring when approval is set to false; attributes are saved when they should not be. |
| IDS-1476 | There is a known issue within User DrivenFederation (UDF) of a social login during registration. If a user attempts to register more than one social login (UDF) against an external account a warning error message is presents. Resolution will be to provide the user a message explaining that they have already UDF'd a social account to this internal account and it is not possible to register a second social account. |
| IDS-1478 | There is a known issue that results in a null pointer exception with stack trace if a user attempts Self Service User Driven Registration (UDF) of a social login account when UDF is not enabled within the CustomerID service. |
| IDS-1494 | There is a known issue that causes occasional error pages to be displayed when a user logs out of their federated (User Driven Federation, UDF) social login account. |
| IDS-1504 | This known issue is a regression. When a user is invited to multiple roles, only one role appears in the invitation screen. This impacts both CustomerID Admin UI and user Self-Service. |
| IDS-1509 | There is a known issue where a new user being invited to a virtual organisation the CustomerID administrator cannot approve the user; an internal server error occurs. |
| IDS-1555 | There is a known issue where the mandate tab cannot be accessed on the CustomerID UI if the localisation information is incomplete. Workaround is to ensure that all localisation fields are completed. |
| IDS-1681 | There is a known issue where the cursor focus remains in the mobile text field after a user has selected the email confirmation, when both email and mobile confirmations are required. |
| IDS-1706 | There is a known issue with null values (DbAssignable.set and DbAssignable.isNull) which may result in NullPointer exceptions when using REST calls. This impacts Roles, Mandates and Invitations. |
| IDS-2033 | Search response when using the CustomerID authoriser rule will return duplicate entries if capitalisation is present in the searched term or in the database field. In the future, no duplicates will be returned even if capitals are used or present in the naming field. Example: friendlyName and friendlyname. |
| IDS-2091 | There is a known issue that the "New Organization" field in the "Open user applications" approval tab sometimes shows incorrect status |
| IDS-2093 | There is a known issue that listing of users doesn't take into considerations users that are in locked status |
| IDS-2162 | There is a known issue in CustomerID within Mandates, where no renotify email is sent to the administrator when an existing user requests a mandate for an existing additional organisation. No email is sent to Administrators for approval and no errors are logged. There is no workaround for this issue. |
| IDS-2201 | There is a known issue in CustomerID where an email to a user with a single expiring or expired role will have all open roll invitations listed in the email, not just the expiring or expired role invitation. |
| IDS-2205 | There is a know issue in user registration where the "Mobile input field was not confirmed" error message is left in the UI even after the user has verified their mobile number if they have other invalid fields to correct |
| IDS-2207 | There is a known issue in CustomerID where interrupting the creation of a pending user will reset localisation of the browser session. |
| IDS-2231 | There is a known issue when Administrator denies a role request for a user, that user gets two emails sent to them. One stating "Role invitation denied" and a second one stating "Role denied". |
| IDS-2233 | There is a known issue in CustomerID API 1.2 REST call MOD025 "Create Role Invitation" related to email notification. If this REST call is used, the inviter mail address configured does not get a notification when the end-user approves the received role. The notification still works if role invitations are done through the GUI. |
| IDS-2234 | There is a known issue where a user who has been invited to a role but not registered for that role within the defined time limit does not receive a reminder email that they have been invited to a role. See also: IDS-2235 below. |
| IDS-2235 | There is a known issue where a user who has been invited to a role but not registered for that role within the defined time limit is not informed that the role invitation has expired. The user will have an email invitation with URL that does not function, they may become confused as they are not informed that the invitation has expired. See also: IDS-2234 above. |
| IDS-2290 | There is an issue opening approval tab under main organization branch if there are around 10 000 sub-organizations. As a workaround, you can choose not to use recursive selection by adding "admin.approvals.recursive.selection.default = false" to you eidm2.properties file. See also: IDS-2310 below. |
| IDS-2310 | There is an issue searching roles under main organization branch if there are around 10 000 sub-organizations. As a workaround, you can choose not to use recursive roles by adding "ui.organization.roles.recursive = false" to you eidm2.properties file. See also: IDS-2290 above. |
| IDS-2311 | There is a known issue in approval view where changing main organization for a pending user in a sub-organization fails to create the new sub-organization in LDAP. This will need to manually be resolved by removing the invalid sub-organization in SQL |
| IDS-2312 | There is a known issue in approval view where changing technical name of an organization to include Scandinavian letters doesn't work. |
| IDS-2420 | There is a known issue in registration when pressing Enter without filling in all required fields causes registration to get cancelled instead of highlighting the required fields needed to complete the registration. Identified in CID 5.3.5 |
| IDS-2649 | There is a known issue with REST API 1.0 (MOD004b) & 2.1 (PUT103) when updating user's custom attribute to empty it does not remove the value for LDAP |
| IDS-2652 | There is a known issue if a username attribute is removed via Admin or Self-Service UI then saved in an empty state, the UI will display an internal error. |
| IDS-2683 | There is a known issue where CID REST API's 2.0 and 2.1 do not locate organisations with URL encoded characters in their names. Work around, if possible, ensure there are no URL encoded characters within organisation names. (example Ä Ö Å). |
| IDS-2703 | There is a known issue where a role name with different case can be created which results in one LDAP entry and two SQL entries. |
| IDS-2712 | There is a known issue where an internal error is shown and stack trace is logged when a user registers with the same organisation name as an existing organisation but in a different case. Example. "UBISECURE" when "Ubisecure" already exists. |
| IDS-2713 | There is a known issue impacting Windows server installations, where the import and export tools fail to move users between CustomerID 5.3.x and later versions. |
| IDS-2814 | There is a known issue where Self Service will not open a user control window if the UDF (user driven federation) link refers to an obsolete authentication method. For example if the external identity has switched from SAML to OIDC. An exception is presented. There is no work around at this time. |
| IDS-2816 | There is a known issue which will create an unhandeled exception if the users SMTP server cannot be resolved. This issue will cause a database collision issue which may prevent the same email address from being used, as it already exists within the database but not in a fully created form. |
| IDS-2876 | There is a known issue if user is rejected from UI error is logged "Error when trying to get approval request with ID: null". A stack trace is logged. This stack trace can be safely ignored. |
| IDS-2891 | There is a known issue if the Lockout Duration is set to 0, then no lockout time will be used ever. Work around is to set a very high number (in seconds) for accounts which should be locked out, but in a long duration. Remember to stop and start service for this configuration change to take place. |
| IDS-2936 | There is a known issue with data.attribute.mapping.surname = sn when using OpenLDAP. The attribute mapping will not occur. |
| IDS-2941 | There is a known issue where a NPE will occur if an administrator is viewing an ORG2PER mandate from the CustomerID management UI. |
| IDS-2930 | There is a known issue that CustomerID REST API returns invalid response code for internal server errors. If there is an internal server error, CustomerID REST API now returns 404 Not Found instead of 500 Internal Server Error. |
| IDS-3032 | There is a known issue where registering a user via self-service registration, if the user includes a trailing space after their name, registration will fail causing an application error. |
| IDS-3058 | There is a known issue where in change password application of CustomerID where the return URL is missing a forward slash (returns "https:/" not "https://") resulting in failed redirect if the cancel button would be enabled. |
Considerations and limitations
SameSite cookie changes in Google Chrome
In Google Chrome version 80 and above, the default behaviour of cookies that are used in cross-domain use cases have changed. If your applications or services are communicating between different top-level domains you need to take the following actions as described in our SameSite cookies changes technical announcement to ensure that they continue to operate as before.
Long Certificates Require Manual Installation in Linux Version
When a certificate is set in suffix.pfx, whose base64 encoded string is longer than about 4000 characters, the installation of SSO ends in a failure. This is due to an issue with an OpenLDAP tool ldapmodify, which is unable to read lines longer than 4096 characters long and the installation script writes the base64 encoded certificate in one line in secrets.ldif. To address this issue, a tool ldiffold.sh was included with SSO 7.1.0 linux version, which wraps given ldif file so that it no longer contains lines that are too long. It can be run as follows:
cd /usr/local/ubisecure/ubilogin-sso/ubilogin/ldap ../../tools/misc/ldiffold.sh < secrets.ldif > secrets.ldif.tmp mv -f secrets.ldif.tmp secrets.ldif
Ubilogin Ticket Protocol Attribute Size Limits
The Ubilogin Ticket Protocol uses the HTTP GET method to send authentication and authorization information from UAS to Web Agents. The HTTP GET method has a size limit. The size limit affects the amount of information it is possible to successfully send from UAS to Web Agents. The SAML 2.0 protocol resolves this size limit by using the HTTP POST method to send information from UAS to Web Agents.
Ubilogin SAML Service Providers use SAML 2.0 protocol.
Ubisecure SSO, SAML 2.0 and High Availability
When installing Ubisecure SSO in High Availability mode, there are some restrictions due to some protocol requirements when using SAML 2.0. Please refer to the Ubisecure Clustering document for more information.
Backwards compatibility issues
Swedish BankID Authentication Adapter
For installations of SSO 8.4.1 through 8.7.0, the Swedish BankID Mobile authentication adapter has to be configured using the JWKS key id (kid) exposed in the SSO JWKS metadata. See Installing and configuring Swedish BankID - SSO for more details. It should be noted that Swedish BankID have altered several details of their authenticator, as we strongly recommend using their latest application.
To use all current Swedish BankID features and functions, you are required to use SSO 8.8.0 with CIBA authenticator 1.1.1.
SQL directory and OTP printout or TOTP
With SSO 8.8.0, if you have users coming from SQL directory and you are using OTP printout or TOTP, you need to add LegacyUserCredentialsTable compatibility flag to the method and restart SSO server to make sure it takes affect.