Identity Server 2023.1 Release Notes
ubisebastian
John Jellema
Former user (Deleted)
Nikolai Denissov
Release highlights
This release focuses on introduction of the following new features and improvements:
Swedish BankID - Same Device Flow
While we have supported BankID via our CIBA adaptor since 2018, in this release we have added the commonly used features of Same Device Flow for BankID as a relying party. This enables a customer to integrate BankID authentication into their SSO environment with ease. For instructions on how to integrate into SSO, please see the following developer portal documentation: Swedish BankID - SSO. You will find documentation covering our introduction to BankID, followed by detail pages for configuring and its usage. There is also a screen shot example of a configuration found on SSO Authentication Methods, please look for "Unregistered Device Swedish BankID".
And for details over Swedish BankID in general and the specification followed to enable SSO to be a relying party please see the following links directly at Sweden's BankID:
- https://www.bankid.com/en/utvecklare/guider/teknisk-integrationsguide/rp-introduktion
- https://www.bankid.com/assets/bankid/rp/bankid-relying-party-guidelines-v3.8.pdf
Wildfly 26.1.2
WIldfly is the underlying webserver supporting CustomerID. During this release cycle we have updated the version of Wildfly to 26.1.2. You can read the update details from the Wildfly community page here; https://www.wildfly.org/news/2021/12/16/WildFly26-Final-Released/. This latest update highlights our commitment to ensure that all supported portions of the Identity Server are kept as up to date as possible. Ubisecure's ongoing commitment to remove or contain Common Vulnerabilities and Exposures (CVE's) is an ongoing effort to ensure that you have the most secure software possible for your identity and access management needs.
Linux Support
We would like to bring to your attention the continued support of Linux. For this release we have performed test installations in both signal and high availability configurations for both Red Hat 7 / Centos 7 and Red Hat 8 / Rocky Linux 8. We always encourage you to review our System Recommendations page for details over architectural guidelines to ensure your environment functions optimally. If you have any questions or would like to review your operating environment, please open a support ticket, we would be happy to help.
Additionally, you will find a listing of known issues, with internal ticket references at the bottom of this page
Contents
Change log
SSO 9.2.3
Corrections
- IDS-4540 - We have observed and corrected intermittent authentication errors for Customers attempting authentications with a legacy Microsoft integration (SignIn with SAML). These intermittent authentication errors were due to the combination of Microsoft allowing the use of non-unique entityIDs in their legacy SignIn with SAML service and cache performance improvements that we implemented to improve the overall stability of the Identity Platform .
- IDS-4571 - We have corrected the issue with mapping Remote Identities (also called
ubiloginAuthMapping) to Ubilogin Directory identities when the same Remote Identity is used in two or more Authentication Mappings. If this lesser-used historical feature is used in your environment, please visit Enabling UsernameUserMappingIdentityFactory.
SSO 9.2.2
Corrections
- IDS-4140 - We have made an improvement to SSO’s CleanupManager to ensure that it will continue to clean up sessions even if there are connectivity issues between SSO and LDAP. Environments that have long uptime could eventually run out of memory due to CleanupManager failing silently.
- IDS-4233 - We have observed and corrected SSO consuming increased amounts of memory during testing. This ticket corrects SSO ExpiringMessageTracker, which was found to leak memory causing issues for very large environments or environments with very long uptime.
SSO 9.2.1
Improvements
- IDS-4262 - A minor alteration was made to the cancellation workflow to conform with end user existing expectations.
SSO 9.2.0
New Features
- IDS-3886 - Found within SSO 9.2.0, is the ability to utilise Swedish BankID in same device flow operations. Tested with Android and iOS mobile phones over the most common web browsers. This new feature is conformant to Swedish BankID specification 3.7
Improvements
- IDS-4042 - For very high capacity environments, there is the option to augment SSO with a Redis cluster. We have updated Redis to version 6.2.8. Please ensure you have consulted with Support prior to implementing Redis.
- IDS-3983 - OpenLDAP MDB has been updated to version 2.5.14 LTS, please see OpenLDAP pages for additional details: https://www.openldap.org/software/release/changes_lts.html over the directory. Please review System Recommendations and Supported Platforms for the requirements of OpenLDAP within Identity Server.
Corrections
- IDS-3311 - Corrected the inability to localise the deployment in the Swedish language and use password-reset. This is now possible without error.
- IDS-3835 - Corrected a directory cache cleaning error which resulted in very high capacity environments requiring periodic reboots to clear inactive sessions found in com.ubisecure.ubilogin.directory.authz.Methods
CustomerID 6.2.1
Improvements
- IDS-3771 - We have suppressed the default help files found in CustomerID UI. These help files have been fully replaced by the Developer Portal. It is possible to return the help link icon to your environment, please see the following documentation if you use the help link icon within your environment. See: Custom CSS Styling and Help Files
Corrections
- IDS-2791 - We have observed and corrected an error where a user who cancels their CustomerID registration, without completing the process, will result in a SSO session remaining open. As a security improvement, the default setting has been changed for CusotmerID version 6.2.1 and later. Please see CustomerID Self-registration workflow configuration and search for "registration.N.logout.when.cancel".
- IDS-3698 - We have observed and corrected an error where not all user data is deleted from datastores when a user application is rejected.
- IDS-3727 - We have observed and corrected an error where CustomerID default email validator permitted an existing email address to be used for new registration if capital letters were used.
- IDS-4034 - There was a known issue when using the CustomerID user interface to delete user custom attributes that results in a data conflict between the two datastores used for the Identity Platform. Manual correction of LDAP is required. This known issue has been corrected as of CID 6.2.1
CustomerID 6.2.0
New Features
- None developed for this IDS 2023.2 release
Improvements
- IDS-3851 - CustomerID utalises WildFly as its webserver, the underlying WildFly has been updated to WildFly 26.1.2 for this release.
Corrections
- None required for this IDS 2022.2 release
Here you can find links to previous version's change logs for SSO and CustomerID
Deviations
The following deviations are found within Identity Platform and are expected to be corrected over time. For a listing of known issues found on Identity Platform please see: Considerations, limitations and known issues
SSO
Ticket number | External description |
|---|---|
| IDS-561 | There is a known issue where SSO does not check the mappingURL value when creating or editing an inboundDirectoryMappings when using the SSO REST API. Directory Mappings are possible to be created, but then not opened or edited. |
| IDS-1030 | There is a known issue where running the CertAP setup.cmd in a windows environment will post errors of missing linux tags. While these errors are unsightly, they can be safely ignored. This issue will be corrected in a future release. |
| IDS-1499 | There is a known issue where SSO will return http 401, rather than http 400 when token introspection without an authentication header or when invalid credentials are present. |
| IDS-1629 | There is a known issue resulting in unclear error messages. When a user is configured without a phone number and SMS OTP method is added to their profile result in one of two error messages. If the SMS OTP is the only authentication method enabled, the message will be “The user account is disabled”. If there are other authentication methods enabled, the message will be “Access to the requested resource is denied”. |
| IDS-1648 | This is a known issue that only is only present with password2. User is presented with a popup "Update: Invalid account Status" if one of the previous three passwords are used when asked to update their password. There is no known work around. |
| IDS-1662 | The use of the following special characters when making any search will result in an internal sever error 500 and a stack trace. Symbols: + = # ; , < > Work around, administrators should not use the special symbols when naming users or searching for users. |
| IDS-1893 | There is a known issue if you use OpenID authentication, a user cannot access SAML or Ubilogin web applications. Work around use any other non-OpenID authentication method. If OpenID is required, then use OAuth 2.0 application. |
| IDS-2090 | There is a known issue where the SSO management UI will not filter results correctly if the filter expression is short, contains incorrect filter expressions and there are Scandinavian characters included. |
| IDS-2244 | There is a known issue when using special characters within SSO management API in persistentID name mapping that may result in incorrect side or policy id values being returned. Recommended work around, do not use special characters, like “=” “,” “#” in site and policy mapping names. |
| IDS-2260 | There is a known installation issue when using SSO Password reset. Using the installation instructions for password reset tool requires an administrator to run tomcat update. This occasionally results in an empty context.xml file being created which causes SSO to fail when being restarted. Workaround, repeat the run tomcat update step which will create a correct .xml file and SSO will restart. |
| IDS-2314 | There is a known issue with passing a refresh token to token endpoint results in "invalid_grant" error, if the refresh token has been issued to an unregistered user from an authentication method having a connected Directory Service. |
| IDS-2478 | There is a known issue in SSO that it is not possible to have different localisations for access_denied returned by IdP and local access_denied, for example if directory user mapping fails after successful authentication |
| IDS-2790 | There is a known issue with sending in invalid formatted request to introspection endpoint returns stack trace including server version number. This can be mitigated by following our Security considerations for using reverse proxy and customising error pages with HAProxy Security considerations for production environments - SSO |
| IDS-3092 | There is a known issue where Administrators are unable to alter password encoding through the SSO management UI. There is no known UI work around. |
| IDS-3174 | There is a known issue within common-ubiutil that will return a an unescaped value where an escaped value is expected. This was identified during a misconfiguration, so is not expected to impact any operational environments. Work around is to ensure proper use of ldap names in configurations. |
| IDS-3625 | There is a known issue where an ERROR 500 message with stack-trace is shown in the browser if there is no valid encryption key available in SSO. Mitigation use reverse proxy to catch all 500 error with user friendly information Security considerations for production environments - SSO |
| IDS-3665 | There is a known issue where the authorisation endpoint may become corrupted if a URL contains "%20" in URL encoded format. |
| IDS-3730 | There is a known issue where using “Force Reauthentication” configuration for an application that uses refresh tokens, the refresh tokens are immediately invalidated. Workaround is to not use “Force Reauthentication”, set max age to 0 in auth request → Authentication is forced and refresh tokens are valid. |
| IDS-3971 | There is a known issue which results in a non-impacting stack trace being logged when updating metadata using ManagedScheudledExecutorService for SAML 2 AP. There is no known work around to this non-impacting log event. |
| IDS-4608 | There is a known issue with IDP and SP-initiated logouts from SAML-authenticated methods and applications not terminating the session appropriately. This behavior is observed with most of the latest Firefox browser versions, Google Chrome, and Edge versions of at least 119+. The recommended temporary workaround is to keep the "iframelogout=default" setting in the "default.properties" configuration file. |
CustomerID
Ticket number | Description |
|---|---|
| IDS-1373 | There is a known issue in CustomerID when a new user is created in a non-virtual organisation, the invitation can contain a role when no role has been approved for that user. |
| IDS-1509 | There is a known issue where a new user being invited to a virtual organisation the CustomerID administrator cannot approve the user; an internal server error occurs. |
| IDS-1706 | There is a known issue with null values (DbAssignable.set and DbAssignable.isNull) which may result in NullPointer exceptions when using REST calls. This impacts Roles, Mandates and Invitations. |
| IDS-2312 | There is a known issue in approval view where changing technical name of an organization to include Scandinavian letters doesn't work. |
| IDS-2683 | There is a known issue where CID REST API's 2.0 and 2.1 do not locate organisations with URL encoded characters in their names. Work around, if possible, ensure there are no URL encoded characters within organisation names. (example Ä Ö Å). |
| IDS-2703 | There is a known issue where a role name with different case can be created which results in one LDAP entry and two SQL entries. |
| IDS-2876 | There is a known issue if user is rejected from UI error is logged "Error when trying to get approval request with ID: null". A stack trace is logged. This stack trace can be safely ignored. |
| IDS-2934 | There is a known issue in CustomerID within Mandates, where no renotify email is sent to new user to register using mandate invitation. Admin user sends mandate from Admin UI to new user that is not registered to the system. Email is sent correctly, but no renotify is sent to register to the system.Mandate expires correctly also and email is sent that mandate was expired. |
| IDS-2941 | There is a known issue where a NPE will occur if an administrator is viewing an ORG2PER mandate from the CustomerID management UI. |
| IDS-3058 | There is a known issue where in change password application of CustomerID where the return URL is missing a forward slash (returns "https:/" not "https://") resulting in failed redirect if the cancel button would be enabled. |
| IDS-3483 | There is a known issue with GET113 List Organization's Users API call. When adding parameter ?status=Enabled the call returns Internal error |
| IDS-3698 | There is a known issue with rejecting the a user registration that doesn’t remove the approval request from the CustomerID database. A workaround for this is to remove the pending approval request from the database. |
| IDS-3765 | There is an issue with JDK 11.0.15 that prevents Wildfly from working |
| IDS-3727 | There is a known issue with email validator in regards to case-sensitive emails. For example user@email.com and User@email.com are treated as different emails. To fix this;
|
| IDS-4034 | There is a known issue when using the CustomerID user interface to delete user custom attributes that results in a data conflict between the two datastores used for the Identity Platform. Manual correction of LDAP is required. Suggested work around is to use the APIs if possible for this partial user attribute deletion. |
This web page (including any attachments) may contain confidential, proprietary, or privileged information – not for disclosure without authorization from Ubisecure Inc. Copyright © 2024. All Rights Reserved.