Change log - SSO
Please see the current Release Notes (here - scroll down to change log) for the active release change log
Ubisecure SSO 9.x.x
SSO 9.2.0 (27/04/2023)
New Features
Improvements
Corrections
SSO 9.1.0 (25/10/2022)
New Features
IDS-3494 - Logging for SSO webapps has been updated from Log4j to SLF4J and new logback.xml files are available for log configuration. All logs are now written to sso_diag.yyyy-MM-DD.log instead of catalina. Please ensure you review the Logging migration guide - SSO.
IDS-3655 - SMS OTP, OTP Printout, TOTP and OpenID Connect CIBA can be used as multi-factor authentication for OpenID Connect and SAML methods when using Directory User Mapping. Configuration information can be found from Multi-factor Authentication with Directory User Mapping - SSO
IDS-3817 - SMTP OTP (SPI SMTP) can be used as a multi-factor authentication for OpenID Connect and SAML methods when using Directory User Mapping. Configuration information can be found from Management UI authentication methods - SSO, SMTP authentication method - SSO and Unregistered Multi-factor Authentication - SSO
Improvements
IDS-3694 - There is an update for the SAML SP for Java module (for Java 11) used to integrate web applications to SSO. Please review SAML SP activation - SSO.
IDS-3578 - There is an improvement for TOTP logging level (to ALL). Please review TOTP API Configuration - SSO.
Corrections
IDS-3745 - There was a known issue with id_token expiration times when the application-specific and server-specific timeouts differed: the id_token expiration time was set to the server timeout plus the application timeout instead of the application-specific expiration time
IDS-3767 - There was a known issue with the Unregistered SMS or SMTP method used as a second factor. If the method was not allowed for the intended group (or not allowed for any group), or the configuration was left in a half-configured state, SSO showed ERROR 500 and a stack trace to the user
IDS-3863 - There was a redirection vulnerability within the password-reset tool that permitted any URL on any domain to be used as a redirection target. While there is no known instance of this deviation being used, we have resolved it by adding the ability to define allowed hostnames in returnurls.
IDS-3871 - There was a redirection vulnerability within the password-reset tool that permitted cross site scripting payloads to be appended to URLs used as redirection targets. While there is no known instance of this deviation being used, we have resolved it by adding the ability to define allowed hostnames in returnurls.
IDS-1832 - There was a known issue where editing an existing authorisation policy (example case added an attribute) resulted in the alteration of ubiloginNameValue. This was corrected in other work found within SSO 8.6 and no longer impacts any supported version of SSO.
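As an added illustration of the mitigation IDS-3863 and IDS-3871 describe (example code, not Ubisecure's own; the allowlist contents and the function names are assumptions), a return URL check that only accepts absolute http(s) URLs whose hostname is on an allowlist and otherwise falls back to a default:

```python
# Added example (not Ubisecure code): allowlist check for a password-reset
# return URL, the mitigation IDS-3863 / IDS-3871 describe. The allowlist
# values and the function names are assumptions for illustration.
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed allowlist of hostnames a return URL may point to.
ALLOWED_RETURN_HOSTS = frozenset({"portal.example.com", "sso.example.com"})


def is_allowed_return_url(url: str, allowed_hosts: Iterable[str] = ALLOWED_RETURN_HOSTS) -> bool:
    """True only for an absolute http(s) URL whose hostname is allowlisted.

    Rejects other schemes (javascript:, data:, ...), protocol-relative and
    relative URLs, userinfo tricks such as https://good@evil, CR/LF or NUL
    characters, and hosts that merely start with an allowed name
    (portal.example.com.evil.net).
    """
    if not isinstance(url, str) or not url or any(ch in url for ch in "\r\n\x00"):
        return False
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # lower-cased, port and IPv6 brackets removed
    if not host:
        return False
    return host in {h.lower() for h in allowed_hosts}


def resolve_return_url(candidate: Optional[str], default_url: str) -> str:
    """Pick the URL to redirect to: the candidate if allowlisted, else the default."""
    if candidate is not None and is_allowed_return_url(candidate):
        return candidate
    return default_url
```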
SSO 9.0.0 (21/06/2022)
New Features
IDS-3140 - SSO support for Java 11
IDS-3142 - Accounting Service support for Java 11
IDS-3143 - CIBA Adapter (Swedish BankID) support for Java 11
IDS-1531 - OpenLDAP version has been updated to 2.5.6 and backend changed from BDB to use MDB. See System Recommendations and Supported Platforms for details related to disk space and memory requirements
IDS-3492 - SessionManagerFactoryLDAP has been added as default session manager for better performance with OpenLDAP MDB
IDS-2671 - SSO now supports Sign in with Apple. A few new parameters have been introduced to enable this integration. Check out our Configure Sign in with Apple knowledge base article
IDS-2117 - SSO acting as broker now supports ftn_spname for OpenID Connect methods. This parameter is enabled with FinnishTrustNetwork parameter for the method and uses the client_name specified for the application as the ftn_spname value. Read more about the configuration from OpenID Connect authentication method - SSO configurations
IDS-3491 - SSO OAuth 2.0 applications can be configured to overwrite the spname value configured in the system, to use the value coming from another trusted broker in the Finnish Trust Network. This is configured through the AllowFtnSpname configuration string. More details on this configuration string can be found from OAuth 2.0 integration guide - SSO
IDS-2979 - SSO acting as broker now supports spname for SAML methods. Similar to OpenID Connect, this parameter is enabled with the FinnishTrustNetwork parameter for the method and uses the client_name specified for the application as the spname value. Configuration information can be found from SAML IDP Proxy - SSO
IDS-3518 - SSO SAML applications can be configured to overwrite the spname value configured in the system, to use the value coming from another trusted broker in the Finnish Trust Network. This is configured through the AllowFtnSpname configuration string. More details on this configuration string can be found from SAML2 configuration - SSO
IDS-3006 - SSO acting as broker now supports spname for Mobile PKI methods. This parameter is enabled with the FinnishTrustNetwork parameter for the method and uses the client_name specified for the application as the spname value. The value is shown in the DisplayName field of the schema as shown in Installing and configuring ETSI MSS Mobile PKI - SSO
IDS-3673 - Unregistered SMTP OTP can be used as multi-factor authentication for OpenID Connect and SAML methods
IDS-3672 - Unregistered SMS OTP can be used as multi-factor authentication for OpenID Connect and SAML methods
IDS-3676 - SSO Management API has been updated to enable linking of Unregistered SMS and SMTP methods to SAML and OIDC methods. API calls for nextFactor and previousFactor, as well as usage can be found from Management API - SSO in section Linking objects
Improvements
IDS-3149 - A new client configuration has been added to SSO to mitigate Downgrade attacks. "require_signed_request_object" can be set to true in client metadata to require authorisation requests to be signed. See Client configuration reference - SSO for details
IDS-2827 - Public clients can now be configured to use PKCE without client_secret. When "token_endpoint_auth_method": "none" is included in the client metadata, PKCE is mandatory: code_challenge is required in the authorisation requests. Configuration information can be found from Authorization code grant and web single sign-on - SSO
IDS-3617 - Improvements to the TicketProtocolOAuth2Exception and TicketProtocolException logging for OAuth2 and SAML2 applications to include the client Id (where available), making it easier to debug issues with application configurations. Example of new log entries extended with client Id:
SAML2 application
2022-03-18 10:22:50,380 protocol [192.168.0.108] SingleSignOnServlet: protocol.TicketProtocolException: [saml-application] Ticket validation error: ...
OAuth2 application
2022-03-28 12:50:57,409 protocol ERROR [172.30.0.1] AuthorizationServlet: protocol.oauth2.TicketProtocolOAuth2Exception: [oauth2-application] Invalid ticket request: ...
IDS-2992 - Spring Boot version has been updated to 2.5.x version for Accounting Service to remove known CVEs. With this update there is a need to manually change the logging.file.max-history property to logging.logback.rollingpolicy.max-history in sso/ubilogin/config/accounting/config/application.yaml. More details can be found from the SSO upgrade guides Upgrade on Linux - SSO and Upgrade on Windows - SSO
IDS-3521 - Spring Boot version has been updated to 2.5.x version for TOTP API to remove known CVEs
IDS-3683 - SpringBoot version has been updated to 2.5.x version for CIBA Adapter (Swedish BankID) to remove known CVEs
IDS-3744 - The default heapsize for Tomcat has been increased from 512MB to 2048MB (2GB), which reflects current operational needs for many installations. This may be adjusted up or down depending on your environment.
IDS-3733 - ubilogin-server service description has been updated from "Tomcat" to "Ubisecure SSO" in connection with systemd changes
IDS-3594 - TOTP API and Accounting Service Springfox library has been replaced with Springdoc related to Swagger documentation
IDS-3741 - CIBA Adapter (Swedish BankID) Springfox library has been replaced with Springdoc related to Swagger documentation
Corrections
IDS-2059 - A correction to the state value: previously, if state included '%2B' it was converted to '+' in the authorisation response. This is now resolved and the expected '%2B' is returned in the response
IDS-3601 - A security vulnerability in password-reset application that allowed updating password of a user without verifying OTP code has been corrected
Ubisecure SSO 8.x.x
SSO 8.10.1 (21/06/2022)
New Features
IDS-2671 - SSO now supports Sign in with Apple. A few new parameters have been introduced to enable this integration. Check out our Configure Sign in with Apple knowledge base article
IDS-2117 - SSO acting as broker now supports ftn_spname for OpenID Connect methods. This parameter is enabled with FinnishTrustNetwork parameter for the method and uses the client_name specified for the application as the ftn_spname value. Read more about the configuration from OpenID Connect authentication method - SSO configurations
IDS-3491 - SSO OAuth 2.0 applications can be configured to overwrite the spname value configured in the system, to use the value coming from another trusted broker in the Finnish Trust Network. This is configured through the AllowFtnSpname configuration string. More details on this configuration string can be found from OAuth 2.0 integration guide - SSO
IDS-2979 - SSO acting as broker now supports spname for SAML methods. Similar to OpenID Connect, this parameter is enabled with the FinnishTrustNetwork parameter for the method and uses the client_name specified for the application as the spname value. Configuration information can be found from SAML IDP Proxy - SSO
IDS-3518 - SSO SAML applications can be configured to overwrite the spname value configured in the system, to use the value coming from another trusted broker in the Finnish Trust Network. This is configured through the AllowFtnSpname configuration string. More details on this configuration string can be found from SAML2 configuration - SSO
IDS-3006 - SSO acting as broker now supports spname for Mobile PKI methods. This parameter is enabled with the FinnishTrustNetwork parameter for the method and uses the client_name specified for the application as the spname value. The value is shown in the DisplayName field of the schema as shown in Installing and configuring ETSI MSS Mobile PKI - SSO
Improvements
IDS-3149 - A new client configuration has been added to SSO to mitigate Downgrade attacks. "require_signed_request_object" can be set to true in client metadata to require authorisation requests to be signed. See Client configuration reference - SSO for details
IDS-2827 - Public clients can now be configured to use PKCE without client_secret. When "token_endpoint_auth_method": "none" is included in the client metadata, PKCE is mandatory: code_challenge is required in the authorisation requests. Configuration information can be found from Authorization code grant and web single sign-on - SSO
IDS-3617 - Improvements to the TicketProtocolOAuth2Exception and TicketProtocolException logging for OAuth2 and SAML2 applications to include the client Id (where available), making it easier to debug issues with application configurations. Example of new log entries extended with client Id:
SAML2 application
2022-03-18 10:22:50,380 protocol [192.168.0.108] SingleSignOnServlet: protocol.TicketProtocolException: [saml-application] Ticket validation error: ...
OAuth2 application
2022-03-28 12:50:57,409 protocol ERROR [172.30.0.1] AuthorizationServlet: protocol.oauth2.TicketProtocolOAuth2Exception: [oauth2-application] Invalid ticket request: ...
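As an added illustration of the PKCE requirement IDS-2827 describes for public clients (listed under both SSO 9.0.0 and SSO 8.10.1) and of the code_challenge/code_verifier validation introduced in SSO 8.7.0 (IDS-1256), here is example code that is not Ubisecure's own: the function names and error strings are assumptions, while the metadata key and request parameter names come from the page and RFC 7636.

```python
# Added example (not Ubisecure code): server-side PKCE enforcement for a public
# client registered with "token_endpoint_auth_method": "none" (IDS-2827), plus the
# code_verifier check at the token endpoint (IDS-1256). Function names and error
# strings are assumptions; parameter names follow RFC 7636.
import base64
import hashlib
import secrets
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Client side: a random code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))  # 43 URL-safe characters
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def check_authorization_request(client_metadata: dict, params: dict) -> Optional[str]:
    """Server side: return an error string, or None if the request is acceptable.

    A public client cannot authenticate at the token endpoint, so the
    authorization code is protected only by PKCE: code_challenge is mandatory
    for it. Only the S256 method is accepted; "plain" gives no protection
    against a leaked code.
    """
    is_public = client_metadata.get("token_endpoint_auth_method") == "none"
    challenge = params.get("code_challenge")
    method = params.get("code_challenge_method", "plain")
    if challenge is None:
        return "invalid_request: code_challenge required" if is_public else None
    if method != "S256":
        return "invalid_request: only S256 is accepted"
    if len(challenge) != 43:  # base64url of a 32-byte SHA-256 digest
        return "invalid_request: malformed code_challenge"
    return None


def check_token_request(stored_challenge: Optional[str], code_verifier: Optional[str]) -> bool:
    """Server side: bind the code redemption to the verifier.

    stored_challenge is what was saved with the authorization code. A code that
    was issued without PKCE is redeemed only without a verifier, so a verifier
    cannot be bolted on afterwards; a code issued with PKCE requires a verifier
    whose S256 digest matches, compared in constant time.
    """
    if stored_challenge is None:
        return code_verifier is None
    if code_verifier is None or not 43 <= len(code_verifier) <= 128:
        return False
    expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, stored_challenge)
```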
Corrections
IDS-2059 - A correction to the state value: previously, if state included '%2B' it was converted to '+' in the authorisation response. This is now resolved and the expected '%2B' is returned in the response
IDS-3601 - A security vulnerability in password-reset application that allowed updating password of a user without verifying OTP code has been corrected
IDS-3660 - A custom redirect URI scheme previously caused a redirect failure with OAuth2 applications; this has now been resolved
SSO 8.9.3 (11/02/2022)
Improvements
IDS-3485 - To prevent Cross-JWT Confusion we have removed the client ID from the sub claim when Passing a Request Object by Value. If, for some reason, this is still required, we have introduced the client metadata parameter "ubisecure_request_object_sub_claim_required" to allow backwards compatibility; see the configuration parameters in OpenID Connect authentication method - SSO. This, however, is not recommended.
SSO 8.9.2 (05/01/2022)
Corrections
IDS-3397 - Log4j2 updated to version 2.17.1 to remove known vulnerabilities
SSO 8.9.1 was omitted due to a new patch version of Log4j2 being released
SSO 8.9.0 (16/12/2021)
New Features
IDS-399 - Key rotation has been enabled for the SSO server
IDS-2956 - SSO API calls related to create, update and delete signing and encryption keys for SSO server has been included. Examples can be found from Key rotation - SSO
IDS-2957 - SSO API calls related to associate or remove association of signing and encryption keys with SSO server has been included. How to perform key rotation in SSO can be found from here
IDS-2961 - SSO API call to get certificate signing request for a specific key. This CSR is forwarded to a CA for signing and later on associated back to the specific key
IDS-2962 - SSO API call to store the signed certificate with a specific key. Only one certificate is allowed for a key, if there are multiple available in the body, the first will be read and the others will be ignored
IDS-2964 - New and/or updated signing and encryption keys are published in OpenID Provider JWKS when changes are detected. All non-expired signing keys and one valid encryption key are shown in the metadata.jwks. The scheduler is run every minute to check for changes
IDS-2963 - New and/or updated signing and encryption keys are published in SAML2 IdP Metadata when changes are detected. All non-expired signing keys and one valid encryption key are shown in the Metadata. The scheduler is run every minute to check for changes. Each valid key is provided twice in the SAML2 IdP Metadata, once inside the IDPSSODescriptor element and once inside the SPSSODescriptor element
IDS-2970 - New and/or updated signing and encryption keys are published in WS-Federation IdP Metadata when changes are detected. All non-expired signing keys and one valid encryption key are shown in the FederationMetadata. The scheduler is run every minute to check for changes
IDS-3241 & IDS-3242 - Client registration request provides jwks_uri instead of static jwks to better support key rotation
Improvements
IDS-1486 - Documentation pages for the diag log description have been created to match the audit log description pages, for easier use by developers.
IDS-2757 - id_tokens are included in refresh_token grant responses when "openid" is included in the scope. Extending the requested scopes with additional claims after the refresh token has been created will not fetch additional information. More information can be found from Authorization code grant and web single sign-on - SSO
IDS-3303 - Password application IDP metadata is automatically updated from the IDP metadata endpoint once a minute to support key rotation. More details are available from Password application installation - SSO
Corrections
IDS-3125 - A Cross-site scripting (XSS) vulnerability has been resolved in SSO error page
IDS-1039 - SSO UI now shows "User account is locked" for OTP List and TOTP method after a user has tried to login with invalid code 5 times (or the amount configured in login attempts). Previously the user was shown the message after they tried to login on the 6th time after the method had already been locked
IDS-1652 - The message shown to users who have a mismatch between password and confirmation during password change now states a clearer reason for the error: "Make sure the passwords match. Please try again". Previously the message stated "The new credentials were not accepted", which did not point towards the reason for not being accepted
IDS-3176 - SSO UI now shows "User account is locked" for Unregistered SMTP OTP and Unregistered SMS OTP method after a user has tried to login with invalid code 5 times (or the amount configured in login attempts). Previously the user was shown the message after they tried to login on the 6th time after the method had already been locked
IDS-2828 - ubikt.jar now generates Certificate Signing Request (CSR) file from certificate contained in unix/win32.config. An example how to use the tool can be found from Increase the SSO metadata certificate private key size
IDS-3109 - SSO UI and audit logs now show correct "The user account is locked" message for TOTP method when a user has input invalid OTP code too many times and their account has gotten locked. Previously the message showed "The authentication method configuration is invalid: UNSPECIFIED"
IDS-3014 - SSO now shows correct template when returning from an external authentication method (SAML). Previously when a user returned back to the application, the default application template was shown to the user
SSO 8.8.1 (21/06/2021)
Corrections
IDS-3125 - Cross-site scripting (XSS) vulnerability has been corrected in error template
SSO 8.8.0 (09/06/2021)
New Features
IDS-105 - Administrators are now able to configure OpenID Connect methods in SSO Management UI without using the Management API. Read our Knowledge base article Configure OpenID Connect authentication method in SSO Management UI
IDS-2861 - UserInfo endpoint now supports POST requests. See Authorization code grant and web single sign-on - SSO for more information
IDS-2765 - SPI OpenID Connect CIBA method has been included to SSO. This allows CIBA method to be used as step-up method for your registered users. Read more about the configuration from OpenID Connect CIBA authentication method
IDS-2937 - New API calls have been added to the Accounting Service to get more information on the ticket granted events happening in your system. The API calls return method and application used for each of the events and are able to be queried daily, hourly or per minute. More information about the API calls can be found from Event details API section in Accounting Service API
IDS-2256 - Freja eID is now supported by SSO. Read our Knowledge base article Configure OpenID Connect Freja eID login
IDS-3008 - TOTP API has been extended with a new call to get information if a user has the TOTP method enabled or disabled for their account. Detailed information how to use the API is available in TOTP API swagger documentation that can be configured with the TOTP API - SSO
Improvements
IDS-2862 - For authentication requests that require End-user interaction to continue although the prompt parameter is none, the error response has been changed from the previous access_denied to interaction_required, in accordance with the OpenID Connect Core 1.0 specification
IDS-2847 - Hardcoded acr_value for Client Initiated Backchannel Authentications method has been removed
IDS-2833 - CIBA adapter (previously UBAA) OpenID Provider metadata has been updated with backchannel_token_delivery_modes_supported and token_endpoint_auth_signing_alg_values_supported values. More information about the metadata can be found from Installing and configuring Swedish BankID - SSO
IDS-2837 - invalid_grant error message has been updated to use LOGIN_CANCEL error message instead of previous AUTHENTICATION_METHOD_INVALID for CIBA methods
IDS-2940 - CIBA adapter's Spring Boot version has been updated and Swagger UI URL has changed, check the new URL from Installing and configuring Swedish BankID - SSO
IDS-1670 - Step-up method usability has been improved to not show any selection between step-up methods if there is only one configured for the application. For example, if only TOTP method is available as 2FA method in application, the user no longer needs to click "totp.1" button after signing in with password, but is immediately asked for TOTP code
IDS-2160 - Improved performance when generating and downloading reports from the Accounting Service. In our testing we have noted substantially decreased download times observable in larger datasets
IDS-2794 - Updated unix.config/win32.config file to include sso-api.uuid, totp.uuid and accounting.client.uuid to preserve the client IDs during upgrade of your system. Info about this can be found from Preserve essential configuration settings in upgrade
IDS-3019 - Accounting Service methods have been updated for CIBA methods. Previously named UBAA method is now referred to as UNREGISTERED.CIBA and registered CIBA method is referred to as DIR.CIBA. See Accounting Service - SSO for more information
IDS-3011 - Unregistered CIBA method: Transformation of id_token claims was changed to be same as in OpenID Connect method. Also added a new configuration option `usernameClaim` for defining the id_token claim used as the subject for the unregistered user
IDS-3015 - Token endpoint responses have been updated to have HTTP headers "Cache-Control: no-store" and "Pragma: no-cache" set by default to prevent information to be cached
IDS-3018 - Refresh token endpoint error responses have been updated in accordance with OpenID Connect Core 1.0
IDS-3061 - New compatibility flag was introduced to resolve backwards incompatibility with OTP printout and TOTP secrets in the case that the users are stored in SQL database. If this is the case LegacyUserCredentialsTable needs to be added to the method for the users to keep using their set secrets. New SQL users or existing users recreating their secrets will be handled correctly. See more details from TOTP Authentication Method and OTP Printout authentication method - SSO
IDS-3062 - CIBA adapter has been updated to include client_id in aud claim and id_token expiration time. Configuration information can be found from Installing and configuring Swedish BankID
IDS-3009 - TOTP method can now be used without additional schema changes when using AD LDS as Ubilogin Directory together with external SQL directory
Corrections
IDS-1511 - SSO Password reset: old tokens are not invalidated. There are built-in features that can be used to mitigate this:
OTP should be set to expire (policy.oauth.otp.timeout)
Password min-age should be set greater than OTP expiration time (policy.password.min-age)
IDS-2721 - MENU_INTRO2_TEXT in SSO messages properties has been fixed to show the client name in the SSO login screen when client_name is configured in the metadata. Review Login screens - SSO for more details
IDS-2247 - OTP_LOGIN_REMAINING_PASSWORD_AMOUNT in SSO properties has been fixed to show the remaining one-time passwords left on the printed list to warn the user to renew the list before it runs out of passwords. More details on configurations can be found from Login screens - SSO and OTP Printout authentication method - SSO
IDS-2750 - Refresh tokens were invalid for Unregistered SMS with an Ubilogin Directory user. This issue has been fully resolved.
IDS-3104 - SPI TOTP method: Account lockout policy section is now shown in TOTP method configuration in SSO Management UI and pressing "Update" without any changes doesn't remove the lockout policy configurations.
SSO 8.7.1 (21/06/2021)
Corrections
IDS-3125 - Cross-site scripting (XSS) vulnerability has been corrected in error template
SSO 8.7.0 (20/01/2021)
New Features
IDS-1256 - SSO now supports Authorisation Code Flow with Proof Key for Code Exchange (PKCE) and will start validating the code_challenge and code_verifier for clients that are already sending them now. PKCE is currently only supported when SSO acts as Authorisation server (IDP). More information can be found from Authorization code grant - SSO and Provider metadata reference - SSO
Improvements
IDS-2784 - Accounting Service dependencies have been updated to remove vulnerabilities. You can find the latest versions used in the Accounting Table 2 on 3rd party licenses - SSO
Note: Related to Spring Boot updates, server.use-forward-headers property has been deprecated in favour of server.forward-headers-strategy and logging.name has changed to logging.file.name. Please review Accounting Service additional configuration - SSO for more details
IDS-2706 - SSO dependencies have been updated to remove vulnerabilities. You can find the latest versions used in the SSO Table 1 on 3rd party licenses - SSO
IDS-2498 - Issue with policy.password.history parameter has been fixed and new passwords are compared against the configured number of previous passwords in the system. If the value is set to 5, the user cannot change to any of the 5 previous passwords used. This policy still has issues with CustomerID and causes issues in user creation if enabled for the password method used in CustomerID, see IDS-2851 in known issues
IDS-2985 - Refresh token logging has been extended with details of which refresh token was being accessed, to help with troubleshooting. This can be enabled by setting debug level on diag.protocol logs.
SSO 8.6.1 (21/06/2021)
Corrections
IDS-3125 - Cross-site scripting (XSS) vulnerability has been corrected in error template
SSO 8.6.0 (05/11/2020)
New Features
IDS-1885 - SSO now supports Time-based One-time Password as a new step-up method. See TOTP Authentication Method for more details
IDS-2631 - TOTP API application has been created for handling of user TOTP secrets. These API calls allow Administrators to set and remove the secrets for users through their own self-service UI/application (this is not provided within the Ubisecure Identity Server). See TOTP API - SSO for more info how to setup and configure
Improvements
IDS-2714 - Support for PBKDF2-SHA256 password encoding has been added to SSO. All supported values can be found from Management UI authentication methods
IDS-2571 - Improvement for handling multiple IPs in "proxy.remote-addr-name = x-forwarded-for" configuration. If there are multiple IPs included in the request, all of the IPs will be shown in the audit logs, separated by ",". This will need to be taken into consideration when parsing the audit logs. Previously multiple IPs caused issues with Ubilogin Management, Logviewer and Search applications.
IDS-2717 - Changes to application configuration for two-factor authentication methods. If both password and a step-up method is enabled for an application, users who do not have the specific step-up method enabled on their account can log in to the application with password only. See Authentication and authorization process - SSO
SSO 8.5.2 (21/06/2021)
Corrections
IDS-3125 - Cross-site scripting (XSS) vulnerability has been corrected in error template
SSO 8.5.1 (07/10/2020)
Improvements
IDS-2719 - ubixmlsec library has been updated to version 1.5.8.50494 to support http://www.w3.org/2009/xmlenc11#aes128-gcm encryption algorithm that will be taken into use by Suomi.fi service in the near future
SSO 8.5.0 (17/06/2020)
New Features
IDS-1303 - Mobile Connect integration has been extended with support related to logging and consent. This enables Mobile Operators to take Mobile Connect Authentication and Authentication Plus product into commercial use. The items that have been updated for this feature can be found in the improvements section.
Improvements
IDS-2516 - OAuth 2.0 applications can be extended with compatibility flag ExtendedOAuth2AuditLogging. This enables additional log entries to the audit log to facilitate Mobile Connect billing use cases. This can also be used for other OpenID Connect use cases. More detailed information can be found from Additional audit logging for OAuth 2.0
IDS-1304 - Authorisation policies have been updated with scope field. This will allow Administrators to specify which scopes should be evaluated for OpenID Connect and OAuth 2.0 applications. You can read more about how to Manage authorization policies - SSO here
IDS-2522 - Improved consent page includes requested scopes and confirm/cancel buttons instead of previous static text and checkbox. This improvement can be used for OpenID Connect methods and OAuth 2.0 applications. For other applications and methods, an updated static page of consent information will be shown to the end user. Read more about how to configure the consent screen from our Login screens - SSO and Internationalization - SSO documentation pages.
IDS-1591 - Mobile ID (Mobiilivarmenne) phone number input field has been changed from 'text' to 'tel' to improve the user experience on mobile devices. The user's default screen will show a number keypad rather than an alphabet keyboard, easing use of the service
IDS-2486 - Optimisation of LDAP search in Password Reset application related to lookup of available methods
IDS-2014 - Additional information for the different entry types has been added to our Audit log description - SSO
IDS-2034 - Improved documentation how to setup authentication methods using SSO Management API can be found from OpenID Connect authentication method - SSO
IDS-750 - Improved documentation related to handling of error situation not to expose any sensitive server or software information. Read more about how to use reverse proxy in our Security considerations for production environments - SSO
IDS-1487 - Improved version handling of SSO components in order to have a better understanding of which version is currently installed. Logging of correct version (i.e. same as the release version) during SSO startup
IDS-2445 - Improvement to how threads are handled for Health check API. In clustered environments it was noticed that the health check calls could go into a deadlock due to timing issue when connection was shutting down
IDS-2615 - OAuth2 / OpenID Connect Token responses have been changed to exclude the id_token for refresh requests. This is to make sure that no additional information is shared with the application that the user has not approved to be shared. Read more about Access Token and ID Token from Authorization code grant and web single sign-on - SSO
IDS-2608 - Updated audit log field "Web Application User ID" to get username sent to the application in the log entries that have this field available. More information can be found from Audit log description - SSO
Corrections
IDS-2158 - Version number in the footer of SSO Management UI now correctly displays the installed version of the application
IDS-2317 - UsernameUserMappingIdentityFactory flag has been set to disabled as default as specified in SSO 8.4.1 release notes. If this functionality needs to be enabled follow the Enabling UsernameUserMappingIdentityFactory instructions
IDS-2032 - Changing log levels in SSO management UI will now come into effect without restarting the SSO application; this previously required a restart
IDS-1182 & IDS-1469 - Documentation has been updated related to how to configure your reverse proxy in order not to expose any sensitive server or software information. Read more about how to use reverse proxy in our Security considerations for production environments - SSO page
IDS-2537 - Correction to jQuery call that broke WS-Federation logout in 8.4.0 and 8.4.1. If using WS-Federation methods, we suggest to upgrade to SSO 8.5.0 to resolve this issue
SSO 8.4.1 (06/02/2020)
Improvements
IDS-2161 - Merged changes made in SSO 8.3.8 that did not make it into SSO 8.4.0 release (see Change log - SSO)
IDS-2058 - Addition of compatibility flag for UsernameUserMapping legacy feature in order to prevent exhaustion of LDAP connections. This will be disabled by default in upcoming SSO 8.5.0 release (Disabling UsernameUserMappingIdentityFactory)
IDS-2166 - Inclusion of KeyID in metadata generated by SSO Management API (OpenID Connect authentication method - SSO)
IDS-2283 - Client metadata extension ubisecure_request_parameters / acr_values has been updated to have highest priority in outbound requests in order to ensure that correct values are sent (OpenID Connect authentication method - SSO)
IDS-1999 - Ability to configure RequestedAuthnContext through AuthnContextClassRef or AuthnContextDeclRef together with comparison for SAML authentication methods (SAML IDP Proxy - SSO)
IDS-2303 - Ability to configure the thread pool size of Mobile PKI authentication method (Installing and configuring ETSI MSS Mobile PKI - SSO)
Corrections
IDS-2208 - Fix for StrictAudiencePolicy to be able to set the compatibility flag system-wide, this did not overwrite application or authentication method flags set in SSO 8.3.8 (OpenID Connect authentication method - SSO)
SSO 8.4.0 (12/11/2019)
New Features
IDS-1103 - Accounting Service
More information about this feature can be found from our Developer portal (Accounting Service - SSO)
IDS-994 - Per user authentication matching
More information about this JavaScript based frontend user interface extension can be found from our public Github repository (https://github.com/ubisecure/per-user-authentication-matching)
Improvements
IDS-58 - Server side session storage/Redis product documentation (Use Redis with Identity Server)
IDS-79 - NameIDPolicy must be set for AuthnRequest sent by SSO
IDS-110 - Updated SSO external library (3rd party) dependencies (3rd party licenses - SSO)
IDS-684 - AuthnContextClassRef from a SAML Identity Provider to SSO (IdP Proxy) should also be possible to be forwarded to SP
IDS-930 - SSO management API for persistentID (PCR) name mapping
IDS-1080 - Identity Server supports BCrypt for password encoding
Corrections
IDS-653 - Name change: Agent has been replaced with Application in SSO UI
IDS-683 - Fix for deadlock in JLDAP
IDS-712 - Fix usability on Unregistered SMS login screens. Focus set to OTP field
IDS-1106 - Fix for SSO server jwks interoperability issue in Chrome
IDS-1190 - Fix for one time feature not working for OAuth applications when there is SSO session available
IDS-1412 - Fix for REDIS failover when the node configured in SSO goes offline
Ubisecure SSO 8.3.8 (24/10/2019)
This release improves the compatibility with Finnish Trust Network. It also includes improvements on general OpenID Connect compatibility.
Improvements
IDS-2037: OpenID Connect: Ability to duplicate parameters outside the request object when sending Authorization requests as JWTs
IDS-2107: OpenID Connect: Implementation of Key ID in JWKs, JWS and JWE
IDS-2108: OpenID Connect: Send client_id as a request parameter in Token requests when using client assertions
IDS-2110: OpenID Connect: Ability to perform relaxed or strict JWT aud claim validation
IDS-2113: OpenID Connect: Improved UI locale handling
IDS-2114: OpenID Connect: Ability to perform Authentication request with HTTP POST instead of GET