IDS-4540 - We have observed and corrected intermittent authentication errors for Customers attempting authentications with a legacy Microsoft integration (SignIn with SAML). These intermittent authentication errors were due to the combination of cache performance improvements that we implemented and Microsoft allowing the use of non-unique entityIDs in their legacy SignIn with SAML service.
IDS-4571 - We have corrected the issue with mapping Remote Identities (also called ubiloginAuthMapping) to Ubilogin Directory identities when the same Remote Identity is used in two or more Authentication Mappings. If this lesser-used historical feature is used in your environment, please visit Enabling UsernameUserMappingIdentityFactory.
SSO 9.2.2 (20/06/2023)
Corrections
IDS-4140- We have made an improvement to SSO’s CleanupManager to ensure that it will continue to clean up sessions even if there are connectivity issues between SSO and LDAP. Environments that have long uptime could eventually run out of memory due to CleanupManager failing silently.
IDS-4233 - We have observed and corrected SSO consuming increased amounts of memory during testing. This ticket corrects SSO ExpiringMessageTracker, which was found to leak memory causing issues for very large environments or environments with very long uptime.
SSO 9.2.1 (22/05/2023)
Improvements
IDS-4262 - A minor alteration was made to the cancellation workflow to conform with end user existing expectations.
SSO 9.2.0 (27/04/2023)
New Features
IDS-3886 - Found within SSO 9.2.0, is the ability to utilise Swedish BankID in same device flow operations. Tested with Android and iOS mobile phones over the most common web browsers. This new feature is conformant to Swedish BankID specification 3.7
Improvements
IDS-4042 - For very high capacity environments, there is the option to augment SSO with a Redis cluster. We have updated Redis to version 6.2.8. Please ensure you have consulted with Support prior to implementing Redis.
IDS-3311 - Corrected the inability to localise the deployment in the Swedish language and use password-reset. This is now possible without error.
IDS-3835 - Corrected a directory cache cleaning error which resulted in very high capacity environments requiring periodic reboots to clear inactive sessions found in com.ubisecure.ubilogin.directory.authz.Methods
CustomerID 6.2.1 (20/06/2023)
New Features
Improvements
IDS-3771 - We have suppressed the default help files found in CustomerID UI. These help files have been fully replaced by the Developer Portal. It is possible to return the help link icon to your environment, please see the following documentation if you use the help link icon within your environment. See: Custom CSS Styling and Help Files
Corrections
IDS-2791 - We have observed and corrected an error where a user who cancels their CustomerID registration, without completing the process, will result in a SSO session remaining open. As a security improvement, the default setting has been changed for CusotmerID version 6.2.1 and later. Please see CustomerID Self-registration workflow configuration and search for "registration.N.logout.when.cancel".
IDS-3698 - We have observed and corrected an error where not all user data is deleted from datastores when a user application is rejected.
IDS-3727 - We have observed and corrected an error where CustomerID default email validator permitted an existing email address to be used for new registration if capital letters were used.
IDS-4034 - There was a known issue when using the CustomerID user interface to delete user custom attributes that results in a data conflict between the two datastores used for the Identity Platform. Manual correction of LDAP is required. This known issue has been corrected as of CID 6.2.1
CustomerID 6.2.0 (27/04/2023)
New Features
None required for this release
Improvements
IDS-3851 - CustomerID utalises WildFly as its webserver, the underlying WildFly has been updated to WildFly 26.1.2 for this release.
Corrections
None required for this release
IDS 2022.2
SSO 9.1.0 (25/10/2022)
New Features
IDS-3494 - Logging for SSO webapps has been updated from Log4j to SLF4J and new logback.xml files are available for log configuration. All logs are now written to sso_diag.yyyy-MM-DD.log instead of catalina. Please ensure you review the Logging migration guide - SSO.
IDS-3655 - SMS OTP, OTP Printout, TOTP and OpenID Connect CIBA can be used as multi-factor authentication for OpenID Connect and SAML methods when using Directory User Mapping. Configuration information can be found from Multi-factor Authentication with Directory User Mapping - SSO
IDS-3694 - There is an update for the SAML SP for Java module (for Java 11) used to integrate web applications to SSO. Please review SAML SP activation - SSO.
IDS-3745 - There was a known issue with id_token expiration times between application specific and server specific timeouts. If the application and server timeout is separate, the application specific expiration time will take the server timeout + application timeout as the id_token expiration time
IDS-3767 - There was a known issue with Unregistered SMS or SMTP method used as second factor. If the method is not allowed for the intended group (not allowed for any group) or the configuration is left in a half configured state, then SSO shows ERROR 500 and a stack trace to the user
IDS-3863 - There was a redirection vulnerability within the password-reset tool that permitted open domain, any URL, to be used as potential redirection. While there is no known instance of use of this deviation, we have resolved this by adding the ability to define allowed hostnames in returnurls.
IDS-3871 - There was a redirection vulnerability within the password-reset tool that permitted cross site scripting to be post-pended to urls and used as potential redirection. While there is no known instance of use of this deviation, we have resolved this by adding the ability to define allowed hostnames in returnurls.
IDS-1832 - There was a known issue where editing an existing authorisation policy (example case added an attribute) resulted in the alteration of ubiloginNameValue. This was corrected in other work found within SSO 8.6 and no longer impacts any supported version of SSO.
CustomerID 6.1.0 (25/10/2022)
New Features
None developed for this IDS 2022.2 release
Improvements
IDS-3572 - SSN validation in CustomerID has been updated to also accept new formats of SSNs that are coming into effect in Finland from 1st of January 2023
IDS-3872 - As part of ongoing maintenance, the PostgreSQL driver has been updated from 42.4.0 to 42.5.0
Corrections
None required for this IDS 2022.2 release
IDS 2022.1
Change log SSO 9.0.0 (21/06/2022)
New Features
IDS-3140 - SSO support for Java 11
IDS-3142 - Accounting Service support for Java 11
IDS-3143 - CIBA Adapter (Swedish BankID) support for Java 11
IDS-1531 - OpenLDAP version has been updated to 2.5.6 and backend changed from BDB to use MDB. See System Recommendations and Supported Platforms for details related to disk space and memory requirements
IDS-3492 - SessionManagerFactoryLDAP has been added as default session manager for better performance with OpenLDAP MDB
IDS-2671 - SSO now support Sign in with Apple. A few new parameters have been introduced to enable this integration. Check out our Configure Sign in with Apple knowledge base article
IDS-2117 - SSO acting as broker now supports ftn_spname for OpenID Connect methods. This parameter is enabled with FinnishTrustNetwork parameter for the method and uses the client_name specified for the application as the ftn_spname value. Read more about the configuration from OpenID Connect authentication method - SSO configurations
IDS-3491 - SSO OAuth 2.0 applications can be configured to overwrite the spname value configured in the system, to use the value coming from another trusted broker in the Finnish Trust Network. This is configured through the AllowFtnSpname configuration string. More details on this configuration string can be found from OAuth 2.0 integration guide - SSO
IDS-2979 - SSO acting as broker now support spname for SAML methods. Similar to OpenID Connect, this parameter is enabled with FinnishTrustNetwork parameter for the method and uses the client_name specified for the application as the spname value. Configuration information can be found from SAML IDP Proxy - SSO
IDS-3518 - SSO SAML applications can be configured to overwrite the spname value configured in the system, to use the value coming from another trusted broker in the Finnish Trust Network. This is configured through the AllowFtnSpname configuration string. More details on this configuration string can be found from SAML2 configuration - SSO
IDS-3006 - SSO acting as broker now support spname for Mobile PKI methods. This parameter is enabled with FinnishTrustNetwork parameter for the method and uses the client_name specified for the application as the spname value. The value is shown in the DisplayName field of schema as shown in the Installing and configuring ETSI MSS Mobile PKI - SSO
IDS-3673 - Unregistered SMTP OTP can be used as multi-factor authentication for OpenID Connect and SAML methods
IDS-3672 - Unregistered SMS OTP can be used as multi-factor authentication for OpenID Connect and SAML methods
IDS-3676 - SSO Management API has been updated to enable linking of Unregistered SMS and SMTP methods to SAML and OIDC methods. API calls for nextFactor and previousFactor, as well as usage can be found from Management API - SSO in section Linking objects
Improvements
IDS-3149 - A new client configuration has been added to SSO to mitigate Downgrade attacks. "require_signed_request_object" can be set to true in client metadata to require authorisation requests to be signed. See Client configuration reference - SSO for details
IDS-2827 - Public clients can now be configured to use PKCE without client_secret. When including "token_endpoint_auth_method": "none" in the client metadata - PKCE (code_challenge is required in the authorisation requests). Configuration information can be found from Authorization code grant and web single sign-on - SSO
IDS-3617 - Improvements to the TicketProtocolOAuth2Exception and TicketProtocolException loggings for OAuth2 and SAML2 applications to include client Id (where available) to easier debug where issues with application configurations. Example of new log entries extended with client IdSAML2 application
IDS-2992 - Springboot version has been updated to 2.5.x version for Accounting Service to remove known CVEs. With this update there is a need to manually update the logging.file.max-history value to logging.logback.rollingpolicy.max-history in sso/ubilogin/config/accounting/config/application.yaml. More details can be found from the SSO upgrade guides Upgrade on Linux - SSO and Upgrade on Windows - SSO
IDS-3521 - SpringBoot version has been updated to 2.5.x version for TOTP API to remove known CVEs
IDS-3683 - SpringBoot version has been updated to 2.5.x version for CIBA Adapter (Swedish BankID) to remove known CVEs
IDS-3744 - The default heapsize for Tomcat has been increased from 512MB to 2048MB (2GB), which reflects current operational needs for many installations. This may be adjusted up or down depending on your environment.
IDS-3733 - ubilogin-server service description has been updated from "Tomcat" to "Ubisecure SSO" in connection to systemd changes
IDS-3594 - TOTP API and Accounting Service Springfox library has been replaced with Springdoc related to Swagger documentation
IDS-3741 - CIBA Adapter (Swedish BankID) Springfox library has been replaced with Springdoc related to Swagger documentation
Corrections
IDS-2059 - A correction to state value where previously if state included '%2B' it converted it to '+' in authorisation response. This is now resolved and returns the expected '%2B' in the response
IDS-3601 - A security vulnerability in password-reset application that allowed updating password of a user without verifying OTP code has been corrected
CustomerID 6.0.0 (21/06/2022)
New Features
IDS-3141 - CustomerID support for Java 11
IDS-3506 - Logging in CustomerID has been updated from previous Log4j to use SLF4J. No changes are needed for the configurations and logging format is kept the same
Improvements
IDS-1238 - ORG2ORG mandate creation have been improved to allow email optional and email message not to be asked. by updating the eidm2.properties and mailmessages.properties with the following configurations;eidm2.properties
IDS-2713 - Resolved issues with import/export users to handle EntityName as the UniqueId by default. A new parameter has been added to REST API 1.0 (REQ001b List Users) for handling plain CN as the uniqueID of the user instead of the Entity Name
IDS-3381 - remove-datasource.cmd|sh scripts have been fixed to make it easier to upgrade PostgreSQL JDBC drivers. CustomerID upgrade documentation has been updated
IDS 2021.3 - Note: SSO 8.10.x and 8.9.x both utilise CustomerID 5.9.x
Ubisecure SSO 8.10.1 (21/06/2022)
New Features
IDS-2671 - SSO now support Sign in with Apple. A few new parameters have been introduced to enable this integration. Check out our Configure Sign in with Apple knowledge base article
IDS-2117 - SSO acting as broker now supports ftn_spname for OpenID Connect methods. This parameter is enabled with FinnishTrustNetwork parameter for the method and uses the client_name specified for the application as the ftn_spname value. Read more about the configuration from OpenID Connect authentication method - SSO configurations
IDS-3491 - SSO OAuth 2.0 applications can be configured to overwrite the spname value configured in the system, to use the value coming from another trusted broker in the Finnish Trust Network. This is configured through the AllowFtnSpname configuration string. More details on this configuration string can be found from OAuth 2.0 integration guide - SSO
IDS-2979 - SSO acting as broker now support spname for SAML methods. Similar to OpenID Connect, this parameter is enabled with FinnishTrustNetwork parameter for the method and uses the client_name specified for the application as the spname value. Configuration information can be found from SAML IDP Proxy - SSO
IDS-3518 - SSO SAML applications can be configured to overwrite the spname value configured in the system, to use the value coming from another trusted broker in the Finnish Trust Network. This is configured through the AllowFtnSpname configuration string. More details on this configuration string can be found from SAML2 configuration - SSO
IDS-3006 - SSO acting as broker now support spname for Mobile PKI methods. This parameter is enabled with FinnishTrustNetwork parameter for the method and uses the client_name specified for the application as the spname value. The value is shown in the DisplayName field of schema as shown in the Installing and configuring ETSI MSS Mobile PKI - SSO
Improvements
IDS-3149 - A new client configuration has been added to SSO to mitigate Downgrade attacks. "require_signed_request_object" can be set to true in client metadata to require authorisation requests to be signed. See Client configuration reference - SSO for details
IDS-2827 - Public clients can now be configured to use PKCE without client_secret. When including "token_endpoint_auth_method": "none" in the client metadata - PKCE (code_challenge is required in the authorisation requests). Configuration information can be found from Authorization code grant and web single sign-on - SSO
IDS-3617 - Improvements to the TicketProtocolOAuth2Exception and TicketProtocolException loggings for OAuth2 and SAML2 applications to include client Id (where available) to easier debug where issues with application configurations. Example of new log entries extended with client Id
IDS-2059 - A correction to state value where previously if state included '%2B' it converted it to '+' in authorisation response. This is now resolved and returns the expected '%2B' in the response
IDS-3601 - A security vulnerability in password-reset application that allowed updating password of a user without verifying OTP code has been corrected
IDS-3660 - A custom redirect URI scheme previously caused failure in redirect with OAuth2 applications, this was now been resolved
SSO 8.9.3 (11/02/2022)
Improvements
IDS-3485 - To prevent Cross-JWT Confusion we have removed the client ID in the sub claim when Passing a Request Object by Value. If, for some reason this would still be required we have introduced the client metadata parameter "ubisecure_request_object_sub_claim_required" to allow backwards compatibility, see configuration parameters in OpenID Connect authentication method - SSO. This, however is not recommended.
SSO 8.9.1 was omitted due to new patch version of Log4j2 being released
SSO 8.9.0 (16/12/2021)
New Features
IDS-399 - SSO key rotation possibilities has been enabled for SSO server
IDS-2956 - SSO API calls related to create, update and delete signing and encryption keys for SSO server has been included. Examples can be found from Key rotation - SSO
IDS-2957 - SSO API calls related to associate or remove association of signing and encryption keys with SSO server has been included. How to perform key rotation in SSO can be found from here
IDS-2961 - SSO API call to get certificate signing request for a specific key. This CSR is forwarded to a CA for signing and later on associated back to the specific key
IDS-2962 - SSO API call to store the signed certificate with a specific key. Only one certificate is allowed for a key, if there are multiple available in the body, the first will be read and the others will be ignored
IDS-2964 - New and/or updated signing and encryption keys are published in OpenID Provider JWKS when changes are detected. All non-expired signing keys and one valid encryption key is shown in the metadata.jwks. The scheduler is run every minute to check for changes
IDS-2963 - New and/or updated signing and encryption keys are published in SAML2 IdP Metadata when changes are detected. All non-expired signing keys and one valid encryption key is shown in the Metadata. The scheduler is run every minute to check for changes. Each valid key is provided twice in the SAML2 IdP Metadata, once inside IDPSSODescriptor element and once inside SPSSODescriptor element
IDS-2970 - New and/or updated signing and encryption keys are published in WS-Federation IdP Metadata when changes are detected. All non-expired signing keys and one valid encryption key is shown in the FederationMetadata. The scheduler is run every minute to check for changes
IDS-3241 & IDS-3242 - Client registration request provides jwks_uri instead of static jwks to better support key rotation
Improvements
IDS-1486 - A documentation pages for diag log description has been created to match the audit log description pages, for easier use by developers.
IDS-2757 - id_tokens are included in refresh_token grant responses when "openid" is included in the scope. Extending the requested scopes with additional claims after the refresh token has been created will not fetch additional information. More information can be found from Authorization code grant and web single sign-on - SSO
IDS-3303 - Password application IDP metadata is automatically updated from the IDP metadata endpoint once a minute to support key rotation. More details are available from Password application installation - SSO
Corrections
IDS-3125 - A Cross-site scripting (XSS) vulnerability has been resolved in SSO error page
IDS-1039 - SSO UI now shows "User account is locked" for OTP List and TOTP method after a user has tried to login with invalid code 5 times (or the amount configured in login attempts). Previously the user was shown the message after they tried to login on the 6th time after the method had already been locked
IDS-1652 - Message shown to user that have a mismatch of password and confirmation during password change now states a clearer reason for error "Make sure the passwords match. Please try again". Previously the message stated "The new credentials were not accepted" which did not point towards the reason for not being accepted
IDS-3176 - SSO UI now shows "User account is locked" for Unregistered SMTP OTP and Unregistered SMS OTP method after a user has tried to login with invalid code 5 times (or the amount configured in login attempts). Previously the user was shown the message after they tried to login on the 6th time after the method had already been locked
IDS-2828 - ubikt.jar now generates Certificate Signing Request (CSR) file from certificate contained in unix/win32.config. An example how to use the tool can be found from Increase the SSO metadata certificate private key size
IDS-3109 - SSO UI and audit logs now show correct "The user account is locked" message for TOTP method when a user has input invalid OTP code too many times and their account has gotten locked. Previously the message showed "The authentication method configuration is invalid: UNSPECIFIED"
IDS-3014 - SSO now shows correct template when returning from an external authentication method (SAML). Previously when a user returned back to the application, the default application template was shown to the user
Ubisecure CustomerID 5.9.1 (30/05/2022)
Corrections
IDS-3674 - A deviation was observed within CustomerID 5.9.0 where metadata.xml polling spawned a new polling bean for each update query. In very large deployments, this creates environment overload. This CustomerID 5.9.1 patch release fully resolves the observed polling loading issue.
When updating to this CID 5.9.1 patch, administrators should ensure that the SSO instance has been stopped, apply the patch and then restart SSO
CustomerID 5.9.0 (16/12/2021)
New Features
IDS-3236 - A new API 2.1 API, PATCH124, has been created which permits updating user information without requiring validation of all existing user information. Documentation can is available REST API 2.1 PATCH 124
Improvements
IDS-1206 - Role invitation messages has been updated to be optional, this can be set to required again by setting ui.role.invite.message.required = true in eidm2.properties
IDS-2869 - An improvement has been made for CustomerID when used with User Driven Federation (UDF). It is no longer possible for a user to register and UDF an external authentication method if their SSN is already present within the system
IDS-3303 - CustomerID IDP metadata is automatically updated from the IDP metadata endpoint once a minute to support key rotation in SSO. New configuration changes can be seen from Configuration changes in versions - CustomerID
Corrections
IDS-2234 - Reminder email is now sent to user with pending role invitation. Interval can be configured using the "renotify.roleinvitation" parameter in eidm2.properties. Previously a reminder email was not sent to the user when role invitation was done through REST API
IDS-2235 - Role invitation expiration email is now sent to invited user. The Administrator that invited user to the role also now gets notified if the user approved the invitation to the new role. Previously if the role invitation was done through REST API the user was not informed that the invitation had expired and the Administrator was not informed when the user approved the invitation.
IDS-3153 - Custom attributes can now be emptied using REST API 2.1 (PUT103) Update User. Previously the API call did not remove the custom attribute from LDAP directory
IDS-2649 - Custom attribute can now be updated and emptied using REST API 1.0 (MOD004b) Update User. Previously the API call did not update nor remove the custom attribute from LDAP directory
IDS-2652 - Clearing username field in CustomerID UI no longer shows an internal error to the user. It is strongly recommended to use validation.json configuration for this field to set it as required if it is used as login field. See information about General properties - CustomerID and Validation configuration - CustomerID
IDS-3032 - Trailing space for registration name configuration in eidm2.properties no longer breaks the registration workflow. Previously the workflow was invalid. It is still recommended to not include any trailing spaces in CustomerID configuration files
IDS-3183 - REST API 1.0 (MOD004b) did not update a user's SSN in LDAP in all cases. This has been resolved.
IDS-3057 - Updating login or email through API now updates LDAP entry as well as long as the new parameter general.login.enforce.equals.email is set to false (which is default). If you want to make sure that the login is enforced to be the user's email address, this parameter can be updated to true. Read more about this new parameter in General properties - CustomerID
IDS-2765 - SPI OpenID Connect CIBA method has been included to SSO. This allows CIBA method to be used as step-up method for your registered users. Read more about the configuration from OpenID Connect CIBA authentication method
IDS-2937 - New API calls have been added to the Accounting Service to get more information on the ticket granted events happening in your system. The API calls return method and application used for each of the events and are able to be queried daily, hourly or per minute. More information about the API calls can be found from Event details API section in Accounting Service API
IDS-3008 - TOTP API has been extended with a new call to get information if a user has the TOTP method enabled or disabled for their account. Detailed information how to use the API is available in TOTP API swagger documentation that can be configured with the TOTP API - SSO
Improvements
IDS-2862 - In Authentication requests that require End-user interaction to continue although prompt parameter is none the error response has been changed from previous access_denied to interaction_required, according to the OpenID Connect Core 1.0 specifications
IDS-2847 - Hardcoded acr_value for Client Initiated Backchannel Authentications method has been removed
IDS-2833 - CIBA adapter (previously UBAA) OpenID Provider metadata has been updated with backchannel_token_delivery_modes_supported and token_endpoint_auth_signing_alg_values_supported values. More information about the metadata can be found from Installing and configuring Swedish BankID - SSO
IDS-2837 - invalid_grant error message has been updated to use LOGIN_CANCEL error message instead of previous AUTHENTICATION_METHOD_INVALID for CIBA methods
IDS-1670 - Step-up method usability has been improved to not show any selection between step-up methods if there is only one configured for the application. For example, if only TOTP method is available as 2FA method in application, the user no longer needs to click "totp.1" button after signing in with password, but is immediately asked for TOTP code
IDS-2160 - Improved performance when generating and downloading reports from the Accounting Service. In our testing we have noted substantially decreased download times observable in larger datasets
IDS-2794 - Updated unix.config/win32.config file to include sso-api.uuid, totp.uuid and accounting.client.uuid to preserve the client IDs during upgrade of your system. Info about this can be found from Preserve essential configuration settings in upgrade
IDS-3019 - Accounting Service methods have been updated for CIBA methods. Previously named UBAA method is now referred to as UNREGISTERED.CIBA and registered CIBA method is referred to as DIR.CIBA. See Accounting Service - SSO for more information
IDS-3011 - Unregistered CIBA method: Transformation of id_token claims was changed to be same as in OpenID Connect method. Also added a new configuration option `usernameClaim` for defining the id_token claim used as the subject for the unregistered user
IDS-3015 - Token endpoint responses have been updated to have HTTP headers "Cache-Control: no-store" and "Pragma: no-cache" set by default to prevent information to be cached
IDS-3018 - Refresh token endpoint error responses have been updated in accordance to OpenID Connect Core 1.0
IDS-3061 - New compatibility flag was introduced to resolve backwards incompatibility with OTP printout and TOTP secrets in the case that the users are stored in SQL database. If this is the case LegacyUserCredentialsTable needs to be added to the method for the users to keep using their set secrets. New SQL users or existing users recreating their secrets will be handled correctly. See more details from TOTP Authentication Method and OTP Printout authentication method - SSO
IDS-3062 - CIBA adapter has been updated to include client_id in aud claim and id_token expiration time. Configuration information can be found from Installing and configuring Swedish BankID
IDS-3009 - TOTP method can now be used without additional schema changes when using AD LDS as Ubilogin Directory together with external SQL directory
Corrections
IDS-1511 - SSO Password reset: old tokens not invalidated. There are built-in features that can be used to mitigate
OTP should be set to expire (policy.oauth.otp.timeout)
Password min-age should be set greater than OTP expiration time (policy.password.min-age)
IDS-2721 - MENU_INTRO2_TEXT in SSO messages properties has been fixed to show the client name in SSO login screen when configured in client_name is configured in the metadata. Review Login screens - SSO for more details
IDS-2247 - OTP_LOGIN_REMAINING_PASSWORD_AMOUNT in SSO properties has been fixed to show the remaining one-time passwords left on the printed list to warn the user to renew the list before it runs out of passwords. More details on configurations can be found from Login screens - SSO and OTP Printout authentication method - SSO
IDS-2750 - Refresh tokens were invalid for Unregistered SMS with an Ubilogin Directory user. This issue has been fully resolved.
IDS-3104 - SPI TOTP method: Account lockout policy section is now shown in TOTP method configuration in SSO Management UI and pressing "Update" without any changes doesn't remove the lockout policy configurations.
CustomerID 5.8.0 (21/06/2021)
New Features
IDS-2770 - CustomerID REST API 2.1 has been updated with "PUT117 Reinvite User" (the endpoint was later renamed to "PUT123 Reinvite User" in the documentation). This allows an Administrator send a new email to a user with status "Waiting for registration". This might be useful if the user that is waiting to register has lost their invitation email or if their email address was invalid an Administrator can update the email and reinvite the user without having to start the process from scratch. Please find more information about this API call in REST API 2.1 - CustomerID
Improvements
IDS-2851 - policy.password.history = N configuration in SSO for CustomerID password method (password.2) now works as expected. If N is set to be 3, the user is unable to update their password to their current one or to the 2 previous ones
IDS-1947 - Input fields in pop-up windows are now pre-selected. This removes the need to select the input field before entering the verification code in, for example, mobile or email verification during registration
IDS-2943 - Inviting a user to a role through mandates when the user did not have previous mandate objects available caused errors in the CustomerID UI although role was added. This has now been resolved and correct message is displayed to the Administrator.
IDS-2709 - Registering a user without filling in optional custom attribute field previously caused a stack trace error and did not populate SQL db with user information. This has now been resolved and optionalcustom attributes can again be used within registration.
IDS 2021.1
SSO 8.7.1 (21/06/2021)
Corrections
IDS-3125 - Cross-site scripting (XSS) vulnerability has been corrected in error template
SSO 8.7.0 (20/01/2021)
New Features
IDS-1256 - SSO now supports Authorisation Code Flow with Proof Key for Code Exchange (PKCE) and will start validating the code_challenge and code_verifier for clients that are already sending them now. PKCE is currently only supported when SSO acts as Authorisation server (IDP). More information can be found from Authorization code grant - SSO and Provider metadata reference - SSO
Improvements
IDS-2784 - Accounting Service dependencies has been updated to remove vulnerabilities. You can find the latest versions used in the Accounting Table 2 on 3rd party licenses - SSO
IDS-2706 - SSO dependencies have been updated to remove vulnerabilities. You can find the latest versions used in the SSO Table 1 on 3rd party licenses - SSO
IDS-2498 - Issue with policy.password.history parameter has been fixed and new passwords are compared against the amount of previous passwords in the system. If value is set to 5, the user can not change to the any of the 5 previous passwords used. This policy still has issues with CustomerID and causes issues in user creation if enabled for password method used in CustomerID, see IDS-2851 in known issues
IDS-2985 - Refresh token logging have been extended with details of which refresh token was trying to be accessed to help with troubleshooting. This can be enabled by setting debug level on diag.protocol logs.
CustomerID 5.7.0 (20/01/2021)
New Features
IDS-2766 - CustomerID REST API now support OAuth2 access tokens for authentication. This allows Administrators to enable access to specific users instead of relying on hardcoded username and password being distributed throughout the organisation. More information on how to configure this for your system can be found from Configuring OAuth2 authentication for REST API
IDS-2767 - API calls using OAuth2 access tokens have been added to audit logs. This will allow Administrators of the system to better monitor which users are using with API calls compared to previous hardcoded username and password. More information can be found from Logging - CustomerID
IDS-2768 - Administrators are able to disable basic HTTP authentication and query parameter authentication using simple username and password for REST APIs to make sure REST calls can only be done with OAuth2 access tokens. See REST API configuration options - CustomerID for details
Improvements
IDS-2707 - CustomerID dependencies have been updated to remove vulnerabilities. You can find the latest versions used in the CustomerID Table 1 on 3rd party licenses - CustomerID
IDS-2855 - CustomerID REST API 1.0 has been updated to use same authentication methods as other API versions. Information on how to use different authentications can be found from REST API authentication - CustomerID