Identity Server 2025.1 Release Notes

Release highlights

This release introduces the following new features and improvements:

Improved Log Correlation with Session and Conversation Identifiers

A highly requested SSO feature has now been implemented. Two new fields have been added to the SSO audit and diagnostic logs to improve traceability and streamline troubleshooting:

  • Session ID: A unique identifier generated when a single sign-on (SSO) session is created. It lets you follow the lifecycle of an SSO session across both logs.

  • Conversation ID: An identifier generated by SSO for each conversation within a session. It correlates the related operations that take place within the same session context.

These additions enable more effective log correlation, making it easier to trace the full flow of authentication and related events across both audit and diagnostic logs.
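As an added illustration of the correlation these two fields make possible (example code written for these notes, not part of SSO or its documentation), the script below merges audit and diagnostic entries by Session ID, groups them by Conversation ID, and pairs each failed Login with the diagnostic messages from the same conversation. The line layout and the key names sessionId, conversationId, source, event, result and msg are assumptions made for the example; the actual field names and layout are given on the linked Audit log description page.

```python
import re
from collections import defaultdict

# key=value pairs, values optionally double-quoted (assumed layout, see lead-in)
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample data: session s-100 logs in and gets a ticket, session
# s-200 fails to log in, session s-300 exists only in the diag log so far.
AUDIT_LINES = [
    '2025-03-01T10:00:00Z source=audit event=Login sessionId=s-100 conversationId=c-1 user=alice result=success',
    '2025-03-01T10:00:02Z source=audit event="Ticket granted" sessionId=s-100 conversationId=c-2 app=crm',
    '2025-03-01T10:05:00Z source=audit event=Login sessionId=s-200 conversationId=c-7 user=bob result=failure',
]
DIAG_LINES = [
    '2025-03-01T10:00:01Z source=diag level=INFO sessionId=s-100 conversationId=c-1 msg="method selected: password"',
    '2025-03-01T10:05:00Z source=diag level=WARN sessionId=s-200 conversationId=c-7 msg="invalid credentials"',
    '2025-03-01T10:06:00Z source=diag level=INFO sessionId=s-300 conversationId=c-9 msg="session created"',
]

def parse(line):
    """Split one log line into a dict; the leading token is the timestamp."""
    ts, _, rest = line.partition(' ')
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields['ts'] = ts
    return fields

def correlate(*log_sources):
    """Return {sessionId: {conversationId: [events in time order]}} across all given logs."""
    sessions = defaultdict(lambda: defaultdict(list))
    for lines in log_sources:
        for line in lines:
            ev = parse(line)
            sessions[ev['sessionId']][ev['conversationId']].append(ev)
    for convs in sessions.values():
        for events in convs.values():
            events.sort(key=lambda e: e['ts'])  # audit and diag entries interleave by time
    return sessions

def login_failures(sessions):
    """For each failed audit Login, collect the diag messages of the same conversation."""
    out = []
    for sid, convs in sessions.items():
        for events in convs.values():
            for ev in events:
                if ev.get('event') == 'Login' and ev.get('result') == 'failure':
                    diag = [e['msg'] for e in events if e['source'] == 'diag']
                    out.append((sid, ev['user'], diag))
    return out

if __name__ == '__main__':
    for sid, user, diag in login_failures(correlate(AUDIT_LINES, DIAG_LINES)):
        print(f'session {sid}: login failed for {user}; diag says {diag}')
```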

For an explanation of this functionality, please see https://ubisecuredev.atlassian.net/wiki/x/7SOqRAI; specific examples can be found under Audit log description - SSO: Login.

Please ensure you review the updated System Recommendations page and are aware of the 3rd Party License page.

Change log

SSO 9.6.0

New Features

Improvements

  • IDS-4856 - Client Display Name Logging has been improved for all authentication methods. The functionality has been extended from Mobile PKI to all methods: SAML, OIDC and modules. This improvement adds detail to audit logs. The AuditClientDisplayName compatibility flag enables the Client Display Name audit log entry in the Login event for all methods.

  • IDS-4955 - When configuring the associated SMS services via the SSO Admin UI, the associated password could be stored as an unencrypted value. This did not occur if the SMS service password was configured via the SPI Mobile Phone service. Both methods of SMS service password configuration now ensure encrypted password storage in the API, the UI and direct LDAP viewing.

  • IDS-4963 - When using the BankID adapter, the user certificate claims are now added to the response, and the claims from the user certificate can be extracted with policy.xml.

  • IDS-4855 - Improves the documentation for the AuditClientDisplayName flag when used with the eventId parameter. This is a general improvement wherever eventId is used along with the flag.

  • IDS-5059 - Adds a common Session ID to the diag log, viewable in the Logviewer as well as in the diag log file.

  • IDS-5060 - Updates the audit log: Authentication ID is replaced by a common Session ID for the entries Login, Ticket granted, Consent confirmed and Consent rejected. For details, please see Audit log description - SSO | Authentication method selection, specifically the Session ID field in the Login subsection.

  • IDS-5062 - Adds a Session Index to SSO's diag log, which permits grouping of diag log entries for a specific application session.

Corrections

  • IDS-4448 - Accounting service had previously required 180 days of log files before the automated cleaner permitted file deletion. This has been corrected to 32 days, which is sufficient to ensure monthly reporting availability without requiring needless storage of pseudonymised accounting logs over a long duration; this is especially helpful for large deployments.

  • IDS-2092 - There was a known issue where the Tomcat log showed a severe servlet warning for com.ubisecure.ss-ui. This warning has been corrected and will not cause logging at the INFO level. This item has been removed from the Considerations, Limitations and Known Issues page as it is now resolved.

  • IDS-4654 - The legacy support for DB2, specifically the remaining integration test, has been removed from SSO. This database has not been supported in Identity Server for a number of years, so this alteration will have no impact on customers running currently deployed versions of Identity Server.

  • IDS-5061 - Within Windows installations of SSO 9.5.1, "Failed to grant…" errors were observed during installation. These could be safely ignored, and the error has now been corrected.

CustomerID 6.6.0

New Features

Improvements

  • IDS-4989 - Logback dependencies have been removed from several non-application jar files.

  • IDS-4405 - curl.exe has been removed from the CustomerID packages; CustomerID will use the curl.exe available from the Windows installation that Identity Server is deployed on, as needed. This also means that curl.exe has been removed from the 3rd Party License page, as we no longer deliver the utility as part of the package.

Please review the change log if you are upgrading your system from a prior version to IDS 2024.2: Identity Platform

Deviations

The following deviations are found within Identity Platform and are expected to be corrected over time. For a listing of known issues found on Identity Platform, please see: Considerations, limitations and known issues

SSO

Ticket number

External description

IDS-561

There is a known issue where SSO does not check the mappingURL value when creating or editing inboundDirectoryMappings via the SSO REST API. Directory mappings can be created, but then cannot be opened or edited.

IDS-1030

There is a known issue where running the CertAP setup.cmd in a Windows environment will post errors about missing Linux tags. While these errors are unsightly, they can be safely ignored. This issue will be corrected in a future release.

IDS-1499

There is a known issue where SSO returns HTTP 401 rather than HTTP 400 when token introspection is requested without an authentication header or with invalid credentials.

IDS-1629

There is a known issue resulting in unclear error messages. When a user is configured without a phone number and the SMS OTP method is added to their profile, one of two error messages results. If SMS OTP is the only authentication method enabled, the message will be "The user account is disabled". If other authentication methods are enabled, the message will be "Access to the requested resource is denied".

IDS-1648

This known issue is only present with password2. The user is presented with a popup "Update: Invalid account Status" if one of the previous three passwords is used when asked to update their password. There is no known workaround.

IDS-1662

The use of any of the following special characters in a search will result in an internal server error 500 and a stack trace. Symbols: + = # ; , < > Workaround: administrators should not use these special symbols when naming users or searching for users.

IDS-1893

There is a known issue where, if OpenID authentication is used, a user cannot access SAML or Ubilogin web applications. Workaround: use any other non-OpenID authentication method. If OpenID is required, use an OAuth 2.0 application.

IDS-2090

There is a known issue where the SSO management UI will not filter results correctly if the filter expression is short, contains incorrect filter expressions and includes Scandinavian characters.

IDS-2244

There is a known issue where using special characters in persistentID name mappings within the SSO management API may result in incorrect site or policy ID values being returned. Recommended workaround: do not use special characters such as "=", "," or "#" in site and policy mapping names.

IDS-2260

There is a known installation issue when using SSO Password Reset. Following the installation instructions for the password reset tool requires an administrator to run tomcat update. This occasionally results in an empty context.xml file being created, which causes SSO to fail on restart. Workaround: repeat the run tomcat update step, which will create a correct context.xml file, and SSO will restart.

IDS-2478

There is a known issue in SSO where it is not possible to have different localisations for the access_denied returned by the IdP and the local access_denied, for example when directory user mapping fails after successful authentication.

IDS-2790

There is a known issue where sending an invalidly formatted request to the introspection endpoint returns a stack trace that includes the server version number. This can be mitigated by following our security considerations for using a reverse proxy and customising error pages with HAProxy: Security considerations for production environments - SSO

IDS-3092

There is a known issue where administrators are unable to alter password encoding through the SSO management UI. There is no known UI workaround.

IDS-3625

There is a known issue where an ERROR 500 message with a stack trace is shown in the browser if no valid encryption key is available in SSO. Mitigation: use a reverse proxy to catch all 500 errors and show user-friendly information instead; see Security considerations for production environments - SSO

IDS-3665

There is a known issue where the authorisation endpoint may become corrupted if a URL contains "%20" in URL-encoded format.

IDS-3730

There is a known issue where, when the "Force Reauthentication" configuration is used for an application that uses refresh tokens, the refresh tokens are immediately invalidated. Workaround: do not use "Force Reauthentication"; instead set max age to 0 in the auth request, which forces authentication while the refresh tokens remain valid.

IDS-3971

There is a known issue which results in a non-impacting stack trace being logged when updating metadata using ManagedScheduledExecutorService for SAML 2 AP. There is no known workaround for this non-impacting log event.

IDS-4202

There is a known issue where attributes forwarded from an external authentication method are not available after the access token has been refreshed. No known workaround is available at this time.

IDS-4644

There is a known issue where the use of special characters within a user's name, such as ")" (for example "Bud)"), will break the user mapping view. Workaround: do not permit special characters within user names.

IDS-4669

There is a known issue where the status refresh does not update entryTtl for dynamic session objects. There is no known workaround at this t

IDS-4733

There is a known issue within SSO which could permit XML expansion from an external entity. Additionally, there is a known issue within SSO which could allow header injection. Both items will be corrected in an upcoming patch, SSO 9.4.1.

IDS-4967

There is a known issue where SSO may leave IO streams in an improperly closed state, which results in a diag log warning when the SSO server is shut down because the LDAP connection thread could not be shut down.

IDS-5031

There is a known issue with TOTP as nextFactor for OIDC which results in the user being denied access if they have not first selected an OIDC method of authentication. The workaround is to instruct users to select an existing OIDC authentication method first, with TOTP as MFA.

CustomerID

Ticket number

Description

IDS-1373

There is a known issue in CustomerID where, when a new user is created in a non-virtual organisation, the invitation can contain a role even though no role has been approved for that user.

IDS-1509

There is a known issue where, when a new user is invited to a virtual organisation, the CustomerID administrator cannot approve the user; an internal server error occurs.

IDS-1706

There is a known issue with null values (DbAssignable.set and DbAssignable.isNull) which may result in NullPointerExceptions when using REST calls. This impacts Roles, Mandates and Invitations.

IDS-2312

There is a known issue in the approval view where changing the technical name of an organisation to include Scandinavian letters doesn't work.

IDS-2683

There is a known issue where the CID REST APIs 2.0 and 2.1 do not locate organisations with URL-encoded characters in their names. Workaround: if possible, ensure there are no characters that require URL encoding (for example Ä, Ö, Å) within organisation names.

IDS-2703

There is a known issue where a role name differing only in case can be created, which results in one LDAP entry and two SQL entries.

IDS-2816

There is a known issue which will raise an unhandled exception if the user's SMTP server cannot be resolved. This causes a database collision which may prevent the same email address from being used, as it already exists within the database but not in a fully created form.

IDS-2876

There is a known issue where, if a user is rejected from the UI, the error "Error when trying to get approval request with ID: null" is logged together with a stack trace. This stack trace can be safely ignored.

IDS-2934

There is a known issue in CustomerID Mandates where no renotify email is sent to a new user to register using a mandate invitation. An admin user sends a mandate from the Admin UI to a new user that is not registered in the system. The email is sent correctly, but no renotify email is sent to register with the system. The mandate expires correctly and an email is sent stating that the mandate has expired.

IDS-2941

There is a known issue where an NPE will occur if an administrator views an ORG2PER mandate from the CustomerID management UI.

IDS-3058

There is a known issue in the change password application of CustomerID where the return URL is missing a forward slash (it returns "https:/" rather than "https://"), resulting in a failed redirect if the cancel button is enabled.

IDS-3765

There is an issue with JDK 11.0.15 that prevents Wildfly from working.

IDS-5057

There is a known issue where a user invitation can be used after its expiry date. If an invited user creates their account after the expiry (example: expire.pendinguser = 2d), their account will not be created correctly and will need to be manually removed before a new invitation and account can be created.

Resolved Known Issues

The following items have been listed as Known Issues; reviewing them has shown them to be resolved or no longer present.

  • IDS-941 - Found on the Known Issues page: There is a known issue where unregistered SMTP OTP authentication will not permit TLS or any secure authentication. A documentation improvement will be made to ensure proper configuration is shown if unsecure SMTP servers are required. This has been corrected; see: Installing SMTP authentication method - SSO, Configuring an SMTP authentication method, mail.smtp.starttls.enable="true".

  • IDS-1832 - There is a known issue where editing an existing authorisation policy (in the example case, adding an attribute) resulted in the alteration of ubiloginNameValue. This affects SSO 8.3.0 and later. There is no workaround at this time. This has not been present in SSO 8.6.0 and later.

  • IDS-2089 - There is a known issue where shutting down the Ubisecure Accounting service on a Windows server will show errors within ids-accounting.log. The errors are no longer present as of this release.

  • IDS-2315 - There is a known issue where SSO returns a refresh token for unregistered users. This should not happen, since there is no way of handling the lifecycle of an unregistered user's refresh token. This issue was resolved with the SSO 9.0.0 updates.

  • IDS-2713 - There is a known issue impacting Windows server installations, where the import and export tools fail to move users between CustomerID 5.3.x and later versions. This has been resolved in CustomerID 6.0.0.

  • IDS-3698 - There is a known issue where rejecting a user registration doesn't remove the approval request from the CustomerID database. A workaround for this is to remove the pending approval request from the database. This was resolved in the CustomerID 6.2.1 release.