/
Change Log - Identity Platform

Change Log - Identity Platform

Identity Platform Change Log

Identity Platform Change Log

IDS 2024.2

 

SSO 9.5.1

Corrections

  • IDS-5046 - There was an observation in Windows installation where the Accounting service caused CPU usage to spike. This was due to an error in Apache Commons Daemon for Windows. The Apache Commons has been updated and the CPU usage spike is no longer present.

SSO 9.5.0

Improvements

  • IDS-2429 - An often requested, but low level improvement to SSO is to create an example-template location within the installation package to permit Administrators creating new environments to more easily locate all of the available configuration options. Please see the Example configuration directories for Linux and windows within Configuration - SSO.

  • IDS-3330 - Ability to configure the timeout value within Redis when used with SSO. Please see Timeout Configuration on Redis Configuration - SSO

  • IDS-3429 - Improved SMS authentication method (SPI Mobile Phone) to include both GET and POST message sending methods. Default remains as a GET.  Please see the documentation, section 6. Click SPI Mobile Phone tab, for more detail. 

  • IDS-4449 - SSO OAuth2 supports URL encoded client credentials as required by section 2.3.1 of RFC6749.

  • IDS-4818 - An improvement has been made to both UI and API for SSO when creating or updated an applications metadata to ensure a unique clientID is used. 

  • IDS-4827 - Included the ability to configure the trusted SAML keys for ETSI MSS MPKI via API. 

  • IDS-4719 - Swedish BankID adapter no longer uses a personal number during authentication of a session. Code improvement has been made to remove the use of personal number, which is no longer supported within BankID authentications.

Corrections

  • IDS-4885 - Within Client Credentials, password applications which use URL encoded client secret will function without error, see also IDS-4886 in the CustomerID section.

  • IDS-4868 / IDS-4763 - Through a customers low level auditing of SSO there was a hypothetical XML expansion bug found within SSO. With extensive knowledge of SSO, it was possible to craft a hypothetical attack, however during testing these attacks were found to result in "Ticket Validation Error" being displayed to the user (or attemptive attacker) and ERROR messages being logged. A solution has been implemented which prevents this hypothetical XML expansion attack vector. 

  • IDS-4847 - a correction of Azure metadata export, where the tenantid is presented with curly braces. SSO will now manage this improper format permitting improved use of this resource.

  • IDS-4526 - There was a know issue that occurs in SSO Management UI when removing the last user from an existing application, the UI will appear blank with no application to select. Note: Only one user can be impersonated by an application.

  • IDS-4431 - There is a known issue where SSO will provide an incomplete OAuth2 response when access has been denied. This has been improved and is no longer a deviation.

  • IDS-3117 - The body option has been removed from the TOTP GET call. 

  • IDS-3026 - Corrected key management between RSA_OAEP_256 in JWE tokens, used by Nimbus and Jose4j . It has been observed that errors occur when these libraries are used with previous versions of SSO. 

  • IDS-2314 - This item is not a defect, SSO verifies the account represented by refresh token still exists, is enabled etc. when a refresh token is used to get a new access token. This is obviously not possible with unregistered users where we by definition have no record of the account. Historically, this ticket carried the following description: There is a known issue with passing a refresh token to token endpoint results in "invalid_grant" error, if the refresh token has been issued to an unregistered user from an authentication method having a connected Directory Service. This issue is now closed. Please open a Service Desk ticket if you require additional details.

SSO Modules

Over the course of twenty years of development, there have been a number of code modules that have been developed for Identity Platform, specifically for SSO, which provide functionality to some deployments but where the code is not an essential component or function found within the SSO release package itself. Within the IDS 2024.2 development cycle we have updated a number of these external modules. They provide specific solutions for specific use cases, so if you are unaware of these modules, they likely do not impact or benefit your environment. However, if you have been using one or more of these modules, we would like to work with you to ensure that your current operating environment can benefit from these latest updates. Each of the updates require a Java11 environment and have only be tested with SSO 9.5, therefore until your environment upgrades to this release, please continue using your existing modules. We would ask you to contact Support via Service Desk so we can prepare the modules to be downloadable for you - this will occur after the release of the IDS 2024.2 software. 

  • Metadata Updater

  • CertAP

  • SAML SP for Java

  • SAML palvelu

CustomerID 6.5.1

Improvements 

  • IDS-4984 - There was an improvement made to the Countries class in CustomerID to prevent concurrency issues in production. 

CustomerID 6.5.0

Improvements

  • IDS-3765 - There was a known issue where JDK 11.0.15 would prevent Wildfly from working/starting correctly. This has been resolved in later versions of JDK 11.x.x

  • IDS-1340 - CustomerID Rest 2.1 API has been improved to permit an administrator to force password changes for existing users, this can be performed via Rest API 2.1 - CustomerID.  Please see the documentation for PUT125 Force Password Change for User.

  • IDS-4911 - Improved the diag logs for CustomerID, it had been observed that warnings were being logged in diag log when invalid event listener was included in a previously release CID package.  While these events could be safely ignored, the invalid event listener has been removed which also removes the warning found in diag logs.

  • IDS-4886 - Improvements have been made to CustomerID to permit the use of a URL encoded secret. The following flag is no longer required:  DisableOAuth2CredentialsUrlDecoding.

  • IDS-4877 - Improved the management of user with OAuth 2.0 authentication to ensure both API and UI requested user moves are possible for all the following functions; 

    • Password

    • SAML 

    • OIDC

    • SMS

    • SMTP 

    • OTP 

    • TOTP

Corrections: 

  • IDS-3392 / IDS-4889 - There was a known issue when an Administrator user is used moved to another organisation then error was logged. The Administrator users was correctly moved, but a safely ignorable log entry was created. This known issue has been corrected. Now there is no log entry error present.

 

IDS 2024.1

SSO 9.4.1

Improvements

  • A number of improvements within the Mobile PKI / MPKI service implementation were improved to conform with updated use cases and logging requirements specified by Traficom.

  • SSO’s Tomcat was updated to 9.0.87

SSO 9.4.0

New Features

  • IDS-4438 - We have updated the Swedish BankID authentication implementation to include BankID Web service API v6.0. This is experienced by end-users as the animated QR codes when authenticating sessions or payments on the web (via two-device or mobile phone scanning of the animated QR code).

Improvements

  • IDS-4108 - We have optimised the codebase, deprecating "tokeninfo_endpoint" from /uas/oauth2/metadata.json. Please use the more general "introspection_endpoint" instead.

  • IDS-4545 - We have verified the ability of Identity Platform to run on Red Hat Linux 9 compatible platforms.

  • IDS-4493 - We have improved SSO’s CORS handling process by allowing browser application to make calls to the /introspection and /userinfo endpoints. Please review Restricting allowed origins

Corrections

  • IDS-3174 - There was a known issue within common-ubiutil that returned an unescaped value where an escaped value is expected. This was identified during a misconfiguration and has not been reported to impact any operational environments. This error has been corrected and will no longer occur.

CustomerID 6.4.1

Improvements

  • IDS-4863 - Removed a coding error present when using SSO’s TOTP along with CustomerID’s ability to move users between Organisations. Prior to this patch, moving a user would result in errors and impact both LDAP and PostgreSQL.

CustomerID 6.4.0

New Features

Improvements

  • IDS-3681 - It was possible to receive too many notifications due to the incorrect configuration of renotify.roleinvitation. Product documentation improvements have been made to better describe the use cases of Expiration periods - CustomerID and Reminder periods - CustomerID.

  • IDS-3826 - It was possible to misconfigure PostgreSQL which would result in continuous invitations being sent out by CustomerID. The invitation worker code has been updated to ensure this no longer happens. 

  • Under the hood improvements to CustomerID

Corrections

 

IDS 2023.2

 

SSO 9.3.1

Corrections

  • IDS-4540 - We have observed and corrected intermittent authentication errors for Customers attempting authentications with a legacy Microsoft integration (SignIn with SAML). These intermittent authentication errors were due to the combination of cache performance improvements that we implemented and Microsoft allowing the use of non-unique entityIDs in their legacy SignIn with SAML service.

  • IDS-4571 - We have corrected the issue with mapping Remote Identities (also called ubiloginAuthMapping) to Ubilogin Directory identities when the same Remote Identity is used in two or more Authentication Mappings. If this lesser-used historical feature is used in your environment, please visit Enabling UsernameUserMappingIdentityFactory.

SSO 9.3.0

New Features

  • IDS-1315 - Implementation of the OAuth 2.0 Client Credentials Grant authentication method into SSO.

Improvements

  • IDS-4013 - We have allowed the Health of the Accounting to be checked without authenticaion.

  • IDS-4140 - We have made an improvement to SSO’s CleanupManager to ensure that it will continue to clean up sessions even if there are connectivity issues between SSO and LDAP. Environments that have long uptime could eventually run out of memory due to CleanupManager failing silently.

  • IDS-4232 - We have observed and corrected SSO consuming increased amounts of memory during testing. This ticket corrects SSO ExpiringMessageTracker, which was found to leak memory causing issues for very large environments or environments with very long uptime.

Corrections

  • IDS-2089 - There was a known issue where shutting down Ubisecure Accounting service on a windows server will show errors within the ids-accounting.log. This issue has been resolved.

CustomerID 6.3.0

New Features

  • None implemented for this release.

Improvements

  • IDS-3771 - We have suppressed the default help files found in CustomerID UI. These help files have been fully replaced by the Developer Portal. It is possible to return the help link icon to your environment, please see the following documentation if you use the help link icon within your environment. See: Custom CSS styling - CustomerID and Help files - CustomerID.

Corrections

  • IDS-2791 - We have observed and corrected an error where a user who cancels their CustomerID registration, without completing the process, will result in a SSO session remaining open. As a security improvement, the default setting has been changed for CusotmerID version 6.2.1 and later. Please see: CustomerID registration.N.logout.when.cancel. Self-registration workflow configuration - CustomerID | Self registrationworkflowconfiguration CustomerID registration.N.logout.when.ca...

  • IDS-4034 - There was a known issue when using the CustomerID user interface to delete user custom attributes that results in a data conflict between the two datastores used for the Identity Platform. Manual correction of LDAP is required. This known issue has been corrected as of CID 6.2.1.

  • IDS-4221 - Changing organizations friendlyName with REST API PUT call results in loosing role membership issue is now resolved.

  • IDS-3483 - There was a known issue with the GET113 List Organization's Users API call. When adding parameter ?status=Enabled the call returned Internal error. This issue has been resolved, no internal errors are experienced when using this API. 

  • IDS-3698 - There was a known issue when rejecting a user registration that didn't remove the approval request from the CustomerID database. This was resolved in CID 6.2.1 and is part of this CID 6.3 release.

  • IDS-3727 - There was a known issue with email validator in regards to case-sensitive emails. For example user@email.com and User@email.com were treated as different emails. This error has been corrected in CID 6.2.1 and is part of the CID 6.3 release.

IDS 2023.1

SSO 9.2.2 (20/06/2023)

Corrections

  • IDS-4140- We have made an improvement to SSO’s CleanupManager to ensure that it will continue to clean up sessions even if there are connectivity issues between SSO and LDAP. Environments that have long uptime could eventually run out of memory due to CleanupManager failing silently.

  • IDS-4233 - We have observed and corrected SSO consuming increased amounts of memory during testing. This ticket corrects SSO ExpiringMessageTracker, which was found to leak memory causing issues for very large environments or environments with very long uptime.

SSO 9.2.1 (22/05/2023)

Improvements

  • IDS-4262 - A minor alteration was made to the cancellation workflow to conform with end user existing expectations.

SSO 9.2.0 (27/04/2023)

New Features

  • IDS-3886 - Found within SSO 9.2.0, is the ability to utilise Swedish BankID in same device flow operations. Tested with Android and iOS mobile phones over the most common web browsers. This new feature is conformant to Swedish BankID specification 3.7  

Improvements

  • IDS-4042 - For very high capacity environments, there is the option to augment SSO with a Redis cluster. We have updated Redis to version 6.2.8. Please ensure you have consulted with Support prior to implementing Redis.

  • IDS-3983 - OpenLDAP MDB has been updated to version 2.5.14 LTS, please see OpenLDAP pages for additional details: https://www.openldap.org/software/release/changes_lts.html over the directory. Please review System Recommendations and Supported Platforms for the requirements of OpenLDAP within Identity Server.

Corrections

  • IDS-3311 - Corrected the inability to localise the deployment in the Swedish language and use password-reset.  This is now possible without error.

  • IDS-3835 - Corrected a directory cache cleaning error which resulted in very high capacity environments requiring periodic reboots to clear inactive sessions found in com.ubisecure.ubilogin.directory.authz.Methods

 

CustomerID 6.2.1 (20/06/2023)

New Features

Improvements

  • IDS-3771 - We have suppressed the default help files found in CustomerID UI. These help files have been fully replaced by the Developer Portal. It is possible to return the help link icon to your environment, please see the following documentation if you use the help link icon within your environment. See: Custom CSS Styling and Help Files

Corrections

  • IDS-2791 - We have observed and corrected an error where a user who cancels their CustomerID registration, without completing the process, will result in a SSO session remaining open. As a security improvement, the default setting has been changed for CusotmerID version 6.2.1 and later. Please see CustomerID Self-registration workflow configuration and search for "registration.N.logout.when.cancel".

  • IDS-3698 - We have observed and corrected an error where not all user data is deleted from datastores when a user application is rejected.

  • IDS-3727 - We have observed and corrected an error where CustomerID default email validator permitted an existing email address to be used for new registration if capital letters were used.

  • IDS-4034 - There was a known issue when using the CustomerID user interface to delete user custom attributes that results in a data conflict between the two datastores used for the Identity Platform. Manual correction of LDAP is required. This known issue has been corrected as of CID 6.2.1

CustomerID 6.2.0 (27/04/2023)

New Features

  • None required for this release

Improvements

  • IDS-3851 - CustomerID utalises WildFly as its webserver, the underlying WildFly has been updated to WildFly 26.1.2 for this release.

Corrections

  • None required for this release

IDS 2022.2

SSO 9.1.0 (25/10/2022)

New Features

Improvements

  • IDS-3694 - There is an update for the SAML SP for Java module (for Java 11) used to integrate web applications to SSO.  Please review SAML SP activation - SSO.

  • IDS-3578 - There is an improvement for TOTP logging level (to ALL). Please review TOTP API Configuration - SSO.

Corrections

  • IDS-3745 - There was a known issue with id_token expiration times between application specific and server specific timeouts. If the application and server timeout is separate, the application specific expiration time will take the server timeout + application timeout as the id_token expiration time

  • IDS-3767 - There was a known issue with Unregistered SMS or SMTP method used as second factor. If the method is not allowed for the intended group (not allowed for any group) or the configuration is left in a half configured state, then SSO shows ERROR 500 and a stack trace to the user

  • IDS-3863 - There was a redirection vulnerability within the password-reset tool that permitted open domain, any URL, to be used as potential redirection. While there is no known instance of use of this deviation, we have resolved this by adding the ability to define allowed hostnames in returnurls.

  • IDS-3871 - There was a redirection vulnerability within the password-reset tool that permitted cross site scripting to be post-pended to urls and used as potential redirection. While there is no known instance of use of this deviation, we have resolved this by adding the ability to define allowed hostnames in returnurls.

  • IDS-1832 - There was a known issue where editing an existing authorisation policy (example case added an attribute) resulted in the alteration of ubiloginNameValue. This was corrected in other work found within SSO 8.6 and no longer impacts any supported version of SSO.

CustomerID 6.1.0 (25/10/2022)

New Features

  • None developed for this IDS 2022.2 release

Improvements

  • IDS-3572 - SSN validation in CustomerID has been updated to also accept new formats of SSNs that are coming into effect in Finland from 1st of January 2023

  • IDS-3872 - As part of ongoing maintenance, the PostgreSQL driver has been updated from 42.4.0 to 42.5.0 

Corrections

  • None required for this IDS 2022.2 release

IDS 2022.1

Change log  SSO 9.0.0 (21/06/2022)

New Features

  • IDS-3140 - SSO support for Java 11

  • IDS-3142 - Accounting Service support for Java 11

  • IDS-3143 - CIBA Adapter (Swedish BankID) support for Java 11

  • IDS-1531 - OpenLDAP version has been updated to 2.5.6 and backend changed from BDB to use MDB. See System Recommendations and Supported Platforms for details related to disk space and memory requirements

  • IDS-3492 - SessionManagerFactoryLDAP has been added as default session manager for better performance with OpenLDAP MDB

  • IDS-2671 - SSO now support Sign in with Apple. A few new parameters have been introduced to enable this integration. Check out our Configure Sign in with Apple knowledge base article

  • IDS-2117 - SSO acting as broker now supports ftn_spname for OpenID Connect methods. This parameter is enabled with FinnishTrustNetwork parameter for the method and uses the client_name specified for the application as the ftn_spname value. Read more about the configuration from OpenID Connect authentication method - SSO configurations

  • IDS-3491 - SSO OAuth 2.0 applications can be configured to overwrite the spname value configured in the system, to use the value coming from another trusted broker in the Finnish Trust Network. This is configured through the AllowFtnSpname configuration string. More details on this configuration string can be found from OAuth 2.0 integration guide - SSO

  • IDS-2979 - SSO acting as broker now support spname for SAML methods. Similar to OpenID Connect, this parameter is enabled with FinnishTrustNetwork parameter for the method and uses the client_name specified for the application as the spname value. Configuration information can be found from SAML IDP Proxy - SSO

  • IDS-3518 - SSO SAML applications can be configured to overwrite the spname value configured in the system, to use the value coming from another trusted broker in the Finnish Trust Network. This is configured through the AllowFtnSpname configuration string. More details on this configuration string can be found from SAML2 configuration - SSO

  • IDS-3006 - SSO acting as broker now support spname for Mobile PKI methods. This parameter is enabled with FinnishTrustNetwork parameter for the method and uses the client_name specified for the application as the spname value. The value is shown in the DisplayName field of schema as shown in the Installing and configuring ETSI MSS Mobile PKI - SSO

  • IDS-3673 - Unregistered SMTP OTP can be used as multi-factor authentication for OpenID Connect and SAML methods

  • IDS-3672 - Unregistered SMS OTP can be used as multi-factor authentication for OpenID Connect and SAML methods

  • IDS-3676 - SSO Management API has been updated to enable linking of Unregistered SMS and SMTP methods to SAML and OIDC methods. API calls for nextFactor and previousFactor, as well as usage can be found from Management API - SSO in section Linking objects

Improvements

  • IDS-3149 - A new client configuration has been added to SSO to mitigate Downgrade attacks. "require_signed_request_object" can be set to true in client metadata to require authorisation requests to be signed. See Client configuration reference - SSO for details

  • IDS-2827 - Public clients can now be configured to use PKCE without client_secret. When including "token_endpoint_auth_method": "none" in the client metadata - PKCE (code_challenge is required in the authorisation requests). Configuration information can be found from Authorization code grant and web single sign-on - SSO

  • IDS-3617 - Improvements to the TicketProtocolOAuth2Exception and TicketProtocolException loggings for OAuth2 and SAML2 applications to include client Id (where available) to easier debug where issues with application configurations. Example of new log entries extended with client IdSAML2 application

  • SAML2 application

    2022-03-18 10:22:50,380 protocol [192.168.0.108] SingleSignOnServlet: protocol.TicketProtocolException: [saml-application] Ticket validation error: ...

    OAuth2 application

    2022-03-28 12:50:57,409 protocol ERROR [172.30.0.1] AuthorizationServlet: protocol.oauth2.TicketProtocolOAuth2Exception: [oauth2-application] Invalid ticket request: ...

  • IDS-2992 - Springboot version has been updated to 2.5.x version for Accounting Service to remove known CVEs. With this update there is a need to manually update the logging.file.max-history value to logging.logback.rollingpolicy.max-history in sso/ubilogin/config/accounting/config/application.yaml. More details can be found from the SSO upgrade guides Upgrade on Linux - SSO and Upgrade on Windows - SSO

  • IDS-3521 - SpringBoot version has been updated to 2.5.x version for TOTP API to remove known CVEs

  • IDS-3683 - SpringBoot version has been updated to 2.5.x version for CIBA Adapter (Swedish BankID) to remove known CVEs

  • IDS-3744 - The default heapsize for Tomcat has been increased from 512MB to 2048MB (2GB), which reflects current operational needs for many installations. This may be adjusted up or down depending on your environment.

  • IDS-3733 - ubilogin-server service description has been updated from "Tomcat" to "Ubisecure SSO" in connection to systemd changes

  • IDS-3594 - TOTP API and Accounting Service Springfox library has been replaced with Springdoc related to Swagger documentation

  • IDS-3741 - CIBA Adapter (Swedish BankID) Springfox library has been replaced with Springdoc related to Swagger documentation

Corrections

  • IDS-2059 - A correction to state value where previously if state included '%2B' it converted it to '+' in authorisation response. This is now resolved and returns the expected '%2B' in the response

  • IDS-3601 - A security vulnerability in password-reset application that allowed updating password of a user without verifying OTP code has been corrected

CustomerID 6.0.0 (21/06/2022)

New Features

  • IDS-3141 - CustomerID support for Java 11

  • IDS-3506 - Logging in CustomerID has been updated from previous Log4j to use SLF4J. No changes are needed for the configurations and logging format is kept the same

Improvements

  • IDS-1238 - ORG2ORG mandate creation have been improved to allow email optional and email message not to be asked. by updating the eidm2.properties and mailmessages.properties with the following configurations;eidm2.properties

    # Set mail not to be sent

    mandate.receiver.approval = false

    mailmessages.properties

    # Don't show message screen

    email.inviteUser.mandate.b2b.enabled = false

    # Set email field as optional

    email.inviteUserRenotify.mandate.b2b.enabled = false

    email.mandateInvitationExpiredInvitee.enabled = false

Corrections

  • IDS-2713 - Resolved issues with import/export users to handle EntityName as the UniqueId by default. A new parameter has been added to REST API 1.0 (REQ001b List Users) for handling plain CN as the uniqueID of the user instead of the Entity Name

  • IDS-3381 - remove-datasource.cmd|sh scripts have been fixed to make it easier to upgrade PostgreSQL JDBC drivers. CustomerID upgrade documentation has been updated

IDS 2021.3 - Note: SSO 8.10.x and 8.9.x both utilise CustomerID 5.9.x

Ubisecure SSO 8.10.1 (21/06/2022)

New Features

  • IDS-2671 - SSO now support Sign in with Apple. A few new parameters have been introduced to enable this integration. Check out our Configure Sign in with Apple knowledge base article

  • IDS-2117 - SSO acting as broker now supports ftn_spname for OpenID Connect methods. This parameter is enabled with FinnishTrustNetwork parameter for the method and uses the client_name specified for the application as the ftn_spname value. Read more about the configuration from OpenID Connect authentication method - SSO configurations

  • IDS-3491 - SSO OAuth 2.0 applications can be configured to overwrite the spname value configured in the system, to use the value coming from another trusted broker in the Finnish Trust Network. This is configured through the AllowFtnSpname configuration string. More details on this configuration string can be found from OAuth 2.0 integration guide - SSO

  • IDS-2979 - SSO acting as broker now support spname for SAML methods. Similar to OpenID Connect, this parameter is enabled with FinnishTrustNetwork parameter for the method and uses the client_name specified for the application as the spname value. Configuration information can be found from SAML IDP Proxy - SSO

  • IDS-3518 - SSO SAML applications can be configured to overwrite the spname value configured in the system, to use the value coming from another trusted broker in the Finnish Trust Network. This is configured through the AllowFtnSpname configuration string. More details on this configuration string can be found from SAML2 configuration - SSO

  • IDS-3006 - SSO acting as broker now support spname for Mobile PKI methods. This parameter is enabled with FinnishTrustNetwork parameter for the method and uses the client_name specified for the application as the spname value. The value is shown in the DisplayName field of schema as shown in the Installing and configuring ETSI MSS Mobile PKI - SSO

Improvements

  • IDS-3149 - A new client configuration has been added to SSO to mitigate Downgrade attacks. "require_signed_request_object" can be set to true in client metadata to require authorisation requests to be signed. See Client configuration reference - SSO for details

  • IDS-2827 - Public clients can now be configured to use PKCE without client_secret. When including "token_endpoint_auth_method": "none" in the client metadata - PKCE (code_challenge is required in the authorisation requests). Configuration information can be found from Authorization code grant and web single sign-on - SSO

  • IDS-3617 - Improvements to the TicketProtocolOAuth2Exception and TicketProtocolException loggings for OAuth2 and SAML2 applications to include client Id (where available) to easier debug where issues with application configurations. Example of new log entries extended with client Id

    SAML2 application

    2022-03-18 10:22:50,380 protocol [192.168.0.108] SingleSignOnServlet: protocol.TicketProtocolException: [saml-application] Ticket validation error: ...

    OAuth2 application

    2022-03-28 12:50:57,409 protocol ERROR [172.30.0.1] AuthorizationServlet: protocol.oauth2.TicketProtocolOAuth2Exception: [oauth2-application] Invalid ticket request: ...

Corrections

  • IDS-2059 - A correction to state value where previously if state included '%2B' it converted it to '+' in authorisation response. This is now resolved and returns the expected '%2B' in the response

  • IDS-3601 - A security vulnerability in password-reset application that allowed updating password of a user without verifying OTP code has been corrected

  • IDS-3660 - A custom redirect URI scheme previously caused failure in redirect with OAuth2 applications, this was now been resolved

SSO 8.9.3 (11/02/2022)

Improvements

SSO 8.9.2 (05/01/2022)

Corrections

SSO 8.9.1 was omitted due to new patch version of Log4j2 being released

SSO 8.9.0 (16/12/2021)

New Features

  • IDS-399 - SSO key rotation possibilities has been enabled for SSO server

  • IDS-2956 - SSO API calls related to create, update and delete signing and encryption keys for SSO server has been included. Examples can be found from Key rotation - SSO

  • IDS-2957 - SSO API calls related to associate or remove association of signing and encryption keys with SSO server has been included. How to perform key rotation in SSO can be found from here

  • IDS-2961 - SSO API call to get certificate signing request for a specific key. This CSR is forwarded to a CA for signing and later on associated back to the specific key

  • IDS-2962 - SSO API call to store the signed certificate with a specific key. Only one certificate is allowed for a key, if there are multiple available in the body, the first will be read and the others will be ignored

  • IDS-2964 - New and/or updated signing and encryption keys are published in OpenID Provider JWKS when changes are detected. All non-expired signing keys and one valid encryption key is shown in the metadata.jwks. The scheduler is run every minute to check for changes

  • IDS-2963 - New and/or updated signing and encryption keys are published in SAML2 IdP Metadata when changes are detected. All non-expired signing keys and one valid encryption key is shown in the Metadata. The scheduler is run every minute to check for changes. Each valid key is provided twice in the SAML2 IdP Metadata, once inside IDPSSODescriptor element and once inside SPSSODescriptor element

  • IDS-2970 - New and/or updated signing and encryption keys are published in WS-Federation IdP Metadata when changes are detected. All non-expired signing keys and one valid encryption key is shown in the FederationMetadata. The scheduler is run every minute to check for changes

  • IDS-3241 & IDS-3242 - Client registration request provides jwks_uri instead of static jwks to better support key rotation

Improvements

  • IDS-1486 - A documentation pages for diag log description has been created to match the audit log description pages, for easier use by developers. 

  • IDS-2757 - id_tokens are included in refresh_token grant responses when "openid" is included in the scope. Extending the requested scopes with additional claims after the refresh token has been created will not fetch additional information. More information can be found from Authorization code grant and web single sign-on - SSO

  • IDS-3303 - Password application IDP metadata is automatically updated from the IDP metadata endpoint once a minute to support key rotation. More details are available from Password application installation - SSO

Corrections

  • IDS-3125 - A Cross-site scripting (XSS) vulnerability has been resolved in SSO error page

  • IDS-1039 - SSO UI now shows "User account is locked" for OTP List and TOTP method after a user has tried to login with invalid code 5 times (or the amount configured in login attempts). Previously the user was shown the message after they tried to login on the 6th time after the method had already been locked

  • IDS-1652 - Message shown to user that have a mismatch of password and confirmation during password change now states a clearer reason for error "Make sure the passwords match. Please try again". Previously the message stated "The new credentials were not accepted" which did not point towards the reason for not being accepted

  • IDS-3176 - SSO UI now shows "User account is locked" for Unregistered SMTP OTP and Unregistered SMS OTP method after a user has tried to login with invalid code 5 times (or the amount configured in login attempts). Previously the user was shown the message after they tried to login on the 6th time after the method had already been locked

  • IDS-2828 - ubikt.jar now generates Certificate Signing Request (CSR) file from certificate contained in unix/win32.config. An example how to use the tool can be found from Increase the SSO metadata certificate private key size

  • IDS-3109 - SSO UI and audit logs now show correct "The user account is locked" message for TOTP method when a user has input invalid OTP code too many times and their account has gotten locked. Previously the message showed "The authentication method configuration is invalid: UNSPECIFIED"

  • IDS-3014 - SSO now shows correct template when returning from an external authentication method (SAML). Previously when a user returned back to the application, the default application template was shown to the user

Ubisecure CustomerID 5.9.1 (30/05/2022)

Corrections

  • IDS-3674 - A deviation was observed within CustomerID 5.9.0 where metadata.xml polling spawned a new polling bean for each update query. In very large deployments, this creates environment overload. This CustomerID 5.9.1 patch release fully resolves the observed polling loading issue.

    • When updating to this CID 5.9.1 patch, administrators should ensure that the SSO instance has been stopped, apply the patch and then restart SSO

CustomerID 5.9.0 (16/12/2021)

New Features

  • IDS-3236 - A new API 2.1 API, PATCH124, has been created which permits updating user information without requiring validation of all existing user information.  Documentation can is available REST API 2.1 PATCH 124

Improvements

  • IDS-1206 - Role invitation messages has been updated to be optional, this can be set to required again by setting ui.role.invite.message.required = true in eidm2.properties

  • IDS-2869 - An improvement has been made for CustomerID when used with User Driven Federation (UDF). It is no longer possible for a user to register and UDF an external authentication method if their SSN is already present within the system

  • IDS-3303 - CustomerID IDP metadata is automatically updated from the IDP metadata endpoint once a minute to support key rotation in SSO. New configuration changes can be seen from Configuration changes in versions - CustomerID

Corrections

  • IDS-2234 - Reminder email is now sent to user with pending role invitation. Interval can be configured using the "renotify.roleinvitation" parameter in eidm2.properties. Previously a reminder email was not sent to the user when role invitation was done through REST API

  • IDS-2235 - Role invitation expiration email is now sent to invited user. The Administrator that invited user to the role also now gets notified if the user approved the invitation to the new role. Previously if the role invitation was done through REST API the user was not informed that the invitation had expired and the Administrator was not informed when the user approved the invitation. 

Ubisecure Privacy Policy & Cookie Statement