Upgrade Instructions 3.x

Upgrade Instructions 3.17.0

Captcha configuration changes

ReCaptcha configuration has been moved from system environment properties to the Administration Panel. After upgrading IDP to this version, move the properties below to the Administration Panel (Smart security -> ReCaptcha configuration).

IDP_RECAPTCHA_PUBLICKEY=
IDP_RECAPTCHA_PRIVATEKEY=

Upgrade Instructions 3.13.0

Properties encryption

Version 3.13 requires the PROPERTIES_ENCRYPTION_KEY environment variable to be set. Please refer to the properties description for more information.

Microsoft SQL Server support

To run IDP with Microsoft SQL Server, the properties below should be updated:

IDP_DATABASE_MIGRATIONS_FOLDER=/db/migrations/mssql
IDP_DATABASE_DRIVER=com.microsoft.sqlserver.jdbc.SQLServerDriver
IDP_DATABASE_URL=jdbc:sqlserver://database.example.com:1433;DatabaseName=databaseName
IDP_DATABASE_USER=dbUserName
IDP_DATABASE_PASSWORD=dbUserPassword
IDP_DATABASE_VALIDATION_QUERY=select 1
IDP_DATABASE_PLATFORM=org.hibernate.dialect.SQLServer2008Dialect
IDP_DATABASE_TYPE=SQL_SERVER
IDP_QUARTZ_JDBC_DELEGATE=org.quartz.impl.jdbcjobstore.MSSQLDelegate
IDP_HIBERNATE_GLOBALLY_QUOTED_IDENTIFIERS=true

Web template changes

Attribute loginUnrestrictedFormat added to the template wayf_box

Since the default Username and Password login form validates that the entered username has a valid email format, the form must have the username input validation disabled in order to allow logging in with LDAP. The IDP sets the loginUnrestrictedFormat flag, which is available in the frontend and can be used to enable or disable that validation.

The loginUnrestrictedFormat property is set to true when any of the following conditions is met:

  • migration feature is enabled in the admin console
  • at least one Identity Provider of type LDAP is configured and enabled

Example property usage:

  <div class="controls">
    <input th:unless="${loginUnrestrictedFormat}" type="email" name="email" id="email" autocomplete="off"
           tabindex="1" th:field="*{email}"
           th:attr="data-msg-required=#{personal.fields.email.error.emptyUsername},data-msg-email=#{personal.fields.email.error.malformed}"/>
    <input th:if="${loginUnrestrictedFormat}" type="text" name="email" id="email" autocomplete="off"
           tabindex="1" th:field="*{email}"
           th:attr="data-msg-required=#{personal.fields.email.error.emptyUsername.migration}"/>
    <th:block th:include="personal/components/field_error :: field_error" th:with="fieldName='email'"/>
  </div>

Upgrade Instructions 3.11.00

LDAP Identity Provider configuration change

LDAP configuration has been moved from system environment properties to the admin panel. After upgrading IDP to this version, move the properties below to the admin panel:

IDP_LDAP_SERVER_URLS
IDP_LDAP_SERVER_BASE
IDP_LDAP_SERVER_USERDN
IDP_LDAP_SERVER_PASSWORD
IDP_LDAP_AUTHENTICATE_DN_TEMPLATE

Remote cache provider changed

From now on IDP requires a Redis server to work properly. The Redis server should be operational before IDP is deployed. Cache replication with Infinispan is no longer supported.

Additional properties have been introduced for Redis server configuration:

  IDP_REDIS_SENTINEL_NODES
  IDP_REDIS_SENTINEL_MASTER_ID
  IDP_REDIS_PASSWORD
  IDP_CACHE_ENCRYPTION_KEY

More details on these properties can be found on the Remote cache configuration page.

Upgrade Instructions 3.07

Template changes

The listed templates have been changed (<input type="submit"/> has been replaced with <button type="submit"/>):

  • templates/personal/components/submit_cancel.html
  • templates/personal/fragment_common.html
  • templates/personal/sign-up-unp.html

Please keep this in mind if these templates are customized in the IDP extension.

Migration interfaces

The API of the interfaces in the package com.onegini.extension.migrate that are used during migration has changed; as a result, it is now possible to migrate all user data defined in the Profile class.

Upgrade Instructions 3.05

Person Search API

The changes introduced to the Person Search API require a replay of personAttributeCluster. This can be done via the admin panel.

Upgrade Instructions 3.04.02

Additional properties have been introduced for SAML Artifact Resolution Service feature:

IDP_SAML_ENTITY_PROTOCOL=http
IDP_SAML_ARTIFACT_RESOLUTION_PROTOCOL=http

More details on these properties can be found on the properties page.

Upgrade Instructions 3.04

SAML Artifact Resolution Properties configuration

From this version on, the SAML Artifact Resolution Service is served on the API port. If a separate API port is enabled via the IDP_HTTP_API_ENABLED property, the following properties must be configured:

IDP_SAML_ENTITY_HOST=172.16.10.10:8990
IDP_SAML_ARTIFACT_RESOLUTION_HOST=172.16.10.10:8991

More details on these properties can be found on the properties page.

3.03

Property names changes

Two docker properties have been changed:

Previous (wrong) name               New (correct) name
IDP_DATABASE_VALIDATION-query       IDP_DATABASE_VALIDATION_QUERY
IDP_HEADER_INTERCEPTOR_P3ppolicy    IDP_HEADER_INTERCEPTOR_P3PPOLICY

SAML artifact binding

SAML artifact binding has been introduced in this version, and because of that two things need to be taken into account when sending an AuthnRequest from a Service Provider to Onegini IDP:

  1. Before artifact binding was introduced, Onegini IDP did not validate ProtocolBinding. Keep in mind that the ProtocolBinding attribute of the AuthnRequest now needs to be consistent with the Service Provider metadata:
    • for post binding (browser response) the Service Provider needs to send ProtocolBinding equal to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
    • for artifact binding (SOAP response) the Service Provider needs to send ProtocolBinding equal to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
  2. The endpoint for the response sent back to the Service Provider is resolved by looking at the AuthnRequest parameters:
    • if the AuthnRequest contains AssertionConsumerServiceIndex, Onegini IDP looks at the Service Provider metadata and answers to the AssertionConsumerService with that index
    • if the AuthnRequest contains AssertionConsumerServiceURL and ProtocolBinding, Onegini IDP looks at the Service Provider metadata and answers to the AssertionConsumerService with the matching AssertionConsumerServiceURL and ProtocolBinding
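As an added example (not code from the Onegini IDP project), the following Python resolves an AuthnRequest against Service Provider metadata using the two rules above and rejects a request whose ProtocolBinding or AssertionConsumerServiceURL is not listed in that metadata. The metadata, its endpoint URLs and the request builder are constructed assumptions for this example.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed Service Provider metadata: one AssertionConsumerService per binding.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com">
  <md:SPSSODescriptor>
    <md:AssertionConsumerService index="0" Location="https://sp.example.com/acs/post"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:AssertionConsumerService index="1" Location="https://sp.example.com/acs/artifact"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def make_authn_request(**attrs):
    """Build a minimal constructed samlp:AuthnRequest carrying the given attributes."""
    extra = "".join(' %s="%s"' % item for item in attrs.items())
    return ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'ID="_req1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z"%s/>' % extra)

def resolve_acs(authn_request_xml, metadata_xml):
    """Return the (Binding, Location) the response must go to, or raise ValueError.
    An AssertionConsumerServiceIndex is looked up in the metadata; otherwise both
    AssertionConsumerServiceURL and ProtocolBinding must be present and match one
    listed endpoint exactly. Anything else is rejected rather than guessed."""
    request = ET.fromstring(authn_request_xml)
    endpoints = [(e.get("index"), e.get("Binding"), e.get("Location"))
                 for e in ET.fromstring(metadata_xml).findall(".//md:AssertionConsumerService", NS)]
    index = request.get("AssertionConsumerServiceIndex")
    if index is not None:
        for idx, binding, location in endpoints:
            if idx == index:
                return binding, location
        raise ValueError("no AssertionConsumerService with index %s in SP metadata" % index)
    url = request.get("AssertionConsumerServiceURL")
    binding = request.get("ProtocolBinding")
    if url is None or binding is None:
        raise ValueError("AuthnRequest needs an index or both AssertionConsumerServiceURL and ProtocolBinding")
    if binding not in (POST, ARTIFACT):
        raise ValueError("unsupported ProtocolBinding: " + binding)
    for _, meta_binding, location in endpoints:
        if meta_binding == binding and location == url:
            return binding, location
    raise ValueError("AssertionConsumerServiceURL/ProtocolBinding pair is not in SP metadata")
```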

3.00

Email gateway configuration

Deprecated property

The Extension Email Gateway has been introduced; therefore the property IDP_EMAIL_PROVIDER is deprecated. Define the property IDP_EXTENSION_EMAILGATEWAY_ENABLED in order to use the Extension Email Gateway instead of the default SMTP Email Gateway.

 - IDP_EXTENSION_EMAILGATEWAY_ENABLED=true

Deprecated remote email service credential properties

The following properties are deprecated. Remove them and use the extension-specific properties to set credentials.

 - IDP_EMAIL_REMOTE_SERVICE_USER
 - IDP_EMAIL_REMOTE_SERVICE_PASSWORD
 - IDP_EMAIL_REMOTE_SERVICE_URI

Extension configuration properties

The following properties are required when the application is set up with the extension:

IDP_EXTENSION_PROTOCOL=http
IDP_EXTENSION_BASEURL=172.17.42.1:8182
IDP_EXTENSION_USERNAMEVALIDATION_ENABLED=false
IDP_EXTENSION_AUTHENTICATION_ENABLED=false
IDP_EXTENSION_PROFILEATTRIBUTESUPDATE_ENABLED=false
IDP_EXTENSION_ACCOUNTLINK_ENABLED=false
IDP_EXTENSION_DELIVEREXTERNALCODE_ENABLED=false
IDP_EXTENSION_EMAILGATEWAY_ENABLED=false
IDP_EXTENSION_USERINFO_ENABLED=false
IDP_EXTENSION_RESOURCES_ENABLED=false
IDP_EXTENSION_MIGRATION_DEFAULTPROCESSING_ENABLED=false
IDP_EXTENSION_MIGRATION_PASSWORDRESETMIGRATION_ENABLED=false