Upgrade Instructions 3.x
Upgrade Instructions 3.17.0
Captcha configuration changes
ReCaptcha configuration has been moved from system environment properties to Administration Panel.
After upgrading IDP to this version please move the properties below to the Administration Panel (Smart security -> ReCaptcha configuration):
IDP_RECAPTCHA_PUBLICKEY=
IDP_RECAPTCHA_PRIVATEKEY=
Upgrade Instructions 3.13.0
Properties encryption
Version 3.13 requires the PROPERTIES_ENCRYPTION_KEY environment variable to be set. Please refer to the properties description for more info.
Microsoft SQL Server support
To run IDP with Microsoft SQL Server the properties below should be updated:
IDP_DATABASE_MIGRATIONS_FOLDER=/db/migrations/mssql
IDP_DATABASE_DRIVER=com.microsoft.sqlserver.jdbc.SQLServerDriver
IDP_DATABASE_URL=jdbc:sqlserver://database.example.com:1433;DatabaseName=databaseName
IDP_DATABASE_USER=dbUserName
IDP_DATABASE_PASSWORD=dbUserPassword
IDP_DATABASE_VALIDATION_QUERY=select 1
IDP_DATABASE_PLATFORM=org.hibernate.dialect.SQLServer2008Dialect
IDP_DATABASE_TYPE=SQL_SERVER
IDP_QUARTZ_JDBC_DELEGATE=org.quartz.impl.jdbcjobstore.MSSQLDelegate
IDP_HIBERNATE_GLOBALLY_QUOTED_IDENTIFIERS=true
Web template changes
Attribute loginUnrestrictedFormat added to the template wayf_box
Since the default Username and Password login form validates whether the entered username has a valid email format, in order to allow logging in with LDAP the form must have the username input validation disabled. The IDP sets the loginUnrestrictedFormat flag, which is available in the frontend and can be used to enable or disable validation.
The loginUnrestrictedFormat property is set to true when any of the following requirements is met:
- migration feature is enabled in the admin console
- at least one Identity Provider of type LDAP is configured and enabled
Example property usage:
<div class="controls">
    <input th:unless="${loginUnrestrictedFormat}" type="email" name="email" id="email" autocomplete="off"
           tabindex="1" th:field="*{email}"
           th:attr="data-msg-required=#{personal.fields.email.error.emptyUsername},data-msg-email=#{personal.fields.email.error.malformed}"/>
    <input th:if="${loginUnrestrictedFormat}" type="text" name="email" id="email" autocomplete="off"
           tabindex="1" th:field="*{email}"
           th:attr="data-msg-required=#{personal.fields.email.error.emptyUsername.migration}"/>
    <th:block th:include="personal/components/field_error :: field_error" th:with="fieldName='email'"/>
</div>
Upgrade Instructions 3.11.00
LDAP Identity Provider configuration change
LDAP configuration has been moved from system environment properties to the admin panel. After upgrading IDP to this version please move the properties below to the admin panel:
IDP_LDAP_SERVER_URLS
IDP_LDAP_SERVER_BASE
IDP_LDAP_SERVER_USERDN
IDP_LDAP_SERVER_PASSWORD
IDP_LDAP_AUTHENTICATE_DN_TEMPLATE
Remote cache provider changed
From now on IDP requires a Redis server to work properly. The Redis server should be operational before IDP is deployed. Cache replication with Infinispan is no longer supported.
Additional properties have been introduced for Redis server configuration:
IDP_REDIS_SENTINEL_NODES
IDP_REDIS_SENTINEL_MASTER_ID
IDP_REDIS_PASSWORD
IDP_CACHE_ENCRYPTION_KEY
More details on these properties can be found on the Remote cache configuration page.
Upgrade Instructions 3.07
Template changes
The listed templates have been changed (<input type="submit"/> has been replaced with <button type="submit"/>):
templates/personal/components/submit_cancel.html
templates/personal/fragment_common.html
templates/personal/sign-up-unp.html
Please keep this in mind in case of template customization in the IDP extension.
Migration interfaces
The API of the interfaces in package com.onegini.extension.migrate used during migration has changed, which makes it possible to migrate all user data defined in the Profile class.
Upgrade Instructions 3.05
Person Search API
The changes introduced for the Person Search API require a personAttributeCluster replay. It can be done via the admin panel.
Upgrade Instructions 3.04.02
Additional properties have been introduced for the SAML Artifact Resolution Service feature:
IDP_SAML_ENTITY_PROTOCOL=http
IDP_SAML_ARTIFACT_RESOLUTION_PROTOCOL=http
More details on these properties can be found on the properties page.
Upgrade Instructions 3.04
SAML Artifact Resolution Properties configuration
From this version the SAML Artifact Resolution Service is served on the API port. In case a separate API port is enabled via the IDP_HTTP_API_ENABLED property, the following properties must be configured:
IDP_SAML_ENTITY_HOST=172.16.10.10:8990
IDP_SAML_ARTIFACT_RESOLUTION_HOST=172.16.10.10:8991
More details on these properties can be found on the properties page.
3.03
Property names changes
Two docker properties have been changed:

| Previous (wrong) name | New (correct) name |
|---|---|
| IDP_DATABASE_VALIDATION-query | IDP_DATABASE_VALIDATION_QUERY |
| IDP_HEADER_INTERCEPTOR_P3ppolicy | IDP_HEADER_INTERCEPTOR_P3PPOLICY |
SAML artifact binding
SAML artifact binding has been introduced in this version, and because of that two things need to be taken into account while sending an AuthnRequest from a Service Provider to Onegini IDP:
- Before artifact binding was introduced, Onegini IDP did not validate ProtocolBinding, so please keep in mind that the ProtocolBinding attribute that is part of the AuthnRequest needs to be consistent with the Service Provider metadata:
  - for POST binding (browser response) the Service Provider needs to send ProtocolBinding equal to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
  - for artifact binding (SOAP response) the Service Provider needs to send ProtocolBinding equal to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
- The response sent back to the Service Provider is resolved by looking at the AuthnRequest parameters:
  - if the AuthnRequest contains AssertionConsumerServiceIndex, then Onegini IDP will look at the Service Provider metadata and answer to the AssertionConsumerService with the appropriate index
  - if the AuthnRequest contains AssertionConsumerServiceURL and ProtocolBinding, then Onegini IDP will look at the Service Provider metadata and answer to the AssertionConsumerService with the appropriate AssertionConsumerServiceURL and ProtocolBinding
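The resolution rules above, written out as a small Python check that an IDP-side reviewer could run against an AuthnRequest and the Service Provider metadata. This is an added example and not Onegini IDP's own code; the metadata shape, the two constructed SP endpoints and the helper names are assumptions.

```python
"""Resolve the AssertionConsumerService for a SAML AuthnRequest the way the
page describes: by AssertionConsumerServiceIndex, or by
AssertionConsumerServiceURL plus ProtocolBinding, checked against SP metadata."""
import xml.etree.ElementTree as ET

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed SP metadata (assumption): one ACS endpoint per binding.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS_MD}" entityID="https://sp.example.com">
  <md:SPSSODescriptor>
    <md:AssertionConsumerService index="0" Binding="{HTTP_POST}" Location="https://sp.example.com/acs/post"/>
    <md:AssertionConsumerService index="1" Binding="{HTTP_ARTIFACT}" Location="https://sp.example.com/acs/artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def load_acs(metadata_xml):
    """Return (index, binding, location) for every ACS declared in SP metadata."""
    root = ET.fromstring(metadata_xml)
    return [(int(e.get("index")), e.get("Binding"), e.get("Location"))
            for e in root.iter(f"{{{NS_MD}}}AssertionConsumerService")]


def resolve_acs(authn_request_xml, metadata_xml):
    """Pick the (binding, location) to answer to, or raise ValueError when the
    request is inconsistent with the metadata, the case the page warns about."""
    req = ET.fromstring(authn_request_xml)
    if req.tag != f"{{{NS_P}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    endpoints = load_acs(metadata_xml)
    index = req.get("AssertionConsumerServiceIndex")
    if index is not None:
        # An index takes precedence: answer to the ACS declared with that index.
        for idx, binding, location in endpoints:
            if idx == int(index):
                return binding, location
        raise ValueError(f"no AssertionConsumerService with index {index}")
    url, binding = req.get("AssertionConsumerServiceURL"), req.get("ProtocolBinding")
    if url is None or binding is None:
        raise ValueError("AuthnRequest must carry an index, or URL and ProtocolBinding")
    if binding not in (HTTP_POST, HTTP_ARTIFACT):
        raise ValueError(f"unsupported ProtocolBinding {binding}")
    # URL and binding must both match one declared endpoint; a URL that exists
    # only under a different binding is rejected rather than silently reused.
    for _, md_binding, location in endpoints:
        if location == url and md_binding == binding:
            return binding, location
    raise ValueError("AssertionConsumerServiceURL/ProtocolBinding not in SP metadata")


def authn_request(**attrs):
    """Build a constructed AuthnRequest carrying the given attributes (test helper)."""
    extra = "".join(f' {k}="{v}"' for k, v in attrs.items())
    return f'<samlp:AuthnRequest xmlns:samlp="{NS_P}" ID="_req1" Version="2.0"{extra}/>'
```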
3.00
Email gateway configuration
Deprecated property
An Extension Email Gateway has been introduced, therefore the property IDP_EMAIL_PROVIDER is deprecated. Please define the property IDP_EXTENSION_EMAILGATEWAY_ENABLED in order to use the Extension Email Gateway instead of the default SMTP Email Gateway.
- IDP_EXTENSION_EMAILGATEWAY_ENABLED=true
Deprecated remote email service credential properties
The following properties are deprecated. Please remove them and use the extension-specific properties to set credentials.
- IDP_EMAIL_REMOTE_SERVICE_USER
- IDP_EMAIL_REMOTE_SERVICE_PASSWORD
- IDP_EMAIL_REMOTE_SERVICE_URI
Extension configuration properties
The following properties are required in case the application is set up with the extension:
IDP_EXTENSION_PROTOCOL=http
IDP_EXTENSION_BASEURL=172.17.42.1:8182
IDP_EXTENSION_USERNAMEVALIDATION_ENABLED=false
IDP_EXTENSION_AUTHENTICATION_ENABLED=false
IDP_EXTENSION_PROFILEATTRIBUTESUPDATE_ENABLED=false
IDP_EXTENSION_ACCOUNTLINK_ENABLED=false
IDP_EXTENSION_DELIVEREXTERNALCODE_ENABLED=false
IDP_EXTENSION_EMAILGATEWAY_ENABLED=false
IDP_EXTENSION_USERINFO_ENABLED=false
IDP_EXTENSION_RESOURCES_ENABLED=false
IDP_EXTENSION_MIGRATION_DEFAULTPROCESSING_ENABLED=false
IDP_EXTENSION_MIGRATION_PASSWORDRESETMIGRATION_ENABLED=false