Upgrade instructions 6.x

6.0.0-M11

Deprecation of tokens validate endpoint in credentials api

The tokens validate endpoint has been deprecated and will be removed in the next major version. Since this version, please use the tokens process endpoint instead.

Changed a way in which showIdps variable is calculated

Since this version the showIdps model map variable, which is available in the templates personal/fragments/login/login_form.html and personal/fragments/login/wayf_box.html, is true only if identity providers other than Username and password, LDAP and iDIN are defined. Before this change its value was always true.

6.0.0-M10

Saml email attribute name modification

We have changed the urn of the email SAML attribute to a valid one (urn:oid:1.2.840.113549.1.9.1). The old value (1.2.840.113549.1.9.1) is now deprecated and will be removed in a later major release. Until then, if the attribute is not mapped, both uid values will be returned.

Error response unification

In order to unify ErrorResponses across all products, the existing ErrorResponse has been changed to carry error details in a List instead of a Map. The new version is placed in the SDK as com.onegini.sdk.model.error.ErrorResponse. So the previous result:

{
  "error_code" : "3012",
  "error_message" : "One or more actions have failed",
  "details" : {
    "failed_actions" : ["LOGIN"]
  }
}

will now look like:

{
  "error_code" : "3012",
  "error_message" : "One or more actions have failed",
  "details" : [
    {
      "failed_actions" : ["LOGIN"]
    }
  ]
}

Error responses associated with Account Link used to contain the error code as an integer. This is now unified: the error code is a string everywhere.
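A client that talks to several product versions during the upgrade will see both shapes of ErrorResponse (details as a Map or as a List, error_code as an integer or a string). The normaliser below is an added example, not Onegini SDK code: it accepts either shape and produces one consistent structure, so client code only has to handle the new List form. The error_code 4001 in the Account Link sample is a constructed placeholder, not a real Onegini code.

```python
import json
from dataclasses import dataclass, field
from typing import Any, Dict, List


@dataclass
class ErrorResponse:
    """Normalised ErrorResponse: string error_code, details always a list of maps."""
    error_code: str
    error_message: str
    details: List[Dict[str, Any]] = field(default_factory=list)


def parse_error_response(raw: str) -> ErrorResponse:
    """Parse a legacy (Map details / integer code) or current (List details) error body."""
    body = json.loads(raw)
    code = body.get("error_code")
    if code is None:
        raise ValueError("error_code is missing from the error response")
    # Account Link responses used to send the code as an integer; unify to a string.
    code = str(code)

    details = body.get("details")
    if details is None:
        details = []
    elif isinstance(details, dict):
        # Legacy Map form: wrap it so it matches the new single-element List form.
        details = [details]
    elif not isinstance(details, list):
        raise ValueError("details must be a map, a list or null")
    for entry in details:
        if not isinstance(entry, dict):
            raise ValueError("each details entry must be a map")

    return ErrorResponse(code, body.get("error_message", ""), details)


def failed_actions(resp: ErrorResponse) -> List[str]:
    """Collect the failed_actions reported in any details entry."""
    actions: List[str] = []
    for entry in resp.details:
        actions.extend(entry.get("failed_actions", []))
    return actions


# Constructed sample bodies, shaped like the two variants shown in the upgrade notes.
LEGACY_RESPONSE = """{
  "error_code" : "3012",
  "error_message" : "One or more actions have failed",
  "details" : { "failed_actions" : ["LOGIN"] }
}"""

CURRENT_RESPONSE = """{
  "error_code" : "3012",
  "error_message" : "One or more actions have failed",
  "details" : [ { "failed_actions" : ["LOGIN"] } ]
}"""

# Constructed Account Link style body with an integer code (4001 is a placeholder).
ACCOUNT_LINK_LEGACY = """{
  "error_code" : 4001,
  "error_message" : "Account link failed",
  "details" : null
}"""


if __name__ == "__main__":
    for sample in (LEGACY_RESPONSE, CURRENT_RESPONSE, ACCOUNT_LINK_LEGACY):
        parsed = parse_error_response(sample)
        print(parsed.error_code, parsed.error_message, failed_actions(parsed))
```

Both 3012 samples normalise to the same ErrorResponse, and the integer Account Link code comes out as the string "4001", which is what the unified SDK model expects.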

Action Token API Endpoint.

Current year solving

We introduced a new code, [current.year], that can be used inside message.properties. It is resolved automatically and represents the current year. It needs to be applied in each extension separately (especially in the copyright messages).

6.0.0-M9

Password encoding compatibility fallback

The IDP_PASSWORD_ENCODING_COMPATIBILITY_FALLBACK_ENABLED property has been added. The IdP changed the encoding of data sent via HTML forms, so enabling this property rewrites the password hash of existing users whose password contains non-ASCII characters.

If the property is undefined, it defaults to true for existing CIM installations and false for new installations.
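The notes state that the fallback exists to rewrite the stored hash of existing users with non-ASCII passwords, but not how the IdP does it internally. The example below is an added illustration, not Onegini code: it verifies a password under the new encoding first, and only when IDP_PASSWORD_ENCODING_COMPATIBILITY_FALLBACK_ENABLED is on does it retry with the legacy encoding and, on success, re-hash the password with the new encoding. The concrete encodings (UTF-8 as new, ISO-8859-1 as legacy) and the PBKDF2 hashing are assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict

# Assumed encodings for the example; the upgrade notes do not name them.
NEW_ENCODING = "utf-8"
LEGACY_ENCODING = "latin-1"
ITERATIONS = 100_000  # PBKDF2 work factor, chosen for the example


@dataclass
class StoredPassword:
    salt: bytes
    digest: bytes


def derive(password_bytes: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password_bytes, salt, ITERATIONS)


def hash_password(password: str, encoding: str = NEW_ENCODING) -> StoredPassword:
    """Hash the password after encoding it; legacy rows were written with LEGACY_ENCODING."""
    salt = os.urandom(16)
    return StoredPassword(salt, derive(password.encode(encoding), salt))


def verify_with_fallback(store: Dict[str, StoredPassword], user: str,
                         password: str, fallback_enabled: bool) -> bool:
    """Verify under the new encoding; optionally fall back to the legacy encoding and re-hash."""
    stored = store.get(user)
    if stored is None:
        return False
    if hmac.compare_digest(derive(password.encode(NEW_ENCODING), stored.salt), stored.digest):
        return True
    if not fallback_enabled:
        return False
    try:
        legacy_bytes = password.encode(LEGACY_ENCODING)
    except UnicodeEncodeError:
        # Characters outside the legacy charset could never have produced the old hash.
        return False
    if legacy_bytes == password.encode(NEW_ENCODING):
        # Pure ASCII encodes identically under both encodings: nothing to fall back to.
        return False
    if hmac.compare_digest(derive(legacy_bytes, stored.salt), stored.digest):
        # Legacy hash matched: rewrite it under the new encoding so the fallback is not needed again.
        store[user] = hash_password(password)
        return True
    return False


if __name__ == "__main__":
    # Constructed user whose hash was written before the encoding change.
    users = {"alice": hash_password("pässwörd", encoding=LEGACY_ENCODING)}
    print(verify_with_fallback(users, "alice", "pässwörd", fallback_enabled=False))  # False
    print(verify_with_fallback(users, "alice", "pässwörd", fallback_enabled=True))   # True, hash rewritten
    print(verify_with_fallback(users, "alice", "pässwörd", fallback_enabled=False))  # True
```

The fallback only ever runs on a successful legacy match, and the rewrite happens inside that same successful login, so once every affected user has logged in once the property can be switched off. A practitioner would keep it enabled only for that migration window, because each extra encoding attempted is one more candidate hash computed per failed login.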

6.0.0-M8

The following configuration properties have been removed:

  • IDP_OIDC_TOKEN_ENCRYPTION_JWK
  • IDP_OIDC_PRIVATEKEY
  • IDP_OIDC_CERTIFICATE

Since this version the Onegini IDP generates and manages the keys used for signing and encryption in OpenID Connect related flows. Please refer to the managing JWKs chapter for more details.

6.0.0-M7

Right to be forgotten

To maintain compliance with the GDPR (right to be forgotten), please run the personal data cleanup. It needs to be executed once and is available in the admin panel under Configuration -> Data clean up -> Clean-up personal data in action log.

This operation is available only after the snapshot synchronisation operation has been completed.

Automatic email verification

Automatic email verification has been turned off in all automatic sign-up flows. If an email SAML attribute is mapped and email verification during sign-up with an external IdP is not required, select the "Verified by default" checkbox in the external IdP configuration.

6.0.0-M5

Action token changes

Action token configuration has been moved from the Identity Providers tab to the Features tab. Each action token action now has its own expiration time, so there is no longer a global option to set the expiration time on the token itself. This change required action token API changes: it is no longer possible to set the token expiration time via API calls. All expiration times are now configured in the admin panel, next to each token action configuration.

LinkedIn API update

The LinkedIn API has been updated to version 2, which means that applications created before January 14, 2019 may not work. Please update the LinkedIn application configuration if needed.

Quote from LinkedIn page:

All developer applications created on the LinkedIn Developer Portal after January 14, 2019 have access to the LinkedIn v2 API by default. Alternatively, if your developer application has made a successful LinkedIn v1 API request from September 1, 2018 to December 17, 2018, your developer application has immediate access to the v2 API.

Google Authentication API update

Database driver migration

  • The MySQL database driver is no longer supported. The MariaDB driver should be used instead, and the corresponding variable set to:
    • IDP_DATABASE_DRIVER=org.mariadb.jdbc.Driver

6.0.0-M4

Property changes

  • The key store file location has been made configurable with the IDP_KEYSTORE_FILE environment variable (it defaults to the previous path: /opt/data/keystore/keystore.jks)
  • The IDP_HTTPS_TRUST_STORE property has been renamed to IDP_HTTPS_TRUST_STORE_FILE

Mobile authentication callback url changes:

  • The step-up and mobile login callback URLs were merged into one and moved to the Token Server system tab in the admin panel (the setting is removed from the Step-up configuration and from Identity providers).

Features

  • The Search API is now deprecated and additionally available at /api/v1/persons/search-profile; the new API version is /api/v2/persons/search

Bug fixes

  • Added missing prefix to partitioning feature property descriptor

6.0.0-M1

Mobile Authentication configuration changes:

The Onegini Token Server related configuration properties have been moved to a new section in the Onegini IDP admin console.

Copy the values of the following variables to the corresponding fields in the form under the System -> Token Server tab:

  • IDP_MOBILE_AUTH_API_USERNAME
  • IDP_MOBILE_AUTH_API_PASSWORD
  • IDP_MOBILE_AUTH_API_URL

Copy the values of the following variables to the corresponding fields in the Mobile login form under the Configuration -> Identity Providers tab:

  • IDP_MOBILE_LOGIN_AUTH_TYPE
  • IDP_MOBILE_LOGIN_AVAILABILITY_AUTH_TYPE
  • IDP_MOBILE_LOGIN_MESSAGE
  • IDP_MOBILE_LOGIN_ALLOWED_ATTEMPTS

The configurable mobile login callback property has been moved to the appropriate section in the admin console.

Copy the values of the following variables to the corresponding fields in the Mobile login form under the Smart security -> Step-up authentication configuration tab:

  • IDP_MOBILE_AUTH_TYPE
  • IDP_MOBILE_AUTH_MESSAGE
  • IDP_MOBILE_AUTH_CALLBACK-URL

The following configuration property has been removed:

  • IDP_MOBILE_AVAILABILITY_AUTH_TYPE

The LDAP configuration for Mobile Login has been removed; now only the person identifier is used when communicating with the Token Server. Please update the configuration for those users who are coupled with the Token Server via the configured LDAP attribute.

Axon Snapshot synchronization

This procedure is mandatory, but only for existing installations. No work is needed for new installations.

The procedure may take from a couple of minutes to several hours, depending on the size of the DomainEventEntry table. These are the required steps:

  1. Consider creating a backup or snapshot of the database before attempting this procedure.
  2. Deploy the newest idp-core.
  3. Run the snapshot synchronization:
    • Open the admin panel,
    • "Configuration" tab,
    • "Event clean up" tab,
    • Press the "Run snapshot synchronization" button.
  4. Wait for the synchronization job to finish. Refresh the page until you see the information that snapshot synchronization has been completed. You can track the progress on the same page: it shows how many events have been processed and the processing speed in events per second.
  5. Stop idp-core.
  6. Run the synchronization verification query manually on the database. The query verifies that there are no events left without a corresponding snapshot. The queries are listed below. Only proceed if the query returns no results.
  7. If the synchronization verification query returned 0 rows, delete all records from the DomainEventEntry table manually.
  8. Start idp-core again.
  9. Enable the regular clean-up via cron job (the same tab in the admin panel as for the snapshot synchronization).

If the synchronization verification query returned any rows, this indicates that the synchronisation process may have failed in some part. In that case:

  • Do not proceed with the procedure.
  • Start idp-core again and continue using the application normally.
  • Make sure the regular clean-up feature in "Event clean up" tab in Admin Panel is disabled.
  • Contact Onegini Support.

Verification queries:

MySQL

SELECT dee.aggregateIdentifier,
       dee.type,
       max(dee.sequenceNumber) AS dee_sequenceNumber,
       max(see.sequenceNumber) AS see_sequenceNumber
FROM DomainEventEntry dee
LEFT JOIN SnapshotEventEntry see ON dee.aggregateIdentifier=see.aggregateIdentifier
AND dee.type=see.type
AND dee.sequenceNumber=see.sequenceNumber
GROUP BY dee.aggregateIdentifier,
         dee.type
HAVING dee_sequenceNumber>see_sequenceNumber
OR see_sequenceNumber IS NULL
LIMIT 100;

Oracle

SELECT o.*
FROM (SELECT dee.aggregateIdentifier,
           dee.type,
           max(dee.sequenceNumber) AS dee_sequenceNumber,
           max(see.sequenceNumber) AS see_sequenceNumber
    FROM DomainEventEntry dee
    LEFT JOIN SnapshotEventEntry see ON dee.aggregateIdentifier=see.aggregateIdentifier
    AND dee.type=see.type
    AND dee.sequenceNumber=see.sequenceNumber
    GROUP BY dee.aggregateIdentifier,
             dee.type
    HAVING max(dee.sequenceNumber) > max(see.sequenceNumber)
    OR max(see.sequenceNumber) IS NULL) o
WHERE rownum < 100;

MSSQL (SQL Server)

SELECT dee.aggregateIdentifier,
       dee.type,
       max(dee.sequenceNumber) AS dee_sequenceNumber,
       max(see.sequenceNumber) AS see_sequenceNumber
FROM DomainEventEntry dee
LEFT JOIN SnapshotEventEntry see ON dee.aggregateIdentifier=see.aggregateIdentifier
AND dee.type=see.type
AND dee.sequenceNumber=see.sequenceNumber
GROUP BY dee.aggregateIdentifier,
         dee.type
HAVING max(dee.sequenceNumber)>max(see.sequenceNumber)
OR max(see.sequenceNumber) IS NULL;
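Because step 7 truncates the event store, it is worth understanding exactly what the verification query catches before trusting an empty result. The script below is an added example, not part of the Onegini procedure: it loads a constructed DomainEventEntry and SnapshotEventEntry pair into an in-memory SQLite database and runs the same query (written in the SQL Server form, with max() repeated in HAVING, which SQLite also accepts, plus the MySQL LIMIT). The table columns, the aggregate type "Person" and the sample rows are assumptions made for the example; run the vendor query from the notes on a real database, never this one.

```python
import sqlite3
from typing import Iterable, List, Optional, Tuple

Row = Tuple[str, str, int, Optional[int]]
Entry = Tuple[str, str, int]  # (aggregateIdentifier, type, sequenceNumber)

# Minimal stand-ins for the Axon tables; only the columns the query touches.
SCHEMA = """
CREATE TABLE DomainEventEntry   (aggregateIdentifier TEXT NOT NULL, type TEXT NOT NULL, sequenceNumber INTEGER NOT NULL);
CREATE TABLE SnapshotEventEntry (aggregateIdentifier TEXT NOT NULL, type TEXT NOT NULL, sequenceNumber INTEGER NOT NULL);
"""

# Same logic as the verification query in the upgrade notes: per aggregate, the newest
# event must have a snapshot at exactly that sequence number, otherwise it is reported.
VERIFY_SQL = """
SELECT dee.aggregateIdentifier,
       dee.type,
       max(dee.sequenceNumber) AS dee_sequenceNumber,
       max(see.sequenceNumber) AS see_sequenceNumber
FROM DomainEventEntry dee
LEFT JOIN SnapshotEventEntry see ON dee.aggregateIdentifier = see.aggregateIdentifier
  AND dee.type = see.type
  AND dee.sequenceNumber = see.sequenceNumber
GROUP BY dee.aggregateIdentifier, dee.type
HAVING max(dee.sequenceNumber) > max(see.sequenceNumber)
    OR max(see.sequenceNumber) IS NULL
LIMIT 100
"""


def build_db(events: Iterable[Entry], snapshots: Iterable[Entry]) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO DomainEventEntry VALUES (?, ?, ?)", events)
    conn.executemany("INSERT INTO SnapshotEventEntry VALUES (?, ?, ?)", snapshots)
    conn.commit()
    return conn


def unsynchronised_aggregates(conn: sqlite3.Connection) -> List[Row]:
    """Aggregates whose latest event has no matching snapshot (sorted for stable output)."""
    return sorted(conn.execute(VERIFY_SQL).fetchall())


def safe_to_truncate(conn: sqlite3.Connection) -> bool:
    """Step 7 precondition: the verification query must return no rows at all."""
    return not unsynchronised_aggregates(conn)


def add_snapshot(conn: sqlite3.Connection, aggregate: str, type_: str, seq: int) -> None:
    conn.execute("INSERT INTO SnapshotEventEntry VALUES (?, ?, ?)", (aggregate, type_, seq))
    conn.commit()


# Constructed sample data: person-1 is fully snapshotted, person-2 has a stale snapshot,
# person-3 has no snapshot at all.
SAMPLE_EVENTS: List[Entry] = [
    ("person-1", "Person", 0), ("person-1", "Person", 1), ("person-1", "Person", 2), ("person-1", "Person", 3),
    ("person-2", "Person", 0), ("person-2", "Person", 1), ("person-2", "Person", 2),
    ("person-3", "Person", 0), ("person-3", "Person", 1),
]
SAMPLE_SNAPSHOTS: List[Entry] = [("person-1", "Person", 3), ("person-2", "Person", 1)]


if __name__ == "__main__":
    db = build_db(SAMPLE_EVENTS, SAMPLE_SNAPSHOTS)
    for row in unsynchronised_aggregates(db):
        print(row)
    print("safe to truncate DomainEventEntry:", safe_to_truncate(db))
```

Two things the run makes visible: a stale snapshot (person-2, snapshot at 1 while events reach 2) is reported just like a missing one, and the MySQL LIMIT 100 only caps the rows shown, so a non-empty result of any size means "stop and contact support", not "fix the first hundred".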

Mobile login and mobile step-up authentication behaviour change

From this version of the Onegini IDP, the Mobile Login and mobile step-up authentication functionality will no longer work unless the Person ID is used as the user identifier in the Onegini Token Server.