Upgrade instructions 6.x
NEXT RELEASE
Action token changes
Action token configuration has moved from the Identity Providers tab to the Features tab. Each action token action now has its own expiration time, so there is no longer a global option to set the expiration time on the token itself. This change required changes to the action token API: it is no longer possible to set the token expiration time using API calls. All expiration times are now configured in the admin panel, next to each token action configuration.
LinkedIn API update
The LinkedIn API has been updated to version 2, which means that applications created before January 14, 2019 may not work. Please update the LinkedIn application configuration if needed.
Quote from LinkedIn page:
All developer applications created on the LinkedIn Developer Portal after January 14, 2019 have access to the LinkedIn v2 API by default.
Alternatively, if your developer application has made a successful LinkedIn v1 API request from September 1, 2018 to December 17, 2018, your developer application has immediate access to the v2 API.
Google Authentication API update
- As Google is turning off Google Plus authentication, identity provider OAuth scope attributes for Google authentication have been renamed: plus.login is now profile, as described in https://developers.google.com/identity/sign-in/web/quick-migration-guide
6.0.0-M4
Mobile authentication callback URL changes:
- The step-up and mobile login callback URLs were merged into one and moved to the Token Server system tab in the admin panel (it has been removed from the Step-up configuration and Identity providers).
Features
- Search API is now deprecated and additionally available from /api/v1/persons/search-profile, the new API version is /api/v2/persons/search-profile
Bug fixes
- Added missing prefix to partitioning feature property descriptor
6.0.0-M1
Mobile Authentication configuration changes:
The Onegini Token Server related configuration properties have been moved to a new section in the Onegini IDP admin console.
Copy the values from the following variables:
- IDP_MOBILE_AUTH_API_USERNAME
- IDP_MOBILE_AUTH_API_PASSWORD
- IDP_MOBILE_AUTH_API_URL
to the corresponding fields in the form under the System -> Token Server tab.
Copy the values from the following variables:
- IDP_MOBILE_LOGIN_AUTH_TYPE
- IDP_MOBILE_LOGIN_AVAILABILITY_AUTH_TYPE
- IDP_MOBILE_LOGIN_MESSAGE
- IDP_MOBILE_LOGIN_ALLOWED_ATTEMPTS
to the corresponding fields in the Mobile login form under the Configuration -> Identity Providers tab.
The added configurable mobile login callback property has been moved to the appropriate section in the admin console.
Copy the values from the following variables:
- IDP_MOBILE_AUTH_TYPE
- IDP_MOBILE_AUTH_MESSAGE
- IDP_MOBILE_AUTH_CALLBACK-URL
to the corresponding fields in the Mobile login form under the Smart security -> Step-up authentication configuration tab.
The following configuration property has been removed:
- IDP_MOBILE_AVAILABILITY_AUTH TYPE
The LDAP configuration for Mobile Login has been removed; now only the person identifier is used when communicating with the Token Server. Please update the configuration for those users who are coupled with the Token Server via a configured LDAP attribute.
Axon Snapshot synchronization
This procedure must be performed on existing installations. New installations require no action.
The procedure may take from a couple of minutes to several hours, depending on the size of the DomainEventEntry table. These are the required steps:
- Consider creating a backup or snapshot of the database before attempting this procedure.
- Deploy the newest idp-core.
- Run snapshot synchronization:
  - Open the admin panel,
  - "Configuration" tab,
  - "Event clean up" tab,
  - Press the "Run snapshot synchronization" button.
- Wait for the synchronization job to finish. Refresh the page until you see information that snapshot synchronization has been completed. You can track the progress on the same page, which shows how many events were processed and the processing speed in events per second.
- Stop idp-core.
- Run the synchronization verification query manually on the DB. The query verifies that no events are left without a corresponding snapshot. The queries are listed below. Only proceed if the query returns no results.
- If the synchronization verification query returned 0 rows, delete all records from the DomainEventEntry table manually.
- Start idp-core again.
- Make sure regular clean-up via cron job is enabled (the same tab in the admin panel as for the snapshot synchronization).
If the synchronization verification query returned any rows, this indicates that the synchronization process may have failed in some part. In that case:
- Do not proceed with the procedure.
- Start idp-core again and continue using the application normally.
- Make sure the regular clean-up feature in "Event clean up" tab in Admin Panel is disabled.
- Contact Onegini Support.
Verification queries:
MySQL
SELECT dee.aggregateIdentifier,
dee.type,
max(dee.sequenceNumber) AS dee_sequenceNumber,
max(see.sequenceNumber) AS see_sequenceNumber
FROM DomainEventEntry dee
LEFT JOIN SnapshotEventEntry see ON dee.aggregateIdentifier=see.aggregateIdentifier
AND dee.type=see.type
AND dee.sequenceNumber=see.sequenceNumber
GROUP BY dee.aggregateIdentifier,
dee.type
HAVING dee_sequenceNumber>see_sequenceNumber
OR see_sequenceNumber IS NULL
LIMIT 100;
Oracle
SELECT o.*
FROM (SELECT dee.aggregateIdentifier,
dee.type,
max(dee.sequenceNumber) AS dee_sequenceNumber,
max(see.sequenceNumber) AS see_sequenceNumber
FROM DomainEventEntry dee
LEFT JOIN SnapshotEventEntry see ON dee.aggregateIdentifier=see.aggregateIdentifier
AND dee.type=see.type
AND dee.sequenceNumber=see.sequenceNumber
GROUP BY dee.aggregateIdentifier,
dee.type
HAVING max(dee.sequenceNumber) > max(see.sequenceNumber)
OR max(see.sequenceNumber) IS NULL) o
WHERE rownum < 100;
MSSQL (SQL Server)
SELECT dee.aggregateIdentifier,
dee.type,
max(dee.sequenceNumber) AS dee_sequenceNumber,
max(see.sequenceNumber) AS see_sequenceNumber
FROM DomainEventEntry dee
LEFT JOIN SnapshotEventEntry see ON dee.aggregateIdentifier=see.aggregateIdentifier
AND dee.type=see.type
AND dee.sequenceNumber=see.sequenceNumber
GROUP BY dee.aggregateIdentifier,
dee.type
HAVING max(dee.sequenceNumber)>max(see.sequenceNumber)
OR max(see.sequenceNumber) IS NULL
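The gate from the procedure above (delete DomainEventEntry only when the verification query returns no rows), shown as an added example that is not Onegini code. It runs the page's query, in the form used for MSSQL, against an in-memory SQLite stand-in that has only the three columns the query references. The function names and the constructed sample rows are assumptions.

```python
import sqlite3

# The page's verification query in its portable form (aggregates repeated in
# HAVING, as in the MSSQL variant), without a row limit.
VERIFY_SQL = """
SELECT dee.aggregateIdentifier, dee.type,
       max(dee.sequenceNumber) AS dee_sequenceNumber,
       max(see.sequenceNumber) AS see_sequenceNumber
FROM DomainEventEntry dee
LEFT JOIN SnapshotEventEntry see
       ON dee.aggregateIdentifier = see.aggregateIdentifier
      AND dee.type = see.type
      AND dee.sequenceNumber = see.sequenceNumber
GROUP BY dee.aggregateIdentifier, dee.type
HAVING max(dee.sequenceNumber) > max(see.sequenceNumber)
    OR max(see.sequenceNumber) IS NULL
"""

def build_db(events, snapshots):
    """Create an in-memory stand-in with only the columns the query uses."""
    db = sqlite3.connect(":memory:")
    for table in ("DomainEventEntry", "SnapshotEventEntry"):
        db.execute(f"CREATE TABLE {table} (aggregateIdentifier TEXT, "
                   "type TEXT, sequenceNumber INTEGER)")
    db.executemany("INSERT INTO DomainEventEntry VALUES (?, ?, ?)", events)
    db.executemany("INSERT INTO SnapshotEventEntry VALUES (?, ?, ?)", snapshots)
    db.commit()
    return db

def unsynchronized(db):
    """Aggregates whose newest event has no snapshot at that sequence number."""
    return db.execute(VERIFY_SQL).fetchall()

def purge_if_verified(db):
    """Delete DomainEventEntry only when verification returns zero rows."""
    offenders = unsynchronized(db)
    if offenders:
        return False, offenders          # stop: follow the failure branch
    with db:                             # commit on success, roll back on error
        db.execute("DELETE FROM DomainEventEntry")
    return True, []

# Constructed sample data: person-1 is fully snapshotted, person-2's snapshot
# is behind its latest event, person-3 has no snapshot at all.
EVENTS = [("person-1", "Person", 0), ("person-1", "Person", 1),
          ("person-2", "Person", 0), ("person-2", "Person", 1),
          ("person-3", "Person", 0)]
SNAPSHOTS = [("person-1", "Person", 1), ("person-2", "Person", 0)]
```

With the sample rows, person-2 and person-3 are reported and nothing is deleted; a database holding only person-1's rows passes and is purged.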
Mobile login and mobile step-up authentication behaviour change
From this version of the Onegini IDP the Mobile Login and mobile step-up authentication functionality will no longer work if you are not using the Person ID as the user identifier in the Onegini Token Server.