Upgrade instructions 6.x

NEXT RELEASE

Action token changes

Action token configuration has been moved from the Identity Providers tab to the Features tab. Each action token action now has its own expiration time, so there is no longer a global option to set the expiration time on the token itself. This change required action token API changes: it is no longer possible to set the token expiration time through API calls. All expiration times are now configured in the admin panel, next to the configuration of each token action.

LinkedIn API update

The LinkedIn API has been updated to version 2, which means that applications created before January 14, 2019 may not work. Please update your LinkedIn application configuration if needed.

Quote from LinkedIn page:

All developer applications created on the LinkedIn Developer Portal after January 14, 2019 have access to the LinkedIn v2 API by default. Alternatively, if your developer application has made a successful LinkedIn v1 API request from September 1, 2018 to December 17, 2018, your developer application has immediate access to the v2 API.

Google Authentication API update

6.0.0-M4

Mobile authentication callback URL changes:

  • The step-up and mobile login callback URLs were merged into one and moved to the Token Server system tab in the admin panel (the setting is removed from the Step-up configuration and from Identity Providers).

Features

  • The Search API at /api/v1/persons/search-profile is now deprecated but remains available; the new API version is at /api/v2/persons/search-profile.

Bug fixes

  • Added missing prefix to partitioning feature property descriptor

6.0.0-M1

Mobile Authentication configuration changes:

The Onegini Token Server related configuration properties have been moved to a new section in the Onegini IDP admin console.

Copy the values of the following variables to the corresponding fields in the form under the System -> Token Server tab:

  • IDP_MOBILE_AUTH_API_USERNAME
  • IDP_MOBILE_AUTH_API_PASSWORD
  • IDP_MOBILE_AUTH_API_URL

Copy the values of the following variables to the corresponding fields in the Mobile login form under the Configuration -> Identity Providers tab:

  • IDP_MOBILE_LOGIN_AUTH_TYPE
  • IDP_MOBILE_LOGIN_AVAILABILITY_AUTH_TYPE
  • IDP_MOBILE_LOGIN_MESSAGE
  • IDP_MOBILE_LOGIN_ALLOWED_ATTEMPTS

The configurable mobile login callback property has been moved to the appropriate section in the admin console.

Copy the values of the following variables to the corresponding fields in the Mobile login form under the Smart security -> Step-up authentication configuration tab:

  • IDP_MOBILE_AUTH_TYPE
  • IDP_MOBILE_AUTH_MESSAGE
  • IDP_MOBILE_AUTH_CALLBACK-URL

The following configuration property has been removed:

  • IDP_MOBILE_AVAILABILITY_AUTH TYPE

The LDAP configuration for Mobile Login has been removed; now only the person identifier is used when communicating with the Token Server. Please update the configuration for those users who are coupled with the Token Server via the configured LDAP attribute.

Axon Snapshot synchronization

This procedure is mandatory for existing installations. No work is needed for new installations.

The procedure may take from a couple of minutes to several hours depending on the size of the DomainEventEntry table. These are the required steps:

  1. Consider creating a backup or snapshot of the database before attempting this procedure.
  2. Deploy newest idp-core.
  3. Run snapshot synchronization:
    • Open admin panel,
    • "Configuration" tab,
    • "Event clean up" tab,
    • Press the "Run snapshot synchronization" button.
  4. Wait for the synchronization job to finish. Refresh the page until you see the information that snapshot synchronization has been completed. You can track the progress on the same page: it shows how many events were processed and the processing speed, expressed in events per second.
  5. Stop idp-core.
  6. Run the synchronization verification query manually on the database. The query verifies that there are no events left without a corresponding snapshot. The queries are listed below. Only proceed if the query returns no results.
  7. If the synchronization verification query returned 0 rows, delete all records from the DomainEventEntry table manually.
  8. Start idp-core again.
  9. Make sure regular clean-up via the cron job is enabled (in the same tab of the admin panel as the snapshot synchronization).

If the synchronization verification query returned any rows, this indicates that the synchronization process may have failed in some part. In that case:

  • Do not proceed with the procedure.
  • Start idp-core again and continue using the application normally.
  • Make sure the regular clean-up feature in "Event clean up" tab in Admin Panel is disabled.
  • Contact Onegini Support.

Verification queries:

MySQL

-- Lists aggregates whose newest event has no matching snapshot (at most 100 rows).
SELECT dee.aggregateIdentifier,
       dee.type,
       max(dee.sequenceNumber) AS dee_sequenceNumber,
       max(see.sequenceNumber) AS see_sequenceNumber
FROM DomainEventEntry dee
LEFT JOIN SnapshotEventEntry see ON dee.aggregateIdentifier=see.aggregateIdentifier
AND dee.type=see.type
AND dee.sequenceNumber=see.sequenceNumber
GROUP BY dee.aggregateIdentifier,
         dee.type
HAVING dee_sequenceNumber>see_sequenceNumber
OR see_sequenceNumber IS NULL
LIMIT 100;

Oracle

-- Same check; Oracle does not allow column aliases in HAVING, so the
-- aggregates are repeated and the row limit is applied with rownum.
SELECT o.*
FROM (SELECT dee.aggregateIdentifier,
           dee.type,
           max(dee.sequenceNumber) AS dee_sequenceNumber,
           max(see.sequenceNumber) AS see_sequenceNumber
    FROM DomainEventEntry dee
    LEFT JOIN SnapshotEventEntry see ON dee.aggregateIdentifier=see.aggregateIdentifier
    AND dee.type=see.type
    AND dee.sequenceNumber=see.sequenceNumber
    GROUP BY dee.aggregateIdentifier,
             dee.type
    HAVING max(dee.sequenceNumber) > max(see.sequenceNumber)
    OR max(see.sequenceNumber) IS NULL) o
WHERE rownum < 100;

MSSQL (SQL Server)

-- Same check without a row limit.
SELECT dee.aggregateIdentifier,
       dee.type,
       max(dee.sequenceNumber) AS dee_sequenceNumber,
       max(see.sequenceNumber) AS see_sequenceNumber
FROM DomainEventEntry dee
LEFT JOIN SnapshotEventEntry see ON dee.aggregateIdentifier=see.aggregateIdentifier
AND dee.type=see.type
AND dee.sequenceNumber=see.sequenceNumber
GROUP BY dee.aggregateIdentifier,
         dee.type
HAVING max(dee.sequenceNumber)>max(see.sequenceNumber)
OR max(see.sequenceNumber) IS NULL;
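To make the verification step concrete, the following is an added example (not Onegini's code) that builds an in-memory SQLite database with constructed DomainEventEntry and SnapshotEventEntry rows, runs the verification query (the SQL Server form above, which is portable to SQLite), and gates the step-7 deletion on the query returning no rows. The table layout is an assumption: only the three columns the query references are modelled, plus a placeholder payload column. It shows which aggregates the query flags (a snapshot older than the newest event, or no snapshot at all) and why deleting DomainEventEntry must be refused while any such row exists.

```python
import sqlite3

# Constructed sample rows: (aggregateIdentifier, type, sequenceNumber).
#   p-1: events 0..2, snapshot at 2  -> fully covered, must NOT be flagged
#   p-2: events 0..3, snapshot at 1  -> newest event not covered, flagged
#   p-3: events 0..1, no snapshot    -> flagged (see_sequenceNumber IS NULL)
EVENTS = [
    ("p-1", "Person", 0), ("p-1", "Person", 1), ("p-1", "Person", 2),
    ("p-2", "Person", 0), ("p-2", "Person", 1), ("p-2", "Person", 2), ("p-2", "Person", 3),
    ("p-3", "Person", 0), ("p-3", "Person", 1),
]
SNAPSHOTS_PARTIAL = [("p-1", "Person", 2), ("p-2", "Person", 1)]
SNAPSHOTS_COMPLETE = [("p-1", "Person", 2), ("p-2", "Person", 3), ("p-3", "Person", 1)]

# Verification query as given for SQL Server in the upgrade instructions
# (no alias references in HAVING, so it also runs unchanged on SQLite).
VERIFY_SQL = """
SELECT dee.aggregateIdentifier,
       dee.type,
       max(dee.sequenceNumber) AS dee_sequenceNumber,
       max(see.sequenceNumber) AS see_sequenceNumber
FROM DomainEventEntry dee
LEFT JOIN SnapshotEventEntry see ON dee.aggregateIdentifier=see.aggregateIdentifier
AND dee.type=see.type
AND dee.sequenceNumber=see.sequenceNumber
GROUP BY dee.aggregateIdentifier,
         dee.type
HAVING max(dee.sequenceNumber)>max(see.sequenceNumber)
OR max(see.sequenceNumber) IS NULL
"""


def build_db(events, snapshots):
    """Create an in-memory database with the (assumed, minimal) Axon table layout."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE DomainEventEntry (
            aggregateIdentifier TEXT NOT NULL,
            type TEXT NOT NULL,
            sequenceNumber INTEGER NOT NULL,
            payload BLOB
        );
        CREATE TABLE SnapshotEventEntry (
            aggregateIdentifier TEXT NOT NULL,
            type TEXT NOT NULL,
            sequenceNumber INTEGER NOT NULL,
            payload BLOB
        );
    """)
    conn.executemany("INSERT INTO DomainEventEntry VALUES (?, ?, ?, NULL)", events)
    conn.executemany("INSERT INTO SnapshotEventEntry VALUES (?, ?, ?, NULL)", snapshots)
    conn.commit()
    return conn


def unsynchronised_aggregates(conn):
    """Rows for aggregates whose newest event is not covered by a snapshot (sorted for stable output)."""
    return sorted(conn.execute(VERIFY_SQL).fetchall())


def purge_allowed(conn):
    """Step 6/7 gate: deletion is allowed only when the verification query returns no rows."""
    return not unsynchronised_aggregates(conn)


def purge_domain_events(conn):
    """Step 7: delete all DomainEventEntry rows, refusing if any aggregate is unsynchronised.

    Returns the number of rows deleted. Raises RuntimeError instead of deleting when
    the verification query still reports rows, which is the 'contact support' branch.
    """
    leftovers = unsynchronised_aggregates(conn)
    if leftovers:
        raise RuntimeError(
            f"{len(leftovers)} aggregate(s) not covered by a snapshot, e.g. {leftovers[0]}; not deleting"
        )
    count = conn.execute("SELECT count(*) FROM DomainEventEntry").fetchone()[0]
    conn.execute("DELETE FROM DomainEventEntry")
    conn.commit()
    return count


if __name__ == "__main__":
    before = build_db(EVENTS, SNAPSHOTS_PARTIAL)
    print("flagged before synchronization:", unsynchronised_aggregates(before))
    after = build_db(EVENTS, SNAPSHOTS_COMPLETE)
    print("flagged after synchronization:", unsynchronised_aggregates(after))
    print("events deleted:", purge_domain_events(after))
```

With the partial snapshot set the query reports p-2 (newest event 3, newest snapshot 1) and p-3 (no snapshot), and purge_domain_events refuses; with the complete set it reports nothing and all nine events are deleted.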

Mobile login and mobile step-up authentication behaviour change

From this version of the Onegini IDP on, the Mobile Login and mobile step-up authentication functionality no longer works if you are not using the Person ID as the user identifier in the Onegini Token Server.