Upgrade instructions 5.x
Next version
Changes in documentation
Added a matrix to keep track of compatibility between the IDP core and the IDP Extension SDK.
5.2.0
Changes in API
A new API error code (1043), indicating that a custom attribute's length is too long, has been added.
5.1.0
Changes in configuration
Please note that the feature previously named Activation enabled, which is related to the invitation flow, has been renamed to Accepting invitation enabled in the admin panel.
The new Activation enabled feature in the admin panel is related to the new account flow. See the person activation topic guide for detailed information.
Changes in API
The following API error codes have been updated:
- Verify if person is coupled API - 1027 -> 1030
- Fetch multiple persons profiles API - 1021 -> 1042
- Bad request error response - 1020 -> 1041
- Update person - attempt to define more than one primary email address - 1019 -> 1040
Origins whitelist
The Origins whitelist functionality was renamed to Redirect URL whitelist, as it was extended to support not only the origin parameter but also return_url. See Redirect URL whitelist for details.
5.0.1
Persons partitioning
For customers who have large databases, a migration will be performed that potentially takes a while to complete.
The migrations recreate indexes for the following tables: usernames, failed_password_logins, phone_numbers, custom_attributes.
In order to avoid timeout errors during the migration:
- for MySQL please execute set global wait_timeout=28800 before running the migration;
- for Oracle please run the Onegini IDP with the JAVA_OPTS environment variable that contains the value -Doracle.net.keepAlive=true (it prevents breaking off TCP connections in an environment with firewalls).
5.0.0
New required properties
Two new required properties have been added for the SAML assertion encryption feature. Please define the following properties in the extension configuration.
- IDP_SAML_ENCRYPTION_CERTIFICATE=<ENCRYPTION_CERTIFICATE>
- IDP_SAML_ENCRYPTION_PRIVATEKEY=<ENCRYPTION_PRIVATE_KEY>
Note: For security reasons it is strongly advised to use a separate key for SAML signing and encryption.
Google IdP configuration changes
We are moving to new Google API endpoints. Because of that, the Google IdP requires additional configuration after the update.
An additional required field is scope. To get all the person-related data, this field must be configured with the value https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/user.addresses.read https://www.googleapis.com/auth/user.birthday.read https://www.googleapis.com/auth/user.phonenumbers.read
For information related to mapping attributes, please see the topic guide Configuring Google IdP.
Removed keystore password configuration property
The IDP_SAML_KEYSTORE_PASSWORD configuration property is no longer required by the Onegini IDP. Please remove it from your configuration.
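A pre-upgrade check for the 5.0.0 property changes described above (the two new SAML encryption properties, the advice to keep signing and encryption keys separate, and the removed keystore password), as an added example that is not part of the Onegini documentation. It assumes the extension configuration is a file of KEY=VALUE lines; EXAMPLE_SAML_SIGNING_PRIVATEKEY is a hypothetical name standing in for the property that holds your signing key, and the sample input is constructed.

```python
import re

# SIGNING_KEY is a hypothetical placeholder name; the other names come from the upgrade notes.
REQUIRED = ("IDP_SAML_ENCRYPTION_CERTIFICATE", "IDP_SAML_ENCRYPTION_PRIVATEKEY")
REMOVED = ("IDP_SAML_KEYSTORE_PASSWORD",)
SIGNING_KEY = "EXAMPLE_SAML_SIGNING_PRIVATEKEY"

def parse_properties(text):
    """Parse KEY=VALUE lines (assumed format); skip blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def normalize_key(value):
    """Drop whitespace and escaped newlines so a re-wrapped copy of a key still matches."""
    return re.sub(r"\\n|\s+", "", value)

def check_upgrade_config(text):
    props = parse_properties(text)
    findings = []
    for name in REQUIRED:
        value = props.get(name, "")
        if not value:
            findings.append(f"missing required property {name}")
        elif re.fullmatch(r"<[^>]*>", value):
            findings.append(f"{name} still holds the template placeholder {value}")
    for name in REMOVED:
        if name in props:
            findings.append(f"{name} is no longer required and should be removed")
    enc = normalize_key(props.get("IDP_SAML_ENCRYPTION_PRIVATEKEY", ""))
    sig = normalize_key(props.get(SIGNING_KEY, ""))
    if enc and enc == sig:
        findings.append("SAML encryption and signing use the same private key")
    return findings

# Constructed sample input, not a real configuration.
SAMPLE = """\
EXAMPLE_SAML_SIGNING_PRIVATEKEY=MIIEvconstructedKEY
IDP_SAML_ENCRYPTION_CERTIFICATE=<ENCRYPTION_CERTIFICATE>
IDP_SAML_ENCRYPTION_PRIVATEKEY=MIIEv constructedKEY
IDP_SAML_KEYSTORE_PASSWORD=changeit
"""

print("\n".join(check_upgrade_config(SAMPLE)))
```

The same key pasted with different line wrapping is still reported as reused, because both values are compared after whitespace is removed.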
Removed mail attribute from Identity Provider configuration
Starting from this version, the Onegini IDP no longer allows mapping user attributes to the mail attribute. This configuration option has been removed from the Identity Provider configuration page in the Onegini IDP admin console. If any of your applications, including Onegini's Token Server, is configured or implemented in a way that expects the mail attribute to be returned as part of the SAML Response sent by the Onegini IDP, you need to update it to use the email attribute instead.