Added the possibility to sign up, activate and couple identities in one API call to /api/persons/activated
Added the possibility to sign up an already coupled person without providing a password
Extended the Profile Attributes Update extension point so it can take control of updating profile attributes whenever it is called by the Onegini IDP
Added the possibility to set email parameters such as the from, reply-to and (for admin-related emails) to addresses via message keys,
depending on the user's locale. The newly added message keys are:
onegini.common.email.from
onegini.common.email.replyTo
admin.emailNotifications.toAddress
The JWT keys are now generated and managed by the Onegini IDP. For more details please refer to the Configure JWT Keys chapter
Added the possibility to add a redirect URI to an action token request. For more details please refer to the Action Token topic guide
Added an action token redirect URI whitelist to the admin panel
The email is now marked as verified whenever the email_verified claim is returned by the OIDC provider.
Implemented the right to be forgotten for accounts that have been deleted:
already deleted accounts can be cleaned up in the admin panel
data for accounts deleted since this version is removed automatically
Added support for the OpenID Connect Identity Provider type (currently in beta). For more details please refer to the OIDC topic guide
Added support for the Itsme Identity Provider type (currently in beta)
Added support for the DigiD Identity Provider type. For more details please refer to the DigiD topic guide
Added a new option for modifying existing Velocity engine templates
Header Authentication for Administrator Users
Introduced a new flag, Synchronise Attributes, on the identity provider configuration form that makes it possible to turn attribute synchronisation during sign-in on or off
Added support for profile attributes transformation. For more details see the appropriate topic guide
Added a new search API that includes additional person info (such as account status) in the search result
Added a new password policy rule that blocks the use of passwords that have been discovered in a data breach. It uses data from haveibeenpwned.com
It is now possible to define an IP range in CIDR format for Identity Providers of the LDAP type; only users with a matching IP address are then allowed to log in.
Added support for forced authentication in SAML
A user account can now be activated via an activation link sent by email. For more details please refer to the person activation chapter in the Onegini IDP documentation
Removed the LDAP configuration for the mobile login functionality
Moved the Mobile step-up authentication related properties to the Smart Security - Step-up Authentication configuration section in the admin console. Please check the upgrade instructions for more info
Moved the Mobile Login related properties to the Configuration -> Identity Providers configuration section in the admin console. Please check the upgrade instructions for more info
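The breached-password rule listed above (data from haveibeenpwned.com) is normally implemented against the Pwned Passwords range API, which is queried with only the first five hex characters of the password's SHA-1 hash so that the full hash never leaves the server doing the check. The following is an added example, not Onegini IDP code: it implements that lookup in Python, with the HTTP call replaced by a constructed range response so it runs offline. The endpoint URL is the public range API; the breached passwords, their counts, and the surrounding `check_password_policy` wrapper are constructed assumptions.

```python
"""Breached-password check against a Pwned Passwords style range API.

Added example (not Onegini IDP code). The k-anonymity range lookup sends only
the first 5 hex characters of the password's SHA-1 hash; the response lists every
known hash suffix for that prefix with its breach count, and the comparison is
done locally.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # public range API


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    to the API and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF separated) into a suffix -> count map."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.strip().upper()] = int(count)
    return counts


def fetch_range_http(prefix: str) -> str:
    """Live lookup (not used by the offline demo). The API requires a User-Agent."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "example-password-policy"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in the breach corpus (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


# --- constructed fixture standing in for the live API -------------------------
CONSTRUCTED_BREACHED = {"password": 1000, "letmein": 250}  # made-up counts


def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in: emits the suffix:count lines the API would return for
    this prefix, plus one unrelated filler suffix so the body is never empty."""
    lines: List[str] = []
    for pw, count in CONSTRUCTED_BREACHED.items():
        p, s = sha1_prefix_suffix(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    lines.append("0" * 35 + ":1")
    return "\r\n".join(lines)


def check_password_policy(password: str,
                          fetch_range: Callable[[str], str] = fake_fetch_range,
                          min_length: int = 8) -> List[str]:
    """Assumed policy wrapper: returns the list of violated rules (empty = OK).
    A failed breach lookup is reported as its own entry so the caller decides
    whether to fail open or closed instead of silently accepting the password."""
    violations: List[str] = []
    if len(password) < min_length:
        violations.append("too_short")
    try:
        n = breach_count(password, fetch_range)
    except Exception:
        violations.append("breach_check_unavailable")
    else:
        if n > 0:
            violations.append(f"breached:{n}")
    return violations


if __name__ == "__main__":
    for candidate in ("password", "letmein", "a-long-unbreached-passphrase-xyz"):
        print(candidate, "->", check_password_policy(candidate))
```

Whether an unreachable breach service should block password changes or let them through is a deployment decision; the wrapper surfaces the outage as a distinct result rather than hiding it inside "not breached".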
Improvements
Added the "user_id" parameter to the Search Events API endpoint to allow searching for events associated with a specific user.
Made all actions on action token creation atomic; each of them can now be processed independently.
Updated GitlabCI and Java docker images
Changed the way the redirect URI is chosen when the Action Token is created. For more information please refer to the Action Token documentation
The Action Token REST APIs now respond with more precise error messages
The Onegini IDP now processes the actions assigned to an Action Token transactionally
Extended the list of entries that inform the extension about updated attributes for a particular person
Added error handling on both sides of token processing (token creation and token usage)
The Update attributes extension point is now also called directly after sign-up
Moved the Data clean-up section from the Configuration tab to the System tab in the admin panel
Added automatic removal of expired mobile transactions. For more information please refer to the Token Server Configuration
Changed the default order of resolving messages so that all locale-specific bundles are checked before the default ones. For more information please refer to the Messages resolution order
Geolocation data is now sent to the Onegini Token Server (if it is available) when using QR code login or mobile login
Added an IdpObjectMapper instance that is expected to be used for serializing/deserializing communication between the extension and the CIM core
Replaced CustomObjectMapper with an ExtensionObjectMapper instance that is expected to be used for serializing/deserializing communication between the idp-extension and the CIM core
Improved the person lookup view in the admin panel by displaying the partition list only if partitioning is enabled
Metadata for OpenID Connect and itsme identity providers is now cached in Redis
Axon snapshots for deleted accounts are removed from the database directly after deleting the person (GDPR regulations)
Turned off default email verification during automatic sign-up and introduced a "verified by default" checkbox in the external IdP attribute mapping configuration.
Added an option to manually configure an OpenID Connect identity provider
Added an option to force User Info encryption for the OpenID Connect identity provider
Added ACR security level configuration to the itsme identity provider
Updated LinkedIn API to version 2
Migrated from Google Plus Sign-In
Added an option to choose the Assertion Consumer Service URL in the SAML response based on the URL or index specified in the SAML request
Added a versions matrix to keep track of compatibility between the Onegini IDP and the IDP Extension SDK
Extended the ProfileAttributesUpdateExtensionPoint extension point, which is triggered whenever a person's profile attributes are updated, with a new property containing the whole up-to-date profile representation
Added IP range configuration for LDAP identity providers.
When the email tag is not set, it will not be returned within the OAuth flows. A sample response structure can be found in the SDK integration docs
Bug fixes
Notifications can now be sent to a user in the CREATED state when activation is not required
A user can now successfully register in the Onegini IDP in the SAML flow with the ForceAuthn flag set to true
The verified flag is now respected when creating or updating a person's attributes via the Person API
The ui-extension URL validation now works as expected when both the Onegini IDP and the ui-extension are deployed behind a load balancer
Fixed a bug causing a person's custom attributes, set via either an API call or the Onegini IDP extension, to be removed during the attribute synchronization process
Fixed a problem with coupling a person's account via the Create signed-up person endpoint while more than one Identity Provider of the given type is enabled.
Since this version it is not possible to create and couple an account while more than one identity provider of the same type is enabled. The error "More than one identity provider with given type enabled" (1053) is returned in such a case
Fixed a problem with the encoding of non-ASCII characters in data sent via HTML forms. More information in the upgrade instructions
Fixed the copyright year in emails so that it updates every year
Fixed a bug with deleting and adding a custom attribute with the same name
Fixed an issue with the uid-urn:oid:0.9.2342.19200300.100.1.1 SAML attribute value not being returned in the SAML AuthnResponse
Fixed an error that prevented an administrator from updating the Mobile Login configuration
Fixed an issue with the welcome email being sent before user activation
Fixed the authentication level not being returned as part of the SAML response when the ECP binding is used
Fixed attribute synchronization when LDAP user credentials are validated via the Credentials API
Fixed profile attributes not being returned in the SAML response
Fixed an issue occurring after removing all custom attributes
A SAML error is now returned when authentication with a social Identity Provider fails
Fixed a non-unique list of translations in the SAML metadata
Fixed a credentials validation issue for blocked and inactive persons
Fixed the SAML Single Logout functionality, which did not redirect to the origin URL parameter
Fixed an issue preventing users from performing mobile authentication after an external IdP login
Fixed an issue with coupling a person who has a / character within the external ID
Fixed a bug with duplicated primary emails on the extension side when updating a person via the API
6.0.0-M16
Features
Added support for person migration when a password reset is triggered for an account without a Username & Password identity coupled
Bug fixes
A user can now successfully register in the Onegini IDP in the SAML flow with the ForceAuthn flag set to true
6.0.0-M15
Improvements
Updated GitlabCI and Java docker images
Bug fixes
The verified flag is now respected when creating or updating a person's attributes via the Person API
The ui-extension URL validation now works as expected when both the Onegini IDP and the ui-extension are deployed behind a load balancer
6.0.0-M14
Improvements
Changed the way the redirect URI is chosen when the Action Token is created. For more information please refer to the Action Token documentation
The Action Token REST APIs now respond with more precise error messages
The Onegini IDP now processes the actions assigned to an Action Token transactionally
Bug fixes
Fixed a bug causing a person's custom attributes, set via either an API call or the Onegini IDP extension, to be removed during the attribute synchronization process
6.0.0-M13
Improvements
Extended the list of entries that inform the extension about updated attributes for a particular person
Added error handling on both sides of token processing (token creation and token usage)
The Update attributes extension point is now also called directly after sign-up
6.0.0-M11
Features
Added the "send_notification" flag to the /api/persons/{person_id}/tokens endpoint to allow sending email notifications after a token has been generated
Moved the Action Token related classes to the SDK: ActionType, ActionTokenProcessResult, ActionTokenApiExecutionStatus, ActionTokenProcessResponse
Added a new login method using a QR code. More information in the documentation
Improvements
Moved the Data clean-up section from the Configuration tab to the System tab in the admin panel
Added automatic removal of expired mobile transactions. For more information please refer to the Token Server Configuration
Changed the default order of resolving messages so that all locale-specific bundles are checked before the default ones. For more information please refer to the Messages resolution order
Geolocation data is now sent to the Onegini Token Server (if it is available) when using QR code login or mobile login
Added an IdpObjectMapper instance that is expected to be used for serializing/deserializing communication between the extension and the CIM core
Replaced CustomObjectMapper with an ExtensionObjectMapper instance that is expected to be used for serializing/deserializing communication between the idp-extension and the CIM core
Bug fixes
Fixed a problem with coupling a person's account via the Create signed-up person endpoint while more than one Identity Provider of the given type is enabled.
Since this version it is not possible to create and couple an account while more than one identity provider of the same type is enabled. The error "More than one identity provider with given type enabled" (1053) is returned in such a case
6.0.0-M10
Features
Added the email SAML attribute with a valid URN
Introduced a new API for validating Action Tokens. Please refer to the documentation for more details
Added the possibility to sign up, activate and couple identities in one API call to /api/persons/activated
Added the possibility to sign up an already coupled person without providing a password
Extended the Profile Attributes Update extension point so it can take control of updating profile attributes whenever it is called by the Onegini IDP
Added the possibility to set email parameters such as the from, reply-to and (for admin-related emails) to addresses via message keys,
depending on the user's locale. The newly added message keys are:
onegini.common.email.from
onegini.common.email.replyTo
admin.emailNotifications.toAddress
The JWT keys are now generated and managed by the Onegini IDP. For more details please refer to the Configure JWT Keys chapter
Bug fixes
Fixed an issue with the uid-urn:oid:0.9.2342.19200300.100.1.1 SAML attribute value not being returned in the SAML AuthnResponse
Fixed an error that prevented an administrator from updating the Mobile Login configuration
6.0.0-M7
Features
Added the possibility to add a redirect URI to an action token request. For more details please refer to the Action Token topic guide
Added an action token redirect URI whitelist to the admin panel
The email is now marked as verified whenever the email_verified claim is returned by the OIDC provider.
Implemented the right to be forgotten for accounts that have been deleted:
already deleted accounts can be cleaned up in the admin panel
data for accounts deleted since this version is removed automatically
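The redirect URI whitelist for action tokens above is only as strong as the matching rule behind it. The following is an added example, not Onegini IDP code, of the strict comparison a practitioner would expect: the requested URI is accepted only when its scheme, host, port and path exactly equal a configured entry after normalisation (case-insensitive scheme and host, default ports folded in). The rejection of user-info, query and fragment components and the fallback-to-default selection in `choose_redirect_uri` are assumed policy, not something the page specifies.

```python
"""Allowlist validation for an action token redirect URI.

Added example (not Onegini IDP code). A requested redirect URI is accepted only
if, after normalisation, its scheme, host, port and path exactly equal an entry
configured by the administrator. Prefix or host-only matching is deliberately
not used, since such rules are a common source of redirect validation bugs.
"""
from typing import Iterable, Optional, Set, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}
NormalizedUri = Tuple[str, str, int, str]  # (scheme, host, port, path)


def normalize_redirect_uri(uri: str) -> Optional[NormalizedUri]:
    """Return (scheme, host, port, path) or None when the URI is not acceptable.
    Assumed policy: it must be absolute, use http(s), and carry no user-info,
    query or fragment, so that only a fixed, fully specified target can match."""
    parts = urlsplit(uri.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None
    if parts.query or parts.fragment:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:  # non-numeric or out-of-range port
        return None
    path = parts.path or "/"
    return scheme, parts.hostname.lower(), port, path


def load_allowlist(entries: Iterable[str]) -> Set[NormalizedUri]:
    """Normalise the configured entries once. An entry that does not normalise is
    a configuration error and is reported instead of being skipped silently."""
    allowed: Set[NormalizedUri] = set()
    for entry in entries:
        norm = normalize_redirect_uri(entry)
        if norm is None:
            raise ValueError(f"invalid allowlist entry: {entry!r}")
        allowed.add(norm)
    return allowed


def is_redirect_uri_allowed(requested: str, allowlist: Set[NormalizedUri]) -> bool:
    """Exact match against the normalised allowlist; anything unparsable is denied."""
    norm = normalize_redirect_uri(requested)
    return norm is not None and norm in allowlist


def choose_redirect_uri(requested: Optional[str], allowlist: Set[NormalizedUri],
                        default: str) -> str:
    """Assumed selection rule: honour the requested URI only when it is
    allowlisted, otherwise fall back to the configured default."""
    if requested and is_redirect_uri_allowed(requested, allowlist):
        return requested
    return default


if __name__ == "__main__":
    # Constructed configuration for the demo.
    allowlist = load_allowlist(["https://app.example.com/done"])
    for candidate in ("https://APP.example.com:443/done",
                      "http://app.example.com/done",
                      "https://app.example.com/done/extra"):
        print(candidate, "->", is_redirect_uri_allowed(candidate, allowlist))
```

Because the comparison happens on the normalised tuple, an entry written as `https://app.example.com/done` and a request for `https://APP.example.com:443/done` match, while a different scheme, port, path or a query string do not.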
Bug fixes
Fixed an issue with the welcome email being sent before user activation
Improvements
Metadata for OpenID Connect and itsme identity providers is now cached in Redis
Axon snapshots for deleted accounts are removed from the database directly after deleting the person (GDPR regulations)
Turned off default email verification during automatic sign-up and introduced a "verified by default" checkbox in the external IdP attribute mapping configuration.
Added an option to manually configure an OpenID Connect identity provider
Added an option to force User Info encryption for the OpenID Connect identity provider
Added ACR security level configuration to the itsme identity provider
6.0.0-M6
Features
Added support for the OpenID Connect Identity Provider type (currently in beta). For more details please refer to the OIDC topic guide
Added support for the Itsme Identity Provider type (currently in beta)
Added support for the DigiD Identity Provider type. For more details please refer to the DigiD topic guide
Added a new option for modifying existing Velocity engine templates
Bug fixes
Fixed the authentication level not being returned as part of the SAML response when the ECP binding is used
Fixed attribute synchronization when LDAP user credentials are validated via the Credentials API
6.0.0-M5
Features
Header Authentication for Administrator Users
Introduced a new flag, Synchronise Attributes, on the identity provider configuration form that makes it possible to turn attribute synchronisation during sign-in on or off
Improvements
Updated LinkedIn API to version 2
Migrated from Google Plus Sign-In
Added an option to choose the Assertion Consumer Service URL in the SAML response based on the URL or index specified in the SAML request
Fixed a non-unique list of translations in the SAML metadata
6.0.0-M3
Features
It is now possible to define an IP range in CIDR format for Identity Providers of the LDAP type; only users with a matching IP address are then allowed to log in.
Added support for forced authentication in SAML
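The CIDR restriction for LDAP identity providers listed above is a small piece of logic, but the details matter: misconfigured ranges should fail loudly, unparsable client addresses should be denied rather than ignored, and an IPv4 client must never match an IPv6 range. The following is an added example, not Onegini IDP code, using Python's standard `ipaddress` module; the `ldap_login_permitted` helper and its rule that an IdP with no ranges configured is unrestricted are assumptions, as is the sample configuration.

```python
"""CIDR-based client IP restriction for an LDAP identity provider.

Added example (not Onegini IDP code): the configured ranges are parsed once with
the standard ipaddress module and the client IP is matched against them at login.
"""
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_allowed_ranges(cidrs: Iterable[str]) -> List[Network]:
    """Parse configured CIDR strings. strict=True rejects entries whose host bits
    are set (e.g. '10.1.2.3/8'), so a mistyped range fails at configuration time
    instead of silently allowing a different block than the one intended.
    A bare address such as '192.168.1.10' becomes a single-host network."""
    networks: List[Network] = []
    for cidr in cidrs:
        cidr = cidr.strip()
        if not cidr:
            continue
        try:
            networks.append(ipaddress.ip_network(cidr, strict=True))
        except ValueError as exc:
            raise ValueError(f"invalid CIDR range {cidr!r}: {exc}") from exc
    return networks


def is_ip_allowed(client_ip: str, networks: List[Network]) -> bool:
    """True if client_ip lies in any configured network. Unparsable addresses
    are denied rather than treated as a match; the ipaddress module compares
    address families, so an IPv4 client never matches an IPv6 range."""
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in networks)


def ldap_login_permitted(client_ip: str, configured_ranges: Iterable[str]) -> bool:
    """Assumed decision helper: an IdP with no ranges configured is unrestricted,
    otherwise the client must fall inside one of them. client_ip must be the
    address the application actually trusts (the socket peer, or a forwarded
    address only when it was set by a trusted load balancer)."""
    networks = parse_allowed_ranges(configured_ranges)
    if not networks:
        return True
    return is_ip_allowed(client_ip, networks)


if __name__ == "__main__":
    # Constructed sample configuration for the demo.
    sample_ranges = ["10.0.0.0/8", "2001:db8::/32", "192.168.1.10"]
    for ip in ("10.20.30.40", "192.168.1.11", "2001:db8::1", "not-an-ip"):
        print(ip, "->", ldap_login_permitted(ip, sample_ranges))
```

When the IDP sits behind a load balancer the address seen on the socket is the balancer's, so the value passed as `client_ip` has to be the one the deployment has decided to trust; the check itself cannot tell a forwarded header from a real peer address.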
Improvements
Updated Mobile Authentication APIs
Bug fixes
Fixed a credentials validation issue for blocked and inactive persons
6.0.0-M2
Features
A user account can now be activated via an activation link sent by email. For more details please refer to the person activation chapter in the Onegini IDP documentation
Added a versions matrix to keep track of compatibility between the Onegini IDP and the IDP Extension SDK
Extended the ProfileAttributesUpdateExtensionPoint extension point, which is triggered whenever a person's profile attributes are updated, with a new property containing the whole up-to-date profile representation
Added IP range configuration for LDAP identity providers.
Bug fixes
Fixed the SAML Single Logout functionality, which did not redirect to the origin URL parameter
6.0.0-M1
Features
Removed the LDAP configuration for the mobile login functionality
Moved the Mobile step-up authentication related properties to the Smart Security - Step-up Authentication configuration section in the admin console. Please check the upgrade instructions for more info
Moved the Mobile Login related properties to the Configuration -> Identity Providers configuration section in the admin console. Please check the upgrade instructions for more info
Improvements
When the email tag is not set, it will not be returned within the OAuth flows. A sample response structure can be found in the SDK integration docs
Bug fixes
Fixed an issue preventing users from performing mobile authentication after an external IdP login
Fixed an issue with coupling a person who has a / character within the external ID