Release notes 6.x

6.3.0

Features

Improvements

  • Improved database connection pool performance

Bug fixes

  • Fixed an issue with updating multiple custom attributes when calling the Person API update person endpoint

6.2.2

Bug fixes

  • Fixed a person aggregate deserialization issue caused by class repackaging

6.2.1

Improvements

  • Added the possibility to enable experimental features in the Features section

Bug fixes

  • Fixed an issue where redirecting to a whitelisted origin URL would fail in some cases
  • Email validity is now visible inside the email content in the case of a password reset
  • Fixed an issue that caused an infinite redirect loop when a user's email address was verified by an API update call while email verification was enabled.

6.2.0

Features

Improvements

  • Added support for displaying RequestDenied and PartialLogout DigiD error messages.
  • The Onegini IDP can now load configuration from the extension repeatedly.
  • When acting as a SAML Service Provider the Onegini IDP will advertise within its metadata that it sends the AuthnRequest signed (AuthnRequestsSigned=true)

Bug fixes

  • Fixed an issue where the user could be redirected to the Redirect to URL after login in the SAML authorization flow when consuming an action token in the web flow
  • Users can now successfully log in with a QR code when starting and finishing the flow on the same mobile device
  • Fixed possible login issues when the activation feature was enabled
  • Added locale resolution with variant code after redirect from invitation and verification emails

6.1.1

Improvements

  • Added the possibility to run migrations out of order with the environment variable IDP_DATABASE_MIGRATIONS_OUTOFORDER

Bug fixes

  • Fixed an issue where the user could be redirected to the Redirect to URL after login in the SAML authorization flow when consuming an action token in the web flow
  • Fixed an Axon deserialization issue caused by a missing event definition

6.1.0

Features

  • The migration during sign up feature can now be toggled per Identity Provider type
  • Added the possibility to authenticate via an LDAP identity provider in the SAML ECP flow
  • Added detailed information about the reason why SAML login failed
  • Added a new extension point for person pre-creation processing. Please see the topic guide for details.

Improvements

  • Changed the maximum length of the custom attribute value from 255 to 2047
  • Added support for setting customized or randomized admin password during initial install
  • Custom messages with default locale can now be set in admin panel and are resolved correctly
  • Improved application performance by additional data caching

Bug fixes

  • DigiD is now correctly resolved as a SAML IdP for attribute mapping
  • An email verification is now sent after the email is updated via the API while the user is not activated
  • The invitation flow with a return URL is now possible
  • Fixed a bug that allowed an unfinished Post Process Action to be skipped
  • Fixed identity linking for SAML identity providers on the dashboard page
  • Fixed a bug that allowed unintentional IdP coupling

6.0.0

Features

  • Added support for person migration when a password reset is triggered for an account without a Username&Password identity coupled
  • Added the "send_notification" flag to the /api/persons/{person_id}/tokens endpoint to allow sending email notifications after the token has been generated
  • Moved the Action Token related classes (ActionType, ActionTokenProcessResult, ActionTokenApiExecutionStatus, ActionTokenProcessResponse) to the SDK
  • Added a new login method using a QR code. More information in the documentation
  • Added an email SAML attribute with a valid URN
  • Introduced a new API for validating Action Tokens; please refer to the documentation for more details
  • Marked the old Action Token credentials API as deprecated
  • Added a new post-process action, Force UnP identity. For more information please refer to the Authentication post process actions chapter
  • Added the possibility to sign up, activate and couple identities in one API call to /api/persons/activated
  • Added the possibility to sign up an already coupled person without providing a password
  • Extended the Profile Attributes Update extension point to take control of updating profile attributes whenever it is called by the Onegini IDP
  • Added the possibility to set email parameters such as the from, reply-to and to address (for admin related emails) via message keys depending on the user's locale. The newly added message keys are:
    • onegini.common.email.from
    • onegini.common.email.replyTo
    • admin.emailNotifications.toAddress
  • The JWT keys are now generated and managed by the Onegini IDP. For more details please refer to the Configure JWT Keys chapter
  • Added the possibility to add a redirect URI to the action token request. For more details please refer to the Action Token topic guide
  • Added an action token redirect URI whitelist to the admin panel
  • Email is now marked as verified whenever the email_verified claim is returned by the OIDC provider.
  • Implemented the right to be forgotten for accounts that have been deleted
    • already deleted accounts can be cleaned up in the admin panel
    • data for accounts deleted since this version is removed automatically
  • Added support for the OpenID Connect Identity Provider type (currently in beta). For more details please refer to the OIDC topic guide
  • Added support for the Itsme Identity Provider type (currently in beta)
  • Added support for the DigiD Identity Provider type. For more details please refer to the DigiD topic guide
  • Added a new option for modifying existing Velocity engine templates
  • Header Authentication for Administrator Users
  • Introduced a new flag, Synchronise Attributes, on the identity provider configuration form that makes it possible to turn attribute synchronisation during sign in on or off
  • Added support for profile attribute transformation. For more details see the appropriate topic guide
  • Added a new search API that includes additional person info (such as account status) in the search result
  • Added a new password policy rule that blocks the use of passwords that have been discovered in a data breach. It uses data from haveibeenpwned.com
  • It is now possible to define an IP range in CIDR format for Identity Providers of the LDAP type, which allows only users with a matching IP address to log in.
  • Added support for forced authentication in SAML
  • A user account can now be activated via an activation link sent by email. For more details please refer to the person activation chapter in the Onegini IDP documentation
  • Removed the LDAP configuration for the mobile login functionality
  • Extended the configuration API with attribute validation rules
  • Moved the Mobile step-up authentication related properties to the Smart Security - Step-up Authentication configuration section in the admin console; please check the upgrade instructions for more info
  • Moved the Mobile Login related properties to the Configuration -> Identity Providers configuration section in the admin console; please check the upgrade instructions for more info

Improvements

  • Added the "user_id" parameter to the Search Events API endpoint to allow searching for events associated with a specific user.
  • Made all actions on action token creation atomic. Each of them can now be processed independently.
  • Updated GitlabCI and Java docker images
  • Changed the way the redirect URI is chosen when the Action Token is created. For more information please refer to the Action Token documentation
  • The Action Token REST APIs will now respond with more precise error messages
  • The Onegini IDP now processes the actions assigned to an Action Token transactionally
  • Extended the list of entries that informs the extension about updated attributes for a particular person
  • The tokens validate endpoint has been deprecated
  • Added error handling on both sides of token processing (token creation and token usage)
  • The Update attributes extension point is now also called directly after sign up
  • Moved the Data clean-up section from the Configuration tab to the System tab in the admin panel
  • Added automatic removal of expired mobile transactions. For more information please refer to the Token Server Configuration
  • Changed the default order of resolving messages to check all of the locale-specific bundles before using the default ones. For more information please refer to the Messages resolution order
  • Geolocation data is now sent to the Onegini Token Server (if available) when using QR code login or mobile login
  • Added an IdpObjectMapper instance that is expected to be used for serializing/deserializing communication between the extension and the CIM core
  • Replaced CustomObjectMapper with an ExtensionObjectMapper instance that is expected to be used for serializing/deserializing communication between the idp-extension and the CIM core
  • Improved the person lookup view in the admin panel by displaying the partition list only if partitioning is enabled
  • Metadata for OpenID Connect and itsme identity providers is now cached in Redis
  • Axon snapshots for deleted accounts are removed from the database directly after deleting the person (GDPR regulations)
  • Turned off default email verification during automatic sign up and introduced a verified by default checkbox in the external IdP attribute mapping configuration.
  • Added an option to manually configure an OpenID Connect identity provider
  • Added an option to force User Info encryption for the OpenID Connect identity provider
  • Added ACR security level configuration to the itsme identity provider
  • Updated LinkedIn API to version 2
  • Migrated from Google Plus Sign-In
  • Added an option to choose the Assertion Consumer Service URL in the SAML response based on the URL or index specified in the SAML request
  • Extended the credentials validation API to validate LDAP credentials
  • Merged the step-up and mobile login callback URL configuration and moved it to the Token Server Configuration in the System tab in the admin panel
  • The Search API is now deprecated and is additionally available from /api/v1/persons/search-profile; the new search API is available under /api/v2/persons/search
  • Added signature handling to SAML metadata
  • Added overall and time period user activation statistics to the admin panel
  • The action token configuration has been changed. See Action token configuration for details
  • Updated Mobile Authentication APIs
  • Person partitioning extended to login with external identity providers
  • Added a versions matrix to keep track of compatibility between the Onegini IDP and the IDP Extension SDK
  • Extended the ProfileAttributesUpdateExtensionPoint extension point, which is triggered whenever a person's profile attributes are updated, with a new property containing the whole up-to-date profile representation
  • Added IP range configuration for LDAP identity providers.
  • When the email tag is not set it will not be returned within the OAuth flows. A sample response structure can be found in the SDK integration docs

Bug fixes

  • Notifications can be sent to a user that is in the CREATED state when activation is not required
  • A user can now successfully register in the Onegini IDP in the SAML flow with the ForceAuthn flag set to true
  • The verified flag is now respected when creating or updating a person's attributes via the Person API
  • The ui-extension URL validation is now working as expected when both the Onegini IDP and the ui-extension are deployed behind a load balancer
  • Fixed a bug causing a person's custom attributes, set via either an API call or the Onegini IDP extension, to be removed during the attribute synchronization process
  • Fixed a problem with coupling a person's account via the Create signed-up person endpoint while more than one Identity Provider of the given type is enabled. Since this version it is not possible to create and couple an account while more than one identity provider of the same type is enabled; the error More than one identity provider with given type enabled (1053) is returned in that case
  • Fixed a problem with the encoding of non-ASCII characters in data sent via HTML forms. More information in the upgrade instructions
  • Fixed the copyright in emails so that it updates every year
  • Fixed a bug with deleting and adding a custom attribute with the same name
  • Fixed an issue with the uid-urn:oid:0.9.2342.19200300.100.1.1 SAML attribute value not being returned in the SAML AuthnResponse
  • Fixed an error which prevented an administrator from updating the Mobile Login configuration
  • Fixed an issue with the welcome email being sent before user activation
  • Fixed the authentication level not being returned as part of the SAML response when the ECP binding is used
  • Fixed attribute synchronization when LDAP user credentials are validated via the Credentials API
  • Fixed profile attributes not being returned in the SAML response
  • Fixed an issue after removing all custom attributes
  • A SAML error is now returned when authentication with a social Identity Provider fails
  • Fixed a non-unique list of translations in the SAML metadata
  • Fixed a credentials validation issue for blocked and inactive persons
  • Fixed the SAML Single Logout functionality, which did not redirect to the origin URL parameter
  • Fixed an issue preventing users from performing mobile authentication after external IdP login
  • Fixed an issue with coupling a person who has a / character in the external id
  • Fixed a bug with duplicated primary emails on the extension side when updating a person via the API

6.0.0-M16

Features

  • Added support for person migration when a password reset is triggered for an account without a Username&Password identity coupled

Bug fixes

  • A user can now successfully register in the Onegini IDP in the SAML flow with the ForceAuthn flag set to true

6.0.0-M15

Improvements

  • Updated GitlabCI and Java docker images

Bug fixes

  • The verified flag is now respected when creating or updating a person's attributes via the Person API
  • The ui-extension URL validation is now working as expected when both the Onegini IDP and the ui-extension are deployed behind a load balancer

6.0.0-M14

Improvements

  • Changed the way the redirect URI is chosen when the Action Token is created. For more information please refer to the Action Token documentation
  • The Action Token REST APIs will now respond with more precise error messages
  • The Onegini IDP now processes the actions assigned to an Action Token transactionally

Bug fixes

  • Fixed a bug causing a person's custom attributes, set via either an API call or the Onegini IDP extension, to be removed during the attribute synchronization process

6.0.0-M13

Improvements

6.0.0-M12

Improvements

  • Added error handling on both sides of token processing (token creation and token usage)
  • The Update attributes extension point is now also called directly after sign up

6.0.0-M11

Features

  • Added the "send_notification" flag to the /api/persons/{person_id}/tokens endpoint to allow sending email notifications after the token has been generated
  • Moved the Action Token related classes (ActionType, ActionTokenProcessResult, ActionTokenApiExecutionStatus, ActionTokenProcessResponse) to the SDK
  • Added a new login method using a QR code. More information in the documentation

Improvements

  • Moved the Data clean-up section from the Configuration tab to the System tab in the admin panel
  • Added automatic removal of expired mobile transactions. For more information please refer to the Token Server Configuration
  • Changed the default order of resolving messages to check all of the locale-specific bundles before using the default ones. For more information please refer to the Messages resolution order
  • Geolocation data is now sent to the Onegini Token Server (if available) when using QR code login or mobile login
  • Added an IdpObjectMapper instance that is expected to be used for serializing/deserializing communication between the extension and the CIM core
  • Replaced CustomObjectMapper with an ExtensionObjectMapper instance that is expected to be used for serializing/deserializing communication between the idp-extension and the CIM core

Bug fixes

  • Fixed a problem with coupling a person's account via the Create signed-up person endpoint while more than one Identity Provider of the given type is enabled. Since this version it is not possible to create and couple an account while more than one identity provider of the same type is enabled; the error More than one identity provider with given type enabled (1053) is returned in that case

6.0.0-M10

Features

Improvements

  • Improved the person lookup view in the admin panel by displaying the partition list only if partitioning is enabled

Bug fixes

  • Fixed a problem with the encoding of non-ASCII characters in data sent via HTML forms. More information in the upgrade instructions
  • Fixed the copyright in emails so that it updates every year

6.0.0-M9

Bug fixes

  • Fixed a bug with deleting and adding a custom attribute with the same name

6.0.0-M8

Features

  • Added a new post-process action, Force UnP identity. For more information please refer to the Authentication post process actions chapter
  • Added the possibility to sign up, activate and couple identities in one API call to /api/persons/activated
  • Added the possibility to sign up an already coupled person without providing a password
  • Extended the Profile Attributes Update extension point to take control of updating profile attributes whenever it is called by the Onegini IDP
  • Added the possibility to set email parameters such as the from, reply-to and to address (for admin related emails) via message keys depending on the user's locale. The newly added message keys are:
    • onegini.common.email.from
    • onegini.common.email.replyTo
    • admin.emailNotifications.toAddress
  • The JWT keys are now generated and managed by the Onegini IDP. For more details please refer to the Configure JWT Keys chapter

Bug fixes

  • Fixed an issue with the uid-urn:oid:0.9.2342.19200300.100.1.1 SAML attribute value not being returned in the SAML AuthnResponse
  • Fixed an error which prevented an administrator from updating the Mobile Login configuration

6.0.0-M7

Features

  • Added the possibility to add a redirect URI to the action token request. For more details please refer to the Action Token topic guide
  • Added an action token redirect URI whitelist to the admin panel
  • Email is now marked as verified whenever the email_verified claim is returned by the OIDC provider.
  • Implemented the right to be forgotten for accounts that have been deleted
    • already deleted accounts can be cleaned up in the admin panel
    • data for accounts deleted since this version is removed automatically

Bug fixes

  • Fixed an issue with the welcome email being sent before user activation

Improvements

  • Metadata for OpenID Connect and itsme identity providers is now cached in Redis
  • Axon snapshots for deleted accounts are removed from the database directly after deleting the person (GDPR regulations)
  • Turned off default email verification during automatic sign up and introduced a verified by default checkbox in the external IdP attribute mapping configuration.
  • Added an option to manually configure an OpenID Connect identity provider
  • Added an option to force User Info encryption for the OpenID Connect identity provider
  • Added ACR security level configuration to the itsme identity provider

6.0.0-M6

Features

  • Added support for the OpenID Connect Identity Provider type (currently in beta). For more details please refer to the OIDC topic guide
  • Added support for the Itsme Identity Provider type (currently in beta)
  • Added support for the DigiD Identity Provider type. For more details please refer to the DigiD topic guide
  • Added a new option for modifying existing Velocity engine templates

Bug fixes

  • Fixed the authentication level not being returned as part of the SAML response when the ECP binding is used
  • Fixed attribute synchronization when LDAP user credentials are validated via the Credentials API

6.0.0-M5

Features

  • Header Authentication for Administrator Users
  • Introduced a new flag, Synchronise Attributes, on the identity provider configuration form that makes it possible to turn attribute synchronisation during sign in on or off

Improvements

  • Updated LinkedIn API to version 2
  • Migrated from Google Plus Sign-In
  • Added an option to choose the Assertion Consumer Service URL in the SAML response based on the URL or index specified in the SAML request
  • Extended the credentials validation API to validate LDAP credentials

Bug fixes

  • Fixed profile attributes not being returned in the SAML response
  • Fixed an issue after removing all custom attributes
  • A SAML error is now returned when authentication with a social Identity Provider fails

6.0.0-M4

Features

  • Added support for profile attribute transformation. For more details see the appropriate topic guide
  • Added a new search API that includes additional person info (such as account status) in the search result
  • Added a new password policy rule that blocks the use of passwords that have been discovered in a data breach. It uses data from haveibeenpwned.com

Improvements

  • Merged the step-up and mobile login callback URL configuration and moved it to the Token Server Configuration in the System tab in the admin panel
  • The Search API is now deprecated and is additionally available from /api/v1/persons/search-profile; the new search API is available under /api/v2/persons/search
  • Added signature handling to SAML metadata
  • Added overall and time period user activation statistics to the admin panel
  • The action token configuration has been changed. See Action token configuration for details

Bug fixes

  • Fixed a non-unique list of translations in the SAML metadata

6.0.0-M3

Features

  • It is now possible to define an IP range in CIDR format for Identity Providers of the LDAP type, which allows only users with a matching IP address to log in.
  • Added support for forced authentication in SAML

Improvements

  • Updated Mobile Authentication APIs

Bug fixes

  • Fixed a credentials validation issue for blocked and inactive persons

6.0.0-M2

Features

  • A user account can now be activated via an activation link sent by email. For more details please refer to the person activation chapter in the Onegini IDP documentation

Improvements

  • Person partitioning extended to login with external identity providers
  • Added a versions matrix to keep track of compatibility between the Onegini IDP and the IDP Extension SDK
  • Extended the ProfileAttributesUpdateExtensionPoint extension point, which is triggered whenever a person's profile attributes are updated, with a new property containing the whole up-to-date profile representation
  • Added IP range configuration for LDAP identity providers.

Bug fixes

  • Fixed the SAML Single Logout functionality, which did not redirect to the origin URL parameter

6.0.0-M1

Features

  • Removed the LDAP configuration for the mobile login functionality
  • Extended the configuration API with attribute validation rules
  • Moved the Mobile step-up authentication related properties to the Smart Security - Step-up Authentication configuration section in the admin console; please check the upgrade instructions for more info
  • Moved the Mobile Login related properties to the Configuration -> Identity Providers configuration section in the admin console; please check the upgrade instructions for more info

Improvements

  • When the email tag is not set it will not be returned within the OAuth flows. A sample response structure can be found in the SDK integration docs

Bug fixes

  • Fixed an issue preventing users from performing mobile authentication after external IdP login
  • Fixed an issue with coupling a person who has a / character in the external id