Added API possibility to fetch and update custom messages for details please refer to the documentation
Bug fixes
Facebook attributes parsing now returns known attribute values, even when encounters attribute with unknown format.
Fixed issue with exception thrown when custom attribute had empty value
Improvements
Improved performance of persons search API while searching by email address
6.8.0
Features
Added default idin integration to Onegini IDP
Bug fixes
Problem with resolving entity id, signature validation and assertion encryption has been fixed for SAML identity provider
6.7.2
Improvements
Improved security of user login
6.7.1
Bug fixes
Minor bugfixes
6.7.0
Features
Added support for persistent PseudoID for eIDAS Identity Provider type
When eIDAS is responding with BSN or PseudoID the Onegini IDP will validate the incoming identifier signature
Improvements
Database connection pool can be configured with additional parameters:
IDP_DATABASE_CONNECTION_TIMEOUT can be adapted to set connection timeout (default 500ms)
IDP_DATABASE_IDLE_TIMEOUT can be adapted to set idle connection timeout (default 30000ms)
IDP_DATABASE_MINIMUM_IDLE can be adapted to set minimum amount of idle connections (default 4)
IDP_DATABASE_MAX_LIFETIME can be adapted to set max lifetime of connections (default 600000ms)
Bug fixes
Action Token Redirect URI can now contain up to 2000 characters.
6.6.0
Features
Added SSL configuration for SAML identity providers, e.g. DigiD
Key pair system tab in admin panel is now called Certificates. Keys are now uploaded by files.
Introduced possibility to configure priority of preferred step up methods, for details please refer to the documentation
Introduced new healthcheck endpoint that also verifies status of the database and mail server, available under /actuator/health
Extended login response for authentication via extension with additional information pointing to the authentication failure reason. Implementation requires AuthenticationExtension implementation in customer extension. The feature has been added to the following flows:
Login via web
additional parameter personAuthenticationErrorCode is returned to the view
parameter points to the authentication failure reason
added possibility to define message shown on login page
message key is returned by AuthenticationExtension
translations need to be added to the extension messages file
reason is returned as part of the Unauthorized 401 response
SAML
reason is returned as error code in SAML response
Improvements
The Onegini IDP extension will be notified about attribute verification events
Bug fixes
The Configuration API for resolving configured identity providers has changed to make the casing of the response consistent.
Fixed issue where providing incorrect credentials for API authentication resulted in 405 return status
Fixed issue where mobile number could sometimes be missing in person's profile after accepting invitation
6.5.0
Features
Introduced new API for decoupling person identities, please refer to the documentation to get more details
Introduced new API for coupling person identities which uses identity provider identifier instead of type, please refer to the documentation to get more details
Introduced new configuration API for resolving configured identity providers, please refer to the documentation to get more details
Fixed issues with resolving correct language when default language set contained country or variant code
Improvements
Removed dependency to personal templates from admin templates to fix potential customization problems in the Onegini IDP extensions
6.4.0
Features
Introduced new external Identity Provider type - Sign in with Apple. Users can now log into the Onegini IDP using of their AppleIDs. See topic guide for details
Introduced a new REST API (storage api) which allows storing values within the Onegini IDP cache for a preconfigured amount of
time. This feature can be used to store authentication data in external authorization flows like Sign-in with Apple
When acting as a SAML Service Provider the Onegini IDP will advertise within it's metadata that it sends the AuthnRequest signed (AuthnRequestsSigned=true)
Bug fixes
Fixed issue where user could be redirected to Redirect to URL after login in SAML authorization flow when consuming action token in web flow
User can now successfully login with QR Code when starting and finishing the flow on the same mobile device
Fixed possible login issues when the activation feature was enabled
Added variant code locale resolving after redirect from invitation and verification email
6.1.1
Improvements
Added possibility to run migrations out of order with environment variable IDP_DATABASE_MIGRATIONS_OUTOFORDER
Bug fixes
Fixed issue where user could be redirected to Redirect to URL after login in SAML authorization flow when consuming action token in web flow
Fixed axon deserialization issue caused by lack of proper event definition
6.1.0
Features
Migration during sign up feature can now be switched per Identity Provider type
Added possibility to authenticate via LDAP identity provider in SAML ECP flow
Added detailed information about reason why Saml login failed
Added new extension point for person pre creation processing. Please see topic guide for details.
Improvements
Changed the maximum length of the custom attribute value from 255 to 2047
Added support for setting customized or randomized admin password during initial install
Custom messages with default locale can now be set in admin panel and are resolved correctly
Improved application performance by additional data caching
Bug fixes
DigiD is now correctly resolved as SAML IdP when it comes to attributes mapping
Email verification is now send after email is updated via api and user is not activated
Invitation flow with return url is now possible
Fixed bug that allowed to skip not finished Post Process Action
Identity linking fixed for saml identity providers on dashboard page
Fixed bug that allowed unintentional idp coupling
6.0.0
Features
Added support for person migration when password reset is triggered for account without Username&Password identity coupled
Added "send_notification" flag to /api/persons/{person_id}/tokens endpoint to allow sending email notifications after token has been generated
Moved Action Token related classes to sdk. ActionType, ActionTokenProcessResult, ActionTokenApiExecutionStatus, ActionTokenProcessResponse
Added new login method using QR code. More information in documentation
Added email saml attribute with valid urn
Introduced new API for validating the Action Tokens, please refer to the documentation to get more details
Added possibility to signup, activate and couple identities in one api call to /api/persons/activated
Added possibility to signup already coupled person without providing password
Extended Profile Attributes Update extension point to take control of updating profile attributes whenever it has been called by Onegini IDP
Added possibility to set email params such as: from, reply to and sent to (for admin related emails) via message keys
depending on the user's locale. Newly added message keys are:
onegini.common.email.from
onegini.common.email.replyTo
admin.emailNotifications.toAddress
The JWT keys are now generated and managed by the Onegini IDP. For more details please refer to Configure JWT Keys chapter
Added possibility to add redirect uri to action token request. For more details please refer to Action Token topic guide
Added action token redirect uri whitelist to admin panel
Email is now marked as verified whenever email_verified claim is returned by OIDC provider.
Implemented right to be forgotten for accounts that have been deleted
already deleted accounts can be cleaned up in admin panel
data for accounts deleted since this version is removed automatically
Added support for OpenID Connect Identity Provider type. For more details please refer to OIDC topic guide
Added support for Itsme Identity Provider type
Added support for DigiD Identity Provider type. For more details please refer to DigiD topic guide
Added new option for modifying existing velocity engine templates
Header Authentication for Administrator Users
Introduced new flag Synchronise Attributes on identity provider configuration form that gives possibility to turn on or off attributes synchronisation during sign in
Added support for profile attributes transformation. For more details see appropriate topic guide
Added a new search API that includes additional person info (such as account status) in the search result
A new password policy rule is added which blocks usage of passwords that have been discovered in a data breach. It uses data from haveibeenpwned.com
It is now possible to define an IP range in CIDR format for Identity Providers of LDAP type which will allow only users with matching IP address to login.
Added support for forced authentication in SAML
User account can now be activated via activation link sent by email, for more detailed info please refer to person activation chapter in the Onegini IDP documentation
Deleted LDAP configuration for mobile login functionality
Moved Mobile step-up authentication related properties to Smart Security - Step-up Authentication configuration section in the admin console, please check upgrade instructions for more info
Moved Mobile Login related properties to Configuration -> Identity Providers configuration section in the admin console, please check upgrade instructions for more info
Improvements
Added parameter "user_id" to Search Events API endpoint in order to allow searching for events associated with specific user.
Make all actions on action token creation atomic. Each one of them can now be processed independently.
Updated GitlabCI and Java docker images
Changed way of choosing the redirect URI when the Action Token is being created. For more information please refer to the Action Token documentation
The Action Token REST APIs will now respond with more precise error messages
Changed the way the Onegini IDP is processing the actions which are assigned to the Action Token to transactional
Extended the list of entries that informs extension about updated attributes for particular person
Added error handling on both sides of token processing (token creation and token usage)
Update attributes extension point is now also called directly after sign up
Moved Data clean-up section from Configuration tab to System tab in admin panel
Added automatic removal of expired mobile transactions. For more information please refer to the Token Server Configuration
Changed default order of resolving messages to check all of the locale-specific bundles before using default ones. For more information please refer to the Messages resolution order
Geolocation data is now send to Onegini Token Server (if it's available) when using QR code login or mobile login
Added IdpObjectMapper instance that is expected to be used for serializing/deserializing communication in between extension and CIM core
Replace CustomObjectMapper with ExtensionObjectMapper instance that is expected to be used for serializing/deserializing communication in between the idp-extension and CIM core
Improved person lookup view in admin panel by displaying partition list only if partitioning is enabled
Metadata for OpenID Connect and itsme identity providers is now cached in Redis
Axon snapshots for deleted accounts are removed from database directly after deleting the person (GDPR regulations)
Turned off default email verification during automatic sign up and introduced verified by default checkbox in the external idp attribute mapping configuration.
Added option to manually configure OpenID Connect identity provider
Added option to force User Info encryption for OpenID Connect identity provider
Added ACR security level configuration to itsme identity provider
Updated LinkedIn API to version 2
Migrate from Google Plus Sign-In
Added option to choose Assertion Consumer Service URL in SAML response based on URL or index specified in SAML request
Added versions matrix to keep track of compatibility between the Onegini IDP and IDP Extension SDK
Extended the ProfileAttributesUpdateExtensionPoint extension point which is triggered whenever person's profile attributes are being updated with a new property containing the whole up-to-date profile representation
Added IP range configuration for LDAP identity providers.
When email tag is not set it will not be returned within the OAuth flows. A sample response structure can be found in the SDK integration docs
Bug fixes
Notifications can be sent to the user that is in CREATED state when activation is not required
User can now successfully register in the Onegini IDP when in the SAML flow with ForceAuthn flag set to true
The verified flag is now respected when creating or updating person's attributes via Person API
The ui-extension URL validation is now working as expected when both the Onegini IDP and the ui-extension are deployed behind a load balancer
Fixed a bug causing a person's custom attributes set via either an API call or the Onegini IDP extension being removed during attributes
synchronization process
Fixed problem with coupling person's account via Create signed-up person endpoint while having more than one Identity provider with given type enabled.
Since this version there is no possibility to create and couple account while having more than one identity provider with the same type enabled. Error More than one identity provider with given type enabled (1053) is returned in such case
Fixed problem with non-ascii characters encoding for data sent via html forms. More information in upgrade instructions
Fixed copyright in emails to update every year
Fixed bug with deleting and adding custom attribute with the same name
Fixed issue with uid-urn:oid:0.9.2342.19200300.100.1.1 SAML attribute value not being returned in the SAML AuthnResponse
Fixed error which prevented an administrator from updating the Mobile Login configuration
Fixed issue with welcome email being sent before user activation
Fixed authentication level not being returned as part of the SAML response when ECP binding is used
Fixed attributes synchronization when LDAP user credentials are validated via Credentials API
Fixed profile attributes not returned in SAML response
Fixed issue after removing all custom attributes
SAML error will be returned on authentication with social Identity Provider failure
Fixed non-unique list of translations in SAML metadata
Fixed blocked and inactive person credentials validation issue
Fixed SAML Single Logout functionality which did not redirect to origin url parameter
Fixed issue preventing users from performing mobile authentication after external idp login
Fixed an issue with coupling a person who has a / character within external id
Fixed a bug with duplicated primary emails on extension side when updating person via API
6.0.0-M16
Features
Added support for person migration when password reset is triggered for account without Username&Password identity coupled
Bug fixes
User can now successfully register in the Onegini IDP when in the SAML flow with ForceAuthn flag set to true
6.0.0-M15
Improvements
Updated GitlabCI and Java docker images
Bug fixes
The verified flag is now respected when creating or updating person's attributes via Person API
The ui-extension URL validation is now working as expected when both the Onegini IDP and the ui-extension are deployed behind a load balancer
6.0.0-M14
Improvements
Changed way of choosing the redirect URI when the Action Token is being created. For more information please refer to the Action Token documentation
The Action Token REST APIs will now respond with more precise error messages
Changed the way the Onegini IDP is processing the actions which are assigned to the Action Token to transactional
Bug fixes
Fixed a bug causing a person's custom attributes set via either an API call or the Onegini IDP extension being removed during attributes
synchronization process
6.0.0-M13
Improvements
Extended the list of entries that informs extension about updated attributes for particular person
Added error handling on both sides of token processing (token creation and token usage)
Update attributes extension point is now also called directly after sign up
6.0.0-M11
Features
Added "send_notification" flag to /api/persons/{person_id}/tokens endpoint to allow sending email notifications after token has been generated
Moved Action Token related classes to sdk. ActionType, ActionTokenProcessResult, ActionTokenApiExecutionStatus, ActionTokenProcessResponse
Added new login method using QR code. More information in documentation
Improvements
Moved Data clean-up section from Configuration tab to System tab in admin panel
Added automatic removal of expired mobile transactions. For more information please refer to the Token Server Configuration
Changed default order of resolving messages to check all of the locale-specific bundles before using default ones. For more information please refer to the Messages resolution order
Geolocation data is now send to Onegini Token Server (if it's available) when using QR code login or mobile login
Added IdpObjectMapper instance that is expected to be used for serializing/deserializing communication in between extension and CIM core
Replace CustomObjectMapper with ExtensionObjectMapper instance that is expected to be used for serializing/deserializing communication in between the idp-extension and CIM core
Bug fixes
Fixed problem with coupling person's account via Create signed-up person endpoint while having more than one Identity provider with given type enabled.
Since this version there is no possibility to create and couple account while having more than one identity provider with the same type enabled. Error More than one identity provider with given type enabled (1053) is returned in such case
6.0.0-M10
Features
Added email saml attribute with valid urn
Introduced new API for validating the Action Tokens, please refer to the documentation to get more details
Added possibility to signup, activate and couple identities in one api call to /api/persons/activated
Added possibility to signup already coupled person without providing password
Extended Profile Attributes Update extension point to take control of updating profile attributes whenever it has been called by Onegini IDP
Added possibility to set email params such as: from, reply to and sent to (for admin related emails) via message keys
depending on the user's locale. Newly added message keys are:
onegini.common.email.from
onegini.common.email.replyTo
admin.emailNotifications.toAddress
The JWT keys are now generated and managed by the Onegini IDP. For more details please refer to Configure JWT Keys chapter
Bug fixes
Fixed issue with uid-urn:oid:0.9.2342.19200300.100.1.1 SAML attribute value not being returned in the SAML AuthnResponse
Fixed error which prevented an administrator from updating the Mobile Login configuration
6.0.0-M7
Features
Added possibility to add redirect uri to action token request. For more details please refer to Action Token topic guide
Added action token redirect uri whitelist to admin panel
Email is now marked as verified whenever email_verified claim is returned by OIDC provider.
Implemented right to be forgotten for accounts that have been deleted
already deleted accounts can be cleaned up in admin panel
data for accounts deleted since this version is removed automatically
Bug fixes
Fixed issue with welcome email being sent before user activation
Improvements
Metadata for OpenID Connect and itsme identity providers is now cached in Redis
Axon snapshots for deleted accounts are removed from database directly after deleting the person (GDPR regulations)
Turned off default email verification during automatic sign up and introduced verified by default checkbox in the external idp attribute mapping configuration.
Added option to manually configure OpenID Connect identity provider
Added option to force User Info encryption for OpenID Connect identity provider
Added ACR security level configuration to itsme identity provider
6.0.0-M6
Features
Added support for OpenID Connect Identity Provider type (currently in beta). For more details please refer to OIDC topic guide
Added support for Itsme Identity Provider type (currently in beta)
Added support for DigiD Identity Provider type. For more details please refer to DigiD topic guide
Added new option for modifying existing velocity engine templates
Bug fixes
Fixed authentication level not being returned as part of the SAML response when ECP binding is used
Fixed attributes synchronization when LDAP user credentials are validated via Credentials API
6.0.0-M5
Features
Header Authentication for Administrator Users
Introduced new flag Synchronise Attributes on identity provider configuration form that gives possibility to turn on or off attributes synchronisation during sign in
Improvements
Updated LinkedIn API to version 2
Migrate from Google Plus Sign-In
Added option to choose Assertion Consumer Service URL in SAML response based on URL or index specified in SAML request
Fixed non-unique list of translations in SAML metadata
6.0.0-M3
Features
It is now possible to define an IP range in CIDR format for Identity Providers of LDAP type which will allow only users with matching IP address to login.
Added support for forced authentication in SAML
Improvements
Updated Mobile Authentication APIs
Bug fixes
Fixed blocked and inactive person credentials validation issue
6.0.0-M2
Features
User account can now be activated via activation link sent by email, for more detailed info please refer to person activation chapter in the Onegini IDP documentation
Added versions matrix to keep track of compatibility between the Onegini IDP and IDP Extension SDK
Extended the ProfileAttributesUpdateExtensionPoint extension point which is triggered whenever person's profile attributes are being updated with a new property containing the whole up-to-date profile representation
Added IP range configuration for LDAP identity providers.
Bug fixes
Fixed SAML Single Logout functionality which did not redirect to origin url parameter
6.0.0-M1
Features
Deleted LDAP configuration for mobile login functionality
Moved Mobile step-up authentication related properties to Smart Security - Step-up Authentication configuration section in the admin console, please check upgrade instructions for more info
Moved Mobile Login related properties to Configuration -> Identity Providers configuration section in the admin console, please check upgrade instructions for more info
Improvements
When email tag is not set it will not be returned within the OAuth flows. A sample response structure can be found in the SDK integration docs
Bug fixes
Fixed issue preventing users from performing mobile authentication after external idp login
Fixed an issue with coupling a person who has a / character within external id