Release notes 7.x
- Basic flows with Identity Assurance Level are available. For more info check this topic guide.
- Updated missing Person API documentation regarding illegal characters for name error
- Handling of an email address has been fixed in person search API
- Custom messages displayed in mobile login flow are no longer in single quotes.
- Fixed passive login flow error with doubled redirects.
- Operation status is updated for changing email and password actions.
- Phone number can now be assigned to user via Person API when mobile number is mandatory.
nullwhen the value should have been
none. This has been fixed.
- Person API now also uses the illegal character validation for first name and last name.
- Added checkbox for disabling illegal character validation.
- Added a possibility to set the
NameIdPolicyformat in the configuration of external SAML IdPs.
- SAML passive flow has been improved.
- Fixed an issue with cache eviction when person's UnP identity is blocked.
- Added a possibility to fetch, via the API, available actions that can be performed for a person. Please refer to the Person API for more information.
- Fixed PreSearch query execution to avoid empty query select
- Added a possibility to send events to the AWS EventBridge.
- Added a possibility to decouple a person from Identity provider based on
identity_id. Refer to Person API for more information.
- Added a possibility to resend verification code for both email and mobile phone via the API.
- Added new events:
- Fixed a problem with updating some service providers.
- AuthnContext is now optional during passive authentication
- Added possibility to fetch and update redirections config via the Configuration API.
PersonCreationPreProcesSearchExtension Point logic to support tracking digital identity of users Refer to Person search pre process for more information.
- Added possibility to specify characters that cannot be used in first/last name in sign up forms.
- Added more details about identity used to create an account to PersonCreationPreProcess extension point.
- Fixed automatic sign-up for accounts that provide required attributes in PersonCreationPreProcess.
- Fixed an error when no
NamePolicyformat was specified for SAML Organization attributes.
- The Configuration API can now save Organisations and Service Providers.
- Extended Configuration API with email notification configuration. Refer to Configuration API.
- OAuth Service Provider type has been removed.
- Extended support for passive authentication for SAML identity provider by checking if active CIM session fulfills requirements.
- Fix problem with switching language on migration login page
- Added support for passive authentication for SAML identity provider.
- IDP_DATABASE_TYPE environment variable value is now case insensitive.
- It is now possible to reset password with both username or email in the unauthenticated migration flow.
- Fixed profile attribute's database inconsistency in case of an already invited person signup.
- Fixed a problem with logging in after cancelling step-up with requested authentication level higher that stored in the user's session.
- Fixed showing phone number in step up with code view
- Added a possibility to get organisations in the Configuration API.
- Onegini IdP shows the logins of the last 24 hours when Insights are disabled or fails to load with a link to contact support.
- Improved events page in the Admin Panel.
- Fields marked as editable are not treated as required anymore.
- Displaying incorrect credential errors next to the
- When defining a mapping for IdPs, an attribute can be set to editable or not. When it was set to editable, it was also treated as required. This has been fixed.
- Added possibility to set automatic email verification on trusted external identity providers.
nonceparameter is now automatically added to inline
scripttags when CSP is enabled.
- Tag value is now mandatory to remove attribute via Person API for multi value attributes.
- Job cleaning
DomainEventEntrytable is now deleting data in chunks.
- Fixed email verification problem with iDIN identity provider.
- Primary email can no longer be removed from profile.
- Fixed missing address and custom attributes on invitation sign up page when field validation returned error.
- Added a possibility to configure DigiD and SAML Identity Providers per partition.
- Number of failed login attempts before captcha appears is now configurable in Admin Panel.
- Added a possibility to customise login error messages.
- Cron jobs definitions are no longer lost on multi node setup.
- Wrong default message has been shown on login page for blocked Username & Password identity. This has been fixed.
- Added direct support for externally delivered code activation type (no ui extension needed).
- Migration login updates attributes from original login method used for authentication.
- Primary email can now be replaced in
PersonCreationPreProcessExtensionwhen it's provided in the response.
- Fixed issue where mobile authentication could get stuck during authentication status fetching.
- After a user accepted the invitation, the activation email was sent even though the
Force activation after accepting invitationwas unchecked. This has been fixed.
- Username and Password sign up page is not prefilled with data returned by external identity provider.
- Added additional error message for Credentials API validate endpoint when incorrect password was provided too many times.
- Fixed a problem with returning identifier of a person to service provider in cookie based authentication.
- Fixed problem with changing profile attribute after authenticating in SAML passive method.
- Twilio specific properties were still required even though a different SMS provider was used. This has been fixed.
- User was allowed to complete invitation process despite being blocked. This has been fixed.
- Issuer can now be configured in Google Authenticator TOTP uri. Refer to Google authenticator for more information.
- Added possibility to configure Alphanumeric Sender ID on SMS messages
- Update profile attributes extension point has been extended by possibility to delete profile attributes.
- Added information about user's address and custom attributes on invitation sign up page to model map.
- Fixed password reset username validation on web flow.
- Introduced new FlowContext type for all password reset flows.
- Admin console could not have been accessed when the idp partitioning was turned off. This has been fixed.
- Added new Import API.
- Configuration of attributes mapping for iDIN identity provider has been fixed.
- Fixed an issue when user needed to double click login button after incorrectly typing password for the first time.
- Fixed an issue where user's last identity could not be removed via API.
removableflag is now respected when decoupling identity via API.
- Mapping for custom attributes has been fixed in migration during signup flow.
- Fixed HEAD requests for some links.
- Enforced session creation in domain cookie controller.
- Added a possibility to configure Identity Providers per partition.
- Extended LDAP IdP configuration allowing to specify which attributes will be requested when a user logs in.
- Added a possibility to return attributes with authentication information to a Service Provider.
- Added possibility to choose Name ID Format returned by Service Providers in the Organisation.
- Improved integration with password managers.
- Added new events indicating failure during failed LDAP authentication.
- Fixed an issue with failing identity decoupling via API call.
- Fixed an issue where mobile step up always failed when user logged in with an action token.
- Verified flag from email address of newly migrated user was ignored. This has been fixed.
- Users can now be logged out of OpenID Connect Identity Providers in all logout flows. Refer to OIDC Logout for more information.
- It is now possible to localize push message notifications for Step-up Authentication and Mobile Login.
- The Configuration API is now extended with settings for a Content Security Policy (CSP).
- When a user logged in with a SAML external Identity Provider on an older iOS device, a SameSite bug in Safari browsers could cause a redirect to an error page. This issue has been fixed.
- Added an admin section under
Smart Securitythat enables to set a CSP header for user pages.
- Onegini IdP can now export security events to OneSee. These events can be used by Security Information and Event Management (SIEM) systems.
- From now on, the option
Use stronger coupled Identity Provideris available under
Step-up authentication. This option enables a user to use Identity Providers to increase the authentication level during Step-up authentication.
- Improved and updated the documentation on the following topics:
- Post login action redirect flow is now integrated with SAML. If a user enters Onegini IdP with SAML request, the redirection works correctly.
- When a confirmation email was sent via a custom email gateway, the person identifier was not shared with the gateway. As a result the email could not be marked as verified. This has been fixed.
- Added partitionId information in
PersonDetailsobject (Person API)
- Added possibility to fetch login methods via Configuration API.
Sign in with appleand other OIDC-flavored flows are adapted to work with a SameSite cookie flag
- Implemented resiliency policy for the application
- Added initial setup of the step-up method documentation
- Made Configuration API V2 backwards compatible
- Fixed translation in Smart Security form
- Fixed error with automatic signup when "Allow sign-up without invitation validation" is enabled
- Fixed problem with returning attributes to service provider
- Fixed issue where
Force creating username & password during sign-upwas not respected during automatic sign up
- Fixed release notes link.
- Fixed upgrade instructions.
- User is redirected to service provider in case post login action is configured instead of being redirected to dashboard
- Added StepUp to the Configuration API
- SAML SLO is not executed for identity providers that don't have
SingleLogoutServicedefined in metadata. Because of that change SAML
Successresponse is returned to Service provider instead of
PartialLogoutafter logging out the user.
- Added logs for measuring metadata generation time
- property name changed from
- property name changed from
- Fixed an issue where verified flag could be set to false on already verified email during sign up via API
- Fixed an issue with creating additional UnP identity with id from external Identity Provider
- Added possibility to force activation via externally delivered code after accepting invitation
- Added new idp AzureAD B2C
- Allowing to setup a step up method for the first time even though authentication level is insufficient
- Sign up flow is now handled in one transaction to ensure data consistency
- Added support for HTTP-Redirect binding used for SLO with external identity provider
- Updated controls labels texts in Smart Config admin panel
- The dashboard is hidden behind authentication level protection
- Introduced new
BLOCK_LOGINaction in the
- Added ability to request a specific authentication method when logging in with an external SAML IdP.
- Exposed new dialect for thymeleaf that allows to access flow context storage bean via
- Added UI Extension to the Configuration API
- Added new message
personal.login.error.insufficientAuthLevelwhen external IDP returns insufficient authentication level
- Redis cache prefix is generated on application startup (can be overridden by
- Added new password encryption implementation examples in documentation
- Fixed problem associated with resolving resources from extension
- Fixed check if action token feature is enabled when generating new token
- Fixed SAML communication problem while exchanging data between CIM and external identity provider
- Removed execution of migration logic from automated external identity coupling
- Password parameter is optional when creating activated person through the API
- Added possibility to activate created person without any identity. See person api documentation for details.
- Added ability to exclude attributes send to service provider when
Include unmapped custom attributes within SAML Responseis enabled.
- Action Token Login no longer requires user to have Username and Password identity
- Removed support for oracle and sql server databases
- Fixed SAML SLO for external identity provider session overwritten by username and password session