Upgrade instructions 5.x
Changes in documentation
Added matrix to keep track of compatibility between IDP core and IDP Extension SDK.
Changes in API
A new API error code (1043), indicating that a custom attribute value is too long, has been added.
Changes in configuration
Please note that the feature previously named Activation enabled, which relates to the invitation flow, has been renamed to Accepting invitation enabled in the admin panel.
The Activation enabled feature in the admin panel now relates to the new account flow. See the person activation topic guide for detailed information.
Changes in API
The following API error codes have been updated:
- Verify if person is coupled API -
- Fetch multiple persons profiles API -
- Bad request error response -
- Update person - attempt to define more than one primary email address -
The Origins whitelist functionality was renamed to Redirect URL whitelist, as it was extended to support not only the origin parameter but also return_url. See Redirect URL whitelist for details.
For customers with large databases, a migration will be performed that can take a while to complete.
The migration recreates indexes for the following tables:
In order to avoid timeout errors during the migration:
- for MySQL, execute set global wait_timeout=28800 before running the migration;
- for Oracle, run the Onegini IdP with a JAVA_OPTS environment variable that contains -Doracle.net.keepAlive=true (it prevents TCP connections from being dropped in an environment with firewalls).
New required properties
Two new required properties have been added for the SAML assertion encryption feature. Define the following properties in the extension configuration:
- IDP_SAML_ENCRYPTION_CERTIFICATE=<ENCRYPTION_CERTIFICATE>
- IDP_SAML_ENCRYPTION_PRIVATEKEY=<ENCRYPTION_PRIVATE_KEY>
Note: for security reasons it is strongly advised to use a separate key pair for SAML signing and for SAML encryption. Reusing one key pair for both roles means that a compromise or rotation of either key affects the other as well.
Google IdP configuration changes
We are moving to the new Google API endpoints. Because of that, the Google IdP requires additional configuration after the update.
The additional required field is scope. To get all the person-related data, this field must be configured with the value
https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/user.addresses.read https://www.googleapis.com/auth/user.birthday.read https://www.googleapis.com/auth/user.phonenumbers.read
For information on mapping attributes, see the topic guide Configuring Google IdP.
Removed keystore password configuration property
The IDP_SAML_KEYSTORE_PASSWORD configuration property is no longer required by the Onegini IdP. Remove it from your configuration.
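The SAML encryption properties, the Google scope value and the removed keystore password above are all things worth checking mechanically before restarting the IdP after the upgrade. The script below is an added example written for this page, not Onegini code. It assumes the extension configuration is a file of KEY=VALUE lines, that certificate values are single-line base64 (PEM armour is tolerated and stripped), and it uses a hypothetical property name IDP_SAML_SIGNING_CERTIFICATE for the signing certificate, which this page does not name; adjust it to your deployment. The Google scope check takes the scope value directly, since the page describes it as an admin panel field rather than a property.

```python
import base64
import hashlib
import re

# Properties introduced in 5.x for SAML assertion encryption (from the page).
REQUIRED_SAML_PROPERTIES = (
    "IDP_SAML_ENCRYPTION_CERTIFICATE",
    "IDP_SAML_ENCRYPTION_PRIVATEKEY",
)
# Property removed in 5.x (from the page).
REMOVED_PROPERTIES = ("IDP_SAML_KEYSTORE_PASSWORD",)
# ASSUMPTION: hypothetical name of the signing certificate property; the page
# does not state it. Change to whatever your extension configuration uses.
SIGNING_CERTIFICATE_PROPERTY = "IDP_SAML_SIGNING_CERTIFICATE"

# Scopes the page lists as required for the new Google endpoints.
REQUIRED_GOOGLE_SCOPES = (
    "https://www.googleapis.com/auth/userinfo.profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/user.addresses.read",
    "https://www.googleapis.com/auth/user.birthday.read",
    "https://www.googleapis.com/auth/user.phonenumbers.read",
)


def parse_properties(text):
    """Parse KEY=VALUE lines; blank lines and # comments are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def cert_fingerprint(value):
    """SHA-256 over the decoded DER bytes, ignoring PEM armour and whitespace."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", value)
    der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
    return hashlib.sha256(der).hexdigest()


def check_saml_properties(props):
    """Return a list of findings; an empty list means the SAML part is ready."""
    findings = []
    for key in REQUIRED_SAML_PROPERTIES:
        if not props.get(key):
            findings.append(f"missing required property {key}")
    for key in REMOVED_PROPERTIES:
        if key in props:
            findings.append(f"remove obsolete property {key}")
    enc = props.get("IDP_SAML_ENCRYPTION_CERTIFICATE")
    sig = props.get(SIGNING_CERTIFICATE_PROPERTY)
    # Catches the common copy-paste mistake of reusing the signing certificate
    # for encryption. It compares certificates, so the same key wrapped in two
    # different certificates would not be detected.
    if enc and sig and cert_fingerprint(enc) == cert_fingerprint(sig):
        findings.append(
            "encryption certificate is identical to the signing certificate; "
            "use a separate key pair for encryption"
        )
    return findings


def missing_google_scopes(scope_value):
    """Return the required Google scopes absent from a space-separated value."""
    present = set(scope_value.split())
    return [scope for scope in REQUIRED_GOOGLE_SCOPES if scope not in present]


def _fake_cert(payload):
    # Constructed placeholder: base64 of arbitrary bytes, not a real certificate.
    return base64.b64encode(payload).decode()


# Constructed sample configurations (not taken from any real deployment).
BAD_CONFIG = "\n".join([
    "# leftover from 4.x",
    "IDP_SAML_KEYSTORE_PASSWORD=changeit",
    "IDP_SAML_SIGNING_CERTIFICATE=" + _fake_cert(b"constructed-signing-cert"),
    "IDP_SAML_ENCRYPTION_CERTIFICATE=" + _fake_cert(b"constructed-signing-cert"),
])
GOOD_CONFIG = "\n".join([
    "IDP_SAML_SIGNING_CERTIFICATE=" + _fake_cert(b"constructed-signing-cert"),
    "IDP_SAML_ENCRYPTION_CERTIFICATE=" + _fake_cert(b"constructed-encryption-cert"),
    "IDP_SAML_ENCRYPTION_PRIVATEKEY=" + _fake_cert(b"constructed-encryption-key"),
])

if __name__ == "__main__":
    for name, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(name, check_saml_properties(parse_properties(cfg)))
    print(missing_google_scopes(
        "https://www.googleapis.com/auth/userinfo.profile "
        "https://www.googleapis.com/auth/userinfo.email"))
```

Run it against the real extension configuration before starting the upgraded IdP: any finding from check_saml_properties or any scope returned by missing_google_scopes is something the page says must be fixed first.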
mail attribute from Identity Provider configuration
Starting from this version, the Onegini IdP will not allow user attributes to be mapped to