Upgrade instructions 5.x


Changes in documentation

Added a matrix that tracks compatibility between the IDP core and the IDP Extension SDK.


Changes in API

A new API error code (1043) has been added; it indicates that the value of a custom attribute exceeds the maximum allowed length.


Changes in configuration

Please note that the feature previously named Activation enabled, which relates to the invitation flow, has been renamed to Accepting invitation enabled in the admin panel. The new Activation enabled feature in the admin panel relates to the new account flow. See the person activation topic guide for detailed information.

Changes in API

The following API error codes have been updated:

Origins whitelist

The Origins whitelist functionality has been renamed to Redirect URL whitelist, because it was extended to validate not only the origin parameter but also return_url. See Redirect URL whitelist for details.


Persons partitioning

For customers with large databases, a migration will be performed that may take a while to complete. The migration recreates the indexes of the following tables: usernames, failed_password_logins, phone_numbers, custom_attributes. To avoid timeout errors during the migration:

  • for MySQL, execute set global wait_timeout=28800 before running the migration;
  • for Oracle, run the Onegini IdP with a JAVA_OPTS environment variable that contains -Doracle.net.keepAlive=true (this keeps the JDBC connection alive so that a firewall does not drop the idle TCP connection while the index rebuild runs).
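The two preparation steps above, as an added example that is not part of the Onegini upgrade notes. It assumes a POSIX shell, a MySQL account privileged to change global variables, and an IdP start script that passes JAVA_OPTS to the JVM; the helper names are hypothetical. The point of the second helper is that JAVA_OPTS is usually already populated (heap size, GC flags), so the keepAlive property should be appended rather than assigned.

```shell
#!/bin/sh
# Added example (not from the Onegini documentation): pre-migration helpers for
# the persons-partitioning index rebuild.
# Assumptions: MySQL statements are run by an account allowed to SET GLOBAL
# variables; the IdP start script forwards JAVA_OPTS to the JVM.

MYSQL_WAIT_TIMEOUT=28800   # seconds (8 hours), the value the upgrade notes give

# Print the statements a DBA runs on MySQL before the migration: the first
# records the current value so it can be restored afterwards, the second raises
# it. SET GLOBAL applies to connections opened after it runs, so issue it
# before starting the migration.
mysql_pre_migration_sql() {
    printf 'SHOW GLOBAL VARIABLES LIKE %s;\n' "'wait_timeout'"
    printf 'SET GLOBAL wait_timeout=%s;\n' "$MYSQL_WAIT_TIMEOUT"
}

# Return the given JAVA_OPTS value with -Doracle.net.keepAlive=true appended,
# keeping whatever options were already there and never adding it twice.
with_oracle_keepalive() {
    opts="$1"
    flag='-Doracle.net.keepAlive=true'
    case " $opts " in
        *" $flag "*) printf '%s\n' "$opts" ;;                  # already present
        *)           printf '%s\n' "${opts:+$opts }$flag" ;;   # append (or set if empty)
    esac
}

# Typical use before starting the IdP for the migration:
#   JAVA_OPTS="$(with_oracle_keepalive "$JAVA_OPTS")"; export JAVA_OPTS
```

Note that 28800 is also MySQL's default wait_timeout, so the MySQL step matters mainly on servers where the value has been lowered; the global setting is not persisted across a MySQL restart, so set it in the same maintenance window as the migration.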


New required properties

Two new required properties have been added for the SAML assertion encryption feature. Define the following properties in the extension configuration.


Note: For security reasons it is strongly advised to use separate keys for SAML signing and for SAML assertion encryption, so that the two keys can be rotated or revoked independently and a compromise of one does not expose the other.

Google IdP configuration changes

We are moving to new Google API endpoints. Because of that, the Google IdP requires additional configuration after the update. The additional required field is scope. To retrieve all person-related data, configure this field with the following space-separated value: https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/user.addresses.read https://www.googleapis.com/auth/user.birthday.read https://www.googleapis.com/auth/user.phonenumbers.read

For information on mapping attributes, see the topic guide Configuring Google IdP.

Removed keystore password configuration property

The IDP_SAML_KEYSTORE_PASSWORD configuration property is no longer required by the Onegini IdP. Remove it from your configuration.

Removed mail attribute from Identity Provider configuration

Starting from this version, the Onegini IdP no longer allows mapping user attributes to the mail attribute. This configuration option has been removed from the Identity Provider configuration page in the Onegini IdP admin console. If any of your applications, including Onegini's Token Server, is configured or implemented to expect the mail attribute in the SAML Response sent by the Onegini IdP, update it to use the email attribute instead.