Release notes 12.x versions

12.2.0

Introduced a new Security Controls protocol. This makes client registration and authentication for mobile applications that use the Onegini SDK faster, easier and more secure. It also improved the Payload Encryption mechanism by using the latest technologies. The new Security Controls will be used after upgrading to the latest mobile SDK, which will be available soon!

When an exception occurred in the SAML login flow, and the user was redirected back to the client with an error, the exception was not logged.
Loading the error template caused a Hibernate lazy initialization exception in some cases.

The Onegini Token Server sets cookies for the authorization flow when it redirects to a SAML or OAuth identity provider to sign in. Some browsers do not store these cookies during the redirect. Without cookies the customer cannot sign in. The Onegini Token Server can now show a page to set the cookies. This page will send the customer automatically to the login page, but it can and probably will be visible for a short period. This step was introduced to ensure that the cookies for the Onegini Token Server will be set correctly. This page is optional and is disabled by default. Enable this page with the environment variable AUTHENTICATION_FLOW_RENDER_PAGE_BEFORE_REDIRECT_TO_IDP=true.
With some SAML identity providers login could fail, because there was no support for the element NameIDPolicy. This has been improved. From now on, the optional element NamedIDPolicy will be included in authentication requests towards SAML identity providers depending on conditions in the SAML identity provider configuration.

Logout could fail when multiple SAML identity providers were configured in the Onegini Token Server. This has been fixed.

In Onegini Token Server version 11.0.0, the support for Microsoft SQL Server and Oracle databases had been removed. This support has been restored: the Onegini Token Server can use Microsoft SQL Server or Oracle for storage again. Refer to the upgrade instructions.

The Onegini Token Server could return an error. This has been fixed and may require an upgrade of Redis. The error occurred under the following conditions:
1. a mobile app had obtained an access token via a previously issued refresh token
2. the mobile app fetched data via multiple calls to its resource gateway within a very short time frame
3. the resource gateway requested token introspection for each of these data again within a very short time frame
In authentication requests towards SAML identity providers, the element NameIDPolicy contained an attribute SPNameQualifier. Login failed with some SAML identity providers because this attribute should not be present for requests from the Onegini Token Server. This problem has been solved: the attribute SPNameQualifier is no longer sent with SAML authentication requests.
When the authentication failed at a SAML identity provider, the Onegini Token Server did not return the underlying error cause to the OAuth client. This has been solved: the underlying error cause is now returned to the client.
When Bearer authentication was used with an invalid or expired token, the response header WWW-Authenticate did not contain error information as specified in RFC 6750, section 3. This has been fixed by adding the error information to the WWW-Authenticate header.

Added backwards compatibility support for the browsers that are not handling the SameSite cookies (e.g. Safari running on iOS 12). Refer to the upgrade instructions for the OpenID Connect session iframe.
Users get an improved single sign on experience when multiple OpenID Connect Relying Parties connect to a single Onegini CIM or other kind of SAML identity provider via the Onegini Token Server.
The test client now fetches resources directly via the browser. This is a more realistic test scenario for single page apps.

When the person API of Onegini CIM was called and it returned an attribute without a value, the Onegini Token Server would throw an error. This has been fixed.
The test client could expose arbitrary endpoints of an internal network to the outside world. The test client is now restricted to access preconfigured endpoints only.
When an OpenID Connect relying party performed an authentication request with prompt=none, the Onegini Token Server did not always comply to the OpenID Connect specification. This has been fixed. Refer to the upgrade instructions for the impact on error handling.