Release notes 10.x versions




  • Zip archives loaded into the system are checked against the most common vulnerabilities.
  • SAML signature and encryption can be configured with PEM encoded PKCS #8 RSA keys.
  • Added support for PEM encoded PKCS #8 RSA keys in the certificate configuration of a SAML Identity provider.
  • SAML IdP Metadata URI cache TTL can be configured.
  • The Application identifier is added to the response for available authentication options for a user.
  • Token Introspection will include updated Person API details if the User Info endpoint is configured.
  • Added bulk delete support to the Device API when using a list of device identifiers.
  • Templates have been migrated to Thymeleaf 3.0.
  • Locale can be passed to Onegini CIM.
  • Upgraded to Spring Boot 2.
  • Switched to OpenJDK 11 in Docker images.
  • UX improvements in the Admin console.
  • Application Property changes made via the Admin console no longer require a restart of the Onegini Token Server(s) to take effect.
  • Some of the caches can be cleared from the Admin console.
  • Added support for acr_values with OpenID Connect.

Bug Fixes

  • Specifying an Identity Provider (IdP) in the Authorization flow now works as expected.
  • The SAML SP will check the IdP's capabilities when choosing the binding protocol.
  • Admin/Config API list response is aligned with the documentation.
  • Authentication Level is properly passed back in user details when using the ROPC grant type.
  • Mobile Auth v4 with push allows for SMS fallback when no device_id is provided.
  • API exceptions will no longer return HTML in some situations.
  • Minor JavaScript issues have been fixed in the Admin console.
  • Refresh Token exchange is more reliable for mobile applications.