Release notes 10.x versions

10.0.1

Give the ability to skip cache when using Token Introspection and User info endpoints.
Added Public Base Uri configuration for the Onegini Identity provider.

Fixed configuration issue with in-memory password authentication after Spring Boot 2 upgrade.

New identity provider type: Onegini Identity provider for easier integration with Onegini CIM.
App to Web SSO functionality for mobile devices.
SAML SP binding order can be rearranged.
Geolocation data is available when using Mobile Authentication with Push or One Time Password (OTP).
New API to manage Application versions.
Ability to use JSON Web Tokens (JWT) as Access tokens for Web clients.
OpenID Connect: encrypt ID Tokens.
Events API delivers details about operations executed within the Onegini Token Server.

Zip archives loaded into the system are checked against most common vulnerabilities.
SAML signature and encryption can be configured with PEM encoded PKCS #8 RSA keys.
Added support for PEM encoded PKCS #8 RSA keys in the certificate configuration of a SAML Identity provider.
SAML IdP Metadata URI cache TTL can be configured.
The Application identifier is added to the response for available authentication options for a user.
Token Introspection will include updated Person API details if the User Info endpoint is configured.
Added bulk delete support to the Device API when using a list of device identifiers.
Templates have been migrated to ThymeLeaf 3.0.
Locale can be passed to Onegini CIM.
Upgraded to Spring Boot 2.
Switched to OpenJDK 11 in Docker images.
UX improvements in the Admin console.
Application Property changes via the Admin console no longer require the Onegini Token Server(s) to restart for changes to take effect.
Some of the caches can be cleared from the Admin console.
Added support for acr_values with OpenID Connect.

Specifying an Identity Provider (IdP) in the Authorization flow now works as expected.
SAML SP will check with the IdP's capabilities when choosing the binding protocol.
Admin/Config API list response is aligned with the documentation.
Authentication Level is properly passed back in user details when using the ROPC grant type.
Mobile Auth v4 with push allows for SMS fallback when no device_id is provided.
API exceptions will no longer return HTML in some situations.
Minor JavaScript issues have been fixed in the Admin console.
Refresh Token exchange is more reliable for mobile applications.