Release notes 4.x versions

4.05.00

Improvements

  • Change from HTTP-POST binding to HTTP-Redirect binding in SAML Authentication requests.

4.04.17

Improvements

  • Security improvements

4.04.16

Improvements

  • Security improvements

4.04.15

Bug fixes

  • Fixed building the redirect URI when only the X-Forwarded-Proto header is set in the request

4.04.14

Bug fixes

  • Fixed SAML response validation for SSO responses

4.04.13

Bug fixes

  • Fixed persisting redirect bugs for specific scenarios

4.04.12

Bug fixes

  • Removed duplicated context root in the request URL for some scenarios

4.04.11

Bug fixes

  • Removed double context path in redirects for some scenarios

4.04.10

Bug fixes

  • UTF-8 BOM stripped from template files to prevent database storage issues.
  • Correct client id set for client credential events.
  • PGP invalid signature length error resolved.
  • HTTPS to HTTP redirect issues in IdP communication resolved.
  • Only allow mobile authentication message data to be fetched once.
  • Properly remove all data related to an application for a user when using the application end user api.

4.04.09

Improvements

  • Added preemptive authentication support for the external REST services proxy configuration

4.04.08

Improvements

  • Switched to Docker Compose variables for configuration instead of ETCD properties.
  • Added proxy support for GCM.

Bug fixes

  • Remove FIDO user authenticators on delete consent.
  • Invalid attempts during SMS abuse now properly stored in cache.
  • FIDO deregistration now only deregisters one authenticator instead of all of them.

4.04.07

Bug fixes

  • Improved FIDO error handling.

4.04.06

Bug fixes

  • Unique constraint issue with multiple IdP attribute mappings on Oracle and MSSQL.
  • Display max resend value for Mobile authentication via SMS in read only view.

4.04.05

Bug fixes

  • Use of semicolon as separator for user DNs instead of space.
  • Mobile authentication via SMS exception in stateless cluster setup.

4.04.04

Improvements

  • Dummy user IdP shows a page to provide a userId if no userId was provided as request parameter.

Bug fixes

  • Mobile authentication transaction marked as unanswered when result fetched before callback is answered in stateless cluster setup.
  • Acknowledged mobile authentication transactions resent in stateless cluster setup.

4.04.03

Improvements

  • Integrated custom implementation of two-way OTP authentication into the core code base; transparent change.

4.04.02

Bug fixes

  • Send the callback after a mobile authentication answer asynchronously.
  • Make REST communication with other services stateless.
  • Don't fully rely on FIDO server to validate registration during authentication.
  • Validate that the user identifier is not empty in the SAML response.
  • Mobile authentication disabled when the device is disconnected via the Token end user API.

4.04.01

Bug fixes

  • Users with operator role not able to download app config and template set exports.
  • Unable to find user details when clicking on user id in events overview for case sensitive user identifiers.
  • Performance improvements for user search in the admin console.

4.04.00

Features

  • Allow fallback on PIN for mobile authentication via FIDO.
  • More detailed events for FIDO success and failure responses.
  • SSL/TLS ciphers are made configurable.

Bug fixes

  • Mobile authentication via FIDO fixes.
  • Add check for duplicate name for Mobile authentication types.
  • No longer allow sending a mobile authentication answer multiple times until the callback is handled by the portal.
  • Potential concurrent modification exception during push resend for iOS.

4.03.00

Features

  • FIDO moved from experimental feature to supported feature
  • FIDO configuration via admin console
  • Mobile authentication via FIDO
  • Use of SHA-256 in RSA keys for mobile authentication

Bug fixes

  • Database exception on iOS push resend

4.02.02

Bug fixes

  • OAuth identity provider endpoints return page not found

4.02.01

Bug fixes

  • Mobile authentication initialization doesn't work with email address as user id.
  • Non UTF-8 characters in device name can't be stored in MySQL.
  • Scope verification REST API JSON does not use snake case parameters.
  • Event list in admin console does not perform well in MySQL.
  • Error for missing Log4j2.xml printed at application startup.
  • Switching default identity provider in admin console raises exception.
  • Event filter date fields in admin console ignored.
  • Menu items admin console renamed.
  • Identity provider and PIN policy of application config cannot be unset.
  • Adding API client doesn't work on Oracle.
  • Renamed authorization properties to mobile authentication types.
  • Updating mobile authentication types in Oracle can lead to exception.
  • FIDO integration fails to initiate due to class not found exception.
  • Spaces and special characters no longer allowed in certificate names.

4.02.00

Features

  • Updated logging framework
  • Option to exclude token validation events via event log filter in admin console.
  • Application secret renamed to application signature in the admin console.
  • Import and export functionality for translations in the admin console.
  • Statistics dashboard is the homepage for admin console users with the role admin or operator.
  • User section is the homepage for admin console users with role helpdesk.
  • All configuration in admin console is moved to a configuration tab.
  • Copy paste functionality in admin console without flash requirement.
  • Removed event statistics from statistics dashboard.

Bug fixes

  • Disabled logging of SAML metadata reloading by default.
  • Unable to handle email address as user id in mobile authentication init request.

4.01.01

Bug fixes

  • Removal of mapping table from db template entities.
  • MSSQL migrations needing the DB user to be Onegini.
  • Invalid redirect uri used during authorization for custom app schemas when consent and authorization complete page disabled.
  • Profile picture not loaded by test resource gateway.
  • DCU fails from non tampering protected version to tampering protected version or the other way around.
  • Database migration for push message configuration fails on MariaDB.

4.01.00

Features

  • Resending of unhandled iOS push messages on client validation.
  • Statistics:
    • Trend in unique user logins.
    • A summary of used OS versions.
    • Total of unique users enrolled.
    • Total of application installations per platform.
    • Overview between failed and passed login attempts per login method.
  • Possibility to explicitly disable the consent notification service.
  • REST/JSON extension point for scope validation service.
  • Custom i18n message translations can be managed via the Admin panel.
  • Custom templates sets can be uploaded and managed via the Admin panel.
  • Mobile authentication API protected with the use of API clients.
  • Redesign admin panel user interface.
  • Separate dockers for Admin, Engine and Test client.
  • Push message config can be reused for multiple mobile application versions.
  • Configurable pin length.
  • SMS code used for mobile authentication can be resent.
  • Optionally allow enrollment of mobile authentication on a different device.
  • Improved error handling for json and html responses.
  • Discontinued support for custom platforms.
  • New white label templates using Thymeleaf layout dialect.

Bug fixes

  • Improve the performance of the user event search for MySQL.
  • Remove OAuth client when the last user is disconnected via the admin panel.
  • Exception when client not found when using FIDO.