9.1 Release Notes

9.1.3 Release

  • TBA: fixed an issue that occurred when the "environment" variable was not present during export
  • Changed behavior: if the authentication context of a method is empty, we use the authentication context from the incoming assertion from the IDP instead of the Authentication Method configured in IDHub.
  • Added nameidformat under the 'subject' field for SAML SPs
  • Fixed several XSS vulnerabilities
  • Fixed an issue where SAML extensions from the SpRequest were not taken into account in the AuthnRequest to the IDP
  • Fixed a vulnerability in the Self-service API that could allow an account take-over
  • Fixed an issue that could lead to session IDs being leaked on the gateway
  • Fixed an issue that could cause deadlocks while reading the OAUTH_TOKEN table
  • The client secret is no longer displayed in plain text for OAuth IDPs
  • Removed the Client secret from being returned in a self-service api call
  • Fixed some encoding issues on the gw-login after authentication
  • Fixed an issue on the digipass API to block/reinstate tokens when there are multiple token instances
  • OIDC:
    • Changed several 5xx errors into 40x errors when the client makes an incorrect request
    • Now allows CORS for OPTIONS preflight calls to the userinfo endpoint, for all origins
    • Fixed a DuplicateKeyException in Hybrid Flow
    • Now allows a refresh token to be used for a token exchange
    • Added additional checks and logging when an id token is requested
  • Ansible changes
    • Added an Ansible option to bind Redis to a specific IP
    • Added idhub_use_custom_conf parameter
    • It is now possible to define the domain of the cookies. The variable 'domain' was added for this purpose inside the Gateway configuration.
    • Fixed an issue with using "logback_custom: true" in a new environment
    • Ansible Logging is now turned on by default
    • Fixed an issue where gateway custom certificates (CA, crt and key) were not copied to a remote gateway
    • Added the option to have multiple gateway instances on one redis
    • When running the environment.yml, the files CentOS-* are deleted in the /etc/yum.repos.d/ folder

9.1.2 Release

  • Added a check whether a redirect URI is allowed for an OIDC logout
  • Added a global setting to change the SAML Method Comparison to be sent to IDP
  • Fixed an issue in the SAML component SLO with target parameter that was not working as expected
  • Fixed an issue with the OpenID UserInfo endpoint that returned a wrong sub value
  • Added a security header in nginx: more_set_header 'Server: Unknown'; under server_tokens off;. This prevents a simple curl from revealing which web server is in use.
  • Fixed an issue in the user attributes list screen: the highlight status of the "system" property was the inverse of the checkbox value on the user attribute detail screen
  • Added the BCrypt hashing algorithm
  • Fixed an issue where commas were not treated as multi-value separators in the Application Rules
  • Fixed an issue where the gateway session cookie was not invalidated by logout
  • Added the Hostname column to the SP overview
  • Changed the permissions of /opt/trustbuilder from 0755 to 0700 to protect the SSH keys.
  • Fixed the SAML extensions in AuthnRequest to use the correct namespace
  • Provided an option to enable/disable CRL/OCSP checks in SAML Artifact resolve connection (2way SSL)
  • Fixed an issue where idp/provisioning/user returned the wrong content-type
  • Fixed a NullPointer exception on authentication methods with a missing saml authentication context
  • Updated the OpenSSL version of OpenResty
  • Fixed an issue in OpenID where the InitialPartner serialization failed when no parameters were present.
  • Added SP relaystate in samlextensions to IDP
  • Fixed an issue that occurs when doing an IDP-initiated login from a SAML IDP to IDHub and a derived attribute workflow exists.
  • Fixed an issue with the OCSP signer lookup in truststore
  • Fixed an issue where the SAML Adapter signature validation fails
  • Fixed an issue where the User password loginid was not updated correctly upon changing
  • Fixed an issue where the password policy of the user / password IDP was not loaded at startup
  • Fixed an issue where you could not sort user columns when it contained multiple values
  • Fixed an issue with form-controls in user filter, which were too close to each other when stacked vertically
  • In IDHub DB settings, replaced:
    • maxActive by maxTotal
    • maxWait by maxWaitMillis.
  • TBA: 
    • Added a property on the http server config for the alias of the key to be used in mutual SSL
    • Added the HttpServer KeyAlias to TBA
    • Fixed an issue where the TBAdmin GUI sometimes no longer showed the home page
    • TBA will no longer export ".git" directories to the TB servers

9.1.1 Release

Changes

  • If the authentication context of a method (facing the SP) is empty, the authentication context from the incoming assertion from the IDP is used instead.
  • OIDC: scopes are now added to the access token, and the audience in the token is modified.

Bug fixes

  • Fixed a bug in loading the password policy of the built-in user / password IDP at startup (TB-4576).
  • Wrong empty trust store message.
  • The menu to select grid headings did not hide correctly.
  • Blocking an SP is only supported for SAML and OAuth providers, yet the front end offered blocking for all providers.
  • User columns could not be sorted when they contained multiple values.
  • The API call PUT digipass/license/reinstate/<license> set all instances to the ASSIGNED state.
  • Resetting a locked user's password in the GUI.

9.1 Release

Bug fixes

Admin portal

Fixed several GUI related bugs and cosmetic issues.

Activity timeout

When updating the user session in Redis, the activity timeout was being reset instead of reusing the existing one. The activity timeout should now expire regardless of any activity (hence its name).
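The behaviour described above, as an added illustration that is not TrustBuilder's Redis code: a deliberately small in-memory stand-in for the session store, with the pre-9.1 update (every write re-arms the timeout) next to the corrected update (the write reuses the expiry fixed at creation). Time is passed in explicitly so the run is deterministic; the session id and timeout values are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class SessionStore:
    """Constructed stand-in for the Redis-backed session store.

    Each session carries an absolute expiry timestamp (seconds); the caller
    supplies the current time, so nothing depends on the wall clock.
    """
    activity_timeout: float                       # lifetime granted at creation
    sessions: Dict[str, dict] = field(default_factory=dict)
    expires_at: Dict[str, float] = field(default_factory=dict)

    def create(self, sid: str, data: dict, now: float) -> None:
        self.sessions[sid] = dict(data)
        self.expires_at[sid] = now + self.activity_timeout

    def update_resetting_timeout(self, sid: str, data: dict, now: float) -> None:
        """Pre-9.1 behaviour: every write re-arms the timeout, so a client that
        keeps touching its session is never expired."""
        self.sessions[sid].update(data)
        self.expires_at[sid] = now + self.activity_timeout

    def update_keeping_timeout(self, sid: str, data: dict, now: float) -> None:
        """9.1 behaviour: the write reuses the existing expiry, so the session
        still ends at the moment fixed when it was created."""
        if self.remaining_ttl(sid, now) is None:
            raise KeyError(f"session {sid} has expired")
        self.sessions[sid].update(data)       # expires_at deliberately untouched

    def remaining_ttl(self, sid: str, now: float) -> Optional[float]:
        """Seconds left before the session expires, or None once it is gone
        (an expired session is evicted on first access, like a Redis TTL)."""
        deadline = self.expires_at.get(sid)
        if deadline is None or now >= deadline:
            self.sessions.pop(sid, None)
            self.expires_at.pop(sid, None)
            return None
        return deadline - now


def compare_behaviours(timeout: float = 600.0, step: float = 300.0, writes: int = 3):
    """Write to one session every `step` seconds, `writes` times, and return the
    remaining TTL after the last write under both strategies:
    (ttl_when_resetting, ttl_when_keeping). None means the session had expired."""
    results = []
    for updater_name in ("update_resetting_timeout", "update_keeping_timeout"):
        store = SessionStore(activity_timeout=timeout)
        store.create("sess-1", {"user": "alice"}, now=0.0)   # constructed session
        now, ttl = 0.0, None
        for i in range(writes):
            now += step
            ttl = store.remaining_ttl("sess-1", now)
            if ttl is None:
                break                                      # expired: no further writes
            getattr(store, updater_name)("sess-1", {"touch": i}, now)
            ttl = store.remaining_ttl("sess-1", now)
        results.append(ttl)
    return tuple(results)


if __name__ == "__main__":
    print(compare_behaviours())   # resetting keeps the session alive; keeping lets it expire
```

With a 600-second timeout and a write every 300 seconds, the resetting variant always reports 600 seconds left, while the corrected variant lets the session expire at t=600 no matter how often it was written.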

Attribute mapping

Multiple user attributes with the same name (ignoring case) could result in a server error when mapping these attributes (TB-4050).

Consent protection

Fixed a problem with consent protection when the user was not stored in the internal user database, using external identity providers (TB-4161).

Deployment of CA certificates

The installation script can now deploy the CA certificate to all gateways in the cluster.

Locations

Fixed a bug allowing the same location to be used simultaneously for API and PROXY service providers (TB-4187).

Logging

Fixed issue with unwanted log exclamations in the /idhub location.

Logout problems

Fixed several logout-related errors (TB-3842, TB-4087).

SAML2 metadata upload

The SAML2 metadata upload of identity and service providers was broken.

Scopes

System attributes like e-mail and SMS could not be assigned to scopes (TB-4235).

TrustBuilder core

In some scenarios the TrustBuilder engine could not locate a configured component on restart (TB-4440).

Changes

Admin portal user interface changes

Authentication scheme

The default method comparison and default method are now required.

Consents

The 'Toggle Scopes' button on the user consents screen has been removed.

Home page

The 'Preferences' link on the home page has been removed.

Identity provider edit screen

Using the principal UUID as subject for an IDP is no longer supported.

Service provider edit screen

It is no longer required to define a subject on Proxy service providers and API service providers when creating such a provider (default = anonymous).

Settings screen

The global "entity id" setting located at settings > authentication > general is still used, but will be removed in a following version (see the new property 'idhub entity id' in the identity and service provider edit screens).

The same goes for the x-idhub-entity-id header set in the gateway.

Login screen

The login screen has been reworked.

REST calls

Removed calls

  • /idhub/admin/api/v1/authorization2/scoreIt

  • /idhub/admin/api/v1/consent/{principalCode}

  • /idhub/admin/api/v1/consent/{spId}

  • /idhub/admin/api/v1/identityproviderattributes

  • /idhub/admin/api/v1/serviceproviderattributes

  • /idhub/admin/api/v1/sp/allowedidps/{code}

  • /idhub/installation/keystore/add

  • /idhub/installation/keystore/addkeystore

  • /idhub/logout - Replaced by /idhub/authenticate/logout

  • /idhub/public/api/v1/consent/grant/{id}

  • /idhub/selfservice/api/v1/consent/{principalCode}

  • /idhub/selfservice/api/v1/consent/{spId}/{uuid}

Changed calls

  • /idhub/admin/api/v1/principal (GET) - Retrieves all principals using back-end pagination parameterised with page size, offset, sort column and sort order.

  • /idhub/admin/api/v1/principal/filter (POST) - Retrieves principals by filter using back-end pagination parameterised with page size, offset, sort column and sort order. Use /idhub/admin/api/v1/principal/count to retrieve the number of users satisfying the filter.

  • /idhub/authenticate (GET) - Has idpCode, authenticationContext and relayState as required query parameters.

  • /idhub/gw-login (GET) - Replaces orchestrator workflow.

  • /idhub/oidc/v1/approved/{id} (GET) - X-TB-SESSION header is automatically set by gateway.

  • /idhub/oidc/v1/denied/{id} (GET) - X-TB-SESSION header is automatically set by gateway.

  • /idhub/saml2/acs (GET, POST) - Replaces orchestrator workflow.

  • /idhub/saml2/slo (GET, POST) - Replaces orchestrator workflow.

  • /idhub/saml2/sso (GET, POST) - Replaces orchestrator workflow.

  • /idhub/selfservice/api/v1/principalttributes (GET) - Filters hidden attributes (hidden attributes are introduced in 9.1).

Added calls

  • /idhub/admin/api/v1/certificate (GET) - private

  • /idhub/admin/api/v1/certificate/{alias} (DELETE) - private

  • /idhub/admin/api/v1/certificate/addkeystore (POST)

  • /idhub/admin/api/v1/certificate/contextinfo (GET) - private

  • /idhub/admin/api/v1/certificate/generate (POST) - private

  • /idhub/admin/api/v1/certificate/import (POST) - private

  • /idhub/admin/api/v1/certificate/upload/{alias}/{type} (POST) - private

  • /idhub/admin/api/v1/consent (GET)

  • /idhub/admin/api/v1/consent/{principalCode}/{spId} (DELETE)

  • /idhub/admin/api/v1/consent/{spId} (DELETE)

  • /idhub/admin/api/v1/consent/info/{consentId} (GET)

  • /idhub/admin/api/v1/digipass//resetstaticpassword/{serialNumber} (GET)

  • /idhub/admin/api/v1/digipass/token/reinstate/app/{serialNumber}/{app} (PUT)

  • /idhub/admin/api/v1/principal/count (POST)

  • /idhub/admin/api/v1/version (GET)

  • /idhub/authenticate/internalidp (POST)

  • /idhub/authenticate/logout (GET) - Replaces /idhub/logout

  • /idhub/oidc/v1/consent/{id} (GET)

  • /idhub/saml2/idp/{idpCode} (GET)

  • /idhub/saml2/sp/{spCode} (GET)

  • /idhub/selfservice/api/v1/consent (GET) 

Note

REST calls documented in swagger files marked as private are currently for internal use only. 

Installation

Roles

  • The 'common' role in the installation script no longer updates all yum packages.
  • new role 'arbitrator': use this to deploy a stable 2-node MariaDB cluster (more info: http://galeracluster.com/documentation-webpages/arbitrator.html)
  • new role 'environment': easily choose which version of Trustbuilder to install or switch from the stable to the nightly release channel

TBA

Communication channel

The communication channel between TBA and the Tomcat admin service has changed, so it is required to upgrade TBA to 9.1 as well.

Other

  • The subject of an IDP (upon return from the IDP) is now stored into the corresponding principal attribute.

  • To enhance performance, the user session is only saved when returned by the Authorization server for API calls (instead of for all types of calls).

  • The built-in username/password IDP is not a SAML IDP anymore. If you have changed the default login page, then it is required to change the action of the form to "/idhub/authenticate/internalidp" instead of "/idhub/idp/pwd_auth", and to add an extra hidden input field named "idpCode" with value "IDHUB_IDP_UP".

  • The token introspection endpoint is now accessible by all OAuth service providers.

New features

Backend pagination

Previous versions of TrustBuilder supported pagination in the user list screen, but required the data to be downloaded first.

TrustBuilder 9.1 supports pagination on the backend as well. The relevant REST call now allows clients to pass optional parameters to retrieve a subset of users at one time. The Admin portal retrieves 24 users at a time.

Certificate management

TrustBuilder now provides an easy way to manage the certificates used by TrustBuilder. Certificates may be created or imported on the service and identity provider screens (if relevant for the provider type). The complete list of certificates can be viewed and maintained on a separate 'Certificates' screen. (Note that custom workflows continue to use their own Java key and trust stores.)

It is now possible to specify different certificates for each Service Provider and for each Identity Provider for encryption / decryption and signing purposes. Multiple certificates may be registered for the same purpose. Each such 'certificate usage' has a validity period, which must be covered by the certificate expiration period. TrustBuilder checks if overlap between validity periods of different certificate usages is allowed.

On the certificates management screen TrustBuilder also checks if a certificate may be safely removed (expired or not in use).

This scheme allows administrators to specify in advance the certificates to use for each purpose from a certain date on.

For more information on how to configure this it is advised to read the documentation.

Note: the private key format currently used is PKCS8.

GeoIP service

A GeoIP client service is now available as a TrustBuilder service.

Host name

TrustBuilder now offers the possibility to attach a hostname to a Proxy or API SP. (The hostname is optional.)

Note that each hostname must be a subdomain of a (single) main domain.

For more information on how to configure this it is advised to read the documentation.
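An added example, not TrustBuilder's own validation code, of the rule stated above: every SP hostname must sit under one main domain. The check compares whole DNS labels rather than using a plain string suffix, because a suffix test would accept a look-alike such as 'attacker-example.com' for the main domain 'example.com'. The hostnames and the main domain below are constructed for the example.

```python
from typing import Iterable, List


def normalise(name: str) -> str:
    """Lower-case and drop a trailing dot so 'SSO.Example.COM.' equals 'sso.example.com'."""
    return name.strip().lower().rstrip(".")


def is_subdomain_of(hostname: str, main_domain: str) -> bool:
    """True when hostname lies strictly below main_domain in the DNS tree.

    Labels are compared one by one from the right, so the boundary between
    labels is respected: 'evilexample.com' is not under 'example.com', and
    neither is 'example.com' itself (a host equal to the main domain is not
    a subdomain of it).
    """
    host_labels = normalise(hostname).split(".")
    main_labels = normalise(main_domain).split(".")
    if not all(host_labels) or not all(main_labels):
        return False                      # an empty label means a malformed name
    if len(host_labels) <= len(main_labels):
        return False                      # same name or shorter cannot be a subdomain
    return host_labels[-len(main_labels):] == main_labels


def validate_sp_hostnames(hostnames: Iterable[str], main_domain: str) -> List[str]:
    """Return the hostnames that violate the single-main-domain rule.

    An empty result means every hostname is acceptable; anything returned
    should be rejected before it is attached to a Proxy or API SP.
    """
    return [h for h in hostnames if not is_subdomain_of(h, main_domain)]


if __name__ == "__main__":
    # Constructed sample: two good hostnames, one look-alike, one bare main domain.
    candidates = ["sso.example.com", "api.example.com", "attacker-example.com", "example.com"]
    print(validate_sp_hostnames(candidates, "example.com"))   # the last two are rejected
```

The same label-boundary comparison is what cookie domain matching (RFC 6265) relies on, apart from the equal-name case, so it is also the right way to check whether a gateway cookie domain covers a given SP hostname.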

Templates

TrustBuilder now provides an OpenID post profile template.

The template editor now comes with line numbers, syntax colouring and undo functionality.

User attributes

A user attribute can now be marked as hidden. Hidden attributes are skipped by the self service REST calls. Hidden attributes are automatically read-only.

Admin portal user interface enhancements

Certificates screen

This new screen allows administrators to safely remove certificates, and to inspect and copy certificates.

Digipass

The DPX upload option on the Authentication/Digipass settings screen now supports uploading larger DPX files.

Home screen

A 'Certificates' link on the home page has been added. Clicking the link opens a screen with key and trust (store) certificates.

Identity provider list screen

The Admin portal now allows administrators to specify which columns to show in the identity provider list screen. Administrators can also specify the order and size of the columns, as well as the sort order.

Identity provider edit screen

The edit screens of the various types of identity providers now contain an option to select the subject attribute.

The OAuth identity provider screen contains a section to manage certificates for the IDP.

The built-in user / password identity provider is no longer a SAML IDP. The edit screen for this provider now shows a simplified list of (read-only) settings.

Audience and Subject Recipient have been added to SAML identity providers. There is also a new property 'idhub entity id' (field "idhub_entity_id" in JSON) for SAML identity providers.

Service provider list screen

The Admin portal now allows administrators to specify which columns to show in the service provider list screen. Administrators can also specify the order and size of the columns, as well as the sort order.

A SAML or OAuth service provider may be (temporarily) blocked. Attempting to access a blocked provider results in an error.

Service provider edit screen

Selection of the authentication scheme is now also available on the SP edit page when creating a new SP (using a default comparison and method).

Audience and Subject Recipient have been added to SAML service providers. There is also a new property 'idhub entity id' (field "idhub_entity_id" in JSON) for SAML service providers.

Templates screen

The templates screen now provides an OpenID 'post profile' template.

User list screen

In previous versions of the Admin portal it was not always clear if the user list shown on the screen resulted from a filter, and if so which filter. The user list screen now displays the filter (if any) that has been applied. Each element of the filter is presented as an individual condition in a box. Individual conditions can be easily removed.

In the filter definition, the 'Ignore Category' checkbox has been removed and now always defaults to true. The attribute selection menu now also includes built-in user properties like 'Blocked' and 'Updated'.

Previous versions of the Admin portal allowed administrators to specify which columns to show in the user list screen. The columns may now also include built-in user properties like 'Blocked' and 'Updated'. This functionality has been further enhanced by allowing administrators to specify also the order and size of the columns, as well as the sort order. Clicking the header of a column cycles through sorting in ascending order, sorting in descending order or disabling explicit sorting. If no sort order is specified explicitly, the users are sorted by id. Note that changing the sort order results in a new query on the backend.

Version number

The Admin portal now always displays the version number to the right of the TrustBuilder logo.

Gateway

Engine

Upgraded to OpenResty v1.13 (more info: http://openresty.org/en/changelog-1013006.html)

Note: This new version requires the SSE4.2 instruction set to be active on the CPU.

Logging

The gateway writes more information into the log files. Existing log operations have been improved.

Cookie domain

It is now possible to define the domain of the cookies. The variable 'domain' was added for this purpose inside the Gateway configuration.

Tomcat

Added 'host-manager' and 'manager' as new web application contexts. These are installed automatically in the webapps folder, and two context XML files are created in conf/Catalina/<host>/.

By default these require basic authentication; this is set in Ansible. They use the users defined in the tomcat-user.xml file.

In server.xml, a GlobalNamingResources entry was added for the user database conf/tomcat-user.xml, together with the user realm in the Catalina service.

In ansible you can configure new parameters in the roles:

  • tomcat_manager_uses: Set the username for basic authentication (default: manager)
  • tomcat_manager_pass: Set the password for basic authentication (default: <random gen by ansible>)
  • manager_allow_ips: A regex that controls which IPs can access the manager and host-manager contexts (default: 127\\.\\d+\\.\\d+\\.\\d+;\\d*|::1;\\d*|0:0:0:0:0:0:0:1;\\d*)
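An added example, not part of the TrustBuilder Ansible roles, for reviewing a manager_allow_ips value before rolling it out. It assumes the regex is applied the way Tomcat's RemoteAddrValve applies its allow pattern: the whole string must match, and the subject is '<remote address>;<connector port>' when the connector port is appended (the ';\d*' tail of the default value only makes sense under that form). The sample addresses, the port 8080 and the alternative patterns are constructed for the example.

```python
import re
from typing import Dict, Iterable, Optional

# The default manager_allow_ips from the notes above, with the doubled backslashes
# that Ansible/YAML needs reduced to the single backslashes the valve compiles.
DEFAULT_ALLOW = r"127\.\d+\.\d+\.\d+;\d*|::1;\d*|0:0:0:0:0:0:0:1;\d*"


def tomcat_allows(remote_addr: str, port: Optional[int] = None,
                  allow_regex: str = DEFAULT_ALLOW) -> bool:
    """Reproduce the allow decision (assumption: whole-string match, and the
    connector port is appended as ';<port>' when one is given)."""
    subject = remote_addr if port is None else f"{remote_addr};{port}"
    return re.fullmatch(allow_regex, subject) is not None


def audit_allow_list(allow_regex: str, samples: Iterable[str],
                     port: int = 8080) -> Dict[str, bool]:
    """Evaluate a candidate regex against sample client addresses so that an
    over-broad (or accidentally unmatchable) pattern is caught in review."""
    return {addr: tomcat_allows(addr, port, allow_regex) for addr in samples}


def to_ansible_value(allow_regex: str) -> str:
    """Double every backslash so the regex survives YAML/Ansible processing,
    which yields the form printed in the release notes."""
    return allow_regex.replace("\\", "\\\\")


if __name__ == "__main__":
    # Constructed sample: loopback addresses should pass, a LAN address should not.
    print(audit_allow_list(DEFAULT_ALLOW, ["127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "10.0.0.5"]))
    # A pattern written without the ';\d*' tail never matches once the port is
    # appended, which locks out even the intended address.
    print(audit_allow_list(r"10\.1\.2\.3", ["10.1.2.3"]))
    print(audit_allow_list(r"10\.1\.2\.3;\d*", ["10.1.2.3", "10.1.2.4"]))
    print(to_ansible_value(DEFAULT_ALLOW))
```

The practical point is the ';' in the default: a custom value that copies the address part but forgets the ';\d*' tail does not match anything when the port is appended, so always extend the default rather than replacing it from scratch.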

Other

  • Consent expiration: a time-to-live has been added to consents (for OAuth SPs)

Upgrade guidelines

Before starting the upgrade it is strongly advised to create a backup of your virtual machine(s).

As of this release we will publish new versions ONLY on our new repository (repository.trustbuilder.io). The existing repository is considered end-of-life and will be removed by June 1st 2018.

During installation, we no longer automatically update all the software on the server. This is to avoid unwanted side effects.

Start by pulling in the latest installation scripts:

# sudo yum update trustbuilder-appliance

After that, run your playbook, e.g.:

# cd /opt/trustbuilder/appliance/config

# ansible-playbook -v my-playbook.yml

The database role can sometimes be unstable for clustered environments. You can leave this role out of the playbook when running an upgrade.

In rare cases it could be that the Gateway Service will not start. The root cause can be found by executing the following command:

sudo systemctl status tb-gw-default

or 'sudo systemctl status tb-gw-{your-instance-id}' in case you specified a custom instance id for your gateway.

Any errors need to be fixed manually; then you can rerun the playbook.

If everything runs correctly TrustBuilder should be up and running.

All that is left now is to update the database scheme of idhub. You can do this by accessing https://your-hostname/idhub/install
