9.1 Release


9.1.1 Release


  • If the authentication context of a method (facing the SP) is empty, the authentication context from the incoming assertion of the IDP is used.
  • OIDC: scopes are added to the access token; the audience in the token is modified.

Bug fixes

  • Fixed a bug in loading the password policy of the built-in user / password IDP at startup (TB-4576).
  • Fixed a wrong "empty trust store" message.
  • The menu to select grid headings did not hide correctly.
  • Blocking an SP is only supported for SAML and OAuth providers, yet the front end offered blocking for all provider types.
  • User columns could not be sorted when the attribute had multiple values.
  • The API call PUT digipass/license/reinstate/<license> set all instances to the ASSIGNED state.
  • Resetting the password of a locked user in the GUI.

9.1 Release

Bug fixes

Admin portal

Fixed several GUI related bugs and cosmetic issues.

Activity timeout

When updating the user session in Redis, the activity timeout was being reset instead of reusing the existing one. The activity timeout should now expire regardless of any activity (hence its name).

Attribute mapping

Multiple user attributes with the same name (ignoring case) could result in a server error when mapping these attributes (TB-4050).

Consent protection

Fixed a problem with consent protection when the user was not stored in the internal user database, using external identity providers (TB-4161).

Deployment of CA certificates

The installation script can now deploy the CA certificate to all gateways in the cluster.


Fixed a bug allowing the same location to be used simultaneously for API and PROXY service providers (TB-4187).


Fixed an issue with unwanted log exclamations in the /idhub location.

Logout problems

Fixed several logout-related errors (TB-3842, TB-4087).

SAML2 metadata upload

The SAML2 metadata upload of identity and service providers was broken.


System attributes like e-mail and SMS could not be assigned to scopes (TB-4235).

TrustBuilder core

In some scenarios the TrustBuilder engine could not locate a configured component on restart (TB-4440).


Admin portal user interface changes

Authentication scheme

The default method comparison and default method are now required.


The Toggle Scopes button on the user consents screen has been removed.

Home page

The Preferences link on the home page has been removed.

Identity provider edit screen

Using the principal UUID as subject for an IDP is no longer supported.

Service provider edit screen

It is no longer required to define a subject on Proxy service providers and API service providers when creating such a provider (default = anonymous).

Settings screen

The global "entity id" setting located at settings > authentication > general is still used, but will be removed in a following version (see the new property idhub entity id in the identity and service provider edit screens).

The same goes for the x-idhub-entity-id header set in the gateway.

Login screen

The login screen has been reworked.

REST calls

Removed calls

  • /idhub/admin/api/v1/authorization2/scoreIt

  • /idhub/admin/api/v1/consent/{principalCode}

  • /idhub/admin/api/v1/consent/{spId}

  • /idhub/admin/api/v1/identityproviderattributes

  • /idhub/admin/api/v1/serviceproviderattributes

  • /idhub/admin/api/v1/sp/allowedidps/{code}

  • /idhub/installation/keystore/add

  • /idhub/installation/keystore/addkeystore

  • /idhub/logout - Replaced by /idhub/authenticate/logout

  • /idhub/public/api/v1/consent/grant/{id}

  • /idhub/selfservice/api/v1/consent/{principalCode}

  • /idhub/selfservice/api/v1/consent/{spId}/{uuid}

Changed calls

  • /idhub/admin/api/v1/principal (GET) - Retrieves all principals using back-end pagination parameterised with page size, offset, sort column and sort order.

  • /idhub/admin/api/v1/principal/filter (POST) - Retrieves principals by filter using back-end pagination parameterised with page size, offset, sort column and sort order. Use /idhub/admin/api/v1/principal/count to retrieve the number of users satisfying the filter.

  • /idhub/authenticate (GET) - Has idpCode, authenticationContext and relayState as required query parameters.

  • /idhub/gw-login (GET) - Replaces orchestrator workflow.

  • /idhub/oidc/v1/approved/{id} (GET) - X-TB-SESSION header is automatically set by gateway.

  • /idhub/oidc/v1/denied/{id} (GET) - X-TB-SESSION header is automatically set by gateway.

  • /idhub/saml2/acs (GET, POST) - Replaces orchestrator workflow.

  • /idhub/saml2/slo (GET, POST) - Replaces orchestrator workflow.

  • /idhub/saml2/sso (GET, POST) - Replaces orchestrator workflow.

  • /idhub/selfservice/api/v1/principalattributes (GET) - Filters hidden attributes (hidden attributes are introduced in 9.1).

Added calls

  • /idhub/admin/api/v1/certificate (GET) - private

  • /idhub/admin/api/v1/certificate/{alias} (DELETE) - private

  • /idhub/admin/api/v1/certificate/addkeystore (POST)

  • /idhub/admin/api/v1/certificate/contextinfo (GET) - private

  • /idhub/admin/api/v1/certificate/generate (POST) - private

  • /idhub/admin/api/v1/certificate/import (POST) - private

  • /idhub/admin/api/v1/certificate/upload/{alias}/{type} (POST) - private

  • /idhub/admin/api/v1/consent (GET)

  • /idhub/admin/api/v1/consent/{principalCode}/{spId} (DELETE)

  • /idhub/admin/api/v1/consent/{spId} (DELETE)

  • /idhub/admin/api/v1/consent/info/{consentId} (GET)

  • /idhub/admin/api/v1/digipass/resetstaticpassword/{serialNumber} (GET)

  • /idhub/admin/api/v1/digipass/token/reinstate/app/{serialNumber}/{app} (PUT)

  • /idhub/admin/api/v1/principal/count (POST)

  • /idhub/admin/api/v1/version (GET)

  • /idhub/authenticate/internalidp (POST)

  • /idhub/authenticate/logout (GET) - Replaces /idhub/logout

  • /idhub/oidc/v1/consent/{id} (GET)

  • /idhub/saml2/idp/{idpCode} (GET)

  • /idhub/saml2/sp/{spCode} (GET)

  • /idhub/selfservice/api/v1/consent (GET)


REST calls that are marked as private in the Swagger files are currently for internal use only.



  • The 'common' role in the installation script no longer updates all yum packages.
  • New role 'arbitrator': use this to deploy a stable 2-node MariaDB cluster (more info: http://galeracluster.com/documentation-webpages/arbitrator.html).
  • New role 'environment': easily choose which version of TrustBuilder to install, or switch from the stable to the nightly release channel.


Communication channel

The communication channel between TBA and the Tomcat admin service has changed, so it is required to upgrade TBA to 9.1 as well.


  • The subject of an IDP (upon return from the IDP) is now stored into the corresponding principal attribute.

  • To enhance performance, the user session is only saved when returned by the Authorization server for API calls (instead of for all types of calls).
  • The built-in username/password IDP is no longer a SAML IDP. If you have changed the default login page, you must change the action of the form to "/idhub/authenticate/internalidp" instead of "/idhub/idp/pwd_auth", and add an extra hidden input field named "idpCode" with value "IDHUB_IDP_UP".

  • The token introspection endpoint is now accessible by all OAuth service providers.

New features

Backend pagination

Previous versions of TrustBuilder supported pagination in the user list screen, but required the data to be downloaded first.

TrustBuilder 9.1 supports pagination on the backend as well. The relevant REST call now allows clients to pass optional parameters to retrieve a subset of users at one time. The Admin portal retrieves 24 users at a time.

Certificate management

TrustBuilder now provides an easy way to manage the certificates used by TrustBuilder. Certificates may be created or imported on the service and identity provider screens (if relevant for the provider type). The complete list of certificates can be viewed and maintained on a separate Certificates screen. (Note that custom workflows continue to use their own Java key and trust stores.)

It is now possible to specify different certificates for each Service Provider and for each Identity Provider for encryption / decryption and signing purposes. Multiple certificates may be registered for the same purpose. Each such certificate usage has a validity period, which must be covered by the certificate expiration period. TrustBuilder checks if overlap between validity periods of different certificate usages is allowed.

On the certificates management screen TrustBuilder also checks if a certificate may be safely removed (expired or not in use).

This scheme allows administrators to specify in advance the certificates to use for each purpose from a certain date on.
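As an added illustration (not TrustBuilder's own code), the following Python models the checks described above: each certificate usage must fall inside its certificate's validity period, usages for the same purpose may not overlap unless overlap is allowed, and a certificate is safe to remove once it has expired or is no longer referenced. The data model, function names and sample dates are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Certificate:
    alias: str
    not_before: date   # start of the certificate's own validity
    not_after: date    # certificate expiration

@dataclass(frozen=True)
class CertificateUsage:
    cert: Certificate
    purpose: str       # e.g. "signing" or "encryption" for one provider
    valid_from: date   # period during which this certificate serves the purpose
    valid_to: date

def usage_errors(usages, allow_overlap=False):
    """Return the list of consistency problems; an empty list means the plan is valid."""
    errors = []
    for u in usages:
        # The usage period must be covered by the certificate's expiration period.
        if u.valid_from < u.cert.not_before or u.valid_to > u.cert.not_after:
            errors.append(f"{u.cert.alias}/{u.purpose}: usage period not covered by certificate validity")
    if allow_overlap:
        return errors
    # Usages for the same purpose may not overlap in time; track the latest end seen so far
    # so that a long usage enclosing several later ones is still detected.
    by_purpose = {}
    for u in usages:
        by_purpose.setdefault(u.purpose, []).append(u)
    for purpose, group in by_purpose.items():
        group.sort(key=lambda u: u.valid_from)
        latest = group[0]
        for u in group[1:]:
            if u.valid_from <= latest.valid_to:
                errors.append(f"{purpose}: {latest.cert.alias} and {u.cert.alias} overlap")
            if u.valid_to > latest.valid_to:
                latest = u
    return errors

def safe_to_remove(cert, usages, today):
    """A certificate may be removed when it has expired or no usage references it."""
    return cert.not_after < today or not any(u.cert == cert for u in usages)

# Constructed sample: an old signing certificate handed over to a new one on 1 April 2018.
OLD = Certificate("sp-signing-2017", date(2017, 1, 1), date(2018, 6, 30))
NEW = Certificate("sp-signing-2018", date(2018, 1, 1), date(2020, 12, 31))
GOOD_PLAN = [CertificateUsage(OLD, "signing", date(2017, 1, 1), date(2018, 3, 31)),
             CertificateUsage(NEW, "signing", date(2018, 4, 1), date(2020, 12, 31))]
BAD_PLAN = [CertificateUsage(OLD, "signing", date(2017, 1, 1), date(2018, 9, 30)),   # outlives OLD
            CertificateUsage(NEW, "signing", date(2018, 4, 1), date(2020, 12, 31))]  # overlaps OLD's usage
```

usage_errors(BAD_PLAN) reports both problems, while usage_errors(BAD_PLAN, allow_overlap=True) reports only the uncovered period.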

For more information on how to configure this it is advised to read the documentation.

Note: the private key format currently used is PKCS#8.

GeoIP service

A GeoIP client service is now available as a TrustBuilder service.

Host name

TrustBuilder now offers the possibility to attach a hostname to a Proxy or API SP. (The hostname is optional.)

Note that each hostname must be a subdomain of a (single) main domain.

For more information on how to configure this it is advised to read the documentation.


TrustBuilder now provides an OpenID post profile template.

The template editor now comes with line numbers, syntax colouring and undo functionality.

User attributes

A user attribute can now be marked as hidden. Hidden attributes are skipped by the self service REST calls. Hidden attributes are automatically read-only.

Admin portal user interface enhancements

Certificates screen

This new screen allows administrators to safely remove certificates, and to inspect and copy certificates.


The DPX upload option on the Authentication/Digipass settings screen now supports uploading larger DPX files.

Home screen

A Certificates link on the home page has been added. Clicking the link opens a screen with key and trust (store) certificates.

Identity provider list screen

The Admin portal now allows administrators to specify which columns to show in the identity provider list screen. Administrators can also specify the order and size of the columns, as well as the sort order.

Identity provider edit screen

The edit screens of the various types of identity providers now contain an option to select the subject attribute.

The OAuth identity provider screen contains a section to manage certificates for the IDP.

The built-in user / password identity provider is no longer a SAML IDP. The edit screen for this provider now shows a simplified list of (read-only) settings.

Audience and Subject Recipient have been added to SAML identity providers. There is also a new property idhub entity id (field "idhub_entity_id" in JSON) for SAML identity providers.

Service provider list screen

The Admin portal now allows administrators to specify which columns to show in the service provider list screen. Administrators can also specify the order and size of the columns, as well as the sort order.

A SAML or OAuth service provider may be (temporarily) blocked. Attempting to access a blocked provider results in an error.

Service provider edit screen

Selection of the authentication scheme is now also available on the SP edit page when creating a new SP (using a default comparison and method).

Audience and Subject Recipient have been added to SAML service providers. There is also a new property idhub entity id (field "idhub_entity_id" in JSON) for SAML service providers.

Templates screen

The templates screen now provides an OpenID post profile template.

User list screen

In previous versions of the Admin portal it was not always clear if the user list shown on the screen resulted from a filter, and if so which filter. The user list screen now displays the filter (if any) that has been applied. Each element of the filter is presented as an individual condition in a box. Individual conditions can be easily removed.

In the filter definition, the Ignore Category checkbox has been removed and now always defaults to true. The attribute selection menu now also includes built-in user properties like Blocked and Updated.

Previous versions of the Admin portal allowed administrators to specify which columns to show in the user list screen. The columns may now also include built-in user properties like Blocked and Updated. This functionality has been further enhanced by allowing administrators to specify also the order and size of the columns, as well as the sort order. Clicking the header of a column cycles through sorting in ascending order, sorting in descending order or disabling explicit sorting. If no sort order is specified explicitly, the users are sorted by id. Note that changing the sort order results in a new query on the backend.

Version number

The Admin portal now always displays the version number to the right of the TrustBuilder logo.



Upgraded to OpenResty v1.13 (more info: http://openresty.org/en/changelog-1013006.html)

Note: This new version requires the SSE4.2 instruction set to be active on the CPU.


The gateway writes more information into the log files. Existing log operations have been improved.

Cookie domain

It is now possible to define the domain of the cookies. The variable 'domain' was added for this purpose inside the Gateway configuration.


Added host-manager and manager as new web application contexts. These are automatically installed in the webapps folder, and two context XML files are created in conf/Catalina/<host>/.

By default these contexts require basic authentication; this is set in Ansible. They use the users defined in the tomcat-user.xml file.

In server.xml, a GlobalNamingResources element was added to register the user database conf/tomcat-user.xml, together with the user realm in the Catalina service.

In ansible you can configure new parameters in the roles:

  • tomcat_manager_uses: sets the username for basic authentication (default: manager).
  • tomcat_manager_pass: sets the password for basic authentication (default: <random gen by ansible>).
  • manager_allow_ips: a regex that controls which IP addresses may access the manager and host-manager contexts (default: 127\\.\\d+\\.\\d+\\.\\d+;\\d*|::1;\\d*|0:0:0:0:0:0:0:1;\\d*).
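The default manager_allow_ips value is a Java regular expression evaluated by Tomcat's RemoteAddrValve, so an override that is too narrow silently locks administrators out and one that is too wide exposes the manager application. As an added example (not part of the appliance scripts), the following Python checks which client addresses the default admits; it assumes the generated context enables addConnectorPort, so the valve matches the whole string "<ip>;<port>", which the trailing ";\\d*" in the default implies.

```python
import re

# Default manager_allow_ips from the release notes; the Ansible/YAML double escaping
# ('\\.') is collapsed to the single backslashes the Tomcat valve actually compiles.
DEFAULT_MANAGER_ALLOW = r"127\.\d+\.\d+\.\d+;\d*|::1;\d*|0:0:0:0:0:0:0:1;\d*"

def manager_access_allowed(remote_addr, connector_port, allow_pattern=DEFAULT_MANAGER_ALLOW):
    """Model of Tomcat's RemoteAddrValve decision (assumed: addConnectorPort is enabled,
    which the trailing ';\\d*' in the default suggests): the valve matches the whole
    string '<client-ip>;<port>' against the allow pattern, so partial matches do not count."""
    candidate = f"{remote_addr};{connector_port}"
    return re.fullmatch(allow_pattern, candidate) is not None

def audit_allow_list(allow_pattern, samples):
    """Return {(addr, port): allowed} for a list of constructed client addresses."""
    return {(addr, port): manager_access_allowed(addr, port, allow_pattern) for addr, port in samples}

# Constructed sample clients: loopback in three spellings and one LAN host.
SAMPLE_CLIENTS = [("127.0.0.1", 8080), ("::1", 8443), ("0:0:0:0:0:0:0:1", 8080), ("10.0.0.5", 8080)]

if __name__ == "__main__":
    for (addr, port), ok in audit_allow_list(DEFAULT_MANAGER_ALLOW, SAMPLE_CLIENTS).items():
        print(f"{addr}:{port} -> {'allowed' if ok else 'denied'}")
    # Pitfall: an override without the ';\d*' suffix locks out even loopback once the port is appended.
    print(manager_access_allowed("127.0.0.1", 8080, r"127\.0\.0\.1"))
```

With the default pattern only the three loopback clients are allowed; the last line shows that an override written without the port suffix denies 127.0.0.1 as well.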


  • Consent expiration: a time-to-live has also been added to the consents (for OAuth SPs)

Upgrade guidelines

Before starting the upgrade it is strongly advised to create a backup of your virtual machine(s).

As of this release we will publish new versions ONLY on our new repository (repository.trustbuilder.io). The existing repository is considered end-of-life and will be removed by June 1st 2018.

During installation, we no longer automatically update all the software on the server. This is to avoid any unwanted side effects.

Start by pulling in the latest installation scripts:

# sudo yum update trustbuilder-appliance

After that, run your playbook, e.g.:

# cd /opt/trustbuilder/appliance/config

# ansible-playbook -v my-playbook.yml

The database role can sometimes be unstable for clustered environments. You can leave this role out of the playbook when running an upgrade.

In rare cases it could be that the Gateway Service will not start. The root cause can be found by executing the following command:

sudo systemctl status tb-gw-default

or 'sudo systemctl status tb-gw-{your-instance-id}' in case you specified a custom instance id for your gateway

Any errors need to be fixed manually and then you can rerun the ansible-playbook again.

If everything runs correctly TrustBuilder should be up and running.

All that is left now is to update the database schema of idhub. You can do this by accessing https://your-hostname/idhub/install

