- Fixed issue saml component logout redirect url is encoded
- oidc logout redirect uri: check if in allowed redirect uri's
- Fixed issue with comma's in application rule
- Fixed issue with special characters in tba
- Fixed the problem that some rest calls were responding with an incorrect content-type
- Fixed an issue with saml tokens and entityId containing a $ sign
- Fixed the issue that after an update the parameters for the session store are reset
- Fixed issue with Digipass where a cronto as generated while there was no active license
- Fixed error when clicking policies in tba
Changes & Improvements
- Updated ssl version of the gateway
- In gateway hide webserver type for requests
- Changed default permissions on tbhome directory
- Provided option to enable/disable CRL/OCSP checks in SAML Artifact resolve connection
- Improved some datasource configuration parameters
- Tomcat keeps restarting if JVM has not enough allocated RAM [TB-4515]
- API call PUT digipass/license/reinstate/<license> sets all instances in ASSIGNED state [TB-4525]
- Cannot Delete User [TB-4534]
- SAML artifact binding doesn't handle a SSL handshake exception correctly [TB-4598]
Changes & Improvements
- Missing OIDC flow (act-as / multi-hop / on-behalf-of) [TB-4455]
- OIDC logout functionalitiy [TB-4495]
- RedisService MasterAndSentinels [TB-4526]
- Finish OIDC: add scopes in access token - modify audience in token 9.2 [TB-4557]
- The password policy of the user / password IDP is not loaded at startup [TB-4576]
- Disable Tomcat version - Core and GUI [TB-4507]
- Custom template for location 00_idhub.conf [TB-4574]
- Digipass: better support for escaped characters for free text authentication and improved flexibility for cronto message generation.
- RedisService: new optional service property: Password.
- Oidc: acr values are passed along and in derived attribute workflow the user can choose which one applies to the current request. Array of acr values can be found inside request.acr_values. The final chosen acr value should be put inside request.request.acr.
- Missing headers in authenticated requests (TB-3951).
- The call digipass/license/delete/<uid>/<license> did not delete a license (TB-4349).
- A request after the inactivitiy timeout has reached resulted in a LUA error (TB-4350).
- Improved error reporting for Digipass API (TB-4406).
- Removed excessive error logging of connection pool timeouts (TB-4423).
- Fixed some OIDC token issues (TB-4468).
- MySQL rotate did not work properly. A keep_log_days parameter was added to the database role, with default value = 30 days. (TB-4488).
- MongoDB has been removed from the applicance (TB-4487).
- Added ability to added cookies in session hook workflow (TB-4513).
- Extended information returned from .well-known/openid-configuration call (TB-4373).
- Added the possibility to specify a custom location of logback.xml, with the logback_custom parameter in the orchestrator role. This will use the logback exported in TBA instead in the webapps/idhub/WEB-INF/classes/ (TB-4374).
- Disabled the Nginx version in configuration. This will not show the nginx version if the default Nginx error page is shown. (TB-4499).
- The searchable hash attribute type was added (TB-4471).
- Fixed problem when multiple partners use the same certificate.
- Enable to set up ssl on artifact resolution.
- Fix to orchestrator after updating from 9.0.3 to 9.0.4 (TB-4419)
- Add fields to AuthenticationRequest, which are mandatory for DigiD (TB-4252)
- New functionality for Digipass MDL (TB-3574)
- Add last used date for Digipass Instances with MDL (TB-4391)
- Map subject on User attribute (TB-4277)
- SAML issue where partnerentityid was not provided to the idp (TB-4244)
- Warning on empty header in nginx error.log (TB-4300)
- Session header cleared when azn cache hit (TB-4404)
- Loading screen is scrambled in new version of Chrome (TB-4297)
- REQUEST_SIGNATURE error (TB-4263)
Upload DPX file (TB-4259).
LUA error when orchestrator is accessed trough SSL (TB-3570).
The query parameters that are being passed to the IDP selection page have slightly changed. "authmethod" became "authnmethod"
SP locations are now case sensitive (TB-4188).
New REST call to return a Digipass activation code as a string rather than QR code (TB-4150).
The OIDC token request by refresh token now also returns an id_token (TB-4111).
SMTP adapter requests now support custom (single-valued) headers (TB-3905).
Authentication rules for requests of type public_web were needlessly triggered by the application rules, which could result in certain scenarios an erroneous "access denied" response (TB-4156),
Validating a digipass OTP by principale failed if the token had multiple applications (TB-4183).
The "last used date" field was not properly updated for MDL tokens (TB-4198).
Browsers could drop the X-TB-CREDENTIAL cookie because of size limits, resulting in a loop during login (TB-4110).
In certain cases the original content-type and accept headers could be forgotten (TB-4223).
The getResponseBodyAsBase64 JS function called an invalid method on HTTP adapter responses (TB-4140).
The DER octect string part generated for a UUID could have wrong padding (TB-4152).
A cross site scripting issue was fixed (TB-4203).
Loading the STS component failed after restart of TrustBuilder (TB-4171).
Added support for larger cronto images.
Released in june 2017.
The algorithm and salt settings of a user attribute of data type Hash are now editable.
An undo option has been added to undo a DPX file upload.
Extended and improved debug logging.
Several enhancements were made to the ansible installation scripts.
The HTTP adapter now supports SNI.
The subject CN of the certificate for the ssl session should match the host name defined in the host configuration in the http adapter config.
OpenID Connect / OAuth2 endpoints
A new OpenID Connect / OAuth2 service supports the following endpoints:
- Authorization endpoint (OAuth2 / OpenID Connect). Clients must use this endpoint to start the authentication process. If successful, the result is either an access token (implicit grant) or an authorization code to be exchanged for an access token (code grant).
- Token endpoint (OAuth2 / OpenID Connect). Exchanges an authorization code for an access token. May also be used to issue an access token in case of cient credential grants.
User info endpoint (OpenID Connect). Returns claims about authenticated users.
- Token revocation endpoint. Invalidates a token, and possibly other tokens based on the same authorization grant (and the grant itself).
- Token introspection endpoint. Returns information and status of a token.
- OpenID Configuration endpoint (OpenID Connect Discovery). Returns metadata of OpenID Connect IDP.
Scopes are linked to attributes.
SAML2 ACS endpoint
The ACS endpoint contains basic support for SAML2 artifact resolution.
Constructing a filter for enum values with multiple rules (TB-3593).
Unblocking a blocked user (TB-3840).
Date of upload format (TB-3923).
Handling of the connection pool size (TB-3798).
Logging of LDAP authentication failures (TB-3825).
Special characters allowed in root administrator password (TB-3936).
Nginx configuration resulting in an incorrect x-forwarded-for header.
403 error when logging in as Administrator in the selfservice portal and trying to access the admin portal.
Regeneration of session cookies when authenticating users.
'LOGOUT_INCORRECT_INRESPONSETO' error when trying to logout after being denied access to the admin portal.
Redundant CRED entries for the same user in Redis during the cleanup phase.
Access to incoming multi-valued attributes in TrustBuilder workflows (TB-3791).
Format of vendor-specific binary response attributes (TB-3791).
SLO problem (TB-3801).
Using the same partner as SP and IDP with same ID (TB-3877).
Handling of SAML signature validation (TB-3992).
Import of workflows without layout files (TB-3887).
Missing override values in SAML component (TB-3804).
Default port (TB-3624).
Several third-party libraries were upgraded (TB-3803).
Encryption of settings and saved override properties (TB-3863).
Tomcat was upgraded from 8.0 to 8.5.
These are the updated TrustBuilder RPMs for this release:
To start the release it is recommended to make backups. If you are using VMWare you can create a snapshot. Alternatively you can do a manual backup as described in the backup section.
Make sure that the backup database user's password is not expired before performing an upgrade.
Create a folder to hold your backups on every node. Use this command:
mkdir -p /opt/trustbuilder/release-backup
On the gateway node(s):
Goto the instances folder. there you will have one or more instances. you can backup them by using following command:
tar zcvf /opt/trustbuilder/release-backup/gw-instances-$(date +%d-%m-%Y).tgz --exclude .git --exclude logs /opt/trustbuilder/gateway/instances
On the orchestrator node(s):
Copy following files to the backup folder:
On the repository node(s):
Since the 8.2 release, a backup database is created and updated automatically. If, however, you want to create a database backup prior to upgrading. use following command:
mysqldump --all-databases --single-transaction > database-backup-$(date +%d-%m-%Y).sql
While the installation will stop services if needed it is recommended that you stop all the services for TrustBuilder.
On the gateway node(s):
- sudo systemctl stop tb-gw-<<instance_id>>
- sudo systemctl stop tb-gw-<<instance_id>>-sessionstore
- sudo systemctl stop tb-gw-<<instance_id>>-sessionstore-sentinel
On the orchestrator node(s):
- sudo systemctl stop tomcat-core
On the repository node(s):
- sudo systemctl stop mysql
On the admin node (node which runs tba)
- sudo systemctl stop tomcat-gui
To start the installation of the TrustBuilder update do the following steps.
On the node that runs the ansible playbook (f.e. the admin node), execute:
- sudo yum update trustbuilder-appliance (this should update to 9.0.0)
- cd /opt/trustbuilder/appliance/config
- change cluster.yml with the necessary changes described above
- run ansible-playbook -v your-config.yml
In rare cases it could be that the Gateway Service will not start. The root cause can be found by executing the following command:
sudo systemctl status tb-gw-default
Any errors need to be fixed manually and then you can rerun the ansible-playbook again.
If everything runs correctly TrustBuilder should be up and running.
All that is left now is to update the database scheme of idhub. You can do this by accessing https://your-hostname/idhub/install
- TomCat complains about unsupported MessageDispatch15Interceptor during startup.
This can be solved by editing the template and replacing this by MessageDispatchInterceptor
- It might be that the mysql_backup user its account is locked due to an expired password. This can be fixed with the following command that changes the expiration date:
sudo chage –M 99999 –m 99999 mysql_backup
- Uploading digipass dpx files might fail. It seems to be a workaround to upload the file twice.