- Fixed a vulnerability in the Self-service API that could allow an account take-over
- Fixed an issue that could lead to session IDs being leaked on the gateway
- Fixed an issue that could cause deadlocks while reading the OAUTH_TOKEN table
- The client secret is no longer displayed in plain text for OAuth IDPs
- Removed the client secret from the response of a Self-service API call
- OpenID Connect
- Now allows a refresh token to be used for a token exchange
- Added additional checks and logging when an ID token is requested
- The issuer can now be modified by setting the request header x-idhub-entity-id (from 9.1 on this is replaced by a config field)
- When running the environment.yml, the CentOS-* files in the /etc/yum.repos.d/ folder are deleted
- Fixed an issue on the Digipass API with blocking/reinstating tokens when there are multiple token instances
- Digipass: a cronto will no longer be generated if no token is assigned to a license.
- Added the CHECK_AGENT_ID property to the trustbuilder.properties file
- Fixed an issue with the sessionstore & sentinel ports
- Fixed a synchronization issue with Sessionstore and Sentinel
- Added the option to ansible to bind Redis to a specific IP
- Added idhub_use_custom_conf parameter
- It is now possible to define the domain of the cookies. The variable 'domain' was added for this purpose in the Gateway configuration.
- Fixed an issue with using "logback_custom: true" in a new environment
- Ansible Logging is now turned on by default
- Fixed an issue where gateway custom certificates (CA, crt and key) were not copied to a remote gateway
- Changed several 5xx errors into 40x errors when the client makes an incorrect request
- Now allows CORS for OPTIONS preflight calls to the userinfo endpoint, for all origins
- Fixed a DuplicateKeyException in Hybrid Flow
- Fixed an issue that prevented saving Authentication Rules on an SP
- Added a check if a redirect uri is allowed for an OIDC logout
- Added a global setting to change the SAML Method Comparison to be sent to IDP
- Fixed an issue in the SAML component SLO with target parameter that was not working as expected
- Added a security header in nginx: more_set_headers 'Server: Unknown'; combined with server_tokens off; prevents a simple curl from revealing which web server is being used.
- Fixed an issue where commas were not treated as multi-value separators in the Application Rules
- Fixed an issue where the session-hook workflow was called twice at a login
- Fixed an issue where the gateway session cookie was not invalidated by logout
- Changed the permissions of /opt/trustbuilder to be 0700 instead of 0755 for the ssh keys.
- Added an option to enable/disable CRL/OCSP checks in SAML Artifact resolve connection (2way SSL)
- Fixed an issue where idp/provisioning/user returned the wrong content-type
- Updated the OpenSSL version of OpenResty
- Fixed an issue where a “$” character followed by a number combination in a SAML token would be seen as a parameter, even when it’s part of a text value.
- In IDHub DB settings, replaced:
- maxActive by maxTotal
- maxWait by maxWaitMillis.
- The searchable hash attribute type was added (TB-4471).
- Digipass: better support for escaped characters for free text authentication and improved flexibility for cronto message generation.
- RedisService: new optional service property: Password.
- OIDC: acr values are passed along, and in the derived attribute workflow the user can choose which one applies to the current request. The array of acr values can be found in request.acr_values; the chosen acr value should be put in request.request.acr.
- Missing headers in authenticated requests (TB-3951).
- The call digipass/license/delete/<uid>/<license> did not delete a license (TB-4349).
- A request after the inactivity timeout had been reached resulted in a LUA error (TB-4350).
- Improved error reporting for Digipass API (TB-4406).
- Removed excessive error logging of connection pool timeouts (TB-4423).
- Fixed some OIDC token issues (TB-4468).
- MySQL log rotation did not work properly. A keep_log_days parameter was added to the database role, with a default value of 30 days (TB-4488).
- MongoDB has been removed from the appliance (TB-4487).
- Extended information returned from .well-known/openid-configuration call (TB-4373).
- Added the possibility to specify a custom location of logback.xml, with the logback_custom parameter in the orchestrator role. This uses the logback exported in TBA instead of the one in webapps/idhub/WEB-INF/classes/ (TB-4374).
- Disabled the Nginx version in the configuration. The nginx version is no longer shown on the default Nginx error page (TB-4499).
- Tomcat keeps restarting if JVM has not enough allocated RAM [TB-4515]
- API call PUT digipass/license/reinstate/<license> sets all instances in ASSIGNED state [TB-4525]
- Cannot Delete User [TB-4534]
- SAML artifact binding doesn't handle an SSL handshake exception correctly [TB-4598]
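The acr handling described in the OIDC note above (acr_values passed into the derived attribute workflow, the chosen value written to request.request.acr) as an added example. This is example code, not TrustBuilder's own workflow code: the shape of the request object follows the release note, while the list of supported acr values, the "first requested value we support wins" rule and the fallback of leaving acr unset are assumptions made here.

```javascript
// Added example, not TrustBuilder code: choose the acr value for the
// current request inside a derived attribute workflow.

// Assumed: the acr values this deployment can actually satisfy. The
// identifiers are constructed for the example.
const SUPPORTED_ACR = [
  "urn:example:acr:digipass",
  "urn:example:acr:password",
];

// Normalise the requested values: the note says an array, but the OIDC
// wire format is a space-separated string, so accept both.
function requestedAcrList(acrValues) {
  if (Array.isArray(acrValues)) return acrValues;
  if (typeof acrValues === "string") return acrValues.split(/\s+/).filter(Boolean);
  return [];
}

// OIDC clients list acr_values in order of preference, so the first
// requested value that this IDP supports is chosen. If nothing requested
// can be satisfied we return null rather than silently picking another
// level: an acr claim that does not reflect what happened is worse than none.
function chooseAcr(acrValues, supported = SUPPORTED_ACR) {
  for (const candidate of requestedAcrList(acrValues)) {
    if (supported.includes(candidate)) return candidate;
  }
  return null;
}

// Workflow step: read request.acr_values, write request.request.acr only
// when a value was chosen, so downstream steps can tell "not requested"
// from "requested but unsupported" (both leave acr absent).
function applyAcr(request) {
  const chosen = chooseAcr(request.acr_values);
  if (chosen !== null) {
    request.request = request.request || {};
    request.request.acr = chosen;
  }
  return chosen;
}

// Constructed sample request in the shape the workflow would receive.
const sampleRequest = {
  acr_values: ["urn:example:acr:unknown", "urn:example:acr:digipass", "urn:example:acr:password"],
  request: {},
};
applyAcr(sampleRequest);
console.log("chosen acr:", sampleRequest.request.acr);
```

Logging which acr was chosen (or that none could be satisfied) next to the request gives the audit trail the "additional checks and logging when an ID token is requested" entry above is after.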
Changes & Improvements
- Missing OIDC flow (act-as / multi-hop / on-behalf-of) [TB-4455]
- OIDC logout functionality [TB-4495]
- RedisService MasterAndSentinels [TB-4526]
- Finish OIDC: add scopes in access token - modify audience in token 9.2 [TB-4557]
- The password policy of the user / password IDP is not loaded at startup [TB-4576]
- Disable Tomcat version - Core and GUI [TB-4507]
- Custom template for location 00_idhub.conf [TB-4574]
- Fixed problem when multiple partners use the same certificate.
- Enabled setting up SSL on artifact resolution.
- Fix to orchestrator after updating from 9.0.3 to 9.0.4 (TB-4419)
- Add fields to AuthenticationRequest, which are mandatory for DigiD (TB-4252)
- New functionality for Digipass MDL (TB-3574)
- Add last used date for Digipass Instances with MDL (TB-4391)
- Map subject on User attribute (TB-4277)
- SAML issue where partnerentityid was not provided to the idp (TB-4244)
- Warning on empty header in nginx error.log (TB-4300)
- Session header cleared when azn cache hit (TB-4404)
- Loading screen is scrambled in new version of Chrome (TB-4297)
- REQUEST_SIGNATURE error (TB-4263)
Upload DPX file (TB-4259).
LUA error when orchestrator is accessed through SSL (TB-3570).
The query parameters that are being passed to the IDP selection page have slightly changed. "authmethod" became "authnmethod"
SP locations are now case sensitive (TB-4188).
New REST call to return a Digipass activation code as a string rather than QR code (TB-4150).
The OIDC token request by refresh token now also returns an id_token (TB-4111).
SMTP adapter requests now support custom (single-valued) headers (TB-3905).
Authentication rules for requests of type public_web were needlessly triggered by the application rules, which could in certain scenarios result in an erroneous "access denied" response (TB-4156).
Validating a digipass OTP by principal failed if the token had multiple applications (TB-4183).
The "last used date" field was not properly updated for MDL tokens (TB-4198).
Browsers could drop the X-TB-CREDENTIAL cookie because of size limits, resulting in a loop during login (TB-4110).
In certain cases the original content-type and accept headers could be forgotten (TB-4223).
The getResponseBodyAsBase64 JS function called an invalid method on HTTP adapter responses (TB-4140).
The DER octet string part generated for a UUID could have wrong padding (TB-4152).
A cross site scripting issue was fixed (TB-4203).
Loading the STS component failed after restart of TrustBuilder (TB-4171).
Added support for larger cronto images.
Released in June 2017.
The algorithm and salt settings of a user attribute of data type Hash are now editable.
An undo option has been added to undo a DPX file upload.
Extended and improved debug logging.
Several enhancements were made to the ansible installation scripts.
The HTTP adapter now supports SNI.
The subject CN of the certificate for the SSL session should match the host name defined in the host configuration of the HTTP adapter config.
OpenID Connect / OAuth2 endpoints
A new OpenID Connect / OAuth2 service supports the following endpoints:
- Authorization endpoint (OAuth2 / OpenID Connect). Clients must use this endpoint to start the authentication process. If successful, the result is either an access token (implicit grant) or an authorization code to be exchanged for an access token (code grant).
- Token endpoint (OAuth2 / OpenID Connect). Exchanges an authorization code for an access token. May also be used to issue an access token in case of client credential grants.
- User info endpoint (OpenID Connect). Returns claims about authenticated users.
- Token revocation endpoint. Invalidates a token, and possibly other tokens based on the same authorization grant (and the grant itself).
- Token introspection endpoint. Returns information and status of a token.
- OpenID Configuration endpoint (OpenID Connect Discovery). Returns metadata of the OpenID Connect IDP.
Scopes are linked to attributes.
SAML2 ACS endpoint
The ACS endpoint contains basic support for SAML2 artifact resolution.
Constructing a filter for enum values with multiple rules (TB-3593).
Unblocking a blocked user (TB-3840).
Date of upload format (TB-3923).
Handling of the connection pool size (TB-3798).
Logging of LDAP authentication failures (TB-3825).
Special characters allowed in root administrator password (TB-3936).
Nginx configuration resulting in an incorrect x-forwarded-for header.
403 error when logging in as Administrator in the selfservice portal and trying to access the admin portal.
Regeneration of session cookies when authenticating users.
'LOGOUT_INCORRECT_INRESPONSETO' error when trying to logout after being denied access to the admin portal.
Redundant CRED entries for the same user in Redis during the cleanup phase.
Access to incoming multi-valued attributes in TrustBuilder workflows (TB-3791).
Format of vendor-specific binary response attributes (TB-3791).
SLO problem (TB-3801).
Using the same partner as SP and IDP with same ID (TB-3877).
Handling of SAML signature validation (TB-3992).
Import of workflows without layout files (TB-3887).
Missing override values in SAML component (TB-3804).
Default port (TB-3624).
Several third-party libraries were upgraded (TB-3803).
Encryption of settings and saved override properties (TB-3863).
Tomcat was upgraded from 8.0 to 8.5.
These are the updated TrustBuilder RPMs for this release:
Before starting the release upgrade it is recommended to make backups. If you are using VMWare you can create a snapshot. Alternatively you can do a manual backup as described in the backup section.
Make sure that the backup database user's password is not expired before performing an upgrade.
Create a folder to hold your backups on every node. Use this command:
mkdir -p /opt/trustbuilder/release-backup
On the gateway node(s):
Go to the instances folder. There you will have one or more instances. You can back them up with the following command:
tar zcvf /opt/trustbuilder/release-backup/gw-instances-$(date +%d-%m-%Y).tgz --exclude .git --exclude logs /opt/trustbuilder/gateway/instances
On the orchestrator node(s):
Copy the following files to the backup folder:
On the repository node(s):
Since the 8.2 release, a backup database is created and updated automatically. If, however, you want to create a database backup prior to upgrading, use the following command:
mysqldump --all-databases --single-transaction > database-backup-$(date +%d-%m-%Y).sql
While the installation will stop services if needed, it is recommended that you stop all TrustBuilder services.
On the gateway node(s):
- sudo systemctl stop tb-gw-<<instance_id>>
- sudo systemctl stop tb-gw-<<instance_id>>-sessionstore
- sudo systemctl stop tb-gw-<<instance_id>>-sessionstore-sentinel
On the orchestrator node(s):
- sudo systemctl stop tomcat-core
On the repository node(s):
- sudo systemctl stop mysql
On the admin node (the node which runs tba):
- sudo systemctl stop tomcat-gui
To start the installation of the TrustBuilder update do the following steps.
On the node that runs the ansible playbook (e.g. the admin node), execute:
- sudo yum update trustbuilder-appliance (this should update to 9.0.0)
- cd /opt/trustbuilder/appliance/config
- change cluster.yml with the necessary changes described above
- run ansible-playbook -v your-config.yml
In rare cases the Gateway Service may not start. The root cause can be found by executing the following command:
sudo systemctl status tb-gw-default
Any errors need to be fixed manually and then you can rerun the ansible-playbook again.
If everything runs correctly TrustBuilder should be up and running.
All that is left now is to update the database schema of idhub. You can do this by accessing https://your-hostname/idhub/install
- Tomcat complains about an unsupported MessageDispatch15Interceptor during startup.
This can be solved by editing the template and replacing it with MessageDispatchInterceptor.
- It might be that the mysql_backup user's account is locked due to an expired password. This can be fixed with the following command, which changes the expiration date:
sudo chage -M 99999 -m 99999 mysql_backup
- Uploading Digipass DPX files might fail. As a workaround, upload the file twice.