Release Notes TrustBuilder Identity Hub (August)


The Identity Hub August Release is here. Besides several bug fixes, it contains the following new features:

  • Internal TrustBuilder Workflow Engine
  • Derived Attributes
  • Session Hook
  • SAML2 IDP Push
  • Vasco Digipass for Mobile support

Installation

To install the new release, run the "yum update" command. Before installing, it is recommended to take snapshots of the virtual machines and back up your database. After the update, rerun the Ansible installation scripts to ensure the update was applied completely.

Features

TrustBuilder Workflow Engine

In previous versions of TrustBuilder Identity Hub, custom authentication required a standalone TrustBuilder Application in your Identity Hub cluster to act as authentication broker. While this is still a supported option, a TrustBuilder Workflow Engine is now integrated into the Identity Hub Orchestrator and can be used for custom workflows. This Workflow Engine has all the features of a standalone TrustBuilder Application.

To start using it, add new server(s) in the TrustBuilder Administration GUI with the following details: the Orchestrator IP address or hostname, and port 9998.

Derived Attributes

Derived attributes are attributes that result from executing a TrustBuilder workflow. If one or more derived attributes are defined, the Orchestrator executes the connected workflows during the user lookup phase. The results of the workflows are added as attributes to the user's session.

This makes it possible to attach custom repositories (such as a third-party LDAP directory, Active Directory, a database or web services) and to enrich a user identity with the data in these repositories without any synchronization.

To start using this, create a new Derived Attribute workflow that connects to your repository in the TrustBuilder Administration GUI, then create a new Derived Attribute in the Identity Hub Administration Portal and attach your workflow to it.

More information about the output of this workflow can be found in the manual.

Session Hook

A Session Hook workflow allows you to enrich the response headers of the Identity Hub Orchestrator with extra values once a user has been successfully authenticated by the Identity Hub. This is useful for authenticating users against a third-party Access Management system (for example ISAM with EAI).

The workflow is created in the same way as the Derived Attributes workflow.

SAML 2 IDP Push

IDP-initiated authentication is a SAML 2 feature that can be useful in some cases. Previous versions of Identity Hub did not support it; this release does.

In the RelayState you can now define which Service Provider should be connected to after a successful authentication. To do this, create a JSON object and encrypt it with the public encryption certificate of the Identity Hub. The encrypted object must be base64 encoded and placed in the RelayState.

An example of the unencrypted JSON (the original notes showed the keys without quotes, which is not valid JSON):

{ "ts": 123456789, "partnercode": "IDHUB_SP_PARTNERCODE", "target": "/myapplication" }

The partnercode is the code of the service provider in the Identity Hub; it can be retrieved in the Administration Portal and is a required field. The target field is optional and is passed on to the service provider. If the service provider supports it, it will redirect to the specified target after a successful federated authentication.
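
The following is an added example, not code from TrustBuilder or from these release notes, showing both sides of this exchange in Go: a relying party that builds the RelayState from the JSON above, and a receiving side that base64-decodes, decrypts and validates it before acting on it. Everything beyond what the notes state is an assumption of this example: the cipher (RSA-OAEP with SHA-256), reading ts as a Unix timestamp, the throw-away self-signed certificate used in place of the Identity Hub's real encryption certificate, and all function names.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// RelayStatePayload mirrors the unencrypted JSON from the release notes;
// reading ts as Unix seconds is an assumption, the notes do not define it.
type RelayStatePayload struct {
	TS          int64  `json:"ts"`
	PartnerCode string `json:"partnercode"`
	Target      string `json:"target,omitempty"`
}

// PublicKeyFromCertPEM pulls the RSA key out of a PEM-encoded X.509 certificate.
func PublicKeyFromCertPEM(certPEM []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		return pub, nil
	}
	return nil, errors.New("certificate does not carry an RSA key")
}

// BuildRelayState (sender side): JSON -> encrypt with the IDHub public key ->
// base64. RSA-OAEP/SHA-256 is an assumption; the notes do not name the cipher.
// One OAEP block holds at most keyLen-2*hashLen-2 bytes (190 for RSA-2048), so
// an oversized target makes EncryptOAEP fail instead of silently truncating.
func BuildRelayState(pub *rsa.PublicKey, p RelayStatePayload) (string, error) {
	plain, err := json.Marshal(p)
	if err != nil {
		return "", err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, nil)
	if err != nil {
		return "", fmt.Errorf("encrypting relaystate: %w", err)
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// ParseRelayState (receiving side): base64 -> decrypt -> JSON, then the checks
// a broker should apply. Anyone holding the public certificate can produce a
// blob that decrypts, so the fields are untrusted input: ts is bounded (30s of
// clock skew allowed) and target must be a relative path. Both limits are
// policy choices of this example, not something the release notes state.
func ParseRelayState(priv *rsa.PrivateKey, relayState string, now time.Time, maxAge time.Duration) (RelayStatePayload, error) {
	var p RelayStatePayload
	ct, err := base64.StdEncoding.DecodeString(relayState)
	if err != nil {
		return p, fmt.Errorf("relaystate is not base64: %w", err)
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	if err != nil {
		return p, errors.New("relaystate does not decrypt with the Identity Hub key")
	}
	if err := json.Unmarshal(plain, &p); err != nil {
		return p, fmt.Errorf("relaystate payload is not JSON: %w", err)
	}
	if p.PartnerCode == "" {
		return p, errors.New("partnercode is required")
	}
	if age := now.Sub(time.Unix(p.TS, 0)); age < -30*time.Second || age > maxAge {
		return p, errors.New("ts is outside the accepted window")
	}
	if p.Target != "" && (!strings.HasPrefix(p.Target, "/") || strings.HasPrefix(p.Target, "//")) {
		return p, errors.New("target must be a relative path")
	}
	return p, nil
}

// demoCertPEM: throw-away self-signed certificate so the example runs offline.
func demoCertPEM(priv *rsa.PrivateKey) []byte {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	pub, _ := PublicKeyFromCertPEM(demoCertPEM(priv))
	rs, _ := BuildRelayState(pub, RelayStatePayload{TS: time.Now().Unix(), PartnerCode: "IDHUB_SP_PARTNERCODE", Target: "/myapplication"})
	fmt.Println(rs)
	fmt.Println(ParseRelayState(priv, rs, time.Now(), 5*time.Minute))
}
```

Two caveats are worth keeping in mind when integrating this. Encrypting with a public key gives confidentiality only: anyone who holds the Identity Hub's certificate can produce a RelayState that decrypts, so the receiving side has to treat partnercode and target as untrusted input, which is why the example bounds ts and accepts only a relative target. And the SAML 2.0 Bindings specification limits RelayState to 80 bytes, while the base64 encoding of one RSA-2048 ciphertext is already 344 characters, so every party that forwards the value must tolerate longer RelayState strings.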

Vasco Digipass for Mobile support

TrustBuilder Identity Hub now supports Vasco Digipass for Mobile. REST APIs are available to build a self-service enrollment, and administrators can link and unlink mobile devices to a given Identity Hub user.

Stories resolved by this release

  • yum update does not find the latest release
  • User defaults to top of list(Users page) after clicking on Users IDP Provisioning icon
  • Saving the IDP attribute mapping in the AdminPortal fails
  • Translation Needed
  • Strange Error message when Login page (Home page) is left idle for some time
  • SSO between two locations not working
  • Caching of scopes in ServiceProviderFacade is buggy
  • Add new authentication scheme displays blank page
  • Installer fails to update root password
  • Selected Authn Methods intermittently does not display in pane
  • Editing a user places user at top of list as if new
  • Remove Inscription "Undefined" on Identity screen of both IDP and SP
  • Calculation of allowed IDPs goes wrong when starting point is a method (with context classes)
  • IDHub Default Method "Exact" Authentication does not load login page
  • Step Up for Application Rule Not Working
  • SAML2 SP's still have button "Add New URI Resource"
  • Alert "Invalid Values" when two statements have the same items selected
  • No Validation for subsequent New Statement
  • Numeric overrides: org.xml.sax.SAXParseException: cvc-datatype-valid.1.2.1: '${VASCO.StorageDeriveKey1-number}' is not a valid value for 'integer'
  • In App Authorisation - Design Issue
  • Strange Error message for In-App Authorisation(Re-Authenticate)
  • application authorisations disable step-up method when max selected
  • Wrong Error Message for In-App Authorisation(AND Rule - Better Comparison Method)
  • Inconsistency in Code and Edit Views for In-App Authorisation
  • Stepup authentication bugs
  • authorization rule validation and bugs
  • Wrong Error Message for In-App Authorisation
  • Documentation missing images after re-structuring
  • Authorisation Rule Design Issue - "Simple Rule" button
  • Caching of IDPs (Part I)
  • In-App Authorisation - Wrong error message when permission/access is denied
  • In-App Authorisation spelling mistake
  • In-App Authorisation spelling mistake
  • Inconsistent Inscription on "Code" and "Edit" views
  • Remove blank options in select boxes
  • Add support for samlextensions in IDHub
  • When changing condition statement operator to empty does not clear value
  • Support SAML2 IDP Push
  • Possible to provision a User with a "Forbidden Password" phrase (word)
  • Extend AZN
  • Add Configuration Options to SAML2_IDP
  • For an internal U/P IDP: Read status and timestamps (login, failed, reset) of U/P entry (locked/not-locked) via API and GUI
  • Configurable SAML2 issuer (setting)
  • SP policy checks should validate the user attributes and attribute / function combinations
  • Allow administrator to re-order rules for in-app authorizations
  • Error Pages 403... not triggered at the moment the Error occurs
  • Part of Error page inscription truncated
  • Application Authorization rule, problem with select boxes of enum values
  • Possible to Identify and Provision two different Users with same login ID but not possible to login
  • Mobile digipass service
  • Queueing: Initial design
  • Derived Attribute Hook
  • serviceProviderAccessService.hasProviderAccess() does not validate the Subject
  • Wrong Attribute Naming/Representation on Self Service
  • It should not be possible to change read-only attributes of principals when using the self service controller
  • Add support for caching of often-used data (Part I)

Comments

  • Gerwin Bastiaansen

    Nice work, thanks for documenting!