- The upgrade script will attempt to configure the TBA as a Proxy SP on the "/tba" location, even if TBA is already configured in IDHub.
- A new mandatory field, "Post Profile Template", was added to SAML Service Providers, but its default value was not applied in the final version. This may result in errors in the logs. To avoid this, specify a value in this field.
- Some users have found that the order of Authentication Methods on an Authentication Scheme changed during the upgrade. Check the order after upgrading.
- Some users have experienced changes to the certificate start and end dates on the Service Provider and Identity Provider pages.
TrustBuilder Mobile Authenticator
Support for using the TrustBuilder 4 Mobile application.
WS Federation Service Providers
New Service Provider type that uses the WS Federation Protocol.
AttributeConsumingServices and AttributeConsumingServiceIndex (SAML)
An optional SAML configuration in which the Service Provider specifies which attributes it wants asserted. Useful in privacy-sensitive set-ups; functionally analogous to scopes in OpenID Connect.
Attribute Sets
Supporting feature for AttributeConsumingServices (AtCS). Attributes are grouped in sets, and one or more sets make up an AtCS.
Attribute Sets will later be extended to also support OpenID Connect scopes.
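The following is an added example (not IDHub code) of the attribute minimisation that AttributeConsumingServices and Attribute Sets make possible, covering both the feature description above and the corresponding entries in the change list below. The SP publishes AttributeConsumingService entries in its metadata and selects one per login with AttributeConsumingServiceIndex on the AuthnRequest; the IdP then asserts only that set. The entity ID, attribute names, user record and function names are all constructed for this example.

```python
"""Attribute minimisation with SAML AttributeConsumingService (added example).

An SP publishes one or more AttributeConsumingService entries in its metadata
and picks one per login with AttributeConsumingServiceIndex on the AuthnRequest;
the IdP then asserts only that set. Everything below (entity IDs, attribute
names, the user record, function names) is constructed for this example and is
not IDHub code.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed SP metadata: a default "full profile" set and a minimal set.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="0" isDefault="true">
      <md:ServiceName xml:lang="en">Full profile</md:ServiceName>
      <md:RequestedAttribute Name="mail" isRequired="true"/>
      <md:RequestedAttribute Name="displayName"/>
      <md:RequestedAttribute Name="memberOf"/>
    </md:AttributeConsumingService>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Login only</md:ServiceName>
      <md:RequestedAttribute Name="mail" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequests: one selects set 1, the other leaves the IdP to pick the default.
AUTHN_REQUEST_MINIMAL = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0"
    IssueInstant="2020-01-01T00:00:00Z" AttributeConsumingServiceIndex="1">
  <saml:Issuer>https://sp.example.test/saml</saml:Issuer>
</samlp:AuthnRequest>"""
AUTHN_REQUEST_NO_INDEX = AUTHN_REQUEST_MINIMAL.replace(' AttributeConsumingServiceIndex="1"', "")

# Constructed directory record; "mobile" is in no set and must never be released.
USER_ATTRIBUTES = {
    "mail": "alice@example.test",
    "displayName": "Alice",
    "memberOf": "staff",
    "mobile": "+32 470 00 00 00",
}


def requested_attributes(metadata_xml, index):
    """Return {attribute name: isRequired} for the AttributeConsumingService in use.

    Selection: the explicit index from the AuthnRequest; otherwise the entry
    marked isDefault="true"; otherwise the first entry listed.
    """
    root = ET.fromstring(metadata_xml)
    services = root.findall(".//md:AttributeConsumingService", NS)
    if not services:
        raise ValueError("SP metadata declares no AttributeConsumingService")
    if index is not None:
        matches = [s for s in services if s.get("index") == index]
        if not matches:
            raise ValueError(f"no AttributeConsumingService with index {index!r}")
        service = matches[0]
    else:
        defaults = [s for s in services if s.get("isDefault") == "true"]
        service = defaults[0] if defaults else services[0]
    return {ra.get("Name"): ra.get("isRequired") == "true"
            for ra in service.findall("md:RequestedAttribute", NS)}


def index_from_authn_request(authn_request_xml):
    """AttributeConsumingServiceIndex is an optional attribute of the AuthnRequest root."""
    return ET.fromstring(authn_request_xml).get("AttributeConsumingServiceIndex")


def attributes_to_assert(metadata_xml, authn_request_xml, user_attributes):
    """Filter a user's attributes down to the requested set; fail if a required one is missing."""
    requested = requested_attributes(metadata_xml, index_from_authn_request(authn_request_xml))
    missing = [name for name, required in requested.items()
               if required and name not in user_attributes]
    if missing:
        raise LookupError(f"required attribute(s) not available for this user: {missing}")
    return {name: user_attributes[name] for name in requested if name in user_attributes}


if __name__ == "__main__":
    print(attributes_to_assert(SP_METADATA, AUTHN_REQUEST_MINIMAL, USER_ATTRIBUTES))
    print(attributes_to_assert(SP_METADATA, AUTHN_REQUEST_NO_INDEX, USER_ATTRIBUTES))
```

With index 1 only "mail" is released; without an index the default set (index 0) applies, and an attribute that is in no set, such as "mobile" here, is never asserted. A missing attribute marked isRequired="true" is treated as an error rather than silently producing an incomplete assertion.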
Step-up support in Authentication Rules
Authentication Rules can now be configured so that their outcome requires the user to step up to a higher authentication level.
New Identity Provider type that executes a workflow
The internal IDP type can now execute a workflow that handles authentication and authorization.
- Added support for TrustBuilder Mobile Authenticator
- Added support for WS Federation Service Providers
- Added support for AttributeConsumingServices and AttributeConsumingServiceIndex (SAML)
- Added Attribute Sets functionality
- Added step-up support in Authentication Rules
- Added the possibility to run multiple gateway instances on one Redis
- Added support for IDP initiated login (IDP Push) on SAML
- Added support to specify the DigestMethod on a SAML SP
- Added an option on IDPs to allow anonymous (or other principals) as the subject
- Added the "Resource Owner Password Credentials Grant" (currently only available on Internal IDPs)
- Added support for the different OAuth/OIDC flow types
- Provided an option to enable or disable CRL/OCSP checks on the two-way SSL connection used for SAML Artifact resolution
- Added support for extended keyusage on certificate management
- Added a link (Workflows) in the main IDHub menu to TBA
- Added KeyAlias to the HttpAdapter (in TBA)
- Implemented a new tb-token issuer creation call (allows management of tb-tokens in the database)
- Added support for the ".well-known" discovery endpoint (OAuth IDP)
- The signing certificates are now included in the JWKS (OAuth IDP)
- IDHub now shows a tooltip informing that an attribute is used as the subject of an SP/IDP
- Improvement on Gateway installation to use custom configuration files ("idhub_use_custom_conf" parameter)
- Changed the nginx configuration as a security measure so that the nginx version is no longer exposed to the user
- Added a new IDP type that executes a workflow (eliminating the need for SAML components)
- Added support to allow empty SP requests for internal IDPs
- Added the option to "Enable ForceAuthentication" in Authentication Requests for Proxy SPs
- Added support to "enable Extensions" in Authentication Requests (SAML)
- Added support for logout redirect uri (OIDC)
- Added cluster support for the internal IDP (username/password IDP)
- Improvements to the internal code of existing templates
- Blocking now applies only to SAML and OAuth SPs instead of to all SPs
- Added the CHECK_AGENT_ID property to the trustbuilder.properties file
- Ansible logging now enabled by default
- Upgraded the OpenSSL version used by nginx
- In Settings - Authentication - Templates it is no longer necessary to specify all parameters in the location URL; IDHub now adds all known parameters automatically.
- The installer now refuses to install Tomcat when less than 2 GB of memory is available
- Added an extra parameter (redis_bind_ip) to the Ansible gateway role. This binds the gateway to a specific Redis instance instead of the one defined in the Ansible script
- Performance tuning on various places (enabling caching)
- TrustBuilder core now uses Java 8
- IDP type OAuth had a few label and field changes, for correctness
- The TTL property has been removed, because there is a TimeOutInSec property that fulfills the same function.
- The MasterAndSentinels property has been divided into two properties: Master and Sentinels.
- The Host property is being prepared for deprecation. It can still be used for single-node deployments, but going forward set the Sentinels property with a single Sentinel address instead.
- The optional Password property has been added.
- Fixed a bug where jwks.json endpoint was not properly handled for cross origin requests (OIDC)
- Fixed an issue where extensions from an SP Request were not taken into account in the AuthnRequest to the IDP (SAML)
- Fixed an issue in the Application rules where commas were treated as multi-value separators
- Fixed an issue where the wrong 'SignatureMethod Algorithm' was used in a 'saml:Assertion'
- Fixed an issue where the browser gave a "Document Expired" response when using the "back" button
- Improved the OIDC errors to give proper 4xx responses
- Fixed an issue so that SAML extensions in AuthnRequest use the correct namespace
- Fixed an issue where InitialPartner serialization failed when no parameters were present (OIDC)
- Fixed an issue where the OCSP could not find the trust store
- Fixed an issue where validating a SAML token failed with an error saying the signature validation key could not be found
- Fixed an issue that sometimes caused a NullPointerException when using OpenID Connect without an Issuer value
- Fixed an issue where certain characters were allowed in attribute values, which could lead to XSS (cross-site scripting) vulnerabilities
- Fixed an issue where User attribute values were not correctly updated.
- Fixed an issue where a user could not be deleted
- Made several small sorting and filtering improvements and fixes
- Made several front-end validation and messaging improvements
- Fixed an issue where Gateway custom certificates (CA, crt and key) were not copied to a remote gateway
- Fixed an issue where, when no logback.xml was present in IDHUB_CUSTOM_HOME, the hard link was not created, causing the Ansible run to fail
- Fixed an issue where the default permissions on the home directory prevented ssh key usage
Notice for deprecation
The "SAML Component" will slowly be phased out. The current release of IDHub should now cover the existing functionality to a sufficient degree. From this point forward, no new changes to the SAML component will be made. The component itself remains available for legacy reasons.
9.2.1 Release Notes
- Changed the design of the TB4Mobile app
- Added several kernel parameters to the Digipass settings page
- Fixed an issue where the Session Hook workflow was triggered twice after a logout was completed
- Fixed an issue where an Assertion delivering encrypted attributes via an artifact could not be handled (SAML)
- Fixed an issue during the upgrade to 9.2 when the /tba location is already present as an SP.
- Fixed an issue where the SAML cancellation error parameters were not passed to the Proxy SP
- Changed some of the SAML status messages to better distinguish the kinds of errors (TB-5117):
  - Responder, AuthnFailed now gives the code AUTHN_FAILED
  - Requester, AuthnFailed now gives the code MESSAGE_VALIDATION_FAILED
  - Responder, NoAuthnContext now gives the code NO_AUTHN_CONTEXT
  - Responder, RequestDenied now gives the code REQUEST_DENIED
- The redirect to the error page, in case an error has to be communicated to a Proxy SP, has an additional query parameter "type" indicating whether it is a cancellation (value "CANCELLATION") or not. This parameter will be removed in 9.3.
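The status combinations listed above pair a top-level SAML StatusCode (Responder or Requester) with a second-level code that is nested inside it, so a proxy has to read both levels to tell an IdP-side authentication failure from a request the IdP rejected as invalid. The following added example (not IDHub code) builds constructed, unsigned Responses with those codes and classifies them using the mapping from the notes; the helper names and the UNKNOWN_ERROR fallback are assumptions of this example.

```python
"""Reading a SAML Response status at both levels (added example).

A second-level StatusCode nests inside the top-level one, so both must be read
to tell an IdP-side authentication failure (Responder/AuthnFailed) from a
request the IdP rejected as invalid (Requester/AuthnFailed). The mapping
follows the 9.2.1 release notes; the function names, the sample responses and
the UNKNOWN_ERROR fallback are constructed for this example and are not IDHub code.
"""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
STATUS_URN = "urn:oasis:names:tc:SAML:2.0:status:"

# (top-level, second-level) status -> error code, as listed in the 9.2.1 notes.
STATUS_TO_CODE = {
    ("Responder", "AuthnFailed"): "AUTHN_FAILED",
    ("Requester", "AuthnFailed"): "MESSAGE_VALIDATION_FAILED",
    ("Responder", "NoAuthnContext"): "NO_AUTHN_CONTEXT",
    ("Responder", "RequestDenied"): "REQUEST_DENIED",
}


def sample_response(top, second=None, message=None):
    """Build a constructed, unsigned SAML Response carrying the given status codes."""
    nested = f'<samlp:StatusCode Value="{STATUS_URN}{second}"/>' if second else ""
    msg = f"<samlp:StatusMessage>{message}</samlp:StatusMessage>" if message else ""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" ID="_r1" Version="2.0" '
        f'IssueInstant="2020-01-01T00:00:00Z" InResponseTo="_a1">'
        f'<samlp:Status><samlp:StatusCode Value="{STATUS_URN}{top}">{nested}'
        f"</samlp:StatusCode>{msg}</samlp:Status></samlp:Response>"
    )


def _short(value):
    """'urn:oasis:names:tc:SAML:2.0:status:Responder' -> 'Responder'; other values unchanged."""
    if value and value.startswith(STATUS_URN):
        return value[len(STATUS_URN):]
    return value


def status_codes(response_xml):
    """Return (top_level, second_level_or_None) from a SAML Response."""
    root = ET.fromstring(response_xml)
    top = root.find("samlp:Status/samlp:StatusCode", NS)
    if top is None or not top.get("Value"):
        raise ValueError("Response has no Status/StatusCode")
    second = top.find("samlp:StatusCode", NS)  # nested second-level code, optional
    second_value = _short(second.get("Value")) if second is not None else None
    return _short(top.get("Value")), second_value


def classify(response_xml):
    """Map a SAML Response to the error code a Proxy SP would be told about.

    Success is reported as SUCCESS. Combinations not in the table fall back to
    UNKNOWN_ERROR (a placeholder for this example) with both codes attached,
    so an unexpected status is never silently collapsed into a generic error.
    """
    top, second = status_codes(response_xml)
    if top == "Success":
        return "SUCCESS"
    return STATUS_TO_CODE.get((top, second), f"UNKNOWN_ERROR:{top}/{second}")


if __name__ == "__main__":
    for codes in [("Responder", "AuthnFailed"), ("Requester", "AuthnFailed"),
                  ("Responder", "NoAuthnContext"), ("Responder", "RequestDenied"),
                  ("Success", None)]:
        print(codes, "->", classify(sample_response(*codes)))
```

Note that the same second-level code (AuthnFailed) maps to two different outcomes depending on the top-level code: Responder means the IdP could not authenticate the user, Requester means the IdP found the request itself invalid, which is why the notes treat the latter as a message validation failure.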
9.2.2 Release Notes
- Fixed an issue where the session cookie was not properly invalidated on a log-out (TB-5118)
- Fixed an issue with the re-use of Attribute Sets across SAML IDPs (TB-5094)
- Improvement in cluster environments: all nodes listed in the hosts file are now updated by the environment.yml file (TB-5269)
- Fixed an issue that occurred when an empty header was sent to the API SP
9.2.3 Release Notes
- Fixed an issue in the uploading of SAML Metadata
- OpenJDK can now be used as a Java JRE
- Fixed an issue in subject mapping of the TBA Proxy SP
- Fixed an issue in subject mapping for Searchable_hash attribute types on IDPs where "lookup principal" was enabled
9.2.4 Release Notes
- Fixed a vulnerability in Self-Service that could allow users to perform account takeover attacks (TB-5523)
- Removed the client secret from certain Selfservice API calls (TB-5670)
- Closed an open redirect in gw-login (TB-5419)
- Obscured the Client Secret in IDHub (front-end and API) (TB-5492)
- A refresh token can now be used in a token exchange (TB-5495)
- Fixed an issue in the gateway that could cause a session mix-up with five or more simultaneous threads (TB-5639)
- Fixed an issue in the Mobile built-in registration (TB-5648)
9.2.5 Release Notes
- Fixed an issue in which an already encoded URL was encoded again when an authentication was performed (TB-5694)
- Fixed an issue in the Digipass API that prevented blocking or reinstating tokens when multiple instances of the token existed (TB-5689)