9.3 Release Notes

New Features

  • OpenID Connect (Only for IDHub as client): 
    • Added support for the request Parameter with encryption & signing support
    • Added support for the request_uri Parameter
    • Added support for custom claims (only available through a service)
    • Added API Services for OpenID Connect (IDHub acts as SP)
  • Added a SAML IDP Push endpoint (to trigger an IDP Push to a SP from IDHub)
    • The relaystate can now also be a domainname
    • Whitelisting (see settings) is applied  
  • Example (template) of Application Catalog
  • Improvements on Authentication Methods for Risk/Context Aware Access Control
    • Added a rule that can be executed before the user authenticates. Eg. To filter out certain Authentication Methods.
    • Added a "force re-authenticate" option on a Service Provider "Authentication Rule" which can be specified to a single IDP (on Proxy Service Providers this is only possible via "application rules")
  • Argon2 encryption support
  • Added "Provisioning workflow" to all IDP types. This will trigger a workflow after the authentication is completed.


  • Certain data for short-term usage can now be stored in REDIS instead of MySQL (automatically if REDIS is available):
    • Request_URI's (always in REDIS)
    • Access Tokens (if REDIS is available, MySQL as fallback)
    • ID Tokens (if REDIS is available, MySQL as fallback)
    • Authorization Codes (if REDIS is available, MySQL as fallback)
  • Front-end changes:
    • "Provisioning URI" on an OAUth IDP is now replaced by "Provisioning Workflow" - Note: this field did not work in previous versions, so it is not migrated.
    • The default IDP display name has been changed from "Username & Password" to "TrustBuilder Repository"
    • The display name of the user attribute "User Password LoginID" was changed to "Username"
  • OIDC Tokens: Claims without values will now not be added to tokens
  • Appliance Changes
    • Fixed an issue where the repository was not updated on cluster nodes
    • Default TLS version has been changed to TLSv1.2. Parameters can be set in 00_secure_gw.conf 
    • REDIS will now also be installed on a IDHub node (for token storage, etc). This will be installed with the orchestrator role. Two new parameters are available: idhub_sessionstore_port (default: 6379) and idhub_sessionstore_sentinel_port (default: 26379)
  • Trace logging was added on SAML and OAuth SP's
  • SAML metadata will now only export the appropriate section (SPSSO or IDPSSO descriptor)
  • API Changes
    • /idhub/admin/api/v1/authentication/method : idpCode changed to idp_code
    • /idhub/admin/api/v1/authentication/method : contextRef changed to context_ref
    • /idhub/admin/api/v1/authentication/method : idpName changed to idp_name

On the  short-term data storage change:

Note that we will not remove the existing codes and tokens from the MySQL database to keep database downtime to a minimum. This step may be done manually at a more convenient time.  Refresh tokens will remain in the MySQL database.

IDHub will first look for the code, token or Request_URI in REDIS (if available) and secondly in MySQL.  This avoids the need for token migration after the upgrade.


  • Fixed an issue where OIDC requests in a Hybrid Flow sometimes result in a DuplicateKeyException. Fixed by including a jti claim (TB-5180).
  • Fixed an issue where the IDP provides an assertion where some of the attributes are encrypted, instead of the entire assertion being encrypted.  (TB-5174)
  • Fixed an issue where the SAML cancellation error parameters were not passed to the Proxy SP
  • Changed some of the SAML status messages to better distinguish the kinds of errors (TB-5117):
    • Responder, AuthnFailed will give the code AUTHN_FAILED
    • Requester, AuthnFailed will give the code MESSAGE_VALIDATION_FAILED
    • Responder, NoAuthnContext will give the code NO_AUTHN_CONTEXT
    • Responder, RequestDenied will give the code REQUEST_DENIED
  •  Fixed an issue where IDHub was relying on external resources (eg. https://maxcdn.bootstrapcdn.com/) (TB-5191)
  • Fixed an issue where duplicate SP's appeared to be created when creating the same SP twice via the API. (TB-5305)
  • Fixed an issue in OAuth where the /idhub/ path was incorrectly added in the well-known in case url rewriting is applied. (TB-5286)
  • Fixed an issue where sending an empty header to an API Service Provider resulted in a nullpointer (TB-5278)
  • Fixed an issue where the SAML Metadata "AuthnRequestSigned" was not correctly set. (TB-5253)
  • Fixed an issue where sometimes the Application Rules on SP's would not be loaded after a tomcat restart (TB-5246)
  • Fixed an issue where it was possible to replay mobile requests (TB-5181)

Upgrade procedure

Before initiating the upgrade we recommend to make snapshot backups of your virtual machines.

On your primary/mgmt node:

Edit the environments playbook to point the yum repositories to version 9.3

# cd /opt/trustbuilder/appliance/config 

# vi environments.yml 

# ansible-playbook -v environments.yml

Start by pulling in the latest installation scripts:

# sudo yum update trustbuilder-appliance 

After that run your playboook. e.g.:

# cd /opt/trustbuilder/appliance/config 

# ansible-playbook -v my-playbook.yml 

The database role can sometimes be unstable for clustered environments. You can leave this role out of the playbook when running an upgrade.

Any errors need to be fixed manually and then you can rerun the ansible-playbook again.

If everything runs correctly TrustBuilder should be up and running.

All that is left now is to update the database scheme of idhub. You can do this by accessing https://your-hostname/idhub/install

This release includes a new component, the Redis database engine, that will be installed on the orchestrator side. This might affect existing firewall rules.

9.3.1 Release notes

  • Fixed a vulnerability in the Self-service API that could allow an account take-over
  • Fixed an issue that could lead to session ID's being leaked on the gateway
  • Fixed an issue that could cause deadlocks while reading OAUTH_TOKEN table
  • The Client secret is no longer displayed in plain text for OAuth IDP's
  • Removed the Client secret from being returned in a self-service api call
  • Fixed some encoding issues on the gw-login after authentication
  • Fixed an issue on the digipass API to block/reinstate tokens when there are multiple token instances
  • Added support for Radius passwords to be longer than 16 characters
  • The Provisioning workflow now uses the same response format as the Derived Attributes workflow
  • Fixed an issue with the Mobile Authenticator when used in a cluster setup
  • Fixed a caching issue on the Authentication Schemes and Methods in a cluster setup
  • OIDC
    • Now allows a refresh token to be used for a token exchange
    • Added additional checks and logging when an id token is requested
    • Fixed an issue where PKCE fails if the client_secret parameter is missing
  • When running the environment.yml, the files CentOS-* are deleted in the /etc/yum.repos.d/ folder

9.3.2 Release Notes

  • Fixed a scrolling issue in the TBA script editor (TB-5754)
  • Fixed an "Upstream prematurely closed" issue in the Gateway while reading the response header from upstream by adding a retry. (TB-5693)
  • Fixed an error that could occur when exchanging a refresh token for an Access token in OpenIDConnect (TB-5802)

9.3.3 Release Notes

  • Extended the RADIUS adapter to support Called-Station-ID
  • The X-TB-AZN-CACHE header is no longer passed unnecessarily to the browser (TB-5692)
  • Fixed an issue in the validation of the SAML logout response, ID's are now always proceeded by "IDHUB_" (TB-5777)
  • Fixed an Internal Server issue when using a WS Fed. Service Provider (TB-5863)
  • Requesting an OIDC Token via the Token Exchange Grant, now also returns a refresh token (TB-5795)
  • Added an auto-reconnect to REDIS  (TB-5878)
  • Fixed an issue where gateway config variables would not bind to a vhost (TB-5885)
  • Fixed a scrolling issue the TBA script editor (TB-5943)
  • Fixed an issue that could prevent the Kerberos service from starting (TB-6068)
  • Fixed an issue where changes in attributes needed nodes to restart tomcat in clustered environment to get the config changes (TB-6095).
  • Fixed an issue where attempting to block a user resulted in an "operation not allowed" (TB-6012)
  • Fixed an issue where the package version in the environment.yml  file was not accurate (TB-5849)
Was this article helpful?
0 out of 0 found this helpful



Please sign in to leave a comment.