Introduction
Today we release version 10.2 of the TrustBuilder IDHub, with new features and integration with the overall TrustBuilder Suite.
TrustBuilder.io Suite consists of 3 products:
- TrustBuilder.io, the Service Catalog of the TrustBuilder.io Suite that allows easy connections towards standardized applications and Identity Providers (IdPs). TrustBuilder.io is cloud-based.
- TrustBuilder IDHub, the orchestration engine of the TrustBuilder.io Suite processing all the flexible security policies. This instance can run on the customers’ premise (local, private cloud, or public cloud) as well as in a SaaS offering.
- TrustBuilder Mobile Authenticator, the strong authentication solution for mobile devices combining the world’s safest authentication method with the best user login experience.
All 3 products work seamlessly together in a full cloud or hybrid setup.
TrustBuilder.io: Service Catalog of applications and Identity Providers.
The Service Catalog is available on TrustBuilder.io and can be used in pure cloud installation on TrustBuilder.io as well as in hybrid environments where the on-premise TrustBuilder IDHub connects to TrustBuilder.io. It allows customers to deploy new Identity Providers and applications in a fast, reliable, and secure manner. In a few simple steps, new identity providers are activated and connected to your applications. New applications are activated with an easy-to-use wizard.
With the release of TrustBuilder IDHub 10.2 and its latest token storage feature (see below), we can now also include API-based applications in the Service Catalog.
The first API applications now available on TrustBuilder.io are Monizze and Tranzer.
Thanks to the integration of Monizze, our customers can now easily integrate with its digital services and securely link their users with the Monizze users to display account information, transaction status and more. TrustBuilder handles the authorization requests and consent management when users want to link their accounts. Once their account is linked, users benefit from single sign-on between the different applications that are integrated through the Service Catalog of TrustBuilder.io.
Tranzer Introduces Mobility as a Service to the product catalog. Customers that integrate the Tranzer APIs can now offer tickets of multiple public transportation services throughout Europe. You no longer need to choose and purchase individual tickets. A route planner offers you the shortest, fastest or cheapest way to your destination and the APIs will offer the list of required tickets. TrustBuilder will make sure the purchases are linked to the correct account of the user or his employer. Through derived attributes and our policy engine, it's possible to specify rules of which tickets can be purchased or if additional authorization for large amounts is required. In HR environments, the data of these purchases can instantly be sent to an expense application through the workflow engine.
We’ve also added the Belgian e-ID card as an IdP, allowing customers to onboard and authenticate Belgian citizens that want to sign up or onboard using their PC with an installed card reader.
To elevate regular password security, TrustBuilder.io now also has the option to verify account information through an SMS OTP. This allows verification when onboarding users as well as a simple way to authenticate users using a second factor. It’s meant for organizations with a large user base that cannot integrate with better security measures such as the TrustBuilder Mobile Authenticator yet.
TrustBuilder Mobile Authenticator
To increase security and user awareness, we added a new feature that warns users when a new TrustBuilder Mobile Authenticator has been registered to their account.
This eliminates the risk of malicious account takeover should a hacker succeed in retrieving the account or enrollment information before the legitimate user has installed and activated the mobile authenticator.
Additionally, TrustBuilder Mobile Authenticator has the advantage that it can be installed on multiple client devices. This is especially handy when you want to integrate the SDK in your application but don’t want to have the burden of administrating devices and linking them to the correct user accounts. Instead, each installed application has its unique private key, linked to the user account through the secure enrollment process. Activating the warning system ensures users are aware that a new application has been linked to their account.
OAuth token storage
One of the USPs of TrustBuilder is that besides access management for users and mobile devices, TrustBuilder can increase the security of APIs by enforcing policies between microservices.
In this release, we have added the possibility to store external OAuth tokens and link them to an authenticated user. This token can then be injected by our gateway if you need to call APIs of that third party.
After giving consent to access a third-party application, a token for this user is stored in TrustBuilder. Next time the user wants to access this application through our customers' ecosystem, the authentication happens seamlessly, offering the best user experience combined with the strongest security measures.
This feature is crucial when implementing an ecosystem and allows a strong and secure authentication of your users when they access the third-party applications you wish to add to your ecosystem. Monizze (meal vouchers) and Tranzer (a European Mobility-as-a-Service provider) are the first applications that benefit from this feature and are now available in our Service Catalog on TrustBuilder.io.
If the service provider you wish to add is not yet available in the Service Catalog, we’ve added a new Service Provider type: Proxied Cloud SP on TrustBuilder.io
The Proxied Cloud SP makes integration with many third-party APIs a lot easier, and through TrustBuilder.io this is available with any local instance of TrustBuilder IDHub.
To simplify compliance with GDPR and PSD2 regulations, we’ve also provided endpoints to query if a certain user is already linked to the available API resources and to unlink when the user wishes. This allows you to manage the consent users are giving to third-party applications.
More information about this new service provider type is available on: https://trustbuilder.zendesk.com/hc/en-us/articles/360021433540-Service-Provider-Types-Proxied-Cloud
TrustBuilder IDHub
Numeric user attributes
We now have support for numeric user attributes. These attributes can also be used in the policies. This allows easier handling of building policies based on amounts or risk scores.
Improved gateway management
Management of Gateways can now be set up and configured within the TrustBuilder GUI.
The graphical user interface and the central management make Gateway configuration more intuitive, more secure, and more flexible.
All Proxy, API SP, and Proxied Cloud service providers are now exclusively linked to one or more VHosts.
The gateway can now also be configured with JSON access logging. This allows for easier integration in log management systems.
Certificate-based authentication
An update on our certificate-based authentication is integrated. This allows validation of Luxembourg’s national ID card and LuxTrust.
Other changes
- The OAuth redirect URI is now the same for all IdPs and thus no longer contains the unique ID of the IdP. The new URI is https://<hostname>/idhub/oauth2/callback/
- Additional events are added to the Audit page: configuration changes and mobile app registrations.
- Improved support for SAML Recipient for SAML SPs.
- API SP policies now have support for all common HTTP verbs.
- Derived attribute workflows can now be configured to only run for certain authentication schemes. We’ve also added the possibility to select whether they should run before and/or after the authentication.
Admin API changes
Removed
- idps/redirectexample
- idp/sprequest
- /gateway/vhost/*
- /gateway/backendservers/*
- /gateway/config/{id}/duplicate
Changed
- principalAttribute endpoint now also takes runDerivedConfiguration data
- deleting authentication scheme will return objection info when in use
- deleting templates will return objection info when in use
- API SP
- Removed attribute: hostname
- Added attributes: vHostIds, backendServerId, hostHeader, targetLocation, advancedParameters
- Proxy SP
- Removed attribute: hostname
- Added attributes: vHostIds, backendServerId, hostHeader, targetLocation, advancedParameters
- Proxied Cloud SP
- New type of SP
- GatewayConfig
- Removed: sps
- Added: vHosts
Added
- endpoints for backendservers
- endpoints for vhosts
- endpoints for application categories (copies protected api)
- endpoints for applications (copies protected api)
- /enums/subjectrecipientstrategies
- /sp/policy/httpmethods
10.2.1 Release notes
- TB-6583 Added support for STARTTLS for SMTP server connectivity
- TB-7228 CRL import fails on some occasions
- TB-7590 CRL2DB not starting on some occasions
- TB-7366 OAuth Client SP throws an error if scope parameter is omitted
- TB-7479 Cannot save Host Header or Advanced parameters on Service Providers
- TB-7480 Editing a user containing a hashed attribute re-hashes the previously stored hash.
- TB-7498 CORS request fails for Cloud SPs
- TB-7564 Add request parameters on SPs and IDPs failed
- TB-7571 NPE when starting Trustbuilder Core
- TB-7579 SAML Recipient subject goes to default ACS on internal error
- TB-7587 Unable to edit mobile IDP after creation
- TB-7633 Not able to configure token introspection URL via GUI on OAuth IDP
- TB-7655 Only one value was sent to the Proxy API Sp on multivalue enumeration
- TB-7662 An introspect request with an expired token could result in an HTTP status 400
- TB-7328 IDHub Protected API - create IdP creates OAuth 2.0 when asked to create 2.1
- TB-7272 We now also store tokens when using an OAuth IDP if it is also configured as a token server
- TB-7243 GW Logging - add the possibility to format access log as JSON.
- TB-7364 Added Mobile Device Mgmt calls to protected API
- TB-7449 Created Principal endpoints in protected API
- TB-7597 OAuth token exchange lacked debug logging
10.2.2 Release notes
- TB-7784 Update consent when principal is known
- TB-7763 CLOUD_SP session mapping issue
- TB-7762 Proxied Cloud SP - token TTL not configurable
- TB-7586 derived attribute should have at least one "execute when"
- TB-7596 add info label in derived attribute config
Comments
Please sign in to leave a comment.