It is now possible to exclude attributes sent to a service provider when the option Include unmapped custom attributes within SAML Response is enabled.
Fixed SAML SLO for an external identity provider session that was overwritten by a username and password session.
A problem with resolving resources from extensions has been fixed.
A new action token was being generated even though Login via Action Token was not enabled, which caused an error when trying to authenticate with such a token. This has been fixed.
Fixed a SAML communication problem when exchanging data between the Onegini IdP and an external identity provider.
The execution of migration logic has been removed from External Identity Coupling, because it incorrectly triggered a PersonMigratedEvent. Removing the logic fixes the problem.
Fixed an issue where the verified flag could be set to false on an already verified email during sign-up via the API.
Fixed an issue with creating an additional User and Password (UnP) identity with an ID from an external Identity Provider.
An error was thrown on automatic sign-up when Allow sign-up without invitation validation and Automated external identity coupling were enabled, which resulted in an account not being created. This has been fixed.
Fixed an issue with attribute mapping when returning data to the service provider.
When a confirmation email was sent via a custom email gateway, the person identifier was not shared with the gateway. As a result the email could not be marked as verified. This has been fixed.
The post-login action redirect flow is now integrated with SAML. If a user enters the Onegini IdP with a SAML request, the redirection works correctly.
Added SSL configuration for SAML identity providers, e.g. DigiD.
The Key pair system tab in the admin panel is now called Certificates. Keys are now uploaded as files.
Introduced the possibility to configure the priority of preferred step-up methods; for details please refer to the documentation.
Introduced a new healthcheck endpoint that also verifies the status of the database and mail server, available under /actuator/health.
Extended the login response for authentication via an extension with additional information pointing to the authentication failure reason. This requires an AuthenticationExtension implementation in the customer extension. The feature has been added to the following flows:
  Login via web
    an additional parameter personAuthenticationErrorCode is returned to the view
    the parameter points to the authentication failure reason
    added the possibility to define the message shown on the login page
      the message key is returned by AuthenticationExtension
      translations need to be added to the extension messages file
Introduced a new API for decoupling person identities; please refer to the documentation for more details.
Introduced a new API for coupling person identities which uses the identity provider identifier instead of the type; please refer to the documentation for more details.
Introduced a new configuration API for resolving configured identity providers; please refer to the documentation for more details.
Fixed issues with resolving the correct language when the default language set contained a country or variant code.
Introduced a new external Identity Provider type: Sign in with Apple. Users can now log into the Onegini IdP using their Apple IDs. See the topic guide for details.
Introduced a new REST API (storage API) which allows storing values within the Onegini IdP cache for a preconfigured amount of time. This feature can be used to store authentication data in external authorization flows like Sign in with Apple.
Added support for displaying the RequestDenied and PartialLogout DigiD error messages.
The Onegini IdP can now load configuration from the extension repeatedly.
When acting as a SAML Service Provider, the Onegini IdP advertises in its metadata that it sends the AuthnRequest signed (AuthnRequestsSigned=true).
Added the possibility to sign up, activate and couple identities in one API call to /api/persons/activated.
Added the possibility to sign up an already coupled person without providing a password.
Extended the Profile Attributes Update extension point to take control of updating profile attributes whenever it is called by the Onegini IdP.
Added the possibility to set email parameters such as from, reply to and sent to (for admin related emails) via message keys depending on the user's locale. The newly added message keys are:
  onegini.common.email.from
  onegini.common.email.replyTo
  admin.emailNotifications.toAddress
The JWT keys are now generated and managed by the Onegini IdP. For more details please refer to the Configure JWT Keys chapter.
Added the possibility to add a redirect URI to the action token request. For more details please refer to the Action Token topic guide.
Added an action token redirect URI whitelist to the admin panel.
Email is now marked as verified whenever the email_verified claim is returned by the OIDC provider.
Implemented the right to be forgotten for accounts that have been deleted:
  already deleted accounts can be cleaned up in the admin panel (more info in the upgrade instructions)
  data for accounts deleted since this version is removed automatically
Added support for the OpenID Connect Identity Provider type. For more details please refer to the OIDC topic guide.
Added support for the Itsme Identity Provider type.
Added support for the DigiD Identity Provider type. For more details please refer to the DigiD topic guide.
Added a new option for modifying existing Velocity engine templates.
Added header authentication for administrator users.
Introduced a new flag, Synchronise Attributes, on the identity provider configuration form that makes it possible to turn attribute synchronisation during sign-in on or off.
Added support for profile attribute transformation. For more details see the appropriate topic guide.
Added a new search API that includes additional person info (such as account status) in the search result.
Added a new password policy rule which blocks the use of passwords that have been discovered in a data breach. It uses data from haveibeenpwned.com.
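As an added illustration (not the Onegini IdP's own code) of how a breach check can consult haveibeenpwned.com without sending the password itself: the Pwned Passwords range API receives only the first five hex characters of the password's SHA-1 hash and returns every matching hash suffix with its breach count. That the Onegini IdP uses the range API is an assumption; the range response below is constructed sample data, and padding entries with count 0 are ignored.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample of a range response for the prefix "5BAA6", the first five
# hex characters of SHA-1("password"). Each line is "<35-char suffix>:<count>";
# the counts and the other suffixes are made up for this example.
SAMPLE_RANGES = {
    "5BAA6": (
        "0C4C0ECB8C0B6A5E9FF52D1E5B2F9B1A2C3:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "3D3F2CB5E4C1A9DD8E9F0B7A6C5D4E3F2A1:0\r\n"  # padding entry, count 0
    ),
}


def hash_parts(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the API and the 35-char suffix that never leaves the IdP."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse a range response body into {suffix: count}, skipping blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in breach data (0 if never).
    A padding entry (count 0) therefore counts as not breached."""
    prefix, suffix = hash_parts(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def password_policy_allows(password: str, fetch_range: Callable[[str], str]) -> bool:
    """Policy rule: reject any password seen at least once in a breach."""
    return breach_count(password, fetch_range) == 0


def sample_fetch(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    return SAMPLE_RANGES.get(prefix, "")
```

In a real deployment the fetcher performs the HTTPS request, and the policy should state explicitly whether it fails open or closed when the lookup is unavailable.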
It is now possible to define an IP range in CIDR format for Identity Providers of the LDAP type, which allows only users with a matching IP address to log in.
Added support for forced authentication in SAML.
User accounts can now be activated via an activation link sent by email; for more details please refer to the person activation chapter in the Onegini IdP documentation.
Deleted the LDAP configuration for the mobile login functionality.
Moved the mobile step-up authentication related properties to the Smart Security - Step-up Authentication configuration section in the admin console; please check the upgrade instructions for more info.
Moved the Mobile Login related properties to the Configuration -> Identity Providers configuration section in the admin console; please check the upgrade instructions for more info.
Added error handling on both sides of token processing (token creation and token usage).
The update attributes extension point is now also called directly after sign-up.
Moved the Data clean-up section from the Configuration tab to the System tab in the admin panel.
Added automatic removal of expired mobile transactions. For more information please refer to the Token Server Configuration.
Changed the default order of resolving messages to check all of the locale-specific bundles before using the default ones. For more information please refer to the Messages resolution order.
Geolocation data is now sent to the Onegini Token Server (if it is available) when using QR code login or mobile login.
Added an IdpObjectMapper instance that is expected to be used for serializing/deserializing communication between the extension and CIM core.
Replaced CustomObjectMapper with an ExtensionObjectMapper instance that is expected to be used for serializing/deserializing communication between the idp-extension and CIM core.
Improved the person lookup view in the admin panel by displaying the partition list only if partitioning is enabled.
Metadata for OpenID Connect and itsme identity providers is now cached in Redis.
Axon snapshots for deleted accounts are removed from the database directly after deleting the person (GDPR regulations).
Turned off default email verification during automatic sign-up and introduced a verified by default checkbox in the external IdP attribute mapping configuration.
Added an option to manually configure an OpenID Connect identity provider.
Added an option to force User Info encryption for an OpenID Connect identity provider.
Added ACR security level configuration to the itsme identity provider.
Updated the LinkedIn API to version 2.
Migrated from Google Plus Sign-In.
Added an option to choose the Assertion Consumer Service URL in the SAML response based on the URL or index specified in the SAML request.
Added a versions matrix to keep track of compatibility between the Onegini IdP and the IdP Extension SDK.
Extended the ProfileAttributesUpdateExtensionPoint extension point, which is triggered whenever a person's profile attributes are updated, with a new property containing the whole up-to-date profile representation.
Added IP range configuration for LDAP identity providers.
Notifications can now be sent to a user in the CREATED state when activation is not required.
Users can now successfully register in the Onegini IdP in the SAML flow with the ForceAuthn flag set to true.
The verified flag is now respected when creating or updating a person's attributes via the Person API.
The ui-extension URL validation now works as expected when both the Onegini IdP and the ui-extension are deployed behind a load balancer.
Fixed a bug that caused a person's custom attributes, set via either an API call or the Onegini IdP extension, to be removed during the attribute synchronization process.
Fixed a problem with coupling a person's account via the Create signed-up person endpoint while more than one Identity Provider of the given type was enabled. Since this version it is not possible to create and couple an account while more than one identity provider of the same type is enabled; the error More than one identity provider with given type enabled (1053) is returned in that case.
Fixed a problem with the encoding of non-ASCII characters for data sent via HTML forms (more information in the upgrade instructions).
Fixed the copyright year in emails so that it updates every year.
Fixed a bug with deleting and adding a custom attribute with the same name.
Fixed an issue with the uid-urn:oid:0.9.2342.19200300.100.1.1 SAML attribute value not being returned in the SAML AuthnResponse.
Fixed an error which prevented an administrator from updating the Mobile Login configuration.
Fixed an issue with the welcome email being sent before user activation.
Fixed the authentication level not being returned as part of the SAML response when the ECP binding is used.
Fixed attribute synchronization when LDAP user credentials are validated via the Credentials API.
Fixed profile attributes not being returned in the SAML response.
Fixed an issue after removing all custom attributes.
A SAML error is now returned when authentication with a social Identity Provider fails.
Fixed a non-unique list of translations in the SAML metadata.
Fixed a credentials validation issue for blocked and inactive persons.
Fixed SAML Single Logout functionality, which did not redirect to the origin URL parameter.
Fixed an issue preventing users from performing mobile authentication after an external IdP login.
Fixed an issue with coupling a person who has a / character within the external ID.
Fixed a bug with duplicated primary emails on the extension side when updating a person via the API.