Release notes 7.x

7.52.0

Features

  • We introduced centralized session management, making it possible to restart (and update) the application without end-users being logged out.

7.51.1

Bug fixes

  • When the eIDAS or eHerkenning Identity Provider was enabled, an error appeared when opening the Features tab in the admin panel. This is now fixed.

7.51.0

Features

  • We have split the feature Automated external identity coupling enabled into two features, namely Automated external identity sign up enabled and Automated external identity linking enabled, to support more scenarios when an external IDP is used. In order to use the latter feature, automatic email verification needs to be enabled in the Identity Provider settings.
  • Extended the AuthenticationPostProcessExtension request object with the user's identity information: identity name, identity id, and external person id (if it exists).
  • Added a link to the Delegated administration application on the user's dashboard for users with the policy role_superuser. It can be configured via the DABP-DASHBOARD-URL message key.

Bug fixes

  • Fixed an issue where OpenAM acting as a SAML service provider rejected our SAML Artifact Binding response message.
  • In the non-happy flow of the password reset hook (e.g. an API error), an end-user could get stuck with an error. We fixed this by resetting the hook so that the user can retry the entire operation.
  • It is now possible to use QR device registration to enroll your mobile device as the initial second factor.
  • Fixed a security bug where a user was able to use QR device registration to link a mobile device to an existing account without first performing step-up authentication.
  • When an end-user started an authentication request on a Service Provider and then navigated to the Self-registration page, some optional profile attributes were treated as mandatory, which made it impossible to proceed with the sign-up. The optional attributes are now actually optional.

7.50.0

Improvements

  • When OneEx integration is disabled, the Onegini IdP will no longer log warnings.

Bug fixes

  • Fixed an error while using additional_parameters in the Invite API with the extension email gateway.
  • We fixed an issue where the automatic linking of an external identity provider to an existing account would fail. Before, the Onegini IdP required the email address to be unique, but this check was irrelevant in this scenario (where the pre-creation extension decided to link the identity).
  • When using an external identity provider and an LDAP identity provider with the feature Migration during sign up enabled, the external IDP was not linked to the existing account when the PreLinkIDP hook was disabled. This is now fixed: the account is linked regardless of active hooks.

7.49.0

Bug fixes

  • Renamed the Invite API parameter introduced in 7.48.0 to follow the snake_case convention. The updated name is "additional_parameters".
  • When using an external identity provider and an LDAP identity provider with the feature Migration during sign up enabled, the external IDP was not linked to the existing account. When an end-user logs in with the external identity provider, they end up on the migration page to log in with their existing LDAP credentials. In this scenario, we now link the external IDP to the existing LDAP account.
  • Fixed an issue where an HTTP HEAD request to a reset password URL, as executed by some SPAM filters, caused an Internal Server Error.

7.48.0

Features

  • We extended the Invite person API with additional parameters, so that context about the invite can be provided to the end-user, e.g. who invited the end-user or why they are invited. These parameters are available in the email template and the "accept invite" template.
  • We extended the self sign-up flow and the sign-up-through-invite flow with the possibility to link an external Identity Provider during these flows.
  • Extended the sign-up flow with the possibility to add a step-up method. The step-up method can be made either mandatory or optional.

Improvements

  • The default key size for RSA Keys generated by the Onegini IdP is increased to 4096 bits.
  • Events that indicate that the user status has changed are now sent to OneEx. As a customer, you can consume these events sent to OneEx to get updates about a user status.

Bug fixes

  • Fixed an issue with the mobile number input field that caused JavaScript errors in the browser console.

7.47.1

Improvements

  • Updated the way we build our documentation to improve the search capabilities within one product.

Bug fixes

  • Insights and ERS no longer loaded in the Onegini IdP admin. This has been fixed.
  • In some scenarios, the first request after a period of inactivity to an external service failed. This resulted, for example, in a failed request to an external IdP, the first time per day the Onegini IdP was used. Now, the first request after a period of inactivity succeeds.

7.46.0

Features

  • If a user revisits the email verification link, within the configured validity time, they will always see the same result, namely that the email is verified. Before this change, upon a revisit, an error was shown that the verification link was invalid.

Improvements

  • We restart the migration hook when a user starts a new authentication request with an existing session, which can happen after not finishing the migration flow in another window.

Bug fixes

  • We now clear the cached origin directly after a user is redirected to their origin for the first time. This fix prevents users from getting redirected to the wrong page if they go back to the dashboard for the 2nd time.
  • We now convert all phone numbers to the E.164 format. Prior to this change, a phone number with a 0 after the country code could cause undeliverable SMS messages in combination with certain SMS providers.

7.45.0

Features

  • Added a Pre Link External Idp hook that allows you to execute custom business logic before a user can link an external IDP to their account. Please see details here.

Improvements

  • We extended Onegini Hooks to add a specific message when executing the HOOK_CANCEL, HOOK_COMPLETE, and HOOK_SKIP Action Types; this message is available to show to the user.
  • Added additional cleanup of meta-data (e.g., password expiration date) upon person deletion.
  • After using an expired verification code on the mobile verification page, the user is no longer shown a page with a different layout.
  • When a mobile number is set to required during authentication, the user is requested to set and verify their number. If the user decides to skip this step, the user is no longer redirected to the dashboard but to the SP with access denied status.

Bug fixes

  • Some links in the default translations were broken. This has been fixed.

7.44.0

Improvements

  • We now also send a verification email if a user's email address is changed or added via the post login hook.

Bug fixes

  • We fixed an issue where users did not see pages in the correct language, as only the browser's locale was taken into account. This value can now be overwritten by the locale set in the URL or by the user's preferred locale set in their profile.
  • Fixed an issue where some email clients invalidated the verify email URL.

7.43.0

Features

  • Authentication errors from external identity providers of the type OIDC are now shown on the login page; this allows end-users to select another authentication method.
  • It's now possible to force users to verify their mobile number during registration and authentication.

Improvements

  • We now also send a welcome email after a user account is activated via an external delivery code.

Bug fixes

  • Some calls to the Person API resulted in errors when person_id in the request was uppercase. This has been fixed.

7.42.0

Features

  • It is now possible to update the Identity Assurance Level (IAL) via the Update Profile Attributes Extension Point.

Improvements

  • Updated the jQuery version included in the standard templates. This may require updates in custom templates.

Bug fixes

  • Fixed an issue where some email clients invalidated the password reset URL in a user migration scenario.
  • We have fixed a security bug where, in a specific scenario, when two users use the same device within a 15 min timeframe, an external IDP could be linked to the wrong account.

7.41.0

Features

  • We now support multiple Identity Providers of the type OIDC.
  • When creating an Identity Provider in the admin panel, you can now provide an alias; a Service Provider can use this alias to request an authenticated user from that specific Identity Provider.

Improvements

  • It is now possible to use values that include a comma in the admin panel (e.g., for custom attribute mapping). Previously this was not possible because this character is used internally to split values.
  • From now on, the /actuator/health endpoint should be used to check the health or state of the running application. The old /healthcheck endpoint is deprecated and should no longer be used.

Bug fixes

  • When resending the verification email on the 'email not verified'-page, we now provide feedback in the model map to show the user a proper notification.
  • Fixed the mapping between our internal profile attributes and the OIDC gender values to be compliant with the specification.
  • Fixed the mapping between our internal profile attributes and the OIDC address claim to be compliant with the specification.

7.40.0

Improvements

  • Replaced our proprietary mobile number validation with the external library libphonenumber, the de facto market standard.
  • It is now possible to communicate with the multi-tenant Token Server thanks to the possibility to pass the tenant-id value.

Bug fixes

  • Fixed the problem where a user was not redirected to the after-sign-up URL when email verification was required.
  • Fixed a bug where new Belgian mobile numbers were not validated correctly.

7.39.0

Bug fixes

  • Fixed the problem where a user was not redirected to the URL configured for Redirect to URL after sign-up when email verification was required.

7.38.0

Bug fixes

  • Prevent an API call to the Token Server when mobile device registration is not properly configured.

7.37.0

Features

  • Added the option to make an extension that checks the password age and forces the user to update their password.
  • On password change, a user can no longer use the same (their last) password.

Improvements

  • You can now collect all undeliverable (e.g., bounced) email messages in a separate mailbox without revealing the address of this mailbox to the end-user.

Bug fixes

  • Fixed the problem with editing existing Service Providers.
  • The Person PreCreate extension point will now always receive information about which IDP was used for registration.
  • The extension is now able to overwrite the SAML velocity templates.

7.36.0

Features

  • Added Reset Password Hook. Please see details here.

Improvements

  • The validation of the profile is now part of the update action in the Post Login Hook.
  • Any custom attributes stored in an account can now be accessed on the dashboard page. This does require customization of the default dashboard template.
  • Increased the number of PBKDF2 iterations in our password hashing algorithm for this year. This makes it harder to recover passwords from the stored hashes. New users, and existing users changing their password, will use this new, stronger algorithm by default.

Bug fixes

  • Allow resending an externally delivered code when it has expired.
  • The locale is now resolved correctly on the IDP pages.

7.35.0

Features

  • To make sure our application always works in all browsers (e.g. also in an iframe), it is now possible to set the SameSite flag for all cookies in the Onegini IdP through a property. The default value is None.

Improvements

  • When the preferred step-up method is set to 'Strongest', users can now also use a fallback method if that method can deliver the required Authentication Assurance Level.

Bug fixes

  • All events are now stored with millisecond timestamps. Previously, some were stored in seconds.

7.34.0

Bug fixes

  • Fixed the problem with deciding whether the Username and Password Migration Hook should be executed.
  • Onegini IdP no longer sends a request to a disabled LDAP IDP when a user logs in with unknown credentials.

7.33.0

Improvements

  • The Username and Password Migration Hook now also verifies if the new password matches the password policy.
  • Removed the inline JavaScript in the SAML flow to comply with a stricter Content Security Policy, as required by DigiD.

Bug fixes

  • Fixed the scenario where the Digital Passport login failed when the access token was verified in the exact second it was created.
  • The Username and Password Migration Hook did not always provide information when a migration failed.

7.32.0

Features

  • The Person API now also includes information about the Identity Assurance Level (IAL) of a person.
  • You can now provide a SAML metadata URI for identity and service providers in the admin panel.
  • When migrating from another solution to Onegini, you can now import the existing TOTP (e.g., Google Authenticator) secrets via our Import API. After importing these secrets, users can use their current TOTP authenticator as a step-up method within the Onegini IdP.
  • Added validation for an existing email address when using the Username and Password Migration Hook.

Improvements

  • We can now fetch the person report from the multi-tenant DABP application. To use this feature it is required to:
    • define a tenant id in the admin panel,
    • update the DABP URL to match the multi-tenant version (add /delegation to the context path).

Bug fixes

  • Coupling an external identity provider to a user via the dashboard is now also possible when a step-up is required.

7.31.0

Features

  • You now can clear all the CIM caches, including extensions, via the admin panel.
  • Added a new hook type that helps to migrate users via the Username and Password identity providers.

Improvements

  • The ERS integration documentation has been updated to reflect the latest requirements and deployment strategy.

7.30.1

Bug fixes

  • When a Redirect to URL after login was set, the post login hook did not execute. This has been fixed.

7.30.0

Bug fixes

  • The iDIN IDP stopped working in version 7.29.1; this is now fixed.

7.29.1

Features

  • Added the QR Device Registration feature, which helps end-users enroll their mobile devices. For more info check this topic guide.

Improvements

  • For eIDAS (via eHerkenning) we have decoupled the keys used for decrypting the attributes from the PKI-O keys, as they have different lifetimes. This gives us a better certificate rotation mechanism.
  • We now verify that uploaded certificates are valid and that a public and private key pair match.
  • Added support for multi-value SAML attributes, which are returned to the service provider as JSON.
  • When using the Onegini IdP in combination with Cloudflare we now store the actual client IP address in our Audit logs.

Bug fixes

  • Fixed an issue that caused an error when sending emails.

7.28.0

Features

  • Added the Password Policy Configuration API.
  • A password change is now forced when the password no longer meets the password policy.
  • Added an API that allows forcing a password change.
  • Extended the post login hook with a new action that allows asking a user to change their password.

Improvements

  • Added a possibility to override the GBG translations.

Bug fixes

  • Fixed an issue with a missing message in the model map from the authentication extension.
  • Mobile number validation is also performed on person creation and update API calls when Mobile number validation for backend services is checked in the Admin Panel.
  • Added missing UserIdQualifiers for eIDAS.
  • Static resources, fetched from the extension, were not properly cached. This has been fixed.
  • If a person has been created and updated before version 7.10.0 of Onegini IdP it was impossible to delete that person. This has been fixed.

7.27.0

Features

  • The subject and HTML content can be attached to the extension e-mail gateway request when the property IDP_EXTENSION_EMAILGATEWAY_EXTENDEDREQUESTDTO_ENABLED is set.
  • Added information for the user about resending an externally delivered activation code.

7.26.0

Features

  • Added the possibility to request the Identity Assurance Level via the SAML Extension.
  • Added Post Login Hook. Please see details here.

Improvements

  • Added additional events to inform about the DigiD flow:
    • login canceled,
    • login failed,
    • login interrupted by Person Precreation extension point,
    • login not completed because of session timeout.

7.25.0

Features

  • Basic flows with Identity Assurance Level are available. For more info check this topic guide.

Improvements

  • Added the missing Person API documentation for the illegal-characters-in-name error.

Bug fixes

  • Fixed the handling of email addresses in the person search API.

7.24.0

Bug fixes

  • Custom messages displayed in mobile login flow are no longer in single quotes.
  • Fixed passive login flow error with doubled redirects.
  • Operation status is updated for changing email and password actions.

7.23.1

Bug fixes

  • A phone number can now be assigned to a user via the Person API when the mobile number is mandatory.
  • NameIdPolicy was null when the value should have been none. This has been fixed.

7.23.0

Features

  • The Person API now also uses the illegal character validation for first name and last name.
  • Added checkbox for disabling illegal character validation.
  • Added a possibility to set the NameIdPolicy format in the configuration of external SAML IdPs.

Improvements

  • SAML passive flow has been improved.

Bug fixes

  • Fixed an issue with cache eviction when a person's UnP identity is blocked.

7.22.0

Features

  • Added a possibility to fetch, via the API, available actions that can be performed for a person. Please refer to the Person API for more information.

Bug fixes

  • Fixed the PreSearch query execution to avoid an empty select query.

7.21.0

Features

  • Added a possibility to send events to AWS EventBridge.
  • Added a possibility to decouple a person from an Identity Provider based on person_id and identity_id. Refer to the Person API for more information.
  • Added a possibility to resend the verification code for both email and mobile phone via the API.

Improvements

  • Added new events: LoginStartedEvent and LoginSuccessfulEvent.

Bug fixes

  • Fixed a problem with updating some service providers.

7.20.0

Improvements

  • AuthnContext is now optional during passive authentication.

7.19.0

Features

  • Added possibility to fetch and update redirections config via the Configuration API.
  • Added PersonCreationPreProcesSearch Extension Point logic to support tracking the digital identity of users. Refer to Person search pre process for more information.
  • Added possibility to specify characters that cannot be used in first/last name in sign up forms.

Improvements

  • Added more details about identity used to create an account to PersonCreationPreProcess extension point.

Bug fixes

  • Fixed automatic sign-up for accounts that provide required attributes in PersonCreationPreProcess.
  • Fixed an error when no NamePolicy format was specified for SAML Organization attributes.

7.18.0

Improvements

  • OAuth Service Provider type has been removed.
  • Extended support for passive authentication for the SAML identity provider by checking whether the active CIM session fulfills the requirements.

Bug fixes

  • Fixed a problem with switching the language on the migration login page.

7.17.0

Features

  • Added support for passive authentication for SAML identity provider.

Improvements

  • The IDP_DATABASE_TYPE environment variable value is now case-insensitive.
  • It is now possible to reset a password with either a username or an email address in the unauthenticated migration flow.

Bug fixes

  • Fixed a profile attribute database inconsistency when an already invited person signs up.
  • Fixed a problem with logging in after cancelling step-up when the requested authentication level was higher than the one stored in the user's session.
  • Fixed showing the phone number in the step-up-with-code view.

7.16.0

Improvements

  • Added a possibility to get organisations in the Configuration API.
  • The Onegini IdP shows the logins of the last 24 hours when Insights are disabled or fail to load, together with a link to contact support.
  • Improved events page in the Admin Panel.

Bug fixes

  • Fields marked as editable are not treated as required anymore.
  • Incorrect-credential errors are now displayed next to the password field.
  • When defining a mapping for IdPs, an attribute can be set to editable or not. When it was set to editable, it was also treated as required. This has been fixed.

7.15.0

Features

  • Added possibility to set automatic email verification on trusted external identity providers.

Improvements

  • The nonce parameter is now automatically added to inline script tags when CSP is enabled.
  • A tag value is now mandatory when removing a multi-value attribute via the Person API.
  • The job cleaning the DomainEventEntry table now deletes data in chunks.

Bug fixes

  • Fixed email verification problem with iDIN identity provider.
  • Primary email can no longer be removed from profile.
  • Fixed missing address and custom attributes on the invitation sign-up page when field validation returned an error.

7.14.0

Features

  • Added a possibility to configure DigiD and SAML Identity Providers per partition.

Improvements

  • The number of failed login attempts before the captcha appears is now configurable in the Admin Panel.

7.13.0

Improvements

  • Added a possibility to customise login error messages.

Bug fixes

  • Cron job definitions are no longer lost in a multi-node setup.
  • A wrong default message was shown on the login page for a blocked Username & Password identity. This has been fixed.

7.12.0

Features

  • Added direct support for the externally delivered code activation type (no UI extension needed).

Improvements

  • Migration login now updates attributes from the original login method used for authentication.
  • Primary email can now be replaced in PersonCreationPreProcessExtension when it's provided in the response.

Bug fixes

  • Fixed issue where mobile authentication could get stuck during authentication status fetching.
  • After a user accepted the invitation, the activation email was sent even though the Force activation after accepting invitation was unchecked. This has been fixed.
  • The Username and Password sign-up page is not prefilled with data returned by an external identity provider.
  • Added an additional error message for the Credentials API validate endpoint when an incorrect password was provided too many times.
  • Fixed a problem with returning the identifier of a person to the service provider in cookie-based authentication.
  • Fixed a problem with changing a profile attribute after authenticating with the SAML passive method.
  • Twilio specific properties were still required even though a different SMS provider was used. This has been fixed.
  • User was allowed to complete invitation process despite being blocked. This has been fixed.

7.11.0

Features

  • The issuer can now be configured in the Google Authenticator TOTP URI. Refer to Google authenticator for more information.

Improvements

  • Added the possibility to configure an Alphanumeric Sender ID on SMS messages.

Bug fixes

  • Could not reset password when the JavaScript validation was turned off. This has been fixed.

7.10.0

Features

  • The Update profile attributes extension point has been extended with the possibility to delete profile attributes.

Improvements

  • Added information about the user's address and custom attributes on the invitation sign-up page to the model map.

Bug fixes

  • Fixed the password reset username validation in the web flow.

7.9.0

Features

  • Introduced new FlowContext type for all password reset flows.

7.8.1

Bug fixes

  • The admin console could not be accessed when IdP partitioning was turned off. This has been fixed.

7.8.0

Bug fixes

  • Configuration of attributes mapping for iDIN identity provider has been fixed.
  • Fixed an issue where a user needed to double-click the login button after typing the password incorrectly the first time.
  • Fixed an issue where a user's last identity could not be removed via the API.
  • The removable flag is now respected when decoupling an identity via the API.
  • The mapping for custom attributes has been fixed in the migration-during-sign-up flow.
  • Fixed HEAD requests for some links.
  • Enforced session creation in domain cookie controller.

7.7.0

Features

  • Added a possibility to configure Identity Providers per partition.
  • Extended the LDAP IdP configuration to allow specifying which attributes are requested when a user logs in.
  • Added a possibility to return attributes with authentication information to a Service Provider.
  • Added the possibility to choose the Name ID Format returned by Service Providers in the Organisation.

Improvements

  • Improved integration with password managers.
  • Added new events indicating a failed LDAP authentication.

7.6.1

Bug fixes

  • Fixed an issue with failing identity decoupling via API call.
  • Fixed an issue where mobile step up always failed when user logged in with an action token.
  • The verified flag of a newly migrated user's email address was ignored. This has been fixed.

7.6.0

Features

  • Users can now be logged out of OpenID Connect Identity Providers in all logout flows. Refer to OIDC Logout for more information.
  • It is now possible to localize push message notifications for Step-up Authentication and Mobile Login.
  • The Configuration API is now extended with settings for a Content Security Policy (CSP).

Bug fixes

  • When a user logged in with a SAML external Identity Provider on an older iOS device, a SameSite bug in Safari browsers could cause a redirect to an error page. This issue has been fixed.

7.5.0

Features

  • Added an admin section under Smart Security that enables setting a CSP header for user pages.
  • Onegini IdP can now export security events to OneSee. These events can be used by Security Information and Event Management (SIEM) systems.
  • From now on, the option Use stronger coupled Identity Provider is available under Step-up authentication. This option enables a user to use Identity Providers to increase the authentication level during Step-up authentication.

Bug fixes

  • Post login action redirect flow is now integrated with SAML. If a user enters Onegini IdP with SAML request, the redirection works correctly.
  • When a confirmation email was sent via a custom email gateway, the person identifier was not shared with the gateway. As a result the email could not be marked as verified. This has been fixed.

7.4.0

Features

  • Added partitionId information to the PersonDetails object (Person API).
  • Added possibility to fetch login methods via Configuration API.

Improvements

  • Sign in with Apple and other OIDC-flavored flows are adapted to work with the SameSite cookie flag.
  • Implemented a resiliency policy for the application.
  • Added the initial setup of the step-up method documentation.
  • Made Configuration API V2 backwards compatible.

Bug fixes

  • Fixed a translation in the Smart Security form.
  • Fixed an error with automatic sign-up when "Allow sign-up without invitation validation" is enabled.
  • Fixed a problem with returning attributes to the service provider.
  • Fixed an issue where Force creating username & password during sign-up was not respected during automatic sign-up.

7.3.2

Bug fixes

  • Fixed release notes link.
  • Fixed upgrade instructions.

7.3.1

Bug fixes

  • A user is now redirected to the service provider, instead of the dashboard, when a post login action is configured.

7.3.0

Improvements

  • SAML SLO is no longer executed for identity providers that do not have a SingleLogoutService defined in their metadata. Because of that change, a SAML Success response is returned to the Service Provider instead of PartialLogout after logging out the user.
  • Added logs for measuring metadata generation time.
  • Property name changed from IDP_ERS_ADMIN_API_BASE_URI to IDP_ERS_ADMIN_API_BASEURI.
  • Property name changed from IDP_ERS_ADMIN_INSTANCE_ID to IDP_ERS_ADMIN_INSTANCEID.

Bug fixes

  • Fixed an issue where the verified flag could be set to false on an already verified email during sign-up via the API.
  • Fixed an issue with creating an additional UnP identity with an id from an external Identity Provider.

7.2.0

Features

  • Added the possibility to force activation via an externally delivered code after accepting an invitation.
  • Added a new IdP: AzureAD B2C.
  • Allow setting up a step-up method for the first time even though the authentication level is insufficient.

Improvements

  • The sign-up flow is now handled in one transaction to ensure data consistency.
  • Added support for the HTTP-Redirect binding used for SLO with an external identity provider.
  • Updated control label texts in the Smart Config admin panel.
  • The dashboard is hidden behind authentication level protection.

7.1.0

Features

  • Introduced a new BLOCK_LOGIN action in the AuthenticationPostProcessExtension extension point.
  • Added the ability to request a specific authentication method when logging in with an external SAML IdP.
  • Exposed a new dialect for Thymeleaf that allows accessing the flow context storage bean via #flowContext.

Improvements

  • Added UI Extension to the Configuration API.
  • Added the new message personal.login.error.insufficientAuthLevel for when an external IDP returns an insufficient authentication level.
  • The Redis cache prefix is generated on application startup (it can be overridden with the SPRING_CACHE_REDIS_KEYPREFIX environment variable).
  • Added new password encryption implementation examples to the documentation.

Bug fixes

  • Fixed a problem with resolving resources from an extension.
  • Fixed the check whether the action token feature is enabled when generating a new token.
  • Fixed a SAML communication problem while exchanging data between CIM and an external identity provider.
  • Removed the execution of migration logic from automated external identity coupling.

7.0.0

Features

  • The password parameter is optional when creating an activated person through the API.
  • Added the possibility to activate a created person without any identity. See the Person API documentation for details.
  • Added the ability to exclude attributes sent to the service provider when Include unmapped custom attributes within SAML Response is enabled.

Improvements

  • Action Token Login no longer requires the user to have a Username and Password identity.
  • Removed support for Oracle and SQL Server databases.

Bug fixes

  • Fixed SAML SLO for an external identity provider session that was overwritten by a username and password session.