Release notes 7.x
To make sure our application always works in all browsers (e.g. also in an iframe), it is now possible to set the SameSite flag for all cookies in Onegini IdP through a property. The default value is set to
When the preferred step-up method is set to 'Strongest', users can now also use a fallback method if that method can deliver the required Authentication Assurance Level.
All occurred events are now stored in milliseconds. Previously, some were stored in seconds.
Fixed the scenario where the Digital Passport login failed when the access token was verified in the exact second it was created.
Username and Password Migration Hook did not always provide information if a migration fails.
7.32.0
Person API now also includes information about the Identity Assurance Level (IAL) of a person.
You can now provide the SAML metadata URI for identity and service providers in the admin panel.
When migrating from another solution to Onegini, you can now import the existing TOTP (e.g., Google Authenticator) secrets via our Import API. After importing these secrets, users can use their current TOTP authenticator as a step-up method within the Onegini IdP.
Added validation for existing email when using the Username and Password Migration Hook.
Improvements
We can now fetch the person report from the multi-tenant DABP application.
To use this feature it is required to:
tenant id in the admin panel,
update the DABP URL to match the multi-tenant version (add /delegation to the context path).
Coupling an external identity provider to a user via the dashboard is now also possible when a step-up is required.
You now can clear all the CIM caches, including extensions, via the admin panel.
New hook type added that helps to migrate users via the Username and Password identity providers.
Improvements
ERS integration documentation has been updated to reflect the latest requirements and deployment strategy
When Redirect to URL after login was set, the post login hook did not execute. This has been fixed.
7.30.0
The iDIN IDP stopped working in version 7.29.1, this is now fixed.
Added QR Device Registration feature that aims to help end-users with the enrollment process of their mobile devices. For more info check this topic guide.
Improvements
For eIDAS (via eHerkenning) we have decoupled the keys used for decrypting the attributes and the PKI-O, as they both have a different lifetime. This way we have a better certificate rotation mechanism.
We now make sure the uploaded certificates are valid and if a public and private keypair match.
Added support for multi-value SAML attributes that are returned to the service provider in the form of JSON.
When using the Onegini IdP in combination with Cloudflare we now store the actual client IP address in our Audit logs.
Fixed an issue that caused an error when sending emails.
Password Policy Configuration API. Forcing a password change when it no longer meets the password policy.
API that allows forcing a password change. Extended the post login hook by adding a new action that allows asking a user to change the password.
Added a possibility to override the GBG translations.
Fixed an issue with missing message in the model map from authentication extension.
Mobile number validation is also performed on person creation and update API calls when Mobile number validation for backend services is checked in the Admin Panel.
UserIdQualifiers for eIDAS.
Static resources, fetched from the extension, were not properly cached. This has been fixed.
If a person had been created and updated before version 7.10.0 of Onegini IdP it was impossible to delete that person. This has been fixed.
Subject and HTML content can be attached to extension e-mail gateway request if configured with property
Added information for the user on resending externally delivered activation code.
Added possibility to request Identity Assurance Level via SAML Extension.
Added Post Login Hook. Please see details
Additional events added to inform about the DigiD flow: login interrupted by the Person Precreation extension point, login not completed because of session timeout.
Basic flows with Identity Assurance Level are available. For more info check this topic guide.
Improvements
Updated missing Person API documentation regarding the illegal characters for name error.
Handling of an email address has been fixed in person search API
Custom messages displayed in mobile login flow are no longer in single quotes.
Fixed passive login flow error with doubled redirects.
Operation status is updated for changing email and password actions.
Phone number can now be assigned to user via Person API when mobile number is mandatory.
null when the value should have been none. This has been fixed.
Person API now also uses the illegal character validation for first name and last name.
Added checkbox for disabling illegal character validation.
Added a possibility to set the NameIdPolicy format in the configuration of external SAML IdPs.
SAML passive flow has been improved.
Fixed an issue with cache eviction when person's UnP identity is blocked.
Added a possibility to fetch, via the API, the available actions that can be performed for a person. Please refer to the Person API for more information.
Bug fixes
Fixed PreSearch query execution to avoid empty query select
Added a possibility to send events to the AWS EventBridge.
Added a possibility to decouple a person from an Identity provider based on identity_id. Refer to Person API for more information.
Added a possibility to resend the verification code for both email and mobile phone via the API.
Added new events:
Fixed a problem with updating some service providers.
AuthnContext is now optional during passive authentication
Added possibility to fetch and update the redirections config via the Configuration API.
Added PersonCreationPreProcesSearch Extension Point logic to support tracking the digital identity of users. See Person search pre process for more information.
Added possibility to specify characters that cannot be used in first/last name in sign up forms.
Added more details about identity used to create an account to PersonCreationPreProcess extension point.
Fixed automatic sign-up for accounts that provide required attributes in PersonCreationPreProcess.
Fixed an error when no NamePolicy format was specified for SAML Organization attributes.
OAuth Service Provider type has been removed.
Extended support for passive authentication for SAML identity provider by checking if active CIM session fulfills requirements.
Fixed a problem with switching the language on the migration login page.
Added support for passive authentication for SAML identity provider.
IDP_DATABASE_TYPE environment variable value is now case insensitive.
It is now possible to reset password with both username or email in the unauthenticated migration flow.
Fixed profile attribute's database inconsistency in case of an already invited person signup.
Fixed a problem with logging in after cancelling a step-up with a requested authentication level higher than the one stored in the user's session.
Fixed showing phone number in step up with code view
Added a possibility to get organisations in the Configuration API.
Onegini IdP shows the logins of the last 24 hours when Insights are disabled or fail to load, with a link to contact support.
Improved events page in the Admin Panel.
Fields marked as editable are not treated as required anymore.
Displaying incorrect credential errors next to the
When defining a mapping for IdPs, an attribute can be set to editable or not. When it was set to editable, it was also treated as required. This has been fixed.
Added possibility to set automatic email verification on trusted external identity providers.
nonce parameter is now automatically added to inline script tags when CSP is enabled.
Tag value is now mandatory to remove an attribute via Person API for multi-value attributes.
DomainEventEntry table is now deleting data in chunks.
Fixed email verification problem with iDIN identity provider.
Primary email can no longer be removed from profile.
Fixed missing address and custom attributes on invitation sign up page when field validation
Added a possibility to configure DigiD and SAML Identity Providers per partition.
Number of failed login attempts before captcha appears is now configurable in Admin Panel.
Added a possibility to customise login error messages.
Cron jobs definitions are no longer lost on multi node setup.
Wrong default message has been shown on login page for blocked Username & Password identity. This has been fixed.
Added direct support for externally delivered code activation type (no ui extension needed).
Migration login updates attributes from original login method used for authentication.
Primary email can now be replaced in PersonCreationPreProcessExtension when it's provided in the response.
Fixed issue where mobile authentication could get stuck during authentication status fetching.
After a user accepted the invitation, the activation email was sent even though Force activation after accepting invitation was unchecked. This has been fixed.
Username and Password sign up page is not prefilled with data returned by external identity provider.
Added additional error message for Credentials API validate endpoint when incorrect password was provided too many times.
Fixed a problem with returning identifier of a person to service provider in cookie based authentication.
Fixed problem with changing profile attribute after authenticating in SAML passive method.
Twilio specific properties were still required even though a different SMS provider was used. This has been fixed.
User was allowed to complete invitation process despite being blocked. This has been fixed.
Issuer can now be configured in the Google Authenticator TOTP uri. See Google authenticator for more information.
Improvements
Added possibility to configure an Alphanumeric Sender ID on SMS messages.
Update profile attributes extension point has been extended by possibility to delete profile attributes.
Added information about user's address and custom attributes on invitation sign up page to model map.
Fixed password reset username validation on web flow.
Introduced new FlowContext type for all password reset flows.
Admin console could not be accessed when idp partitioning was turned off. This has been fixed.
Configuration of attributes mapping for iDIN identity provider has been fixed.
Fixed an issue when user needed to double click login button after incorrectly typing password for the first time.
Fixed an issue where user's last identity could not be removed via API.
removable flag is now respected when decoupling identity via API.
Mapping for custom attributes has been fixed in migration during signup flow.
Fixed HEAD requests for some links.
Enforced session creation in domain cookie controller.
Added a possibility to configure Identity Providers per partition.
Extended LDAP IdP configuration, allowing to specify which attributes will be requested when a user logs in.
Added a possibility to return attributes with authentication information to a Service Provider.
Added possibility to choose Name ID Format returned by Service Providers in the Organisation.
Improved integration with password managers.
Added new events indicating failure during failed LDAP authentication.
Fixed an issue with failing identity decoupling via API call.
Fixed an issue where mobile step up always failed when user logged in with an action token.
Verified flag from email address of newly migrated user was ignored. This has been fixed.
Users can now be logged out of OpenID Connect Identity Providers in all logout flows. See OIDC Logout for more information.
It is now possible to localize push message notifications for Step-up Authentication and Mobile Login.
Configuration API is now extended with settings for a Content Security Policy (CSP).
Bug fixes
When a user logged in with a SAML external Identity Provider on an older iOS device, a SameSite bug in Safari browsers could cause a redirect to an error page. This issue has been fixed.
Added an admin section under Smart Security that enables setting a CSP header for user pages.
Onegini IdP can now export security events to OneSee.
These events can be used by Security Information and Event Management (SIEM) systems.
From now on, the option Use stronger coupled Identity Provider is available under Step-up authentication. This option enables a user to use Identity Providers to increase the authentication level during Step-up authentication.
Improvements
Improved and updated the documentation on the following topics:
Post login action redirect flow is now integrated with SAML. If a user enters Onegini IdP with SAML request, the redirection works correctly.
When a confirmation email was sent via a custom email gateway, the person identifier was not shared with the gateway. As a result the email could not be marked as verified. This has been fixed.
Added partitionId information in the PersonDetails object (Person API).
Added possibility to fetch login methods via the Configuration API.
Improvements
Sign in with Apple and other OIDC-flavored flows are adapted to work with a SameSite cookie flag.
Implemented resiliency policy for the application
Added initial setup of the step-up method documentation
Configuration API V2 backwards compatible
Bug fixes
Fixed translation in Smart Security form
Fixed error with automatic signup when "Allow sign-up without invitation validation" is enabled
Fixed problem with returning attributes to service provider
Fixed issue where Force creating username & password during sign-up was not respected during automatic sign up.
Fixed release notes link.
Fixed upgrade instructions.
User is redirected to the service provider when a post login action is configured, instead of being redirected to the dashboard.
SAML SLO is not executed for identity providers that don't have SingleLogoutService defined in metadata. Because of that change a SAML Success response is returned to the Service provider instead of PartialLogout after logging out the user.
Added logs for measuring metadata generation time
property name changed from
property name changed from
Fixed an issue where verified flag could be set to false on already verified email during sign up via API
Fixed an issue with creating additional UnP identity with id from external Identity Provider
Added possibility to force activation via externally delivered code after accepting invitation
Added new idp AzureAD B2C
Allowing to set up a step-up method for the first time even though the authentication level is insufficient.
Sign up flow is now handled in one transaction to ensure data consistency
Added support for HTTP-Redirect binding used for SLO with external identity provider
Updated control label texts in the Smart Config admin panel.
The dashboard is hidden behind authentication level protection
BLOCK_LOGIN action in the AuthenticationPostProcessExtension extension point
Added ability to request a specific authentication method when logging in with an external SAML IdP.
Exposed new dialect for thymeleaf that allows to access flow context storage bean via
Added UI Extension to the Configuration API.
Added new message personal.login.error.insufficientAuthLevel when the external IDP returns an insufficient authentication level.
Redis cache prefix is generated on application startup (can be overridden by the SPRING_CACHE_REDIS_KEYPREFIX environment variable).
Added new password encryption implementation examples in documentation
Fixed problem associated with resolving resources from extension
Fixed check if action token feature is enabled when generating new token
Fixed SAML communication problem while exchanging data between CIM and external identity provider
Removed execution of migration logic from automated external identity coupling
Password parameter is optional when creating activated person through the API
Added possibility to activate a created person without any identity. See the person api documentation for details.
Added ability to exclude attributes sent to the service provider when Include unmapped custom attributes within SAML Response is enabled.
Action Token Login no longer requires user to have Username and Password identity
Removed support for Oracle and SQL Server databases.
Fixed SAML SLO for external identity provider session overwritten by username and password session