We introduced a new hook action called STEP_UP for the Post Login Hook, which makes it possible to change the required Authentication Assurance Level (AAL). When no step-up methods are available, the user is prompted to enrol a method.
We introduced a new setting in the admin panel called Perform step up during mobile device registration. When this feature is on, the user's Authentication Assurance Level (AAL) increases after adding a new mobile device during step up. When this feature is off, the user needs to use the newly registered device (QR login or Push login) to increase the AAL to reach the desired level.
We introduced a new hook action called UPDATE_MOBILE_NUMBER for the Post Login Hook, which makes it possible to update and verify a mobile number.
The Username and Password migration Hook now returns all validation errors at once, as a list of errors. Before, only one error at a time was returned.
The validation in the Username and Password migration Hook will also check for the validity of the mobile numbers. It will return an error if a mandatory mobile number is missing or if the provided mobile number format is invalid.
We have split the feature Automated external identity coupling enabled into two features, namely Automated external identity sign up enabled and Automated external identity linking enabled, to support more scenarios when an external IDP is used. In order to use the latter feature, automatic email verification needs to be enabled in the Identity Provider settings.
Extended the AuthenticationPostProcessExtension request object with the user's identity information, containing the identity name, identity id, and external person id (if it exists).
Added a link to the Delegated administration application on the user's dashboard for users with the policy role_superuser. It can be configured via the DABP-DASHBOARD-URL message key.
Fixed an issue where OpenAM acting as a SAML service provider rejected our SAML Artifact Binding response message.
In the non-happy flow of the password reset hook (e.g. an API error), an end-user could get stuck with an error. We fixed this by resetting the hook so that the user can retry the entire operation.
It is now possible to use QR device registration to enroll your mobile device as initial 2nd factor.
Fixed a security bug, where a user was able to use QR device registration to link a mobile device to an existing account without first performing step-up authentication.
When an end-user started an authentication request on a Service Provider and then navigated to the Self-registration page, some optional profile attributes were treated as mandatory. This made it impossible to proceed with the sign-up. Now the optional attributes are actually optional.
Fixed an error while using additional_parameters in Invite API with extension email gateway.
We fixed an issue where the automatic linking of an external identity provider to an existing account would fail. Before, the Onegini IdP required the email address to be unique, but this check was irrelevant in this scenario (where the pre-creation extension decided to link the identity).
When using an external identity provider and an LDAP identity provider with the feature Migration during sign up enabled, the external IDP was not linked to the existing account when the PreLinkIDP hook was disabled. This is now fixed: the account is linked regardless of active hooks.
Updated the new parameter in the Invite API, introduced in 7.48.0, to use the snake_case convention. The updated name is: "additional_parameters".
When using an external identity provider and an LDAP identity provider with the feature Migration during sign up enabled, the external IDP was not linked to the existing account. When an end-user logs in with the external identity provider, they end up on the migration page to log in with the existing LDAP credentials. In this scenario, we now link the external IDP to the existing LDAP account.
Fixed an issue where an HTTP HEAD request to a reset password URL, which is executed by some SPAM filters, caused an Internal Server Error.
We extended the Invite person API with additional parameters, so that context about the invite can be provided to the end-user, e.g. who invited the end-user or why the end-user is invited. These parameters are available in the email template and the "accept invite" template.
We extended the self sign-up and sign-up-through-invite flows with the possibility to link an external Identity Provider during these flows.
The default key size for RSA Keys generated by the Onegini IdP is increased to 4096 bits.
Events that indicate that the user status has changed are now sent to OneEx. As a customer, you can consume these events sent to OneEx to get updates about a user status.
Insights and ERS no longer loaded in the Onegini IdP admin; this has been fixed.
In some scenarios, the first request after a period of inactivity to an external service failed. This resulted, for example, in a failed request to an external IdP the first time per day the Onegini IdP was used. Now, the first request after a period of inactivity succeeds.
If a user revisits the email verification link, within the configured validity time, they will always see the same result, namely that the email is verified. Before this change, upon a revisit, an error was shown that the verification link was invalid.
We restart the migration hook when a user starts a new authentication request with an existing session, which can happen after not finishing the migration flow in another window.
We now clear the cached origin directly after a user is redirected to their origin for the first time.
This fix prevents users from getting redirected to the wrong page if they go back to the dashboard for the 2nd time.
We now convert all phone numbers to the E.164 format. Prior to this change, a phone number with a 0 after the country code could cause undeliverable SMS messages in combination with certain SMS providers.
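The following normaliser, written here as an added illustration (it is not the Onegini IdP's own code), shows what E.164 normalisation involves: international access prefixes and formatting characters are removed, and the national trunk prefix that some users type after the country code is stripped, which is the case the release note refers to. The country code table is a constructed, deliberately small assumption; a production system would use a complete library.

```python
import re
from typing import Optional

# Constructed table of country calling codes and their national trunk prefix
# (the digit dialled domestically before the subscriber number). This is an
# assumption for the example only, not data from the Onegini IdP.
TRUNK_PREFIX = {"31": "0", "44": "0", "49": "0", "1": None}

MAX_E164_DIGITS = 15  # E.164 allows at most 15 digits after the "+"


def to_e164(raw: str) -> Optional[str]:
    """Normalise a user-supplied number to E.164 (+<country code><subscriber>).

    E.164 never contains the national trunk prefix, so "+31 (0)6 12345678"
    must become "+31612345678". Leaving the 0 in place yields a number that
    some SMS gateways reject or misroute. Returns None for unusable input.
    """
    digits = re.sub(r"[\s\-().]", "", raw.strip())
    if digits.startswith("00"):  # "00" international access prefix -> "+"
        digits = "+" + digits[2:]
    if not digits.startswith("+") or not digits[1:].isdigit():
        return None  # no country code, or stray characters
    body = digits[1:]

    # Longest-match the country code (1 to 3 digits) against the table.
    cc = None
    for n in (3, 2, 1):
        if body[:n] in TRUNK_PREFIX:
            cc = body[:n]
            break
    if cc is None:
        return None  # unknown country code

    national = body[len(cc):]
    trunk = TRUNK_PREFIX[cc]
    if trunk and national.startswith(trunk):
        national = national[len(trunk):]  # drop "(0)" style trunk prefix

    if not national or len(cc) + len(national) > MAX_E164_DIGITS:
        return None
    return f"+{cc}{national}"
```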
Added a Pre Link External Idp hook that allows you to execute custom business logic before a user can link an external IDP to its account.
Please see details here.
We extended Onegini Hooks to add a specific message when executing the HOOK_CANCEL, HOOK_COMPLETE, and HOOK_SKIP Action Types; this message can be shown to the user.
Added additional cleanup of meta-data (e.g., password expiration date) upon person deletion.
After using an expired verification code on the mobile verification page, the user is no longer shown a page with a different layout.
When a mobile number is set to required during authentication, the user is requested to set and verify their number. If the user decides to skip this step, the user is no longer redirected to the dashboard but to the SP with an access denied status.
We fixed an issue where users did not see pages in the correct language, as only the browser's locale was taken into account.
This value can now be overwritten by the locale set in the URL or by the user's preferred locale set in their profile.
Fixed an issue where some email clients invalidated the verify email URL.
Authentication errors from external identity providers of the type OIDC are now shown on the login page;
this allows end-users to select another authentication method.
It's now possible to force users to verify their mobile number during registration and authentication.
Fixed an issue where some email clients invalidated the password reset URL in a user migration scenario.
We have fixed a security bug where, in a specific scenario, when two users used the same device within a 15-minute timeframe, an external IDP could be linked to the wrong account.
We now support multiple Identity Providers of the type OIDC.
When creating an Identity Provider in the admin panel, you can now provide an alias; a Service Provider can use this alias to request an authenticated user from that specific Identity Provider.
It is now possible to use values that include a comma in the admin panel (e.g., for custom attribute mapping). Previously this was not possible because this character is used internally to split values.
From now on, the /actuator/health endpoint should be used to check the health or state of the running application. The old /healthcheck endpoint is deprecated and should no longer be used.
When resending the verification email on the 'email not verified'-page, we now provide feedback in the model map to show the user a proper notification.
Fixed the mapping between our internal profile attributes and the OIDC gender values to be compliant with the specification.
Fixed the mapping between our internal profile attributes and the OIDC address claim to be compliant with the specification.
Fixed the problem where a user was not redirected to the URL that was configured for Redirect to URL after sign-up when email verification was required.
You can now collect all undeliverable (e.g., bounced) email messages in a separate mailbox without revealing the address of this mailbox to the end-user.
The validation of the profile is now part of the update action in the Post Login Hook.
Any custom attributes stored in an account can now be accessed on the dashboard page. This does require customization of the default dashboard template.
Increased the number of PBKDF2 iterations in our hashing algorithm for this year. This makes it harder to reverse engineer stored passwords. New users or existing users changing their password will use this new, stronger algorithm by default.
To make sure our application always works (e.g. also in an iframe) in all browsers, it is now possible to set the SameSite flag for all cookies in Onegini IdP through a property. The default value is set to None.
When the preferred step-up method is set to 'Strongest', users can now also use a fallback method if that method can deliver the required Authentication Assurance Level.
The Person API now also includes information about the Identity Assurance Level (IAL) of a person.
You can now provide SAML metadata URI for identity and service providers in the admin panel.
When migrating from another solution to Onegini, you can now import the existing TOTP (e.g., Google Authenticator) secrets via our Import API. After importing these secrets, users can use their current TOTP authenticator as a step-up method within the Onegini IdP.
Added the QR Device Registration feature, which helps end-users enroll their mobile devices. For more info check this topic guide.
For eIDAS (via eHerkenning) we have decoupled the keys used for decrypting the attributes from the PKI-O keys, as they have different lifetimes. This gives us a better certificate rotation mechanism.
We now verify that uploaded certificates are valid and that a public and private key pair match.
Added support for multi-value SAML attributes, which are returned to the service provider as JSON.
When using the Onegini IdP in combination with Cloudflare we now store the actual client IP address in our Audit logs.
Fixed an issue where a message from the authentication extension was missing from the model map.
Mobile number validation is also performed on person creation and update API calls when Mobile number validation for backend services is checked in the Admin Panel.
Added missing UserIdQualifiers for eIDAS.
Static resources, fetched from the extension, were not properly cached. This has been fixed.
If a person had been created and updated before version 7.10.0 of Onegini IdP, it was impossible to delete that person. This has been fixed.
Subject and HTML content can be attached to the extension e-mail gateway request if configured with the property IDP_EXTENSION_EMAILGATEWAY_EXTENDEDREQUESTDTO_ENABLED.
Added information for the user when resending an externally delivered activation code.
Added the possibility to fetch and update the redirections configuration via the Configuration API.
Added PersonCreationPreProcesSearch Extension Point logic to support tracking the digital identity of users. Refer to Person search pre process for more information.
Added the possibility to specify characters that cannot be used in first/last names on sign-up forms.
Fields marked as editable are not treated as required anymore.
Incorrect-credential errors are now displayed next to the password field.
When defining a mapping for IdPs, an attribute can be set to editable or not. When it was set to editable, it was also treated as required. This has been fixed.
Fixed issue where mobile authentication could get stuck during authentication status fetching.
After a user accepted the invitation, the activation email was sent even though Force activation after accepting invitation was unchecked. This has been fixed.
The Username and Password sign-up page is not prefilled with data returned by the external identity provider.
Added an additional error message for the Credentials API validate endpoint when an incorrect password was provided too many times.
Fixed a problem with returning the identifier of a person to the service provider in cookie-based authentication.
Fixed a problem with changing a profile attribute after authenticating with the SAML passive method.
Twilio specific properties were still required even though a different SMS provider was used. This has been fixed.
User was allowed to complete invitation process despite being blocked. This has been fixed.
When a user logged in with a SAML external Identity Provider on an older iOS device, a SameSite bug in Safari browsers could cause a redirect to an error page. This issue has been fixed.
Added an admin section under Smart Security that allows setting a Content Security Policy (CSP) header for user pages.
Onegini IdP can now export security events to OneSee.
These events can be used by Security Information and Event Management (SIEM) systems.
From now on, the option Use stronger coupled Identity Provider is available under Step-up authentication. This option enables a user to use Identity Providers to increase the authentication level during Step-up authentication.
The post login action redirect flow is now integrated with SAML. If a user enters Onegini IdP with a SAML request, the redirection works correctly.
When a confirmation email was sent via a custom email gateway, the person identifier was not shared with the gateway. As a result, the email could not be marked as verified. This has been fixed.
SAML SLO is not executed for identity providers that don't have a SingleLogoutService defined in their metadata. Because of that change, a SAML Success response is returned to the Service Provider instead of PartialLogout after logging out the user.
Added logs for measuring metadata generation time.
The property name changed from IDP_ERS_ADMIN_API_BASE_URI to IDP_ERS_ADMIN_API_BASEURI.
The property name changed from IDP_ERS_ADMIN_INSTANCE_ID to IDP_ERS_ADMIN_INSTANCEID.