It's now possible to configure how many attempts a user has to verify an attribute (phone number or email address) before the code is invalidated.
An admin can now configure whether an end-user verifies their email address via a link (current behaviour) or via a six-digit code sent to the email address. The latter option is more suitable for omnichannel services or organizations that built their own dashboard.
We now ensure that a user who authenticated but did not finish or cancel the post-login hook, and who then navigates back to the login page, is returned to the post-login hook.
It is now possible to send SMS messages via our internal Messaging Service. This service makes it possible to build an integration to connect to an external (non-natively supported) SMS gateway via an API.
We now support iDIN authentication using the iDIN Login product type. Previously, the Onegini IdP always used the iDIN Identify product type.
We added a feature toggle to show the existing waiting page template. It should be enabled to improve the user experience when a step in the login process (e.g. due to processing time of the PersonPreCreateExtension) takes longer to finish. The feature is disabled by default.
When automatic linking is enabled, and automatic sign-up is disabled, we now also call the PersonCreationPreProcessExtension. This makes it possible to match not only on a user's email address but also on other attributes.
It is now possible to provide a validity time for a specific externally delivered code (for activation and step-up) via the extension. The validity time configured via a property (for step-up) or the admin (for activation) now serves as both the default and the maximum.
We fixed an issue where the user's last login time was not updated during a SAML ECP login (used for the OIDC ROPC flow in Token Server).
We fixed a bug where the CredentialAPI returned an error for end-users without an (optional) mobile number when Mobile number verification required was enabled. Now the mobile number must be validated only if the user has one in their profile.
We improved the way an HTML form is submitted. We now prevent the same form from being submitted shortly after the initial submit (e.g. when the user is double-clicking), which caused an error in the logs.
We now support changing the initial (unverified) mobile phone number after a verification code is sent out, in the scenario where Allow to set initial step-up method and Mobile number verification required are both enabled.
We no longer throw an exception when illegal characters are used in a language parameter.
When an exception occurred in the Post Login Hook, the Onegini IdP did not handle it correctly. As a result, the Post Login Hook was not entirely executed. In the new situation, when an error occurs (e.g. a status 500), the end-user is logged out and has to reauthenticate.
We fixed an issue with iDIN after migration to centralized session management.
We have fixed a bug in the email verification page where we did not show the result when an unauthenticated user used the email verification link for a second time.
In the scenario where the external IDP linking failed, e.g. when it was already linked to another account, we still synced some attributes. We now do that only after successful linking.
In some SAML scenarios, the user was redirected to the dashboard, while the expected behaviour was a redirect back to the Service Provider. We now make sure the user is redirected to the Service Provider.
A dependency upgrade caused problems with sending emails. We fixed that in this version.
We added a new configuration option for SAML-based Identity Providers to support the ForceAuthn attribute, which allows you to explicitly indicate that the end-user must authenticate (again) at the external Identity Provider.
Template handling is now more secure, but also more restrictive. This might have an impact on existing templates that have been customised. For more information, please read the Thymeleaf documentation on this change.