Skip to content

Release notes 8.x

8.51.0

Improvements

  • We no longer set the legacy_SESSION cookie, as all modern browsers now support the more secure SameSite cookie. If the legacy cookie is still required for a specific setup, we can re-activate it on a per-environment basis.
  • Dependency updates.

8.50.0

Bugs

  • It is now possible to overwrite the user's language on the password reset page with the language parameter in the URL.

8.49.0

Improvements

  • Dependency updates release.

8.48.0

Bugs

  • We have fixed an issue where the legacy Action Token login endpoint (/login/token) was malformed and non-functional. The endpoint now works correctly, ensuring backward compatibility.

8.47.0

Features

  • Introduces a new core property that can be set to prefix session cookies with __Secure- or __Host-.

Improvements

  • We improved how custom templates are loaded; the connection to self-styling is more reliable.

8.46.0

Improvements

Onegini IdP now serves jquery.validate-1.19.5.js instead of jquery.validate-1.11.1.js. This means that, for customers who maintain their own templates, all the extensions' templates must be checked for references to jquery.validate-1.11.1.js. Those should replaced with jquery.validate-1.19.5.js.

For example:

<script src="../../../static/js/plugins/jquery.validate-1.11.1.js" ...></script>

change to:

<script src="../../../static/js/plugins/jquery.validate-1.19.5.js" ...></script>

8.45.0

Features

  • Added support for non-persistent session cookies. This means that an SSO session ends when the browser window is closed. Activating this feature requires specific configuration steps beyond what's available in the admin panel. Please reach out to our support team to enable this functionality.

Improvements

  • Removed a third-party library that is no longer actively supported from the end-user-facing templates.

Bugs

  • Fixed several extension points to make them aware of the person partition.

8.44.0

Improvements

  • The idp_session_magmt_token cookie is now only created if the Session API is enabled.

Bugs

  • Content pages now fallback to the end users' locale when a requested language is not supported.
  • End users are now redirected to the login page when a (non-passive) authentication login flow is initiated and no session cookie is available.

8.43.0

Bugs

  • Missing Customer parameters in the authentication request could cause issues in the templates that loop through the whole set of attributes.

8.42.0

Bugs

  • Fixed an issue where the link in the password reset email was invalidated by the client, before an end-user could visit the page. We now invalidate the link, after a new password is set.
  • The performance for the Delete a person endpoint in the Person API is improved.

8.41.0

Bugs

  • It is now possible to filter on more Events in the Admin panel.
  • The UPDATE_PROFILE action in the Post Login Hook now also forces phone number validation if this is mandatory phone number validation is enabled.

8.40.0

Bugs

  • The performance improvement for the Create signed-up person endpoint, introduced in 8.38.0, now also works in combination with partitions
  • While creating a new person via the Person API, you can now specify a higher IAL than the default of the IdP.
  • The context parameters are also available in the extension while using the X-Onegini-Flow-Context-Params header with the Import API.

8.39.0

Bugs

  • We fixed a bug in the data cleaning procedure where the Synchronise Axon snapshots step did not work.

8.38.0

Improvements

  • We improved the performance of the Create signed-up person endpoint in the Person API.

8.37.0

Bugs

  • We fixed a bug where the DABP permission GROUP_RESOURCE_MANAGE was unsupported, resulting in an error for a user with such permission.

8.36.0

Improvements

8.35.0

Improvements

  • We improved our caching mechanism for when the SAML Artifact binding is used.

Bugs

  • We fixed a bug in the "Clear all CIM caches" feature.

8.34.0

Improvements

  • The "Clear all CIM caches" feature in the admin panel now clears even more caches e.g. we also clear the SAML metadata fetched from an URL.

8.33.0

Improvements

  • We improved the invitation process by enhancing the handling of mobile number verification. If users haven't made any changes to their mobile number during sign-up, they will no longer be prompted for re-verification.
  • We improved the error message when SMS code has expired in the Invitation Confirmation flow.

8.31.0

Features

Improvements

  • We improved the way SMS messages are sent. The request is now async, so there is no delay when other steps need to be executed during a step-up.

Bugs

  • We fixed a bug where user would get mobile number verification code before activating an account.
  • We fixed a bug in the attribute mapping of the Itsme external identity provider.
  • We fixed a bug that allowed a user to access the wrong invitation verification method.

8.30.0

Bugs

  • TOTP (Google authenticator) values that started with a 0 and contained an 8 or a 9 failed to validate. This has been resolved.
  • In some cases, when the event table was populated with many events, the Events page in the admin console failed to load. We optimized the queries used to select the Events. As a result, we no longer show how many events there are in total.
  • When an error occurred during migration process, it was always displayed in English. Now the correct translation is used based on user's locale.
  • We fixed a bug where Cookie based authentication did not work together with Action Token login

8.29.0

Features

Improvements

  • When a Single-logout endpoint is defined in the eHerkenning SAML metadata, and a single-logout request is initiated to the Onegini IdP, the end-user will see a confirmation page. After confirmation, the logout request to eHerkenning is opened in a new tab.

8.28.0

Features

  • We introduced a feature toggle to invalidate all sessions for a user when they change their password.

Improvements

  • It now possible to define the maxAge TTL value for cookies per customer. The default value remains unchanged at six months.
  • The PersonStatusUpdatedExtension now receives information to distinguish a newly activated account from an unblocked account.

Bugs

  • The user's status was not always respected in a password migration scenario. This is now fixed.
  • Fixed the issue where the invitation email was not sent due to missing country_code attribute in an addresses.

8.27.0

Improvements

  • The redirect URI for Action Tokens now also supports custom schemes.

8.26.0

Bugs

  • We fixed a bug where the Single Logout Request to eHerkenning failed.

8.25.1

Improvements

Bugs

  • Fixed an issue where custom attributes (mapped from an external identity provider) were not removed upon instructions from the "Profile attributes update" extension point.

8.25.0

Features

  • Adds a new endpoint to the PersonAPI for the deletion of profile attributes. This endpoint supports the date_of_birth and gender attributes

Improvements

  • Improved the data storage of custom attributes

Bugs

  • The invitation parameters provided in the Invite person API were not available on the "accept invite" template. We have added those.

8.24.0

Features

  • The ImportAPI now also supports coupling an account with an external IDP.
  • The Post Login Hook now also has information about the used login method, including action tokens. This allows implementors to take actions (e.g. STEP_UP) in the hook based on the loginMethodType used by the end-user.
  • We removed support for document-centric Identity Proofing via GBG.

Improvements

  • We now also take a "Trusted Device" into consideration when a STEP_UP-action is executed in the Post Login Hook.

Bugs

  • On the dashboard, the link to the Delegated Administration UI was never shown. We now show it for users with a policy: role_superuser.

8.23.0

Features

  • To prevent disclosing if an account exists based on the Username and Password validation response time, we introduced a new configuration to set a minimum response time. When set, all log-in attempts take at least that time.
  • To prevent disclosing if an account exists based on the "Forgot Password"-flow response time, we introduced a new configuration to set a minimum response time. When set, all password resets take at least that time.
  • We added an optional feature that, when active, will not disclose that an account already exists during sign-up. This increases security but might reduce user-friendliness when a person tries to create an account with an email address already used by another account.

Bug fixes

  • We added support for the ?language= parameter on the QR login page.
  • Fixed a bug that made it impossible to save the Email notifications configuration when unchecking All operations (except notifications on API calls).
  • Fixed an issue where invites weren't sent while using the InviteAPI in combination with an additional_parameters with a null value.

8.22.0

Features

  • We now allow the Identity Assurance Level (IAL) to be updated manually via the PersonAPI

Bug fixes

  • We fixed an issue where we logged-out users that used a web2app action token if they already had an active session. We now ensure that users that use a web2app action token will end up logged in for the user referenced in the action token.

8.21.0

Improvements

  • We extended the UserInfoExtension to include the personId. This makes it possible for partners to implement a password reset that can be triggered with the old username or any verified email address for non-migrated users.
  • Specifying a specific error message on the login page when a user cancels an iDIN transaction is now possible. The message key is: personal.login.cancelled.user.message.

8.20.0

Features

  • We now clear all the internal technical events which contain personal information when a user is deleted from the Onegini IdP. The functional events remain as they do not contain personal information and or are required for audit purposes.
  • The Post Login Hook now also has access to the SAML Custom Parameters. This allows us to take actions in the hook based on the provided parameters in the Authentication Request.

Improvements

  • We improved how the validity time for a specific externally delivered code (for activation & step-up) is stored.

8.19.0

Features

  • The Post Login Hook now also has access to the IP address of the user that initiated the request. This allows us to take actions in the hook based on the user's IP address.
  • The Post Login Hook is now triggered after the user reaches the required authentication level, while before, it was triggered after the first factor was successful.
  • We now allow more IdP types from Token Server/Access for mobile app enrolment.

8.18.0

Bug fixes

  • We adjusted the PersonAPI to match our documentation, all address fields are now optional. We removed the validation that ensured some fields had to be provided as a set.
  • When an email address is removed in the Post Login Hook we now also remove that attribute as a username.

8.17.0

Improvements

  • We introduced a generic approach for all emails to prevent URLs to be invalidated by some email clients and/or anti-spam software.
  • A user will be logged out of their account and redirected to the login page when they use a wrong password too many times while changing their password via the dashboard.

Bug

  • On the change password page, we now indicate that the user is using the wrong old password when they try to update their password with the incorrect "old password" while setting their current password as the new one.

8.16.0

Improvements

  • We enriched the Events API response with person's partition_id.

Bug fixes

  • We fixed an issue where a Username and Password Identity Provider added on a partition prevented a password from getting blocked (after X failed attempts).
  • We fixed an issue where it was impossible to reset a password if a Username and Password Identity Provider was configured on a partition.
  • We fixed an issue where the email address or mobile number was not completely verified, when creating or updating these attributes via the Person API or Import API with "verified" : true. This caused an Attribute verified event during the first successful step-up. This event is now triggered directly after the attributes are modified via the API.

8.15.0

Bug fixes

  • Fixed a bug in the Import API so that it also works correctly for accounts with multiple email addresses.

8.14.0

Features

  • We added Friendly Captcha as a GDPR-friendly alternative for Google reCAPTCHA.

Bug fixes

  • Fixed a bug where iDIN identification did not work correctly when a user omitted email and/or phone attributes at the iDIN issuer.
  • In the specific scenario where the user starts authentication via an external IDP at the Identity Provider page and is redirected to the Service Provider (SP), the SP may try to execute a passive authentication request. If this request failed, the Single Logout feature did not work correctly.

8.13.0

Improvements

  • It's now possible to use the sms.sender.id custom message to change the (alphanumeric) sender of SMS messages per language variant (used for person partitioning).
  • We added the user's anonymized email address to the verify-email page, which can be displayed on this page for every scenario.

Bug fixes

  • We now invalidate the code in the reset password SMS after a user successfully uses it. This results in a SmsPasswordResetCodeBlockedEvent event on the timeline.
  • Error messages weren’t available on the next screen if a user encountered a redirect. We now carry these messages over to the next page.

8.12.0

Features

  • It is now possible to use an externally delivered code as an alternative step-up authentication method. This enables users to regain access to their account, especially when they lost access to their primary 2nd factor. The externally delivered code requires an extension that has a way to deliver the code to a user (e.g. via a letter).
  • The Externally Delivered Code Step-Up method is now set as the preferred one when there is a code active.

Improvements

  • Externally delivered step-up code has its own expiration time attribute now. Previously it used the one from Person Activation settings. This attribute is configurable in the admin panel and via the Configuration API.
  • In the Configuration API, the externally delivered step-up code feature flag is now deprecated. The feature flag should now be set in a newly introduced nested object. See the Configuration API / ExternallyDeliveredCodeStepUp for more details.
  • We changed the user flow for SAML authentication requests (initiated by a customer portal). If the authentication with an external IDP fails, users are redirected to the login page with an error message.
  • We made changes to our cache storage to improve performance.

8.11.0

Features

  • We now allow end-users to delete their own account via the dashboard. This feature is off by default but can be activated (it requires a new template). This feature is required if you have an iOS app that offers account creation.

Improvements

  • We now ensure a user completes the authentication (incl 2nd factor) before showing the email verification page for users that don't have a verified email address.
  • We made the activation URL for the Google Authenticator brand (partition) aware. Before, we showed the same issuer for all partitions, but now it can be configured per partition. We also added the user's email address, which provides the end-user with more information on the accounts they added to their authenticator.
  • The full user profile (not only the custom attributes) of the user are now also available in the DeliverExternalCodeExtension. For example, this extension is used to send an activation code via a letter or alternative email gateway.

Bug fixes

  • Active users can no longer visit the activation page by manually entering the URL.
  • Users are now redirected to the login page, when doing a submit on the Mobile number verification page while the user's session is expired.

8.10.0

Features

  • In the authentication response, we now indicate which external IDP was used by the end-user to authenticate. E.g. when a user uses DigiD, we fill the <AuthenticatingAuthority> field with urn:com:onegini:saml:idp-alias:digid

Improvements

  • It is now possible to break off the sign-up process by returning an error in the pre-creation extension point, even if the Force creating username & password during sign-up feature is enabled. For example, we use this process to make sure only existing (offline) customers can create an online account through an external IDP (e.g., DigiD).
  • The initials of a newly created account are now also available in the PersonCreationPreProcessExtension. For example, we use this to ensure an online customer is already known in an existing data store (e.g., CRM).

8.9.1

Bug fixes

  • We fixed an issue that prevented some users from successfully authenticating.

8.9.0

Features

  • We added a new API to verify email and phone numbers, enabling our customers to build their own dashboard while relying on our validation.
  • It's now possible to configure how many attempts a user has to verify an attribute (phone number or email address) before the code is invalidated.
  • Now an admin can configure if an end-user should verify their email address via a link (current behaviour) or a six-digit code sent to the email address. The latter option is more suitable for omnichannel services or organizations that built their own dashboard.

Improvements

  • We now ensure that a user, who authenticated but did not finish or cancel the post-login hook, that decides to navigate back to the login page, will return to the post-login hook.
  • When using the Email gateway extension point, in combination with Persons partitioning we now also provide the partition_id to the extension. This makes it possible for our partners to customize the sender or template based on the person's partition.

Bug fixes

  • For some events, the client's IP address was missing. We fixed that, so it should be available for all events now.

8.8.0

Features

  • It is now possible to send SMS messages via our internal Messaging Service. This service makes it possible to build an integration to connect to an external (non-natively supported) SMS gateway via an API.

8.7.1 (hotfix, final fix in 8.14.0)

Bug fixes

  • Fixed a bug where iDIN identification did not work correctly when a user omitted email and/or phone attributes at the iDIN issuer.

8.7.0

Improvements

  • We no longer throw an exception when illegal characters are used in a language parameter (we cover more scenarios compared to the change in v8.4.0).

8.6.2

Bug fixes

  • We fixed an issue with an error during a device registration via QR code.

8.6.1

Bug fixes

  • We fixed an issue with a warning being logged due to a removed field.

8.6.0

Improvements

  • We now support iDIN authentication using the iDIN Login product type. Previously the Onegini IdP was always using the iDIN Identify product type.
  • We added a feature toggle to show the existing waiting page template. It should be enabled to improve the user experience when a step in the login process (e.g. due to processing time of the PersonPreCreateExtension) takes longer to finish. The feature is disabled by default.
  • When automatic linking is enabled, and automatic sign-up is disabled, we now also call the PersonCreationPreProcessExtension. This makes it possible to match not only on a user's email address but also on other attributes.
  • It is now possible to provide a validity time value for a specific externally delivered code (for activation & step-up) via the extension, the validity time configured in via a property (for step-up) or the admin (for activation) are now both the default and the max.

8.5.1

Bug fixes

  • We fixed an issue with an error during a device registration via QR code.

8.5.0

Bug fixes

  • We fixed an issue where the user's last login time was not updated during a SAML ECP login (used for the OIDC ROPC flow in Token Server).
  • We fixed a bug where the CredentialAPI returned an error for end-users without an (optional) mobile number when Mobile number verification required was enabled. Now, only if the user has a mobile number in their profile, it must be validated.

8.4.0

Improvements

  • We improved the way an HTML form is submitted. We now prevent the same form from being submitted shortly after the initial submit (e.g. when the user is double-clicking), which caused an error in the logs.
  • We now support changing the initial (unverified) mobile phone number after a verification code is sent out, in the scenario where Allow to set initial step-up method, and Mobile number verification required are both enabled.
  • We no longer throw an exception when illegal characters are used in a language parameter.

Bug fixes

  • When an exception occurred in the Post Login Hook, the Onegini IdP did not handle it correctly. As a result, the Post Login Hook was not entirely executed. In the new situation, when an error occurs (e.g. a status 500), the end-user is logged out and has the reauthenticate.

8.3.0

Improvements

  • We introduced two new events: EmailUpdatedEvent and PhoneNumberUpdatedEvent; both are triggered after users update their profiles.

Bug fixes

  • When mobile number validation is turned off, the Onegini IdP will no longer return an error when the mobile number for a user is updated via the API.

8.2.0

Bug fixes

  • We fixed an issue with iDIN after migration to centralized session management.
  • We have fixed a bug in the email verification page where we did not show the result when an unauthenticated user used the email verification link for a second time.

8.1.1

Bug fixes

  • Incomplete DigiD logins were not properly logged due to an error. This has been fixed.

8.1.0

Improvements

  • We removed Frontend styling and Insights from the Onegini IdP admin, as these features are now available via the OneWelcome console.

Bug fixes

  • In the scenario where the external IDP linking failed, e.g. when it was already linked to another account, we still synced some attributes. We now do that only after successful linking.

8.0.1

Bug fixes

  • In some SAML scenarios, the user was redirected to the dashboard, while the expected behaviour was that the user should be redirected back to Service Provider. We now make sure the user is redirected to the service provider.
  • A dependency upgrade caused problems with sending emails. We fixed that in this version.

8.0.0

Features

  • We added a new configuration option for SAML based Identity Providers to support the ForceAuthn attribute, which allows you to explicitly indicate that the end-user must authenticate (again) at the external Identity Provider.

Improvements

  • Template handling is now more secure, but also more restrictive. This might have impact on existing templates that have been customised. For more information, please read the Thymeleaf documentation on this change.