Release notes 10.x versions

10.3.12

Bug fixes

• Loading the error template caused a Hibernate lazy initialization exception in some cases.

10.3.11

Improvements

• The Onegini Token Server sets cookies for the authorization flow when it redirects to a SAML or OAuth identity provider to sign in. Some browsers do not store these cookies during the redirect. Without cookies the customer cannot sign in. The Onegini Token Server can now show a page to set the cookies. This page will send the customer automatically to the login page, but it can and probably will be visible for a short period. This step was introduced to ensure that the cookies for the Onegini Token Server will be set correctly. This page is optional and is disabled by default. Enable this page with the environment variable AUTHENTICATION_FLOW_RENDER_PAGE_BEFORE_REDIRECT_TO_IDP=true.

10.3.10

Improvements

• With some SAML identity providers login could fail, because there was no support for the element NameIDPolicy. This has been improved. From now on, the optional element NamedIDPolicy will be included in authentication requests towards SAML identity providers depending on conditions in the SAML identity provider configuration.

10.3.9

Bug fixes

• In authentication requests towards SAML identity providers, the element NameIDPolicy contained an attribute SPNameQualifier. Login failed with some SAML identity providers because this attribute should not be present for requests from the Onegini Token Server. This problem has been solved: the attribute SPNameQualifier is no longer sent with SAML authentication requests.

10.3.8

Improvements

• Added backwards compatibility support for the browsers that are not handling the SameSite cookies (e.g. Safari running on iOS 12).

Bug fixes

• The Onegini Token Server will prevent access tokens from being removed right after they have been created to allow potentially queued requests to complete successfully. The length of the period can be configured via application property, please refer to the OAuth section in the configuration properties for more details.

10.3.6

Bug fixes

• Make SameSite=None the default for all cookies

10.3.5

Bug fixes

• Add an index for Microsoft SQL Server database type to enhance performance.

10.3.4

Improvements

• Improved monitoring of the application status.
• Modified the default timeout settings for connections to Redis. Refer to the changed defaults for Redis timeouts for the new default values.

10.3.3

Bug fixes

• Added missing database indexes for Microsoft SQL Server database type.

10.3.2

Improvements

• New configuration options to close http connections when calling external APIs that take too long to respond. Please check the upgrade instructions since the defaults have been updated.

Bug fix

• Pagination has been fixed when a filter on event types is applied in the Activity section of the admin console

10.3.1

Improvement

• Return scopes in the JWT Access Token as specified in the latest draft of the Token exchange response specification.

Bug fix

• Make error handling more robust in the App to Web SSO flow.

10.3.0

Feature

• Tighter integration between the Mobile SDK and Consumer Identity Manager: the configured external identity providers in the Onegini Identity provider (e.g. Sign in with Apple, Facebook, DigiD) can be exposed to the Onegini Mobile SDK.

Improvements

• Custom parameters can be sent to the Consumer Identity Manager for use in Thymeleaf templates and Session API
• Deleting certain entities in the Admin console gives a a confirm with more detailed information about their usage.

Bug fixes

• The OpenID Connect End Session endpoint combined with SAML Single Logout is now fixed when the Consumer Identity Manager and the Onegini Token Server are deployed on different domains. The user is now correctly sent to the Post logout URL of the Relying Party after successful logout.
• SAML Single Logout combined with unique entity id per client is fixed. The user is now correctly redirected back to the SAML identity provider.

10.2.0

Feature

• Ability to report security issues directly to Onegini via the Responsible disclosure policy.

Bug fixes

• Fixed a typo in the OpenID Connect Discovery API for the key id_token_signing_alg_values.
• The openid scope can no longer be edited or deleted via the Admin console.

10.1.1

Improvement

• An API client can be bootstrapped via environment variables to further automate deployments.

Bug fix

• Fixed a race condition that could occur during the start up of the Admin console.

10.1.0

Features

• Applications can preselect an external identity provider in Onegini CIM for authentication.
• The Token Server communicates to Onegini CIM that the login flow is triggered by the mobile app.

Improvement

• App to Web SSO uses the new dedicated App to Web action token in Onegini CIM.

Bug fixes

• Fix compatibility issues with the APNs push library.
• Upgrade third party libraries with known vulnerabilities.

10.0.1

Improvements

• Give the ability to skip cache when using Token Introspection and User info endpoints.
• Added Public Base Uri configuration for the Onegini Identity provider.

Bug fixes

• Fixed configuration issue with in-memory password authentication after Spring Boot 2 upgrade.

10.0.0

Features

• New identity provider type: Onegini Identity provider for easier integration with Onegini CIM.
• App to Web SSO functionality for mobile devices.
• SAML SP binding order can be rearranged.
• Geolocation data is available when using Mobile Authentication with Push or One Time Password (OTP).
• New API to manage Application versions.
• Ability to use JSON Web Tokens (JWT) as Access tokens for Web clients.
• OpenID Connect: encrypt ID Tokens.
• Events API delivers details about operations executed within the Onegini Token Server.

Improvements

• Zip archives loaded into the system are checked against most common vulnerabilities.
• SAML signature and encryption can be configured with PEM encoded PKCS #8 RSA keys.
• Added support for PEM encoded PKCS #8 RSA keys in the certificate configuration of a SAML Identity provider.
• SAML IdP Metadata URI cache TTL can be configured.
• The Application identifier is added to the response for available authentication options for a user .
• Token Introspection will include updated Person API details if the User Info endpoint is configured.
• Added bulk delete support to the Device API when using a list of device identifiers.
• Templates have been migrated to ThymeLeaf 3.0.
• Locale can be passed to Onegini CIM.
• Upgraded to Spring Boot 2.
• Switched to OpenJDK 11 in Docker images.
• UX improvements in the Admin console.
• Application Property changes via the Admin console no longer require the Onegini Token Server(s) to restart for changes to take effect.
• Some of the caches can be cleared from the Admin console.
• Added support for acr_values with OpenID Connect.

Bug fixes

• Specifying an Identity Provider (IdP) in the Authorization flow now works as expected.
• SAML SP will check with the IdP's capabilities when choosing the binding protocol.
• Admin/Config API list response is aligned with the documentation.
• Authentication Level is properly passed back in user details when using the ROPC grant type.
• Mobile Auth v4 with push allows for SMS fallback when no device_id is provided.
• API exceptions will no longer return HTML in some situations.
• Minor JavaScript issues have been fixed in the Admin console.
• Refresh Token exchange is more reliable for mobile applications.