Unit4 Identity Services 1.3.1 release notes

Released 9th June 2017

About this release

This release is version 1.3.1 of the Unit4 Identity Services (U4IDS). These release notes contain important information about U4IDS and provides an overview of features included in this release, important information, bug fixes and known issues.

Features included in this release

The following features are included in this release:

User permission screen

The permission screen was available in release 1.3.0, but was only accessible for users that were already logged in. New in this release is that it is possible to login to the permission screen if you provide the tenant.

Configurable OpenID Connect (OIDC) options for a tenants

The default authentication flow supported for the tenants using the OpenID Connect protocol is hybrid flow (response_type is code id_token). To support more OIDC providers administrators can now change the following OIDC options on the tenant (new config property openIDConnectOptions):

• response_type: Override this if the Identity Provider does not support default response_type. Default response_type is code id_token
• scope: Override this if the Identity Provider does not accept the default scopes. Default scope is openid profile email offline_access. Note that offline_access is not requested externally unless the requesting client is.

It is not possible to override response_mode through configuration. IDS will always request form_post. Identity providers could disregard this and still use query. See next feature.

Support for OpenID Connect IdPs that use Auth Code flow

Earlier versions of IDS required IODC providers to support Hybrid flow with refresh tokens. This release provides support for IdPs that support simpler flows.

• AuthCode flow (response_type code).
• AuthCode flow (response_mode query). Note that IDS will only accept response_mode query in combination with response_type code. For response_type code id_token or similar, response_mode form_post must be used. IDS will block passing tokens with response_mode query for security reasons.
• AuthCode flow without refresh_token. When no refresh_token is sent by the identity provider IDS will still log in the user. Note that IDS will not be able to link internal refresh tokens to external when this is the case.

The above features are implemented by the callback on the IDS. The handling will be done based on the parameters to the callback endpoint and unrelated to the optionally configured overrides in openIDConnectOptions.

Verified IdPs

This version has been tested and verified with the following IdPs:

• SURFConext (SAML and IODC)
• Google (SAML and OIDC)
• SSO Circle (SAML)
• PingOne (SAML)
• ADFS (WS-FED)
• AAD 1.0 (OIDC)
• AAD 2.0 (OIDC)

Note that this is not an excluding list.

Bugs fixed in this release

• Fixed: When having several tenants with saml2 as protocol, IDS could redirect to the wrong SAML idp.
• Fixed: IDS in some configuration error conditions showed a crash screen (Yellow Screen of Death).
• Fixed: Powershell commandlets sometimes failed when updating collections.

Enhancements

• Consent screen: Scopes that require consent are no longer pre-ticked.
• IDS landing page: Landing pager redirects to API explorer (Swagger UI). When Swagger UI is disabled it would show an 404 not found page. This is now showing a blank page.
• Upgraded thirdparty libraries: Microsoft.Owin 1.3.0 and Kentor AuthServices 0.21.2

Known issues

• IDS does not have a feature to store SAML idp metadata. Idp metadata must be accessible publically on the provider site, or placed on a publically available place (e.g. DropBox, Azure Storage, OneDrive or similar).
• IDS can only act as a single SAML SP (system configured), but have many tenants with different IdPs.
• IDS does not expose SAML SP metadata. When this is needed, you can use a generator like provided by SSO circle
• IDS does not support single logout towards Google as it has a custom logout page. IDS only support protocol logout (when described in the OIDC provider's metadata)
• When setting client config allowAccessAllScopes to false using powershell, the registration changes it to true. To set to false, omit the parameter as the default is false.
• Powershell commandlets not updated to support the new openIDConnectOptions tenant configuration yet.