Unit4 Identity Services 1.4.0.0 release notes

Released January 29th 2018

About this release

This release is version 1.4.0.0 of the Unit4 Identity Services (U4IDS). These release notes contain important information about U4IDS and provides an overview of features included in this release, important information, bug fixes and known issues.

Important: On premise installation of U4IDS is not supported

Unit4 Identity Services is not available as an installable service. Unit4 only provides U4IDS as a multi-tenant cloud service. On premise support has been removed from U4IDS.

Features included in this release

The following features are included in this release:

Support for multiple SAML-SP Identities

U4IDS can now be configured to have multiple SAML-SP identities. This is useful when several tenants use SAML against the same SAML-IDP federation, and each have to be configured separately on the IDP side. Tenants can be assigned to one of the additional SAML-SP entities using 'saml2-sp1', 'saml2-sp2' and so on in the protocol setting of their tenant configuration.

Send id_token_hint to external OIDC providers at logout

U4IDS will now keep external id_tokens encrypted in the database, and pass them as id_token_hint to the external provider at logout. This makes U4IDS support logout from OIDC providers like OKTA that operate with id_token_hint as a mandatory parameter.

Support for discovery when clients do not send tenant id to authorize endpoint

U4IDS will now provide a partial login experience when clients do not send acr_values. Only tenants that enroll / configure to participate in the partial login will be discoverable (AllowPartialLogin).

Verified IdPs

This version has been tested and verified with the following IdPs:

• SURFConext (SAML and IODC)
• Google (SAML and OIDC)
• SSO Circle (SAML)
• PingOne (SAML)
• FEIDE (SAML)
• ADFS (WS-FED)
• AAD 1.0 (OIDC)
• AAD 2.0 (OIDC)
• OKTA (OIDC)

Note that this is not an excluding list.

Bugs fixed in this release

• Fixed: PUT on Admin API could remove existing client/scope secrets, causing hard to find bugs to appear in client applications. PUT now never touches any existing secrets.
• Fixed: It was possible to use disabled clients against authorize and token endpoints.
• Fixed: Powershell commandlets sometimes failed when updating collections.

Enhancements

• Upgraded thirdparty libraries: IdentityServer3 2.6.1
• SAML-SP metadata: U4IDS serves SAML-SP metadata (identity/AuthServices for the default SP or identity/AuthServices-sp1 and so on for additional SP entities).
• Client claims for all flows: Client configuration can now use the AlwaysSendClientClaims flag. This enables fixed client claims for all flows, not only ClientCredentials flow.
• Custom logout endpoints: Custom logout endpoint can be configured for tenants that use OpenID Connect. This enables for instance logout from Google.
• Secure API Config: Guide for secure configuration of IDS admin API (bearer token authentication) has been improved and standard naming for clients and scopes here has been standardized.
• Logging: Improved information in certain logging texts.
• Application Insights: Tested support for tracing to Application Insights in SaaS environments.

Known issues

• U4IDS does not have a feature to store SAML idp metadata. Idp metadata must be accessible publicly on the provider site, or placed on a publicly available place (e.g. DropBox, Azure Storage, OneDrive or similar).
• Powershell commandlets not updated to support the new openIDConnectOptions tenant configuration yet.