Unit4 Identity Services 2.0.0.0 release notes

Released April 13th 2018

About this release

This release is version 2.0.0.0 of the Unit4 Identity Services (U4IDS), the second major release of the services. These release notes contain important information about U4IDS and provide an overview of features included in this release, important information, bug fixes and known issues.

Important: On-premise installation of U4IDS is not supported

U4IDS is not available as an installable service. Unit4 only provides U4IDS as a multi-tenant cloud service. On-premise support was removed from U4IDS in version 1.3.0. Client applications can use IDS as a cloud service even if their application is installed on-premise.

Features included in this release

The following features are included in this release:

Administration Portal

The administration portal allows IDS administrators to configure tenants, scopes and clients with an easy-to-use graphical interface. The portal is an administrator's tool and delivered as a micro-service separately from the IDS core system and with a separate release cycle. Version 1.0 of the portal is released at the same time as Unit4 Identity Services 2.0. The same portal can be used to administer several IDS instances of different versions, but some features like audit history are only available for 2.0 instances and later.

Administration API v2

Identity Services 2.0 introduces a new administration API. This API has been separated from the core service and runs as a micro-service on a separate site. This separation improves security because it makes it possible to distinguish, at the infrastructure level, between using the IDS runtime features and changing the configuration. The administration API has been rewritten with a new storage solution and stricter validation, to avoid misconfiguration and to give better guidance at configuration time. The new administration API only allows the more secure bearer token method of authentication, and applies end-user authorization using either external roles or internal roles managed in the Access Management micro-service. Further, the administration API now tracks all changes made to the configuration, which makes it easier to troubleshoot errors introduced by configuration changes.

API version 2 is not backwards compatible with the first version of the API. It is possible to upgrade an IDS from version 1.4 to 2.0 and keep using the original administration API, but we advise migrating to the more secure 2.0 version in a timely fashion. When IDS is configured to use the new configuration stores managed by the new administration API, the existing /api endpoints are disabled and all configuration must be done through the new API site.

Administration SDK

A client-side .NET library for programmatically configuring IDS is now available. It can be downloaded as the NuGet package U4.IdentityServices.AdminSdk from https://packages.u4pp.com/nuget. This is useful for all services that need self-provisioning against Identity Services. The library can be used from both .NET Full and .NET Core. The SDK will auto-discover which version of the administration API is used by the targeted IDS, so programmers can make solutions that are version independent.

New Administration PowerShell Commandlets

New and improved PowerShell Commandlets for administering Identity Services have been made available. They can be installed as the NuGet package U4.IdentityServices.PowerShell from https://packages.u4pp.com/nuget. The new PowerShell commandlets can be used against both older versions of IDS and 2.0 instances using the secure administration interfaces.

The existing U4.IdentityServices.Admin.PSCmdlets only support version 1.4 and below because they can only connect to the older admin API interfaces. This PowerShell module is now considered obsolete. To avoid naming conflicts when installing the new PowerShell module, the new commandlets are prefixed with U4IDS instead of IdentityServices.

Partial login support

U4IDS will now provide a partial login experience when clients do not send acr_values. Only tenants that enroll in the partial login, i.e. are configured with AllowPartialLogin, will be discoverable.

End users can now log on to the IDS at https://myidsserver.com/identity/userpermissions?tenant=mytenantid to get an overview of the consents they have given to different client applications. Users also have the option to revoke consents they have previously given. We recommend that clients include this link in an appropriate place in their user interface so users have easy access to the permissions they have granted.

Claims upgrade flow

Support for a new custom grant flow called claims_upgrade has been added. This flow allows privileged clients to inject claims into an access token in a controlled and secure fashion. U4IDS will take an existing access token, plus a set of new claims provided by the client, and issue a new signed access token carrying these claim values in addition. The intended use of this flow is to let information-owning services, such as Unit4 Access Management, securely amend defined types of identity claims, like u4_role, to access tokens. This pattern reduces chattiness between validators of these claims and the owner service.
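As an added illustration of the claims_upgrade pattern described above (this is not U4IDS code; the service signs with its own keys, and the client ids, per-client claim allow-list and HMAC signing used here are constructed assumptions), a minimal server-side model that only amends an allow-listed claim type for a privileged client, after verifying the incoming token, and re-signs the result:

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key and policy for this illustration only. The real IDS signing keys,
# client ids and permitted claim types are service configuration, not on this page.
SIGNING_KEY = b"constructed-demo-key"
# Which privileged clients may upgrade which claim types (u4_role is the page's example).
UPGRADE_POLICY = {"access-management": {"u4_role"}}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict) -> str:
    """Issue a compact HS256-style token (simplified stand-in for the IDS signer)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def issue_access_token(sub: str, lifetime: int = 600) -> str:
    """Issue an ordinary access token for a subject with the given lifetime in seconds."""
    return sign_token({"sub": sub, "exp": int(time.time()) + lifetime})


def verify_token(token: str) -> dict:
    """Return the claims if the signature is valid and the token has not expired."""
    header, body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    return claims


def claims_upgrade(client_id: str, token: str, new_claims: dict) -> str:
    """Model of the claims_upgrade grant: re-issue the token with allow-listed claims added."""
    allowed = UPGRADE_POLICY.get(client_id)
    if allowed is None:
        raise PermissionError(f"client {client_id!r} may not use claims_upgrade")
    rejected = set(new_claims) - allowed
    if rejected:  # protects sub, exp and any other claim type not delegated to this client
        raise PermissionError(f"client {client_id!r} may not set claims {sorted(rejected)}")
    claims = verify_token(token)  # never amend an unverified or expired token
    claims.update(new_claims)     # original claims are kept, the defined types are added
    return sign_token(claims)
```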

Verified IdPs

This version has been tested and verified with the following IdPs:

Note that this is not an exhaustive list.

Bugs fixed in this release

Enhancements

Known issues