Unit4 Identity Services 2.0.0.0 release notes
Released April 13th 2018
About this release
This release is version 2.0.0.0 of the Unit4 Identity Services (U4IDS), the second major release of the services. These release notes contain important information about U4IDS and provide an overview of features included in this release, important information, bug fixes and known issues.
Important: On-premise installation of U4IDS is not supported
U4IDS is not available as an installable service. Unit4 only provides U4IDS as a multi-tenant cloud service. On-premise support was removed from U4IDS in version 1.3.0. Client applications can use IDS as a cloud service even when the application itself is installed on-premise.
Features included in this release
The following features are included in this release:
Administration Portal
The administration portal allows IDS administrators to configure tenants, scopes and clients through an easy-to-use graphical interface. The portal is an administrator's tool and is delivered as a micro-service, separately from the IDS core system and with its own release cycle. Version 1.0 of the portal is released at the same time as Unit4 Identity Services 2.0. The same portal can be used to administer several IDS instances of different versions, but some features, such as audit history, are only available for 2.0 instances and later.
Administration API v2
Identity Services 2.0 introduces a new administration API. This API has been separated from the core service and runs as a micro-service on a separate site. This separation improves security because the IDS runtime features (authenticating users and issuing tokens) and the configuration-changing features can now be segregated at the infrastructure level. The administration API has been rewritten with a new storage solution and stricter validation, both to avoid misconfiguration and to provide better guidance at configuration time. The new administration API only allows the more secure bearer token method of authentication, and applies end user authorization using either external roles or internal roles managed in the Access Management micro-service. Further, the administration API now tracks all changes made to the configuration, which makes it easier to troubleshoot errors introduced by configuration changes.
API version 2 is not backwards compatible with the first version of the API. It is possible to upgrade an IDS from version 1.4 to 2.0 and keep using the original administration API, but we advise migrating to the more secure 2.0 version in a timely fashion. When IDS is configured to use the new configuration stores managed by the new administration API, the existing /api endpoints are disabled and all configuration must be done through the new API site.
Administration SDK
A client-side .NET library for programmatically configuring IDS is now available. It can be downloaded as the NuGet package U4.IdentityServices.AdminSdk from https://packages.u4pp.com/nuget. This is useful for all services that need self-provisioning features against Identity Services. The library can be used from both .NET Full and .NET Core. The SDK auto-discovers which version of the administration API the targeted IDS uses, so programmers can build solutions that are version independent.
New Administration PowerShell Commandlets
New and improved PowerShell Commandlets for administering Identity Services have been made available. They can be installed as the NuGet package U4.IdentityServices.PowerShell from https://packages.u4pp.com/nuget. The new PowerShell commandlets can be used against both older versions of IDS and 2.0 instances using the secure administration interfaces.
The existing U4.IdentityServices.Admin.PSCmdlets module only supports version 1.4 and below, because it can only connect to the older admin API interfaces. This PowerShell module is now considered obsolete. To avoid naming conflicts when installing the new PowerShell module, the new commandlets are prefixed with U4IDS instead of IdentityServices.
Partial login support
U4IDS now provides a partial login experience when clients do not send acr_values. Only tenants that are configured to participate in partial login (AllowPartialLogin) are discoverable.
End user access to consent overview
End users can now log on to the IDS at https://myidsserver.com/identity/userpermissions?tenant=mytenantid to get an overview of the consents they have given to different client applications. Users can also revoke consents they have previously given. We recommend that clients include this link in an appropriate place in their user interface, so users have easy access to the permissions they have granted.
Claims upgrade flow
Support for a new custom grant flow called claims_upgrade has been added. This flow allows privileged clients to inject claims into an access token in a controlled and secure fashion. U4IDS takes an existing access token, plus a set of new claims provided by the client, and issues a new signed access token carrying these claim values in addition to the original ones. The intended use of this flow is to let information-owning services, such as Unit4 Access Management, securely amend defined types of identity claims, like u4_role, to access tokens. This pattern reduces chattiness between validators of these claims and the owner service.
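The controlled re-issue described above, as an added illustration that is not U4IDS code: the server verifies the incoming token before trusting it, accepts the grant only from a privileged client, and amends only whitelisted claim types. The HS256 signing key, the client identifier "access-management" and the whitelist of upgradable claims are constructed for this example; only u4_role comes from the release notes.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key; the real IDS signs with its own keys (not described here).
SIGNING_KEY = b"demo-signing-key-not-for-production"
# Claim types a claims_upgrade may amend (u4_role is named on the page; the
# whitelist itself is an assumption of this example).
UPGRADABLE_CLAIMS = {"u4_role"}
# Clients permitted to use the custom grant (constructed identifier).
PRIVILEGED_CLIENTS = {"access-management"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(claims: dict) -> str:
    """Issue a compact HS256 token (stand-in for the IDS token signer)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(token: str) -> dict:
    """Check signature and expiry before trusting any claim in the token."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    return claims

def claims_upgrade(client_id: str, access_token: str, new_claims: dict) -> str:
    """Re-issue the token with extra claims: privileged clients only,
    whitelisted claim types only, and never overwrite an existing claim."""
    if client_id not in PRIVILEGED_CLIENTS:
        raise PermissionError("client not allowed to use claims_upgrade")
    disallowed = set(new_claims) - UPGRADABLE_CLAIMS
    if disallowed:
        raise ValueError(f"claim types not upgradable: {sorted(disallowed)}")
    claims = verify_token(access_token)  # reject forged or expired input first
    for name, value in new_claims.items():
        if name in claims:  # an upgrade may add, never replace, what IDS asserted
            raise ValueError(f"claim already present: {name}")
        claims[name] = value
    return sign_token(claims)
```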
Verified IdPs
This version has been tested and verified with the following IdPs:
- SURFConext (SAML and OIDC)
- Google (SAML and OIDC)
- SSO Circle (SAML)
- PingOne (SAML)
- FEIDE (SAML)
- ADFS (WS-FED)
- AAD 1.0 (OIDC)
- AAD 2.0 (OIDC)
- OKTA (OIDC)
Note that this is not an exhaustive list.
Bugs fixed in this release
- Fixed: Case-insensitive tenant id. Previously the tenant acr_value had to be passed exactly as it was originally stored; the tenant acr_value is now treated case-insensitively.
Enhancements
- Improved runtime errors: for some configuration-related errors, IDS 2.0 displays more understandable messages instead of only "Please contact your system administrator".
Known issues
- U4IDS cannot store SAML IdP metadata. IdP metadata must be publicly accessible on the provider's site, or placed in a publicly available location (e.g. Dropbox, Azure Storage, OneDrive or similar).
- U4.IdentityServices.Admin.PSCmdlets will not work against IDS 2.0 instances that use the new administration API. Upgrade scripts to use the U4.IdentityServices.PowerShell module instead.
- U4IDS does not support login_hint. This is planned for the next minor update.
- U4IDS no longer automatically redirects to the OpenAPI documentation for API v1 in development mode. This is intentional.