Unit4 Identity Services 2.1.0.0 release notes

Released June 1st 2018

About this release

This release is version 2.1.0.0 of the Unit4 Identity Services (U4IDS). These release notes contain important information about U4IDS and provide an overview of the features included in this release, important information, bug fixes and known issues.

Important: On premise installation of U4IDS is not supported

Unit4 Identity Services is not available as an installable service. Unit4 only provides U4IDS as a multi-tenant cloud service. On-premise support was removed from U4IDS in version 1.3.0. Client applications can use IDS as a cloud service even if the application itself is installed on-premise.

Features included in this release

The following features are included in this release:

Administration Portal

The administration portal allows IDS administrators to configure tenants, scopes and clients through an easy-to-use graphical interface. The portal is an administrator's tool and is delivered as a micro-service, separate from the IDS core system and with a separate release cycle. Version 1.0 of the portal was released at the same time as Identity Services 2.0. The same portal can be used to administer several IDS instances of different versions, but some features, such as audit history, are only available for 2.0 instances and later.

In 2.1.0 the portal has been redesigned.

Administration API v2

Identity Services 2.0 introduced a new administration API. This API was separated from the core service and runs as a micro-service on a separate site. Read more about the portal in the 2.0 release notes.

In 2.1.0 the migration has been improved, and PowerShell tools are available to switch an upgraded IDS to the v2 admin interfaces.

Administration SDK

A client-side .NET library for programmatically configuring IDS was made available at the same time as IDS 2.0. It can be downloaded as the NuGet package U4.IdentityServices.AdminSdk from https://packages.u4pp.com/nuget. This is useful for all services that need to self-provision in Identity Services. The library can be used from both .NET Full and .NET Core. The SDK auto-discovers which version of the administration API is used by the targeted IDS, so programmers can build solutions that are version independent.

In 2.1.0 the Administration SDK has gained support for maintaining the partial login settings and the OpenID Connect options.

New Administration PowerShell Commandlets

In 2.0 new and improved PowerShell cmdlets for administering Identity Services were made available. They can be installed as the NuGet package U4.IdentityServices.PowerShell from https://packages.u4pp.com/nuget. The new PowerShell cmdlets can be used against both older versions of IDS and 2.0 instances using the secure administration interfaces.

In 2.1.0 the administration PowerShell cmdlets have received minor updates based on user feedback.

Verified IdPs

This version has been tested and verified with the following IdPs:

  • SURFConext (SAML and OIDC)
  • Google (SAML and OIDC)
  • SSO Circle (SAML)
  • PingOne (SAML)
  • FEIDE (SAML)
  • ADFS (WS-FED)
  • AAD 1.0 (OIDC)
  • AAD 2.0 (OIDC)
  • OKTA (OIDC)

Note that this list is not exhaustive; IdPs not listed are not excluded.

Bugs fixed in this release

  • Fixed: Partial login searched first by domain, then by company name and last by tenant description. The new allowPartialLogin parameter must be true for a tenant to be discoverable.
  • Fixed: The default expiry of auto-generated or programmatically added secrets is "never expires". The default expiry of secrets manually added through the portal is two years.

Enhancements

  • login_hint: Clients can now use the OpenID Connect parameter login_hint to indicate the domain for partial login. The login_hint is also forwarded externally to an OpenID Connect IdP for handling there.
  • allowPartialLogin: Tenant configuration now includes an allowPartialLogin parameter, which defaults to false. If true, the tenant is searchable in a partial login experience.
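The two enhancements above interact: a client supplies login_hint, and only tenants that have opted in with allowPartialLogin can be found from it. The following Python illustration is an added example, not U4IDS code or its data model: the tenant records, the discover_tenant lookup, the authorize endpoint URL and the parameter names other than login_hint and allowPartialLogin are all constructed assumptions. It shows a client building a standard OIDC authorization request that forwards login_hint, and a hypothetical service-side lookup that derives a domain from the hint and refuses to reveal tenants that have not opted in.

```python
"""Illustration of login_hint-driven partial login gated by allowPartialLogin.
Constructed example: the tenant directory and lookup are hypothetical and
do not reflect the U4IDS implementation."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed tenant directory (hypothetical shape, not the U4IDS data model).
TENANTS = [
    {"id": "t-acme", "domains": ["acme.example"],
     "companyName": "Acme Corp", "allowPartialLogin": True},
    {"id": "t-globex", "domains": ["globex.example"],
     "companyName": "Globex", "allowPartialLogin": False},   # opted out
    {"id": "t-initech", "domains": ["initech.example", "initech-corp.example"],
     "companyName": "Initech", "allowPartialLogin": True},
]


def domain_from_login_hint(login_hint):
    """Accept 'user@domain' or a bare domain; return the normalised domain or None.

    Anything that is not a plausible sequence of DNS labels is rejected so an
    arbitrary string in login_hint cannot reach the tenant lookup."""
    if not login_hint:
        return None
    hint = login_hint.strip().lower()
    if "@" in hint:
        local, _, domain = hint.rpartition("@")
        if not local or not domain:
            return None
        hint = domain
    labels = hint.split(".")
    if not all(label and label.replace("-", "").isalnum() for label in labels):
        return None
    return hint


def discover_tenant(login_hint, tenants=TENANTS):
    """Return the id of the tenant owning the hinted domain, but only if that
    tenant has allowPartialLogin set; tenants that opted out stay invisible
    even when the domain matches."""
    domain = domain_from_login_hint(login_hint)
    if domain is None:
        return None
    for tenant in tenants:
        if tenant["allowPartialLogin"] and domain in tenant["domains"]:
            return tenant["id"]
    return None


def build_authorize_url(authorize_endpoint, client_id, redirect_uri, scope,
                        login_hint=None, state=None, nonce=None):
    """Build an OIDC authorization-code request, forwarding login_hint when given.

    authorize_endpoint is assumed to be the IdP's authorization endpoint URL;
    state and nonce are generated when the caller does not supply them."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state or secrets.token_urlsafe(16),
        "nonce": nonce or secrets.token_urlsafe(16),
    }
    if login_hint:
        params["login_hint"] = login_hint
    return f"{authorize_endpoint}?{urlencode(params)}"


def query_params(url):
    """Parse the query string of a URL into a dict of lists (helper for checks)."""
    return parse_qs(urlparse(url).query)


if __name__ == "__main__":
    url = build_authorize_url("https://ids.example/connect/authorize",  # assumed endpoint
                              "demo-client", "https://app.example/signin-oidc",
                              "openid profile", login_hint="alice@acme.example")
    print(url)
    print(discover_tenant("alice@acme.example"))   # tenant opted in
    print(discover_tenant("bob@globex.example"))   # opted out: not discoverable
```

The service-side lookup deliberately returns the same result (None) for an unknown domain and for a tenant that has not opted in, so a partial login prompt does not become a way to confirm which domains exist.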

Known issues

  • The U4IDS Administration API does not accept 'Reference' type authorization tokens. The issue has been identified and a fix will be issued. Use AccessTokenType 'Jwt' until this is fixed.
  • U4IDS does not have a feature to store SAML IdP metadata. IdP metadata must be accessible publicly on the provider site, or hosted at a publicly reachable location (e.g. DropBox, Azure Storage, OneDrive or similar).
  • U4.IdentityServices.Admin.PSCmdlets will not work against IDS 2.0 instances that use the new administration API. Upgrade scripts to use the U4.IdentityServices.PowerShell module.
  • U4IDS no longer automatically redirects to the OpenAPI documentation for API v1 in development mode. This is intentional.