Unit4 Identity Services 3.0.0 release notes

Released September 28th 2018

About this release

This release is version 3.0.0 of the Unit4 Identity Services (U4IDS). These release notes contain important information about U4IDS and provides an overview of features included in this release, important information, bug fixes and known issues.

Features included in this release

The following features are included in this release:

Multiple Identity Providers per tenant

IDS 3.0 supports setting up multiple identity providers (IdPs) per tenant. Users logging in to such a tenant will be presented with a choice of what idp to log in with. This enables organizations to allow users from different sources to log in to their systems.

A new claim login_idp is added to access and identity tokens, that clients can use to identify what IdP was used during authentication. One idp is designated as the default IdP, for configuration backwards compatibility. Clients can now send an acr_value of login_idp to optionally override and only allow one of the tenant's IdPs to be used.

Note: IDS does not attempt to identify or link users as the same person across the tenant's identity Providers. The user's subject and configured unit4_id is still used as a unique identifier and comes from the chosen idp.

Partial login

Partial login is now enabled by default. The user experience has been updated and minor improvements made to the flow. Tenants still need to opt in to allow partial login for them.

Consent screen and user permissions screen has been redesigned. On the user permissions screen users can now revoke individual consents per client. Client applications can link directly to only the consents granted to their applications by including a clientid in the /userpermissions link.

Administration Portal

In 3.0.0 the administration portal supports the notion of tenant administrators. A tenant administrator can view or edit their own tenant configuration and add tenant specific clients, but cannot access global configuration, add new tenants or scopes. The tenant administrator persona is a system administrator at a Unit4 customer. The feature is introduced to allow for a higher degree of self service of changes to the tenant's IdP trust relationships and the provisioning of clients to access the customer's Unit4 resources.

The administrator portal supports the new feature of setting up multiple IdPs per tenant. The portal will light up with this feature when the administrator is working against a 3.0 or higher IDS.

Access Management is used to differenciate between a user's affinity to their tenant and whether she is a tenant administrator or an IDS administrator. One tenant per IDS is designated as the IDS administration tenant. Users that log on with that tenant and have appropriate rights can manage the global setup, add tenants, scopes and clients like before.

Note: External IDS admin role is regarded as a deprecated feature and will be removed in future versions of IDS

Administration API

In 3.0.0 the Administration API contains v3 endpoints, to support the configuration of multiple IdPs per tenant. Authorization now takes into account the differences between a tenant administrator and a traditional IDS administrator and their rights according to their roles.

Note: IDS 3.0.0 is the last release that support optionally running the deprecated v1 administration interfaces.

Administration SDK

In 3.0.0 the Administration SDK has gotten support for configuring multiple IdPs per tenant. The SDK is backwards compatible with older versions of IDS. Older SDK's are forward compatible with IDS 3.0.0, but cannot be used to configure multiple idps per tenant.

Note: When using older SDKs towards tenant configuration, it is the default identity provider that is changed.

Administration PowerShell Commandlets

In 3.0.0 the PowerShell commandlets can be used to configure multiple IdPs per tenant. The commandlets are backwards compatible with older versions of IDS. We reccomend to update commandlets to the latest version.

Verified IdPs

This version has been tested and verified with the following IdPs:

Note that this is not an excluding list.

Bugs fixed in this release


Known issues