Unit4 Identity Services 3.1.0 release notes
Released December 18th 2018
About this release
This release is version 3.1.0 of the Unit4 Identity Services (U4IDS). These release notes contain important information about U4IDS and provide an overview of features included in this release, important information, bug fixes and known issues.
Features included in this release
The following features are included in this release:
Consent, IdP selection and partial login screens are now localized based on browser settings.
Localized scope text
IDS 3.1.0 supports setting up multiple localized scope texts.
It is now possible to localize the display name and the description of standard or custom scopes. Translations can be added, maintained or removed in the IDS Portal or by using the IDS Admin Api directly. Standard scopes have a default translation for certain languages, but these can be overridden if required.
Showing last used
You can now see when Scopes and Clients were last used, either directly in the IDS Api or in the IDS Portal.
In 3.1.0 the portal web app only supports adding one IDS in Application settings. Additional IDS Instances can be added in the new IDS configuration wizard and will be stored in the portal.
You can now add localized texts for Scopes from Scope details.
You can also check when a Scope or Client was last used by checking Last used in the details.
You can now get last used information for scopes and clients. Append /lastused to your path for getting a Scope or Client, e.g.:
Localized text for scopes
The Administration API now contains endpoints to support the configuration of multiple localized texts for scopes. You find an overview of all endpoints for scopes here: Scope endpoints
Authorization now takes into account the differences between a tenant administrator and a traditional IDS administrator and their rights according to their roles. Unless you are a tenant administrator, you only have access to clients that you own, and scopes that have the flag AllowedForTenantSpecificClients set to true.
Secrets are no longer separate entities in the audits table. Any change to a secret is logged as an update of the client/scope it belongs to.
Since we are storing the complete entity (serialized json text) every time an entity is changed/added/deleted, the audits table quickly became very large. We are now storing audits in a compressed format.
You can get the size of the Audits table from the following endpoint:
You can purge the audits table if you have administrator rights. You do this using the api/v3/admin/audits/purge endpoint (see U4IDS Admin API)
It is now possible to store the audit entities in Azure Blob Storage. This is not recommended though, since it has a huge performance impact. Also, since we are using compression, it should probably not be necessary. However, if you want to use this feature, add a new Connection string to your appsettings called "AuditStore", with the connection to your blob storage. If this connection string exists, the AdminAPI will use Blob storage for audits. You can stop using blob storage by setting this parameter to an empty string, or removing it.
We created a new NuGet (U4.IdentityServices.EF) for accessing the configuration database. It is intended for internal use. In the AdminAPI, all the code for accessing the database is removed, and we are using this NuGet instead.
Stopped support for v1
Note: Administration API 3.1 no longer supports v1 administration interfaces.
Migrating from 3.0 to 3.1
Migration of the database is done when the AdminAPI app service starts up. If you have a large Audits table, this can take a long time, and you might get a timeout error. There are two ways of handling it:
- Empty the Audits table before migrating
- Set the app setting EntityFramework:CommandTimeout (seconds) to a suitable value
We recommend the first option. The best way to empty the table is to use the command:
truncate table Audits
If you want to keep the last 5 entries for each entity, you can use this command:
DELETE FROM Audits WHERE AuditId NOT IN (SELECT AuditId FROM (SELECT EntityId, AuditId, Row_Number() OVER (PARTITION BY EntityId ORDER BY LastUpdate DESC) AS Cnt FROM Audits) all_audits WHERE all_audits.Cnt <= 5 )
If your table is 1Gb or larger, copying or deleting might take a long time, and require a large log. The truncate command doesn't log, so it's much faster.
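A way to rehearse the keep-last-5 statement before running it against the real Audits table, added here as an example and not part of the Unit4 notes. It assumes SQLite as a stand-in for the production database and a three-column table built from the column names in the statement; the rows are constructed.

```python
import sqlite3

# The retention statement from the notes, only re-wrapped across lines.
KEEP_LAST_5 = """
DELETE FROM Audits WHERE AuditId NOT IN (
  SELECT AuditId FROM (
    SELECT EntityId, AuditId,
           Row_Number() OVER (PARTITION BY EntityId ORDER BY LastUpdate DESC) AS Cnt
    FROM Audits) all_audits
  WHERE all_audits.Cnt <= 5)
"""

def build_sample(conn):
    """Constructed rows: 'client-a' has 8 audit entries, 'scope-b' has 3."""
    conn.execute("CREATE TABLE Audits (AuditId INTEGER PRIMARY KEY, "
                 "EntityId TEXT, LastUpdate TEXT)")
    rows = [("client-a", f"2018-12-{d:02d}") for d in range(1, 9)]
    rows += [("scope-b", f"2018-11-{d:02d}") for d in range(1, 4)]
    conn.executemany("INSERT INTO Audits (EntityId, LastUpdate) VALUES (?, ?)", rows)
    conn.commit()

def dry_run(conn):
    """Apply the delete in a transaction, measure its effect, then roll back."""
    before = conn.execute("SELECT COUNT(*) FROM Audits").fetchone()[0]
    deleted = conn.execute(KEEP_LAST_5).rowcount  # opens an implicit transaction
    kept = dict(conn.execute(
        "SELECT EntityId, COUNT(*) FROM Audits GROUP BY EntityId"))
    oldest = dict(conn.execute(
        "SELECT EntityId, MIN(LastUpdate) FROM Audits GROUP BY EntityId"))
    conn.rollback()  # nothing is removed; the audit trail is intact
    restored = conn.execute("SELECT COUNT(*) FROM Audits").fetchone()[0] == before
    return deleted, kept, oldest, restored

if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")
    build_sample(conn)
    deleted, kept, oldest, restored = dry_run(conn)
    print("rows that would be deleted:", deleted)
    print("rows kept per entity:", kept)
    print("oldest entry kept per entity:", oldest)
    print("table restored after rollback:", restored)
```

The oldest-kept date per entity shows how far back the audit history will reach after the real delete, which is worth recording before the migration.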
In 3.1.0 the Administration SDK has gained support for configuring multiple localized texts for scopes. The SDK is backwards compatible with older versions of IDS. Older SDKs are forward compatible with IDS 3.1, but cannot be used to configure localized texts for scopes.
In previous versions, changing the tenant parameter in requests while still having a valid session did not change the tenant in the id token. Now the change is discovered and the prompt=login parameter is added to reauthenticate the user.
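A sketch of the check described above, added here as an example and not Unit4's implementation. The query parameter name `tenant`, the host and the authorize path are assumptions; rejecting `prompt=none` with `login_required` follows OpenID Connect Core, where that value forbids showing a login screen.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

def enforce_tenant_reauth(authorize_url, session_tenant, tenant_param="tenant"):
    """Return the authorize URL, with prompt=login added when the requested
    tenant differs from the tenant bound to the existing session.

    session_tenant is None when there is no valid session.
    tenant_param is a hypothetical parameter name.
    """
    parts = urlsplit(authorize_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    params = dict(query)
    requested = params.get(tenant_param)

    # No session, no tenant in the request, or same tenant: nothing to enforce.
    if session_tenant is None or requested is None or requested == session_tenant:
        return authorize_url

    # prompt is a space-delimited list; "none" cannot be combined with "login".
    prompts = params.get("prompt", "").split()
    if "none" in prompts:
        raise PermissionError("login_required")
    if "login" not in prompts:
        prompts.append("login")

    query = [(k, v) for k, v in query if k != "prompt"]
    query.append(("prompt", " ".join(prompts)))
    return urlunsplit(parts._replace(query=urlencode(query)))

# Constructed request for illustration.
SAMPLE = ("https://ids.example.test/connect/authorize"
          "?client_id=app&tenant=contoso&scope=openid")

if __name__ == "__main__":
    print(enforce_tenant_reauth(SAMPLE, "contoso"))   # same tenant: unchanged
    print(enforce_tenant_reauth(SAMPLE, "fabrikam"))  # tenant switch: prompt=login
```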
Better error reporting
In 3.1.0. tenant configuration mismatch ended up in a blank screen. Missing access privileges were reported as "Maybe you are using a bookmarked login page". Now it has been improved.
Bugs fixed in this release
- Fixed: IDS portal no longer has problems adding multiple claims in IE 11.
- Fixed: IDS portal no longer shows secret in uri when creating new client.
- Fixed: IDS Api allows contributors to delete Scopes, Clients and Tenants.
- Fixed: Redis connection error forces a reconnect, see configuration description.
- Fixed: Discovery requests will execute faster - unnecessary warm-up of cache removed.
- U4IDS does not have a feature to store SAML IdP metadata. IdP metadata must be accessible publicly on the provider site, or placed on a publicly available place (e.g. DropBox, Azure Storage, OneDrive or similar).
- IDS 3.1.0 no longer supports the v1 administration interfaces
- Migration from v1 administration interfaces must be done on IDS 2.1 first. There is no migration solution from 1.x directly to 3.1.0.
- There are no PowerShell scripts to update Localized scope texts.
- Migrating from 3.0 to 3.1 can take a long time if the Audits table is large (see section about migration further up)