Unit4 Identity Services 3.1.0 release notes

Released December 18th 2018

About this release

This release is version 3.1.0 of the Unit4 Identity Services (U4IDS). These release notes contain important information about U4IDS and provide an overview of features included in this release, important information, bug fixes and known issues.

Features included in this release

The following features are included in this release:

Localized screens

Consent, Idp selection and partial login screens are now localized based on browser settings.

Localized scope text

IDS 3.1.0 supports setting up multiple localized scope texts.

It is now possible to localize the display name and the description of standard or custom scopes. Translations can be added, maintained or removed in the IDS Portal or by using the IDS Admin Api directly. Standard scopes have a default translation for certain languages, but these can be overridden if required.

Showing last used

You can now see when Scopes and Clients were last used, either directly in the IDS Api or in the IDS Portal.

Administration Portal

In 3.1.0 the portal web app only supports adding one IDS in Application settings. Additional IDS instances can be added in the new IDS configuration wizard and are stored in the portal.

You can now add localized texts for Scopes from Scope details.

You can also check when a Scope or Client was last used by looking at Last used in the details.

Administration API

LastUsed Endpoints

You can now get last used information for scopes and clients. Append /lastused to your path for getting a Scope or Client, e.g.:

/api/v3/clients/my_client/lastused

Localized text for scopes

The Administration API now contains endpoints for configuring multiple localized texts for scopes. You find an overview of all endpoints for scopes here: Scope endpoints

Tenant Authorization

Authorization now takes into account the differences between a tenant administrator and a traditional IDS administrator, and the rights that follow from their roles. Unless you are a tenant administrator, you only have access to clients that you own and to scopes that have the flag AllowedForTenantSpecificClients set to true.

Audit changes

Secrets are no longer separate entities in the audits table. Any change to a secret is logged as an update of the client/scope it belongs to.

Since the complete entity (serialized JSON text) is stored every time an entity is changed, added or deleted, the audits table quickly became very large. Audits are now stored in a compressed format.

You can get the size of the Audits table from the following endpoint:

/api/v3/admin/audits/statistics

You can purge the audits table if you have administrator rights, using the api/v3/admin/audits/purge endpoint (see U4IDS Admin API).

It is now possible to store the audit entities in Azure Blob Storage. This is not recommended, though, since it has a huge performance impact, and since audits are now compressed it should rarely be necessary. If you still want to use this feature, add a new connection string named "AuditStore" to your appsettings, with the connection to your blob storage. If this connection string exists, the AdminAPI uses Blob storage for audits. You can stop using blob storage by setting the value to an empty string or removing it.

U4.IdentityServices.EF NuGet

We created a new NuGet package (U4.IdentityServices.EF) for accessing the configuration database. It is intended for internal use. All database access code has been removed from the AdminAPI, which now uses this package instead.

Stopped support for v1

Note: Administration API 3.1 no longer supports v1 administration interfaces.

Migrating from 3.0 to 3.1

Migration of the database is done when the AdminAPI app service starts up. If you have a large Audits table, this can take a long time and you might get a timeout error. There are two ways of handling it:

  1. Empty the Audits table before migrating
  2. Set the app setting EntityFramework:CommandTimeout (seconds) to a suitable value

We recommend the first option. The best way to empty the table is the command:

truncate table Audits

If you want to keep the last 5 entries for each entity, you can use this command:

DELETE FROM Audits
WHERE AuditId NOT IN 
  (SELECT AuditId FROM 
    (SELECT EntityId, AuditId, Row_Number() 
      OVER (PARTITION BY EntityId ORDER BY LastUpdate DESC) AS Cnt 
     FROM Audits) all_audits 
   WHERE all_audits.Cnt <= 5 
  )

If your table is 1Gb or larger, copying or deleting the rows can take a long time and require a large transaction log. The truncate command doesn't log each deleted row, so it's much faster.
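If you need to keep the last entries per entity but the table is large, a batched variant of the keep-last-5 delete keeps every transaction small so the log does not grow to the size of the table. This is an added example, not part of the release notes; it assumes SQL Server (T-SQL) and the column names used above (AuditId, EntityId, LastUpdate), and the batch size is a placeholder to tune for your environment.

```sql
-- Added example, not from the release notes. Assumes SQL Server and the
-- Audits columns AuditId, EntityId and LastUpdate used in these notes.
-- Keeps the 5 newest audit rows per EntityId and deletes the rest in
-- batches of @BatchSize rows, so each transaction (and its log usage)
-- stays bounded even when the table is many gigabytes.
DECLARE @BatchSize INT = 10000;   -- placeholder; tune for your log size
DECLARE @Deleted   INT = 1;
DECLARE @Total     INT = 0;

WHILE @Deleted > 0
BEGIN
    -- Rank rows per entity, newest first; anything ranked above 5 is
    -- surplus. Re-ranking each batch is safe because only surplus rows
    -- are ever removed, so the 5 newest rows keep ranks 1..5.
    DELETE TOP (@BatchSize) a
    FROM Audits AS a
    WHERE a.AuditId IN (
        SELECT ranked.AuditId
        FROM (
            SELECT AuditId,
                   ROW_NUMBER() OVER (PARTITION BY EntityId
                                      ORDER BY LastUpdate DESC) AS Cnt
            FROM Audits
        ) AS ranked
        WHERE ranked.Cnt > 5
    );

    SET @Deleted = @@ROWCOUNT;
    SET @Total   = @Total + @Deleted;
    -- Each batch commits on its own (auto-commit). With the SIMPLE
    -- recovery model the log space is reusable after the next checkpoint;
    -- under FULL recovery, take log backups between runs instead.
END

SELECT @Total AS RowsDeleted;

-- Check: no entity should have more than 5 audit rows left (expect 0 rows).
SELECT EntityId, COUNT(*) AS Remaining
FROM Audits
GROUP BY EntityId
HAVING COUNT(*) > 5;
```

Run it during a maintenance window and confirm the final check returns no rows before starting the AdminAPI app service so the migration runs against the reduced table.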

Administration SDK

In 3.1.0 the Administration SDK has gained support for configuring multiple localized texts for scopes. The SDK is backwards compatible with older versions of IDS. Older SDKs are forward compatible with IDS 3.1, but cannot be used to configure localized texts for scopes.

Forced prompt=login

In previous versions, changing the tenant parameter in a request while a valid session still existed did not change the tenant in the id token. Now the change is detected and the prompt=login parameter is added to re-authenticate the user.

Better error reporting

In versions before 3.1.0, a tenant configuration mismatch ended up in a blank screen, and missing access privileges were reported as "Maybe you are using a bookmarked login page". This has now been improved.

Bugs fixed in this release

Known issues