Unit4 Identity Services 4.1.0 release notes

*Release 2020-03-20

About this release

This release is version 4.1.0 of the Unit4 Identity Services (U4IDS). These release notes contain important information about U4IDS and provides an overview of features included in this release, important information, bug fixes and known issues.

About Unit4 Identity Services

U4IDS is the single Identity Solution and architecture for the Unit4 eco-system, allowing users to have one single identity for log on across multiple applications.

It provides as a federation gateway to the each customer organization’s Identity Provider or identity solution
It standardizes on OpenID Connect for authentication
It supports multi-tenant applications
It supports the following external identity provider protocols:
- SAML 2.0 protocols
- WS-Federation
- OpenID Connect
It allows web API and Powershell based administration of tenants, clients and scopes
It allows external claims transformation/harmonization and introduces Unit4 Identity claim
It supports native clients and browser-based clients (through Implicit flow and Hybrid flow)
It enables secure machine-to-machine communication between services (through Client Credentials flow)
It supports cloud deployment only

Features included in this release

This is a rewrite of the functionallity to support upgrades in dependent software that we need to support. IdentityServices 3.x builds on Identity Server 3.x, by Thinktecture. IdentityServer 3 has been upgraded to IdentityServer 4, that is a major rewrite and build on Asp.net core. IdentityServices 4 builds on asp.net core 3.1 and extends IdentityServer 4. More about IdentityServer 4 can be found here: https://identityserver4.readthedocs.io/en/latest/ More about Asp.net core can be found here: https://docs.microsoft.com/en-us/aspnet/core/?view=aspnetcore-3.1

Bugs fixed in this release

There are currently two buggs that we have not managed to fix in IdentityServer 3.x

There is a hang in WsFederation that makes IDS unresponsive. This was due to the famous deadlock bug in the Katana (ws-fed) middleware. In IdentityServices4 we are no longer dependent on this middleware.
Redirect to the wrong Tenant on logout. This is fixed by having an extra session cookie that keeps track of the user session.

## Known issues

U4IDS does not have a feature to store SAML IdP metadata. IdP metadata must be accessible publicly on the provider site or placed on a publically available place (e.g. DropBox, Azure Storage, OneDrive or similar).
Refresh tokens are not migrated after upgrade. So all logged in user have to sign in again.
Consent must also be entered again for all users after upgrade.

## Note

Admin api version 2 endpoints are obsolete and will be removed in the future.
Scope settings AlwaysIncludeInIdToken and IncludeAllClaimsForUser is not supported in IdentityServer4. Instead you can add the claims you want in the identity token in requested identity scopes and the claims you want in the access token in requested resource scopes. However, we recommend using the user-info-endpoint instead, to keep the tokens small.

## Patches

Authentication service

4.1.1 No validation on identity token lifetime for client credentials clients.
4.1.2 Allow http head requests. Better mapping of upn claim from external identity provider.
4.1.3 All supported languages are added.
- Oid and upn could not be mapped to unit4_id.
- Email input dialog appears multiple times during partial login.
- Null reference exception on create new login.
4.1.4 SignoutCallbackPath was set to "/postlogoutcallback", which is the same as IDS3 (we hadn't set it, so it was the default "signout-callback-oidc")
- We now handle the following exceptions:
  - acr_values is empty
  - Exceptions during OIDC event handling, like:
    - MessageReceived could not get login
    - Authority was not found in MessageReceived
    - Can't get Login info when SignOut from IdentityProvider
  - Scope not found
  - Violation of PRIMARY KEY constraint 'PK_ExternalUserProfiles'
4.1.5 Fixed primary key contraint exception for external user profiles.
- All requested identity scope claims will be in identity token.
- Redirecting the old jwks path to the new. Temporary fix to give people time to change it.
- More exception suppressions.
4.1.6 Implement two layer cache for clients and scopes to improve performance.
4.1.7 Make cache configuration visible in the log and configurable.
4.1.8 Update security headers.
- Removed the startpage on root to prevent different uris in discovery document
4.1.9 After session timeout, request without tenant gets random tenant.
- Incorrect EntityId in SAML provider.
- Could not map winaccountname to unit4id.
- ~~Exception when trying to add large id_token to LoginData table.~~ (actually done in AdminAPI 4.1.2)
4.1.10 WS-Federation error handling redirected to last WS-Federation login.
4.1.11 Improved session handling for WS-Federation login and logout.
- Configuration for length of redirect Uri. IdentityServerOptions:InputLengthRestrictions:RedirectUri:1000 (Default value)
4.1.12 Fixed bugg when logging out from google account.
- It is now possible to turn off redis cache.
- Sanity check for correct data when caching openid connect and ws federation configuration for external idp. Improved logging.
4.1.13 Don't set 'X-Frame-Options' to 'SAMEORIGIN' for the checksession endpoint.
- The login_hint query parameter was not working.
- Save data protection key in database and not in Redis.

## NOTE From 4.1.13 existing data protection key in Redis is replaced with new data protection key in database. Users that are already logged in may get an error when logging out. After reconnecting there should be no more problems.

Administration Api

4.1.1 Fixed path on scopes with secrets that led to not being able to update some scopes in the portal.
4.1.2 Exception when trying to add large id_token to LoginData table.
- Better Scope validation
4.1.3 Save data protection key in database.

Administration Portal

4.0.1 Adjusted security headers.
4.1.2 Add csp security header.