Unit4 Identity Services 4.2.0 release notes
Release 2020-10-05
About this release
This release is version 4.2.0 of the Unit4 Identity Services (U4IDS). These release notes contain important information about U4IDS and provide an overview of the features included in this release, important information, bug fixes and known issues.
About Unit4 Identity Services
U4IDS is the single Identity Solution and architecture for the Unit4 eco-system, allowing users to have one single identity for log on across multiple applications.
- It acts as a federation gateway to each customer organization’s Identity Provider or identity solution
- It standardizes on OpenID Connect for authentication
- It supports multi-tenant applications
- It supports the following external identity provider protocols:
  - SAML 2.0
  - WS-Federation
  - OpenID Connect
- It allows web API and PowerShell-based administration of tenants, clients and scopes
- It allows external claims transformation/harmonization and introduces Unit4 Identity claim
- It supports native clients and browser-based clients (through Implicit flow and Hybrid flow)
- It enables secure machine-to-machine communication between services (through Client Credentials flow)
- It supports cloud deployment only
IdentityServices 4 builds on ASP.NET Core 3.x and extends IdentityServer 4.
More about IdentityServer 4 can be found here: https://identityserver4.readthedocs.io/en/latest/
More about ASP.NET Core can be found here: https://docs.microsoft.com/en-us/aspnet/core/?view=aspnetcore-3.1
Features included in this release
- Security fixes for issues discovered in the penetration test.
- Allow checksession calls from a different origin.
- Allow iframe calls to the origins specified in the client's allowed origins settings.
- Improved error handling and logging.
- Filtering of Tenants in partial login.
Bugs fixed in this release
- You were able to create secrets for identity scopes.
- You had to select a single Tenant on partial login.
- You could not get the end session endpoint from the tenant OpenID configuration even when it existed.
- You got an exception for an invalid identity provider before our logic was initiated and settings were updated.
- Metadata was loaded automatically as soon as the location was entered, leading to multiple loads.
- login_hint was not handled correctly.
- We got duplicated Tenants when reading from acr values. (Rolled back)
Known issues
- U4IDS does not have a feature to store SAML IdP metadata. IdP metadata must be accessible publicly on the provider site or placed on a publicly available place (e.g. DropBox, Azure Storage, OneDrive or similar).
- From 4.1.13 the existing data protection key in Redis is replaced with a new data protection key in the database. Users who are already logged in may get an error when logging out. After reconnecting there should be no more problems.
Note
- Admin API version 2 endpoints are obsolete and will be removed in the future.
- The scope settings AlwaysIncludeInIdToken and IncludeAllClaimsForUser are not supported in IdentityServer4. Instead, you can add the claims you want in the identity token to the requested identity scopes, and the claims you want in the access token to the requested resource scopes. However, we recommend using the user-info endpoint instead, to keep the tokens small.
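As an added illustration of the note above (example configuration written for these notes, not code from U4IDS or from the IdentityServer4 project), the following IdentityServer4 4.x resource and client definitions show which scope carries a claim into which token; the scope names, claim names, client id and URLs are assumed:

```csharp
// Added example: IdentityServer4 4.x configuration showing where claims land.
// Scope names, claim names, client id and URLs below are assumed values.
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;

public static class ClaimsPlacementConfig
{
    // Claims listed on an identity resource are emitted into the id_token
    // when the client requests that identity scope.
    public static IEnumerable<IdentityResource> IdentityResources => new IdentityResource[]
    {
        new IdentityResources.OpenId(),
        new IdentityResource(
            name: "u4.profile",                      // assumed scope name
            displayName: "Basic profile",
            userClaims: new[] { "name", "email" })   // -> id_token
    };

    // Claims listed on an API scope are emitted into the access_token
    // when the client requests that resource scope.
    public static IEnumerable<ApiScope> ApiScopes => new[]
    {
        new ApiScope("invoicing.read", "Read invoices")   // assumed scope name
        {
            UserClaims = { "tenant_id" }                  // assumed claim, -> access_token
        }
    };

    public static IEnumerable<Client> Clients => new[]
    {
        new Client
        {
            ClientId = "spa-client",                      // assumed client id
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,                           // public client: PKCE, no secret
            RequireClientSecret = false,
            RedirectUris = { "https://app.example.test/callback" },
            AllowedCorsOrigins = { "https://app.example.test" },
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                "u4.profile",     // name and email appear in the id_token
                "invoicing.read"  // tenant_id appears in the access_token
            }
        }
    };
}
```

If the client requests only `openid` and reads `name`/`email` from the user-info endpoint instead of `u4.profile`, both tokens stay small, which is the approach the note recommends.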
Patches
Authentication service
- 4.2.1 Roll back of the bug fix for duplicate IdP in acr_values; it failed to handle double HTML encoding.
- 4.2.2
  - Created a health check endpoint.
  - Remove logins after 7 days instead of 180 to prevent data overload.
  - Added an index on ExternalUserProfileId to ExternalUserClaims to improve performance.
  - SAML metadata error handling was looping on reconnect to the metadata endpoint.
  - Partial login did not handle removing characters in the filter.
  - Trimming the email address on partial login to prevent errors that were hard to catch.
  - An exception occurred if the requested client did not exist.
  - A secret added to a PKCE client was not verified.
- 4.2.3 Missing validation of the return URL in the Challenge endpoint.
Administration API
- 4.2.2
  - Don't auto-create secrets for PKCE clients.
  - Wrong username in audits on delete.
  - Return the API version in the health check.
Administration Portal
- 4.2.2
  - PKCE is the default choice when creating a user-centric flow.
  - Tab text is now "IDS Portal" plus the IDS name when connected.
  - Possible to specify sp(x) for the Saml2 protocol (e.g. Saml2-sp1). The default range is 1 to 5, but it is configurable.
  - Possible to configure the sending mail address for invites, approvals and rejects. The default is noone@noreply.com.
  - Showing the path in the illegal discovery path exception.
- 4.2.2.1 Client secret missing after create.
PowerShell cmdlets
- 4.2.2
  - Username was not provided from user-centric login.
  - A warning is shown when you use the old Tenant commands; use TenantEx instead.