Unit4 Identity Services 4.3.0 release notes
Release 2021-03-23
About this release
This release is version 4.3.0 of the Unit4 Identity Services (U4IDS). These release notes contain important information about U4IDS and provide an overview of the features included in this release, important information, bug fixes and known issues.
About Unit4 Identity Services
U4IDS is the single Identity Solution and architecture for the Unit4 eco-system, allowing users to have one single identity for log on across multiple applications.
- It acts as a federation gateway to each customer organization’s Identity Provider or identity solution
- It standardizes on OpenID Connect for authentication
- It supports multi-tenant applications
- It supports the following external identity provider protocols:
  - SAML 2.0
  - WS-Federation
  - OpenID Connect
- It allows web API and PowerShell based administration of tenants, clients and scopes
- It allows external claims transformation/harmonization and introduces the Unit4 Identity claim
- It supports native clients and browser-based clients (through Implicit flow and Hybrid flow)
- It enables secure machine-to-machine communication between services (through Client Credentials flow)
- It supports cloud deployment only
IdentityServices 4 builds on ASP.NET Core 3.x and extends IdentityServer 4. More about IdentityServer 4 can be found here: https://identityserver4.readthedocs.io/en/latest/. More about ASP.NET Core can be found here: https://docs.microsoft.com/en-us/aspnet/core/?view=aspnetcore-3.1
Features included in this release
- A new SAML metadata repository is now supported by IDS.
- Support for prompting login at the external IdP.
- Security fix: jQuery and Bootstrap are updated to secure versions.
- PowerShell interactive login changed from the implicit flow to PKCE.
- The old Tenant model and basic authentication are marked as obsolete, to give notice before they are removed.
- Check-session header validation is relaxed to support PKCE login.
- A new property was introduced for log-entries in Application Insight: U4CorrelationId. The purpose of this property is to correlate log entries for requests related to a session (e.g. the authorize request, login request, challenge request, endsession request, etc.). Hence you can search for logs related to a user’s login and corresponding logout events.
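As an added illustration of how the U4CorrelationId property can be used on the consumer side (this is example code, not part of U4IDS or the release), the snippet below groups constructed Application Insights entries by correlation id, reconstructs the request sequence of one session and lists sessions that have a login but no endsession request. The property name comes from the release notes; the surrounding field layout of the entries is an assumption.

```python
import json
from collections import defaultdict

# Constructed sample entries (not real U4IDS output). Only the property
# name U4CorrelationId is taken from the release notes; the other fields
# are assumed for the illustration.
SAMPLE_LOG = """\
{"timestamp":"2021-03-23T08:00:01Z","name":"authorize","U4CorrelationId":"c1","user":"alice"}
{"timestamp":"2021-03-23T08:00:02Z","name":"challenge","U4CorrelationId":"c1","user":"alice"}
{"timestamp":"2021-03-23T08:00:05Z","name":"login","U4CorrelationId":"c1","user":"alice"}
{"timestamp":"2021-03-23T08:00:09Z","name":"authorize","U4CorrelationId":"c2","user":"bob"}
{"timestamp":"2021-03-23T08:00:11Z","name":"login","U4CorrelationId":"c2","user":"bob"}
{"timestamp":"2021-03-23T08:30:00Z","name":"endsession","U4CorrelationId":"c1","user":"alice"}
"""


def group_by_correlation(log_text):
    """Group JSON-lines entries by U4CorrelationId, each group ordered by timestamp."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        cid = entry.get("U4CorrelationId")
        if cid is None:
            continue  # entries without the property cannot be tied to a session
        sessions[cid].append(entry)
    for entries in sessions.values():
        entries.sort(key=lambda e: e["timestamp"])
    return dict(sessions)


def session_timeline(log_text, cid):
    """Ordered request names for one session, e.g. authorize -> login -> endsession."""
    return [e["name"] for e in group_by_correlation(log_text).get(cid, [])]


def sessions_without_logout(log_text):
    """Correlation ids where a login was recorded but no endsession request."""
    open_sessions = []
    for cid, entries in group_by_correlation(log_text).items():
        names = {e["name"] for e in entries}
        if "login" in names and "endsession" not in names:
            open_sessions.append(cid)
    return sorted(open_sessions)
```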
Bugs fixed in this release
- The challenge endpoint had a vulnerable returnUrl.
- User history was not saved.
- The portal always approved a pending user when the user was changed.
- PowerShell and API: the prefix client claims setting now defaults to false.
Known issues
- From 4.1.13, the existing data protection key in Redis is replaced with a new data protection key in the database. Users that are already logged in may get an error when logging out. After reconnecting there should be no more problems.
Note
- Admin API version 2 endpoints are obsolete and will be removed in the future.
- The scope settings AlwaysIncludeInIdToken and IncludeAllClaimsForUser are not supported in IdentityServer4. Instead, add the claims you want in the identity token to the requested identity scopes, and the claims you want in the access token to the requested resource scopes. However, we recommend using the userinfo endpoint instead, to keep the tokens small.