Unit4 Identity Services 4.5.0 release notes

Release 2021-09-03

About this release

This release is version 4.5.0 of the Unit4 Identity Services (U4IDS). These release notes contain important information about U4IDS and provide an overview of the features included in this release, important information, bug fixes and known issues.

About Unit4 Identity Services

U4IDS is the single identity solution and architecture for the Unit4 eco-system, allowing users to have one identity for logging on across multiple applications.

  • It acts as a federation gateway to each customer organization's Identity Provider or identity solution
  • It standardizes on OpenID Connect for authentication
  • It supports multi-tenant applications
  • It supports the following external identity provider protocols:
    • SAML 2.0
    • WS-Federation
    • OpenID Connect
  • It allows web API and PowerShell based administration of tenants, clients and scopes
  • It allows external claims transformation/harmonization and introduces the Unit4 Identity claim
  • It supports native clients and browser-based clients (through the Implicit flow and the Hybrid flow)
  • It enables secure machine-to-machine communication between services (through the Client Credentials flow)
  • It supports cloud deployment only

Identity Services 4 builds on ASP.NET Core 3.x and extends IdentityServer 4. More about IdentityServer 4 can be found here: https://identityserver4.readthedocs.io/en/latest/ More about ASP.NET Core can be found here: https://docs.microsoft.com/en-us/aspnet/core/?view=aspnetcore-3.1

Features included in this release

  • Removal of v2 of the Admin API.
  • Removal of the old Tenant endpoint in the Admin API and of the Tenant object in PowerShell and the SDK. Use TenantEx instead.
  • Portal - Replaced the dropdown of available Tenants with a text box.
  • Portal - The delete action has been moved to the edit screen, and the warning is stronger.
  • Portal - If you are logged in as an owner in the Admin Tenant, you no longer see users in other Tenants by default. Check the "Include all Tenants" box and search to see them.

Bugs fixed in this release

  • IDS - The global variable containing the default scopes has been changed.
  • Portal - The portal no longer crashes when the initially configured IDS instance is unavailable while other instances are being accessed.
  • Portal - You can no longer delete a Tenant from a Tenant-specific login.

Known issues

  • From 4.1.13 the existing data protection key in Redis is replaced by a new data protection key stored in the database. Users who are already logged in may get an error when logging out, because session data protected with the old key can no longer be unprotected. After reconnecting there should be no further problems.

Note

  • The scope settings AlwaysIncludeInIdToken and IncludeAllClaimsForUser are not supported in IdentityServer4. Instead, add the claims you want in the identity token to the requested identity scopes, and the claims you want in the access token to the requested resource scopes. However, we recommend using the userinfo endpoint instead, to keep the tokens small.
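As an added example of the mechanism the note describes (illustrative code, not U4IDS or IdentityServer4 project code), the IdentityServer4 configuration below lists user claims on an identity scope and on an API scope, and shows the profile service that IdentityServer4 calls with the claim types those scopes request. The scope names unit4id and erpx.api, the claim types tenant and sourcesystemid, the client erpx-web, the redirect URI and the sample user values are assumptions for illustration.

```csharp
// Added illustrative example; not U4IDS or IdentityServer4 project code.
// Scope names, claim types, client id and sample user values are assumptions.
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.Extensions.DependencyInjection;

public static class TokenClaimConfig
{
    // Identity scopes: the claims listed here are what IdentityServer4 requests
    // from the profile service for the id_token and for the userinfo endpoint.
    public static IEnumerable<IdentityResource> IdentityScopes => new IdentityResource[]
    {
        new IdentityResources.OpenId(),                        // always yields "sub"
        new IdentityResources.Profile(),                       // standard profile claim set
        new IdentityResource("unit4id", new[] { "unit4id" }),  // assumed custom scope
    };

    // API scopes: the claims listed here are requested for the access token only.
    public static IEnumerable<ApiScope> ApiScopes => new[]
    {
        new ApiScope("erpx.api", new[] { "tenant", "sourcesystemid" }),
    };

    public static IEnumerable<Client> Clients => new[]
    {
        new Client
        {
            ClientId = "erpx-web",                               // assumed client
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,
            RedirectUris = { "https://erpx.example.test/signin-oidc" },
            AllowedScopes = { "openid", "profile", "unit4id", "erpx.api" },
            // Leave this false (the default): the client reads identity claims
            // from the userinfo endpoint instead of carrying them in the id_token.
            AlwaysIncludeUserClaimsInIdToken = false,
        },
    };

    public static void Register(IServiceCollection services)
    {
        services.AddIdentityServer()
            .AddInMemoryIdentityResources(IdentityScopes)
            .AddInMemoryApiScopes(ApiScopes)
            .AddInMemoryClients(Clients)
            .AddProfileService<ClaimRoutingProfileService>();
    }
}

// Called once per token being built and once per userinfo request.
// context.RequestedClaimTypes is derived from the granted scopes' UserClaims;
// AddRequestedClaims drops every claim whose type is not in that list.
public class ClaimRoutingProfileService : IProfileService
{
    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        // Constructed sample user; a real service would load claims by context.Subject.
        var available = new List<Claim>
        {
            new Claim("name", "Ada Example"),
            new Claim("unit4id", "ada@example.test"),
            new Claim("tenant", "00000000-0000-0000-0000-000000000001"),
            new Claim("sourcesystemid", "erpx"),
        };

        // context.Caller is ClaimsProviderIdentityToken, ClaimsProviderAccessToken
        // or UserInfoEndpoint. For the access token only the API scope claims
        // ("tenant", "sourcesystemid") are requested, so "name" and "unit4id" are
        // filtered out below even though the user has them.
        bool buildingAccessToken =
            context.Caller == IdentityServerConstants.ProfileDataCallers.ClaimsProviderAccessToken;
        if (buildingAccessToken)
        {
            available.RemoveAll(c => c.Type == "name");   // belt and braces; already not requested
        }

        context.AddRequestedClaims(available);
        return Task.CompletedTask;
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        context.IsActive = true;   // replace with a real user-status check
        return Task.CompletedTask;
    }
}
```

IdentityServer4 asks the profile service for the identity scopes' claims while building the id_token only when the client sets AlwaysIncludeUserClaimsInIdToken or when no access token is issued in the flow; otherwise the client fetches them from the userinfo endpoint, which is the recommendation in the note above. The API scope's claims are requested when the access token is built, so a tenant claim listed only on erpx.api never appears in the id_token.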

Patches

Authentication service

  • 4.5.1 .Result was being used on asynchronous methods in two places; replaced with await.
    • 4.5.1.1 Bug - The key prefix was sometimes duplicated when fetching WS-Federation or OpenID metadata from Redis, leading to cache misses.
  • 4.5.2 Disabled Tenants and IdPs are now ignored.
  • 4.5.4 Bug - WS-Federation specific: if the user's external IdP became unavailable after a successful login, the system kept trying to connect to that IdP before redirecting to any other Tenant, making it impossible to log in.
  • 4.5.5 The health endpoint now works for the dashboard.
  • 4.5.6 Bug - Resource scope claims were turned off by default in the consent screen.
    • Improved iframe handling.
  • 4.5.6.1 Bug - Missing quotes around 'self' in the Content-Security-Policy frame-ancestors directive. CSP keywords must be single-quoted; an unquoted self is treated as a host name rather than as the same-origin keyword, so the directive did not permit the framing it was meant to permit.
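The quoting fix in 4.5.6.1 is worth a worked check, because CSP reads an unquoted self as a host-source matching a host literally named "self": frame-ancestors self blocks every real ancestor, including the same-origin frames the directive is normally written to permit. The C# below is an added example, not U4IDS code; it extracts the frame-ancestors sources from a policy string, flags keywords written without quotes, and evaluates a simplified same-origin match for the quoted and unquoted forms. The origin https://ids.example.test is an assumption.

```csharp
// Added example, not U4IDS code. Lints a Content-Security-Policy value for
// unquoted frame-ancestors keywords and evaluates a simplified ancestor match
// so the effect of "self" versus "'self'" can be seen side by side.
using System;
using System.Collections.Generic;
using System.Linq;

public static class FrameAncestorsCheck
{
    // Keywords that CSP requires to be single-quoted in a source list.
    static readonly HashSet<string> Keywords =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "self", "none" };

    // Returns the source list of the frame-ancestors directive, or null if absent.
    public static string[] FrameAncestorsSources(string policy)
    {
        foreach (var directive in policy.Split(';', StringSplitOptions.RemoveEmptyEntries))
        {
            var parts = directive.Trim().Split(' ', StringSplitOptions.RemoveEmptyEntries);
            if (parts.Length > 0 &&
                parts[0].Equals("frame-ancestors", StringComparison.OrdinalIgnoreCase))
                return parts.Skip(1).ToArray();
        }
        return null;
    }

    // Lint: keywords written without their quotes (the 4.5.6.1 class of bug).
    public static List<string> UnquotedKeywords(string policy)
    {
        var sources = FrameAncestorsSources(policy) ?? Array.Empty<string>();
        return sources.Where(s => Keywords.Contains(s)).ToList();
    }

    // Simplified matcher: may a page at ancestorOrigin frame a document at
    // documentOrigin? Handles 'self', 'none', '*' and exact scheme://host[:port]
    // host-sources; wildcard hosts and scheme-only sources are out of scope.
    public static bool AncestorAllowed(string policy, Uri documentOrigin, Uri ancestorOrigin)
    {
        var sources = FrameAncestorsSources(policy);
        if (sources == null) return true;               // no directive: no restriction
        foreach (var src in sources)
        {
            switch (src.ToLowerInvariant())
            {
                case "'none'": return false;
                case "*": return true;
                case "'self'":
                    if (SameOrigin(documentOrigin, ancestorOrigin)) return true;
                    break;
                default:
                    // An unquoted "self" lands here: it is a host name, and
                    // no real ancestor origin has the host "self".
                    if (Uri.TryCreate(src, UriKind.Absolute, out var host) &&
                        SameOrigin(host, ancestorOrigin))
                        return true;
                    break;
            }
        }
        return false;
    }

    static bool SameOrigin(Uri a, Uri b) =>
        a.Scheme.Equals(b.Scheme, StringComparison.OrdinalIgnoreCase) &&
        a.Host.Equals(b.Host, StringComparison.OrdinalIgnoreCase) &&
        a.Port == b.Port;

    public static void Main()
    {
        var ids = new Uri("https://ids.example.test");   // assumed U4IDS origin
        foreach (var policy in new[] { "frame-ancestors self", "frame-ancestors 'self'" })
        {
            Console.WriteLine(
                $"{policy,-24} unquoted keywords: [{string.Join(",", UnquotedKeywords(policy))}]" +
                $" same-origin frame allowed: {AncestorAllowed(policy, ids, ids)}");
        }
    }
}
```

Running Main reports the unquoted keyword for the first policy and shows that only the quoted form lets the identity service frame itself; the same lint applies to 'none' and to the other fetch directives, since the quoting rule is the same for every CSP keyword.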

Administration API

  • 4.5.1 Added a new index on the expired column of the ExternalPersistedGrants table, as suggested by Azure performance recommendations.
    • Fixed an introspection bug when accessing the IDS API with a reference token.
    • Creating a secret that has already expired is no longer allowed.
  • 4.5.5 Validate that the Tenant client claim is always the current Tenant when the Tenant is not the Admin Tenant, so a Tenant-specific login cannot create a client that claims another Tenant.
    • The health endpoint api/health has been removed. Use /health/ready and /health/live instead (no "api" in the path). The first does a thorough check; the second only checks that the service is up.

Administration Portal

  • 4.5.1 Limits on how many IdPs, clients and client claims can be created from a Tenant-specific login. The limits can be overridden.
    • The tenant claim on Tenant-specific clients may not have any value other than the owner Tenant.
    • New ERPx client credentials step in client creation, making it easier to create M2M ERPx clients.
    • Small fixes to make the IDS portal more suitable for external customer login.
  • 4.5.2 Tenants and IdPs can be enabled or disabled.
    • Sent invites can be viewed, resent and deleted.
    • An M2M client creation step for U4 Financials.
    • A new screen reminding you to copy the secret when a new client or scope secret is created.
    • For Tenant-specific login you are now required to enter all parts of the client id naming convention.
    • Default client claims can no longer be skipped when creating ERPx and U4 Financials M2M clients.
  • 4.5.3 Bug - The lists of redirect URIs, post-logout URIs and CORS origins for clients, and of Unit4 ID claim types for Tenants, were erased after a server-side validation error in the screen; only the first item was left.
    • Bug - It was possible to save an invalid email when inviting users, after which invite management crashed.
    • Separate buttons on the Tenant screen for creating OIDC, SAML 2.0 and WS-Federation IdPs, each showing only the relevant fields.
    • Export and import of Tenants, Clients and Scopes as JSON. Any item can be exported to a file from its detail screen; that file can then be imported from the "create" screen.
  • 4.5.3.1 Bug - It was not possible to add claims to clients and scopes.
  • 4.5.4 The Add IDS wizard now checks for the source system id and the Tenant in access management and adds them if they do not exist. It is also possible to configure a user as owner.
    • Added three new client creation steps: Create Desktop client, Create Report Engine client and Create Native Mobile application client.
  • 4.5.5 Added context help to guide the configuration of an IdP for a Tenant.
    • Added a test button for the IdP authorize endpoint.
    • Added a warning when a Tenant is created without a GUID as Tenant id.
    • Added a loading indicator dialog.
    • The result of the health check is shown on the landing page.
    • Bug - Better error handling in the new client creation steps.

PowerShell cmdlets

  • 4.5.2 Tenants and IdPs can be enabled or disabled.
  • 4.5.3 Simplified the creation of custom clients by adding a custom grant type directive to the New-U4IDSClient command.