JOSSO EE 2.4

v.2.4.4

Changelog

v.2.4.4 Update #58

  • UPD: Add the kid header parameter to JWTs when using RSA signatures, so consumers can select the matching key from the JWKS.

  • NEW: Disable appliance build upon JOSSO startup using a configuration property

  • FIX: SLO issue when triggering SLO from an SP that uses an IDP that overrides the SP channel settings

  • FIX: Virtual Providers do not require an identity source

  • FIX: Error when using constants in attribute mapping. Constant value last character is truncated.

  • FIX: Error after login-logout-login on some JOSSO agents

  • NEW: form_post support in OpenID

  • FIX: Reported port in HTTP Content Security headers when using HTTPS for OpenID URLs.

  • FIX: When using IDP initiated, and IDP requires signing authn request, signature is now properly validated.

  • UPD: Prefer configured encryption method for assertion when SP supports it.

v.2.4.4 Update #54

  • FIX: OIDC SLO post-logout URL does not also need to be listed in the client URIs.

  • UPD: OIDC Attribute profiles for non-overridden channels

v.2.4.4 Update #53

  • NEW: OIDC Support for CORS pre-flight requests using OPTIONS

v.2.4.4 Update #52

  • FIX: OIDC nonce missing in ID token

  • NEW: OIDC support for attribute mapping profiles

  • FIX: new JOSSO 2.5 branding adjustments

  • FIX: OIDC front-channel logout NPE when id_token_hint was not provided.

v.2.4.4 Update #50

  • NEW: JOSSO 2.5 Branding

  • NEW: Processing UI

  • NEW: OIDC Support for iframe session check

  • NEW: OIDC CORS support for back channel endpoints

  • UPD: OIDC Fixes

v.2.4.4 Update #47

  • NEW: JDBC Identity store connection pooling added

  • UPD: Improvements to account link emitters. SP/VP user IP address now available while emitting.

  • NEW: Identity mapping extension points allow using custom user keys to load users based on context information (only when using an SP/VP identity store).

  • FIX: OIDC OP Metadata improvements

v.2.4.4 Update #45

  • FIX: Custom authenticator / LDAP Store using OSGi services

  • FIX: XML Parsing security (update #44-ebf)

v.2.4.4 Update #44-ebf

  • FIX: XML Parsing security

v.2.4.4 Update #42

  • NEW: Virtual Provider support for OIDC

v.2.4.4 Update #31

  • UPD: OIDC fix for token refresh

v.2.4.4 Update #39

  • UPD: OIDC Improvements, including JWT token claims and SLO

  • NEW: Passwordless authentication using OAuth2

  • UPD: OAuth2 .NET client support for passwordless authentication

v.2.4.4 Update #33

  • NEW: Attribute profile allows for expressions to map values

  • NEW: OIDC UserInfo endpoint

v.2.4.4 Update #31

  • FIX: Serialization error when enabling copyOnRead property on EH-Cache stores.

  • UPD: SLO requests use the requested name identifier format instead of unspecified.

  • NEW: OIDC Tokens TTL configurable

  • UPD: OIDC Signature / Encryption improvements

  • FIX: Signature validation only for bindings that support it

v.2.4.4 Update #28

  • FIX: Weblogic agent does not report an error when the authentication is not targeted to JOSSO, but to another provider.

  • FIX: Weblogic provider version updated to match JOSSO agent version

  • UPD: OpenID Connect improvements: Implicit flow, Metadata endpoint, JSON Web Key Set (JWKS) endpoint.

  • FIX: SAML Signature validation only to supporting bindings

  • FIX: User entity selector issue after SLO

v.2.4.4 Update #25

  • FIX: Signature NPE error when signing SAML query strings introduced in update #24.

v.2.4.4 Update #24

  • FIX: Default to a valid hash algorithm for appliances imported from older version.

v.2.4.4 Update #23

  • FIX: Added missing bcrypt artifact for systems without internet access.

v.2.4.4 Update #22

  • NEW: BCrypt hashing support for basic authentication

v.2.4.4 Update #21

  • FIX: Error when using upper case names in Virtual Providers and Encrypted assertions

v.2.4.4 Update #20

  • FIX: Authentication Service Priority

v.2.4.4 Update #19

  • FIX: OpenID Connect SLO support

v.2.4.4 Update #18

  • FIX: OpenID Connect authentication failure

v.2.4.4 Update #17

  • FIX: Error when building appliance that uses external properties (due to spring upgrade).

  • NEW: Custom token support for pre-authentication. JOSSO can collect a custom token from a header/cookie/request parameter.

  • NEW: Weblogic execution environment supports customizing location element.

  • UPD: Improved SSO policies report upon authentication failure (failed attempts/remaining attempts, account locked/expired, etc.).

  • FIX: KeyInfo element may be present without a key.

  • FIX: KeyInfo element may not be present.

  • FIX: SAML Response using HTTP-Redirect binding honors configured SAML Signature options.

v.2.4.4 Update #11

  • UPD: Improved Authentication policy reporting

v.2.4.4 Update #10

  • NEW: Custom pre-authentication support, includes custom HTTP headers and parameters

v.2.4.4 Update #09

  • FIX: Workaround for JDK deflater reporting invalid state. This caused some threads to get into an infinite loop.

v.2.4.4 Update #08

  • UPD: Configurable email attribute name for User identifier

  • UPD: User column aliases when defining properties in the DB identity store

  • UPD: Improved SLO error when no SLO endpoint is available for an SP

v.2.4.4 Update #07

  • UPD: SAML 2 Signature/Encryption improvements

  • NEW: Jasper Server support

v.2.4.4 Update #06

  • NEW: Custom Authenticator / 2FA Authenticator improvements

v.2.4.4 Update #02

  • UPD: Merged 2.4.3 #27

v.2.4.3

Changelog

v.2.4.3 Update #32

  • FIX: Weblogic 12 agent failed to resolve roles/groups

v.2.4.3 Update #31

  • FIX: Workaround for JDK deflater reporting invalid state. This caused some threads to get into an infinite loop.

v.2.4.3 Update #30

  • FIX: SLO Issuer when using Virtual Providers is now correctly set.

  • FIX: SLO Signature (HTTP-Redirect) is now included when using VP.

v.2.4.3 Update #29

  • UPD: Cross-site scripting / clickjacking prevention support

v.2.4.3 Update #27

  • UPD: SAML 2.0 XML Signature verification does not require KeyInfo element.

  • FIX: OpenID Connect exp claim validation fixes

  • UPD: OpenID Connect exp claim validation tolerance

  • NEW: CSA authentication extension point

  • UPD: CSA CRL verification improved with new CRL configuration options
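
Several entries in this changelog concern the checks a relying party performs on an OpenID Connect ID token: the key is selected through the kid header (2.4.4 Update #58), the nonce must be present in the ID token and match the one sent in the authentication request (2.4.4 Update #52), and the exp claim is validated with a tolerance for clock skew (2.4.3 Update #27). The following is an added example written for this page; it is not JOSSO code and does not show how JOSSO implements these checks. It uses HS256 (HMAC) instead of the RS256 the kid entry refers to because the Python standard library has no RSA support; the kid lookup, algorithm pinning and claim checks are the same for either algorithm. KEY_SET, ISSUER and CLIENT_ID are constructed values, and the token is minted locally so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Added example, not JOSSO code. HS256 stands in for RS256 because the
# standard library has no RSA; everything else is algorithm-independent.
EXPECTED_ALG = "HS256"  # pinned by the relying party; the token never chooses it

# Constructed key set: kid -> HMAC secret. With RS256 this would be the OP's
# JWKS (kid -> RSA public key); the selection logic is identical.
KEY_SET = {
    "key-2024": b"constructed-example-secret-2024",
    "key-2023": b"constructed-example-secret-2023",
}
ISSUER = "https://idp.example.test"  # assumed issuer URL
CLIENT_ID = "rp-demo"                # assumed client_id of this relying party


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def mint_id_token(key_set: dict, kid: str, claims: dict, alg: str = EXPECTED_ALG) -> str:
    """Issuer side: compact JWS over the claims, naming the signing key via kid."""
    signing_input = _json_segment({"alg": alg, "typ": "JWT", "kid": kid}) + "." + _json_segment(claims)
    sig = hmac.new(key_set[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token: str, key_set: dict, issuer: str, client_id: str,
                      nonce: str, now: Optional[float] = None, leeway: int = 60) -> dict:
    """Relying-party side: verify signature and claims; raise ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # 1. Algorithm pinning rejects "none" and algorithm-confusion attempts.
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    # 2. Key selection by kid; an unknown kid is a hard failure, never a fallback key.
    kid = header.get("kid")
    if kid not in key_set:
        raise ValueError(f"unknown kid {kid!r}")
    expected_sig = hmac.new(key_set[kid], f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    # 3. Issuer and audience; with several audiences, azp must name this client.
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("client_id not in aud")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp does not name this client")
    # 4. Lifetime, with leeway so a few seconds of OP/RP clock skew do not reject valid tokens.
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("token expired")
    if "iat" in claims and claims["iat"] > now + leeway:
        raise ValueError("token issued in the future")
    # 5. Nonce binds the token to this login attempt: missing or different means replay/mix-up.
    if claims.get("nonce") != nonce:
        raise ValueError("nonce missing or mismatched")
    return claims


def rejection_reason(token: str, nonce: str, now: float) -> Optional[str]:
    """None when the token validates against the constructed RP settings, else the reason."""
    try:
        validate_id_token(token, KEY_SET, ISSUER, CLIENT_ID, nonce, now=now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    now = 1_700_000_000
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice",
              "iat": now, "exp": now + 300, "nonce": "n-42"}
    token = mint_id_token(KEY_SET, "key-2024", claims)
    print(rejection_reason(token, "n-42", now))        # valid
    print(rejection_reason(token, "n-42", now + 330))  # 30 s past exp, inside leeway
    print(rejection_reason(token, "n-42", now + 400))  # past exp plus leeway
    print(rejection_reason(token, "other", now))       # nonce mismatch
```

The order of the checks matters: the algorithm is pinned and the key chosen before anything in the payload is trusted, and the nonce comparison is the last step so that a token which is otherwise valid but was not issued for this login attempt is still rejected.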

v.2.4.3 Update #25

  • UPD: Client Certificate authentication improvements, including CRL support

  • FIX: SSL Support for trusted certificate store configuration

  • FIX: SAML Certificate date verification issues for JOSSO managed SPs

  • UPD: Improved logging, including OIDC wire logging

  • UPD: Social services token resolution retries to avoid network issues

v.2.4.3 Update #22

  • UPD: WebLogic agent improvements

  • UPD: Wire logging format

  • FIX: SLO fix when using overridden IDP channel between VP and IDP

v.2.4.3 Update #16

  • NEW: WeChat improvements for account linkage

  • FIX: Fixes when updating Liferay elements

  • UPD: Spring framework

v.2.4.3 Update #09

  • FIX: HA / EHCache integration (memory leaks fixed)

v.2.4.3 Update #07

  • UPD: WeChat improvements

  • UPD: JIT-SCIM Support for non-integer error codes

  • NEW: User-Agent propagated to mediation components

  • NEW: HTTP Follow redirect improvements (aliases and multi-domains supported)

  • NEW: ERROR Binding using HTTP GET

  • UPD: Proxy error propagation improvements

  • UPD: WeChat login

  • FIX: Some OSGi bundle configurations

  • UPD: Removed default setup, plugin-bundles should create specific instances.

  • UPD: Improved the documentation and logging

  • NEW: SCIM Connector

  • UPD: New Windows authentication context class support

  • UPD: Account Expiration date enabled

  • UPD: Do not add empty claims to a token (reduces token size).

  • FIX: Default IDs to be XML friendly

  • UPD: Transaction management for batch operations

  • UPD: New update/remove batch operations

  • UPD: Changed calculation of the total number of sessions statistic

  • UPD: Support for backslash (\) in the username

  • NEW: External attribute permission

  • NEW: Support for different credential types during basic authentication (email, username, etc.)

  • NEW: More built-in user attributes

  • FIX: Pre-authentication URL may contain request parameters

v.2.4.2

Changelog

v.2.4.2 Update #35

  • FIX: XML Parsing security

v.2.4.2 Update #34

  • NEW: Cross-site scripting / clickjacking prevention support

  • UPD: Scala version

v.2.4.2 Update #33

  • FIX: HA / EHCache integration (memory leaks fixed)

v.2.4.2 Update #31

  • FIX: OAuth2 token generation in HA environments

v.2.4.2 Update #30

  • FIX: Appliance export command

  • FIX: OAuth2 token generation

v.2.4.2 Update #29

  • UPD: Total number of sessions statistics calculation changes

  • FIX: ID generation compliant with XML standard

  • NEW: Support Windows authentication context class reported by ADFS

  • FIX: OAuth2 authentication support now creates services even if no pre-authentication URL is configured.

v.2.4.2 Update #27

  • NEW: Last authentication timestamp on built-in users support

  • FIX: Force UTF-8 support in OAuth2 clients

  • NEW: Async email sending support

  • UPD: Default Artifact Queue Manager builder configuration for HA environments

  • FIX: Removing all groups from a user

  • FIX: Transaction rollback management when operations fail, for better error logging.

v.2.4.2 Update #25

  • NEW: Virtual SP OpenID Connect support

  • UPD: Fixes to default UI skin

  • NEW: X-IdBus-Node HTTP header, useful for HTTP loadbalancers

  • UPD: OpenID Connect examples

v.2.4.2 Update #24

  • UPD: OpenID Connect improvements

  • NEW: EHCache Message Queue Manager configuration support

v.2.4.2 Update #23

  • NEW: Atricore Web console footer branding

  • UPD: User search improvements (paging, search options)

  • UPD: SPML Protocol improvements

  • NEW: EHCache transaction store for self-services, useful in HA environments.

  • NEW: Oracle Wallet v11R2 support

  • NEW: SSO UI Locale and i18n improvements

  • NEW: EHCache Message Queue Manager support, useful in HA environments.

  • NEW: Report the SSO session count as a user property when using pre-authentication.

  • NEW: systemd service file for Unix systems

  • NEW: SSO Session Manager extension point, including SSOSessionContext with subject and context information to use during session creation (i.e. establish timeout, etc.)

v.2.4.2 Update #20

  • NEW: OAuth2 client reports authentication failure errors as policy statements.

  • NEW: New option to disable debug information for Jetty errors (hides the stack trace)

  • NEW: Support for configurable password policies (length, reg-exp, etc.)

  • UPD: ISAPI Agent configuration is case insensitive for application IDs.

  • FIX: ISAPI Agent error when no application ID is detected

v.2.4.2 Update #19

  • FIX: PHP Agent SOAP warning message

  • FIX: Servlet Agent keeps track of original requested resource when starting login process.

  • NEW: Command line user management can now disable accounts with user modify command (new command option).

  • NEW: SSO Session Manager extension point (see atricore idbus examples)

  • NEW: Subject Authentication Policy extension point to allow users to create custom authentication verification policies (see atricore idbus examples).

  • FIX: SQLServer support as external database for product persistence (System Settings, Persistence)

  • NEW: Disable admin account creation option

  • NEW: Auditing information in user management operations

  • NEW: Spring boot partner application example

  • NEW: Oracle Webcenter Sites agent

v.2.4.2 Update #18

  • NEW: Support for custom JOSSO 1 Agents using WWW Execution environment definition

  • Requires Update #11 or above installed

v.2.4.2 Update #17

  • FIX: Oracle JDBC Driver support for system persistence

  • FIX: Multiple OAuth2 bindings, to work with JavaScript and standard HTTP redirects

  • Requires Update #11 or above installed

v.2.4.2 Update #16

  • FIX: Concurrency error when using SAML Providers metadata service

  • FIX: Minor UI issues

  • Requires Update #11 or above installed

v.2.4.2 Update #15

  • FIX: Reported Service Provider alias to pre-authentication applications when using Virtual Provider.

  • Requires Update #11 or above installed

v.2.4.2 Update #14

  • New cluster discovery mechanisms for when multicast is not an option.

  • Improved SAML2 Assertion encryption support

  • Requires Update #11 or above installed

v.2.4.2 Update #13

  • Updated built-in certificate/key pair used during development

  • Improved JOSSO Agent protocols, force_authn and authn_ctx_class now supported

  • LDAP Support improved, special characters in usernames now properly escaped

  • Fixed Maximum number of logins per user when using Virtual Providers

  • Requires Update #11 or above installed

v.2.4.2 Update #12

  • FIX: Reported Authentication Context Class when using Remember Me (OAuth2)

  • FIX: Passive Authentication support when none is specified by Service Providers

  • Requires Update #11 or above installed

v.2.4.2 Update #11

  • FIX: Issue with remember me token persistence using new IDs

  • Improved default session cookie length

  • New dynamic peer discovery option for clustered environments

  • New command to remove social IdPs from the command line

  • FIX: reported authnCtxClass when using Virtual Providers

    *Recommended fresh install
    

TIP

Make sure to export all your identity appliances, back up and delete the folder $JOSSO2_HOME/data/derby and restart JOSSO. You can import your appliances after that.

v.2.4.2 Update #10

  • Bugfixes

  • OpenID Connect new features

  • Improved ID generation for critical artifacts

v.2.4.2 Update #09

  • Identity Appliance commands improvements

  • Requires Update #8 or above installed

v.2.4.2 Update #08

  • Improved Unix scripts

  • Do not delete the OSGi cache when restarting (unix)

  • Upgraded to JOSSO 1.8.11 agents

  • Support for JOSSO 1.8.11 agents using force authentication options

  • New identity appliance command line management tools

  • Improved LDAP Password Policy extensions support

  • Include simple password reset support (LDAP only)

  • Virtual Provider fixes when overriding federated connections

  • New built-in attributes available when defining custom attribute profiles: idp alias, authentication context.

  • Tool to create ID Vault extension projects

TIP

If you have made changes to startup scripts located in the $JOSSO_HOME/bin folder, please make sure to back up those files and reapply the changes to the new set of scripts.

v.2.4.2 Update #06

  • SAML 2.0 Assertion Encryption Options

  • User Identifier configuration support for IDPs

  • Improved auditing properties, added federated provider information

  • Adds 2.4.1 general availability version

    *Requires a fresh install, appliances must be re-created manually.
    

v.2.4.2 Update #05

  • Adds 2.4.1 Update #25 to #31

    *This update requires 2.4.2 Update #1 already installed
    

v.2.4.2 Update #04

  • SAML 2.0 Assertion Encryption Options

  • Password Management Improvements

    *This update requires 2.4.2 Update #1 already installed
    

v.2.4.2 Update #03

  • SPs locale selection when requesting authentication: The locale is propagated to the UI (Wicket) and to SPs. When using custom attributes, the "userLocale" property must be mapped.

  • Password Policy Enforcement UI fixes: A new page object was added.

  • Protocol pages title branding: set the idbus.protocol.page.title property in $JOSSO2_HOME/etc/org.atricore.idbus.kernel.main.cfg

    *This update Requires 2.4.2 Update #1 already installed
    

v.2.4.2 Update #02

  • LDAP Policy Management options

    *This update Requires 2.4.2 Update #1 already installed
    

v.2.4.2 Update #01

  • Includes 2.4.1 Update #24

  • SAML 2.0 Custom Attribute Profiles Management

  • Twitter Sign-In improvements

  • JIRA 6.x Support

  • Latest JOSSO 1.8.10-SNAPSHOT

v.2.4.2 Initial

  • Twitter Sign-In support

  • SAML 2.0 Attributes Profile improvements

  • Certus Ultra Sonic Authentication

v.2.4.1

Changelog

v.2.4.1 Update #37

  • NEW: Cross-site scripting / clickjacking prevention support

v.2.4.1 Update #36

  • FIX: IdP selection strategy

If you haven’t applied update #35 follow instructions for that update.

v.2.4.1 Update #35

  • FIX: JDK8 Support for Atricore Console launcher (avoids JSP error)

In case you are updating an older 2.4.1 version (Update #24 or below) you need to apply this update:

features

Properties you may also want to set:

  • Basic Authentication (Identity Provider): Reported SAML 2.0 Authentication Context

  • Directory Bind Authentication: Reported SAML 2.0 Authentication Context

  • Directory Bind Authentication: Referral

  • LDAP Identity Source: Referral

v.2.4.1 Update #33

  • Includes latest 1.8.10 improvements

  • Fixed invalidation of exceeding SSO sessions when using Virtual Providers

  • Fixed NPE error when SSO session expires using Virtual Providers

  • Includes 2.4.1 general availability version

    *Requires Update #25 or above installed
    

v.2.4.1 Update #32

  • External error/warning dashboard support (JSON)

  • FIX: Basic Authentication salt prefix support

    *Requires Update #25 or above installed
    

v.2.4.1 Update #31

  • Pre-Authentication Fixes

  • New identity store monitoring metrics

  • Session heartbeat support for proxied IdPs

  • Requires Update #25 or above installed

v.2.4.1 Update #30

  • New Salt prefix/suffix support for Basic Authentication

  • Ws-Federation STS fixes

  • ISAPI Agent support for IIS 8.x

  • ISAPI Agent includes latest OpenSSL version 1.0.2d, with new SSL/TLS protocol support, security improvements and bug fixes.

  • ISAPI Agent support for multiple virtual hosts

    *Requires Update #25 or above installed
    

v.2.4.1 Update #29

  • Basic Authentication SHA-512 Support

  • Remember Me support for Internet Explorer 11

  • Requires Update #25 or above installed

v.2.4.1 Update #28

  • SLO Fixes

  • Remember Me improvements

  • Requires Update #25 or above installed

v.2.4.1 Update #27

  • Facebook for Business Support

  • Facebook 2.4 API support

  • OAuth2.0 Pre-Authenticated request proxy support

  • OAuth2.0 Remember Me improvements

  • Requires Update #25 or above installed

v.2.4.1 Update #26

  • OpenID 1.0 Configuration Improvements

  • Requires Update #25 installed

v.2.4.1 Update #24

  • JIRA 6.x Support

  • Latest JOSSO 1.8.10-SNAPSHOT

v.2.4.1 Update #24

  • SAML 2.0 Front Channel SLO Support

  • OpenID Connect 1.0 Provider

  • OAuth 2.0 Tokens Lifetime Configuration

  • Updated Facebook API to v2.3

v.2.4.1 Update #23

  • Fix NPE issue on some SAML 2.0 configurations with SOAP

  • Weblogic 11, 12 JOSSO Agents

v.2.4.1 Update #22

  • Remember Me working when Pre-Authentication is configured

  • SAML 2.0 Metadata Service support

  • HTTP timeout settings for internally proxied requests

  • LDAP (JNDI) referrals configuration option in Directory components (store and authentication)

  • New custom features file descriptor for customers extensions

Update Instructions

JOSSO administrators must edit current identity appliances and verify the LDAP component setups. Save, rebuild, redeploy and restart the Identity Appliance.

v.2.4.1 Update #19

  • IdP SSO Session provided as attribute to applications

  • Disabled redirects generated by Apache Wicket that caused problems when reverse proxies are used.

  • IdP/SP proxy support improvements

  • Cross Origin Resource Sharing support

  • Improved logger configuration

  • Ws-Federation SLO Improvements (wreply support)

  • SLO Location for agent based applications (redirect the user to that URL upon logout)

  • Identity Appliance import options to update locations automatically (facilitates promoting appliances from one environment to another)

v.2.4.1 Initial

  • Google Sign-In support

  • Facebook Sign-In support

  • OpenID Connect support, as relying party

  • JDK 7, JDK 8 support

  • .NET OAuth 2.0 APIs

  • Auditing Module

  • Virtual Provider Support (VSP)

  • External Authentication UI (pre-authentication) support

  • Tomcat 8 JOSSO Agent

  • Agents use JAX-WS when possible

  • SAML 2.0 Improvements

  • Performance improvements

Contributors: Sebastian, sgonzalez