Release notes
Dependency updates
Underlying dependencies have been updated extensively. Local customizations may be affected.
FIDO2 support
Enrollment of FIDO2 Tokens
New enrollment application that allows end users to activate their FIDO2 tokens.
FIDO2 token login
Support for FIDO2 token logins using SAML or internal authentication. Support for OIDC is achieved through existing brokering.
Hazelcast upgrade
New version is 4.11. Upgrades will require manual handling of the Hazelcast configuration.
Overlay for logout template
The logout template now supports the overlay pattern.
Metadata loading improvement
SAML metadata loading has been improved. When consumed from a URL, data is cached. The cached data is used as a fallback if the URL target is unreachable.
SLO requests using HTTP GET
Incoming SAML single logout requests now support HTTP GET.
Freja e-ID organization id is now supported
Organization id is supported through the new Freja e-ID authenticator and valves.
Simplified UI customizations PocketPass enrollment
Overlay pattern is now supported.
Simplified UI customizations OneTouch enrollment
Overlay pattern is now supported.
WCAG updates for all authenticator templates
Improved functionality with regard to the WCAG (Web Content Accessibility Guidelines).
WCAG updates PSS UI
Improved functionality with regard to the WCAG (Web Content Accessibility Guidelines).
PSS updates
- UI updates
- Option to show two password fields for onscreen exact comparison.
Updates may affect local customizations.
SAML IDP using multiple sign certificates
SAML certificate rollover is supported on the IDP sign certificate.
One Touch quick mode
Allows the user to confirm or reject a One Touch login using an Apple Watch or equivalent.
More information here.
CertificateValidatorValve – updated
OCSP requests can now be signed.
PDFSignatureStatusValve improved signature verification
Time stamp authority signatures are now validated.
PDFSignatureStatusValve customize trusted CAs
Trust is now based on a custom trust/keystore.
OIDC OP guide updates
token_type=Bearer is now returned by default.
The kid claim is now added by default to the header part of the JWT.
New valve PropertyURLDecoderValve
Allows for URL decoding of item properties.
Updated behavior SAMLAnonymousAssignmentAuthenticator
The QR code is shown instantly. Additional configuration is available.
Added missing trace id for authenticators
Affects authenticators:
- SAMLNias
- SAMLWindowsSSO
- DefaultInternalAuthenticator
Admin UI presentation of nodes is updated
Only the current node is displayed.
For Windows, added a default custom options file for customer customizations
Used for customizations that should not be overwritten at upgrade.
Token imports are now done using a separate tool
Hardware tokens are now imported using the bundled Test Tool.
More information can be found here.
Internal database schema update
Token serial is now required to be unique, to avoid duplicates. For external databases this must be applied manually.
More information here.
New Freja e-ID valves
Allows for authentication or signing through API. Valves are:
- FrejaEIDAuthRequestValve
- FrejaEIDAuthStatusValve
- FrejaEIDSignRequestValve
- FrejaEIDSignStatusValve
New SITHS SAML authenticator
Allows for authentication using SITHS mobile.
Authenticator name is SAML2SithsEID.
New valve PDFAValidatorValve
Validates that the PDF document fulfils the PDF/A-1A contract.
HYPR added as a method of authentication
SAML authentication can now be done using HYPR.
https://www.hypr.com/
New SITHS valves
Allows for authentication through API.
Valves are:
- SithsEidAuthenticateValve
- SithsEidCollectAuthenticationStatusValve
SAMLNias update
The SAMLNias authenticator now includes the user certificate in the pipe request issuing the SAML assertion.
Bug fixes
Fixed bug in OIDC HTTP redirect scenarios
Double URL encoding issue fixed.
Bug in BankID proxy module when running with old Freja authenticator
Linkage error fixed.
Bug in IDPDiscovery authenticator fixed regarding favicon & custom CSS
Follows the same pattern as other authenticators regarding custom CSS and favicon.
PADESSignVisibleSignatureValve
Fixed bug when calculating location of signature visualisation.
PIPES, wrong trace id
Wrong trace id was logged. This is now fixed.
Outbound HTTP module custom timeout
Bug when overriding the system timeout fixed.