Release notes

Dependency updates

Underlying dependencies have been updated extensively.  Local customizations may be affected.

OIDC improvement / updates

Correct behaviour in regards to "prompt=none"

When prompt=none  is sent by the RP and the session is not authenticated the request is sent back in accordance to

Guide update

When setting up an OIDC OP  the scenario now produces a jwks_uri based on the defined authorization endpoint URL domain + tenantID. (Same pattern as token_endpoint) . 

Guide update

The kid param of the valve is now automatically set based on the selected keystore for the jwt signing.

Guide update

Token endpoint is now constructed using tenant in URI. Previously the tenant was put as a parameter in the query string.

Guide update

"userInfo" end point  is now created at guide completion.

Guide update

Scenario configurations  creates a jwt with a proper "amr" configuration. Data type now is array.

JWKS response update

Removed “alg“ from jwks response. The parameter is optional. Sign algos should be configured in the “well-known/openid-configuration“ response. Currently defaults to RS256 which is the only alg supported.

OIDC discovery regularly updated

By default discovery URL's are re-discovered every 60 minutes.

New error handling for prompt_none - return with POST

When sending error response back when violating the  promt=none request. The response must be sent back using HTTP - POST.

Changed behavior of OIDC scenarios

Most if the OIDC scenarios have been disabled for new creation. Already added scenarios remain and can be edited.

It is now recommended to use the OIDC->SAML Identity Provider scenario. Using this scenario provides accessibility to all authentication methods included in the platform. Using this scenario also makes it feasible to use already added SAML Identity Providers, both internal and external.

Added friendly name displaying SAML idp

When selecting an idp from a drop down the display name has bee added for clarity.

FrejaEIDSAML relying party id added

FrejaEIDSAML now support the property relyingPartyId facilitating MSP scenarions.

Compression added to some HTTP resources

Added support for Gzip compression when serving static files if user agent suports.

FidoAuthenticatorSAML added missing event

Events are now written on success and failure.

Disable logging for org.opensaml.xml in log4j2.xml

New default behaviour  for open saml xml handling logging. Default now is OFF.

Bug fixes

Fido authenticators events

Events written has been updated to better fit the usecase.

"Unlock" account in PSS

Faulty behaviour when unlocking account in AD fixed.

Language mix in PSS

Fixed mix of languages shown in PSS.

PSS customisation updates

For customizing UI in PSS follow instructions here:

Existing updates done may need to be verified.