Underlying dependencies have been updated extensively. Local customizations may be affected.
OIDC improvements / updates
Correct behaviour with regard to "prompt=none"
When prompt=none is sent by the RP and the session is not authenticated, the request is answered with an error response in accordance with https://openid.net/specs/openid-connect-core-1_0.html#AuthError
When setting up an OIDC OP, the scenario now produces a jwks_uri based on the domain of the defined authorization endpoint URL plus the tenantID (same pattern as token_endpoint).
The kid parameter of the valve is now set automatically based on the keystore selected for JWT signing.
The token endpoint is now constructed with the tenant in the URI. Previously the tenant was passed as a parameter in the query string.
The "userInfo" endpoint is now created at guide completion.
Scenario configuration now creates a JWT with a proper "amr" claim; its data type is now an array.
JWKS response update
Removed "alg" from the JWKS response. The parameter is optional. Signing algorithms should be configured in the "well-known/openid-configuration" response. Currently defaults to RS256, which is the only algorithm supported.
OIDC discovery regularly updated
By default, discovery URLs are re-discovered every 60 minutes.
New error handling for prompt_none - return with POST
When an error response is returned because a prompt=none request could not be satisfied, the response must be sent back using HTTP POST.
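As an added illustration of the prompt=none handling described in the two items above (example code, not part of the product or these release notes): the OP evaluates the request, builds the AuthError parameters from OIDC Core with the RP's state echoed back, and delivers them by HTTP POST as a self-submitting form. The client registry, the exact-match redirect_uri check and the use of the form_post style are assumptions made for the example.

```python
from html import escape

# Constructed client registry (assumption): the OP keeps an exact-match
# redirect_uri allow-list per client_id and never redirects anywhere else.
REGISTERED_CLIENTS = {
    "rp-demo": {"redirect_uris": {"https://rp.example.test/callback"}},
}


def validate_redirect_uri(client_id, redirect_uri):
    """Exact string match against the registered list; no prefix or wildcard matching."""
    client = REGISTERED_CLIENTS.get(client_id)
    return client is not None and redirect_uri in client["redirect_uris"]


def check_prompt_none(params, session_authenticated):
    """Return None when processing may continue, otherwise the AuthError parameters
    (OIDC Core 3.1.2.6): error, optional error_description, and state echoed unchanged."""
    prompts = set(params.get("prompt", "").split())
    if "none" not in prompts:
        return None
    if len(prompts) > 1:
        # "none" must not be combined with any other prompt value.
        err = {"error": "invalid_request",
               "error_description": "prompt=none must not be combined with other values"}
    elif not session_authenticated:
        # No session to reuse silently: report it instead of showing a login page.
        err = {"error": "login_required"}
    else:
        return None
    if "state" in params:
        err["state"] = params["state"]
    return err


def form_post_error(client_id, redirect_uri, err):
    """Deliver the error to the RP by HTTP POST: an auto-submitting HTML form whose
    hidden fields are the error parameters (form_post response mode style)."""
    if not validate_redirect_uri(client_id, redirect_uri):
        # Never bounce an error (and the state value) to an unregistered URI.
        raise ValueError("redirect_uri is not registered for this client")
    fields = "".join(
        f'<input type="hidden" name="{escape(k)}" value="{escape(v)}"/>'
        for k, v in err.items())
    return ('<html><body onload="document.forms[0].submit()">'
            f'<form method="post" action="{escape(redirect_uri)}">{fields}'
            '<noscript><input type="submit"/></noscript></form></body></html>')
```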
Changed behavior of OIDC scenarios
Most of the OIDC scenarios have been disabled for creation of new instances. Already added scenarios remain and can be edited.
It is now recommended to use the OIDC->SAML Identity Provider scenario. This scenario gives access to all authentication methods included in the platform and also makes it possible to reuse already added SAML Identity Providers, both internal and external.
Added friendly name when displaying SAML IdP
When selecting an IdP from a drop-down, the display name has been added for clarity.
FrejaEIDSAML relying party id added
FrejaEIDSAML now supports the property relyingPartyId, facilitating MSP scenarios.
Compression added to some HTTP resources
Added support for Gzip compression when serving static files, if the user agent supports it.
FidoAuthenticatorSAML added missing event
Events are now written on success and failure.
Disable logging for org.opensaml.xml in log4j2.xml
New default behaviour for OpenSAML XML handling logging. The default is now OFF.
Fido authenticators events
The events written have been updated to better fit the use case.
"Unlock" account in PSS
Faulty behaviour when unlocking an account in AD has been fixed.
Language mix in PSS
Fixed mix of languages shown in PSS.
PSS customisation updates
For customizing the UI in PSS, follow the instructions here:
Existing customizations may need to be verified.