Release notes
Overview
We are happy to announce the new PAS 5.1.0 which introduces several important improvements and bug fixes, listed below.
This is first large feature upgrade after the 5.0 technical upgrade end of 2023.
The new 5.1.0 version will be drastically easier to configure for administrators, due to a lot more built in support for SAML and OIDC protocols and enhanced guides.
1. New Authenticator architecture - with clear separation of protocols versus authentication methods, and new simplified configuration guides to support easier and faster configuration. Link to documentation here
2. OpenID Connect enhancements - significantly more OIDC functionality now available "out-of-the-box" in code instead of via manual configuration. Also some new OIDC support not previously possible, e.g Hybrid Flow support. Link to documentation here
3. Enable "Sign" transactions in BankID och Freja eID. Link to documentation for BankID here and Freja here
4. Other minor improvements
5. Defects fixed (see list below)
Important notes regarding new Authenticator architecture
We recommend using the new Authenticators for all new implementations.
Customers and partners who are already using legacy Authenticators, can continue to use these but are advised to gradually transition configurations to the new setup whenever suitable or possible.
Please read documentation under Authentication in PAS 5.1 and beyond to get more familiar with the new solution.
List of Defects fixed
PHX-3314 Sessioner/traceid mixed in logs
TraceID in logs are sometimes mixed between sessions. Issue resolved
PHX-3316 Redirect URI should not require port component for loopback redirects
Fix for adhering to OAuth 2.0 specification (port number should not be required in URI for loopback redirects)
PHX-3359 Myapps favicon are overwritten
Favicon for myapps is not the one stated in mods overlay. Issue resolved
PHX-3368 Incorect icon after new installation is completed
During installation process an old PhenixID logo is shown. Issue resolved
PHX-3390 Missing dependency: com.verisec:RelyingPartyApiClient cause FrejaEIDAuthenticatorSAML to not work
The jarfile RelyingPartyApiClient.jar is missing in the installation. Issue resolved
PHX-3393 OWASP: nimbus-jose-jwt-9.31.jar: CVE-2023-52428(7.5)
Vulnerability CVS-2023-52428 identified. Issue resolved
PHX-3420 SAML2SithsEID authenticator NullPointerException
SAML2SithsEID crashes when using SITHS EID in PAS 5.x. Issue resolved
PHX-3421 OWASP: postgresql-42.6.0.jar: CVE-2024-1597(10.0)
Vulnerability CVS-2024-1597 identified. Issue resolved
PHX-3428 Slow or hangning http-klient at reconf
HTTP client sometimes hangs after reconf. Issue resolved
PHX-3475 BankID: QR-codes go out of sync
Animated QR code could get out of synch if waiting too long. Issue resolved
PHX-3484 Freja dose not do a app switch after approval
After successful Freja eID identification, phone doesnt switch back to app initiating authorization. Issue resolved
PHX-3487 DestinationServiceName is being logged wrong in new authenticators
Log contains IdP name instead of SP name, OIDC OP instead of RP. Issur resolved
Full list of improvements
New Authenticator architecture
(General documentation: Authentication in PAS 5.1 and beyond )
PHX-3027 Simplify use of single/common SAML IDP
PHX-3177 Add protocol agnostic authenticator for OneTouch
PHX-3178 Add protocol agnostic authenticator for Freja eID
PHX-3179 Add OpenID Connect back channel logout
PHX-3192 Generic Authenticator to replace all "text entry authenticators" (more info: DynamicAuthenticator)
PHX-3194 Implement SAML Entrypoint+resultbuilder
PHX-3249 OIDC Rewrite: Add "headless" authenticator (more info: DynamicAuthenticator)
PHX-3283 Legacy tab in configuration manager for deprecated guides
PHX-3287 Add SP Broker as protocol agnostic authenticator (more info: SPBroker)
PHX-3290 AgnosticRequestAuthenticator to replace all "http request" authenticators (more info: DynamicAuthenticator)
PHX-3306 OIDC Rewrite: Custom state field for authenticators internal state
PHX-3308 Utilize internal authenticator state in new authenticators
PHX-3338 Implement PersistedAuthenticationAttributes (multitenant SSO and consent)
PHX-3347 Shared items for authenticator pipes in SequenceAuthenticator (more info: SequenceAuthenticator)
PHX-3348 Build AssignmentAgnostic authenticator for OneTouch with a fix username (more info: AssignmentAgnostic)
PHX-3366 Improve logging for protocol agnostic authenticators
PHX-3367 Improve error handling in protocol agnostic authenticators
PHX-3370 Refactor AgnosticAuthSelector and update configuration (more info: AgnosticAuthSelector)
PHX-3436 Let AgnosticDispatcher look at item attributes if used within SequenceAuthenticator (more info: AgnosticDispatcher)
PHX-3441 Redo configuration scheme for internal authentication in new architecture
OpenID Connect enhancement
(Link to documentation: OpenID Provider in PAS 5.1 and beyond)
PHX-3044 Add proper support for post_logout_redirect_uri in OIDC RP initiated logout.
PHX-3055 OIDC: Move functionality from pipes to authenticator(s)
PHX-3174 Core rewrite of OpenID Connect, new architecture, protocol agnostic authenticators
PHX-3175 OpenID Client authentication via client_secret_jwt
PHX-3176 OpenID Client authentication via private_key_jwt
PHX-3180 Implement OIDC Implicit flow
PHX-3181 Implement OIDC Hybrid flow
PHX-3182 Remake OIDC guides in the Configuration Manager
PHX-3267 Add possibility to bind session alias to a specific TTL, and implement token lifetimes this way
PHX-3364 Add support for "id_token_hint" in OIDC RP initiated logout
PHX-3365 Trigger an OIDC Back channel logout when RP initiates a logout
Enable "Sign" transactions in BankID och Freja eID
(Link to documentation for BankID here and Freja here)
PHX-3417 Enable SAMLServiceProviderAuthn (and SPBroker) to send SignMessage in their SAML AuthnRequest
PHX-3418 Make BankIDAuthenticator and FrejaAuthenticator able to handle "Sign"-transactions
PHX-3419 Refine how entrypoints deal with "Sign"-requests
Other minor improvements
PHX-3309 Logging: Base class written out instead of implementation, makes logs hard to interpret
PHX-3337 FileTimeGeneratorValve, src does not support property expansion (config documentation here)
PHX-3415 Signing the Windows executables using Digicert One (Cloud) instead of using p12 certificate
PHX-3430 Add -XX:-OmitStackTraceInFastThrow to vmoptions (avoid empty stacktraces in logs)