1.4.0 RELEASE

THE RELEASE

The release 1.4.0 was published on 08.12.2014

DOCUMENTATION OF THE RELEASE:

Read the documentation of the 1.4.0 release:

GENERAL INFORMATION ABOUT RELEASE

There are two distribution formats:

  • tar.gz bundle which can be unpacked and this way installed in a single directory,
  • rpm which can be installed system-wide in the Linux standard locations.

The rpm is built and tested on CentOS 6, noarch. It should also work flawlessly on SL6 and recent Fedora distributions. We may build packages for other distributions in the future; however, the tar.gz format should be fully portable. Java 8 JRE is the primary installation prerequisite. For more detailed installation information please check the Unity manual.

1.4.X RELEASE SERIES

Unity 1.4.0 is so far the biggest update, with exactly 200 commits, 47 solved tickets and several big features.

The release highlights are:

  • An OAuth2 & OpenID Connect endpoint is now available, i.e. Unity can act as a standalone OAuth 2 Authorization Server with support for the OpenID Connect specification. The current implementation is fully functional; however, its configuration requires some manual work in the Admin UI (setting attributes, adding clients to groups) as there is no dedicated OAuth management UI. This will be improved in the future.
  • The SAML subsystem received all the most important missing features:
    • support for encryption (and decryption) of assertions
    • The SAML IdP can be configured with SAML metadata in a similar way as it was already possible to configure the SAML authenticator. The trusted SPs can be automatically extracted from the federation’s metadata and updated at runtime.
    • The SAML Single Logout protocol is fully supported. This is a giant feature, as Unity can now log out all session participants: the upstream SAML IdP (if one was used) and the SPs logged in via the Unity SAML IdP endpoint. The logout can be initiated via HTTP POST, Redirect and SOAP bindings, as well as by logging out from any of the Unity web UIs. As Single Logout may bring some problems, the level of its implementation is configurable. See the SAML Howto for details.
  • LDAP authenticator was greatly enhanced:
    • it is possible to use a predefined system user to obtain information about the logged-in user
    • it is possible to define custom, additional searches
  • There is a new OAuth authenticator available, where Unity takes the OAuth Resource Server role, checking the provided OAuth Access Token against a configured 3rd-party OAuth AS.
  • Unity was subject to an extensive security audit. Implementation of audit recommendations hardened Unity’s security.

Big thanks to all our contributors, testers and auditors (in alphabetical order, people first): Bernd, Piotr, Rafał, Roman Krysiński, Shiraz, ICM, Wrocław Center For Networking and Supercomputing, ICM and PL-Grid guys!

Unfortunately one of the big planned features – the translation profile wizard and debugger – is not included in this release due to an issue found late in the release cycle. This great feature will be made available in the next release.

DETAILED LIST OF CHANGES

Bugs fixed:
  • Prevent session fixation attack
  • Fix for the poodle vulnerability
  • It is possible to insert rogue XML when trust model is set to all
  • Remove AttributeParamValue class
  • Login with local credential disabled by credential requirement change is possible
  • Mysql backend can fail to update endpoint and to properly expire tokens
  • Authorization Exception while viewing targeted identities
  • SAML SP config messes up SAML SP config metadata
  • Unity SAML IdP fails on non-latin characters in assertions when a non UTF-8 locale is used
  • Cancel doesn’t work in the UNICORE web IDP
  • Registration form with automatic and mandatory parameters causes AuthenticationException in admin endpoint
  • NPE after registration request submit
  • SSO doesn’t work in some cases
  • SAML and OAuth response handlers do not lock session object
  • New attribute type edit dialog does not show description widget
  • Input translation profile wrongly processes group mappings
  • Eliminate potential privilege escalation via XSS
  • Prevent LDAP injection attacks
  • Enum attribute editor fails on empty set of allowed values
  • Gently handle Subject without nameId

New features:
  • AuthZ downgrade for get all groups operation
  • Optimization of Vaadin-based authentication screen
  • Allow making a copy of existing Registration Forms
  • Add support for default preferences, for arbitrary SP
  • Allow for empty credential requirement
  • mapGroup action should allow for dynamic group creation
  • Support for automated testing on selectable DBMS engine
  • Common and more user friendly consent UI for IdPs
  • Check the current credential in the credential change UI
  • Registration forms should allow for optional retrieval of information
  • Update translation profile documentation
  • External OAuth authorization should allow for selecting TLS settings
  • Secure cookies with httpOnly
  • Add a possibility to enable HSTS
  • Allow for clickjacking protection with X-Frame-Options
  • Hide HTTP server version details