2.4.2 was published on 04.03.2018


can be read from:


with introduction of latest Jetty HTTP server (used by Unity) it was observed that Firefox browser have troubles connecting to Unity launched on some of the OpenJDK distributions (e.g. Fedora). This is due to disabling EC TLS ciphers in affected OpenJDK. In case of troubles please use Oracle Java RE.


There are two distribution formats:

  • tar.gz bundle which can be unpacked and this way installed in a single directory,
  • rpm which can be installed system-wide in the Linux standard locations.

The rpm is build and tested on Centos 7, noarch. It should work flawlessly also on SL7 and recent Fedora distributions. We may build packages for other distributions in future, however the tar.gz format should be fully portable. Java 8 JRE is the primary installation prerequisite. For more detailed installation information please check the Unity manual.


Release 2.4.0 brings many significant new features. The main theme was to allow for quicker and easier setup in case of typical authentication integration scenarios.

The highlights are:

  • Unity now contains two predefined attribute type sets: common and eduPerson. The common set includes nearly 50 attribute types which should completely fulfill needs of majority of deployments. The set includes attributes with sensible settings which are counterparts of all commonly found user attributes. This set is loaded by default (via configuration module). The eduPerson set is not loaded by default. It includes couple of attributes of the eduPerson schema which are not found in the common set. You can freely edit and/or remove those standard attributes from AdminUI. What is more it is now possible to export and import attribute types to/from JSON, as well as (re-)import attribute types from the always available predefined sets described above.
  • For each supported external OAuth identity provider (e.g. Dropbox, Facebook, GitHub, Google, …) a complete mapping of attributes to Unity standard attributes is now provided as a ready to use system input translation profile. Thanks to it the configuration of those providers requires only 3 parameters: type, client id and client secret. We have cleaned the providers, updated them to use current APIs. And LinkedIn was added to the set of supported providers together with… Unity – so that one Unity instance can be easily configured to use other one.
  • There is also a symmetric change: Unity offers ready to use output profiles which translates the Unity attributes to the naming and syntax used by a protocol. For instance there is a default OpenIdConnect output profile which makes Unity returning standard OIDC attributes without any additional configuration effort.
  • Of course not always default mappings (both in and out) are fully sufficient. We have enhanced the translation profiles subsystem so now one profile may include (and optionally overwrite) definitions of other profile. This is especially useful to create a customized/enhanced version of any of the standard profiles.
  • Most of the development time in this release was spent on something bringing a little value: update to the new major release of Vaadin 8 – a web UI foundation used by Unity. This change enables many further planned developments, but already now you should be able to see some difference:
    • all icons were unified to font ones from a single set,
    • ‘hamburger menus’ are used in few places to hide rarely used operation icons,
    • the translation profile edit screen was improved: is using dense formatting and rules can be dragged to easily control their order.
  • Unity now ships with a default, system password credential with reasonable security settings. It is used as a default credential for the initial admin user and always when creating admin user in emergency (lost admin account). There are also default system credential requirements provided.
  • Date & time attribute syntax were added.
  • User import functionality which so far was only possible on 3rd party query SAML/SOAP endpoint now is available on all IdP like endpoint (SAML, OAuth). It can be plugged just before output profile execution to import additional information about the user by a query to external system. Currently local OS users store and LDAP are supported, but we may add more providers in future.
  • There were few enhancements in the output profiles:
    • OAuth client’s attributes can be used in expressions
    • it is possible to redirect the user to external URL instead of completing the regular protocol flow.

There were also many other, smaller improvements including: attribute values are never cut on UI, it is possible to configure Unity to be invisible login proxy (no UI presented), confirmation link validity is configurable now.

Note we also added a new – SMS – notification channel. It is not very useful so far (one can use it for sending registration request related notifications) but will be fundamental element of the features coming in the next release.


New features:
  • UY-641 Update Orcid OAuth config type and profile fetcher to 2.0 version
Bugs fixed:
  • UY-682 Cannot add output profile create attribute action with attribute name with ‘-‘ char.
  • UY-684 Using multiple trusted federations in SAML authenticator doesn’t work
  • UY-685 Confirming unset eamils throws NPE
  • UY-686 Concurrent modification in JSON parser
  • UY-687 Creating new output translation profile in UI is not possible without using mandatory checkbox
New features:
Bugs fixed:
  • UY-653 SAML IdP should add Destination attribute to signed responses
  • UY-663 Attribute statement UI doesn’t allow for equal instances
  • UY-675 LDAP password verification eats exception details
  • UY-676 It is possible to add attribute type with incorrect syntax configuration
  • UY-677 Cannot add attribute type with string value in UI.
New features:
  • UY-546 Last authN option used cookie should be per endpoint
  • UY-579 Integration with Vaadin 8
  • UY-601 Always allow to see the complete value of attribute
  • UY-624 Possibility to pre-select an IdP with queryParam
  • UY-640 Create new OAuth provider type for Linkedin
  • UY-645 Date and dateTime attribute type syntax
  • UY-647 Registration forms: control whther admin gets copies of user-focussed messages
  • UY-650 Option to activate login through a single remote IdP
  • UY-655 Resolve attr from OAuth to flat attributes
  • UY-657 Support for anonymous (no binding) use of LDAP server
  • UY-659 Allow for enabling user import on any IdP-like endpoint
  • UY-660 Add possibility to redirect the user in effect of output translation profile execution
  • UY-662 Make confirmation validity time configurable
  • UY-665 Expose requester’s attributes in output profile
  • UY-618 SMS notification channel
  • UY-627 Implement proper default credentials and cred reqs in default configuration module
  • UY-628 Possibility to include in one translation profile an another
  • UY-629 Make sure that profile won’t fail if Unity attribute is missing
  • UY-630 Define default set of attribute types
  • UY-631 Prepare default translation profiles
  • UY-632 Selective loading of predefined attribute type sets
  • UY-633 Make input translation profiles optional for authenticators
  • UY-634 Prepare default system output profiles
  • UY-635 Default output profiles on IdP endpoints
  • UY-636 Compact translation profile editor
  • UY-613 Default, available out-of-the-box setup
Bugs fixed:
  • UY-652 Invalid expression in group attribute statement breaks UI
  • UY-654 Email attribute values should be exposed in MVEL context as external strings
  • UY-656 Removal of attribute type can make attribute statements crashing
  • UY-661 SAML request processing fails on dynamic attribute with disabled consent and user preferences
  • UY-664 LDAP attribute type options are dropped
  • UY-668 Update JNA to latest


Here you can download previous versions from the series and read their documentation: