2.4.X RELEASE

THE LATEST RELEASE

2.4.2 was published on 04.03.2018

DOCUMENTATION OF THE RELEASE

can be read from:

IMPORTANT NOTE ON OPENJDK

with introduction of latest Jetty HTTP server (used by Unity) it was observed that Firefox browser have troubles connecting to Unity launched on some of the OpenJDK distributions (e.g. Fedora). This is due to disabling EC TLS ciphers in affected OpenJDK. In case of troubles please use Oracle Java RE.

GENERAL INFORMATION ABOUT THE RELEASE

There are two distribution formats:

tar.gz bundle which can be unpacked and this way installed in a single directory,
rpm which can be installed system-wide in the Linux standard locations.

The rpm is build and tested on Centos 7, noarch. It should work flawlessly also on SL7 and recent Fedora distributions. We may build packages for other distributions in future, however the tar.gz format should be fully portable. Java 8 JRE is the primary installation prerequisite. For more detailed installation information please check the Unity manual.

2.4.X RELEASE SERIES

Release 2.4.0 brings many significant new features. The main theme was to allow for quicker and easier setup in case of typical authentication integration scenarios.

The highlights are:

Unity now contains two predefined attribute type sets: common and eduPerson. The common set includes nearly 50 attribute types which should completely fulfill needs of majority of deployments. The set includes attributes with sensible settings which are counterparts of all commonly found user attributes. This set is loaded by default (via configuration module). The eduPerson set is not loaded by default. It includes couple of attributes of the eduPerson schema which are not found in the common set. You can freely edit and/or remove those standard attributes from AdminUI. What is more it is now possible to export and import attribute types to/from JSON, as well as (re-)import attribute types from the always available predefined sets described above.
For each supported external OAuth identity provider (e.g. Dropbox, Facebook, GitHub, Google, …) a complete mapping of attributes to Unity standard attributes is now provided as a ready to use system input translation profile. Thanks to it the configuration of those providers requires only 3 parameters: type, client id and client secret. We have cleaned the providers, updated them to use current APIs. And LinkedIn was added to the set of supported providers together with… Unity – so that one Unity instance can be easily configured to use other one.
There is also a symmetric change: Unity offers ready to use output profiles which translates the Unity attributes to the naming and syntax used by a protocol. For instance there is a default OpenIdConnect output profile which makes Unity returning standard OIDC attributes without any additional configuration effort.
Of course not always default mappings (both in and out) are fully sufficient. We have enhanced the translation profiles subsystem so now one profile may include (and optionally overwrite) definitions of other profile. This is especially useful to create a customized/enhanced version of any of the standard profiles.
Most of the development time in this release was spent on something bringing a little value: update to the new major release of Vaadin 8 – a web UI foundation used by Unity. This change enables many further planned developments, but already now you should be able to see some difference:
- all icons were unified to font ones from a single set,
- ‘hamburger menus’ are used in few places to hide rarely used operation icons,
- the translation profile edit screen was improved: is using dense formatting and rules can be dragged to easily control their order.
Unity now ships with a default, system password credential with reasonable security settings. It is used as a default credential for the initial admin user and always when creating admin user in emergency (lost admin account). There are also default system credential requirements provided.
Date & time attribute syntax were added.
User import functionality which so far was only possible on 3rd party query SAML/SOAP endpoint now is available on all IdP like endpoint (SAML, OAuth). It can be plugged just before output profile execution to import additional information about the user by a query to external system. Currently local OS users store and LDAP are supported, but we may add more providers in future.
There were few enhancements in the output profiles:
- OAuth client’s attributes can be used in expressions
- it is possible to redirect the user to external URL instead of completing the regular protocol flow.

There were also many other, smaller improvements including: attribute values are never cut on UI, it is possible to configure Unity to be invisible login proxy (no UI presented), confirmation link validity is configurable now.

Note we also added a new – SMS – notification channel. It is not very useful so far (one can use it for sending registration request related notifications) but will be fundamental element of the features coming in the next release.

DETAILED LIST OF CHANGES

RELEASE 2.4.2

New features:

UY-641 Update Orcid OAuth config type and profile fetcher to 2.0 version

Bugs fixed:

UY-682 Cannot add output profile create attribute action with attribute name with ‘-‘ char.
UY-684 Using multiple trusted federations in SAML authenticator doesn’t work
UY-685 Confirming unset eamils throws NPE
UY-686 Concurrent modification in JSON parser
UY-687 Creating new output translation profile in UI is not possible without using mandatory checkbox

RELEASE 2.4.1

New features:

Bugs fixed:

UY-653 SAML IdP should add Destination attribute to signed responses
UY-663 Attribute statement UI doesn’t allow for equal instances
UY-675 LDAP password verification eats exception details
UY-676 It is possible to add attribute type with incorrect syntax configuration
UY-677 Cannot add attribute type with string value in UI.

RELEASE 2.4.0

New features:

UY-546 Last authN option used cookie should be per endpoint
UY-579 Integration with Vaadin 8
UY-601 Always allow to see the complete value of attribute
UY-624 Possibility to pre-select an IdP with queryParam
UY-640 Create new OAuth provider type for Linkedin
UY-645 Date and dateTime attribute type syntax
UY-647 Registration forms: control whther admin gets copies of user-focussed messages
UY-650 Option to activate login through a single remote IdP
UY-655 Resolve attr from OAuth to flat attributes
UY-657 Support for anonymous (no binding) use of LDAP server
UY-659 Allow for enabling user import on any IdP-like endpoint
UY-660 Add possibility to redirect the user in effect of output translation profile execution
UY-662 Make confirmation validity time configurable
UY-665 Expose requester’s attributes in output profile
UY-618 SMS notification channel
UY-627 Implement proper default credentials and cred reqs in default configuration module
UY-628 Possibility to include in one translation profile an another
UY-629 Make sure that profile won’t fail if Unity attribute is missing
UY-630 Define default set of attribute types
UY-631 Prepare default translation profiles
UY-632 Selective loading of predefined attribute type sets
UY-633 Make input translation profiles optional for authenticators
UY-634 Prepare default system output profiles
UY-635 Default output profiles on IdP endpoints
UY-636 Compact translation profile editor
UY-613 Default, available out-of-the-box setup

Bugs fixed:

UY-652 Invalid expression in group attribute statement breaks UI
UY-654 Email attribute values should be exposed in MVEL context as external strings
UY-656 Removal of attribute type can make attribute statements crashing
UY-661 SAML request processing fails on dynamic attribute with disabled consent and user preferences
UY-664 LDAP attribute type options are dropped
UY-668 Update JNA to latest

OLDER REVISIONS

Here you can download previous versions from the series and read their documentation:

RELEASE 2.4.1: DOWNLOAD DOCUMENTATION

RELEASE 2.4.0: DOWNLOAD DOCUMENTATION