2.8.2 was published on 30.05.2019


can be read from:


With the introduction of the latest Jetty HTTP server (used by Unity), it was observed that the Firefox browser has trouble connecting to Unity launched on some OpenJDK distributions (e.g. Fedora). This is due to EC TLS ciphers being disabled in the affected OpenJDK. In case of trouble, please use Oracle Java RE.


There are two distribution formats:

  • tar.gz bundle which can be unpacked and this way installed in a single directory,
  • rpm which can be installed system-wide in the Linux standard locations.

The rpm is built and tested on CentOS 7, noarch. It should also work flawlessly on SL7 and recent Fedora distributions. We may build packages for other distributions in the future; however, the tar.gz format should be fully portable. Java 8 JRE is the primary installation prerequisite. For more detailed installation information please check the Unity manual.


Release 2.8.0 brings a lot of enhancements in functionality related to communication with existing users (enquiries) and proper support for native clients, but most importantly a new web endpoint – UpMan – which allows group management to be delegated to restricted users.

When this release is installed as an update, a migration will be performed and some configuration changes are mandatory. Make sure to make a backup and read the update instructions in the documentation!

Binding agnostic authenticators

configuration update required

So far configuration of authenticators in Unity was quite challenging. Each authenticator was configured as a pair of credential verificator and credential retrieval, and each authenticator was specific to a single binding: REST, WS/SOAP or web. This required complex configuration and a lot of internal knowledge.

With the Unity 2.8.0 release this was simplified. Authenticators are no longer binding-specific; the concepts of credential verificator and retrieval are used only under the hood, so an administrator does not even need to know them. For admins who upgrade: the types of the new authenticators are the same as the former verificators, and (internally) Unity selects an appropriate retrieval automatically, depending on the type of endpoint on which the authenticator is installed.

This change requires a significant number of changes in configuration. While this may sound disturbing, the good aspect is that those changes will simplify your configuration, in some cases significantly. The upgrade documentation contains detailed instructions with examples.


By far the biggest addition to Unity in this release is a new endpoint: Unity Project Management, UpMan. This endpoint addresses a frequently raised problem: delegating management of a particular Unity group to a group administrator who otherwise has no full Unity admin rights. UpMan, besides providing a complex workaround for authorization issues, also exposes a user-friendly UI, simple and task-focused. The project manager is not bothered with Unity-specific terms and difficult pipelines; instead simple tasks are just simple.

Currently the v1 of UpMan is naturally limited — we would love to hear your thoughts!

Form enhancements

  • Sticky enquiry: a new type of enquiry is introduced, which is intended for repeatable user updates. Sticky forms can be filled in multiple times, and are not “pushed” to the users at login. Instead a user may fill one in by entering the form’s link on their own, or one of the following two features can be used:
  • Sticky enquiries on HomeUI: HomeUI can be configured to display sticky enquiry forms. If one of the forms is applicable to the user, it will be available on the web interface.
  • Invitations to enquiries: existing Unity users may be invited to fill in an enquiry in the same way as a prospective user can be invited to register with a registration form. This is especially useful in the case of sticky enquiries.
  • Grid widget & search for remote registration: so far it was only possible to create a form allowing for remote registration with one of a few enumerated remote IdPs. Now even a huge SAML federation can be exposed on a registration form, as IdPs can be presented in a grid widget with search. Forms now have similar capabilities to the authentication screen.
  • It is possible to filter allowed groups when creating an invitation to a form.
  • Flexible control of users for whom an enquiry is applicable: so far enquiries were applicable to members of one or more groups. Now additional, more complex rules can be created. An enquiry can have an MVEL expression set, targeting users more precisely. E.g. it is possible to create an enquiry for all users who are not members of a given group, or who do not possess a given attribute.

Public and native OAuth clients

Support for public and native OAuth clients, including PKCE, has been added. RFC 7636 is now supported, along with the key guidelines for authenticating native clients from RFC 8252. This feature is controlled by a new OAuth client attribute, which sets the client type to confidential or public. The only limitation is that public clients still need some password (even though not a secure one).
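The PKCE exchange from RFC 7636 that this feature relies on, as an added example (not Unity's own code): the client derives an S256 challenge from a random verifier, and the token endpoint later checks the presented verifier against the challenge stored with the authorization code. The function names and the choice to refuse the "plain" method are assumptions of this sketch, not documented Unity behaviour.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: 43-128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def new_verifier() -> str:
    """Client side: 32 random bytes, base64url encoded (43 characters)."""
    return secrets.token_urlsafe(32)


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(stored_challenge: str, method: str, code_verifier) -> bool:
    """Server side: check the verifier sent with the token request.

    stored_challenge and method are the values bound to the authorization
    code at the authorization request.
    """
    # Reject malformed verifiers before hashing (length and alphabet).
    if not isinstance(code_verifier, str):
        return False
    if not _VERIFIER_RE.fullmatch(code_verifier):
        return False
    # Policy of this example: only S256 is accepted. With "plain" the
    # challenge equals the verifier, so an observed challenge is enough
    # to redeem the code.
    if method != "S256":
        return False
    expected = s256_challenge(code_verifier).encode("ascii")
    # Constant-time comparison of the recomputed and stored challenge.
    return hmac.compare_digest(expected, stored_challenge.encode("utf-8"))


# Test vector from RFC 7636, Appendix B.
RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
```
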

Other notable changes

  • Support of PNG and GIF images in attributes. Thanks to Remek, our new contributor, Unity has a new attribute syntax: ‘image’. It is a replacement for the legacy jpegImage (still supported for backwards compatibility). The new syntax supports not only JPEG images, but also GIFs and PNGs. What is more, it preserves the original quality of the JPEG image, which was not the case with the legacy jpegImage.
  • Experimental open & private groups. Unity groups can be marked as ‘public’. Doing this alone has no practical effect, but there is an additional feature which can be found on enquiry and registration forms: group enrollment in a form can be limited to public, or non-public (private) groups only. This feature allows for creating autoaccepted forms for less restricted groups, while keeping the remaining groups regularly secured. Important note: this feature is experimental and may quite likely evolve, becoming for instance a group tagging feature.
  • Historical passwords (used for checking recent passwords) are removed when password hashing policy is changed.
  • After modification of local credential config, authenticators using it are automatically refreshed. Up to now this had to be done manually.
  • A larger default limit on maximum attribute size (was around 60kB) is now available, and the limit is configurable.


New features:
  • UY-543 Plain HTTP mode for starting Unity behind an SSL proxy
  • UY-887 Allow for killing in-progress external authN on demand
  • UY-900 Support XFF header for deployments behind proxy
Bugs fixed:
  • UY-871 Invalid email causes 500 when querying admin endpoint.
  • UY-881 Entity’s displayed name is not shown if defined by dynamic attribute
  • UY-886 Recreation of original URL fails when mandatory to encode characters used in URL
  • UY-894 Block invitations of existing members in Upman
  • UY-895 Proper mime type for oauth keys resource
  • UY-896 Support of external-only signup
  • UY-899 Improper empty enquiry behaviour
New features:
  • UY-869 Improve authN and consent screen rendering on mobile devices
Bugs fixed:
  • UY-865 CORS not working
  • UY-866 Session cleaning thread can be killed in case of DB connection problem
  • UY-867 Unity endpoint name change not taken when reloading an endpoint
  • UY-870 Invalid docs and defaults of user’s home endpoint disabling UI parts
  • UY-875 LDAP password authenticator may be broken for bindings supporting cert authn
New features:
  • UY-343 Support all web usable image formats
  • UY-776 server-web-admin should not depend on engine, but on engine-api
  • UY-796 Sticky Enquiry
  • UY-797 Federation choice widget for registration
  • UY-798 AdminUI: configuration of managed groups
  • UY-799 Filter allowed groups in invitations
  • UY-800 Invitations to enquiries
  • UY-801 Open groups support in forms
  • UY-802 DelegatedGroupManager
  • UY-803 Group management UI: core
  • UY-804 Group management UI: members
  • UY-805 Group management UI: groups
  • UY-806 Group management UI: invitations
  • UY-807 Group management UI: requests
  • UY-808 Wire group management UI in HomeUI
  • UY-825 Do not store password history entries with outdated hash
  • UY-828 Make max accepted attribute size configurable
  • UY-831 Binding agnostic authenticators
  • UY-840 When local credential is updated authenticators using it should be refreshed
  • UY-845 Support OAuth native clients using PKCE
  • UY-849 Generation and validation of forms for easier group delegation config
  • UY-850 Flexible control of users for whom enquiry is applicable
  • UY-811 Read only, selected attributes support for group man UI
Bugs fixed:
  • UY-832 Creating invitation with empty expiration date causes NPE
  • UY-846 Registration form does not adjust form information


Here you can download previous versions from the series and read their documentation: