Release Highlights

The 3.13.0 release implements several requests from the OSS community. The main development effort went into reducing technical debt while preparing for the changes planned for Unity 4. The effects of that work are not visible yet; they will pay off with the next major release.

Registration form information for remote signup

Registration forms can carry separate second-stage form information. It is shown, together with a separately configured title, after the user returns from the remote IdP during signup with a remote identity.

Support for Unity certificate rollover for SAML IdP and SP

The Unity SAML IdP allows an additional credential to be configured. This credential is advertised in the generated metadata as another certificate. It is useful for IdP certificate rollover: for a short time, service providers in the federation can learn the new certificate and prepare to accept it before the IdP switches to it.

A similar, but more complex, feature was added to the SAML authenticator (an SP in SAML nomenclature). An additional credential can be configured and used to decrypt incoming messages (typically authentication or attribute assertions) as an alternative to the main credential. Whether this alternative credential is included in the generated SAML metadata is configurable.

SP configuration is more complex because the certificate rollover process itself has more steps. Typically the administrator first advertises the new certificate in metadata while already being able to accept messages encrypted with it (step 1). Next the credentials are swapped: the new one becomes the main credential and the old one is removed from metadata, but decryption with the old credential remains possible until identity providers have picked up the new metadata (step 2).
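The two-step rollover above has one invariant worth checking on the SP side at every step: every certificate the SP advertises for encryption must correspond to a private key the SP can still decrypt with, otherwise an IdP that encrypts with the advertised key produces assertions the SP cannot open. The following added example (not Unity code, and not tied to Unity's configuration keys) builds minimal SP metadata, extracts the advertised encryption certificates, and checks them against the set of decryption credentials. The entity ID, URLs and "certificate" payloads are constructed placeholders: the base64 blobs are not real DER certificates, so the fingerprints are simply SHA-256 over the decoded bytes. The same check, applied to `use="signing"` descriptors, covers the IdP case where both the old and the new signing certificate are advertised.

```python
"""Check SAML SP metadata against the credentials the SP can actually decrypt with.

Added example, not Unity code. Metadata and certificate payloads are constructed.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed placeholders standing in for DER-encoded certificates.
OLD_CERT = b"constructed-old-sp-certificate"
NEW_CERT = b"constructed-new-sp-certificate"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a (here: placeholder) DER certificate."""
    return hashlib.sha256(der).hexdigest()


def sp_metadata(advertised: list) -> str:
    """Minimal SP metadata with one KeyDescriptor use="encryption" per advertised certificate."""
    kds = "".join(
        '<md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{base64.b64encode(c).decode()}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        for c in advertised
    )
    return (
        f'<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" '
        'entityID="https://sp.example.org/saml">'
        '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f"{kds}"
        '<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        'Location="https://sp.example.org/saml/acs" index="0"/>'
        "</md:SPSSODescriptor></md:EntityDescriptor>"
    )


def advertised_encryption_fingerprints(metadata_xml: str) -> set:
    """Fingerprints of every certificate the metadata offers for encryption.

    A KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption, so it is included as well.
    """
    root = ET.fromstring(metadata_xml)
    fps = set()
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") not in (None, "encryption"):
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            der = base64.b64decode("".join(cert.text.split()))
            fps.add(fingerprint(der))
    return fps


def rollover_problems(metadata_xml: str, decryptable: list) -> list:
    """Advertised encryption certificates whose private key the SP does not hold.

    An empty list means the metadata is safe to publish at this rollover step.
    """
    held = {fingerprint(c) for c in decryptable}
    return sorted(advertised_encryption_fingerprints(metadata_xml) - held)


# The rollover steps from the release notes, plus the misconfiguration to avoid.
STEP1_MD = sp_metadata([OLD_CERT, NEW_CERT])   # advertise both, decrypt with both
STEP2_MD = sp_metadata([NEW_CERT])             # advertise new only, still decrypt with old
BROKEN_MD = sp_metadata([NEW_CERT])            # advertise new, but only old key configured

if __name__ == "__main__":
    print(rollover_problems(STEP1_MD, [OLD_CERT, NEW_CERT]))
    print(rollover_problems(STEP2_MD, [NEW_CERT, OLD_CERT]))
    print(rollover_problems(BROKEN_MD, [OLD_CERT]))
```

Run it against the metadata your SP actually publishes and the credentials it is configured with after each step; the third case is what happens when the old credential is removed before the new one is configured for decryption.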

User attributes as claims in OAuth JWT tokens

OAuth clients may request that user attributes be included as claims in the OAuth access token (when it is issued as a JWT) and/or in the OIDC ID token.
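Whichever token the attributes land in, the consumer must verify the token before reading the claims: the access token is verified by the resource server, the ID token by the client, and each checks its own audience. The following added example (not Unity code) constructs both tokens with user attributes as claims, verifies them, and reports which requested attributes each party actually received. The tokens are HMAC-signed (HS256) with a shared test key only so the example runs offline; the claim names "email" and "groups", the issuer and the audiences are assumptions for illustration, not Unity's documented claim set.

```python
"""Verify constructed JWTs and report which user attributes arrived as claims.

Added example, not Unity code. Key, issuer, audiences and claim names are assumed.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact JWS with HS256 (test-only; a real IdP would use an asymmetric key)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes, audience: str, now: float) -> dict:
    """Return the claims only if alg, signature, audience and expiry all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def attribute_claims(claims: dict, requested: set) -> dict:
    """Which of the requested user attributes are present in a verified token."""
    return {name: claims[name] for name in sorted(requested) if name in claims}


KEY = b"constructed-test-key"          # constructed shared secret
NOW = 1_700_000_000                    # fixed clock so the example is deterministic
USER_ATTRS = {"email": "alice@example.org", "groups": ["/staff", "/admins"]}

# Constructed tokens: the access token targets the resource server, the ID token the client.
ACCESS_TOKEN = sign_hs256(
    {"iss": "https://idp.example.org", "sub": "alice", "aud": "https://api.example.org",
     "exp": NOW + 600, "scope": "openid profile", **USER_ATTRS}, KEY)
ID_TOKEN = sign_hs256(
    {"iss": "https://idp.example.org", "sub": "alice", "aud": "client-app",
     "exp": NOW + 600, "email": USER_ATTRS["email"]}, KEY)


def resource_server_view() -> dict:
    """Attributes the API sees after verifying the access token for its own audience."""
    return attribute_claims(verify_hs256(ACCESS_TOKEN, KEY, "https://api.example.org", NOW),
                            {"email", "groups"})


def client_view() -> dict:
    """Attributes the client sees after verifying the ID token for its own audience."""
    return attribute_claims(verify_hs256(ID_TOKEN, KEY, "client-app", NOW), {"email", "groups"})


def is_accepted(token: str, key: bytes, audience: str, now: float = NOW) -> bool:
    try:
        verify_hs256(token, key, audience, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(resource_server_view())
    print(client_view())
```

Note that the client must not read attributes out of the access token: it is not the audience of that token, and in the example `is_accepted(ACCESS_TOKEN, KEY, "client-app")` is rejected for exactly that reason.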

Other improvements

  • Updates to a realm are picked up automatically by the endpoints using it. Previously the endpoints had to be reloaded manually.
  • For certain second-factor credentials, such as OTP, an invalid attempt no longer resets the whole authentication and returns the user to the first factor. Instead the second-factor credential can be entered again.
  • The UpMan invitations grid no longer crashes when some invitations have not been sent yet.

Upgrade from 3.12.x

Version 3.13 includes a significant rewrite of the database access code. This change is the last preparation step for the 4.0 major release.

While we have put great effort into ensuring that DB access behaviour is unchanged, it is advised to test the new release before putting it into production.

No database migration was included in this release.