2.7.3 Release Notes

This release fixes a backwards incompatibility issue with the allowUnverifiedUsers flag. As part of the previous release, unverified users in any zone other than the default (uaa) zone would not be allowed to log in irrespective of what the flag was set to. This change has now been reverted and the allowUnverifiedUsers applies to all zones again.

UAA 2.7.2

Features

• The password_resets endpoint now takes optional client_id and redirect_uri parameters and returns the user id and verification code in the response.
• SAML authentication failures now show error messages instead of losing all context.
• UAA SAML Auth now supports NameIDs other than email.
• LDAP role/group memberships exposed in OpenID Connect JWT.
  • attributeMappings (map UAA scopes to LDAP roles) and externalGroupsWhitelist (external groups allowed to populate token) properties added
• allowUnverifiedUsers flag only affects default zone. Other zones do not allow unverified users and are not affected by the flag.
• Retain client context when user clicks on "Reset password", as long as their browser session remains intact.
• /password_change endpoint now returns an autologin code. This code can be used to hit /autologin which logs the user in and redirects to the saved request (if any).
• Introduced a uaa.jwt.claims.exclude property that allows excluding claims from the JWT obtained via client credentials.
• Users in the default zone can manage other zones using the subdomain, using the X-Identity-Zone-Subdomain header.
• The /check_token endpoint now makes sure that the scopes and authorities in the token are still valid.
• Add support for inviting users whose username is not the same as their email in an external user store.
  • SAML
  • LDAP
• UAA doesn't require SAML cert and key if SAML is not being used.
• Access token and refresh token expiry configurable globally per zone.
  • will be used if client does not have these properties set
• requestsSigned and wantAssertionSigned SAML properties exposed per zone in SamlConfig.

Bug Fixes

• Hitting the /password_change API endpoint with an invalid/expired code now returns an error message instead of a 500.
• If an unverified user tries to log in and unverified users are not allowed, a verification email is not resent. Instead, users are expected to create a new account or reset their password.
• Token permissions are now validated by checking the scopes instead of authorities.
  • Note: uaa.admin or clients.admin scope must be requested if clients wish to be able to change other client's secrets.

Backwards Incompatible

• Disabling self-service links doesn't remove links from /info or /login JSON responses.
  • /info endpoint now returns Map<String,String[]> prompt instead of List<Map<String,String[]>>

UAA 2.7.1

Features

• CORS Filter improvements - do not enforce on same origin requests
• Store SAML user information in UAA shadow account
• Store LDAP user information in UAA shadow account
• OpenID Connect token can contain external SAML user groups when using roles scope
• Add ability to map SAML groups to UAA scopes
• Serialize authentication origin details during authorization_code/implicit flow
• Populate id_token with custom user claims
• Update user attributes when SAML/LDAP users authenticate
• Support LDAP referrals and don't throw exception during partial results
• Add API for user verification link generation
• Store all zone subdomains as lowercase, and subdomains are case insensitive
• Add ability to map LDAP attributes to custom claims in id_token

Bug Fixes

• Remove unused invitations response segment
• Autlogin uses context sensitive redirect to avoid domain name change
• Zone resolver should not throw an error if zone is not found

Misc

• Upgrade Flyway plugin in Gradle build
• Clarify external config file usage
• Refactor the UAA zone LDAP provider to be identical configuration as any other zone LDAP IDP

UAA 2.7.0.3 Release Notes

This release adds support for Client IDs longer than 36 Characters.

UaaTokenStore doesn't support client_ids longer than 36 chars

UAA Release 2.7.0.2

Backwards Compatibility for ID_Token Response

During the invocation of the /oauth/authorize URL, the normal process is to specify response_type=code
Some libraries have been specifying response_type=code+id_token
This is a OpenID Connect extension. Previously the UAA ignored the id_token response_type, but now we have added support. This changes the response of the /oauth/authorize. The main change is that the Location header will have a Fragment (#) and not a Query String (?)

This is a hot-fix release which addresses the backwards compatibility issue with handling of id_token in response.
The properties is exposed in the UAA YML:
oauth:
id_token:
disable:

UAA 2.7.0 Release Notes

Features

• Support for OpenID hybrid flow code + id_token response type
• Add the ability to disable authenticating against internal user store
• Filter the user results from the ids/users endpoint based on active identity providers
• Expose Logout Redirect URI per client

Bug Fixes

• CORS filter blocks same origin requests

UAA 2.6.2 Release Notes

Non-Browser Authorization Code Flow Support

Authorize endpoint now supports token based authentication in addition to the regular web based authentication flow. API Details can be found here

UAA 2.6.1 Release Notes

Features

• Moved UAA to Java 8 only support
• Work in Progress - Support for Allowed Domains on Identity Providers to enable discovery
  • Associate an Identity Provider with One or More allowed domains via YML/Manifest
  • Allow one or more email domains to be associated with an Identity provider via API
• Enable log rotation for UAA Logs via Bosh
• Respect nonce authorization
• Added origin in JWT token and refresh token.
• New "token_keys" endpoint (JWKS Set Format)

Bug Fixes

• Users who haven't modified their password see the sad cloud page after login.
• Inviting an existing user causes "Uh oh Something went amiss"
• Zone users can't see the groups they create
• Reject duplicate entityID when creating SAML providers
• Migration logic to zonefied groups

UAA 2.5.1 Release Notes

Features

• Added multi-tenant support for scim groups, group memberships and external group mappings
  • SCIM Groups should be zone aware
• Enable scopes for finer grained administration of Identity Providers, Users, Groups & Clients in an Identity Zone
  • Expose new scope for reading identity providers in a zone
  • Add finer grained scope for reading a single identity zone
  • Extend /Groups/zones endpoint to allow zone management scopes
  • Add an endpoint for deleting members from zone management groups.
• Support for email notifications to be sent out via the notification service for user creation, password management & account management for users in an identity zone.
  • Use the emails endpoint for sending all UAA email notifications
• Modified CORS filter so that allowed headers for XHR requests is configurable

Bug Fixes

• When creating a Zone specific User Account, Pivotal ID Branding is being displayed
• Email for Zone Specific Create Account shows Pivotal ID wording and branding
• Invitations flow requires a user to be logged in when accepting invite

UAA 2.4.1 Release Notes

Features

• Update the Identity Provider End Point to save and retrieve Lockout policy per zone
• Show relevant message after user lockout
• Updated SAML identity provider configuration to accept an addShadowUser property to govern shadow account creating during SAML Authentication
• Expose Managing /Users & /Groups to a Zone Admin
• New Scope for Creating Clients in a Zone
• Allow to build uaa with Java 8

Bug Fixes

• UAADB Housekeeping: Clean up unused/expired oauth_codes and one time passcodes
• Querying users with pagination will return duplicate users
• Serialization/deserialization issues of Java Objects stored in UAADB