
Releases: adroitts/identix

IDP Broker v1.0.8-beta

12 Jan 15:20
50c2864


Pre-release

Identity Broker v1.0.7 Beta - Release Notes


Breaking Through Microsoft Entra ID Limitations

The Problem Microsoft Can't Solve

Microsoft Entra External ID currently does not support configuring other Microsoft Entra tenants as external identity providers:

"Configuring other Microsoft Entra tenants as an external identity provider is currently not supported. So, the microsoftonline.com domain in the issuer URI isn't accepted."

Microsoft Learn: Custom OIDC Federation

Identity Broker solves this. Deploy a lightweight, enterprise-ready OIDC broker that enables seamless federation across:

  • Multiple Microsoft Entra ID tenants
  • Google Workspace
  • Okta
  • Auth0
  • Azure AD B2C
  • Any OIDC-compliant identity provider

What's New in v1.0.7 Beta

New Features

1. Advanced Branding Customization

  • Custom Login Experience: Fully customizable Home Realm Discovery (HRD) page
  • Logo Upload: Support for custom logos with size presets (small, medium, large)
  • Background Options:
    • Solid colors with color picker
    • Linear gradients with direction control
    • Custom background images
  • Button & Card Styling: Customize colors to match your brand identity
  • Live Preview: See changes in real-time before applying

2. Comprehensive Audit Logging

  • Dual Logging Strategy: Database + file-based logging
  • Sign-In Event Tracking:
    • User email and selected identity provider
    • Success/failure status with error details
    • IP address detection (proxy-aware for X-Forwarded-For)
    • User agent tracking
    • Session correlation
  • Admin Dashboard:
    • Real-time statistics (24h, 7d, total, unique users)
    • Filter by email and status
    • Download log files for SIEM integration
  • Configurable Log Directory: Supports both local development and production paths
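The "proxy-aware for X-Forwarded-For" bullet hides the main pitfall of IP logging behind a load balancer: the header is set by whoever connects, so an attacker can plant any address in it and corrupt the audit trail. The following is an added example written for this page, not the Identity Broker's own code. It assumes a configurable allow-list of the operator's own proxies (the constructed TRUSTED_PROXIES ranges) and honours the header only when the TCP peer is one of them, walking the chain from the right past our own proxies to the first address we did not add ourselves.

```python
"""Proxy-aware client IP extraction for sign-in audit records (added example)."""
import ipaddress
from typing import List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumption: the operator lists the reverse proxies / load balancers that sit
# in front of the broker. Only these peers are allowed to set X-Forwarded-For.
# The ranges below are constructed sample values.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.1/32")]


def _parse_ip(text: str) -> Optional[IPAddress]:
    """Parse one address; tolerate an IPv4 ':port' suffix; return None if malformed."""
    text = text.strip()
    if text.count(":") == 1:            # "203.0.113.7:51234" style entry from some proxies
        text = text.split(":", 1)[0]
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _is_trusted(ip: IPAddress) -> bool:
    # `in` is False when the address and network are of different IP versions.
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff_header: Optional[str]) -> str:
    """Return the address to record for a sign-in event.

    remote_addr: the TCP peer address seen by the application server.
    xff_header:  the raw X-Forwarded-For header value, or None if absent.
    """
    peer = _parse_ip(remote_addr)
    if peer is None:
        raise ValueError(f"invalid remote address {remote_addr!r}")
    # A peer that is not one of our proxies could have forged the header: ignore it.
    if not xff_header or not _is_trusted(peer):
        return str(peer)
    # Walk the chain from the right (the hop nearest to us first). Every hop that
    # is one of our own proxies is skipped; the first one that is not is the
    # address our edge proxy actually saw. Anything further left was supplied by
    # the client and is never trusted.
    hops: List[Optional[IPAddress]] = [_parse_ip(h) for h in xff_header.split(",")]
    for hop in reversed(hops):
        if hop is None:
            # Malformed entry before we reached a client address: distrust the chain.
            return str(peer)
        if not _is_trusted(hop):
            return str(hop)
    # Every hop was one of our proxies (e.g. an internal health check).
    return str(peer)


if __name__ == "__main__":
    # Constructed sample requests: direct, behind one proxy, and a forged header.
    print(client_ip("203.0.113.50", None))
    print(client_ip("10.0.0.5", "198.51.100.9, 10.0.0.7"))
    print(client_ip("10.0.0.5", "1.2.3.4, 198.51.100.9, 10.0.0.7"))
```

The detection value of the audit log depends on this choice: if the broker records the left-most address, a failed-login spray can be made to look like it comes from a different IP on every attempt, and per-IP statistics or SIEM rules keyed on the address become meaningless.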

3. Enhanced Security Configuration

  • Static Resource Protection: Improved Spring Security configuration for uploaded assets
  • Dynamic Icon System: Context-aware UI icons based on current admin page

Improvements

  • Better error handling in OAuth2 callback flows
  • Optimized database queries for sign-in log retrieval
  • Enhanced IP address extraction for load-balanced environments
  • Improved file upload validation (2MB limit, image type checking)

Bug Fixes

  • Fixed Thymeleaf SpEL parsing errors in HRD template
  • Resolved 404 errors for uploaded branding assets
  • Fixed JPA enum comparison in audit log queries
  • Corrected Alpine.js data binding for dynamic header icons

Core Features

1. OpenID Connect (OIDC) Broker

Identity Broker acts as a standards-compliant OIDC Provider that federates authentication to upstream identity providers:

  • Dynamic Provider Selection: Automatically routes users to their organization's IdP
  • Token Translation: Converts upstream tokens to your application's token format
  • Claims Mapping: Flexible attribute mapping from any IdP to your applications
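Token translation is where a broker can quietly create cross-tenant account collisions: an upstream `sub` is only unique within its issuer, so two IdPs may legitimately hand out the same value for different people. The example below is added for this page and is not the project's own implementation; the IdpConnection shape, the `idp` and `upstream_sub` claim names and the `|` separator are assumptions. It checks that the upstream token's issuer is the one the connection was configured for, namespaces `sub` with the connection id, applies the per-connection attribute map, and refuses to copy registered claims (`aud`, `exp`, `nonce`, ...) that the broker must mint itself.

```python
"""Claims mapping for a brokered OIDC login (added example, not project code)."""
from dataclasses import dataclass, field
from typing import Any, Dict, Tuple


@dataclass
class IdpConnection:
    """One upstream OIDC connection as configured in the broker (assumed shape)."""
    connection_id: str                                       # e.g. "entra-tenant-a"
    expected_issuer: str                                     # issuer configured for it
    claim_map: Dict[str, str] = field(default_factory=dict)  # upstream name -> broker name
    passthrough: Tuple[str, ...] = ("email", "name", "given_name", "family_name")


class ClaimsMappingError(ValueError):
    pass


# Registered claims the broker issues itself; never copied from the upstream token.
_RESERVED = {"iss", "aud", "exp", "iat", "nbf", "nonce", "azp", "at_hash", "c_hash"}


def map_claims(conn: IdpConnection, upstream: Dict[str, Any]) -> Dict[str, Any]:
    """Build the broker's claim set from a validated upstream token's claims.

    Signature, audience and expiry of the upstream token are assumed to have
    been verified already; this function only decides which values may cross
    the broker boundary and under which names.
    """
    # 1. The token must come from the issuer this connection was configured for,
    #    so a token minted by Tenant B is never accepted on Tenant A's connection.
    if upstream.get("iss") != conn.expected_issuer:
        raise ClaimsMappingError(
            f"issuer {upstream.get('iss')!r} does not match connection {conn.connection_id}")
    sub = upstream.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ClaimsMappingError("upstream token carries no usable sub")

    # 2. Namespace the subject with the connection id. Subjects are unique per
    #    issuer only, so without this two IdPs could collide on the same user id.
    out: Dict[str, Any] = {
        "sub": f"{conn.connection_id}|{sub}",
        "idp": conn.connection_id,
        "upstream_sub": sub,
    }

    # 3. Explicitly mapped attributes win over plain pass-through of profile claims.
    for src, dst in conn.claim_map.items():
        if dst == "sub" or dst in _RESERVED:
            raise ClaimsMappingError(f"claim_map may not target reserved claim {dst!r}")
        if src in upstream:
            out[dst] = upstream[src]
    for name in conn.passthrough:
        if name in upstream and name not in out and name not in _RESERVED:
            out[name] = upstream[name]
    return out


if __name__ == "__main__":
    # Constructed sample: an Entra ID v2.0 token routed through a "Tenant A" connection.
    # TENANT-A-ID-PLACEHOLDER stands in for the real tenant id.
    conn = IdpConnection(
        "entra-tenant-a",
        "https://login.microsoftonline.com/TENANT-A-ID-PLACEHOLDER/v2.0",
        {"tid": "tenant_id", "oid": "object_id"},
    )
    token = {"iss": conn.expected_issuer, "sub": "upstream-sub-1", "aud": "app-client-id",
             "exp": 1700000000, "tid": "TENANT-A-ID-PLACEHOLDER", "oid": "obj-1",
             "email": "alice@contoso.com", "name": "Alice"}
    print(map_claims(conn, token))
```

Keeping `upstream_sub` and `idp` as separate claims lets the relying party correlate a brokered identity back to the originating tenant when investigating an incident, without having to parse the composite `sub`.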

2. Home Realm Discovery (HRD)

Intelligent user routing based on email domain:

  • Email-Based Routing: Enter email once, automatically redirect to correct IdP
  • Multi-Domain Support: Single IdP can handle multiple email domains
  • Domain Hints: Optional domain_hint parameter for direct IdP selection
  • Custom Branding: Fully white-labeled login experience

3. Multi-Tenant Microsoft Entra ID Federation

The feature Microsoft doesn't support:

  • Federate users from multiple Microsoft Entra ID tenants (Tenant A, B, C, etc.)
  • Each tenant configured as a separate OIDC connection
  • Domain-based routing (e.g., user@companya.com → Tenant A, user@companyb.com → Tenant B)
  • Seamless user experience with automatic tenant detection

4. Universal Identity Provider Support

Connect any OIDC/OAuth2 provider:

  • Microsoft: Entra ID, Azure AD B2C
  • Google: Google Workspace, Gmail
  • Enterprise: Okta, Auth0, Ping Identity, ForgeRock
  • Social: Facebook, GitHub, GitLab
  • Custom: Any OIDC-compliant provider

5. Advanced Multi-Domain Mapping

  • Single IdP configuration can serve multiple email domains
  • Domain-to-IdP mapping stored in database
  • Dynamic configuration without application restart
  • Admin UI for easy domain management
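Home Realm Discovery, per-tenant Entra ID connections and the multi-domain mapping above all reduce to one lookup: the domain part of what the user typed, or an optional domain_hint, selects a connection id. The block below is an added example, not the Identity Broker's own routing code; the DOMAIN_TO_IDP table and connection ids are constructed stand-ins for what the product keeps in its database. The security-relevant details are that the domain is normalised (case, trailing dot, IDNA) before matching, that an address with more than one `@` is rejected, and that a domain_hint is honoured only when it names a configured domain, so a crafted hint can never steer a login to a provider the operator did not map.

```python
"""Home Realm Discovery by email domain (added example, not project code)."""
from typing import Dict, Optional

# Constructed sample mapping. In the product this is the admin-managed
# domain-to-IdP table; one connection may serve several domains.
DOMAIN_TO_IDP: Dict[str, str] = {
    "contoso.com": "entra-tenant-a",
    "contoso.co.uk": "entra-tenant-a",
    "fabrikam.com": "entra-tenant-b",
    "woodgrove.com": "google-workspace",
}


class HrdError(ValueError):
    pass


def normalize_domain(domain: str) -> str:
    """Lower-case, strip a trailing dot and IDNA-encode a domain for table lookup.

    IDNA encoding means a Unicode look-alike such as a Cyrillic 'о' in
    'cоntoso.com' becomes an xn-- label and cannot match the ASCII entry.
    """
    d = domain.strip().rstrip(".").lower()
    if not d or "@" in d or "/" in d or any(c.isspace() for c in d):
        raise HrdError(f"invalid domain {domain!r}")
    try:
        return d.encode("idna").decode("ascii")
    except UnicodeError as exc:
        raise HrdError(f"invalid domain {domain!r}") from exc


def domain_of(email: str) -> str:
    """Extract the routing domain from an email address; exactly one '@' is required."""
    email = email.strip()
    if email.count("@") != 1:
        raise HrdError("not an email address")
    local, _, domain = email.partition("@")
    if not local:
        raise HrdError("not an email address")
    return normalize_domain(domain)


def select_idp(email: Optional[str] = None, domain_hint: Optional[str] = None,
               table: Dict[str, str] = DOMAIN_TO_IDP) -> Optional[str]:
    """Return the connection id to redirect to, or None if the user must choose."""
    if domain_hint:
        try:
            hinted = table.get(normalize_domain(domain_hint))
        except HrdError:
            hinted = None
        if hinted:
            return hinted
        # An unknown or malformed hint is simply ignored, never trusted.
    if email:
        return table.get(domain_of(email))
    return None


if __name__ == "__main__":
    # Constructed sample inputs: mixed case, an unmapped domain, and a bad hint.
    print(select_idp("Alice@Contoso.COM"))
    print(select_idp("x@unknown.example"))
    print(select_idp("bob@fabrikam.com", domain_hint="attacker.example"))
```

Returning None rather than a default connection for an unmapped domain is deliberate: silently sending unknown users to, say, Tenant A's login would leak that tenant's existence and invite credential-phishing confusion, whereas showing the provider picker keeps the routing decision explicit.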

6. Enterprise Secret Management

Securely store client secrets with multiple backend options:

  • Local: AES-256 encrypted secrets with configurable encryption key
  • HashiCorp Vault: Transit engine for encryption-as-a-service
  • AWS Secrets Manager: Native AWS integration
  • Azure Key Vault: Managed secrets in Azure cloud
  • Rotation Support: Update secrets without downtime

7. Comprehensive Audit & Monitoring

  • Sign-In Logs: Track every authentication attempt with full context
  • Admin Activity Logs: Record all configuration changes
  • Statistics Dashboard: Real-time metrics and insights
  • Export Capabilities: Download logs for external analysis
  • SIEM Integration: File-based logs compatible with log shippers

8. Admin Console

Full-featured administrative interface:

  • IdP Configuration Wizard: Step-by-step setup for new providers
  • Domain Management: Map domains to identity providers
  • Branding Customization: White-label the login experience
  • Audit Log Viewer: Search and filter authentication events
  • RP Client Management: Configure relying party applications
  • Dashboard: System health and usage statistics

9. Production-Ready Architecture

  • SQLite Database: Zero-configuration, file-based persistence
  • Optional Redis: Session storage for horizontal scaling
  • JWT Signing: RSA key pairs with JWKS endpoint
  • Health Checks: Actuator endpoints for monitoring
  • Configurable Issuer: Static or dynamic URL detection
  • Session Management: Configurable timeouts and tracking

Architecture Overview

┌─────────────────┐
│   Application   │
│ (Relying Party) │
└────────┬────────┘
         │ OIDC
         │
    ┌────▼─────────────────────────┐
    │   Identity Broker (v1.0.7)   │
    │  ┌─────────────────────────┐ │
    │  │  Home Realm Discovery   │ │
    │  └─────────────────────────┘ │
    │  ┌─────────────────────────┐ │
    │  │  OIDC Provider Engine   │ │
    │  └─────────────────────────┘ │
    │  ┌─────────────────────────┐ │
    │  │   Audit & Logging       │ │
    │  └─────────────────────────┘ │
    └───┬────────┬──────────┬──────┘
        │        │          │
   ┌────▼───┐ ┌──▼──────┐ ┌─▼────────┐
   │ Entra  │ │ Google  │ │   Okta   │
   │Tenant A│ │Workspace│ │Enterprise│
   └────────┘ └─────────┘ └──────────┘
   ┌────────┐ ┌─────────┐ ┌──────────┐
   │ Entra  │ │  Auth0  │ │  Custom  │
   │Tenant B│ │         │ │   OIDC   │
   └────────┘ └─────────┘ └──────────┘

Use Cases

1. Multi-Tenant SaaS Applications

Your SaaS serves enterprise customers, each with their own Microsoft Entra ID tenant:

  • Customer A (tenant: contoso.com)
  • Customer B (tenant: fabrikam.com)
  • Customer C (tenant: woodgrove.com)

Without Identity Broker: you can't federate to multiple Entra ID tenants (a Microsoft limitation).

With Identity Broker:

  1. Configure each tenant as a separate OIDC connection
  2. Map domains: *@contoso.com → Tenant A, *@fabrikam.com → Tenant B
  3. Users enter email, automatically routed to their corporate IdP
  4. Single OIDC integration in your application

2. Merger & Acquisition Scenarios

A company has acquired multiple organizations, each with a different identity system:

  • Legacy employees: Google Workspace
  • Acquired Company A: Microsoft Entra ID
  • Acquired Company B: Okta
  • Contractors: Auth0

Solution: Identity Broker provides a single sign-on experience across all identity systems while you migrate to a unified directory.

3. Partner/Customer Portal

A B2B application needs to support customer authentication:

  • Internal employees: Your corporate Entra ID
  • Partner A employees: Their Entra ID tenant
  • Partner B employees: Their Google Workspace
  • Individual customers: Social login (Google, Facebook)

Solution: Configure all upstream IdPs in Identity Broker, enable domain-based routing, and provide a single login URL to all users.

4. Development/Staging/Production Isolation

Separate Entra ID tenants for each environment:

  • dev.yourcompany.com → Dev Tenant
  • staging.yourcompany.com → Staging Tenant
  • yourcompany.com → Production Tenant

Solution: Identity Broker routes developers to the appropriate tenant based on their email domain.

Deployment Options

Option 1: Virtual Machine (VM) Deployment

System Requirements

  • OS: Linux (Ubuntu 22.04 LTS, RHEL 8+, Amazon Linux 2023) or Windows Server 2019+
  • Java: OpenJDK 21 or higher
  • Memory: Minimum 512MB RAM, Recommended 1GB+
  • Storage: 2GB minimum (for application + logs + database)
  • Network: Ports 8080 (HTTP) or 443 (HTTPS with reverse proxy)

Installation Steps

# 1. Install Java 21
sudo apt update
sudo apt install openjdk-21-jre-headless -y

# Verify installation
java -version

# 2. Create application directory
sudo mkdir -p /opt/idp-broker
sudo mkdir -p /opt/idp-broker/data
sudo mkdir -p /opt/idp-broker/logs

# 3. Download the WAR file
cd /opt/idp-broker
sudo wget https://github.com/adroitts/idp-broker/releases/download/v1.0.7-beta/idp-broker-1.0.7-beta.war

# 4. Create application user (security best practice)
sudo useradd -r -s /bin/false idpbroker
sudo chown -R idpbroker:idpbroker /opt/idp-broker

# 5. Create environment configuration
sudo tee /opt/idp-broker/application.env > /dev/null <<EOF
# Broker Configuration
BROKER_ISSUER=https://idp.yourdomain.com
BROKER_ISSUER_DYNAMIC=false

# Database Path
DB_PATH=/opt/idp-broker/data/id...

IDP Broker

12 Jan 13:06
50c2864


Pre-release

Full Changelog: https://github.com/adroitts/identix/commits/v1.0.7-beta


IDP Broker main-3189

13 Jun 05:33
50c2864


Pre-release

Release Notes for

  • Release Date: June 13, 2026
  • Artifact: idp-broker.war
  • SHA256: 3fb7b4edda5c31caa51989d74377d4b317970537c7fdc96573c4cc8eed181cd7
  • Download Link

IDP Broker main-3179

11 Jun 00:35
50c2864


Pre-release

Release Notes for

  • Release Date: June 11, 2026
  • Artifact: idp-broker.war
  • SHA256: 2733311b8b39204f2093dcad474c060beeab3584b56617e2fc57d60b60399809
  • Download Link

IDP Broker main-3177

10 Jun 14:29
50c2864


Pre-release

Release Notes for

  • Release Date: June 10, 2026
  • Artifact: idp-broker.war
  • SHA256: 8e6860afba3c89386ad3e8339e7d038a46694bc161681775d03ae8dc2d641f66
  • Download Link

IDP Broker main

09 Jun 18:32
50c2864


Pre-release

Release Notes for

  • Release Date: June 09, 2026
  • Artifact: idp-broker.war
  • SHA256: 1aaaa6eaf8996b115cee79c3174c735a6f7f59d9ba0bd6be55c0eef5d6548be1
  • Download Link