Release 3.1.0

View Diff

• Use saml-libs release that removes eIDAS code
• Pull dependencies for public builds from Maven Central.
• Update logback library to version 1.2.9
• Upgrade to Dropwizard 2

Zip file should have the following checksum:

$ shasum -1 256 /tmp/verify-service-provider-3.1.0.zip
25099bcdcfa154bf4236fcd0f8b954778a2e75ea937f0f40fb986f9ee8b9868f  /tmp/verify-service-provider-3.1.0.zip

Release 3.0.0

View Diff

• Removed processing of assertions received from EU Member States. The configuration parameter europeanIdentity, if present, and child elements must be removed in order for the VSP to start.

Zip file should have the following checksum:

$ shasum -a 256 /tmp/verify-service-provider-3.0.0.zip
6db309bfc34a006ab853cf15fc91df2c533fd6cc58f3bbdbfd8f62a5cf8b0ae4  /tmp/verify-service-provider-3.0.0.zip

Release 2.2.0

View Diff

Update truststores with new CAs

The production truststores now contain the new G3 CAs. The test truststores include the new test G3 CAs as well as the long lived dev-pki CAs.

Allow empty truststore configuration

It's now possible to have an empty truststore section in the config template if the environment is provided. Previously the app would fail to initialise even if valid config was provided with environment set but empty truststore section.

Updated Compliance Tool's URL address

The Compliance Tool has started using the new URL address https://compliance-tool-integration.cloudapps.digital instead of the old URL address https://compliance-tool-reference.ida.digital.cabinet-office.gov.uk. This is to ensure that Verify Service Provider can continue to access the Compliance Tool.

Zip file should have the following checksum:

$ shasum -a 256 /tmp/verify-service-provider-2.2.0.zip
02c35bf6c6bcd985431301ca032e289fb1124020ca2ab7cff9adc6f8460ed4f2  /tmp/verify-service-provider-2.2.0.zip

Release 2.1.0

View Diff

Accept identities from more European countries

The eIDAS specification does not require assertions to be signed, whereas the Verify specification does. This release adds the ability to for the VSP to accept these unsigned assertions in a secure manner.

This is achieved by validating the signature of the original eIDAS SAML Response from the country which is now passed through to the VSP. Signed eIDAS and Verify assertions are still verified as before.

Configuration Changes

• Configuration parameter hubConnectorEntityId in the europeanIdentity section is now optional and can be removed from the configuration file.
• Configuration parameters europeanIdentity and msaMetadata are now mutually exclusive. The VSP's eIDAS support is only available when it operates without an MSA.

Zip file should have the following checksum:

$ shasum -a 256 /tmp/verify-service-provider-2.1.0.zip
826f83fea88f097738cb6bae318ce8767c630e06bd13424f868a4d89f2459a58  /tmp/verify-service-provider-2.1.0.zip

Release 2.0.0

View Diff

Connect to GOV.UK Verify using only the VSP

This release adds the ability to connect to GOV.UK Verify using only the Verify Service Provider (VSP). This means services can connect without needing to host a Matching Service Adapter (MSA). If needed, services can then implement matching independently from their connection to GOV.UK Verify.

Using only the VSP makes it easier to connect to GOV.UK Verify and reduces maintenance tasks once connected.

When used alone, the VSP provides the required MSA functionality. It will:

• implement security features to the same level as the MSA
• handle both GOV.UK Verify and European identities
• do Personal Identifier (PID) hashing

If you are already connected to GOV.UK Verify and are running an MSA, you can upgrade to VSP 2.0.0 without needing to do any configuration changes.

If you want to switch off your Matching Service Adapter and only use the Verify Service Provider to connect to GOV.UK Verify, contact the GOV.UK Verify Team.

Improved command line interface

You can use the VSP's new development command when setting up your own client for the VSP.
Find out more about the development command and its options.

Updated technical documentation

We published updated technical documentation on setting up the VSP.

Follow the step-by-step guides in the 'Get started' section to make sure your service correctly uses the VSP to handle:

• successful verification responses
• possible failure scenarios

If your service needs to match user information from GOV.UK Verify with data you already hold, there is guidance on what you should consider when setting up matching.

Metadata health check changes

Changed metadata health check names to use the URI of the metadata they are trying to resolve. For example, the healthcheck title that used to be hubMetadata is now https://signin.service.gov.uk. If you are using a Matching Service Adapter, the healthcheck title msaMetadata becomes your metadata URI, for example https://msa.govservice.internal.

Dropwizard version

This release uses Dropwizard 1.3.9.

Zip file should have the following checksum:

$ shasum -a 256 /tmp/verify-service-provider-2.0.0.zip
9c4e10fb28de1a8422824b8f5900ca7c763025e1ead81a27d8dc67d7fefa7717  /tmp/verify-service-provider-2.0.0.zip

Release 1.0.0

View Diff

• Change trust store configuration schema to match MSA
• Make the banner that prints on startup less wide

Configuration Changes:

• If using a custom file-based trust store configuration, replace:

- trustStorePath: /path/to/file
- trustStorePassword: foobar

+ trustStore:
+   path: /path/to/file
+   password: foobar

Zip file should have the following checksum:

$ shasum -a 256 verify-service-provider-1.0.0.zip
5b25ed27423b2afe1414ae43c8bc58769e7060efeae114826f67d038b632fafe  verify-service-provider-1.0.0.zip

Release 0.4.0

• Add support for the Address History user account creation attribute
• Add ENVIRONMENT configuration option to replace hubSsoLocation and metadataUrl.
• Send version number to hub
• Support multitenancy
• Improve documentation
• Improve healthcheck logging

Configuration Changes:

When using environment variables:

• Replace SERVICE_ENTITY_ID with SERVICE_ENTITY_IDS, which is a JSON string array containing the entity id of the service (or services) using the Verify Service Provider (e.g. '["http://entity-id"]')
• Remove HUB_METADATA_URL and HUB_SSO_LOCATION
• Add VERIFY_ENVIRONMENT, specifying the environment of the Verify Hub to run against. Valid values are PRODUCTION, INTEGRATION, or COMPLIANCE_TOOL.

When using a yaml file:

• Replace serviceEntityId with serviceEntityIds, which is a list containing the entity id (or ids) as above
• Remove hubSsoLocation and verifyHubMetadata
• Add verifyHubConfiguration as below. This will contain an environment option specifying which hub environment to use, removing the need to specify the hubSsoLocation or metadata url.

verifyHubConfiguration:
  environment: \\ PRODUCTION, INTEGRATION or COMPLIANCE_TOOL

Zip file should have the following checksum:

$ shasum -a 256 verify-service-provider-0.4.0.zip
46e423bd67c4f411a9b700a2e7b4a5949f8f9c5559a45b47f439f56abe7a9d5b  verify-service-provider-0.4.0.zip

Release 0.3.0

Fixes a bug with expected names and date formats in user account creation attributes.

Zip file should have the following checksum:

```
$ shasum -a 256 verify-service-provider-0.3.0-77.zip
ac0463a4315861e613e2ffdd2cf663544d3e19776d9309bc7378430dbf5df15b  verify-service-provider-0.3.0-77.zip
```