v50 - UAA 4.6.0

Do not use

This release introduces a memory leak that has been addressed in UAA Release 51

Stories included in release

Breaking Changes

cloudfoundry/uaa #657: [OIDC] XOAuthAuthenticationManager username/external_id handling violates OIDC spec

The default mapping for deriving username from external OIDC has been switched from preferred_username to sub to maintain compliance with the spec. If you have an explicit mapping in place for username, you are not affected. However, if you are relying on the default, it will lead to creation of a new external user (aka shadow user in UAA).

The best approach is to create an explicit mapping for username and perform a one time database change on each external OIDC account in UAA to update to the right username

Spec Additions

 uaa.client.secret.policy:
   description: "The client secret policy for clients in the default zone."
   example:
     uaa:
       client:
         secret:
           policy:
             minLength: 0
             maxLength: 255
             requireUpperCaseCharacter: 0
             requireLowerCaseCharacter: 0
             requireDigit: 0
             requireSpecialCharacter: 

login.branding.banner.logo:
    description: This is a base64 encoded PNG image which will be used as the banner on the UAA discovery login page
  login.branding.banner.text:
    description: This is text that will be used in the banner area on the UAA discovery login page if no banner logo is configured
  login.branding.banner.textColor:
    description: This is the color to be used for banner text if banner text is defined to be used on the UAA discovery login page
  login.branding.banner.backgroundColor:
    description: This is the color to be used for the background of the banner area on the UAA discovery login page
  login.branding.banner.link:
    description: This is the link to be used for the banner logo or banner text on the UAA discovery login page
  login.asset_base_url:
    description: "Deprecated in favor of branding properties. Base url for static assets, allows custom styling of the login server.  Use '/resources/pivotal' for Pivotal style."
    default: /resources/oss

Features

UAA as a SAML IDP Enhancements

• Support IdP-initiated SAML Federation when UAA is the IdP
• Allow sending additional assertions for user attributes when UAA is the IdP
• Allow configuring attribute mappings on SP configurations through APIs for user attributes to be sent in SAML assertions when UAA is the IdP

Facebook as an Identity Provider

• cloudfoundry/uaa #630: Initial support for Facebook external IdP using signed_request (develop)

Dockerized UAA

• cloudfoundry/uaa #673: Feature/dockerize uaa

Client Secret Policy

• cloudfoundry/uaa #534: Feature/client secret policy

UAA Login Page Branding - Configurable Banner Image & Text

• Allow configuring message of the day banner configurations through uaa.yml for system zone
• Allow configuring message of the day banner configurations through uaa-release spec for system zone
• Allow configuring message of the day banner configurations through UAA APIs for identity zones
• Fix banner logo image to scale for mobile
• Show message of the day banner on top of login page

Other Miscellaneous Features

• Allow the IDP Discovery page to take input as a username
• Display username instead of email when user is resetting their password
• download metadata should have correctly named files
• User/Client with uaa.admin scope should be allowed to manage zones
• Create performance indicator scale based on available metrics from statsd
• Remove "group roles" - they are not used
• Ability to specify multiple SAML Keys with an active key id
• Update UAA API Reference Document with fixes including upgrading Slate and Deploy Latest to Cloud Foundry
• [cfid-4825] Add support to cache token keys
• Misleading parameter name metaDataLocation for IDP
• Stop logging configuration error
• Fix FacebookLoginIT on Travis
• Remove Skip Discovery Link

PRs

• cloudfoundry/uaa #656: Add support for HTTP Redirect binding for UAA as SAML IDP
• cloudfoundry/uaa #663: Fix: Remove the SAML Artifact Binding Support for all saml profiles
• cloudfoundry/uaa #676: Add form_redirect_uri to login page during reload
• cloudfoundry/uaa #603: Fix/multiple instance startup
• cloudfoundry/uaa #638: fix groups updates to only modify changed members
• cloudfoundry/uaa #581: Use entityID from zone configuration
• cloudfoundry/uaa #529: Fix circular view path errors on login
• cloudfoundry/uaa #598: Adding oidc idp non-custom attribute mapping (e.g. given name, email)
• cloudfoundry/uaa #662: OIDC token endpoint needs to support client authorization in either POST body or Basic auth
• cloudfoundry/uaa #674: Pass user object as parameter for refresh token
• cloudfoundry/uaa #669: ScimUserBootstrap: Selective Update on Groups
• cloudfoundry/uaa #658: update jackson
• cloudfoundry/uaa #594: Switch reset password flow to use username instead of email as username
• cloudfoundry/uaa #672: Fix OIDC well-known endpoint to be in compliance with spec
• cloudfoundry/uaa #633: RelayState with IDP initiated SSO not supported
• cloudfoundry/uaa #644: Reload login when CSRF token expires
• cloudfoundry/uaa #585: Unable to map external group from uaa.yml if external group contains a space character
• cloudfoundry/uaa #664: Missing index on table group_membership for postgres (2)
• cloudfoundry/uaa #647: Missing index on table group_membership for postgres
• cloudfoundry/uaa #612: Fix/error page branding
• cloudfoundry/uaa #655: BUG: unsychronized usage of static SimpleDateFormat in JsonDateDeserializer
• cloudfoundry/uaa #654: [question] ZONE_SWITCH_SCOPES do not include idps.write, sps.read, sps.write (similar of UAA_SCOPES)

Bug Fixes

• cloudfoundry/uaa #605: Invalid Saved Account Cookie (including bad json) causes uaa to throw 500
• External Group Mapping for OIDC is not working
• PUT /Users let's the request through