v53 - UAA 4.8.0

Do not use

This release introduces a performance issue related to concurrent requests timing out that is resolved in v53.1

Stories included in release

Features

• Minor library refresh
  • aspectJVersion = '1.8.12'
  • bcpkixVersion = '1.58'
  • bcprovVersion = '1.58'
  • cglibVersion = '3.2.5'
  • flywayVersion = '4.2.0'
  • jacksonVersion = '2.9.2'
  • jsonPathVersion = '2.4.0'
  • mariaDBClientVersion = '2.2.0'
  • scimSDKVersion = '1.8.18'
  • slf4jVersion = '1.7.25'
  • springVersion = '4.3.12.RELEASE'
  • springRetryVersion = '1.2.1.RELEASE'
• MySQL and DB Timeouts
• Skip SSL Validation on Identity Provider configurations should also skip SSL Hostname verification
• Provide Skip SSL validation for SSL/TLS DB configuration for developers in UAA YAML and UAA release
• CI tests for UAA DB TLS?
• Don't let bcrypt hog all cpu
• cloudfoundry/uaa #714: use isBlank form apache instead of isEmpty for hsqldb
• Emit Audit Event for Token Revocation
• [cfid-4999] cloudfoundry/uaa #320: Setting UAA session timeout (backend) in config
• Send static claim assertions configured for SAML SP Providers as part of SAML assertions
• Allow operators to configure static claim assertions for SAML SP Provider configs
• Allow token revocation by providing UserID and ClientID
• Cross pair with sec-enablement on BPM
• [oss uaa-release] Low default ulimit on stemcell

Backup and Restore

• bbr_uaadb must work without links
• BBR restore should sleep 40 seconds
• Don't hard code "wait for route registrar" value

Metrics

• Measuring UAA Latency server-side
• Measuring UAA throughput server-side
• By default do not send metrics on every request

MFA (Currently still work-in progress)

• Get /mfa-providers
• Update of the MFA Provider - Google Authenticator
• Delete MFA provider
• Allow enabling/disabling MFA Provider - Google Authenticator on an Identity Zone
• Bootstrap MFA Providers through uaa.yml and uaa-release spec
• Prompt user MFA registration when MFA provider is enabled on an Identity Zone
• Update design for MFA verification page
• MFA login should honor original login landing page and application redirects
• Redesign MFA setup/registration page based upon design feedback
• Use issuer for Google Authenticator display
• Alphanumeric nature of MFA Provider name
• Don't allow update of MFA providers for Google Authenticator
• Remove MFA Provider "active" property
• MFA Provider names are unique
• Active MFA is configured by name
• Support /mfa-providers for uaa.admin on a user within the zone
• Create /mfa-provider - JSON vs. HTML errors - MFA-Provider
• TOTP mfa flow should not rely on Google APIs to generate QR code
• Error message shows incorrectly on MFA verify screen
• Clean up MFA provider registrations tied to user when MFA provider is deleted
• Fix documentation showing wrong scopes for MFA
• MFA overview description for API docs

Bug Fixes

• Updating zone fails without specifying zone id in the body
• BPM prevents self-signed certificates from being added to Java Keystore

Documentation Updates

• cloudfoundry/uaa #705: API docs for Asymetric /token_key mismatch between doc and example
• Document Issuer as a value that can be configured in all values set UAA.yml and uaa-release spec
• Document how the bcrypt concurrency limiter works
• Remove the mention from Admin API endpoints for zones.zoneid.admin being a scope they could have for a non-admin user within the zone
• Update UAA API docs for Revoke all tokens for a user and client combination
• API Documentation improvements