4.6.0
Do-Not-Use
This release introduces a memory leak that has been addressed in 4.6.1
Breaking Changes
The default mapping for deriving the username from an external OIDC provider has been switched from preferred_username to sub to comply with the OpenID Connect spec. If you have an explicit mapping in place for username, you are not affected. However, if you are relying on the default, the change will lead to the creation of a new external user (aka shadow user in UAA) because the derived username no longer matches the existing account.
The best approach is to create an explicit mapping for username and perform a one-time database change on each external OIDC account in UAA to update it to the right username.
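As an added illustration (not part of the release notes), this uaa.yml fragment pins the username mapping explicitly so that the 4.6.0 default change does not cause duplicate shadow users; the provider alias, URLs and client credentials are placeholders:

```yaml
# Added example, not from the UAA project: explicit OIDC attribute mapping in uaa.yml.
# Alias, discoveryUrl and relying-party credentials are placeholders.
login:
  oauth:
    providers:
      example-oidc:                      # assumed provider alias
        type: oidc1.0
        discoveryUrl: https://idp.example.com/.well-known/openid-configuration
        relyingPartyId: CLIENT_ID_PLACEHOLDER
        relyingPartySecret: CLIENT_SECRET_PLACEHOLDER
        scopes:
          - openid
          - profile
          - email
        addShadowUserOnLogin: true
        attributeMappings:
          # Keep the pre-4.6.0 behaviour: derive the UAA username from
          # preferred_username rather than the new default claim, sub.
          user_name: preferred_username
          given_name: given_name
          family_name: family_name
          email: email
```

With user_name set explicitly, existing shadow users continue to match on login; accounts created while the new default was in effect still need the one-time username correction described above.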
Features
UAA as a SAML IDP Enhancements
- Support IdP-initiated SAML Federation when UAA is the IdP
- Allow sending additional assertions for user attributes when UAA is the IdP
- Allow configuring attribute mappings on SP configurations through APIs for user attributes to be sent in SAML assertions when UAA is the IdP
Facebook as an Identity Provider
Dockerized UAA
Client Secret Policy
UAA Login Page Branding - Configurable Banner Image & Text
- Allow configuring message of the day banner configurations through uaa.yml for system zone
- Allow configuring message of the day banner configurations through uaa-release spec for system zone
- Allow configuring message of the day banner configurations through UAA APIs for identity zones
- Fix banner logo image to scale for mobile
- Show message of the day banner on top of login page
Other Miscellaneous Features
- Allow the IDP Discovery page to take input as a username
- Display username instead of email when user is resetting their password
- Downloaded metadata files should be correctly named
- User/Client with uaa.admin scope should be allowed to manage zones
- Create performance indicator scale based on available metrics from statsd
- Remove "group roles" - they are not used
- Ability to specify multiple SAML Keys with an active key id
- Update UAA API Reference Document with fixes including upgrading Slate and Deploy Latest to Cloud Foundry
- [cfid-4825] Add support to cache token keys
- Misleading parameter name metaDataLocation for IDP
- Stop logging configuration error
- Fix FacebookLoginIT on Travis
- Remove Skip Discovery Link
PRs
- cloudfoundry/uaa #656: Add support for HTTP Redirect binding for UAA as SAML IDP
- cloudfoundry/uaa #663: Fix: Remove the SAML Artifact Binding Support for all saml profiles
- cloudfoundry/uaa #676: Add form_redirect_uri to login page during reload
- cloudfoundry/uaa #603: Fix/multiple instance startup
- cloudfoundry/uaa #638: fix groups updates to only modify changed members
- cloudfoundry/uaa #581: Use entityID from zone configuration
- cloudfoundry/uaa #529: Fix circular view path errors on login
- cloudfoundry/uaa #598: Adding oidc idp non-custom attribute mapping (e.g. given name, email)
- cloudfoundry/uaa #662: OIDC token endpoint needs to support client authorization in either POST body or Basic auth
- cloudfoundry/uaa #674: Pass user object as parameter for refresh token
- cloudfoundry/uaa #669: ScimUserBootstrap: Selective Update on Groups
- cloudfoundry/uaa #658: update jackson
- cloudfoundry/uaa #594: Switch reset password flow to use username instead of email as username
- cloudfoundry/uaa #672: Fix OIDC well-known endpoint to be in compliance with spec
- cloudfoundry/uaa #633: RelayState with IDP initiated SSO not supported
- cloudfoundry/uaa #644: Reload login when CSRF token expires
- cloudfoundry/uaa #585: Unable to map external group from uaa.yml if external group contains a space character
- cloudfoundry/uaa #664: Missing index on table group_membership for postgres (2)
- cloudfoundry/uaa #647: Missing index on table group_membership for postgres
- cloudfoundry/uaa #612: Fix/error page branding
- cloudfoundry/uaa #655: BUG: unsynchronized usage of static SimpleDateFormat in JsonDateDeserializer
- cloudfoundry/uaa #654: [question] ZONE_SWITCH_SCOPES do not include idps.write, sps.read, sps.write (similar of UAA_SCOPES)