UAA Release Notes 4.8.0

Do not use

This release introduces a performance issue related to concurrent requests timing out that is resolved in 4.8.1

Stories included in release

Features

• Minor library refresh

  • aspectJVersion = '1.8.12'
  • bcpkixVersion = '1.58'
  • bcprovVersion = '1.58'
  • cglibVersion = '3.2.5'
  • flywayVersion = '4.2.0'
  • jacksonVersion = '2.9.2'
  • jsonPathVersion = '2.4.0'
  • mariaDBClientVersion = '2.2.0'
  • scimSDKVersion = '1.8.18'
  • slf4jVersion = '1.7.25'
  • springVersion = '4.3.12.RELEASE'
  • springRetryVersion = '1.2.1.RELEASE'

• MySQL and DB Timeouts

• Skip SSL Validation on Identity Provider configurations should also skip SSL Hostname verification

• Don't let bcrypt hog all cpu

• cloudfoundry/uaa #714: use isBlank form apache instead of isEmpty for hsqldb

• Emit Audit Event for Token Revocation

• [cfid-4999] cloudfoundry/uaa #320: Setting UAA session timeout (backend) in config

• Send static claim assertions configured for SAML SP Providers as part of SAML assertions

• Allow operators to configure static claim assertions for SAML SP Provider configs

• Allow token revocation by providing UserID and ClientID

• Cross pair with sec-enablement on BPM

Backup and Restore

• Don't hard code "wait for route registrar" value

Metrics

• Measuring UAA Latency server-side
• Measuring UAA throughput server-side
• By default do not send metrics on every request

MFA (Currently still work-in progress)

• Get /mfa-providers
• Update of the MFA Provider - Google Authenticator
• Delete MFA provider
• Allow enabling/disabling MFA Provider - Google Authenticator on an Identity Zone
• Bootstrap MFA Providers through uaa.yml and uaa-release spec
• Prompt user MFA registration when MFA provider is enabled on an Identity Zone
• Update design for MFA verification page
• MFA login should honor original login landing page and application redirects
• Redesign MFA setup/registration page based upon design feedback
• Use issuer for Google Authenticator display
• Alphanumeric nature of MFA Provider name
• Don't allow update of MFA providers for Google Authenticator
• Remove MFA Provider "active" property
• MFA Provider names are unique
• Active MFA is configured by name
• Support /mfa-providers for uaa.admin on a user within the zone
• Create /mfa-provider - JSON vs. HTML errors - MFA-Provider
• TOTP mfa flow should not rely on Google APIs to generate QR code
• Error message shows incorrectly on MFA verify screen
• Clean up MFA provider registrations tied to user when MFA provider is deleted
• Fix documentation showing wrong scopes for MFA
• MFA overview description for API docs

Bug Fixes

• Updating zone fails without specifying zone id in the body

Documentation Updates

• cloudfoundry/uaa #705: API docs for Asymetric /token_key mismatch between doc and example
• Document Issuer as a value that can be configured in all values set UAA.yml and uaa-release spec
• Document how the bcrypt concurrency limiter works
• Remove the mention from Admin API endpoints for zones.zoneid.admin being a scope they could have for a non-admin user within the zone
• Update UAA API docs for Revoke all tokens for a user and client combination
• API Documentation improvements