UAA Release Notes 4.9.0
Stories included in release
Breaking Changes
Manage Identity Providers via API for UAA Default Zone
UAA now allows operators to manage identity providers via APIs for the default system identity zone, which changes how UAA manifest values for identity providers behave. Previously, even though operators were able to create and update identity providers using UAA's API, UAA would disable any changes made through the API on restart.
- Do not disable UAA identity providers that are not in the UAA manifest for the default zone on restarts
- Operators should be able to specify that a UAA identity provider in the manifest is a source of truth for the default zone
- Operators should be able to delete identity providers using the manifest as part of managing UAA identity providers via APIs for default zone
As a result, identity providers removed from the manifest must now also be explicitly deleted via manifest configuration (delete.identityProviders) or disabled/deleted via the UAA APIs.
- For SAML and OIDC identity providers, the delete.identityProviders key has been added to allow deletion of these identity providers from the manifest using the origin key.
- For LDAP, the identity provider should only be disabled.
In addition, SAML, OIDC, and LDAP providers now have an override flag that defaults to true, which specifies that the manifest properties should overwrite any changes made via API. This value can be set to false to allow API updates of your existing manifest identity providers.
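As an added illustration of the manifest semantics described above (this fragment is not part of the original release notes), a uaa.yml excerpt for the default zone: the `login.saml.providers` and `login.oauth.providers` sections follow UAA's manifest layout, the provider names `partner-saml`, `legacy-oidc` and `old-saml` and all URLs are placeholders, and the placement of `override` and `delete.identityProviders` is assumed from the description above.

```yaml
# Added example, not from the release notes. Provider names and URLs are placeholders.
login:
  saml:
    providers:
      partner-saml:
        idpMetadata: https://idp.example.com/metadata        # placeholder
        nameID: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
        showSamlLoginLink: true
        linkText: Partner SSO
        # override defaults to true: on every restart these manifest values
        # replace whatever an operator changed through the identity-provider API,
        # so the manifest stays the source of truth for this provider.
        override: true
  oauth:
    providers:
      legacy-oidc:
        type: oidc1.0
        discoveryUrl: https://login.example.com/.well-known/openid-configuration  # placeholder
        relyingPartyId: uaa-client            # placeholder
        relyingPartySecret: ((oidc-client-secret))  # placeholder; keep secrets out of the manifest
        scopes: [openid]
        # override: false lets API edits to this provider (e.g. a rotated
        # relyingPartySecret or new attribute mappings) survive restarts
        # instead of being reverted to the values below.
        override: false

# Since 4.9.0, simply removing a provider block from the manifest no longer
# disables it on restart. To remove a SAML or OIDC provider, list its origin
# key here (or disable/delete it via the UAA API). LDAP is deliberately not
# listed: the notes say an LDAP provider should only be disabled, not deleted.
delete:
  identityProviders:
    - old-saml   # origin key of a provider block that has been removed above
```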
Features
Multifactor Authentication (Available for Preview Use)
- Allow enabling/disabling MFA Provider - Google Authenticator on system zone via uaa.yml and uaa-release spec
- Allow user to register MFA manually for Google Authenticator
- Update design for MFA verification page
- Redesign MFA setup/registration page based upon design feedback
- Allow administrator to unregister MFA for a user via API
- Remove non-configurable options and use defaults for Google Authenticator
- Enable MFA on LDAP Chained Authentication
- /change_email & /change_password endpoints should not use a separate security filter
- Force Password Change should happen after MFA login passes
- Refactor force password change to be an authorization step
- Remove autologin flow for verify flow
- Remove autologin flow for reset password
- Remove autologin flow for invite users
- Remove autologin for verify_email after changing email flow
- Disable autologin endpoint for basic auth when MFA is enabled
- Only generate UserAuthenticationSuccess Event when user authenticates successfully for both Password and MFA when MFA is enabled
- PasswordVerificationSuccess event on successful password authentication
- PasswordVerificationFailure event on failed password authentication
- PasswordAuthenticationSuccessEvent rename documentation
- MFAVerificationSuccess event when MFA passes
- MFAVerificationFailure event when MFA fails
Misc.
- UAA to send session_state for ID Token authentication response according to the standard
- Disable LowConcurrencyPasswordEncoder and create a v53.1 release
- CI tests for UAA DB TLS?
- cloudfoundry/uaa #716: UAA check_token is not working with spring-security-oauth2 since 2.1.0.RELEASE
- Add logging to SAML group mapping - currently none
- cloudfoundry/uaa #759: Remove token values from Exceptions
- cloudfoundry/uaa #736: add lower index for postgresql only, because there the select is done
- cloudfoundry/uaa #729: Fix type for claim az_attr
Bug Fixes
- _ should be allowed in the redirect uri for OAuth clients
- cloudfoundry/uaa #762: Concurrency issue in time based expiration map
- change password behavior is broken
- Silent authentication should honor ant pattern matching
- Refactored MFA filters do not properly implement security handling for SAML when UAA is the identity provider
- QR code should not change when navigating Back
- Fix token/list documentation
- MFA enabled does not publish authentication success audit event