UAA 3.10.0 Release
Major Features
External User Claims via UserInfo Endpoint
This feature enables User Attributes (including custom attributes) and Group Memberships from LDAP, SAML and OpenID Connect providers to be exposed via the UserInfo endpoint of UAA, in addition to propagating them via the OpenID Connect id_token. This is an optional feature per external identity provider and is turned on by setting the config.storeCustomAttributes flag in the Identity Provider JSON. The access token must carry the user_attributes and/or roles scopes to retrieve the custom attributes and the roles, respectively, from the /userinfo endpoint.
- Ability to retrieve the custom user attributes from the OpenID Connect userinfo endpoint - External OIDC
- Ability to retrieve the roles from the OpenID Connect userinfo endpoint - All Providers
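As an added illustration (not taken from the release notes), an OIDC identity-provider definition with the flag set. The storeCustomAttributes flag is the one described above; the surrounding fields (attributeMappings, externalGroupsWhitelist and the relying-party settings) are taken from the UAA identity-provider API, and the origin key, URLs, client id and secret are placeholders:

```json
{
  "type": "oidc1.0",
  "originKey": "example-oidc",
  "name": "Example OIDC provider",
  "active": true,
  "config": {
    "discoveryUrl": "https://idp.example.com/.well-known/openid-configuration",
    "relyingPartyId": "REPLACE_WITH_CLIENT_ID",
    "relyingPartySecret": "REPLACE_WITH_CLIENT_SECRET",
    "scopes": ["openid", "profile"],
    "showLinkText": true,
    "linkText": "Log in with Example IdP",
    "storeCustomAttributes": true,
    "attributeMappings": {
      "user.attribute.department": "department",
      "external_groups": "groups"
    },
    "externalGroupsWhitelist": ["admins", "developers"]
  }
}
```

With this definition the mapped department attribute is returned under user_attributes and the whitelisted groups under roles, but only to callers whose token carries the corresponding scope.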
Force User Password Change for UAA Internal Users
This feature allows the administrator to force all users to change their password at next login time. This can be enforced on an individual user basis. This feature is multi-tenant and can be enabled per Identity Zone.
- Add support for User Force Password Change at next login
- Provide ability to force password change for all users in the system
- Update the Login UI to honor Force Password Change
SAML Bearer Token support
This feature enables SAML assertions to be exchanged for access tokens. This feature has been contributed by SAP. The documentation can be found here.
SQL Server Support
In addition to PostgreSQL and MySQL, UAA now supports SQL Server as a backend. This feature has been contributed by Microsoft.
Breaking Changes
With this release we have redacted the SAML Service Provider Key and OAuth Token Signing Keys from the Identity Zone GET API response. The POST and PUT APIs' functionality stays intact in terms of allowing Zone Administrators to create and update SAML and OAuth Token Keys as part of the Identity Zone configuration. Please refer to the API docs for more details.
Minor Features
- Expose last_logon_time as a SCIM user property
- Track Last Log-On Time for Fed Customers Compliance
- Support multiple token keys for external OAuth/OIDC IDP
- Support wildcards or matching expressions in the Group Whitelist when importing groups from an external identity provider
- Add Discovery Support for Relying Party OIDC Configuration
- Increase one-time code length for SSH code to ensure more entropy
- Use standard JWA algorithm names in /token_key(s)
- Provide the ability to associate a resource owner for any client created in UAA
- .well-known/openid-configuration should list newly supported scopes
- Fixed UAA_CONFIG_FILE property
- Enable the logout redirect feature by default or provide a way to add your URL to the redirect URL whitelist
- Audit events should log minimal data
- Perform code validation after password reset - invitation flow
- Perform code validation after password validation
Bug Fixes
- SAML initialization is not complete until /saml/metadata has been accessed
- UAA still not sending stack traces to syslog correctly
- OIDC Signature verification is skipped if token keys cannot be downloaded
- UAA is allowing users to be created with an empty password, but they cannot log in
- ResetPassword email missing username/email
- 500 errors when there are no intersecting scopes
- PUT on /identity-providers/{id} returns an internal server error when called with an incorrect payload (e.g. missing config)
- userid should not be passed as part of the custom_attributes JSON
- UAA is still using the users.authorities column