
What's new in Gluu Server v4

Version 4.2

OpenID Connect FAPI Certification

Financial-grade APIs are REST APIs that provide JSON data representing sensitive data. These APIs are protected by the OAuth 2.0 Authorization Framework. Starting in Version 4.2, the Gluu Server supports FAPI and has been certified by OpenID. See more information in the docs and the spec.

Client Initiated Backchannel Authentication

The Gluu Server now supports CIBA. OpenID Connect Client Initiated Backchannel Authentication Flow is an authentication flow like OpenID Connect. However, unlike OpenID Connect, there is direct Relying Party to OpenID Provider communication without redirects through the user's browser. CIBA enables a Client to initiate the authentication of an end-user by means of out-of-band mechanisms. For more information, check the docs and the spec.

Support for OpenID Back-Channel Logout

The Gluu Server now supports back-channel logout, using direct back-channel communication between the OP and the RPs being logged out, without requiring input from the User Agent. See the docs and spec.
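As an added example (not Gluu code), the checks an RP should run on a logout token it receives over the back channel, following the logout token validation rules of the OpenID Back-Channel Logout spec. HS256 with a constructed shared secret stands in for the RS256/JWKS verification a real deployment would use; the issuer, client id and secret are assumed values.

```python
import base64, hashlib, hmac, json, time

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Constructed helper so the example runs offline: sign claims with HS256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def validate_logout_token(token, secret, issuer, client_id, now=None):
    """Return (ok, reason). Rejects anything that fails a spec rule; HS256 is an assumption."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    h, b, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # pin the alg; never accept "none"
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    c = json.loads(_b64url_decode(b))
    if c.get("iss") != issuer:
        return False, "wrong issuer"
    aud = c.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        return False, "wrong audience"
    if not isinstance(c.get("iat"), (int, float)) or c["iat"] > now + 60:
        return False, "iat missing or in the future"
    if not c.get("jti"):
        return False, "jti missing (needed for replay detection)"
    if BACKCHANNEL_LOGOUT_EVENT not in (c.get("events") or {}):
        return False, "backchannel-logout event missing"
    if "sub" not in c and "sid" not in c:
        return False, "neither sub nor sid present"
    if "nonce" in c:  # a logout token must not carry a nonce, so it cannot pass as an ID token
        return False, "nonce must not be present"
    return True, "ok"
```

Once the token validates, the RP should record the jti to detect replays and clear every local session matching the sid (or all sessions for the sub when no sid is given).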

New Interception Scripts

In 4.2, we've introduced new interception scripts for Post-Authentication Authorization (more details), UMA2 RPT claims (more details), and application session management (more details).

Deployment Changes

SCIM is now a separate component in the Gluu Server

Starting in Version 4.2, SCIM has been separated into its own Gluu Server component. Installation is now optional when setting up a new server. See the docs for more information.

Jackrabbit Support for Kubernetes Deployments

The Kubernetes deployment of the Gluu Server 4.2 now includes support for the Jackrabbit Java Content Repository for persistence of oxAuth custom files, oxShibboleth IDP files, Casa and oxTrust custom files. This is most useful in larger deployments. See the docs for more information.

FIDO U2F and FIDO 2 Security Key Consolidation

The FIDO2 Interception Script now handles both U2F and FIDO2 keys using a separate component in the Gluu Server. The U2F script is still available, but will be deprecated in future versions. See the docs for more information.

Non-Backwards-Compatible Changes

New JSON Properties

The following properties were implemented in 4.2 to help upgrading customers maintain past behavior:

| New Behavior | Issue Number | JSON Property |
|---|---|---|
| response_type and grant type are no longer added to client by default | #1252 | clientRegDefaultToCodeFlowWithRefresh |
| client_secret is no longer returned on client read | #1053 | returnClientSecretOnRead |
| The offline_access scope is now required to use the refresh_token grant type | #1172 | forceOfflineAccessScopeToEnableRefreshToken |
| The Authorization endpoint no longer uses session_id by default | #1195 | sessionIdRequestParameterEnabled |
| The reason field is no longer returned in error responses by default | #1344 | errorReasonEnable |

Version 4.1

OIDC client creation improvements

In version 4.1, we fixed several issues with OpenID Connect clients that were causing early expiration and errors with attributes.

Shibboleth IDP cache support

Shibboleth IDP user sessions are now cached similarly to other services, allowing them to survive server restarts and be more easily replicated in a clustered environment. See more details in the IDP documentation

Casa and oxd added to installation script

For convenience, Casa and oxd can now be installed with the standard Community Edition setup script! See all the options in the setup script documentation.

Minor bug fixes and feature improvements

A variety of bug fixes and UX improvements are included with the latest release. See our complete release notes.

Version 4.0

Persistence redesign

In 4.0, the Gluu Server persistence layer is more modular. Previously LDAP was tightly bundled. Now, any persistence mechanism can be supported with a jar file that implements the base Persistence API. The desired mechanism can then be specified in gluu.properties. Learn more.

Support for Couchbase

Couchbase Enterprise Edition (EE) is now supported as a persistence mechanism, enabling hyper-scalable authentication and authorization. Learn more.

Extensive Passport redesign

New UI's in 4.0 enable simpler configuration of inbound identity workflows and improved support for external OpenID Connect Providers ("inbound OpenID"). Read the docs.

No version numbers in packages

Previously, the version number was included in the Gluu Server package, e.g. gluu-server-3.1.6. Starting in 4.0, the latest stable Gluu Server package name is simply gluu-server. This simplifies version upgrades, server operations, and improves interoperability between Gluu products.

More SAML IDP features

NameIDs can now be configured inside oxTrust, and SAML ACRS parameters are now supported, which, when used in conjunction with force authentication, enables stepped-up authentication for SAML SPs.

Support for RADIUS authentication

The Gluu Server now supports two options for RADIUS authentication to enable SSO and 2FA to non-web applications like SSH, VPN, and Wi-Fi:

  • Gluu RADIUS: a free, single-threaded RADIUS implementation based on the TinyRADIUS server; and...

  • Radiator: a robust, commercial AAA server built for ISPs and carriers.

Improved clean up service

Introduced in CE 3.1.6, cleanService is now more configurable. This service periodically removes unused and expired cache and session-related database entries to improve server performance. Read the docs.

Updated libraries and components

4.0 includes the latest version of Shibboleth, updated Java libraries and Jetty, and Oracle JDK has been replaced with Amazon Corretto, an open source, production-ready distribution of OpenJDK.

Minor bug fixes and feature improvements

A variety of bug fixes and UX improvements are included with the latest release. See our complete release notes.