
Release Notes

Notice

This document, also known as the Gluu Release Note, relates to the Gluu Server Release versioned 4.0. The work is licensed under “The MIT License” allowing the use, copy, modify, merge, publish, distribute, sub-license and sale without limitation and liability. This document extends only to the aforementioned release version in the heading.

UNLESS IT HAS BEEN EXPRESSLY AGREED UPON BY ANY WRITTEN AGREEMENT BEFOREHAND, THE WORK/RELEASE IS PROVIDED “AS IS”, WITHOUT ANY WARRANTY OR GUARANTEE OF ANY KIND EXPRESS OR IMPLIED. UNDER NO CIRCUMSTANCE, THE AUTHOR, OR GLUU SHALL BE LIABLE FOR ANY CLAIMS OR DAMAGES CAUSED DIRECTLY OR INDIRECTLY TO ANY PROPERTY OR LIFE WHILE INSTALLING OR USING THE RELEASE.

Purpose

This document is released with Version 4.0 of the Gluu Software. Its purpose is to list the changes made and the new features included in this release. The list is not exhaustive and some negligible issues may be omitted, but the noteworthy features, enhancements and fixes are covered.

Background

The Gluu Server is a free open source identity and access management (IAM) platform. The Gluu Server is a container distribution composed of software written by Gluu and incorporated from other open source projects.

The most common use cases for the Gluu Server include single sign-on (SSO), mobile authentication, API access management, two-factor authentication, customer identity and access management (CIAM) and identity federation.

Documentation

Please visit the Gluu Documentation Page for the complete documentation and administrative guide.

Available components in Gluu Server 4.0

  • oxAuth, oxTrust, oxCore v4.0
  • Gluu OpenDJ v3.0.1
  • Shibboleth v3.4.4
  • Passport v4.0
  • Java v1.8.0_112
  • Node.js v9.9.0
  • Jetty-distribution-9.4.12.v20180830
  • Jython v2.7.2a
  • Weld 3.0.0
  • FluentD 3.5
  • Redis

New features

Fixes / Enhancements

GluuFederation/oxTrust

  • #1860 Prefill issuer field in passport provider form

  • #1858 Some extra attributes are not imported when importing users via oxTrust

  • #1854 Display simple_password_auth if LDAP authentication configuration is not enabled

  • #1841 Federation TR gets broken if oxTrust tries to parse invalid metadata file

  • #1837 Regular SAML TRs are treated as federation TRs by web UI

  • #1828 Boolean and numeric values inserted as string in user profile

  • #1795 Add custom property to user registration script for post-registration redirect URI

  • #1794 Remove validation for any info from identity registration page

  • #1735 Support for urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

  • #1732 During user import if user status is not set, the default should be set to Inactive

  • #1731 Support for nameIDFormatPrecedence Setting in TR Config (extension of #1723)

  • #1727 Read IDP *.vm templates from war

  • #1726 Add Support to Edit Supported ACRs via GUI (for TR)

  • #1723 Support for Default NameID Setting in TR Config

  • #1722 Support for Default ACR (AuthnContextClassRef) Setting in TR Config

  • #1721 IDP configuration generation part produces empty files

  • #1712 Logo and favicon customization in oxTrust

  • #1707 Remove Name field from nameid screen

  • #1688 Support additional OIDC params in idp-initiated passport form

  • #1687 Prompt for confirmation before deleting auth method from user profile

  • #1671 Unified and externalize logo and favicon

  • #1670 Fix scim filter grammar defect

  • #1664 SAML NameID Updates - should be applied without idp and identity services restart (when on same host & non cluster/container mode)

  • #1655 Remove usage of codehaus serialization in SCIM and associated resteasy provider

  • #1654 Display FIDO2 credentials in users profile form

  • #1651 Gluu Server SAML NameID enhancement

  • #1639 Review and fix breadcrumb in all pages

  • #1638 Synchronized selected page with selected menu

  • #1637 Gluu Radius oxTrust Integration

  • #1625 Enhance/fix gluu logo/favicon change feature

  • #1620 Add SAML acr field to person authentication script form

  • #1616 Adapt oxTrust to oxAuth scope changes

  • #1612 Calendar popup for Date type attributes

  • #1605 oxTrust RS code (passport, scim, oxtrust-api) must set scopes for protection

  • #1600 Error showing certificates list

  • #1599 OIDC revamp

  • #1597 viewing new client opens to last tab viewed of previous client

  • #1596 OIDC client view screen squished with long redirect URIs

  • #1595 Display SCIM attribute name (if applicable) in attributes form

  • #1590 Introduce tree view for interception scripts (with common scripts support)

  • #1582 Email Validation Wrong Message Displayed

  • #1576 Add new clean configuration properties to oxTrust

  • #1573 Oops error when showing a Uma resource with associated client deleted.

  • #1562 Move some log line from INFO level to DEBUG level

  • #1560 Old configuration properties clean up

  • #1558 Merge some 3.1.6 commit manually into master

  • #1552 Remove Asimba GUI and API

  • #1534 Add form for IDP-initiated flow configuration

  • #1533 Revamp form for providers management configuration

  • #1532 Add form for passport configuration management

  • #1531 Create passport forms as needed

  • #1526 Add support for fido 2 devices in SCIM API

  • #1512 Client : add ability to specify client attributes as JSON

  • #1510 Fix compilation error on Jenkins build

  • #1490 Improvements in sector identifier and redirect uri assignment in oxTrust UI

  • #1481 Move to Java 1.8

  • #1468 Error while adding TR

  • #1466 Regular expression never evaluates on attribute named userPassword

  • #1461 Couchbase with multiple buckets

  • #1380 Generate swagger.json from api's documentation

  • #1341 Api documentation with Swagger

  • #1332 allow localhost as redirect uri for clients

  • #1291 Show All attributes show error page

  • #1289 Impossible to add New user

  • #1106 OpenID Client Auto-Generated Password Is Not Cryptographically Strong

  • #1088 SMTP Server Configuration Are Not Saved

  • #935 Server Log API

  • #934 Server Status API

  • #933 OxAuth configuration API

  • #932 OxTrust configuration API

  • #931 Registration API

  • #930 Custom Scripts API

  • #929 Certificates API

  • #928 Attributes API

  • #927 Authentication Method API

  • #926 Organization profile API

  • #925 Personal profile API

  • #924 Users API - People

  • #923 Users API - Groups

  • #922 CAS API

  • #921 UMA API

  • #920 OpenID Connect API

  • #919 SAML - Asimba API

  • #918 SAML - TrustRelationship API

  • #815 Show Modality according to requirement

  • #803 Protect oxTrust apis by UMA

  • #783 Prepare client/server code to protect oxTrust API endpoints using UMA

  • #758 Couchbase Support

  • #551 Remove ou=appliances

GluuFederation/oxAuth

  • #1158 PKCE : If code_challenge_method is not set it should fall back to plain value during validation

  • #1153 allowPostLogoutRedirectWithoutValidation oxAuth feature doesn't work

  • #1152 Public and private parts of oxAuth keys don't match

  • #1147 Use new delete with filter method in clean up jobs

  • #1145 Locale cookie is missing security based flag

  • #1144 NATIVE cache increase gluu bucket load and led to 4% errors in jmeter benchmarking test

  • #1141 Reduce number of user load from DB

  • #1138 Use internal authenticator "simple_password_auth" if either auth server or oxAuthenticationMode not specified

  • #1132 Don't call default client authentication if there is enabled RO script

  • #1131 BUG : we got failure during RPT upgrade

  • #1128 Key rotation stops working during logging of expired key.

  • #1118 Update labels in fido 2 custom page

  • #1116 Logo and favicon customization in oxAuth

  • #1115 Show response_modes_supported metadata in the Configuration Endpoint

  • #1114 Adjust fido2 domain verifier to better handle origin

  • #1112 Prevent oxauth crash due to increasing size of oxauth-keys.jks

  • #1109 oxauth does not take care of requested scopes while creating client dynamically

  • #1106 Store tokens under ou=tokens

  • #1098 Run introspection script before access token as JWT is created and transfer claims

  • #1093 Passport login page not populating the configured providers

  • #1088 id_token contains wrong hash of access_token for RS512 (and possibly other algorithms)

  • #1083 invalidateSessionCookiesAfterAuthorizationFlow=true leads to authorization failure

  • #1082 Update JS libs

  • #1081 Review error messages which the application shows but which do not lead to any errors

  • #1078 Check expiration of JWT encoded profile used in passport flows

  • #1071 Userinfo - Expired token must return 401 instead of 400 error code

  • #1063 Add a config value to allow to share the same sub between two Clients with the same sector identifier

  • #1058 URL-Encoding problem when retrieving value of custom param of authz request?

  • #1057 Reported by GG: No permissions associated with ticket

  • #1056 Multi value character attribute should be serialized as JSON array, not string

  • #1055 Allow to update key generator interval without server restart

  • #1052 Resource Owner Password Credential Grant Interception Script Buggy Logic

  • #1049 oxAuth should load JKS on first access only

  • #1047 KeyGenerator should allow to specify expiration in hours instead of days

  • #1044 Remove usages of Filter.create to create string-based filters

  • #1043 Show error message when passport scripts suspect an impersonation attempt

  • #1040 Double anchor tag in footer of oxAuth login form

  • #1033 Change oxauth persistence model : Drop oxAuthGrant objects from persistence and reduce load by 30%.

  • #1031 Server does not track clients that take part in SSO if ACR is changed (flow 4, 4.0).

  • #1029 Blank login page during simultaneous login to many RPs (flow 5)

  • #1021 Move attributes mapping logic out of passport scripts

  • #1020 Adjust passport scripts to conform to new configuration structure

  • #999 Handle logout when user can use many RP applications

  • #983 Prepare successful 4.0 oxauth build before go on with new features

  • #982 OB : OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens

  • #957 Remove completely authorization by access_token from Authorization Endpoint

  • #950 Align claims in id_token and Userinfo

  • #947 Sign token introspection response

  • #946 Support OAuth MTLS Client Authentication and Certificate Bound Access Tokens

  • #894 'loginPage' value

  • #884 Don't return refresh token if client doesn't have refresh_token grant

  • #855 Provide errors with exact explanation what is wrong.

  • #813 CleanupTimer has to run in own connection pool to not affect oxauth performance

  • #811 Upgrade to Jackson 2.x (from current Jackson 1.x)

  • #784 Add support for Token Revocation

  • #767 Could you add these authorization code request and response sections in a future version of oxauth-rp

  • #756 OAuth Scope Refactoring

  • #748 UMA RPT Policy evaluator : if no policies it grants access. We have to make it configurable (e.g. deny instead of grant)

  • #734 uniqueIdentifier removal in replicated server / clustered Gluu Server

  • #678 Couchbase Support

  • #602 Update client resets grant-types if it has no value

  • #548 Add s_hash to id_Token

  • #480 acr_values router script.

  • #413 Increase size of oxAuth-rp text areas

  • #313 Support Proof of Possession Tokens

  • #308 Support JWT Token Revocation

  • #296 [Feature Request] Please add RADIUS as GLUU custom authentication script

  • #267 IDP Initiated Authentication Script

  • #207 User Review of Persistent Client Scope Authorizations

GluuFederation/gluu-passport

  • #62 Verify linkedIn integration is working properly

  • #61 Add console log mode for starting passport configuration

  • #60 Add a cache provider when inResponseTo validation is used in a clustered environment

  • #56 Enhance IDP-initiated inbound flow

  • #46 More Verbose And Explicit Error Message Than "Go back and register!" On Failures

  • #19 Passport should support dynamic mapping

GluuFederation/community-edition-setup

  • #588 Issue random inum for admin user

  • #583 Datatype inconsistencies when using CouchBase

  • #581 Create new indexes for CB

  • #577 Reduce Couchbase Token/Cache OC metadata size

  • #576 Setup should use mapping to reduce Couchbase metadata size

  • #575 Package manager should do upgrade without CE data loss

  • #571 Failed to install CE 4.0 beta3 if selected passport to install

  • #570 Setup should be deployed as setup.zip

  • #569 Create context xml file for each jetty base folder to allow customize classpath

  • #561 Migrate to Amazon Corretto 8

  • #550 Minimize information exposed in token endpoint error message

  • #535 Move generic properties to gluu.properties

  • #533 Include RADIUS server as optional component during setup.py

  • #532 Move all service startup scripts to systemd on CentOS7

  • #528 UMA org units must be created during installation

  • #526 Ubuntu 16 uninstall - apt purge removing opt directory

  • #525 Replace python 2.7 with python 3.x

  • #522 Remove orgInum, applianceInum and Inum from RDN

  • #519 Remove Asimba and OpenLDAP support

  • #518 LDAP schema is broken

  • #512 Create the passport configuration upon installation only?

  • #511 Move passport configuration to LDAP

  • #508 Implement systemctl scripts for CentOS 7

  • #507 Migrate gluu-server startup scripts to systemctl

  • #501 Modification in 101-ox.ldif schema for birthdate

  • #489 Create Static Inum's

  • #483 Typo when restarting the Gluu Server

  • #462 Support Ubuntu 18.04.1 and deprecate 14.04 support

  • #457 Gluu is vulnerable to BEAST

  • #453 Remove Asimba From Options Dialogue

  • #446 Apt-get Remove Gluu Server Leaves Residual Scripts

  • #445 IDP Script Runs Before OpenDJ Causing Issues

  • #441 'identity' phase timing out in AWS based installation

  • #438 OpenLdap replication in Gluu 3.1.3 is taking too much time to sync changes

  • #431 Authentication scripts' levels need to be updated

  • #423 3.0.2 --> 3.1.2 upgrade / custom branding for login not working

  • #361 Upgrade: ldap data import too slow

  • #360 In setup script: allow selection of LDAP or Couchbase as the database

  • #358 Getting 404 for '.well-known/simple-web-discovery' endpoint

  • #275 Configure firewall on host to open https port after installing CE

GluuFederation/SCIM-Client

  • #62 Add support for boolean custom attributes

  • #61 Migrate to com.fasterxml jackson serialization library

  • #60 Service metadata endpoints must reject the presence of filter query param

  • #59 Wrong modeling of SearchRequest and its schema

  • #57 Bugs in filter functionality

  • #56 Refactor Bulk Operation service code

  • #54 Move SCIM-related oxtrust.properties inside the "ScimProperties" object

  • #53 cases 10.2/10.3, Delete a user with If-Match etag

  • #52 cases 7.2/7.3, Retrieve a user with If-None-Match etag

  • #51 cases 5.13/5.14, Update a user with If-Match etag header

  • #49 case 6.3, Add a value to a multi-valued attribute with PATCH

  • #48 case 6.2, Update a multi-valued attribute with PATCH

  • #47 case 6.1, Update a simple attribute with PATCH

  • #45 cases 11.1/11.2, Searching with POST /.search

  • #44 cases 4.4/5.4/5.5/5.6, Handling of immutable attribute

  • #43 Groups endpoint allows writing non-existing members

  • #42 Group assignment for users should be done at /Group not through /Users endpoint

  • #41 Adjust /Schemas endpoint impl to pick attributes characteristics automatically

  • #40 cases 8.11/8.12, Retrieve a list of users with attributes query param (POST)

  • #39 Replace deprecated ProxyFactory usage in client code

  • #38 cases 7.4/7.5, Retrieve a user with attributes query param

  • #37 cases 8.3/8.4, Retrieve a list of users with attributes query param

  • #36 cases 5.8/5.9, Update a user with attributes query param

  • #35 cases 4.5/4.6, Create a user with attributes query param

  • #34 Remove hard-coded list of ISO3166 countries

  • #33 Enhance ResourceTypes endpoint

  • #32 Add a logging framework

  • #31 Remove redundant code in authorization check for SCIM service

  • #30 Service does not handle properly the attributes/excludedAttributes parameters

  • #29 Add support for PATCH verb to service

  • #28 In user retrieval JSON response has the type attribute malformed for certain multi-valued attributes

  • #27 Creating and retrieval operations return unexpected attributes

  • #26 Validate locale attribute

  • #25 Validate timezone attribute

GluuFederation/oxcore

  • #152 Support multi valued custom attributes with single value

  • #151 Usage of IN produces inaccurate queries

  • #143 Support hardcoded LDAP attribute mapping to Couchbase attributes

  • #142 Add method to support delete by filter command with count parameter

  • #140 Couchbase : shortcut our existing keys to increase performance and save space

  • #136 Hybrid ldap layer

  • #131 Show Key/N1QL instead of DN/Filter in Couchbase Entry Manager

  • #128 NPE when modifying users entry via scim

  • #126 Add LDAP filter parsing support into Couchbase module

  • #123 LDAP layer should do recursive remove if request with remove tree control throws error

  • #122 Add cluster connection support to redis (using jedis client)

  • #121 Remove oxGwt from oxcore

  • #119 Change the LdapoxpassportConfiguration class that matches need schema structure

  • #115 Implement Hybrid Persistent provider

  • #111 Log all Couchbase operation time to separate log

  • #110 Implement count method to calculate count without loading result entries

  • #108 Move to java 1.8

  • #85 Use JSON data types to store in Couchbase entries

  • #80 Ldap persistence mechanism should support encryption methods which LDAP server doesn't support

  • #79 Update oxAuth/oxTrust to use oxLdap/oxCouchbase

  • #78 oxCouchbase should use SSL trust cert to check server authority

  • #77 oxCouchbase should support LDAP CRYPT and SHA authentication mechanism

  • #74 findEntriesVirtualListView throwing exception if search takes longer than certain threshold

  • #67 Remove ou=appliances, o=orgInum and replace orgInum/appliance Inum with UUID

  • #57 Support Couchbase

  • #44 Enable style checker maven plugin

  • #28 Create generic CacheService (without dependencies to ehcache)

GluuFederation/oxShibboleth

  • #65 IDP throws exception after CE install

  • #60 Update to latest IDP 3.4.4 and generate patches with our changes

  • #59 Couchbase Support

  • #53 Enable IDP in CE 4.0 with Couchbase

  • #51 Add support for folder with customized *.vm views

  • #35 Create authentication flow to replace RemoteUser flow

  • #30 SAML metadata is not processing properly

  • #25 Don't show stacktrace... ever

  • #24 SLO binding links are breaking IDP metadata

  • #16 /opt/shibboleth-idp/metadata/idp-metadata.xml (No such file or directory)

  • #5 Override Logout Functionality