What's new in Gluu Server v3#
Gluu Server 126.96.36.199#
Code White Patch#
In August 2018, a critical vulnerability was discovered in the Jboss Richfaces library, and our team immediately released a patch. Version 188.8.131.52 comes with that patch pre-implemented, but is otherwise identical to 3.1.3.
Gluu Server 3.1.3#
Upgraded system components and libraries#
We've upgraded many dependencies and system components to their latest versions to remediate known vulnerabilities.
Easier inbound identity#
In 3.1.3 you can expect better usability and quicker integrations with external identity providers. Make sure to install Passport.js during Gluu installation to take advantage of the improved functionality.
3.1.3 includes a number of UMA related updates, including added support for sending extra parameters during UMA permission ticket requests #664, and the RPT introspection endpoint now returns in its response all claims stored in the persisted claims token (PCT) #687.
More SCIM server features and a new SCIM client.#
Gluu 3.1.3 includes updates and new features to its SCIM server, as well as a completely re-written SCIM client.
Custom message properties in oxAuth & oxTrust#
The text for oxAuth and oxTrust is now stored in the following dedicated file: /opt/gluu/jetty/oxauth|identity/custom/i18n, making it easier to update and manage. #735.
Better interception script debugging in oxTrust#
Custom scripts are now checked for syntax and errors in the UI itself rather than waiting several seconds for an exception to appear in the oxauth_scripts log. #821
Automatically restore interception script parameters#
We’ve updated the custom scripts controller to restore script variables from a session automatically before calling the next script method. #675
Improved interception scripts#
We’ve reviewed scripts for stability, updated dependencies, and have also added support for combining multiple existing scripts, for instance our new CAS + Duo Security script.
Remotely debug interception scripts#
Custom scripts can be tricky to write and test. In 3.1.3, we've added documentation to help you remotely debug your custom scripts.
Improved upgrade scripts#
We are working hard to make upgrading Gluu easier and faster. Some of the improvements we've made include:
- A new progress bar
- Export data without stopping Gluu
- Faster importing and exporting of data
- Custom OpenDJ schema files are automatically backed up during migration to a new installation
- Migration of custom pages have been disabled due to incompatibility across Gluu Server versions
- Upon migration, AuthenticationMode will be set to auth_ldap_server to reduce the chance of lockout.
Gluu Server 3.1.x#
Gluu Sever 3.1.x offers improved performance and functionality.
OpenID Connect Provider Re-certification#
Gluu Server 3.1.x is certified for all five OpenID Connect Provider flows: Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP.
Gluu 3.1.x is the first commercially supported IAM server to implement the UMA 2.0 specification. UMA now aligns completely with OAuth 2.0. It also re-defines the claims gathering flow, enabling developers to implement multi-step consent, user-interactions, and stepped-up authentication flows.
Super Gluu out-of-the-box#
The Gluu Server 3.1.x supports push notifications for our free and secure two-factor authentication (2FA) mobile app, Super Gluu, out-of-the-box. Simply follow the docs to enable Super Gluu authentication.
2FA Credential Management#
Gluu Server 3.1.x includes support for a new open source web application called Credential Manager. Credential Manager is a user facing app that enables people to register and delete ("self-service") 2FA credentials, including U2F secrurity keys, Super Gluu devices, OTP app (like Google Authenticator), SMS phone numbers, and even change their password (if passwords are stored in the local Gluu LDAP).
To improve performance, the Gluu Server now caches short-lived objects, like the code in the authorization code flow. This reduces the number of writes to the LDAP database, increasing the performance of your underlying directory services.
From Seam to Weld#
The Jboss Seam J2EE framework was EOL. We updated to the Weld framework, which resulted in some of the URL's changing (now shorter and more clear). Clients that use the discovery endpoint (i.e.
https://<hostname>/.well-known/openid-configuration) should be ok. But watch out for any clients that may have hard coded endpoints.
The Gluu Server 3.1.x includes language packs. To learn more, or to contribute translations back to the project, check the localization docs.
Gluu Server 3.x#
Gluu Sever 3.x is more modern, faster, and easier to manage.
Jetty replaces Tomcat as servlet container#
Here are some of the reasons we made this change:
- Memory management: easier to allocate memory per app.
- Restart: Easier to restart individual components without affecting others. For example, Asimba requires more restarts when certain configuration is updated.
wrapper.logwas getting too busy. It's better to have the top-level log smaller. See logs management for more informatoin.
- Network: oxAuth is Internet facing; oxTrust is an admin application which may be internal facing only.
- Docker: Deploying each application in it's own servlet container aligns with our strategy to deploy each application in its own container.
Added support for OpenLDAP#
The Gluu Server uses LDAP for persistence. The Gluu Server will continue to support several LDAP servers (including OpenDJ), but will now offer support for OpenLDAP. Below are a few reasons we like OpenLDAP.
- OpenLDAP has a better license, and Symas (the company behind OpenLDAP), has a clear commitment to free open source software.
- OpenLDAP's LMDB backend is fast and crash-resistant.
- Affordable support options from Symas.
- Proxy Capabilities: using OpenLDAP Gold, which is a commercial distribution from Symas, data can be organized into different replicated topologies, and the proxy can be used to route operations. This strategy can increase the write performance of the LDAP service.
Shibboleth IDP version 3#
- Re-architected to use Spring
- Version 2.0 was end of life
- For more information, see the Release Notes
- Passport.js makes it easy to offer your users social login at more than 300 websites and consumer IDPs. See the Passport docs for more information.
- One-Time Password (OTP) authentication: You asked for it! Now it's easy to authenticate users with any standard HOTP or TOTP OATH software, like Google Authenticator. Read the docs.
- Centralized logging--useful for clustered deployments.
- Improved audit logging capabilities for OAuth 2.0
- External Logging is made easy using FluentD 3.5
- Migrated Weld 3.0.0