What's new in Gluu Server v3
Gluu Server 3.1.6.sp1
Removed oxTrust unauthorized access vulnerability
In CE 3.1.6.sp1 and future versions, the finishlogin.xhtml page has been removed, preventing the security vulnerability addressed in the May 2019 security patch. Read the docs.
Gluu Server 3.1.6
Support for Gluu Casa
CE 3.1.6 includes several optimizations to support Casa, a new application we wrote to help organizations using the Gluu Server roll out 2FA. Learn more.
SAML Single Logout improvements
Administrators can now enable SAML single logout (SLO) using the Shibboleth SSO logout profile. Read the docs.
SAML Force Authentication
Gluu now supports the SAML forceAuthn parameter. When an RP sets this flag, users are sent to the IDP for authentication even if they already have an existing session in the server. Read the docs.
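As an added illustration (not Gluu's or Shibboleth's code) of how an IdP acts on this flag: a small Python routine that reads ForceAuthn and its companion IsPassive from a constructed AuthnRequest and decides whether an existing SSO session may be reused. The sample request and the session record are constructed for the example.

```python
import time
from typing import Optional
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample AuthnRequest (not a real capture); the RP sets ForceAuthn.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2019-05-01T12:00:00Z"
    ForceAuthn="true" AssertionConsumerServiceURL="https://rp.example.com/acs">
  <saml:Issuer>https://rp.example.com</saml:Issuer>
</samlp:AuthnRequest>"""


def parse_authn_flags(authn_request_xml: str) -> dict:
    """Extract ForceAuthn and IsPassive from a samlp:AuthnRequest.

    Both attributes are optional xs:boolean values that default to false,
    so "true"/"1" are the only spellings that set a flag.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a samlp:AuthnRequest")

    def flag(name: str) -> bool:
        return root.get(name, "false").strip().lower() in ("true", "1")

    return {"id": root.get("ID"), "force_authn": flag("ForceAuthn"),
            "is_passive": flag("IsPassive")}


def decide(flags: dict, session: Optional[dict], now: float) -> str:
    """Return 'reuse_session', 'authenticate' or 'no_passive'.

    ForceAuthn means an existing IdP session must not satisfy the request;
    IsPassive means the IdP may not interact with the user, so a request
    that needs fresh authentication can only be answered with an error.
    """
    needs_fresh_auth = flags["force_authn"] or session is None \
        or session["expires_at"] <= now
    if not needs_fresh_auth:
        return "reuse_session"
    return "no_passive" if flags["is_passive"] else "authenticate"


if __name__ == "__main__":
    flags = parse_authn_flags(SAMPLE_AUTHN_REQUEST)
    live = {"user": "alice", "expires_at": time.time() + 3600}
    print(flags, decide(flags, live, time.time()))  # fresh login despite a live session
```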
Better handling of cache
In CE 3.1.6, unused and expired cache and session-related entries are periodically removed by a "cleaningJob", reducing unnecessary data in LDAP and improving the server's performance.
Minor bug fixes and feature improvements
A variety of bug fixes and UX improvements are included with the latest release. See our complete release notes.
Gluu Server 3.1.5
FIDO 2.0 is now supported! Simply enable the new interception script and endpoints in oxTrust. Read the docs.
oxTrust UX improvements for OpenID Connect clients
When configuring an OpenID Connect client in oxTrust, a default ACR can now be selected from a prepopulated list. In addition, a one-page summary for OpenID Connect clients is now available and can be exported in Markdown with one click. Read the docs here and here.
Easier certificate management
Commonly used certificates with shorter expiration times are now accessible from oxTrust, sparing you the trouble of accessing the Chroot. Read the docs.
Two new logs have been added to the Gluu Server: one for the Apache Velocity template engine, and another for the oxTrust Clean-Up tool. Log levels in oxTrust have also been re-worked to be more intuitive. Read the docs here and here.
Minor bug fixes and UX improvements
A variety of bug fixes and feature enhancements are present in the latest release. See our complete release notes.
Gluu Server 3.1.4
3.1.x to 3.1.4 in-place upgrades
Our upgrade script now supports "in place" upgrades from Gluu 3.1.x to 3.1.4: it will update necessary LDAP entries, change configuration files, and replace war files for installed services. Read the docs.
More inbound identity improvements
Gluu 3.1.4 supports inbound OpenID Connect (i.e. allowing users to authenticate at external OpenID Providers), account linking via user email, and multi-valued attributes in user profiles. In addition, configuring Passport and adding or changing strategies no longer requires service restarts. Read the docs.
We've added: an authenticationProtectionConfiguration setting to help protect against brute force attacks; client-side checks to prevent possible signing with expired JKS keys; many minor authentication script UI and code fixes; support for LDAP caching; and more precise polling interval options to improve the efficiency of LDAP connection pool checks.
Client secrets are now auto-generated by default, the password reset flow has been improved, user imports now support custom attributes, and more.
Logging now happens daily instead of hourly, unnecessary logs have been removed, and log levels are now a configurable parameter. In addition, we added a new oxtrust_audit.log which records which user did what, when, and where in oxTrust. Read the docs.
LDAP password migrations from BCRYPT to SSHA
Our Gluu OpenDJ LDAP server now supports BCRYPT password hashing, making it easier to migrate data between OpenLDAP and OpenDJ as needed.
New Shibboleth IDP3 extension
Gluu 3.1.4 now leverages the Shibboleth IDP as an extension, enabling authentication requests to be sent directly to oxAuth without calling an intermediary like
JWT Access Tokens
oxAuth can now be configured to return a signed JWT access token from the /token endpoint on a per-client basis. Read the docs.
Support for Token Binding
Gluu 3.1.4 running in Ubuntu 18 now supports Token Binding. Read the docs.
Close browser to kill session
For shared computer access situations it can be handy to kill a user's session when the browser is closed. In 3.1.4, instead of waiting for a set amount of time to kill a session, you can set -1 to kill the session in the OP when the browser is closed. Read the docs.
Gluu Server 3.1.3
Upgraded system components and libraries
We've upgraded many dependencies and system components to their latest versions to remediate known vulnerabilities.
Easier inbound identity
In 3.1.3 you can expect better usability and quicker integrations with external identity providers. Make sure to install Passport.js during Gluu installation to take advantage of the improved functionality.
3.1.3 includes a number of UMA-related updates, including support for sending extra parameters during UMA permission ticket requests (#664), and the RPT introspection endpoint now returns in its response all claims stored in the persisted claims token (PCT) (#687).
More SCIM server features and a new SCIM client
Gluu 3.1.3 includes updates and new features to its SCIM server, as well as a completely re-written SCIM client.
Custom message properties in oxAuth & oxTrust
The text for oxAuth and oxTrust is now stored in the following dedicated file: /opt/gluu/jetty/oxauth|identity/custom/i18n, making it easier to update and manage. #735.
Better interception script debugging in oxTrust
Custom scripts are now checked for syntax and errors in the UI itself rather than waiting several seconds for an exception to appear in the oxauth_scripts log. #821
Automatically restore interception script parameters
We’ve updated the custom scripts controller to restore script variables from a session automatically before calling the next script method. #675
Improved interception scripts
We’ve reviewed scripts for stability, updated dependencies, and have also added support for combining multiple existing scripts, for instance our new CAS + Duo Security script.
Remotely debug interception scripts
Custom scripts can be tricky to write and test. In 3.1.3, we've added documentation to help you remotely debug your custom scripts.
Improved upgrade scripts
We are working hard to make upgrading Gluu easier and faster. Some of the improvements we've made include:
- A new progress bar
- Export data without stopping Gluu
- Faster importing and exporting of data
- Custom OpenDJ schema files are automatically backed up during migration to a new installation
- Migration of custom pages has been disabled due to incompatibility across Gluu Server versions
- Upon migration, AuthenticationMode will be set to auth_ldap_server to reduce the chance of lockout.
Gluu Server 3.1.x
Gluu Server 3.1.x offers improved performance and functionality.
OpenID Connect Provider Re-certification
Gluu Server 3.1.x is certified for all five OpenID Connect Provider flows: Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP.
Gluu 3.1.x is the first commercially supported IAM server to implement the UMA 2.0 specification. UMA now aligns completely with OAuth 2.0. It also re-defines the claims gathering flow, enabling developers to implement multi-step consent, user interactions, and step-up authentication flows.
Super Gluu out-of-the-box
The Gluu Server 3.1.x supports push notifications for our free and secure two-factor authentication (2FA) mobile app, Super Gluu, out-of-the-box. Simply follow the docs to enable Super Gluu authentication.
2FA Credential Management
Gluu Server 3.1.x includes support for a new open source web application called Credential Manager. Credential Manager is a user-facing app that enables people to register and delete ("self-service") 2FA credentials, including U2F security keys, Super Gluu devices, OTP apps (like Google Authenticator), and SMS phone numbers, and even change their password (if passwords are stored in the local Gluu LDAP).
To improve performance, the Gluu Server now caches short-lived objects, like the code in the authorization code flow. This reduces the number of writes to the LDAP database, increasing the performance of your underlying directory services.
From Seam to Weld
The JBoss Seam J2EE framework was EOL. We updated to the Weld framework, which resulted in some of the URLs changing (now shorter and clearer). Clients that use the discovery endpoint (i.e. https://<hostname>/.well-known/openid-configuration) should be fine, but watch out for any clients that may have hard-coded endpoints.
The Gluu Server 3.1.x includes language packs. To learn more, or to contribute translations back to the project, check the localization docs.
Gluu Server 3.x
Gluu Server 3.x is more modern, faster, and easier to manage.
Jetty replaces Tomcat as servlet container
Here are some of the reasons we made this change:
- Memory management: easier to allocate memory per app.
- Restart: Easier to restart individual components without affecting others. For example, Asimba requires more restarts when certain configuration is updated.
- Logs: wrapper.log was getting too busy. It's better to keep the top-level log smaller. See logs management for more information.
- Network: oxAuth is Internet facing; oxTrust is an admin application which may be internal facing only.
- Docker: Deploying each application in its own servlet container aligns with our strategy to deploy each application in its own container.
Added support for OpenLDAP
The Gluu Server uses LDAP for persistence. The Gluu Server will continue to support several LDAP servers (including OpenDJ), but will now offer support for OpenLDAP. Below are a few reasons we like OpenLDAP.
- OpenLDAP has a better license, and Symas (the company behind OpenLDAP), has a clear commitment to free open source software.
- OpenLDAP's LMDB backend is fast and crash-resistant.
- Affordable support options from Symas.
- Proxy Capabilities: using OpenLDAP Gold, which is a commercial distribution from Symas, data can be organized into different replicated topologies, and the proxy can be used to route operations. This strategy can increase the write performance of the LDAP service.
Shibboleth IDP version 3
- Re-architected to use Spring
- Version 2.0 was end of life
- For more information, see the Release Notes
- Passport.js makes it easy to offer your users social login at more than 300 websites and consumer IDPs. See the Passport docs for more information.
- One-Time Password (OTP) authentication: You asked for it! Now it's easy to authenticate users with any standard HOTP or TOTP OATH software, like Google Authenticator. Read the docs.
- Centralized logging--useful for clustered deployments.
- Improved audit logging capabilities for OAuth 2.0
- External Logging is made easy using FluentD 3.5
- Migrated to Weld 3.0.0