uaa

This is a security release addressing the following issues

• CVE-2017-4972: Blind SQL Injection in UAA (high severity)
• CVE-2017-4973: Privilege Escalation in UAA (high severity)

This is a security release addressing the following issues

• CVE-2017-4972: Blind SQL Injection in UAA (high severity)
• CVE-2017-4973: Privilege Escalation in UAA (high severity)

This is a security release addressing the following issues

• CVE-2017-4972: Blind SQL Injection in UAA (high severity)
• CVE-2017-4973: Privilege Escalation in UAA (high severity)

This release fixes a database migration issue that was introduced in UAA 3.13.0 & addresses a critical issue with UAADB increased CPU utilization

DO NOT USE
Please use 3.14.0 Instead

This release addresses a critical issue with UAADB increased CPU utilization

This release addresses an issue with setting of session cookie with external SAML and OIDC authenitication

This release addresses an issue with setting of session cookie with external SAML and OIDC authenitication

This release re-introduces the JWT based Refresh Tokens. Refresh tokens are no longer opaque and revocable by default. This has been done to take care of the revocable_tokens table filling up with large deployments of UAA.

The format of the refresh token can now be set at an Identity Zone level via the API and can be boot strapped from the UAA.yml file for the default zone.

#    refresh:
#      unique: false ("If true, uaa will only issue one refresh token per client_id/user_id combination")
#      format: jwt 

Breaking Changes

With this release we have redacted the SAML Service Provider Key and OAuth Token Signing Keys from the Identity Zone GET API Response. The POST and PUT API's functionality stays intact in terms of allowing Zone Administrators to create and update SAML and OAuth Token Keys as part of the Identity Zone configuration. Please refer to the API docs for more details.

New Features

• Wildcard support for group whitelisting on Identity Providers
  • * translates to all groups
  • *pattern* Contains Pattern
  • pattern* Starts with Pattern
  • *pattern Ends with Pattern

Bug Fixes

• SAML initialization is not complete until /saml/metadata has been accessed

Breaking Changes

With this release we have redacted the SAML Service Provider Key and OAuth Token Signing Keys from the Identity Zone GET API Response. The POST and PUT API's functionality stays intact in terms of allowing Zone Administrators to create and update SAML and OAuth Token Keys as part of the Identity Zone configuration. Please refer to the API docs for more details.

New Features

• Wildcard support for group whitelisting on Identity Providers
  • * translates to all groups
  • *pattern* Contains Pattern
  • pattern* Starts with Pattern
  • *pattern Ends with Pattern

Bug Fixes

• SAML initialization is not complete until /saml/metadata has been accessed

This is a security release which addresses

• CVE-2017-4960 UAA OAuth DOS via lockout feature

This release also re-introduces the JWT based Refresh Tokens. Refresh tokens are no longer opaque and revocable by default. This has been done to take care of the revocable_tokens table filling up with large deployments of UAA.

The format of the refresh token can now be set at an Identity Zone level via the API and can be boot strapped from the UAA.yml file for the default zone.

#    refresh:
#      unique: false ("If true, uaa will only issue one refresh token per client_id/user_id combination")
#      format: jwt 

This is a security release which addresses

• CVE-2017-4960 UAA OAuth DOS via lockout feature

Major Features

External User Claims via UserInfo Endpoint

This feature enables User Attributes (including custom attributes) and Group Memberships from LDAP, SAML and OpenID Connect providers to be exposed via the UserInfo endpoint of UAA in addition to propagating them via OpenID Connect id_token. This is an optional feature per external identity provider and is turned on by setting the config.storeCustomAttributes flag in the Identity Provider json. The token must contain user_attributes and/or roles scopes for retrieving the custom attributes and roles from the /userinfo endpoint.

• Ability to retrieve the custom user attributes from the OpenID Connect userinfo endpoint External OIDC
• Ability to retrieve the roles from the OpenID Connect userinfo endpoint - All Providers

Force User Password Change for UAA Internal Users

This feature allows the administrator to force all users to change their password at next login time. This can be enforced on an individual user basis. This feature is multi-tenant and can be enabled per Identity Zone.

• Add support for User Force Password Change at next login
• Provide ability to force password change for all users in the system
• Update the Login UI to honor Force Password Change

SAML Bearer Token support

This feature enables SAML assertions to be exchanged for access tokens. This feature has been contributed by SAP. The documentation can be found here.

• Feature: Add saml2 bearer grant

SQL Server Support

In addition to PostGres and MySQL , UAA now supports SQL Server as a backend. This feature has been contributed by Microsoft.

• Microsoft SQL Server Support as a backend

Breaking Changes

With this release we have redacted the SAML Service Provider Key and OAuth Token Signing Keys from the Identity Zone GET API Response. The POST and PUT API's functionality stays intact in terms of allowing Zone Administrators to create and update SAML and OAuth Token Keys as part of the Identity Zone configuration. Please refer to the API docs for more details.

Minor Features

• Expose last_logon_time as a SCIM user property
• Track Last Log-On Time for Fed Customers Compliance
• Support multiple token keys for external OAuth/OIDC IDP
• Feature request to use wildcard or some matching expression to import the groups from an external identity provider in Group Whitelist
• Add Discovery Support for Relying Party OIDC Configuration
• Increase one-time code length for SSH code to ensure more entropy
• Use standard JWA algorithm names in /token_key(s)
• Provide the ability to associate a resource owner for any client created in UAA
• .well-known/openid-configuration should list newly supported scopes
• Fixed UAA_CONFIG_FILE property
• Enable logout redirect feature by default or provide a way to add your url to the redirect urls whitelist
• Audit events should log minimal data
• Perform code validation after password reset - invitation flow
• Perform code validation after password validation

Bug Fixes

• SAML initialization is not complete until /saml/metadata has been accessed
• UAA still not sending stack traces to syslog correctly
• OIDC Signature verification is skipped if token keys cannot be downloaded
• UAA is allowing users to be created with empty password but they can't login
• ResetPassword email missing username/email
• 500 errors when no intersecting scopes
• PUT on /identity-providers/{id} returns internal server error when called with incorrect payload (ex: missing config)
• userid should not passed be passed as part of the custom_attributes json
• UAA is still using the users.authorities column

This is a security release which addresses

• CVE-2016-6659 UAA Privilege Escalation

This is a security release which addresses

• CVE-2016-6659 UAA Privilege Escalation

This is a security release which addresses

• CVE-2016-6659 UAA Privilege Escalation