release pipeline testing in progress

Stories included in release

Features

• Allow branding consent text and link via uaa.yml and uaa release
• Agree to box on registration and invitation accept screens
• Agree to box on registration and invitation accept screens - Part 2
• login hint for /authorize endpoint
• Login hint error when origin is invalid should be more meaningful

Bug Fixes

• Introduce timeouts to identity provider URL fetching

Documentation

• Document the logout.do in our UAA API docs
• Publish 4.13.0 UAA API Docs with MFA warnings removed
• Document introspection endpoint was added in UAA version 4.9.0

This is a security release addressing the following issues:

• CVE-2018-1262: UAA privilege escalation across identity zones

This is a security release addressing the following issues:

• CVE-2018-1262: UAA privilege escalation across identity zones

Do not use

Please use 4.13.4

Features

Stories included in release

Breaking Change

As of UAA 4.13.0, UAA will require an active encryption passphrase to be defined in order to start-up.

Encryption key pass-phrases can be set via the BOSH manifest. Multiple keys can be specified, and can be any value greater than or equal to 8 characters. One specified key must be set as the active key.

An example property would look like below:

encryption:
  active_key_label: key-1
  encryption_keys:
  - label: key-1
    passphrase: CHANGE-ME-DO-NOT-USE-1
  - label: key-2
    passphrase: CHANGE-ME-DO-NOT-USE-2
  - label: key-3
    passphrase: CHANGE-ME-DO-NOT-USE-3

Known Issue

Monit health check and route registrar break if uaa.port is set to -1 to disable HTTP traffic.

Features

• As a security administrator, I want MFA credentials stored in the database to be encrypted
• As an operator, I want to be able to rotate the encryption key for MFA without impacting end users
• UAA enforces encryption key required to start UAA
• login hint support for /token endpoint
• Refreshing browser state on prompt=none call sets Current-User cookie

Bug Fixes

• Duplicate encryption keys in uaa.yml and required properties

Do not use

Please use 4.12.2

Features

Fixes an issue found with 4.12.0 related to large numbers of authorization requests being issued when used in conjunction with UAA Singular.

Do not use

This release introduces an issue when used in conjunction with UAA Singular that causes a large number of authorization requests to be issued, which is resolved in 4.12.1

Informational Notes

• Older database migrations have been updated to introduce primary keys to tables without primary keys. Users deploying UAA using the uaa bosh release should not be impacted by this change. If you were performing custom verification of flyaway migrations, you may encounter errors related to checksums during verification.
• Account Chooser cookies will no longer set cookies when account chooser is disabled. Users can be instructed to clear their browser cookies.

Stories included in release

Features

• cloudfoundry/uaa #775: missing cookie switch
• cloudfoundry/uaa #748: User issuer.uri from zone configuration
• cloudfoundry/uaa #776: Saml Provider: ensure username update
• cloudfoundry/uaa #763: Fix the problem with WAS (IBM WebSphere) 9
• cloudfoundry/uaa #733: Extend interface UaaTokenEnhancer
• cloudfoundry/uaa #767: Extend interface UaaTokenEnhancer with a generic enhance
• cloudfoundry/uaa #768: Refactor token enhancer call
• cloudfoundry/uaa #786: Add and update migrations to ensure all tables have a primary key
• cloudfoundry/uaa #769: resolve lower hostnames only
• cloudfoundry/uaa #687: route all errors not explicitly mapped to the sad cloud error page to hide tomcat server information
• Limit count parameter to /Groups endpoint to avoid OOM
• Limit count parameter to /Clients endpoint to avoid OOM
• Limit count parameter to /Users endpoint to avoid OOM
• Invitations should not set verified to true for external users (origin not uaa)
• Request with prompt=login should ask user to re-authenticate
• Requesting ID Token with max_age=1 seconds restriction should enforce max_age parameter
• Updated Spring to 4.3.15
• Updated jackson to 2.9.5

Bug Fixes

• cloudfoundry/uaa #750: Inconsistent terminology for passcode: "One Time Code" and "Temporary Authentication Code"
• cloudfoundry/uaa #726: many SQL requests to identity_provider table
• cloudfoundry/uaa #738: user delete in other zone does not remove members correctly
• authenticationType is part of all log event messages now

Documentation

• cloudfoundry/uaa #707: Correct Markdown headers
• cloudfoundry/uaa #795: fix typo
• cloudfoundry/uaa #791: Updates the meaning of SCIM

Stories included in release

Features

• Upgrade to Spring Security SAML 1.0.4.RELEASE
• Propagate response type error message in query parameters for missing response_type parameter
• Authorization request missing the response_type parameter returns error
• cloudfoundry/uaa #772: UaaTokenStore: Don't fall over when failing to expire oauth codes
• Add email_verified mapping documentation for IDPs
• Expose email_verified as a claim in the id_token and /userinfo endpoint
• Support MFA through CLIs as part of password grant type
• Enable passcode prompt for MFA login through SSO
• Allow mapping for email_verified claim - LDAP
• Allow mapping for email_verified claim - SAML
• Allow mapping for email_verified claim - OIDC
• Adapt implementation of MfaAuthenticationSuccess/FailureEvent
• Allow UAA user attributes to be sent in SAML Assertion
• Information for CF Security for Export Compliance
• cloudfoundry/uaa #767: Extend interface UaaTokenEnhancer with a generic enhance
• Updated Java JDK to 8u162

Bug Fixes

• /Users?attributes never return groups or approvals
• Password Grant with MFA is not marked as not yet ready for production use
• MFA registration back button (which just uses logout.do) no longer works
• Unable to change user's password because current password is not being accepted when username exists for multiple origins
• cloudfoundry/uaa #749: omit not needed libs
• IdentityProviderAuthenticationSuccess events show unknown authentication type
• UAA CSRF token under /login context path prevents users from logging in
• Changing username while MFA is enabled breaks login if you are already authenticated
• mfaprovider issuer field cannot contain colons

Stories included in release

Features

• Convert request count gauges to counters
• UAA check session iframe endpoint calculates session state
• Log IdentityProviderAuthenticationFailedEvent UAA/LDAP
• Allow custom redirect uri's for OAuth Clients
• Updated dependencies
  • Jackson Databind to 2.9.4
  • Apache Santuario (Java) to 1.5.8
  • Spring Security to 4.2.4

Documentation Updates

• Identity Zone Authorization API doc information is incorrect
• Identity Provider UAA API Docs don't mention X-Identity-Zone-Subdomain header
• SAML and OIDC identity provider in UAA API docs mention config.addShadowUserOnLogin twice

This is a security release addressing the following issues:

• CVE-2018-1192: UAA SessionID present in Audit Event Logs

This is a security release addressing the following issues:

• CVE-2018-1192: UAA SessionID present in Audit Event Logs

This is a security release addressing the following issues:

• CVE-2018-1192: UAA SessionID present in Audit Event Logs

This is a security release addressing the following issues:

• CVE-2018-1192: UAA SessionID present in Audit Event Logs

This is a security release addressing the following issues:

• CVE-2018-1192: UAA SessionID present in Audit Event Logs

Stories included in release

Breaking Changes

Manage Identity Providers via API for UAA Default Zone

UAA now allows operators to manage identity providers via APIs for the default system identity zone, which changes how UAA manifest values for identity providers behave. Previously UAA would disable any API made changes made by an operator on restart even though operators were able to make create and update identity providers using UAA’s API.

• Do not disable UAA identity providers that are not in the UAA manifest for the default zone on restarts
• Operators should be able to specify that an UAA identity provider in the manifest is a source of truth for the default zone
• Operators should be able to delete identity providers using the manifest as part of managing UAA identity providers via APIs for default zone

As a result, identity providers removed from the manifest must now also be explicitly deleted via manifest configuration (delete.identityProviders) or disabled/deleted via the UAA APIs.

• For SAML and OIDC identity providers, the delete.identityProviders has been added to allow deletion of these identity providers from the manifest using the origin key.
• For LDAP, the identity provider should only be disabled.

In addition, SAML, OIDC, and LDAP providers now have an override flag that defaults to true which specifics the manifest properties should overwrite any changes made via API. This value can be set to false to allow API updates of your existing manifest identity providers.

Features

Multifactor Authentication (Available for Preview Use)

• Allow enabling/disabling MFA Provider - Google Authenticator on system zone via uaa.yml and uaa-release spec
• Allow user to register MFA manually for Google Authenticator
• Update design for MFA verification page
• Redesign MFA setup/registration page based upon design feedback
• Allow administrator to unregister MFA for a user via API
• Remove non-configurable options and use defaults for Google Authenticator
• Enable MFA on LDAP Chained Authentication
• /change_email & /change_password endpoints should not use a separate security filter
• Force Password Change should happen after MFA login passes
• Refactor force password change to be an authorization step
• Remove autologin flow for verify flow
• Remove autologin flow for reset password
• Remove autologin flow for invite users
• Remove autologin for verify_email after changing email flow
• Disable autologin endpoint for basic auth when MFA is enabled
• Only generate UserAuthenticationSuccess Event when user authenticates successfully for both Password and MFA when MFA is enabled
• PasswordVerificationSuccess event on successful password authentication
• PasswordVerificationFailure event on failed password authentication
• PasswordAuthenticationSuccessEvent rename documentation
• MFAVerificationSuccess event when MFA passes
• MFAVerificationFailure event when MFA fails

Misc.

• UAA to send session_state for ID Token authentication response according to the standard
• DIsable LowConcurrencyPasswordEncoder and create a v53.1 release
• CI tests for UAA DB TLS?
• cloudfoundry/uaa #716: UAA check_token is not working with spring-security-oauth2 since 2.1.0.RELEASE
• Add logging to SAML group mapping - currently none
• cloudfoundry/uaa #759: Remove token values from Exceptions
• cloudfoundry/uaa #736: add lower index for postgresql only, because there the select is done
• cloudfoundry/uaa #729: Fix type for claim az_attr

Bug Fixes

• _ should be allowed in the redirect uri for OAuth clients
• cloudfoundry/uaa #762: Concurrency issue in time based expiration map
• change password behavior is broken
• Silent authentication should honor ant pattern matching
• Refactored MFA filters do not properly implement security handling for SAML when UAA is the identity provider
• QR code should not change when navigating Back
• Fix token/list documentation
• MFA enabled does not publish authentication success audit event

This is a security release addressing the following issues:

• CVE-2018-1190: XSS on UAA OpenID Connect check session iframe endpoint

Backport of a performance related fix:

• MySQL and DB Timeouts