Backport of a performance related fix:

• MySQL and DB Timeouts

Fixes a performance issue found with 4.8.0 related to concurrent requests timing out.

Do not use

This release introduces a performance issue related to concurrent requests timing out that is resolved in 4.8.1

Stories included in release

Features

• Minor library refresh

  • aspectJVersion = '1.8.12'
  • bcpkixVersion = '1.58'
  • bcprovVersion = '1.58'
  • cglibVersion = '3.2.5'
  • flywayVersion = '4.2.0'
  • jacksonVersion = '2.9.2'
  • jsonPathVersion = '2.4.0'
  • mariaDBClientVersion = '2.2.0'
  • scimSDKVersion = '1.8.18'
  • slf4jVersion = '1.7.25'
  • springVersion = '4.3.12.RELEASE'
  • springRetryVersion = '1.2.1.RELEASE'

• MySQL and DB Timeouts

• Skip SSL Validation on Identity Provider configurations should also skip SSL Hostname verification

• Don't let bcrypt hog all cpu

• cloudfoundry/uaa #714: use isBlank form apache instead of isEmpty for hsqldb

• Emit Audit Event for Token Revocation

• [cfid-4999] cloudfoundry/uaa #320: Setting UAA session timeout (backend) in config

• Send static claim assertions configured for SAML SP Providers as part of SAML assertions

• Allow operators to configure static claim assertions for SAML SP Provider configs

• Allow token revocation by providing UserID and ClientID

• Cross pair with sec-enablement on BPM

Backup and Restore

• Don't hard code "wait for route registrar" value

Metrics

• Measuring UAA Latency server-side
• Measuring UAA throughput server-side
• By default do not send metrics on every request

MFA (Currently still work-in progress)

• Get /mfa-providers
• Update of the MFA Provider - Google Authenticator
• Delete MFA provider
• Allow enabling/disabling MFA Provider - Google Authenticator on an Identity Zone
• Bootstrap MFA Providers through uaa.yml and uaa-release spec
• Prompt user MFA registration when MFA provider is enabled on an Identity Zone
• Update design for MFA verification page
• MFA login should honor original login landing page and application redirects
• Redesign MFA setup/registration page based upon design feedback
• Use issuer for Google Authenticator display
• Alphanumeric nature of MFA Provider name
• Don't allow update of MFA providers for Google Authenticator
• Remove MFA Provider "active" property
• MFA Provider names are unique
• Active MFA is configured by name
• Support /mfa-providers for uaa.admin on a user within the zone
• Create /mfa-provider - JSON vs. HTML errors - MFA-Provider
• TOTP mfa flow should not rely on Google APIs to generate QR code
• Error message shows incorrectly on MFA verify screen
• Clean up MFA provider registrations tied to user when MFA provider is deleted
• Fix documentation showing wrong scopes for MFA
• MFA overview description for API docs

Bug Fixes

• Updating zone fails without specifying zone id in the body

Documentation Updates

• cloudfoundry/uaa #705: API docs for Asymetric /token_key mismatch between doc and example
• Document Issuer as a value that can be configured in all values set UAA.yml and uaa-release spec
• Document how the bcrypt concurrency limiter works
• Remove the mention from Admin API endpoints for zones.zoneid.admin being a scope they could have for a non-admin user within the zone
• Update UAA API docs for Revoke all tokens for a user and client combination
• API Documentation improvements

This release addresses the breaking change around SSL hostname verification for self-signed SAML and OIDC connections introduced in UAA 4.7.1.
Please use this release instead of 4.7.1

Known Issue

This release introduces a breaking change around SSL hostname verification for self-signed SAML and OIDC connections that has been addressed in 4.7.2

The update of the httpclient dependency introduced SSL hostname verification which checks alternative names or the certificate CN to prevent man-in-the-middle attacks. This affects the following identity provider configurations, which will require the target to have a self-signed certificate with valid alternative names or certificate CN:

• OIDC identity providers during the login flow
• SAML identity providers during the SAML metadata exchange, where the metadata location is provided as an URL and not uploaded as a file

In addition, MySQL JBDC connections will now perform SSL Hostname Verification when SSL is enabled. The driver checks against the server's identity as presented in the server's certificate (checking alternative names or the certificate CN) to prevent man-in-the-middle attacks. Valid certificates will not be affected.

Notes

This is a security release addressing the following issues:

• CVE-2017-8031: UAA Denial of Service through client token revocation endpoint

Additionally, UAA dependencies have been updated:

• tomcat and tomcat jdbc pool to 8.5.23
• Spring Security LDAP 2.3.2
• commons fileupload to 1.3.3
• antisamy to 1.5.7
• Apache Velocity to 2.0
• xalan to 2.7.2
• beanutils 1.9.3
• Spring Framework 4.3.11
• httpclient to 4.5.3

This is a security release addressing the following issues:

• CVE-2017-8031: UAA Denial of Service through client token revocation endpoint

This is a security release addressing the following issues:

• CVE-2017-8031: UAA Denial of Service through client token revocation endpoint

Stories included in release

Features

Backup and Restore

• Expose flag for setting UAA in read-only mode via the UAA Bosh Release manifest

Metrics

• Add statsd as a gradle module under UAA
• statsd to emit uaa.requests.global.completed.count
• Implement URL endpoint tolerance configuration
• statsd to emit uaa.database.global.unhealthy.time
• statsd to emit uaa.database.global.unhealthy.count
  
• Vital JVM metrics
• Vital VM metrics
• statsd to emit uaa.requests.global.completed.time
• statsd to emit uaa.database.global.completed.count
  
• statsd to emit uaa.database.global.completed.time
• statsd to emit uaa.server.idle.time
• statsd to emit uaa.server.up.time
• statsd to emit uaa.requests.global.status_4xx.count
• statsd to emit uaa.requests.global.status_5xx.count
  
• statsd to emit uaa.requests.global.unhealthy.count
• statsd to emit uaa.requests.global.unhealthy.time
• Place audit metrics in the current namespace
• Metrics filter should be disabled in 4.6.x release tree
• Fix memory metrics

Documentation

• Add script that generates docs for multiple versions of UAA
• UAA API Docs UI for selecting versions
• Remove link to property mappings from the live UAA API references
• uaa-docs release-candidate and latest link in dropdown 404
• API Docs say "Version local" instead of specifying the version the user is currently browsing
• UAA API Docs' links in the version dropdown do not target the right places.
• Fix the /userinfo docs
• Bring back link to property mappings from the live UAA API Docs
• Document the custom attribute and external group mapping configurations for Identity Providers in UAA API Reference

Misc.

• Remove disable flag for logout redirect
• Allow administrators to configure Google Authenticator as an MFA Provider via API in a Identity Zone
• cloudfoundry/uaa #695: Feature/uaa read only
• IdP metadata should honor identity zone entityID value
• Remove Skip Discovery Link

Bug Fixes

• cloudfoundry/uaa #704: Slowdown with /Users queries
• Product logo for identity zone configurations is not showing up on Discovery login page

This release fixes a performance issue with /Users endpoint

This is a critical release which addresses a memory leak issue introduced in UAA 4.6.0.
Please use this release instead of 4.6.0

Please use 4.5.2 instead

Do-Not-Use

This release introduces a memory leak that has been addressed in 4.6.1

Breaking Changes

cloudfoundry/uaa #657: [OIDC] XOAuthAuthenticationManager username/external_id handling violates OIDC spec

The default mapping for deriving username from external OIDC has been switched from preferred_username to sub to maintain compliance with the spec. If you have an explicit mapping in place for username, you are not affected. However, if you are relying on the default, it will lead to creation of a new external user (aka shadow user in UAA).

The best approach is to create an explicit mapping for username and perform a one time database change on each external OIDC account in UAA to update to the right username

Features

UAA as a SAML IDP Enhancements

• Support IdP-initiated SAML Federation when UAA is the IdP
• Allow sending additional assertions for user attributes when UAA is the IdP
• Allow configuring attribute mappings on SP configurations through APIs for user attributes to be sent in SAML assertions when UAA is the IdP

Facebook as an Identity Provider

• cloudfoundry/uaa #630: Initial support for Facebook external IdP using signed_request (develop)

Dockerized UAA

• cloudfoundry/uaa #673: Feature/dockerize uaa

Client Secret Policy

• cloudfoundry/uaa #534: Feature/client secret policy

UAA Login Page Branding - Configurable Banner Image & Text

• Allow configuring message of the day banner configurations through uaa.yml for system zone
• Allow configuring message of the day banner configurations through uaa-release spec for system zone
• Allow configuring message of the day banner configurations through UAA APIs for identity zones
• Fix banner logo image to scale for mobile
• Show message of the day banner on top of login page

Other Miscellaneous Features

• Allow the IDP Discovery page to take input as a username
• Display username instead of email when user is resetting their password
• download metadata should have correctly named files
• User/Client with uaa.admin scope should be allowed to manage zones
• Create performance indicator scale based on available metrics from statsd
• Remove "group roles" - they are not used
• Ability to specify multiple SAML Keys with an active key id
• Update UAA API Reference Document with fixes including upgrading Slate and Deploy Latest to Cloud Foundry
• [cfid-4825] Add support to cache token keys
• Misleading parameter name metaDataLocation for IDP
• Stop logging configuration error
• Fix FacebookLoginIT on Travis
• Remove Skip Discovery Link

PRs

• cloudfoundry/uaa #656: Add support for HTTP Redirect binding for UAA as SAML IDP
• cloudfoundry/uaa #663: Fix: Remove the SAML Artifact Binding Support for all saml profiles
• cloudfoundry/uaa #676: Add form_redirect_uri to login page during reload
• cloudfoundry/uaa #603: Fix/multiple instance startup
• cloudfoundry/uaa #638: fix groups updates to only modify changed members
• cloudfoundry/uaa #581: Use entityID from zone configuration
• cloudfoundry/uaa #529: Fix circular view path errors on login
• cloudfoundry/uaa #598: Adding oidc idp non-custom attribute mapping (e.g. given name, email)
• cloudfoundry/uaa #662: OIDC token endpoint needs to support client authorization in either POST body or Basic auth
• cloudfoundry/uaa #674: Pass user object as parameter for refresh token
• cloudfoundry/uaa #669: ScimUserBootstrap: Selective Update on Groups
• cloudfoundry/uaa #658: update jackson
• cloudfoundry/uaa #594: Switch reset password flow to use username instead of email as username
• cloudfoundry/uaa #672: Fix OIDC well-known endpoint to be in compliance with spec
• cloudfoundry/uaa #633: RelayState with IDP initiated SSO not supported
• cloudfoundry/uaa #644: Reload login when CSRF token expires
• cloudfoundry/uaa #585: Unable to map external group from uaa.yml if external group contains a space character
• cloudfoundry/uaa #664: Missing index on table group_membership for postgres (2)
• cloudfoundry/uaa #647: Missing index on table group_membership for postgres
• cloudfoundry/uaa #612: Fix/error page branding
• cloudfoundry/uaa #655: BUG: unsychronized usage of static SimpleDateFormat in JsonDateDeserializer
• cloudfoundry/uaa #654: [question] ZONE_SWITCH_SCOPES do not include idps.write, sps.read, sps.write (similar of UAA_SCOPES)

Bug Fixes

• cloudfoundry/uaa #605: Invalid Saved Account Cookie (including bad json) causes uaa to throw 500
• External Group Mapping for OIDC is not working
• PUT /Users let's the request through

Stories included in release

Breaking Changes

Starting with UAA bosh release v43 the following Default Authorities will be set by default for all new identity zones:

• openid
• password.write
• uaa.user
• approvals.me
• profile
• roles
• user_attributes
• uaa.offline_token

The following Default Authorities will be set by default for the system zone:

• scim.me
• cloud_controller.read
• cloud_controller.write
• cloud_controller_service_permissions.read
• oauth.approvals
• notification_preferences.read
• notification_preferences.write

These values can be changed via the UAA Bosh release manifest or UAA identity zone APIs.

Features

• Make User Default Authorities Zone Specific and allow setting them via API
• Page that documents prop mapping
• Better default for storeCustomAttributes
• Update the API docs for required_user_groups
• JWT Bearer Token Exchange support external OIDC
• Provide the ability to register a client with jwt-bearer grant type
• Support for UAA id_token to be exchanged for Access Token via JWT Bearer
• All password changes should throw audit events
• Validation for Clients of Type jwt-bearer
• JWT token authentication - username allowed to be null and fail
• Refactor DAO objects to always take zone-id parameter
• Fix example for getting token from local UAA on the Github UAA readme
• support id_token exchange for an access token within the same identity zone
• Enable audience check for JWT Bearer Token Exchange
• cloudfoundry/uaa #639: When acting as a SAML SP allow configuration of RequestedAuthnContext

Bug Fixes

• cloudfoundry/uaa #611: Update approvals in profile deletes approvals for other client ids
• Passing in ID token for check token endpoint returns 500 error
• Handle null app launch URL causing NullPointerException on UAA home page
• Race condition on OIDC/Oauth authentication
• Documentation update for /password endpoint
• cloudfoundry/uaa #628: UserInfo endpoint under .well-known/openid-configuration not correct
• idp_discovery not working for OIDC with only discoveryUrl
• password_resets documentation bug
• cloudfoundry/uaa #640: Nullpointer exception in UAA
• Missing documentation for GET /Users
• Client secret can't be set to empty via yml
• UAA incorrectly parses private keys created with openssl req

Other Updates

The following dependencies have been updated:

• Updated hibernate-validator to 4.3.2
• Updated thymeleaf to 3.0.6 and ognl to 3.1.12
• Updated owasp-esapi-java to 2.1.0.1
• Updated spring-security-jwt to 1.0.8
• Updated commons-collections to 3.2.2
• Updated not-yet-commons-ssl to 0.3.17

This is a security release addressing the following issues:

• CVE-2017-8032: UAA Identity Zone Admin Privilege Escalation

This is a security release addressing the following issues:

• CVE-2017-8032: UAA Identity Zone Admin Privilege Escalation

This is a security release addressing the following issues:

• CVE-2017-8032: UAA Identity Zone Admin Privilege Escalation

Fixed Old SAML Identity Provider Metadata being cached on certain nodes in a HA deployment of UAA which causes SAML Authentication failure

Exposed the OpenID Connect Discovery Endpoint. Details can be found here

This is a security release addressing the following issues:

• CVE-2017-8032: UAA Identity Zone Admin Privilege Escalation

This is a security release addressing the following issues

• CVE-2017-4972: Blind SQL Injection in UAA (high severity)
• CVE-2017-4973: Privilege Escalation in UAA (high severity)