5.1.2
PAS 5.1.2 is a minor release that focuses on the following areas:
- Microsoft Entra ID EAM integration
- BankID risk indication (IMPORTANT: if you use an external database to log events, see necessary alterations below)
- Migration features from old authenticators to new
- SAML Assertion Profiles
- Improvements in PDF signing
- Bug fixes and other minor improvements
Microsoft Entra ID EAM
This release contains new functionality necessary to perform a complete integration with Microsoft Entra ID's new feature External Authentication Methods (EAM). It is a way to authenticate with Microsoft Entra ID as IdP, but with an external MFA provider. PAS can now act as an external MFA provider in this scenario.
BankID Risk Indication
BankID recently introduced additional parameters to their v6.0 API, specifically for the purpose of risk indication and management. You can read more about the features here. All PAS BankID integrations now support the new features:
- Specifying a "hard-coded" returnUrl that cannot be overridden by the app launching the BankID app
- Specifying a minimum acceptable risk level via requirements
- Sending additional information about the client via the web and app parameters
- The risk returned by the BankID transaction is now available in the responses, accessible in pipes, and so on
- BankID success event logs now also contain riskLevel for easy traceability -- this requires database changes described below
Database Changes Necessary For Using BankID in PAS 5.1.2
The introduction of the riskLevel parameter in the BankID event logs means that, if you use an external database for your event logging, you will need to alter your event table to add the riskLevel column.
This can be done by executing the following SQL script:
ALTER TABLE event ADD riskLevel varchar(255);
An example of how the new event log looks can be seen below:
2024-08-28 09:13:28,717 [EVENT] INFO: 2024-08-28T09:13:28+02:00 my-node.local CEF:0|PhenixID|PAS|5.1.2|EVT_004800|Successfully authenticated with Swedish BankID TEST|2|destinationServiceName=some_service duser=202401012394 phenixIDTraceId=#2zOeY52MR5g8dDPq riskLevel=low src=0:0:0:0:0:0:0:1
The only difference is the addition of the riskLevel parameter.
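An added example (not PhenixID's code) that parses event lines in the CEF format shown above and summarizes BankID success events by riskLevel, so a log pipeline or SIEM can alert on elevated risk and notice nodes that do not yet log the field. It assumes EVT_004800 identifies BankID success events and treats riskLevel values other than low (moderate, high) as alert-worthy; the second and third sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the PAS 5.1.2 event log format shown above.
# Line 2 (moderate risk) and line 3 (older node, no riskLevel) are made up.
SAMPLE_LOG = """\
2024-08-28 09:13:28,717 [EVENT] INFO: 2024-08-28T09:13:28+02:00 my-node.local CEF:0|PhenixID|PAS|5.1.2|EVT_004800|Successfully authenticated with Swedish BankID TEST|2|destinationServiceName=some_service duser=202401012394 phenixIDTraceId=#2zOeY52MR5g8dDPq riskLevel=low src=0:0:0:0:0:0:0:1
2024-08-28 09:14:02,101 [EVENT] INFO: 2024-08-28T09:14:02+02:00 my-node.local CEF:0|PhenixID|PAS|5.1.2|EVT_004800|Successfully authenticated with Swedish BankID TEST|2|destinationServiceName=some_service duser=199001019876 phenixIDTraceId=#constructedTrace1 riskLevel=moderate src=192.0.2.10
2024-08-28 09:15:40,555 [EVENT] INFO: 2024-08-28T09:15:40+02:00 my-node.local CEF:0|PhenixID|PAS|5.1.1|EVT_004800|Successfully authenticated with Swedish BankID TEST|2|destinationServiceName=some_service duser=198501011234 phenixIDTraceId=#constructedTrace2 src=192.0.2.11
"""

CEF_HEADER = ("version", "vendor", "product", "device_version",
              "signature_id", "name", "severity")
# CEF extension: key=value pairs separated by spaces; values may contain spaces,
# so a pair ends where the next "key=" begins (or at end of line).
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_cef(line):
    """Split one PAS event line into (header dict, extension dict); None if not CEF.
    Assumes no escaped pipes inside the header fields."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    parts = line[idx + 4:].split("|", 7)   # 7 header fields + extension
    if len(parts) != 8:
        return None
    return dict(zip(CEF_HEADER, parts[:7])), dict(EXT_RE.findall(parts[7].strip()))

def bankid_risk_summary(log_text, alert_levels=("moderate", "high")):
    """Count BankID success events by riskLevel; return (counts, flagged, missing).
    flagged: (traceId, duser, riskLevel) for events at an alert level.
    missing: traceIds of success events without riskLevel (e.g. pre-5.1.2 node)."""
    counts, flagged, missing = Counter(), [], []
    for line in log_text.splitlines():
        parsed = parse_cef(line)
        if parsed is None:
            continue
        header, ext = parsed
        if header["signature_id"] != "EVT_004800":   # assumed BankID success event id
            continue
        level = ext.get("riskLevel")
        if level is None:
            counts["<missing>"] += 1
            missing.append(ext.get("phenixIDTraceId"))
        else:
            counts[level] += 1
            if level in alert_levels:
                flagged.append((ext.get("phenixIDTraceId"), ext.get("duser"), level))
    return counts, flagged, missing
```

Events in the missing list point to nodes that have not been upgraded, or to an external event table that still lacks the riskLevel column.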
Migration features to new authenticator architecture
When you already have a SAML or OIDC federation active but want to migrate from the old authenticators to the protocol agnostic system, there is now an easy migration feature that allows you to configure both side-by-side and configure a migration strategy. This allows for requests directed towards the old authenticators to be instead pointed at the newly configured ones. You may configure this such that this redirection is only done under specific circumstances, or for specific service providers. Read more here.
SAML Assertion Profiles
PAS 5.1.2 takes another step forward in reducing configuration bloat for standard configurations such as providing SAML Assertions upon successful authentication.
The new protocol agnostic system introduced in PAS 5.1.0 allowed for the SAML IdP to run its own pipe after the authentication was performed, specifically for the purpose of running an AssertionProvider.
While this is still possible to do in PAS 5.1.2, an even easier way to configure it has been introduced: Assertion Profiles.
It is a way to configure, in the IDP configuration object, what a resulting assertion should look like, and under which circumstances each profile should be used.
For example, you may configure that service providers X, Y, and Z should receive attributes A, B, and C and use encrypted assertions, while other providers should only get attribute B.
Read more on how to use Assertion Profiles here and here.
Improvements
- PHX-3297 Ability to configure friendlyName for SAML attributes. With the new Assertion Profile system, you may also configure an attribute's friendlyName.
- PHX-3410 Add option to remove background image to visual sign. Administrators can now choose to not use a background image in their visual representation of the digital signature, which means more visual representations can fit into one page. Read more here.
- PHX-3560 SPBroker needs to add valves to copy values from session to item. AssertionConsumer can now be configured to add values directly to the item instead of the session. This is now what the standard configuration of SPBroker will do.
- PHX-3561 SPBroker IdP dropdown list difficult to use in large federations. The IdP dropdown list in the SPBroker guide now uses a string input with an autocomplete feature.
- PHX-3594 Add support for multivalue claims in new OIDC. If a property has multiple values (or if the claim type array is used), the claim value will be an array.
- PHX-3604 Make logout HTTP method a configurable option. Added a configuration property to the authentication module: onlyAllowLogoutViaHttpPost which, if set, will return an HTTP 405 Method Not Allowed if the logout endpoint is accessed via another method than POST.
- PHX-3608 Add support for response_mode: form_post in OIDC. OIDC will now return responses via a form autopost instead of HTTP redirect if the parameter response_mode is set to form_post.
- PHX-3611 Add key ID in JWT header. OIDC will now add the ID of the keystore used to sign the JWT to the header.
- PHX-3645 Create bridge from old authentication architecture to new. Added option to configure routing such that requests may be internally redirected. Read more here.
- PHX-3696 Implement BankID Risk indication. Added possibility to configure BankID integrations to fit BankID API v6 new parameters for risk indication.
- PHX-3697 Implement BankID ReturnURL. Added possibility to configure BankID integrations to use a hard-coded returnUrl according to the new API parameter.
- PHX-3709 Create configurable assertion profiles at SAML IDP. Added ability to configure assertion profiles, eliminating the need for any AssertionProvider valve. Read more here and here.
- PHX-3721 Add support for property expansion in JsonMapFileInputValve on path property. Added support for property expansion on the path property in JsonMapFileInputValve.
- PHX-3761 Add OIDC scope parameter to Authentication Context. Added the authorized scope to the authentication context such that it can easily be used to direct authentication flow.
Bug fixes
- PHX-3114 French login MFA Admin -- Misspelling. Corrected a spelling error in the French MFA Admin.
- PHX-3552 Keystore loading will not retry if failed on startup. Keystore loading will now retry before failing completely.
- PHX-3602 AssertionProvider config parameter authMetod is misspelled. Corrected spelling of config parameter, keeping backwards compatibility. Both will work, but authMethod will take precedence; it is now the documented parameter name.
- PHX-3617 SAML IdP / OIDC OP id resolving can cause errors for some IDs. Resolved an issue where some IDs could cause errors upon authentication.
- PHX-3618 Entering illegal characters can break IDP / OP guide scenarios. Added validation to make sure no illegal, URL-breaking characters may be used in those guide scenarios.
- PHX-3652 OIDC Logout endpoint crashes if session expired. Resolved an issue where the OIDC logout endpoint could crash if no session was present.
- PHX-3653 PipeExecutorValve enable_multi_value is read as boolean instead of string. Resolved an issue introduced in PAS 5.1.1, where enable_multi_value would be parsed as a boolean instead of a string. Now reverted back to a string parameter as before.
- PHX-3655 Default configuration from SithsEIDAuthenticator guide scenario uses the wrong search filter. Resolved an issue where request.username was being used in the search filters instead of request.userPersonalNumber.
- PHX-3686 Issue when PDF is narrower than regular A4. Resolved an issue where, when a non-A4 PDF was uploaded, the calculation for whether or not a visual signature could fit into the trail page was incorrect.
- PHX-3695 Internal Authentication Endpoints uses different URL scheme than OIDC / SAML, causing issues for rerouting. Changed the URL scheme for internal authentication endpoints to now end with /login (like SAML and OIDC do). If the old URL scheme is used, requests are redirected to the new one.
- PHX-3703 HTTP 2.0 Requests missing Host-header causes log errors. Resolved an issue where a missing Host-header would cause errors in logging; a fallback is now used instead.
Vulnerabilities mitigated
- PHX-3481 Outdated/vulnerable third party libraries jQuery/Lodash. Updated third party libraries jQuery/Lodash, resolving the following vulnerabilities: CVE-2020-23064, CVE-2020-11022, CVE-2020-11023, CVE-2019-11358, CVE-2021-23337, and CVE-2020-28500.
- PHX-3674 PDF vulnerabilities related to pdf.js / pdf.worker.js. Updated third party libraries pdf.js and pdf.worker.js to resolve vulnerabilities CVE-2024-34342 and CVE-2024-4367.