5.1.3

Note

If you use an external database, make sure to update it according to the upgrade notes: the schema has been extended to support FIDO2 passkeys.

Also, if you are using a reverse proxy you may need to whitelist a new URL; read more in the upgrade notes.

In PAS 5.1.3 we can finally announce several major new features we have been working on since the release of the new authentication architecture in PAS 5.1.0 earlier this year. Among many improvements, bug fixes and vulnerability mitigations, the main new features are:

  • A completely new web frontend for the authentication module, with strong defaults, easy customization, custom error handling, and full WCAG support out of the box.
  • Operations monitoring via metrics available through Prometheus or Elasticsearch
  • A containerized delivery of PAS with capabilities to mount a read-only configuration where you may inject resource files or environment variables

New web frontend

The authentication module now offers a completely new web frontend, with full support for custom themes, translations, languages and error handling, and forms that are WCAG compliant, responsive and hardened. Any of the new authenticators introduced since PAS 5.1 will use this frontend, and authenticators created via our guide scenarios are set up with configurations that fit it. Configurations from PAS 5.1.0-5.1.2 may need to be slightly adapted (most notably, adding a localizationKey to your DynamicAuthenticators).

In addition to a much more user-friendly design, this web app comes with a completely new API between backend and frontend, which let us improve many interactions and remove old bugs in the process. Some new features that were previously not possible are:

  • A back-button allowing for remaking choices in a selector, or going back steps in a sequence authentication
  • Completely customizable form design in DynamicAuthenticator, allowing for complex registration forms, option selection, OTP resending, and so on.
  • Dynamic option selection, for example if multiple identities are returned from an authentication (where a user has several roles within an organization, for example).

The new frontend also allows for very easy theme and language management. Read more on how to configure themes, languages and appearance profiles.

Operations monitoring

A long-awaited feature for PAS has been a way to monitor the status of a PAS deployment: whether everything is healthy, plus metrics that can alert an administrator before problems occur. PAS 5.1.3 introduces this via metrics exposed to Prometheus or Elasticsearch. For example, you may view extensive metrics on SAML metadata, certificate expiration times, request response times, and much more. You can read more on how to enable this here, and the available metrics for each module are listed in detail in the module subdirectory.
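As an added example of consuming those metrics (not part of the original release notes or the PAS product), here is a Prometheus alerting rule file covering the three things the paragraph mentions: certificate expiry, SAML metadata expiry and slow requests, plus a liveness alert on the scrape itself. The metric and label names (pas_certificate_not_after_seconds, pas_saml_metadata_valid_until_seconds, pas_request_duration_seconds_bucket, the alias and entity_id labels, and the job name pas) are assumed placeholders; substitute the names documented in the module subdirectory.

```yaml
# prometheus-pas-alerts.yml (added example; metric and label names are assumed placeholders,
# replace them with the names listed in the PAS module metrics documentation)
groups:
  - name: pas
    rules:
      # Certificates: alert a month ahead so a renewal can be scheduled, not rushed.
      - alert: PasCertificateExpiringSoon
        expr: (pas_certificate_not_after_seconds - time()) < 30 * 24 * 3600
        for: 1h
        labels:
          severity: warning
        annotations:
          summary: "PAS certificate {{ $labels.alias }} expires in under 30 days"

      # SAML metadata usually has a shorter validUntil; a week is a typical lead time.
      - alert: PasSamlMetadataExpiringSoon
        expr: (pas_saml_metadata_valid_until_seconds - time()) < 7 * 24 * 3600
        for: 1h
        labels:
          severity: warning
        annotations:
          summary: "SAML metadata for {{ $labels.entity_id }} expires in under 7 days"

      # Latency: p95 over a 5 minute window, sustained for 10 minutes to avoid flapping.
      - alert: PasSlowRequests
        expr: histogram_quantile(0.95, sum by (le) (rate(pas_request_duration_seconds_bucket[5m]))) > 2
        for: 10m
        labels:
          severity: warning
        annotations:
          summary: "95th percentile PAS request time above 2s for 10 minutes"

      # Liveness: `up` is generated by Prometheus itself for every scrape target.
      - alert: PasDown
        expr: up{job="pas"} == 0
        for: 2m
        labels:
          severity: critical
        annotations:
          summary: "PAS instance {{ $labels.instance }} is not responding to scrapes"
```

The `for` durations are deliberate: a certificate that is about to expire is not an incident yet, so an hour of confirmation costs nothing, while a scrape failure becomes a page after two minutes.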

Containerized delivery

PAS 5.1.3 comes not only as Linux/Windows installers but also as a Docker image. To make deploying this container easy, some new features have been added. For example, you may mount a container_overlay so that the configuration itself can be read-only. Doing this also lets your configuration file contain placeholders that are replaced by either resource files (such as keystores) or environment variables. That way you can pre-configure your PAS and then deploy it with the variables and files you wish to keep out of the image, or to swap out easily. Read more about PAS as a container here.
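To make the placeholder mechanism concrete, here is an added example (not PAS's own code, and not its placeholder syntax, which is documented in the container guide) of rendering a read-only configuration template against a mounted overlay directory and the process environment. The `${env:NAME}` and `${file:path}` forms, the PAS_DB_URL variable, the secrets/ layout and the template contents are all constructed for the example. The one check worth copying is the path containment test: a placeholder must never be able to read a file outside the overlay.

```python
import re
import tempfile
from pathlib import Path

# Placeholder syntax for this example only (assumption, not PAS syntax):
#   ${env:NAME}            -> value of environment variable NAME
#   ${file:relative/path}  -> contents of a file below the mounted overlay directory
PLACEHOLDER = re.compile(r"\$\{(env|file):([A-Za-z0-9_./-]+)\}")


def render_config(template: str, overlay_dir: Path, env: dict) -> str:
    """Replace every placeholder in template; fail loudly on anything missing or out of bounds."""
    overlay_dir = overlay_dir.resolve()

    def substitute(match: "re.Match") -> str:
        kind, name = match.group(1), match.group(2)
        if kind == "env":
            if name not in env:
                raise KeyError(f"environment variable {name} is not set")
            return env[name]
        path = (overlay_dir / name).resolve()
        # Refuse paths that climb out of the overlay (e.g. ../../etc/shadow).
        if overlay_dir not in path.parents:
            raise ValueError(f"resource {name} is outside the overlay")
        return path.read_text(encoding="utf-8").strip()

    return PLACEHOLDER.sub(substitute, template)


# Constructed template: the read-only config carries no secret values itself.
TEMPLATE = """\
db.url=${env:PAS_DB_URL}
db.password=${file:secrets/db.password}
keystore.path=/opt/pas/overlay/keystore.p12
keystore.password=${file:secrets/keystore.password}
"""


def demo() -> str:
    """Render TEMPLATE against a constructed overlay directory and environment."""
    with tempfile.TemporaryDirectory() as tmp:
        overlay = Path(tmp)
        (overlay / "secrets").mkdir()
        (overlay / "secrets" / "db.password").write_text("s3cret-db\n", encoding="utf-8")
        (overlay / "secrets" / "keystore.password").write_text("ks-pass", encoding="utf-8")
        env = {"PAS_DB_URL": "jdbc:mysql://db.internal:3306/pas"}
        return render_config(TEMPLATE, overlay, env)


def demo_traversal_is_rejected() -> bool:
    """A placeholder pointing outside the overlay must be refused, not resolved."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            render_config("${file:../outside}", Path(tmp), {})
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    print(demo())
```

Because the template is resolved at start-up rather than baked into the image, rotating the database password means replacing one overlay file and restarting, with no rebuild and no secret in the image layers.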

Other major new features

Other major new features that are available in PAS 5.1.3 are:

  • MFA Sequence guide scenarios -- Select a primary authenticator and then choose an MFA preset for simple MFA such as SMS OTP, Mail OTP, or OneTouch. These come pre-configured with a polished UI that allows for, e.g., OTP resending.
  • Authenticator pre-pipes -- You may configure a pre-pipe that executes before the authenticator itself, either every time a request arrives or when the initial authenticator state is loaded. This is useful in, for example, OTP flows where you want to resend OTPs.
  • Custom app schemes for mobile authenticators -- If you launch PAS authentication from within a native app you may wish to adjust the return URL passed to mobile apps (for example BankID) so that the user is returned to your native app after authentication. This is now easily configurable via Custom App Schemes; read more here.
  • FIDO2 passkeys -- Usernameless authentication. IMPORTANT: requires a database update; read the upgrade notes here.
  • WindowsSSO as protocol-agnostic authenticator
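The OTP resend case mentioned above (a pre-pipe running on every request) interacts with the OTPGeneratorValve reuse threshold listed under PHX-3819 below: if every resend click generated a fresh code, a user who clicks resend while the first SMS is still in transit would have the code they are about to type invalidated. The following added example (not PAS's valve code; the 60 second reuse window, 5 minute lifetime and 5 attempt limit are assumed policy values) shows the pattern a practitioner wants: resend within the window re-delivers the same code, codes are single-use, expire, and are burned after too many wrong guesses, and comparison is constant-time.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Assumed policy values for this example (PAS exposes its own configuration for these):
REUSE_WINDOW_SECONDS = 60    # a resend inside this window re-sends the existing code
OTP_LIFETIME_SECONDS = 300   # a code stops validating this long after it was generated
MAX_ATTEMPTS = 5             # wrong guesses before the code is burned


@dataclass
class IssuedOtp:
    code: str
    issued_at: float
    attempts: int = 0


class OtpStore:
    """Per-session OTP state, keyed by the authentication session id."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock          # injectable for testing
        self._issued: Dict[str, IssuedOtp] = {}

    def request(self, session_id: str) -> Tuple[str, bool]:
        """Called when the OTP step loads and on every 'resend' click.
        Returns (code, reused). A reused code is delivered again, not regenerated,
        so a user who clicks resend while the first SMS is in transit is not locked out."""
        now = self._clock()
        current = self._issued.get(session_id)
        if current is not None and now - current.issued_at < REUSE_WINDOW_SECONDS:
            return current.code, True
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, fixed width, leading zeros kept
        self._issued[session_id] = IssuedOtp(code, now)
        return code, False

    def verify(self, session_id: str, submitted: str) -> bool:
        """Expiry, bounded attempts, constant-time compare, single use."""
        current = self._issued.get(session_id)
        if current is None:
            return False
        if self._clock() - current.issued_at > OTP_LIFETIME_SECONDS:
            del self._issued[session_id]
            return False
        current.attempts += 1
        if current.attempts > MAX_ATTEMPTS:
            del self._issued[session_id]          # too many guesses: burn the code
            return False
        if not hmac.compare_digest(current.code, submitted):
            return False
        del self._issued[session_id]              # accepted codes are never valid twice
        return True


def wrong_guess_for(code: str) -> str:
    """A six-digit value that is certainly not `code` (used when exercising the attempt limit)."""
    return "000000" if code != "000000" else "000001"


if __name__ == "__main__":
    store = OtpStore()
    code, reused = store.request("demo-session")
    print("issued", code, "reused:", reused)
    print("resend returns same code:", store.request("demo-session") == (code, True))
    print("verify:", store.verify("demo-session", code))
```

Note what the reuse window does not do: it does not extend the lifetime. A code re-sent at second 50 still expires at second 300 from its original issue, so the window cannot be used to keep one code alive indefinitely.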

Improvements

  • PHX-3400 - Add entirely new web app frontend to authentication module. Described in detail above.
  • PHX-3346 - Add operations monitoring / metrics. Described in detail above.
  • PHX-3562 - Add containerized delivery of PAS. Described in detail above.
  • PHX-3200 - Add protocol agnostic Windows SSO Authenticator. A port of the old WindowsSSO authenticator to the new architecture. Read more here.
  • PHX-3213 - Implement OAuth token introspection in new OpenID Provider. An OAuth 2.0 token introspection endpoint according to RFC 7662 has been added to the new OpenID Providers.
  • PHX-3527 - Provide dynamic selection of options in a sequence. As a part of the improvements added to the new DynamicAuthenticator, you may now configure dynamic selection of options in a sequence, read more here.
  • PHX-3557 - Support FIDO2 Passkeys in new FIDO2 authenticator. You may now configure FIDO2 authentication flows that do not prompt for a username, read more about passkeys here.
  • PHX-3635 - Return custom error code in FlowFailValve. FlowFailValve now supports failing with a custom error code, which may be used to present an error message to the user.
  • PHX-3682 - Allow log levels to be set from env variables. You may now set log levels via environment variables, particularly useful in container deployment. Read more here.
  • PHX-3734 - Simplify configuration for SMS/Mail OTPs. The new MFA Sequence guide scenario allows for very simple SMS/Mail-OTP, OneTouch or custom MFA to be set up.
  • PHX-3738 - Implement OAuth token revocation in new OpenID Provider. An OAuth 2.0 token revocation endpoint according to RFC 7009 has been added to the new OpenID Providers.
  • PHX-3744 - Access token as JWT in new OpenID Provider. An option has been added to the new OpenID Providers whether an access token should be issued as a JWT (according to RFC 9068) or opaque string.
  • PHX-3746 - Implement full SAML SLO in new IDP. The new SAML IDPs will now keep track of all SP sessions and perform a full SAML SLO if available, upon logout.
  • PHX-3759 - Add an information display option to DynamicAuthenticator. DynamicAuthenticator may now also be used as an information display prior to the execution of the authenticator. This is mainly used for otherwise headless authentications, such as reminding users to insert their smartcard before mutual TLS authentication.
  • PHX-3764 - Add "includeQueryString" parameter to internal authentication endpoints. An option to include the initial query string when redirecting to success URL has been added to internal authentication endpoints. This is a useful tool for setting up SiteMinder integration for example.
  • PHX-3776 - Move Keystore from Federation to System in config GUI. Guide scenario "Keystore" has been moved to System as it is relevant in many more scenarios than federation.
  • PHX-3777 - Rename Federation to SAML in config GUI.
  • PHX-3788 - Allow custom app schemes in return_urls for mobile authenticators. Return URLs may now be freely overridden in mobile authenticators; read more here.
  • PHX-3813 - Add prePipe option to new authenticators. Protocol agnostic authenticators may now execute a prePipe, described in more detail above.
  • PHX-3819 - Add configuration option to OTPGeneratorValve to only generate a new OTP if time has passed a threshold. OTPGeneratorValve now has a config option that allows for OTPs to be reused if a new one is requested after only a short time. Read more here.
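PHX-3213 and PHX-3738 add the two endpoints a resource server and a client need to ask about and retire opaque tokens. The example below is an added illustration of the behaviour those RFCs require, not the PAS OpenID Provider implementation: an in-memory server whose introspection (RFC 7662) refuses unauthenticated callers and answers `{"active": false}` for unknown, expired and revoked tokens alike, and whose revocation (RFC 7009) returns 200 regardless of whether the token existed, 401 for bad client credentials, and silently ignores tokens issued to a different client. The client ids rp-1/rp-2, their secrets, the subjects and the 600 second lifetime are constructed; JWT-formatted access tokens (PHX-3744) are out of scope here.

```python
import hmac
import secrets
import time
from typing import Callable, Dict


class TokenServer:
    """In-memory authorization server core: issues opaque access tokens and serves
    RFC 7662 introspection and RFC 7009 revocation for authenticated clients."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock                      # injectable for testing
        self._tokens: Dict[str, dict] = {}
        # Constructed confidential clients (client_id -> client_secret).
        self._clients = {"rp-1": "rp-1-secret", "rp-2": "rp-2-secret"}

    def _client_ok(self, client_id: str, client_secret: str) -> bool:
        expected = self._clients.get(client_id)
        return expected is not None and hmac.compare_digest(expected, client_secret)

    def issue(self, sub: str, client_id: str, scope: str, lifetime: int = 600) -> str:
        """Opaque token: random handle, all metadata stays server-side."""
        token = secrets.token_urlsafe(32)
        now = int(self._clock())
        self._tokens[token] = {
            "sub": sub, "client_id": client_id, "scope": scope,
            "token_type": "Bearer", "iat": now, "exp": now + lifetime,
        }
        return token

    def introspect(self, client_id: str, client_secret: str, token: str) -> dict:
        """RFC 7662 §2.1: the caller must be authorized, which blocks token scanning.
        §2.2: unknown, expired or revoked tokens all yield {"active": false} with no
        further detail, so the response does not say which of the three it was."""
        if not self._client_ok(client_id, client_secret):
            raise PermissionError("invalid_client")
        meta = self._tokens.get(token)
        if meta is None or meta["exp"] <= self._clock():
            return {"active": False}
        return {"active": True, **meta}

    def revoke(self, client_id: str, client_secret: str, token: str) -> int:
        """Returns the HTTP status. RFC 7009 §2.2: 200 whether or not the token was valid,
        so revocation is idempotent and does not leak token existence. §2.2.1: invalid
        client credentials are an error (401 here). §2.1: the server must check the token
        was issued to the requesting client; this example makes that a silent no-op."""
        if not self._client_ok(client_id, client_secret):
            return 401
        meta = self._tokens.get(token)
        if meta is not None and meta["client_id"] == client_id:
            del self._tokens[token]
        return 200


if __name__ == "__main__":
    srv = TokenServer()
    tok = srv.issue("alice", "rp-1", "openid profile")
    print(srv.introspect("rp-1", "rp-1-secret", tok))
    print("revoke:", srv.revoke("rp-1", "rp-1-secret", tok))
    print(srv.introspect("rp-1", "rp-1-secret", tok))
```

Two behaviours are worth checking against any real provider: an unauthenticated introspection call must be rejected outright rather than answered `active: false`, and a second revocation of the same token must still be 200, since a client retrying after a network error has no other way to know the first attempt succeeded.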

Bug fixes

  • PHX-3614 - Agnostic auth selector uses cookie to remember selection, user is unable to revert this. You may now always revert an auth selector decision by using the back button in the new GUI. This will also remove the cookie.
  • PHX-3708 - MySQL occasionally times out and requires restart. Follow-up fix for an old bug. PAS now sends periodic keep-alive calls to the external database while idle, to prevent broken connections and detect them early.
  • PHX-3778 - BasicParserPool logs errors on deflated SAMLRequest. Initial request parsing logged a harmless error when the request was deflated. That log entry is now suppressed in the default log configuration.
  • PHX-3779 - Expressions are case sensitive, but HTTP header names can differ in case between HTTP/1.1 and HTTP/2. Fixed so that HTTP headers can always be accessed in a case-insensitive manner.
  • PHX-3786 - You cannot use an expired certificate in the new OpenID Providers. Fixed so that it is now possible, though not recommended (a warning is logged), to use expired certificates in the new OpenID Providers.
  • PHX-3796 - Some valves (for example GetMiuForPersonValve and GetHsaPersonValve) take a very long time to time out and freeze the flow because of blocking operations. Many valves have been made non-blocking, timeouts have been added to GetMiuForPersonValve / GetHsaPersonValve, the worker thread count for pipes is set to 8, and dedicated worker pools are shut down on reconfiguration.
  • PHX-3805 - Many links in the product refer to the old documentation site. Links now refer to this site, https://docs.phenixid.se instead of the legacy one at https://document.phenixid.net.
  • PHX-3837 - OIDC Implicit flow and hybrid flow uses response mode query by default. Corrected this behavior such that implicit and hybrid flows use response mode fragment by default, as per the specification.
  • PHX-3849 - NEOTPListener did not work correctly and caused runtime errors when clients connected. The configuration of the underlying socket has now been corrected.
  • PHX-3858 - SAML LogoutRequest detached signature validation only works for uppercase URL encoding. Resolved it such that both upper and lowercase URL encoding is acceptable for detached signatures.
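PHX-3858 is an instance of a classic HTTP-Redirect binding mistake, so here is an added example (not PAS code) of the right and the wrong way to rebuild the signed string. Per SAML Bindings 3.4.4.1 the signature covers `SAMLRequest=..&RelayState=..&SigAlg=..` using the percent-encoded values exactly as they appear in the query; a verifier that decodes and then re-encodes with its own encoder silently assumes one hex case and rejects senders that used the other. To run offline, HMAC-SHA256 under a constructed shared key stands in for the IdP's RSA signature; the SigAlg URI, LogoutRequest stub and RelayState are constructed too, and the canonicalisation is what the example is about.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import quote, unquote

SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# Stand-in for the IdP's RSA key pair so this runs offline: HMAC-SHA256 under a shared key.
# The construction of the signed string, which is the point here, is identical for RSA.
DEMO_KEY = b"constructed-demo-key"

# Constructed inputs: a (non-deflated) LogoutRequest stub and a RelayState with reserved characters.
SAML_REQUEST = base64.b64encode(b"<samlp:LogoutRequest ID='_abc123'/>").decode("ascii")
RELAY_STATE = "https://sp.example.com/return?after=logout&lang=sv"


def lowercase_percent(encoded: str) -> str:
    """Turn %2F into %2f: what some SP stacks emit, and what PHX-3858 previously rejected."""
    return re.sub(r"%[0-9A-F]{2}", lambda m: m.group(0).lower(), encoded)


def build_signed_query(saml_request: str, relay_state: str, lowercase: bool = False) -> str:
    """HTTP-Redirect binding (SAML Bindings 3.4.4.1): sign SAMLRequest=..&RelayState=..&SigAlg=..
    over the URL-encoded values exactly as they will appear in the query string."""
    if lowercase:
        enc = lambda s: lowercase_percent(quote(s, safe=""))
    else:
        enc = lambda s: quote(s, safe="")
    signed = f"SAMLRequest={enc(saml_request)}&RelayState={enc(relay_state)}&SigAlg={enc(SIG_ALG)}"
    sig = hmac.new(DEMO_KEY, signed.encode("ascii"), hashlib.sha256).digest()
    return signed + "&Signature=" + enc(base64.b64encode(sig).decode("ascii"))


def raw_query_params(query: str) -> dict:
    """Split the query string but keep each value percent-encoded exactly as received."""
    params = {}
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            params[unquote(name)] = value
    return params


def signed_data(params: dict) -> bytes:
    """The spec fixes the order: message, then RelayState if present, then SigAlg."""
    message = "SAMLRequest" if "SAMLRequest" in params else "SAMLResponse"
    parts = [f"{message}={params[message]}"]
    if "RelayState" in params:
        parts.append(f"RelayState={params['RelayState']}")
    parts.append(f"SigAlg={params['SigAlg']}")
    return "&".join(parts).encode("ascii")


def verify_raw(query: str) -> bool:
    """Correct: verify over the bytes the sender actually signed, whatever the hex case."""
    params = raw_query_params(query)
    signature = base64.b64decode(unquote(params["Signature"]))
    expected = hmac.new(DEMO_KEY, signed_data(params), hashlib.sha256).digest()
    return hmac.compare_digest(signature, expected)


def verify_reencoding(query: str) -> bool:
    """The bug pattern: decode the parameters, then re-encode them with the verifier's own
    encoder (uppercase hex). Breaks for any sender that used lowercase hex."""
    decoded = {k: unquote(v) for k, v in raw_query_params(query).items()}
    rebuilt = {k: quote(v, safe="") for k, v in decoded.items()}
    signature = base64.b64decode(decoded["Signature"])
    expected = hmac.new(DEMO_KEY, signed_data(rebuilt), hashlib.sha256).digest()
    return hmac.compare_digest(signature, expected)


if __name__ == "__main__":
    lower = build_signed_query(SAML_REQUEST, RELAY_STATE, lowercase=True)
    print("raw verifier accepts lowercase:", verify_raw(lower))
    print("re-encoding verifier accepts lowercase:", verify_reencoding(lower))
```

The practical consequence: a verifier must take the query string from the raw request line, not from a framework's already-decoded parameter map, because the decoded form has lost the information the signature was computed over.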

Vulnerabilities mitigated

  • PHX-3707 - VULN: Blast-RADIUS - CVE-2024-3596. All RADIUS interactions (both as client and server) will now add Message-Authenticator to their packets. You may also enforce whether incoming requests/responses need to contain Message-Authenticator. Read more here.
  • PHX-3794 - VULN: CVE-2024-8391. Update vert.x from 4.5.7 to 4.5.10 to mitigate vulnerability CVE-2024-8391.
  • PHX-3823 - VULN: CVE-2024-7254. Update protobuf-java to version 4.28.2 to mitigate vulnerability CVE-2024-7254.
  • PHX-3854 - VULN: CVE-2024-47554. Update commons-io and velocity-engine-core to mitigate vulnerability CVE-2024-47554.
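For PHX-3707, the mitigation is the Message-Authenticator attribute (RFC 2869 §5.14): an HMAC-MD5 over the whole packet under the shared secret, which an on-path attacker cannot forge even though the Response Authenticator's plain MD5 can be collided. The following added example (not PAS's RADIUS code) builds Access-Request and Access-Accept packets carrying a correct Message-Authenticator and implements the enforcing check the notes describe, where a packet without the attribute is rejected rather than accepted on the old Response Authenticator alone. The shared secret, identifier and User-Name are constructed; HMAC-MD5 is what the RFC mandates here, not a choice.

```python
import hashlib
import hmac
import os
import struct
from typing import List, Optional

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_MESSAGE_AUTHENTICATOR = 1, 80
SHARED_SECRET = b"constructed-shared-secret"   # constructed; use a long random secret in practice


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS TLV: type, total length (including these 2 octets), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code: int, identifier: int, request_authenticator: bytes,
                 attributes: List[bytes], secret: bytes) -> bytes:
    """Assemble a packet carrying a correct Message-Authenticator (RFC 2869 §5.14).
    The HMAC-MD5 covers the whole packet with the Message-Authenticator value zeroed.
    For responses the Authenticator field inside that HMAC is the *Request* Authenticator
    (RFC 3579 §3.2); the Response Authenticator is computed afterwards (RFC 2865 §3)."""
    attrs = b"".join(attributes) + attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    mac = hmac.new(secret, header + request_authenticator + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac        # Message-Authenticator was appended last
    if code == ACCESS_REQUEST:
        return header + request_authenticator + attrs
    response_authenticator = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_authenticator + attrs


def legacy_request(identifier: int, request_authenticator: bytes, attributes: List[bytes]) -> bytes:
    """What a pre-fix client sends: no Message-Authenticator at all."""
    attrs = b"".join(attributes)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_authenticator + attrs


def parse_attributes(packet: bytes):
    """Yield (type, offset, value) per attribute; reject truncated or zero-length TLVs."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        yield attr_type, pos, packet[pos + 2:pos + length]
        pos += length


def verify_message_authenticator(packet: bytes, secret: bytes,
                                 request_authenticator: Optional[bytes] = None) -> bool:
    """Enforcing check: True only if exactly one well-formed Message-Authenticator is present
    and matches. A packet without one is rejected, which is what closes the Blast-RADIUS forgery.
    For responses the caller must supply the Request Authenticator of the matching request."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    code = packet[0]
    authenticator = packet[4:20] if code == ACCESS_REQUEST else request_authenticator
    if authenticator is None:
        return False
    try:
        found = [(pos, v) for t, pos, v in parse_attributes(packet) if t == ATTR_MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False
    if len(found) != 1 or len(found[0][1]) != 16:
        return False
    pos, received = found[0]
    zeroed = packet[:4] + authenticator + packet[20:pos + 2] + bytes(16) + packet[pos + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def new_request_authenticator() -> bytes:
    """Access-Request Authenticator: 16 unpredictable octets (RFC 2865 §3)."""
    return os.urandom(16)


if __name__ == "__main__":
    ra = new_request_authenticator()
    req = build_packet(ACCESS_REQUEST, 7, ra, [attribute(ATTR_USER_NAME, b"alice")], SHARED_SECRET)
    resp = build_packet(ACCESS_ACCEPT, 7, ra, [], SHARED_SECRET)
    print("request ok:", verify_message_authenticator(req, SHARED_SECRET))
    print("response ok:", verify_message_authenticator(resp, SHARED_SECRET, ra))
    print("legacy request rejected:", not verify_message_authenticator(
        legacy_request(7, ra, [attribute(ATTR_USER_NAME, b"alice")]), SHARED_SECRET))
```

The enforcement switch the release notes mention matters on both sides: a client that requires Message-Authenticator on Access-Accept/Reject/Challenge is the one actually protected against a forged response, while a server requiring it on requests protects only against forged requests. Turn it on for responses first, once every peer is known to send the attribute.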