5.1.4

In PAS 5.1.4 we introduce not only multiple improvements and bugfixes building upon the new features released in 5.1.3, but several new major features as well:

  • Backend support for the soon-to-be-released OneTouch v2.0
  • Built-in reCAPTCHA v3 support
  • A new authenticator for delegating authentication to another device via a QR code
  • Performance and under the hood improvements (new JS engine, and more)
  • Multiple SAML improvements (new configuration parameters, an improved transition guide)
  • Multiple OIDC / OAuth improvements
  • Pipe import/export tool

We have also updated our heap size recommendation, as well as the default heap size, to 4GB. Read more about hardware recommendations here, and how to configure memory usage here.

OneTouch v2.0

We are getting ready to release our new version of the OneTouch mobile app, which brings numerous improvements to the UI/UX of the app, its security, and its configurability. The main differences are experienced in the mobile app, but the configuration in the PAS backend is slightly different. See the OneTouch v2 upgrade guide for instructions on how to enable it. Unless specifically configured otherwise, your OneTouch will continue to work as before the upgrade.

reCAPTCHA v3

A requested feature in our new authenticator frontend from version 5.1.3 is the support of reCAPTCHA v3, and this is one of the new features available in DynamicAuthenticator. A great thing about v3 is that it does not require any specific user interaction (no selecting boxes in an image or similar), so you can include this in your login flows without interrupting the user experience too much. You may include it either together with input elements, or completely standalone as a part of your authentication sequence. Read more on how reCAPTCHA v3 works here, and how to configure it in PAS here.

New authenticator -- RelayAuthenticator

An entirely new authenticator is available in PAS 5.1.4 -- the RelayAuthenticator. Its purpose is to delegate the authentication to another device via a QR code, which makes it suitable for devices with limited input, such as kiosks. Its flow is simple: you configure which authenticator should be used for the subsequent authentication, and upon login the user is met with a QR code and texts explaining what they need to do. Before the scanning device is met with the second authenticator, it needs to verify its intent by entering a two-digit code, which is displayed in place of the QR code once it has been scanned.

The RelayAuthenticator will reuse active SSO Groups on the scanning device so you may easily just keep a single device which you use to SSO onto other services seamlessly. If you wish to enable a QR-based login method like BankID or OneTouch but use other authentication methods that do not explicitly offer a QR-solution, this is the authenticator for you.

Under the hood improvements

We are continuously making under the hood improvements to PAS to enhance its performance and resolve technical debt. In PAS 5.1.4 we are taking a big step in this category by replacing the Nashorn JavaScript engine that comes with Java 11. We have opted to replace it with GraalVM's JS engine, and we see a noticeable performance increase. With this change, our measured server startup times were reduced by about 25%, and individual requests in the config GUI had their response times reduced by up to 40%.

In addition to replacing the JS engine, we are also in the process of improving some other technical debt allowing for more new features in e.g. SAML, as seen below.

New SAML Features

In PAS 5.1.2 we introduced AssertionProfiles as a more natural fit with the new agnostic authenticators. The AssertionProvider valve can still be used instead of AssertionProfiles, but it is much more limited in terms of functionality. Going forward, Assertion Profiles will be the way to utilize the new SAML features we introduce. Version 5.1.4 has several improvements to Assertion Profiles; you may now also configure:

  • Which Keystore ID should be used for signatures
  • Which signature algorithm should be used
  • Attribute NameFormat
  • If an attribute should be scoped or not

You can read more about the new possible configuration parameters here.

We have also introduced a new feature that enables an easier transition from the legacy SAML IdPs to the new ones, particularly when you want to consolidate a configuration with several legacy SAML IdPs into a single new IdP. You can read more on how to do this here.

New OIDC / OAuth Features

You may now add the grant type client_credentials to grant_types_supported in your OpenID Provider (OP) configuration. This grant type is an OAuth flow that grants allowed RPs an access token for the desired scope. Unlike the other grant types, it does not give access to the OIDC userinfo endpoint, as it is not an OIDC flow. It can however be used in combination with either the "Access Token as JWT" feature or the token introspection feature to give an RP access to a third party API where the third party trusts PAS access tokens.

In combination with this we are adding more granular permissions to OIDC / OAuth Relying Parties (RPs). You may now configure allowed_scopes and allow_client_credentials_grant_type on your RPs to control permissions better. We are also adding a completely customizable way to authorize clients in OIDC / OAuth by executing a "client authorization pipe". This way you may define your own access rules (like "Enforce PKCE for RP X if auth method Y is used") and have them entirely under your control. Read more on how to do that here.
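The following is an added illustration, not PAS code, of how the per-RP permissions described above fit together on the authorization server side: an RP record carrying allowed_scopes and allow_client_credentials_grant_type, a token request, and a pluggable rule in the spirit of the "client authorization pipe" (the PKCE rule mirrors the example in the text). The RP records, requests, rule signature and the `openid`-stripping behaviour for client_credentials are assumptions made for the example; the RP names and scopes are constructed sample data.

```python
"""Model of per-RP OAuth authorization checks (added example, not PAS code)."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional, Sequence

SUPPORTED_GRANT_TYPES = frozenset({"authorization_code", "refresh_token", "client_credentials"})


@dataclass(frozen=True)
class RelyingParty:
    """Hypothetical RP record; field names follow the config parameters named in the text."""
    client_id: str
    allowed_scopes: FrozenSet[str]
    allow_client_credentials_grant_type: bool = False


@dataclass(frozen=True)
class TokenRequest:
    """Hypothetical token-endpoint request, already authenticated as `client_id`."""
    client_id: str
    grant_type: str
    scope: str            # space-separated, as on the wire
    auth_method: str      # e.g. "client_secret_basic" or "none" (public client)
    pkce: bool = False    # True if the preceding authorization request carried a code_challenge


@dataclass(frozen=True)
class Decision:
    granted: bool
    scopes: FrozenSet[str] = frozenset()   # scopes actually issued
    dropped: FrozenSet[str] = frozenset()  # requested but refused (worth logging)
    reason: str = ""


# A rule returns None to allow, or a string explaining the refusal.
Rule = Callable[[RelyingParty, TokenRequest], Optional[str]]


def require_pkce(client_id: str, auth_method: str) -> Rule:
    """Rule: 'Enforce PKCE for RP X if auth method Y is used' (assumed rule shape)."""
    def rule(rp: RelyingParty, req: TokenRequest) -> Optional[str]:
        if (rp.client_id == client_id and req.auth_method == auth_method
                and req.grant_type == "authorization_code" and not req.pkce):
            return f"PKCE required for {client_id} when auth method is {auth_method}"
        return None
    return rule


def authorize(rp: RelyingParty, req: TokenRequest, rules: Sequence[Rule] = ()) -> Decision:
    """Decide whether to issue a token and with which scopes.

    Order matters: grant-type permission first, then custom rules, then scope
    narrowing, so a disallowed grant never reaches scope evaluation.
    """
    if req.grant_type not in SUPPORTED_GRANT_TYPES:
        return Decision(False, reason=f"unsupported grant_type {req.grant_type!r}")
    if req.grant_type == "client_credentials" and not rp.allow_client_credentials_grant_type:
        return Decision(False, reason="client_credentials not enabled for this RP")
    for rule in rules:
        err = rule(rp, req)
        if err:
            return Decision(False, reason=err)

    requested = frozenset(req.scope.split())
    candidate = requested
    if req.grant_type == "client_credentials":
        # Assumption for the example: not an OIDC flow, so no identity scope is issued.
        candidate = candidate - {"openid"}
    granted = candidate & rp.allowed_scopes
    dropped = requested - granted
    if not granted:
        return Decision(False, dropped=dropped, reason="no permitted scope requested")
    return Decision(True, granted, dropped)


# Constructed sample RPs and rule set.
API_RP = RelyingParty("api-client", frozenset({"inventory.read", "inventory.write"}),
                      allow_client_credentials_grant_type=True)
WEB_RP = RelyingParty("kiosk-web", frozenset({"openid", "profile"}))
RULES = [require_pkce("kiosk-web", "none")]


if __name__ == "__main__":
    samples = [
        (API_RP, TokenRequest("api-client", "client_credentials", "openid inventory.read admin", "client_secret_basic")),
        (WEB_RP, TokenRequest("kiosk-web", "client_credentials", "openid", "none")),
        (WEB_RP, TokenRequest("kiosk-web", "authorization_code", "openid profile", "none", pkce=False)),
        (WEB_RP, TokenRequest("kiosk-web", "authorization_code", "openid profile", "none", pkce=True)),
    ]
    for rp, req in samples:
        print(rp.client_id, req.grant_type, authorize(rp, req, RULES))
```

The `dropped` set is kept in the decision deliberately: an RP repeatedly asking for scopes it was never granted is a configuration drift or misuse signal that is easy to alert on if it is logged rather than silently narrowed away.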

Pipe import/export tool

The Pipe view in the configuration GUI now has tools for exporting and importing pipes. This can be used to easily take a pipe from one environment to another without having to manually dig around in the valve configurations at all.

Improvements

  • PHX-4001 - Make LDAPModifyValve non-blocking and asynchronous. LDAPModifyValve will now run in an asynchronous and non-blocking way, improving performance and responsiveness.
  • PHX-3976 - RelyingPartyID config parameter is missing from FrejaAuthenticator. Added relyingPartyId as a config parameter for FrejaAuthenticator.
  • PHX-3971 - Make it possible to opt in to SAML SLO Standard instead of having it as default. The default behavior since 5.1.3 has been changed: you may now opt in to global SAML SLO instead of simply logging out at the requesting SP. Read more here.
  • PHX-3969 - Control logo size in theme. You may now control your logo size in theme.json, read more here.
  • PHX-3968 - Set domain for session cookie. Added the ability to set the domain property on cookies, optionally grouping them by parent domain(s), in order to aid e.g. scenarios with optional mTLS authentication. Read more here.
  • PHX-3962 - Allow multiple SSO states per SSO Group. Multiple SSO States are now supported so that you may have several different flows at the same IDP which can separately keep an SSO state.
  • PHX-3961 - Allow more custom control of SSO flows. A config parameter called "metaAttributes" has been added to authenticators, which sets attributes upon successful authentication. These attributes may then be used in subsequent authentications via the context API, which allows finer control of SSO flows. Read more here.
  • PHX-3952 - Make it possible to use wildcard in JsonMapFileInputValve. You may now use wildcard searches in JsonMapFileInputValve. Read more here.
  • PHX-3947 - Allow/deny scope for specific RP. You may now configure allowed_scopes on OIDC RPs. Read more above.
  • PHX-3945 - Scope should be expandable in RPBroker. Scope is now an expandable attribute in RPBroker.
  • PHX-3929 - Remake internal authentication for PRISM modules. The configuration pattern for internal authentication has been improved. Read more on how to configure it here.
  • PHX-3914 - Generic logout endpoint still uses old logout template. The new logout view is now used instead of the old one.
  • PHX-3904 - Add readonly and preset value to inputElements for DynamicAuthenticator. Input elements in DynamicAuthenticator may now have preset values and readonly status if desired, read more here.
  • PHX-3900 - Improve standard texts in new auth frontend. Changed some standard texts to be more appropriate for the end user audience.
  • PHX-3885 - New authenticator, delegated through QR-code. Added RelayAuthenticator, described above.
  • PHX-3876 - New valve to sort items. Added new valve: SortItemsValve which may be used to sort items based on one or several attributes, or by custom expression. Read more here.
  • PHX-3868 - Make it possible to configure localizationKey from the GUI. Added configuration option in the GUI for localizationKey for select authenticators.
  • PHX-3866 - Labels are hard to see in dark mode when focused. Improved the visibility of focused labels in dark mode in the new authenticator front end.
  • PHX-3865 - Autofocus fields in new authenticator front end. Added autofocus where appropriate.
  • PHX-3863 - Auth frontend: add more icons. Added 4 more icons; see the full list of available icons here.
  • PHX-3847 - Show a detailed error view when unsolicited SAML is not supported. SAML IdP will now show a detailed error view when no SAML Request is present at the login endpoint, and unsolicited SAML is unsupported by the IdP.
  • PHX-3844 - Support OneTouch v2.0. Described in detail above.
  • PHX-3836 - Make it possible to configure assertion profiles from GUI. Config GUI now supports configuration of assertion profiles.
  • PHX-3835 - Make it possible to configure claims on OIDC OP from GUI. Config GUI now supports configuration of scopes and claims, with automatic updates to the supported claims/scopes in the discovery document.
  • PHX-3824 - Add the possibility to migrate many IdPs to one. Described in more detail here.
  • PHX-3812 - Improve logout handling from password self service. Now added option for both automatic logout and a central logout button in password self service. Read more here.
  • PHX-3748 - Add support for reCAPTCHA in new auth frontend. Read more above.
  • PHX-3743 - Implement export/import for pipes. Read more above.
  • PHX-3724 - Improve handling of CRL in CertificateValidatorValve. An error log is now present if CRL verification fails, and if there is an error in fetching the CRL a one minute cache is used to see if the problem resolves itself, before failing completely.
  • PHX-3593 - Add support for OAuth client credential flow in new OpenID Provider. Read more above.
  • PHX-3548 - Add support for multiple audienceRestriction. You may now use multiple audienceRestrictions in SAML when using assertion profiles by configuring them comma-separated.
  • PHX-3434 - Set signature algorithm per assertion profile. Read more above.
  • PHX-3395 - Change JavaScript engine from Nashorn to GraalVM. Read more above.

Bug fixes

  • PHX-3986 - Problems launching BankID for some users. Resolved an issue where auto opening of BankID on the same device would cause errors for some users. This may be due to deep link settings enforced by Apple and iOS. Users will now be prompted to click a button to open BankID or mobile apps on the same device. Also resolved an issue where BankID would not launch on Android for other browsers than Chrome.
  • PHX-3982 - SAML Logout fails if there are no SingleLogoutService in metadata. Resolved an issue where PAS would attempt to send a LogoutRequest to SPs without support for SLO.
  • PHX-3964 - Not possible to change the default error on headless dynamic auth. Resolved an issue where the correct error code was sometimes not shown when using a headless dynamic authenticator.
  • PHX-3963 - No back button if headless dynamic auth fails. Resolved an issue where the back button was sometimes not visible when using a headless dynamic authenticator.
  • PHX-3951 - HSMStore.java returns exception for working alias. Resolved an issue where metrics would cause errors when trying to read certificates from a HSM.
  • PHX-3940 - AssertionProfiles crash if multi property. Resolved an issue where Assertion Profiles would crash if a property had multiple values. Will now work as AssertionProvider valve does.
  • PHX-3907 - New Auth frontend: No default error message. Resolved an issue where no default error message would be shown in the error view.
  • PHX-3902 - AssertionProfiles crash if attribute is not present. Resolved an issue where Assertion Profiles would crash if an attribute was not present in the item. The property is now simply ignored.
  • PHX-3888 - MFA flows from guides have no localizationKeys. Resolved an issue where MFA sequences from guides would not have any localizationKeys. Will now use localizationKeys based on the MFA method selected.
  • PHX-3887 - Prometheus HTTP connection is dependent on other modules using the connection. Resolved an issue where the Prometheus Metrics would not start its own HTTP Server if it was the only one configured to use a specific HTTP Configuration.
  • PHX-3881 - QR code for SITHs eID is not working. Resolved an issue where the QR code for the SITHs eID authenticator would be incorrect.
  • PHX-3879 - Automatic return_url includes query parameters causing restart of login state. Resolved an issue where mobile authenticators using a return url property would restart a login state when using SAML redirect binding or OIDC when returning from a same-device authentication.
  • PHX-3875 - New frontend is not working in internet explorer. The new auth frontend uses modern JavaScript and is thus not compatible with IE11 and very old embedded browsers. This is now solved via a relayed login, like the QR code authenticator described above, so that old browsers may still authenticate, albeit via a different browser acting as a relay.
  • PHX-3872 - Default font for new auth frontend is not available in firefox. Resolved an issue where the default font was not available for firefox.
  • PHX-3869 - Logout from Office365 via SAML SLO does not work. Resolved an issue where SAML SLO flow would require the session cookie to be present, causing iframe based logouts to fail. Will now resolve session from a valid SLO request, if present.
  • PHX-3864 - ssoGroupId bug with OIDC in 5.1.3. Resolved an issue where ssoGroupId would have to be configured in two places to work for OIDC in 5.1.3.
  • PHX-3853 - Problem signing fillable PDFs. Resolved an issue where an OutOfBoundsException could be triggered on fillable PDFs and some other types of PDFs causing the PDF to be unsignable.
  • PHX-3806 - Wrong default hazelcast version in cluster.xml. Resolved an issue where cluster.xml had the wrong default version for hazelcast.
  • PHX-3642 - SAML metadata disappeared when upgrading. Resolved an issue where configuration could, in rare cases, disappear when upgrading.

Vulnerabilities mitigated

  • PHX-3960 - Vulnerability in dependency ipaddress (5.3.3 => 5.5.0). Vulnerability with ID CVE-2023-50570 has been mitigated with this dependency upgrade.