5.1.0

Overview

We are happy to announce the new PAS 5.1.0, which introduces several important improvements and bug fixes, listed below.

This is the first large feature upgrade after the 5.0 technical upgrade at the end of 2023. The new 5.1.0 version will be drastically easier to configure for administrators, due to much more built-in support for the SAML and OIDC protocols and enhanced guides.

  1. New Authenticator architecture - with clear separation of protocols versus authentication methods, and new simplified configuration guides to support easier and faster configuration.
  2. OpenID Connect enhancements - significantly more OIDC functionality is now available "out-of-the-box" in code instead of via manual configuration. Also some new OIDC support not previously possible, e.g. Hybrid Flow support.
  3. Enable "Sign" transactions in BankID and Freja eID.
  4. Other minor improvements
  5. Defects fixed (see list below)

Important notes regarding new Authenticator architecture

We recommend using the new Authenticators for all new implementations.

Customers and partners who are already using the legacy Authenticators can continue to use these, but are advised to gradually transition configurations to the new authenticators whenever suitable or possible.

Please read the introduction to the new authentication architecture to get more familiar with the new solution.

Full list of improvements

New Authenticator architecture

(General documentation: Introduction to the new authentication architecture)

  • PHX-3027 Simplify use of single/common SAML IDP
  • PHX-3177 Add protocol agnostic authenticator for OneTouch
  • PHX-3178 Add protocol agnostic authenticator for Freja eID
  • PHX-3179 Add OpenID Connect back channel logout
  • PHX-3192 Generic Authenticator to replace all "text entry authenticators" (more info: DynamicAuthenticator)
  • PHX-3194 Implement SAML Entrypoint+resultbuilder
  • PHX-3249 OIDC Rewrite: Add "headless" authenticator (more info: DynamicAuthenticator)
  • PHX-3283 Legacy tab in configuration manager for deprecated guides
  • PHX-3287 Add SP Broker as protocol agnostic authenticator (more info: SPBroker)
  • PHX-3290 AgnosticRequestAuthenticator to replace all "http request" authenticators (more info: DynamicAuthenticator)
  • PHX-3306 OIDC Rewrite: Custom state field for authenticators internal state
  • PHX-3308 Utilize internal authenticator state in new authenticators
  • PHX-3338 Implement PersistedAuthenticationAttributes (multitenant SSO and consent)
  • PHX-3347 Shared items for authenticator pipes in SequenceAuthenticator (more info: SequenceAuthenticator)
  • PHX-3348 Build AssignmentAgnostic authenticator for OneTouch with a fix username (more info: AssignmentAgnostic)
  • PHX-3366 Improve logging for protocol agnostic authenticators
  • PHX-3367 Improve error handling in protocol agnostic authenticators
  • PHX-3370 Refactor AgnosticAuthSelector and update configuration (more info: AgnosticAuthSelector)
  • PHX-3436 Let AgnosticDispatcher look at item attributes if used within SequenceAuthenticator (more info: AgnosticDispatcher)
  • PHX-3441 Redo configuration scheme for internal authentication in new architecture

OpenID Connect enhancements

OpenID Provider

  • PHX-3044 Add proper support for post_logout_redirect_uri in OIDC RP initiated logout.
  • PHX-3055 OIDC: Move functionality from pipes to authenticator(s)
  • PHX-3174 Core rewrite of OpenID Connect, new architecture, protocol agnostic authenticators
  • PHX-3175 OpenID Client authentication via client_secret_jwt
  • PHX-3176 OpenID Client authentication via private_key_jwt
  • PHX-3180 Implement OIDC Implicit flow
  • PHX-3181 Implement OIDC Hybrid flow
  • PHX-3182 Remake OIDC guides in the Configuration Manager
  • PHX-3267 Add possibility to bind session alias to a specific TTL, and implement token lifetimes this way
  • PHX-3364 Add support for "id_token_hint" in OIDC RP initiated logout
  • PHX-3365 Trigger an OIDC Back channel logout when RP initiates a logout

Enable "Sign" transactions in BankID and Freja eID

Documentation: BankID and Freja eID

Other minor improvements

  • PHX-3309 Logging: Base class written out instead of implementation, makes logs hard to interpret
  • PHX-3337 FileTimeGeneratorValve, src does not support property expansion (config documentation here)
  • PHX-3415 Signing the Windows executables using Digicert One (Cloud) instead of using p12 certificate
  • PHX-3430 Add -XX:-OmitStackTraceInFastThrow to vmoptions (avoid empty stacktraces in logs)

Fixed defects

  • PHX-3314 Sessions/traceid mixed in logs

    TraceIDs in logs are sometimes mixed between sessions. Issue resolved

  • PHX-3316 Redirect URI should not require port component for loopback redirects

    Fix for adhering to the OAuth 2.0 specification (the port number should not be required in the registered URI for loopback redirects)

  • PHX-3359 Myapps favicon is overwritten

    The favicon for myapps is not the one stated in the mods overlay. Issue resolved

  • PHX-3368 Incorrect icon after new installation is completed

    During the installation process an old PhenixID logo is shown. Issue resolved

  • PHX-3390 Missing dependency: com.verisec:RelyingPartyApiClient causes FrejaEIDAuthenticatorSAML not to work

    The jar file RelyingPartyApiClient.jar is missing in the installation. Issue resolved

  • PHX-3393 OWASP: nimbus-jose-jwt-9.31.jar: CVE-2023-52428(7.5)

    Vulnerability CVE-2023-52428 identified. Issue resolved

  • PHX-3420 SAML2SithsEID authenticator NullPointerException

    SAML2SithsEID crashes when using SITHS EID in PAS 5.x. Issue resolved

  • PHX-3421 OWASP: postgresql-42.6.0.jar: CVE-2024-1597(10.0)

    Vulnerability CVE-2024-1597 identified. Issue resolved

  • PHX-3428 Slow or hanging HTTP client at reconf

    The HTTP client sometimes hangs after reconf. Issue resolved

  • PHX-3475 BankID: QR-codes go out of sync

    The animated QR code could get out of sync if waiting too long. Issue resolved

  • PHX-3484 Freja does not do an app switch after approval

    After successful Freja eID identification, the phone doesn't switch back to the app that initiated the authorization. Issue resolved

  • PHX-3487 DestinationServiceName is being logged wrong in new authenticators

    The log contains the IdP name instead of the SP name, and the OIDC OP instead of the RP. Issue resolved
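The loopback rule behind PHX-3316 above is worth seeing as code, since redirect URI validation is the check that keeps an authorization code from being delivered to an attacker-controlled endpoint. The following is an added illustration, not PAS code: a redirect URI matcher that applies the exact string comparison of RFC 6749 section 3.1.2.3 to every registered URI, except that for loopback IP literals (RFC 8252 section 7.3) the port component is allowed to differ while scheme, host, path and query must still match. The function name and the decision to treat only the IP literals 127.0.0.1 and ::1 (not the hostname localhost) as loopback are assumptions of this example.

```python
from urllib.parse import urlsplit

# Loopback IP literals for which RFC 8252 section 7.3 says the
# authorization server MUST allow any port at request time.
# "localhost" is deliberately left out (RFC 8252 section 8.3 calls it
# NOT RECOMMENDED); widening this set is a policy decision.
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def _is_loopback(parts) -> bool:
    """True when a split URI is an http loopback redirect URI."""
    return parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS


def redirect_uri_allowed(registered: str, presented: str) -> bool:
    """Decide whether `presented` may be used for a client that registered
    `registered`. Exact match everywhere, except that the port of a loopback
    redirect URI is ignored.

    Hypothetical helper written for this example, not a PAS API."""
    reg = urlsplit(registered)
    pre = urlsplit(presented)

    if _is_loopback(reg):
        # Port may vary; everything else must be identical. Comparing
        # hostname (not netloc) also defeats userinfo tricks such as
        # http://127.0.0.1@attacker.example/... because hostname is the
        # part after the '@'.
        return (
            pre.scheme == reg.scheme
            and pre.hostname == reg.hostname
            and pre.path == reg.path
            and pre.query == reg.query
            and pre.fragment == reg.fragment
        )

    # Non-loopback URIs: simple string comparison, no normalisation,
    # no prefix matching, no port leniency.
    return registered == presented


if __name__ == "__main__":
    # Constructed sample pairs (registered, presented, expected).
    samples = [
        ("http://127.0.0.1/callback", "http://127.0.0.1:49152/callback", True),
        ("http://[::1]/cb", "http://[::1]:5000/cb", True),
        ("http://127.0.0.1/callback", "http://127.0.0.1:49152/other", False),
        ("https://app.example.com/cb", "https://app.example.com:8443/cb", False),
    ]
    for reg, pre, expected in samples:
        print(f"{pre!r} against {reg!r}: {redirect_uri_allowed(reg, pre)} (expected {expected})")
```

The asymmetry is intentional: leniency is granted only when the registered URI is a loopback literal, so a client registered with a public https URI never gains port flexibility, and a presented URI that merely contains 127.0.0.1 somewhere (for example in the userinfo part) is still rejected.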