5.1.1
This is a minor release, mainly building upon the major improvements made in version 5.1.0.
Improvements
PHX-3345 Improve the EVT_10032 (token revoked) log to show more information about why the token was revoked
When a OneTouch profile was deleted, the event log did not show who revoked the token or how. The event now includes the destination user name, source user name and source service name.
PHX-3394 Docker logging: JSON to stdout
Added an option to switch logging from file output to JSON on stdout.
PHX-3431 LDAP-connections: add support for round robin
Previously, when multiple LDAP connections were configured, all connections other than the first were used only for failover. Load balancing across them via round robin is now performed by default. A new config parameter has been added to the LDAP Connection store entity:
"load_balance": "true/false" (default "true")
Because the default is "true", upgrading changes behaviour: requests that used to go to the first server are now spread across all configured servers, so every configured server must serve the same directory data. Set "load_balance" to "false" to keep the previous failover-only behaviour.
PHX-3444 Add property to PADESSignVisibleSignatureValve to control fail behavior
By default the valve fails if a visible signature cannot be applied. A new parameter makes it apply a non-visible signature instead when a visible one cannot be added:
"requireVisualSignature": "true/false" (default "true")
PHX-3446 Add support for parameter expansion in authenticator config
Some authenticators (mainly those providing broker functionality) require dynamic configuration. For example, SP Broker may need to send a RequestedAuthenticationContext that depends on the context of the initial authentication request. SPBroker, RPBroker and AssignmentAgnostic now support dynamic parameters. The syntax is the same as for valve parameter expansion:
"configParam": "{{request.someParam}}"
Since "request.*" values originate from the client, a parameter that is expanded into a security-relevant setting (such as the requested authentication context) should be validated against the set of values you intend to allow rather than passed through verbatim. Example documentation can be found in e.g. SPBroker.
PHX-3451 Enable signature assignments in OneTouch authenticators
As a continuation of the "sign-enabled" authenticators introduced in 5.1.0, AssignmentAgnostic and AnonymousAssignmentAgnostic now perform signature assignments when they are part of a flow in which a SAML SignMessage is present. Both have a new parameter pointing to the JSON template used for the assignment: "signature_template_name" for AnonymousAssignmentAgnostic and "signTemplate" for AssignmentAgnostic.
PHX-3452 Add optional pipe to AssignmentAgnostic
Since valves often need to run after AssignmentAgnostic, e.g. in a step-up scenario, an optional pipe has been added. New config parameter: "pipeID".
PHX-3456 Create new endpoint in PRISM fedsigning app
The module phenix-prism-fedsigning can now handle remote signing via two new configuration parameters: "create_dss_pipe" and "parse_dss_pipe".
PHX-3457 PipeExecutorValve should accept pipes array
PipeExecutorValve has a new configuration parameter, "pipes", in which pipes are listed together with expressions (similarly to the Dispatch authenticator); the first pipe whose expression matches is run.
PHX-3502 Improve NiasAuth to send extended certificate information as SAMLNias does
PHX-3516 RequestIssuer from context missing in pipes
Context-specific values such as "requestIssuer" that are available in AgnosticDispatcher are now available in authenticator and IdP pipes too, via
"request.contextrequestissuer", "request.contextprotocol" etc. For the full list of available context values, see the AgnosticDispatcher configuration.
PHX-3530 Make protocol agnostic authenticator for NiAS
PHX-3533 Make protocol agnostic authenticator for SITHs eID
PHX-3540 Make protocol agnostic authenticator for FIDO2
PHX-3587 Preserve queryparams in logout NextTarget
When an OIDC flow uses an SP Broker directed at legacy SAML authenticators, it is necessary to log out at both the /authentication path and the /saml path. To allow this in combination with OIDC parameters such as post_logout_redirect_uri and id_token_hint, an option has been added to the authentication module configuration that preserves query parameters when navigating to nextTarget. It is configured on the authentication module config (in boot.json):
"logoutNextTargetPreserveQueryParams": "true/false" (default "false")
Defect fixes
PHX-3432 PostUidAndPasswordSAML is missing default login.message.information.title/header/body.
Strings added to default translations.
PHX-3479 Personnummer exposed in the URL for the NIAS authenticator.
The request containing the PNR is now sent as a POST body instead of a GET query string, so the personnummer no longer ends up in browser history, Referer headers or web-server and proxy access logs. Access logs written before the upgrade may still contain PNRs and should be handled accordingly.
PHX-3485 External SAML metadata can disappear on rare occasions (Part 1)
Occasionally upon reconfiguration not all SAML metadata would be updated.
PHX-3490 External SAML metadata can disappear on rare occasions (Part 2)
PHX-3492 LDAP connections can leak upon reconfiguration
LDAP connection pools were not closed explicitly when a module was undeployed, so connections leaked on every reconfiguration.
PHX-3494 SAML SP cannot handle inbound Redirect-binding for deflated requests
When receiving a SAMLResponse over the Redirect binding, where the message is DEFLATE-compressed and base64-encoded before being URL-encoded into the query string, the SAML SP could not decode the response correctly.
PHX-3495 SAML "Sign Assertion" configuration parameter only works on outbound POST binding, not on Redirect
When the target of the SAMLResponse only has a Redirect binding available, the "sign assertion" configuration parameter would not result in a signed assertion.
PHX-3496 SAML SP will not verify detached signatures
When receiving a SAMLResponse over the Redirect binding, the signature is detached from the XML and carried in the SigAlg and Signature query parameters. The SAML SP did not verify this detached signature, so the integrity of responses received over that binding was not checked.
PHX-3497 SAML IdP will return invalid signature if returning SAMLResponse over Redirect-binding
When returning a SAMLResponse with a detached signature over the Redirect binding, the produced signature was invalid and did not verify at the receiver.
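The Redirect-binding mechanics behind PHX-3494, PHX-3496 and PHX-3497, as an added worked example in Python. This is not the product's own code: the endpoint URL, the sample SAMLResponse and the HMAC-based stand-in signer are constructed for the example (a real IdP signs with its RSA key and the SP verifies with the certificate from metadata; the byte string handed to the signer is what the example is about).

```python
"""Added example (not the product's code): SAML 2.0 HTTP-Redirect binding with a
detached signature, i.e. the area covered by PHX-3494, PHX-3496 and PHX-3497."""
import base64
import hashlib
import hmac
import zlib
from urllib.parse import quote, unquote, urlsplit

# Signature algorithm identifier carried in the SigAlg query parameter.
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample message; a real SAMLResponse is several kilobytes of XML.
SAMPLE_RESPONSE = (
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_example" Version="2.0"><samlp:Status><samlp:StatusCode '
    b'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status></samlp:Response>'
)


def deflate_b64(xml: bytes) -> str:
    """Redirect-binding encoding: raw DEFLATE (no zlib header, wbits=-15), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(compressor.compress(xml) + compressor.flush()).decode("ascii")


def inflate_b64(value: str) -> bytes:
    """Inverse of deflate_b64. A reader that calls zlib.decompress() with the default
    wbits fails here with 'incorrect header check'; that is the shape of PHX-3494."""
    return zlib.decompress(base64.b64decode(value), -15)


def build_redirect_url(endpoint, param_name, xml, relay_state, sign):
    """Sender side. The detached signature covers the URL-encoded query string
    '<param>=...&RelayState=...&SigAlg=...' in exactly that order (RelayState only
    when present), not the XML. `sign` is a callable bytes -> signature bytes."""
    parts = [f"{param_name}={quote(deflate_b64(xml), safe='')}"]
    if relay_state is not None:
        parts.append(f"RelayState={quote(relay_state, safe='')}")
    parts.append(f"SigAlg={quote(RSA_SHA256, safe='')}")
    to_sign = "&".join(parts)
    sig_b64 = base64.b64encode(sign(to_sign.encode("ascii"))).decode("ascii")
    return f"{endpoint}?{to_sign}&Signature={quote(sig_b64, safe='')}"


def verify_redirect_url(url, param_name, verify):
    """Receiver side. Rebuild the signed octets from the raw, still URL-encoded query
    values so that the receiver's own encoding choices ('+' vs '%20', hex case)
    cannot change what is verified; only then inflate the message. Fails closed:
    unsigned or badly signed messages are rejected (cf. PHX-3496).
    `verify` is a callable (data, signature) -> bool."""
    raw = {}
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key in raw:
            raise ValueError(f"duplicate query parameter {key}")
        raw[key] = value                      # keep the encoded form; do not unquote yet
    for required in (param_name, "SigAlg", "Signature"):
        if required not in raw:
            raise ValueError(f"Redirect message missing {required}; refusing to process")
    if unquote(raw["SigAlg"]) != RSA_SHA256:
        raise ValueError("unsupported SigAlg")
    parts = [f"{param_name}={raw[param_name]}"]
    if "RelayState" in raw:
        parts.append(f"RelayState={raw['RelayState']}")
    parts.append(f"SigAlg={raw['SigAlg']}")
    signature = base64.b64decode(unquote(raw["Signature"]))
    if not verify("&".join(parts).encode("ascii"), signature):
        raise ValueError("detached signature does not verify")
    return inflate_b64(unquote(raw[param_name]))


# Stand-in signer so the example runs offline: HMAC-SHA256 under a constructed key.
# In production `sign`/`verify` wrap the IdP's RSA private key and the SP's copy of
# the IdP certificate; the bytes handed to them are the point of this example.
_DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def demo_sign(data: bytes) -> bytes:
    return hmac.new(_DEMO_KEY, data, hashlib.sha256).digest()


def demo_verify(data: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(demo_sign(data), signature)


if __name__ == "__main__":
    url = build_redirect_url("https://sp.example/saml/acs", "SAMLResponse",
                             SAMPLE_RESPONSE, "state 1/2", demo_sign)
    print(url)
    print(verify_redirect_url(url, "SAMLResponse", demo_verify) == SAMPLE_RESPONSE)
```

Two details are worth checking in any SAML implementation against this: the signed string must be built from the encoded values as they appear on the wire (re-encoding them differently on either side is exactly how an otherwise correct signature turns "invalid"), and a missing Signature parameter must be an error, not a reason to skip verification.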
PHX-3498 PAS can lose connection with MySQL, requiring a restart
A lost connection is now removed from the pool instead of being retained, so a restart is no longer needed to recover.
PHX-3501 SAMLNias breaks if forceReauthenticate is enabled
PHX-3521 The 5.1 version of OIDC has very little debug output
Since the token and userinfo endpoints are no longer routed via the pipe API, too little debug output reached the logs.
PHX-3544 BankID HintCode "userCallConfirm" is mapped to "Unknown" causing errors
PHX-3545 Vulnerabilities identified: CVE-2024-30172 (CVSS 7.5), CVE-2024-29857 (CVSS 7.5)
Both CVEs are denial-of-service issues in the Bouncy Castle Java cryptography library (Ed25519 signature verification and EC curve parameter handling, respectively). After upgrading, check that no older Bouncy Castle jars remain on the classpath alongside the ones shipped with this release.
PHX-3553 BankIDClient has an info-level log that should be on a debug level
PHX-3555 Legacy FIDO2 authenticators are stateless
The legacy FIDO2 authenticators were stateless, which could have left them open to replay of a captured assertion.
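As an added illustration of the class of issue named in PHX-3557 (not the product's code, and not a description of how its legacy authenticators were implemented): a WebAuthn/FIDO2 relying party that only checks the assertion signature accepts the same assertion again and again, while one that issues a random challenge, remembers it, and consumes it on first use rejects replays. The authenticator's ES256 signature is replaced by an HMAC stand-in under a constructed key so the example runs offline; the sample clientDataJSON and origin are constructed.

```python
"""Added example (not the product's code): stateless vs. stateful WebAuthn assertion
verification, showing why the stateless form is replayable."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Stand-in for the credential's private key (constructed; real authenticators sign
# with an ES256/RS256 key and the RP verifies with the registered public key).
_CRED_KEY = b"constructed-credential-key-not-a-real-secret"


def authenticator_sign(authenticator_data: bytes, client_data_json: bytes) -> bytes:
    """What the authenticator signs: authenticatorData || SHA-256(clientDataJSON)."""
    signed = authenticator_data + hashlib.sha256(client_data_json).digest()
    return hmac.new(_CRED_KEY, signed, hashlib.sha256).digest()


def signature_valid(authenticator_data: bytes, client_data_json: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(authenticator_sign(authenticator_data, client_data_json), signature)


def make_assertion(challenge: str) -> dict:
    """Constructed stand-in for the result of navigator.credentials.get()."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": "https://idp.example"}).encode("utf-8")
    authenticator_data = b"\x00" * 37   # rpIdHash || flags || signCount, placeholder bytes
    return {"authenticatorData": authenticator_data, "clientDataJSON": client_data,
            "signature": authenticator_sign(authenticator_data, client_data)}


class StatelessVerifier:
    """Keeps no record of issued challenges. The signature is genuine, so a captured
    assertion (or one built around any attacker-chosen challenge) verifies forever."""

    def verify(self, assertion: dict) -> bool:
        client_data = json.loads(assertion["clientDataJSON"])
        return (client_data.get("type") == "webauthn.get"
                and signature_valid(assertion["authenticatorData"],
                                    assertion["clientDataJSON"], assertion["signature"]))


class StatefulVerifier:
    """Issues a fresh random challenge per ceremony, stores it with a TTL, and
    consumes it on first use, so each assertion can be accepted at most once.
    A production RP additionally checks origin, rpIdHash, user-presence flag and
    that signCount has not gone backwards; those checks are omitted here."""

    def __init__(self, ttl_seconds: int = 120):
        self._pending = {}          # challenge -> expiry timestamp
        self._ttl = ttl_seconds

    def new_challenge(self) -> str:
        challenge = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
        self._pending[challenge] = time.time() + self._ttl
        return challenge

    def verify(self, assertion: dict) -> bool:
        client_data = json.loads(assertion["clientDataJSON"])
        expires = self._pending.pop(client_data.get("challenge"), None)   # single use
        if expires is None or time.time() > expires:
            return False            # unknown, already used, or expired challenge
        return (client_data.get("type") == "webauthn.get"
                and signature_valid(assertion["authenticatorData"],
                                    assertion["clientDataJSON"], assertion["signature"]))


if __name__ == "__main__":
    captured = make_assertion("whatever-the-attacker-likes")
    print("stateless accepts replay:", StatelessVerifier().verify(captured),
          StatelessVerifier().verify(captured))
    rp = StatefulVerifier()
    fresh = make_assertion(rp.new_challenge())
    print("stateful first use:", rp.verify(fresh), "replay:", rp.verify(fresh))
```

The state that matters is small (one random challenge per pending ceremony) but it has to live on the server, keyed to the session or ceremony that requested it, and it must be consumed atomically on first use; a verifier that derives the challenge from something the client controls, or keeps it only in the client's request, is stateless in the sense that matters here.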
PHX-3578 100-continue not handled, leaves client lingering
HTTP status 100 (Continue) was not handled by default, which left clients that sent Expect: 100-continue waiting for a response that never came.
PHX-3585 SPBroker / AssertionProvider "signMessage" cross contamination
Both the SPBroker and the AssertionProvider used the same pipe property, "signMessage", causing interference between AssertionConsumer and AssertionProvider.
PHX-3586 Userinfo endpoint in 5.1 OIDC does not return content-type
PHX-3598 Missing CEF dependency for authn
A JAR file was missing, causing issues in the authn module.
PHX-3603 HttpGetRequestValve crashes if there is no response body (http status 204)