6.0.0
PAS 6.0.0 is finally here! This new major release has significant improvements in performance, monitoring and analytics, and user experience. New larger features include:
- Upgrade Java version to 21
- Brand new audit log system
- New metrics and example dashboards
- New OneTouch enrollment portal
- New internal application guides
- Improved logout functionality / Smoother SP/RP-configuration
As always, make sure to read the upgrade notes before upgrading: Upgrade from older versions.
Java 21
When PAS 5.0 was released in late 2023, it significantly improved the performance of the software by upgrading from Java 8 to 11. We now continue that journey by upgrading to the latest Java LTS version, Java 21. This upgrade brings a notable performance boost and security updates, and it is an important step in the long-term maintenance of the software: it allows the latest versions of important dependencies to be used, thus mitigating vulnerabilities. In simple performance tests, we could see up to 40% reduction in server startup time and API response time.
New audit logs
PAS 6.0 also introduces a whole new implementation of audit logs, rich in detail and now included in many places where the previous implementation was lacking. Features of the new audit logs include:
- Automatic documentation of all audit logs and parameters
- Customizable pipe/valve logs with attributes of choice
- Consistent attribute presence (a log with name X will not exist in different forms)
- Many more attributes that allow detailed traceability
For more details, read the introduction article Audit logs / Event logs in PAS 6.0 and above.
Metrics improvements
In PAS 5.1.3 we introduced support for operations monitoring by exposing certain metrics that give you insight into the system's health. In PAS 6.0 we introduce a number of new metrics, as well as complete dashboards that work out of the box.
New metrics
New metrics have been added that measure the following:
- Successful / failed authenticator executions
- Successful authentications (SAML / OIDC / Internal)
- Pipe execution time
- Pipe congestion (active unfinished pipes, active unfinished total duration)
- License validity duration
Metrics dashboards / Recommended metrics
To easily get started with metrics, we now provide example dashboards that will visualize recommended metrics out of the box. All you need to do is download and run the file, enable PAS metrics, and you are up and running!
You can find more information about the dashboards and recommended metrics in the article Recommended metrics and visualization.
An example of some of the included visualizations is seen below:

New OneTouch enrollment portal
With the imminent release of the long-awaited OneTouch 2 app, we also introduce a new OneTouch enrollment portal, which offers a WCAG-compliant user interface, more configurability, and options to continue enrollment flows by redirecting the user elsewhere after profile installation. Both OneTouch 1 and 2 are compatible with the new enrollment portal, so we recommend that everyone start using it for new enrollments! The old enrollment portal still works, so nothing breaks when upgrading. New guide scenarios will automatically use the new portal, but for existing configurations you will have to create a new guide scenario for OneTouch enrollment. Read more in the article OneTouch Enrollment.
New internal application guides
The 'Applications' section of the admin configuration GUI has been remade slightly. Nothing has changed for existing configurations, but new guide scenarios use the new authenticator architecture introduced in PAS 5.1 instead of the legacy authenticators. To protect your internal applications, for example SelfService or OneTouch Enrollment, you may now freely select between all authenticators configured in the 'Authenticators' section.
Improved logout functionality / Smoother SP/RP-configuration
Configuring logout flows has often been difficult to do in PAS, so in PAS 6.0 we introduce multiple improvements to support smoother logout flows. Features include:
- An option to automatically log out from external providers (through SPBroker or RPBroker) when logging out at PAS
- Automatic ACS URL / SLO URL / Redirect URI management in SPBroker / RPBroker
- Full Single Log Out (SLO) protocol support in SPBroker
- Multiple bug fixes in SLO flows
We also realize that configuring SPBroker and RPBroker for easy externalized authentication has been cumbersome, so we introduce improvements that allow for easier configuration and a more failsafe approach, with universal ACS / redirect URLs independent of protocol entrypoint. Read more in the article SPBroker.
Improvements
- PHX-3159 - Upgrade to Java 21. See section above for more details.
- PHX-3577 - JSON logging with MDC fields. When running PAS as a container, the audit log format is now different and uses MDC fields. Read more in the article Running as a Container.
- PHX-3765 - Change Application guides so that they use new authenticators. See section above for more details.
- PHX-3766 - Log out at external providers on logout. See section above for more details.
- PHX-3931 - New audit log system. See section above for more details.
- PHX-3939 - Expand metrics for keystores so that 'name' is visible.
- PHX-3953 - Add metrics for license expiration. New metrics for license expiration are available (including license source and grace period duration).
- PHX-3954 - Document best practice of metrics. See section above for more details or read more in the article Recommended metrics and visualization.
- PHX-4004 - New extraction of end user IPs. A new method is now used for end user IP extraction (backwards compatible, so the old method works). Read more in the article Resolving the client IP / End user IP.
- PHX-4046 - Create MFA Sequence preset for pre-enrolled token. A preset option for pre-enrolled OTP tokens is now available in the guide scenario for MFA Sequence.
- PHX-4061 - Add metrics for authentication. New metrics for entrypoints, authenticators and legacy authentications are available.
- PHX-4064 - Add metrics for pipes and valves. New metrics for pipes and valves are available (e.g. execution time, concurrent executions, congestion and more).
- PHX-4065 - Metric improvements. See section above for more details.
Bug fixes
- PHX-4068 - Keystores in configuration without private key cause issues in operations monitoring. Resolved an issue where keystores in the configuration that did not have a private key would cause errors that bloated the logs.
- PHX-4115 - XSRF token issue in Signing. Resolved an issue where navigating back and forth in the signing app would cause issues validating the XSRF token.
- PHX-4159 - SAML Operations monitoring throws error if no certificate is present. Resolved an issue where SAML Operations monitoring would throw errors if a SAML Entity had no certificates.
- PHX-4175 - Legacy SAMLLogout component SLO flow error when RelayState is present. Resolved an issue where RelayState was added twice to the flow.
- PHX-4262 - OTTokenVerifierValve does not work with OT2. Resolved an issue where OTTokenVerifierValve could not be used with tokens issued by OneTouch v2. The valve is now compatible with both versions, and will only permit the correct versions as configured in the PKI module. In compatibility mode, tokens from both OT1 and OT2 will be allowed. Read more in the article: OTTokenVerifierValve.