
6.1.0

Warning

The SAML Metadata engine has been updated. Please validate that your SAML module starts correctly. Metadata sources that publish colliding EntityIDs require configuration to resolve the collision. See Upgrade from older versions for details.

Note

If you use an AgnosticAuthSelector with only one option, its default behavior has changed, and configuration is needed to keep the previous behavior. See Upgrade from older versions for details.

PAS 6.1.0 is a feature release that builds on the major technical upgrades introduced in PAS 6.0. It focuses on these main areas:

  • An entirely new system for SAML Metadata management
  • New valves for seamless ADCS integration
  • Conditional Selector options and SSO improvements
  • Interactive authentication flowcharts / configuration visualization

PAS 6.1.0 also includes many other improvements and bug fixes, including all improvements and fixes introduced in PAS 5.1.9. Issues from 5.1.9 are listed separately below.

SAML Metadata management

An entirely new engine for SAML metadata management has been developed. Aside from resolving old bugs and limitations, it introduces many new features and significantly more insight into the loading status. Some of the new features are:

  • A full metadata status page in the admin GUI, giving insight into the status of metadata loading. Examples of insights are:
    • Overall status of the SAML module (OK / Warning / Error)
    • Status for each metadata source (Loaded / Loaded with warnings / Error)
    • Additional insights for each metadata source (e.g. Last loaded, next load at, valid until)
    • Insights for each SAML Entity within each source (e.g. which repositories have loaded this entity, certificate expiration status, and more)
  • A number of configuration options for metadata sources, e.g. custom refresh interval, cache duration, optional enforcement of validity durations, and signature validation requirements.
  • Metadata Repositories -- a way to configure a subset of trusted metadata used in specific integrations.
  • Direct configuration of a trusted SAML entity (if no URL or File source is available)
  • New metrics giving more insight than before
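The checks behind the validity, cache-duration and EntityID-collision points above are simple to state but easy to get wrong, so here is a working illustration of them. This is an added example, not PAS code: the three metadata sources, their EntityIDs and the fixed clock are constructed, and the status strings are chosen to mirror the ones the status page uses.

```python
"""Checks a SAML metadata loader performs per source: validUntil enforcement,
cacheDuration-based refresh scheduling and EntityID collision detection
across sources.  Added illustration, not PAS code; sample metadata and source
names are constructed."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)   # fixed clock for a reproducible run

# Constructed sources: a federation aggregate and a locally uploaded file both
# publish https://sp.example.org/saml (the collision the 6.1.0 warning is about),
# and a third feed whose validUntil has already passed.
SOURCES = {
    "federation-feed": f'''<EntitiesDescriptor xmlns="{MD_NS}"
        validUntil="2030-01-01T00:00:00Z" cacheDuration="PT6H">
      <EntityDescriptor entityID="https://sp.example.org/saml"/>
      <EntityDescriptor entityID="https://idp.example.org/saml"/>
    </EntitiesDescriptor>''',
    "local-file": f'''<EntityDescriptor xmlns="{MD_NS}" entityID="https://sp.example.org/saml"
        validUntil="2030-01-01T00:00:00Z"/>''',
    "stale-feed": f'''<EntitiesDescriptor xmlns="{MD_NS}" validUntil="2020-01-01T00:00:00Z">
      <EntityDescriptor entityID="https://old.example.net/saml"/>
    </EntitiesDescriptor>''',
}

_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_duration(value):
    """Parse the subset of ISO 8601 durations seen in cacheDuration (days/time only)."""
    m = _DURATION.match(value)
    if not m:
        raise ValueError(f"unsupported cacheDuration: {value}")
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)

def parse_instant(value):
    """xsd:dateTime with a trailing Z; fromisoformat needs an explicit offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def load_source(name, xml_text, now=NOW, default_refresh=timedelta(hours=1),
                enforce_validity=True):
    """Parse one source and return its status. With enforce_validity the source
    is rejected once validUntil has passed instead of being served stale."""
    root = ET.fromstring(xml_text)
    result = {"source": name, "status": "Loaded", "warnings": [], "entities": []}
    valid_until = root.get("validUntil")
    if valid_until and parse_instant(valid_until) <= now:
        result["warnings"].append(f"validUntil {valid_until} has passed")
        if enforce_validity:
            result["status"] = "Error"
            return result
        result["status"] = "Loaded with warnings"
    cache = root.get("cacheDuration")
    result["next_load_at"] = now + (parse_duration(cache) if cache else default_refresh)
    result["valid_until"] = valid_until
    # iter() includes the root itself, so a bare EntityDescriptor works as well as an aggregate.
    result["entities"] = [e.get("entityID") for e in root.iter(f"{{{MD_NS}}}EntityDescriptor")]
    return result

def load_all(sources, now=NOW):
    """Load every source, then report EntityIDs published by more than one loaded
    source. Collisions are surfaced rather than resolved last-writer-wins, because
    silently letting one source override another changes whom you trust."""
    results = [load_source(name, xml, now) for name, xml in sources.items()]
    owners = {}
    for r in results:
        if r["status"] == "Error":
            continue
        for entity_id in r["entities"]:
            owners.setdefault(entity_id, []).append(r["source"])
    collisions = {eid: srcs for eid, srcs in owners.items() if len(srcs) > 1}
    if any(r["status"] == "Error" for r in results):
        overall = "Error"
    elif collisions or any(r["warnings"] for r in results):
        overall = "Warning"
    else:
        overall = "OK"
    return {"overall": overall, "sources": results, "collisions": collisions}

if __name__ == "__main__":
    report = load_all(SOURCES)
    print(report["overall"], report["collisions"])
    for s in report["sources"]:
        print(s["source"], s["status"], s["warnings"])
```

Signature validation is deliberately left out: it needs an XML-DSig library (for example xmlsec) and, more importantly, a pinned signing certificate per source, since a signature that merely validates against whatever certificate the feed embeds proves nothing.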

New valves for ADCS integration

A long-requested feature has been integration with ADCS. PAS 6.1.0 delivers easy ADCS integration directly in your pipes via the new valves:

These valves can all be used in many different scenarios, but we have put together an example configuration that shows how to sign a PDF with an ADCS generated certificate: Pipe: Sign PDF using ADCS

Selector, Dispatch and SSO improvements

Another highly requested feature has been conditional options in Auth Selectors. PAS 6.1.0 delivers this and, with it, many powerful new capabilities (for example, very simple LoA-based SSO). Features include:

  • Expression conditions for whether an authentication option should be available in a selector
  • A shorthand for which request issuers (SPs, RPs, etc) should be allowed an option (Also available in Dispatch)
  • A 'forceAuth' property for options in both Dispatch and Selector -- so you may easily limit SSO in conditions you decide
  • A 'useAssertionProfile' property for options in both Dispatch and Selector -- so you may in one easy place both determine the auth flow and assertion profile for your SAML flows
  • Improved SSO behavior for AuthSelector -- SSO will only be used if the available options include the option you initially authenticated with.

More information is available in AgnosticAuthSelector and AgnosticDispatcher. Examples on powerful LoA-based SSO configurations are now available in Single Sign On.
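The interaction between expression conditions, the issuer shorthand, forceAuth and the new SSO rule is easiest to see in running code, so the following is a working model of the rules as described above. It is an added illustration, not PAS code and not its expression syntax: the Option fields, the request's required LoA, and the three constructed options are assumptions chosen to show why a password session cannot be reused for an SP that requires LoA 3.

```python
"""A working model of the conditional selector / SSO rules described above.
Added illustration, not PAS code or its expression syntax: the Option fields,
the request's required LoA and the three options are constructed assumptions."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional

@dataclass(frozen=True)
class Option:
    name: str
    loa: int                                        # assurance level this method yields
    allowed_issuers: FrozenSet[str] = frozenset()   # empty = any SP / RP may use it
    condition: Optional[Callable[["Request"], bool]] = None  # expression condition
    force_auth: bool = False                        # never satisfied by an existing session

@dataclass(frozen=True)
class Request:
    issuer: str                                     # entityID / client_id asking for auth
    required_loa: int = 1

@dataclass(frozen=True)
class Session:
    option: Optional[str] = None                    # selector option used at first login

def available_options(options: List[Option], request: Request) -> List[Option]:
    """Filter to the options this request may be offered: issuer shorthand first,
    then the option's expression condition."""
    return [o for o in options
            if (not o.allowed_issuers or request.issuer in o.allowed_issuers)
            and (o.condition is None or o.condition(request))]

def resolve(options, request, session):
    """('sso', option) when the session may be reused, else ('select', options)."""
    avail = available_options(options, request)
    prior = next((o for o in avail if o.name == session.option), None)
    # SSO only if the option the user originally authenticated with is still
    # among the options available for *this* request and is not forceAuth.
    if prior is not None and not prior.force_auth:
        return "sso", prior
    return "select", avail

# Constructed selector: password is only offered when LoA 2 suffices, so an
# SP that requires LoA 3 never gets SSO from a password session.
OPTIONS = [
    Option("password", loa=2, condition=lambda r: r.required_loa <= 2),
    Option("bankid", loa=3),
    Option("admin-token", loa=3, force_auth=True,
           allowed_issuers=frozenset({"https://admin.example.org"})),
]

if __name__ == "__main__":
    session = Session(option="password")
    print(resolve(OPTIONS, Request("https://portal.example.org", 2), session))
    print(resolve(OPTIONS, Request("https://portal.example.org", 3), session))
```

The point to check in your own configuration is the second call: the password option disappears from the available list when LoA 3 is required, and because SSO is only granted for an option that is still available, the user is sent to the selector with only the stronger methods instead of being silently let through.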

Authentication flowcharts / configuration visualization

Complex authentication flows with Sequences, Selectors, or Dispatchers have traditionally been hard for an administrator to follow, tough to configure, and difficult to verify against the flow you had in mind. To remedy this, PAS 6.1.0 introduces interactive authentication flowcharts directly in the configuration GUI: the entire authentication flow, including every sequence and branch, is visible in one interactive flowchart, with the ability to drill down for more detail on particular components or sub-flows. The flowcharts are available in the config GUI at each SAML Identity Provider, OpenID Provider, and Internal Authentication Endpoint. A PDF printout of these flowcharts (including all sub-charts and details) is also available, both per endpoint and for the entire system from the start page.

Improvements

  • PHX-2965 - Add a way to upload a new certificate to an existing keystore using the WebUI. Added new support in the admin GUI to update keystore resources directly.
  • PHX-4224 - New SAML Metadata functionality. More information above.
  • PHX-3749 - Better view over how all authenticators are connected together. More information above.
  • PHX-4381 - New valve: PropertyExtractValve. Added a valve for property extraction via RegEx. Read more on how to use it in the article PropertyExtractValve.
  • PHX-4383 - Define sign transactions in internal auth endpoints. Added new way of interacting with internal auth endpoints -- signature flows. Read more in the article Internal Authentication.
  • PHX-4384 - Add an application guide for PRISM FedSigning. Added a configuration scenario for Signing Service that sets up all the necessary PAS components for PhenixID Signing in an easy to use guide. Includes nice features such as automatic sign message, additional sign data, and inclusion of an order reference in the signature certificate.
  • PHX-4435 - Selector, Dispatch and SSO improvements. See more info above.
  • PHX-4520 - RPBroker should support configurable client authentication methods and/or based on OP metadata. Client authentication methods are now configurable at RPBroker. All standard methods (client_secret_basic, client_secret_post, client_secret_jwt and private_key_jwt) as well as an automatic select based on discovery data are available. Read more in the article RPBroker.
  • PHX-4508 - Add icons for Home and Globe. New icons added to authentication frontend.
  • PHX-4397 - Change default BankID apiVersion to v6.0. Since the previous default BankID v5.1 has been officially end-of-life for a long time, we are now changing the default apiVersion to v6.0.
  • PHX-4387 - Add OneID / OneTouch certificate to pipe after successful authentication. Added the used certificate to the pipe such that it may be used in e.g. external revocation checks.
  • PHX-4382 - Include mobile authenticator OrderRef to pipe requests. Now includes all mobile authenticator (BankID, Freja, Nias, Siths eID, OneID/Onetouch) order refs / transaction ids in the pipe.
  • PHX-4377 - Auth frontend: Add logo alt-text and link. You may now configure an alt-text and link in your custom logos.
  • PHX-4375 - Auth frontend: Change dialog close button. Changed the close button in dialogs to follow the design conventions of the app.
  • PHX-4374 - Auth frontend: Focus display style. Changed how focus is displayed when moving through page elements using tab.
  • PHX-4240 - Auth frontend: TraceID on error. Added the trace id to error messages for easier troubleshooting.
  • PHX-4373 - Auth frontend: Add optional layout in selector view. Added an optional selector layout, see Languages for more details.
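For PHX-4520 above, the difference between the four client authentication methods and what "automatic select based on discovery data" has to decide is worth seeing end to end. The following is an added example, not RPBroker's implementation: the discovery document, client id, client secret and the preference order are constructed, and private_key_jwt is shown only as an injected signer because it needs a crypto library.

```python
"""OIDC token-endpoint client authentication: the four standard methods and
automatic selection from the OP's discovery document, with an OP-side check
of a client_secret_jwt assertion.  Added illustration, not RPBroker's code;
the discovery data, client id and secret are constructed."""
import base64
import hashlib
import hmac
import json
import time
import uuid

TOKEN_ENDPOINT = "https://op.example.org/token"
DISCOVERY = {  # constructed subset of .well-known/openid-configuration
    "token_endpoint": TOKEN_ENDPOINT,
    "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_jwt"],
}
CLIENT_ID = "rpbroker-demo"
CLIENT_SECRET = "c0rrect-horse-battery-staple-0123456789abcdefghij"  # >= 256 bits for HS256

# Strongest first: the JWT methods never send the long-lived secret itself.
PREFERENCE = ["private_key_jwt", "client_secret_jwt", "client_secret_basic", "client_secret_post"]
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def select_method(discovery, can_sign_with_private_key=False):
    """Pick the strongest method the OP advertises; per OIDC Discovery an
    absent list means client_secret_basic only."""
    supported = discovery.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    for method in PREFERENCE:
        if method in supported and (method != "private_key_jwt" or can_sign_with_private_key):
            return method
    raise ValueError("no mutually supported client authentication method")

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def client_secret_jwt(client_id, secret, audience, now, ttl=60):
    """RFC 7523 / OIDC Core 9 assertion: HS256 keyed with the client secret,
    iss == sub == client_id, aud == token endpoint, unique jti, short exp."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": audience,
              "iat": now, "exp": now + ttl, "jti": str(uuid.uuid4())}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(mac)}"

def verify_client_secret_jwt(token, secret, audience, now):
    """OP-side check: pinned alg, constant-time MAC compare, then aud and exp.
    A real OP also rejects a jti it has already seen."""
    try:
        h, c, s = token.split(".")
    except ValueError:
        return False
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return False
    expected = hmac.new(secret.encode(), f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), s):
        return False
    claims = json.loads(_b64url_decode(c))
    return claims.get("aud") == audience and claims.get("exp", 0) > now

def token_request(method, client_id, secret, code, redirect_uri, now=None, private_key_signer=None):
    """Return (headers, form) for an authorization_code exchange using `method`."""
    now = int(time.time()) if now is None else now
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    if method == "client_secret_basic":
        # RFC 6749 2.3.1: id and secret are form-urlencoded before base64; both are
        # plain ASCII here so no escaping is needed.
        headers["Authorization"] = "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    elif method == "client_secret_post":
        form.update(client_id=client_id, client_secret=secret)
    elif method == "client_secret_jwt":
        form.update(client_assertion_type=ASSERTION_TYPE,
                    client_assertion=client_secret_jwt(client_id, secret, TOKEN_ENDPOINT, now))
    elif method == "private_key_jwt":
        # Same claims, signed RS256/ES256 with the RP's private key; the signer is
        # injected because that needs a crypto library (e.g. cryptography or jwcrypto).
        form.update(client_assertion_type=ASSERTION_TYPE,
                    client_assertion=private_key_signer(client_id, TOKEN_ENDPOINT, now))
    else:
        raise ValueError(f"unknown method {method}")
    return headers, form
```

Two things to keep in mind when turning on automatic selection: the preference order is a policy decision (a client with a private key should end up on private_key_jwt, never fall back to client_secret_post), and the OP's discovery document must be fetched over a validated TLS connection, since an attacker who can tamper with it can steer the RP to the weakest method it will accept.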

Bug fixes

  • PHX-4467 - Custom Error Codes no longer work in Mobile Authenticators. Resolved an issue where custom error codes would not be displayed in mobile authenticators.
  • PHX-4465 - Admin GUI login page - link to docs does not work when language is set to swedish. Resolved an issue where the link to the official docs would not work when language is set to swedish.
  • PHX-4466 - Missing EntrypointId in authenticator audit logs. Resolved an issue where entrypointId was missing in authenticator audit logs.
  • PHX-4405 - SPARLookupValve broken since 6.0.0. Resolved an issue where SPARLookupValve was not working as intended.
  • PHX-4412 - RelayAuthenticator: QR code not visible. Resolved an issue where the QR component of RelayAuthenticator was not working as intended since 6.0.1.

Issues from 5.1.9

Improvements

  • PHX-4460 - UX Improvements in 'Relay Session login'. Greatly improved the user experience (UX) of the automatic relay session login triggered when outdated, unsupported browsers are used in authentication flows. Also added configurability and documentation for this behavior, see Authentication in outdated browsers.
  • PHX-4514 - Handle EC keys in OIDC integrations. Both our OpenID Provider and OIDC Relying Party implementations now support signing and validation of JWTs using Elliptic Curve (EC) cryptography. Read more about signature methods in OIDC in the article OpenID Provider.
  • PHX-4447 - New OneID Logo. Changed the OneID logo to match with the new logo in the OneID app.

Bug fixes

  • PHX-4345 - DynamicAuthenticator: Browser reload on informationDisplay step auto-accepts the choice. Resolved an issue where the information-display mode on DynamicAuthenticator would only ensure the information was displayed, and not ensure that a choice was made. Now requires interaction to proceed.
  • PHX-4292 - Sometimes OIDC discovery fails against internal OP. Resolved an issue where discovery against an internal OP may fail on startup due to modules not yet being loaded. Increased robustness and error handling in OIDC discovery.
  • PHX-4409 - Legacy Browser Relay -- dropped form data / query params. Resolved an issue where the relay authentication used to handle legacy browsers would drop original request parameters so it could not be used with parameter based authentication such as JWTs.
  • PHX-4408 - Null pointer when keystore missing end date. Resolved an issue where metrics tracking keystore certificate expiration dates could get a NullPointerException.
  • PHX-3991 - If all fields in a Dynamic Authenticator are optional you get a CSRF error in the browser. Resolved an issue where only optional inputs in a DynamicAuthenticator would result in no form being displayed.
  • PHX-4464 - Freja OrgID points to wrong URL. Resolved an issue introduced in PAS 5.1.8 where the wrong URL was used for Freja OrgID.
  • PHX-4474 - Default SMS / Mail OTP MFA Scenarios do not mask phone numbers / mail addresses. Resolved an issue where default guide scenarios for SMS and Mail OTP would not mask phone numbers and mail addresses before displaying them to the user.
  • PHX-4418 - Disable flash SMS default in SMS OTP Scenario. Resolved an issue where flash SMS would be the default in the SMS OTP scenario.
  • PHX-4463 - WindowsSSO backup authenticator is not used on other OS / failed SSO. Resolved an issue where WindowsSSO authenticator would not correctly use the backup authenticator if the negotiation failed.
  • PHX-4511 - OneID/OneTouch: Assignments not tied to device. Resolved an issue where anonymous OneID and OneTouch assignments claimed via QR code scanning / same device could be completed by your other enrolled devices.
  • PHX-4513 - Nias on same device for Android has incorrect return url. Resolved an issue where using NetID Access (Nias) on same device on Android devices caused an error due to incorrect return url. Now uses null as default redirect for Android, but may still be customized in Return URLs and Custom App Schemes in Mobile Authenticators.
  • PHX-4528 - New FedSigning module does not redirect to failure_url on pipe error. Resolved an issue where the PDF signing portal would not redirect to the proper failure URL if a pipe failed.