May 30, 2023

Highlights

Improve Your Users' Experience with Single Sign On (SSO)

Single Sign On Authentication (SSO) allows the user to log in just once to an application connected to Cloudentity and use the resulting session as a proof of authentication to all applications in the workspace for as long as the session is valid, thus removing the need to re-authenticate when the user wants to use another app.

SSO can be configured in a workspace Authentication » Settings » Persistence view.

To enable SSO, turn the single_sign_on feature flag in your platform’s configuration files.

B2B/Delegated Administration Portal Coming Soon

User Management	Organization Management

Cloudentity B2B Portal allows to administer organizations and their user populations without any technical hassle. You can delegate organization administration to your partners/customers and empower them with the self-management of users, configuration of sign-in options, roles configuration, and application permissions.

B2B/Delegated Admin Portal Availability

We are continuously striving to provide an exceptional B2B/Delegated Administration Portal, and to ensure a seamless experience, it is currently accessible through feature flags. To leverage the capabilities of the portal, you have the option to enable the organizations feature flag in your platform’s configuration files. This empowers you to unlock the full potential of the portal and enjoy its extensive functionalities.

Major Additions And Changes

[ AUT-8861 ] Added Demonstration of Proof of Possession as an option for sender constraints in the OAuth configuration tab, providing increased security and authorization capabilities. With this enhancement, users can now easily configure and enforce proof of possession for OAuth requests.

Minor Enhancements

[ AUT-8542 ] Added support for OAuth 2.0 Authorization Server Issuer Identification (RFC 9207), allowing users to leverage the latest industry-standard for issuer identification. The feature can be controlled in the server’s advanced configuration settings, enabling administrators to define the behavior of the iss parameter in the authorization response. This enhancement enhances interoperability and provides better compatibility with other systems.

This feature can be controlled in the authorization server’s advanced configuration.

When enabled, an additional iss parameter will be returned in the authorization response.

The well-known page advertises if the server supports this feature using the authorization_response_iss_parameter_supported field.

If enabled, clients should verify if the iss parameter matches issuer from the well-known page.

[ AUT-8737 ] Introduced a feature that enables external SAML Service Providers (SP) to include the forceAuthn flag during login, ensuring a fresh login even when a valid Single Sign-On (SSO) session exists for the user. This enhancement provides finer control over user authentication and strengthens security by allowing SPs to override existing SSO sessions when necessary.

Additionally, resolved a bug where OAuth logins with ?prompt=login were not properly overwriting the existing SSO session upon completion.

[ AUT-8746 ] Improved security by preventing tenant admins from downgrading their roles to auditor or member from the identity pool user roles view. This enhancement ensures that tenant admins have the necessary privileges and responsibilities associated with their role, maintaining the integrity of user management within the platform.

[ AUT-8871 ] Split the PATCH /api/system/promote/config API into two separate APIs, namely PATCH /api/system/promote/config-rfc6902 and PATCH /api/system/promote/config-rfc7396.

This division ensures clear support for two different patch standards and aligns with industry best practices. Additionally, the Patch model for rfc6902 has been updated, resulting in no functional changes. However, clients generated from swaggers for all Patch APIs now utilize the new model, ensuring consistency and compatibility.

[ AUT-8914 ] Updated Openbanking Quickstart packages in downloads to use the stable version (2.0.0) instead of pulling from the latest images. This ensures consistency and reliability when utilizing Openbanking features.

[ AUT-8934 ] Introduced the ability to manage metadata payload and schema in the organization workspace. Users can now easily configure and customize metadata for their organization, providing more flexibility and control over the workspace. Additionally, an “Domains” input has been added to the “Create new organization” form, allowing users to specify the domains associated with the organization. B2B Portal and Admin Portal naming have also been aligned for a more consistent user experience. Furthermore, a suggestion feature has been implemented in the user population modal, enhancing the usability of managing user populations.

[ AUT-8935 ] Added a separate profile for security and message signing in FAPI 2.0, which is available behind the feature flag. This addition provides enhanced security measures and ensures compliance with industry standards.

[ AUT-8945 ] Fixed an issue where the issuer URL was not included in the accepted values for the aud claim in the token endpoint. This fix ensures proper validation and improves compatibility with external systems.

[ AUT-8947 ] Fixed an issue that causes the single_sign_on feature flag to disable the old authentication context caching mechanism for an IDP. Additionally, the Authentication Context Caching option in the Admin UI IDPs configuration screen has been removed. This change resolves a bug where enabling SSO at the server level before disabling the SSO feature flag resulted in the backend authn context caching remaining disabled.

[ AUT-8948 ] Implemented a feature that terminates any OAuth access tokens associated with the SSO session upon SSO logout. This enhancement improves security by ensuring that access tokens are invalidated and no longer usable after logout.

[ AUT-8949 ] Added the ability to disable single sign-on for individual IDPs when it is enabled for a workspace. This allows administrators to have granular control over SSO configurations and enables them to manage IDPs independently.

[ AUT-8962 ] Updated the /api/system/promote/config and /promote/config APIs to return and accept scopes_without_service. This improvement allows for more fine-grained control and configuration of scopes within the system.

[ AUT-8973 ] Updated the /api/system/promote/config and /promote/config APIs to return and accept policies and policy_execution_points. This update enhances the flexibility and customization options for managing policies within the system.

[ AUT-8976 ] Added {mtls_alias}/{tid}/{aid}/open-banking-brasil/open-banking/payments/v2/consents to the list of accepted audiences for the v1 and v2 payment consent creation endpoint. This ensures that the specified audience is valid for the mentioned endpoint and improves the overall functionality of the payment consent process.

[ AUT-8981 ] Updated the /api/system/promote/config and /promote/config APIs to return and accept services. This enhancement provides more comprehensive information and control over services within the system.

[ AUT-8992 ] Updated the /api/system/promote/config and /promote/config APIs to return and accept IDPs. This update enables better management and configuration of identity providers within the system.

[ AUT-8997 ] MTLS aliases for the authorization server issuer and token endpoint will now be accepted as valid aud claims in the /oauth2/authorize endpoint. This improvement allows for more flexible and secure authentication mechanisms.

[ AUT-8998 ] Updated the /api/system/promote/config and /promote/config APIs to return and accept Claims. This enhancement expands the capabilities for managing claims within the system.

[ AUT-9002 ] Updated the /api/system/promote/config and /promote/config APIs to return and accept Gateways and Gateway API Groups. This improvement provides better control and configuration options for gateways and their associated API groups.

[ AUT-9005 ] Newly created Open Finance Brasil workspaces will now have a block machine policy assigned by default to the consent:* scope. This default policy assignment ensures that proper security measures are in place for Open Finance operations.

[ AUT-9011 ] Added the missing userinfo, device, and registration endpoints to the mtls aliases endpoints section in the OpenID Discovery Endpoint. This update ensures that the documentation accurately reflects the available endpoints and improves the developer experience.

[ AUT-9013 ] Enhanced the PATCH /api/system/promote/config and PATCH /promote/config APIs to handle the import/patch of DerivedServers. This improvement allows for seamless patching of clients from the system server referenced in the patched server.

[ AUT-9019 ] Implemented workspace metadata context in the attributes validator for “User” and “Machine to machine” policy types. This addition enables the usage of metadata context in validating attributes and provides more flexibility in policy enforcement.

Bug fixes

[ AUT-7082 ] Fixed an issue where the trash icon was not functioning correctly on the edit redirect URL view when there was only one redirect URL present. This fix restores the proper functionality of the trash icon.

[ AUT-8182 ] Resolved an issue where there was no easy way to see the full name of an identity pool when connecting it as an IDP. This fix ensures that the full name of the pool is now easily accessible.

[ AUT-8766 ] Improved the /userinfo endpoint by adding a new advanced configuration option, “Disallow access token in request query for protected resource endpoints.” This option enables compliance with specific specifications, enhancing security and ensuring adherence to industry standards.

[ AUT-8855 ] Fixed an issue where the Organization Admin and Tenant Admin had the possibility to revoke their own roles or downgrade their roles to auditor or member. This fix ensures that such actions are no longer possible, preserving the integrity and security of role assignments.

[ AUT-8880 ] Resolved an issue where the Users Side Navigation item did not work properly when two or more user populations were present. This fix restores the correct functionality of the Users Side Navigation item in such scenarios. Additionally, associated IDPs are now properly removed when a user population is removed.

[ AUT-8940 ] Ensured that clients can use one or both sender constraints, providing more flexibility in configuring client behavior.

[ AUT-8959 ] Fixed a panic case that could occur when calling the POST /open-banking-brasil/payment/{login}/reject API. This fix resolves the issue and ensures the API behaves as expected.

[ AUT-8960 ] Fixed a misleading title on the identity providers page, ensuring that the displayed title accurately reflects the page’s content.

[ AUT-8964 ] Resolved an issue where the Org admin could not see additive columns fetched from metadata in the Users Population Table > Dynamic Columns > Metadata. This fix enables the Org admin to view all relevant columns as expected.

AUT-8974 [UI] Read schemas as workspace admin and workspace user manager and identity pool user manager

AUT-9012 [UI] Import > User Org Manager/User Pop Manager are missing import button, however they can create user via create user button

[ AUT-8990 ] Removed the broken “enable demo application” button in the workspace creation wizard for ConnectID profiles.

[ AUT-9006 ] Fixed a UI error that occurred when attempting to bind a theme to a workspace, resolving the issue and ensuring a smooth user experience.

[ AUT-8907 ] Removed the broken “enable demo application” button from the workspace creation wizard for ConnectID profiles. This button was non-functional and no longer serves a purpose.

[ AUT-9008 ] Addressed an issue with the switch component’s checked styles, ensuring that the styles are applied correctly after a Material-UI (MUI) bump.

[ AUT-9010 ] Made changes to the /oauth2/introspect and /oauth2/revoke endpoints. Clients using inline authentication and certificate-bound access tokens with private_key_jwt are no longer required to provide a certificate. Additionally, bearer token authentication now enforces certificate-bound access tokens and DPoP (Distributed Proof-of-Possession) tokens for improved security.

[ AUT-9012 ] Implemented the ability to fetch workspace schema on the “Import users (csv)” dialog, providing users with better visibility and control over the import process.

[ AUT-9017 ] Previously, in the dump for a server, there were GatewayAPIGroups from all servers in the tenant. Now, the dump for a server includes only the GatewayAPIGroups from the given server, resulting in more accurate and relevant data.

[ AUT-9018 ] Fixed a lack of UI error for duplicated users using the same mobile phone, ensuring that appropriate error messages are displayed when attempting to add duplicate users.

Recommended Database Versions