INDIGO Identity and Access Management v1.10.3

What's Changed

• Add confirmation before rotate client secret by @SteDev2 in #875
• Fix account mapping in VOMS AA by @rmiccoli in #872
• Add POST endpoint for registration requests confirmation by @enricovianello in #881
• Fix CERN lifecycle handler by @enricovianello in #871, #896
• Grant admin scopes to admin-approved clients only by @rmiccoli in 6bbaccd
• Client-credentials flow won't create a refresh token by @rmiccoli in indigo-iam/OpenID-Connect-Java-Spring-Server#22
• Redirect to login page when signing AUP by @federicaagostini in 5acde91
• Fix missing update of matchingPolicy by @garaimanoj in f15ef57
• Find account by certificate sub and iss in VOMS AA by @rmiccoli in #897
• Exclude IAM optional groups from VOMS AC by @rmiccoli in #894
• Find account by certificate sub and iss in VOMS AA by @rmiccoli in #897

Full Changelog: v1.10.2...v1.10.3.rc.20241122

INDIGO Identity and Access Management v1.11.0

What's Changed

• Add confirmation before rotate client secret by @SteDev2 in #875
• Fix account mapping in VOMS AA by @rmiccoli in #872
• Add POST endpoint for registration requests confirmation by @enricovianello in #881
• Fix CERN lifecycle handler by @enricovianello in #871, #896
• Grant admin scopes to admin-approved clients only by @rmiccoli in 6bbaccd
• Client-credentials flow won't create a refresh token by @rmiccoli in indigo-iam/OpenID-Connect-Java-Spring-Server#22
• Redirect to login page when signing AUP by @federicaagostini in 5acde91
• Fix missing update of matchingPolicy by @garaimanoj in f15ef57
• Find account by certificate sub and iss in VOMS AA by @rmiccoli in #897
• Exclude IAM optional groups from VOMS AC by @rmiccoli in #894
• Find account by certificate sub and iss in VOMS AA by @rmiccoli in #897
• Prevent the issue of broken SAML login flow by @DonaldChung-HK in #885

Added

• (Experimental*) Implement MFA by @sam-glendenning, @rmiccoli, @garaimanoj, @Sae126V in #733

(*) This initial release featuring Multi-Factor Authentication is experimental and will be enhanced and expanded with new features in future releases, based also on user feedback.

MFA experimental feature summary

• Each authenticated user can enable/disable MFA through a button in their homepage
  • user will use an authenticator, as it is required to generate the time-based one-time passwords (TOTPs) necessary for authentication
• If issues arise with the authenticator, the IAM administrator can disable MFA for a user
• Authenticator working for local authentication only
  • integration with X.509 certificates and external providers not yet supported
• Encryption and decryption of MFA secrets

Configuration

The mfa Spring profile is used to enable MFA functionality. By default, MFA is disabled for all users.

INDIGO Identity and Access Management Service v1.10.2

What's Changed

• Add devcontainer configuration by @darcato in #835
• Track refresh tokens in access token AUDIT logs by @rmiccoli in #838
• Combine CERN HR logic with internal life-cycle by @enricovianello in #844
• Fix expected password min length to 8 chars by @SteDev2 in #849
• AUP signature PATCH endpoint accepts signature time as input by @enricovianello in #853

INDIGO Identity and Access Management Service v1.10.1

What's Fixed

• Fix repeated suspensions by @enricovianello in #831
• Fix typo in AUDIT log for suspended accounts by @federicaagostini in #832
• Upgrade AngularJS version by @SteDev2 in #820
• Fix AUP signature validity by @rmiccoli in #834

INDIGO Identity and Access Management Service v1.10.0

What's Changed

• Send an email when client status changes by @rmiccoli in #802
• Add a statistical anonymous endpoint by @rmiccoli in #790
• PATCH to change AUP signature time works also for client credentials by @rmiccoli in #804
• Add AUP and user's lifecycle missing email notifications by @rmiccoli in #787
• Add groups enrollment logic to be applied after users registration by @garaimanoj in #793
• Add the organization name in all email notifications subjects by @rmiccoli in #810
• Improve password quality check by @SteDev2 in #719
• Allow to totally disable cache by @federicaagostini in #778

Bug Fixes

• Refresh token flow not allowed for suspended clients by @rmiccoli in #814
• Update angular-jwt script link by @SteDev2 in #822
• Fix error 500 on old mitreId user interface by @SteDev2 in #808

Configuration Fixes

• Prefix all necessary env variables with IAM_ by @federicaagostini in #807
  • As described into #807, the environment variables DEFAULT_ACCESS_TOKEN_VALIDITY_SECONDS, DEFAULT_DEVICE_CODE_VALIDITY_SECONDS, DEFAULT_ID_TOKEN_VALIDITY_SECONDS and DEFAULT_REFRESH_TOKEN_VALIDITY_SECONDS have been renamed with IAM_ prefix.
• Fix client track-last-used setting location in .yaml by @enricovianello in #795
  • The client's "last-used" tracking has been disabled by default. You can turn it on by setting IAM_CLIENT_TRACK_LAST_USED as true. This feature allows administrators to see how many days have last since last token was issued for each client.
• The redis-cache.enabled property has been moved to cache.redis.enabled. This property is set by the same environment variable IAM_REDIS_CACHE_ENABLED so configurations that relies on this variable are not affected.

Documentation Fixes

• VOMS-AA replica deployment example provided by @darcato in #729

INDIGO Identity and Access Management Service v1.9.0

What's Changed

• Show unrestricted scopes into well-known endpoint by @federicaagostini in #628
• Fix account lifecycle workflow by @rmiccoli in #746
• Administrators can disable a client by @garaimanoj in #747
• Change VOMS warning message when requesting a too long proxy by @federicaagostini in #756
• VO members can re-sign the AUP at any time by @garaimanoj in #757
• Add delete signature and sign on behalf by @enricovianello in #777
• Increase SAML response skew from 60 to 300 secs by @enricovianello in #780
• Multiplatform docker by @jacogasp in #761
• (Experimental*) Fix audit log for issued access tokens and add refresh token event by @federicaagostini in #774
• Fix authorization on SCIM me endpoint by @enricovianello in #764
• (Experimental*) Add attributes and managed groups to the SCIM user by @enricovianello in #764
• (Experimental*) Add authorities list to SCIM user by @enricovianello in #788
• Add last used property to clients by @darcato in #675
• Display how much time is left to AUP expiry by @garaimanoj in #783
• Allow to add nickname as attribute during a registration request by @federicaagostini in #789

* The introduced AUDIT messages and info to the SCIM user must be considered as experimental and they may be changed in next RC/releases in a backward incompatible way

New Contributors

• @garaimanoj made his first contribution in #757
• @jacogasp made his first contribution in #761

Notes

SCIM users response can now be extended in order to list also:

• user's attributes
• user's authorities
• user's managed groups

In order to include authorities and|or managed groups into SCIM users details you need to enable them through the following properties:

scim:
  include_authorities: true
  include_managed_groups: true

or through the environment variables:

IAM_SCIM_INCLUDE_AUTHORITIES=true
IAM_SCIM_INCLUDE_MANAGED_GROUPS=true

Attributes can be included into SCIM user response in the same way the labels are:

scim.include_attributes[0].name=attribute-name
scim.include_attributes[1].name=another-attribute-name

Full Changelog: v1.8.4...v1.9.0

INDIGO Identity and Access Management Service v1.8.4

v1.8.4 (2024-03-25)

Added

• Add property to show SQL queries (default to false) #702
• Add refresh token value index on database #722
• Add support for admin to customize login layout #668

Fixed

• Encode/decode token value hash with Charset UTF-8 to match the MySQL algorithm #694
• Update the email address/username without needs to refresh the web UI #686
• Allow Chinese characters to be shown on user's info column #701
• Update login form display strategy #669

Changed

• Only registered users can get client credentials grant type #683
• Remove possibility to add a client logo URI #697
• Disable client editing through MitreID endpoint (/api/clients/*) #703
• Request for an optional "Apply for an account with eduGAIN" button #665

INDIGO Identity and Access Management Service v1.8.3

Recommendations

It is strongly recommended to make a backup of your database before upgrading to v1.8.3 because several migrations are planned. Also, remember that for updates from versions prior to v1.7.2 you must first upgrade to v1.7.2.
The migration to v1.8.3 will take an amount of time which will be proportional to the amount of currently active access tokens. This means that if you are deploying IAM with some kind of liveness and readiness probes, it's probably better to switch them off before upgrading. This migration may take a long time.

Changed

• Save access token value as an hash in order to use lighter db indexes and avoid conflicts by @rmiccoli in #613
• Avoid upper case characters into VO names by @SteDev2 in #616
• Enable Redis scope matchers and well-known endpoint caching by @federicaagostini in #633
• Consider scope matcher based on string equality for custom scopes by @rmiccoli in #642

Added

• Add SCIM endpoint entry to well-known endpoint by @federicaagostini in #631
• Update account AUP signature time via API by @rmiccoli in #608
• Add new JWT profile that rename 'groups' claim with 'roles' by @enricovianello in #637
• Add support for displaying specific language name in federation Metadata by @Sae126V in #640
• Add missing "Reuse refresh token" box within client management page by @rmiccoli in #650
• Add missing foreign keys to the database by @enricovianello, @rmiccoli in #632, #659
• Add OpenID Connect standard claims in ATs for WLCG JWT profile by @rmiccoli in #651

Fixed

• Allow to add certificates with the same subject DN by @rmiccoli in #624
• Delete unsupported response types by @rmiccoli in #610
• Fix management of tokens lifetime following RFC9068 by @federicaagostini in #620
• Fix CERN Restore workflow by @hannahshort in #645
• Fix authz code flow with PKCE for IAM test client application by @rmiccoli in #653
• Fix authorization on IAM APIs such to avoid cases where access is granted to already approved scopes instead of effective token scopes by @enricovianello in #664

New Contributors

• @SteDev2 made his first contribution in #616
• @federicaagostini made her first contributions in #620, #631 and #633
• @Sae126V made his first contribution in #640
• @hannahshort made her first contributions in #645

INDIGO Identity and Access Management Service v1.8.2p2

This release fixes a privilege escalation present in all previous IAM releases. See https://advisories.egi.eu/Advisory-EGI-SVG-2023-53.

INDIGO Identity and Access Management Service v1.8.1p2

This release fixes a privilege escalation present in all previous IAM releases. See https://advisories.egi.eu/Advisory-EGI-SVG-2023-53.