Changelog

1.0.0 (2017-8-31)

This release provides improvements, bug fixes and new features:

  • IAM now supports hierarchical groups. The SCIM group management API has been extended to support nested group creation and listing, and the IAM dashboard can now leverage these new API functions (#88)
  • IAM now supports native X.509 authentication (#119) and the ability to link/unlink X.509 certificates to a user membership (#120)
  • IAM now supports configurable on-demand account provisioning for trusted SAML IDPs; this means that the IAM can be configured to automatically on-board users from a trusted IdP/federation after a succesfull external authentication (i.e. no former registration or administration approval is required to on-board users) (#130)
  • IAM now provides an enhanced token management and revocation API that can be used by IAM administrators to see and revoke active tokens in the system (#121)
  • Account linking can be now be disabled via a configuration option (#142)
  • IAM dashboard now correctly displays valid active access tokens for a user (#112)
  • A problem that caused IAM registration access tokens to expire after the first use has been fixed (#134)
  • IAM now provides an endpoint than can be used to monitor the service connectivity to external service (ie. Google) (#150)
  • Improved SAML metadata handling (#146) and reloading (#115)
  • Account linking can now be disabled via a configuration option (#142)
  • The IAM audit log now provides fine-grained information for many events (#137)
  • The IAM token introspection endpoint now correctly supports HTTP form authentication (#149)
  • Notes in registration requests are now required (#114) to make life easier for VO administrators that wants to understand the reason for a registration request
  • Password reset emails now contain the username of the user that has requested the password reset (#108)
  • A stronger SAML account linking logic is now in place (#116)
  • Starting from this release, we provide RPM and Deb packages (#110) and a puppet module to configure the IAM service (#109)
  • The spring-boot dependency has been updated to version 1.3.8.RELEASE (#144)
  • An issue that prevented access to the token revocation endpoint has been fixed (#159)

0.6.0 (2017-3-31)

This release provides improvements and bug fixes:

  • IAM now implements an audit log that keeps track of all interesting security events (#79)
  • Password grant logins are now correctly logged (#98)
  • The MitreID logic for resolving user access and refresh token has been replaced with a more efficient implementation (#94)
  • Audience restrictions can be enforced on tokens obtained through all supported OAuth/OIDC flows (#92)
  • The tokens and site approval cleanup periods are now configurable (#96)

0.5.0 (2016-12-6)

This release provides new functionality and bug fixes:

  • It is now possible for users to link external authentication accounts (Google, SAML) to the user IAM account (#39)
  • It is now possible to register at the IAM starting from an external authentication (#44)
  • The IAM now exposes an authority management endpoint (integrated in the dashboard) that allows to assign/remove administrative rights to/from users (#46)
  • The token exchange granter now enforces audience restrictions correctly (#32)
  • It is now possible to set custom SAML maxAssertionTime and maxAuthenticationAge to customize how the SAML filter should check incoming SAML responses and assertions (#65)
  • Improved token exchange documentation (#51,#52)
  • The IAM now includes spring boot actuator endpoints that allow fine-grained monitoring of the status of the service (#62)
  • Group creation in the dashboard now behaves as expected (#34)
  • Editing first name and other information from the dashboard now behaves as expected (#57)
  • The IAM now provides a refactored SAML WAYF service that remembers the identity provider chosen by the user (#59)
  • The overall test coverage has been improved

0.4.0 (2016-09-30)

This release provides new functionality and some fixes:

  • Groups are now encoded in the JSON returned by the IAM /userinfo endpoint as an array of group names.
  • Group information is also exposed by the token introspection endpoint
  • External authentication information (i.e. when a user authenticates with Google or SAML instead of username/password) is now provided in the JSON returned by the /userinfo endpoint
  • The first incarnation of the administrative dashboard is now included in the service
  • The first incarnation of the registration service is now included. The registration service implements a "self-register with admin approval" registration flow
  • User passwords are now encoded in the database using the Bcrypt encoder
  • A password forgotten service is now provided

More information about bug fixes and other developments can be found on our JIRA release board

0.3.0 (2016-07-12)

This is the first public release of the INDIGO Identity and Access Management Service.

The IAM is an OpenID-connect identity provider which provides:

The IAM is currently released as a Docker image hosted on Dockerhub.

Documentation on how to build and run the service can be found in the IAM GitBook manual or on Github.

results matching ""

    No results matching ""