uaa/43
You can find the source of this version on GitHub at cloudfoundry/uaa-release. It was created based on the commit 6e0356d4.
Release Notes
Stories included in release
Breaking Changes
Starting with UAA bosh release v43 the following Default Authorities will be set by default for all new identity zones:
- openid
- password.write
- uaa.user
- approvals.me
- profile
- roles
- user_attributes
- uaa.offline_token
The following Default Authorities will be set by default for the system zone:
- scim.me
- cloud_controller.read
- cloud_controller.write
- cloud_controller_service_permissions.read
- oauth.approvals
- notification_preferences.read
- notification_preferences.write
These values can be changed via the UAA Bosh release manifest or UAA identity zone APIs.
Other Spec Changes
Support multiple SAML Keys with Active Key for SAML Key Rotation
login.saml.activeKeyId:
  description: |
    The active key to be used for signing messages and the key to be used to encrypt messages.
    See login.saml.keys
login.saml.keys:
  description: |
    A map of keys where each map key is the name of the key. The login.saml.activeKeyId must match
    one of the keys in the map.
    To rotate keys, simply add keys. To activate a key, add it as the login.saml.activeKeyId
  example: |
    activeKeyId: key1
    keys:
      key1:
        key: |
          -----BEGIN RSA PRIVATE KEY-----
          -----END RSA PRIVATE KEY-----
        passphrase: password
        certificate: |
          -----BEGIN CERTIFICATE-----
          -----END CERTIFICATE-----
      key2:
        key: |
          -----BEGIN RSA PRIVATE KEY-----
          -----END RSA PRIVATE KEY-----
        passphrase: password
        certificate: |
          -----BEGIN CERTIFICATE-----
          -----END CERTIFICATE-----
login.saml.serviceProviderKey:
  description: "Deprecated. Use login.saml.keys. Private key for the service provider certificate."
login.saml.serviceProviderKeyPassword:
  description: "Deprecated. Use login.saml.keys. Passphrase for the service provider private key."
  default: ""
login.saml.serviceProviderCertificate:
  description: "Deprecated. Use login.saml.keys. Service provider certificate."
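The rule the spec states for login.saml.keys (activeKeyId must name a key in the map, and rotation means adding a key first and switching the active id afterwards) can be checked before a manifest is deployed. The following is an added example, not code from uaa-release; the config dict and PEM placeholders are constructed, and the checks are limited to shape (a real deploy would also confirm each certificate matches its private key).

```python
import re
# Constructed sample in the shape of the login.saml.keys example above;
# the PEM bodies are placeholders, not real key material.
SAML_CONFIG = {
    "activeKeyId": "key1",
    "keys": {
        "key1": {
            "key": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
            "passphrase": "password",
            "certificate": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
        },
    },
}
PEM_RE = re.compile(r"-----BEGIN (?P<label>[A-Z ]+)-----\n.+?\n-----END (?P=label)-----\n?", re.S)

def pem_label(pem):
    """Return the PEM label ('CERTIFICATE', 'RSA PRIVATE KEY', ...) or None if malformed."""
    m = PEM_RE.fullmatch(pem.strip() + "\n")
    return m.group("label") if m else None

def validate_saml_keys(cfg):
    """Return the rule violations; an empty list means activeKeyId and the key map agree."""
    problems = []
    keys = cfg.get("keys") or {}
    active = cfg.get("activeKeyId")
    if active not in keys:
        problems.append("activeKeyId %r is not one of %s" % (active, sorted(keys)))
    for name, entry in keys.items():
        if pem_label(entry.get("key", "")) not in ("RSA PRIVATE KEY", "PRIVATE KEY"):
            problems.append("%s: key is not a PEM private key" % name)
        if pem_label(entry.get("certificate", "")) != "CERTIFICATE":
            problems.append("%s: certificate is not a PEM certificate" % name)
    return problems

def add_saml_key(cfg, key_id, entry):
    """Rotation step 1: add the new key but keep the current one active (its cert stays published)."""
    if key_id in cfg["keys"]:
        raise ValueError("key id %r already exists" % key_id)
    new = {"activeKeyId": cfg["activeKeyId"], "keys": dict(cfg["keys"])}
    new["keys"][key_id] = entry
    return new

def activate_saml_key(cfg, key_id):
    """Rotation step 2: switch activeKeyId, refusing an id that is not in the map."""
    new = {"activeKeyId": key_id, "keys": dict(cfg["keys"])}
    problems = validate_saml_keys(new)
    if problems:
        raise ValueError("; ".join(problems))
    return new
```

Keeping the previous key in the map after activation lets relying parties that still verify against the old certificate keep working until they have refreshed the SP metadata.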
Support OpenID Connect Identity Provider Discovery URL
my-oidc-provider:
  type: oidc1.0
  discoveryUrl: |
    <URL for OpenID Connect Identity Provider discovery, example: https://accounts.google.com/.well-known/openid-configuration>
With automatic discovery you can omit several attributes, such as the issuer, the auth endpoint, the token endpoint, the userinfo endpoint and the token key URL, because they are read from the discovery document.
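Because the discovery document now supplies the issuer and endpoints that were previously configured by hand, the document itself becomes trust input. The following is an added example, not UAA code: it derives the omitted attributes from a discovery document and applies the checks a relying party should make first (the issuer must equal the URL prefix the document was fetched from, every endpoint must be present and https). The discovery document is constructed, and the UAA attribute names in the mapping are assumed rather than taken from this page.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Discovery fields and the UAA provider attributes they replace
# (UAA attribute names are assumed, not taken from this page).
FIELD_TO_UAA_ATTR = {
    "issuer": "issuer",
    "authorization_endpoint": "authUrl",
    "token_endpoint": "tokenUrl",
    "userinfo_endpoint": "userInfoUrl",
    "jwks_uri": "tokenKeyUrl",
}
# Constructed discovery document for a made-up provider; not fetched from anywhere.
SAMPLE_DISCOVERY_URL = "https://idp.example.test" + WELL_KNOWN
SAMPLE_DOCUMENT = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/oauth/authorize",
    "token_endpoint": "https://idp.example.test/oauth/token",
    "userinfo_endpoint": "https://idp.example.test/userinfo",
    "jwks_uri": "https://idp.example.test/token_keys",
})

def resolve_provider(discovery_url, document):
    """Derive the provider attributes from a discovery document, applying the checks
    a relying party should make before trusting it."""
    if not discovery_url.endswith(WELL_KNOWN):
        raise ValueError("discoveryUrl must end with " + WELL_KNOWN)
    doc = json.loads(document)
    # OpenID Connect Discovery requires the issuer in the document to be identical to
    # the issuer the document was fetched under; a mismatch means the document
    # (or something in the path) is steering the relying party to other endpoints.
    expected_issuer = discovery_url[: -len(WELL_KNOWN)]
    if doc.get("issuer") != expected_issuer:
        raise ValueError("issuer %r does not match discoveryUrl" % doc.get("issuer"))
    attrs = {}
    for field, attr in FIELD_TO_UAA_ATTR.items():
        value = doc.get(field)
        if not value:
            raise ValueError("discovery document lacks " + field)
        if urlsplit(value).scheme != "https":
            raise ValueError("%s must be https, got %r" % (field, value))
        attrs[attr] = value
    return attrs
```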
Support UAADB TLS
uaadb.tls_enabled:
  description: "Use TLS connection for UAA database"
  default: false
Features
- Make User Default Authorities Zone Specific and allow setting them via API
- Page that documents prop mapping
- Unable to set discoveryUrl on OIDC/OAUTH providers in UAA config file
- Better default for storeCustomAttributes
- Ability to specify multiple SAML Keys with an active key id
- Update the API docs for required_user_groups
- JWT Bearer Token Exchange support external OIDC
- Provide the ability to register a client with jwt-bearer grant type
- Support for UAA id_token to be exchanged for Access Token via JWT Bearer
- Enable SSL/TLS for DB Configuration in UAA YML and in UAA Release Spec
- All password changes should throw audit events
- Validation for Clients of Type jwt-bearer
- JWT token authentication - username allowed to be null and fail
- Refactor DAO objects to always take zone-id parameter
- Fix example for getting token from local UAA on the Github UAA readme
- support id_token exchange for an access token within the same identity zone
- Enable audience check for JWT Bearer Token Exchange
- cloudfoundry/uaa #639: When acting as a SAML SP allow configuration of RequestedAuthnContext
Bug Fixes
- cloudfoundry/uaa #611: Update approvals in profile deletes approvals for other client ids
- Passing in ID token for check token endpoint returns 500 error
- Handle null app launch URL causing NullPointerException on UAA home page
- Race condition on OIDC/Oauth authentication
- Documentation update for /password endpoint
- cloudfoundry/uaa #628: UserInfo endpoint under .well-known/openid-configuration not correct
- idp_discovery not working for OIDC with only discoveryUrl
- password_resets documentation bug
- cloudfoundry/uaa #640: Nullpointer exception in UAA
- Missing documentation for GET /Users
- Client secret can’t be set to empty via yml
- UAA incorrectly parses private keys created with openssl req
Other Updates
The following dependencies have been updated:
- Updated hibernate-validator to 4.3.2
- Updated thymeleaf to 3.0.6 and ognl to 3.1.12
- Updated owasp-esapi-java to 2.1.0.1
- Updated spring-security-jwt to 1.0.8
- Updated commons-collections to 3.2.2
- Updated not-yet-commons-ssl to 0.3.17
- Updated statsd to no longer use spring-security and tomcat-embed-logging-juli
Usage
You can reference this release in your deployment manifest from the releases
section:
- name: "uaa"
  version: "43"
  url: "https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=43"
  sha1: "25d858cde37705c9f525e2cad4ab3b9cf21d6de5"
Or upload it to your director with the upload-release
command:
bosh upload-release --sha1 25d858cde37705c9f525e2cad4ab3b9cf21d6de5 \
  "https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=43"