UAA Release Notes
Q1 2017 Release
New Enhancements
The following new enhancements have been added.
- Added Support for Configuring OpenID Connect (OIDC) Identity Provider in UAA Dashboard
- You can now configure your UAA instance to support an external OIDC identity provider using the UAA dashboard. For more information, see uaas-managing-identity-providers.html#task_oct_sz2_5w.
- Added Capability to Setup Shadow Users in UAA using UAA Dashboard
- You can now use the UAA dashboard to create shadow users. A shadow user is a local UAA user that corresponds to a user defined in the external identity provider you configure for your UAA instance. The local user is created when that user logs in for the first time, so the user can be authenticated through UAA without your having to create the account in UAA separately.
You can either choose to create shadow users for all users in your identity provider or create shadow users one at a time.
To create shadow users for all users in your identity provider, use the Automatically create a shadow user on login option when you configure UAA for a new identity provider. For more information, see uaas-managing-identity-providers.html#task_oct_sz2_5w.
To create selected shadow users, select the Shadow User option when you create a new user. This option is useful when you need to allowlist users so that only a subset of the users set up in your identity provider can authenticate. For more information, see uaas-managing-users.html#task_lrr_n5w_fs.
Q4 2016 Release
New Features
The following new features have been added.
- OpenID Connect Endpoints Published
- The OpenID Connect endpoints are now published, and the OpenID Connect flow documentation was updated with the endpoint information. For more information, see https://docs.cloudfoundry.org/api/uaa/#openid-connect-flow.
- Added Client Credentials Lockout Policy
- You can now configure a client credentials lockout policy for your UAA instance. The policy locks a client's credentials for a specified period of time after a specified number of unsuccessful authentication attempts, which limits online guessing of client secrets.
For more information, see create-pswd-policies.html#task_gdk_f43_fx.
New Enhancements
- Enhanced UAA Dashboard User Interface
- The UAA Dashboard user interface was enhanced for managing identity providers and managing password policies.
For more information, see Managing Identity Providers and create-pswd-policies.html#task_gdk_f43_fx.
- Enhanced Metadata Generated by UAA as IdP
- UAA now generates NameIDPolicy in the identity provider (IdP) metadata. The NameIDPolicy specifies the SAML name identifier format used by the IdP. SAML 2.0 requires the IdP to exchange the name identifier format with the service provider (SP) when the SSO service is set up. For more information, see https://github.com/cloudfoundry/uaa/pull/439.
- UAA, acting as IdP, now sets the InResponseTo attribute on the saml2p:Response it issues, matching the InResponseTo attribute of saml2:SubjectConfirmationData. An SP uses this attribute to tie the response to the AuthnRequest it sent. For more information, see https://github.com/cloudfoundry/uaa/pull/441.
- UAA now generates
Q3 2016 Release
New Features
The following new features have been added.
- UAA Dashboard
- Predix.io now provides a graphical user interface to configure and manage your UAA instance. When you select a UAA instance from the Services page on Predix.io, click the Configure your instance button to open the UAA Dashboard. Tasks you can accomplish using the UAA Dashboard include:
- View the clients, users and identity providers related to your UAA instance.
- View client and user details.
- View clients associated with your service instances.
- Create and update clients.
- Create and update users.
- Add identity providers for SAML federation flow where UAA is the service provider.
For more information, see Using the UAA Service.
- Support for OpenID Connect Relying Party
- UAA now supports federating to an OpenID Connect 1.0 compliant Identity Provider in addition to SAML 2.0 providers.
For more information, see Cloud Foundry UAA Documentation.
New Enhancements
The following new enhancements have been added.
- Identity Provider Discovery
- UAA now supports Identity Provider discovery when multiple SAML or OpenID Connect Identity Providers are enabled for any given Identity Zone.
For more information, see the description of the Identity Zone API in the Cloud Foundry UAA Documentation.
- Opaque Tokens
- A new opaque token type was added in addition to JWT tokens. Unlike a JWT, an opaque token carries no claims itself; a resource server validates it by calling back to UAA (for example, /check_token).
For more information, see Cloud Foundry UAA Documentation.
- Revocable Tokens
- UAA now supports revocable tokens. Both JWT and opaque tokens can be revoked. Revocability of JWT tokens is configured per Identity Zone and is turned off by default.
For more information, see Cloud Foundry UAA Documentation.
- JWT Key Rotation
- UAA now supports specifying multiple signing and verification keys as part of the Identity Zone configuration.
For more information, see Cloud Foundry UAA Documentation.
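The rotation that the multiple-key support above makes possible, as an added example that is not UAA's or Predix's own code: tokens name the key that signed them in the JWT `kid` header, a verifier picks the key from the zone's key set, a new active key is introduced while the old one is kept for verification, and the old key is retired only after the tokens it signed have expired. The `activeKeyId` / `keys` / `signingKey` shape is modelled on the UAA identity-zone `tokenPolicy`; HS256 with constructed secrets is used so the example runs on the standard library alone (UAA deployments normally use RS256 key pairs, but the rotation logic is the same).

```python
# Added example (not UAA's own code): JWT signing and verification with
# kid-based key selection, modelled on the tokenPolicy.activeKeyId /
# tokenPolicy.keys shape of a UAA identity-zone configuration.
# HS256 with constructed secrets keeps it standard-library only.
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed zone token policy: two keys are known to the zone, only the
# active one signs new tokens, both still verify.
ZONE_TOKEN_POLICY = {
    "activeKeyId": "key-2016-09",
    "keys": {
        "key-2016-06": {"signingKey": "old-secret-rotate-me"},
        "key-2016-09": {"signingKey": "current-secret"},
    },
}


def sign_jwt(claims: dict, token_policy: dict) -> str:
    """Sign with the zone's active key and record its kid in the header."""
    kid = token_policy["activeKeyId"]
    secret = token_policy["keys"][kid]["signingKey"].encode()
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def decode_header(token: str) -> dict:
    return json.loads(_b64url_decode(token.split(".")[0]))


def verify_jwt(token: str, token_policy: dict, now=None) -> dict:
    """Return the claims if the token verifies under one of the zone's keys.

    Raises ValueError otherwise. The key is chosen by the kid the token
    names, so tokens signed before a rotation still verify as long as the
    old key has not been retired from the policy.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    key_entry = token_policy["keys"].get(header.get("kid"))
    if key_entry is None:
        raise ValueError("unknown kid")  # retired or foreign key: fail closed
    expected = hmac.new(key_entry["signingKey"].encode(),
                        f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims


def token_accepted(token: str, token_policy: dict, now=None) -> bool:
    try:
        verify_jwt(token, token_policy, now)
        return True
    except ValueError:
        return False


def rotate(token_policy: dict, new_kid: str, new_secret: str) -> dict:
    """Step 1 of a rotation: add the new key and make it active. Old keys stay
    in the policy so tokens they signed remain valid until they expire."""
    policy = json.loads(json.dumps(token_policy))  # deep copy, input untouched
    policy["keys"][new_kid] = {"signingKey": new_secret}
    policy["activeKeyId"] = new_kid
    return policy


def retire(token_policy: dict, kid: str) -> dict:
    """Step 2, once every token signed by `kid` has expired: drop the key.
    Refuses to drop the active key, which would break newly issued tokens."""
    if kid == token_policy["activeKeyId"]:
        raise ValueError("cannot retire the active signing key")
    policy = json.loads(json.dumps(token_policy))
    del policy["keys"][kid]
    return policy


if __name__ == "__main__":
    claims = {"sub": "alice", "scope": ["openid"], "exp": int(time.time()) + 3600}
    tok = sign_jwt(claims, ZONE_TOKEN_POLICY)
    print(decode_header(tok)["kid"], token_accepted(tok, ZONE_TOKEN_POLICY))
```

The order matters in practice: publish the new key to verifiers first, then make it active for signing, and only retire the old key after the longest-lived token it signed (including refresh tokens) has expired; otherwise clients holding valid tokens are rejected mid-session.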
Q2 2016 Release
New Features
The following new features have been added.
- UAA as SAML Identity Provider
- You can now configure UAA as a SAML identity provider to integrate with other service providers. For more information, see uaas-managing-identity-providers.html#task_nbg_cg2_3v.
- Ability to configure UAA properties per UAA zone
- You can now use the UAA APIs to configure the following values for a UAA zone that you created:
- Enable or disable the self-service links UI. By default, it is set to False (disabled).
- Enable or disable internal authorization. By default, it is set to False (disabled).
- Enable or disable internal user store management. By default, it is set to False (disabled).
- Set the home page redirect.
- Allow use of /check_token to perform authorization. In addition to validating the token itself, UAA allows the requester to include a list of scopes to authorize against the token. When the requester sends a scope parameter with one or more scopes, UAA validates that the token is authorized for all of the specified scopes.
For more information, see UAA Documentation.
- Support for User Account Verification
- The Create a User API now supports an additional attribute called verified. By default, verified is set to True, which means that when you create a user, UAA treats the account as verified and no additional verification is required for the user to obtain a token from UAA. When the attribute is set to Null, it defaults to True. If your application requires user verification, set this attribute to False. When the attribute is set to False, your application must verify the user through its own process and then use the Verify User Links API to update the user's verification status in UAA. Note: Any users created prior to this release are treated as verified by default, even if the verified attribute was set to False.
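The /check_token scope check described under the Q2 2016 release above, seen from a resource server, as an added example that is not UAA's or Predix's own code. The details it assumes are taken from the Cloud Foundry UAA API documentation rather than from this page: the endpoint is POST /check_token authenticated with the resource server's client credentials over HTTP Basic, the form fields are `token` and `scopes` (comma-separated), a token lacking a requested scope is answered with HTTP 400 and error `invalid_scope`, and an unrecognised token with HTTP 400 and error `invalid_token`. The UAA URL, client id, secret, scope names and sample responses are constructed.

```python
# Added example (not UAA's or Predix's own code): a resource server calling
# POST /check_token with the scopes it requires, then re-checking the result
# locally. Endpoint, field names and error codes are assumptions taken from
# the Cloud Foundry UAA API docs; URL, credentials and responses are made up.
import base64
import json
import urllib.error
import urllib.parse
import urllib.request


def build_check_token_request(uaa_url, client_id, client_secret, token, scopes=()):
    """Return (url, headers, body) for POST /check_token."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode("ascii")
    form = {"token": token}
    if scopes:
        form["scopes"] = ",".join(scopes)  # ask UAA to authorize these scopes too
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return f"{uaa_url.rstrip('/')}/check_token", headers, urllib.parse.urlencode(form).encode()


def decide(status, body, required_scopes):
    """Map a /check_token response to (allowed, reason).

    A 200 means UAA found the token valid and, if `scopes` was sent, authorized
    for them. The granted scopes are compared locally as well so the decision
    never rests on a single status code.
    """
    if status == 200:
        missing = set(required_scopes) - set(body.get("scope", []))
        return (False, f"missing scopes: {sorted(missing)}") if missing else (True, "ok")
    if status == 400:
        return False, body.get("error", "bad_request")  # invalid_scope / invalid_token
    return False, f"unexpected status {status}"


def urllib_transport(url, headers, data):
    """Real HTTP call; returns (status, parsed JSON body)."""
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


# Constructed responses standing in for UAA, keyed by token, so the example
# runs offline. Shapes follow the UAA API docs (assumption).
SAMPLE_RESPONSES = {
    "good-token": (200, {"client_id": "asset-ui", "user_name": "alice",
                         "scope": ["openid", "predix-asset.zones.abc.user"]}),
    "narrow-token": (400, {"error": "invalid_scope",
                           "error_description": "Some requested scopes are missing"}),
    "forged-token": (400, {"error": "invalid_token",
                           "error_description": "The token was not recognised"}),
}


def sample_transport(url, headers, data):
    """Offline stand-in for urllib_transport using the constructed responses."""
    token = urllib.parse.parse_qs(data.decode())["token"][0]
    return SAMPLE_RESPONSES.get(token, (400, {"error": "invalid_token"}))


def authorize(token, required_scopes, uaa_url="https://uaa.example.predix.io",
              client_id="asset-service", client_secret="CHANGE-ME",
              transport=urllib_transport):
    """Introspect `token` at UAA and return (allowed, reason)."""
    url, headers, data = build_check_token_request(uaa_url, client_id, client_secret,
                                                   token, required_scopes)
    status, body = transport(url, headers, data)
    return decide(status, body, required_scopes)


if __name__ == "__main__":
    for tok in SAMPLE_RESPONSES:
        print(tok, authorize(tok, ["predix-asset.zones.abc.user"], transport=sample_transport))
```

Passing `transport=urllib_transport` (the default) makes the real call; the injectable transport exists so the decision logic can be exercised without a UAA instance. Treat every non-200 answer as a denial, and keep the resource server's client secret out of source control.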