UAA Release Notes

Q1 2017 Release

New Enhancements

The following new enhancements have been added.

Added Support for Configuring OpenID Connect (OIDC) Identity Provider in UAA Dashboard
You can now configure your UAA instance to support an external OIDC identity provider using the UAA dashboard. For more information, see uaas-managing-identity-providers.html#task_oct_sz2_5w.
Added Capability to Setup Shadow Users in UAA using UAA Dashboard
You can now use the UAA dashboard to create shadow users. A shadow user is a local user in UAA corresponding to a user defined in the external identity provider that you are configuring with your UAA instance. The local user is created when the user logs in for the first time. This feature enables a user to be authenticated by UAA without requiring you to create that user in UAA as well.

You can either choose to create shadow users for all users in your identity provider or create shadow users one at a time.

To create shadow users for all users in your identity provider, use the Automatically create a shadow user on login option when you configure UAA for a new identity provider. For more information, see uaas-managing-identity-providers.html#task_oct_sz2_5w.

To create selected shadow users, select the Shadow User option when you create a new user. This option is useful if you need to whitelist users so that only a subset of the users set up in your identity provider can authenticate. For more information, see uaas-managing-users.html#task_lrr_n5w_fs.

Q4 2016 Release

New Features

The following new features have been added.

OpenID Connect Endpoints Published
The OpenID Connect flow was updated with endpoint information. For more information, see https://docs.cloudfoundry.org/api/uaa/#openid-connect-flow.
Added Client Credentials Lockout Policy
You can now configure a client credentials lockout policy for your UAA instance that locks the client credentials for a specified period of time after a specified number of unsuccessful login attempts.

For more information, see create-pswd-policies.html#task_gdk_f43_fx.
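The lockout behaviour described above, as an added example that is not UAA's own implementation: a small policy object that counts consecutive failed client authentications, locks the client once the threshold is reached, and clears the lock after the configured period. The parameter names (`lockout_after_failures`, `lockout_seconds`) and the client registry are constructed for the example and are not UAA configuration keys.

```python
import hmac
import time
from dataclasses import dataclass, field


@dataclass
class ClientLockoutPolicy:
    """Lock a client after N consecutive failures for `lockout_seconds`.

    Hypothetical parameter names; they are not UAA's configuration keys.
    """
    lockout_after_failures: int = 5
    lockout_seconds: int = 300
    # client_id -> consecutive failure count
    _failures: dict = field(default_factory=dict)
    # client_id -> unix time at which the lock expires
    _locked_until: dict = field(default_factory=dict)

    def is_locked(self, client_id, now=None):
        now = time.time() if now is None else now
        until = self._locked_until.get(client_id)
        if until is None:
            return False
        if now >= until:
            # Lock has expired: clear it together with the failure counter.
            del self._locked_until[client_id]
            self._failures.pop(client_id, None)
            return False
        return True

    def record_failure(self, client_id, now=None):
        """Count a failure; return True if the client is (now) locked."""
        now = time.time() if now is None else now
        if self.is_locked(client_id, now):
            return True
        count = self._failures.get(client_id, 0) + 1
        self._failures[client_id] = count
        if count >= self.lockout_after_failures:
            self._locked_until[client_id] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, client_id):
        # A successful authentication resets the consecutive-failure count.
        self._failures.pop(client_id, None)


def authenticate_client(policy, registry, client_id, secret, now=None):
    """Return (ok, reason). `registry` maps client_id -> secret (constructed sample data).

    The lock is checked before the secret, so even the correct secret is
    rejected while the client is locked; that is the point of the policy.
    """
    if policy.is_locked(client_id, now):
        return False, "locked"
    # Constant-time compare; unknown clients compare against "" so the
    # response does not reveal whether the client_id exists.
    if hmac.compare_digest(registry.get(client_id, ""), secret):
        policy.record_success(client_id)
        return True, "ok"
    policy.record_failure(client_id, now)
    return False, "bad_credentials"
```

The `now` parameter exists only so the behaviour can be exercised deterministically; a real deployment would use the clock and would also log each lock event, since a burst of lockouts across many clients is worth an alert.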

New Enhancements

Enhanced UAA Dashboard User Interface
The UAA Dashboard user interface was enhanced for managing identity providers and managing password policies.

For more information, see Managing Identity Providers and create-pswd-policies.html#task_gdk_f43_fx.

Enhanced MetaData Generated by UAA as IdP
  • UAA now generates NameIDPolicy in the identity provider (IdP) metadata. The NameIDPolicy specifies the SAML name identifier format that is used by the IdP. SAML 2.0 requires the IdP to exchange the name identifier format with the service provider (SP) for SSO service setup.

    For more information, see https://github.com/cloudfoundry/uaa/pull/439.

  • UAA now generates the inResponseTo attribute in the IdP metadata. The attribute was added to saml2p:Response to correspond with the inResponseTo attribute for saml2:SubjectConfirmationData.

    For more information, see https://github.com/cloudfoundry/uaa/pull/441.

Q3 2016 Release

New Features

The following new features have been added.

UAA Dashboard
Predix.io now provides a graphical user interface to configure and manage your UAA instance. When you select a UAA instance from the Services page on Predix.io, you can click the Configure your instance button to access the UAA Dashboard. Some of the tasks that you can accomplish using the UAA Dashboard are:
  • View the clients, users and identity providers related to your UAA instance.
  • View client and user details.
  • View clients associated with your service instances.
  • Create and update clients.
  • Create and update users.
  • Add identity providers for SAML federation flow where UAA is the service provider.

For more information, see Using the UAA Service.

Support for OpenID Connect Relying Party
UAA now supports federating to an OpenID Connect 1.0 compliant Identity Provider in addition to SAML 2.0 providers.

For more information, see Cloud Foundry UAA Documentation.

New Enhancements

The following new enhancements have been added.

Identity Provider Discovery
UAA now supports Identity Provider discovery when multiple SAML or OpenID Connect Identity Providers are enabled for any given Identity Zone.

For more information, see the description of the Identity Zone API in the Cloud Foundry UAA Documentation.

Opaque Tokens
A new token type, opaque, was added in addition to JWT tokens.

For more information, see Cloud Foundry UAA Documentation.

Revocable Tokens
UAA now supports revocable tokens. Both JWT and Opaque tokens are revocable. You can configure a JWT token for revocation per Identity Zone. The configuration is turned off by default.

For more information, see Cloud Foundry UAA Documentation.
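The two notes above (Opaque Tokens and Revocable Tokens) describe a reference-token model: an opaque token carries no claims, so every check is a server-side lookup, and revocation is simply removing the server-side record. The store below is an added example, not UAA's implementation. It keeps only a SHA-256 digest of each issued token, so a copy of the store does not yield usable tokens; the `ttl_seconds` and `now` parameters and all sample values are constructed for the example.

```python
import hashlib
import secrets
import time


class OpaqueTokenStore:
    """Server-side store for opaque (reference) tokens.

    Constructed example, not UAA's code. Records are keyed by a digest of the
    token rather than the token itself.
    """

    def __init__(self):
        self._records = {}  # token digest -> claims record

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, client_id, scopes, ttl_seconds, now=None):
        """Mint a token with 256 bits of randomness; the string itself means nothing."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = {
            "user_id": user_id,
            "client_id": client_id,
            "scope": sorted(scopes),
            "exp": now + ttl_seconds,
        }
        return token

    def introspect(self, token, now=None):
        """Return the claims if the token is known and unexpired, else None.

        A revoked token has no record, so it is indistinguishable from a
        token that was never issued.
        """
        now = time.time() if now is None else now
        rec = self._records.get(self._digest(token))
        if rec is None or now >= rec["exp"]:
            return None
        return dict(rec)

    def revoke(self, token):
        """Revoke one token; return True if it was known."""
        return self._records.pop(self._digest(token), None) is not None

    def revoke_all_for_user(self, user_id):
        """Revoke every token issued to a user (e.g. on password reset); return the count."""
        doomed = [d for d, rec in self._records.items() if rec["user_id"] == user_id]
        for d in doomed:
            del self._records[d]
        return len(doomed)
```

Because the claims live only in the store, a resource server must call back to the issuer (UAA's `/check_token` or introspection) on every request; the trade-off against a self-contained JWT is one extra round trip in exchange for immediate revocation.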

JWT Key Rotation
UAA now supports specifying multiple signing and verification keys as part of the Identity Zone configuration.

For more information, see Cloud Foundry UAA Documentation.

Q2 2016 Release

New Features

The following new features have been added.

UAA as SAML Identity Provider
You can now configure UAA as a SAML identity provider to integrate with other service providers. For more information, see uaas-managing-identity-providers.html#task_nbg_cg2_3v.
Ability to configure UAA properties per UAA zone
You can now use the UAA APIs to configure the following settings for a UAA zone that you created:
  • Enable or disable the self-service links UI. By default, it is set to False (disabled).
  • Enable or disable internal authorization. By default, it is set to False (disabled).
  • Enable or disable internal user store management. By default, it is set to False (disabled).
  • Set the home page redirect.
Allow use of /check_token to perform authorization
In addition to validating the token itself, UAA also allows the requester to include a list of scopes to perform authorization against the token. When the requester sends a scope parameter with one or more scopes, UAA validates that the token is authorized for the specified scopes.

For more information, see UAA Documentation.
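The /check_token scope check described above, together with the JWT Key Rotation note in the Q3 2016 release, can be illustrated with one local example. This is added code, not UAA's implementation: a key ring holds several named verification keys with one active signing key, tokens carry the key id in the JWT `kid` header, and `check_token` verifies the signature with the key the `kid` names, rejects expired tokens, and then requires every requested scope. The example uses HMAC-SHA256 so that it runs on the standard library alone; UAA itself signs with asymmetric keys, but the `kid` lookup and the scope comparison work the same way. All key names, secrets and claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class KeyRing:
    """Several named keys: exactly one signs, all of them may verify.

    Constructed example; the rotation API is not UAA's.
    """

    def __init__(self, keys, active_kid):
        self.keys = dict(keys)          # kid -> HMAC secret (bytes)
        self.active_kid = active_kid

    def rotate(self, new_kid, new_key):
        # New tokens use the new key; old keys stay for verification.
        self.keys[new_kid] = new_key
        self.active_kid = new_kid

    def retire(self, kid):
        # Once retired, tokens signed with this key no longer verify.
        if kid == self.active_kid:
            raise ValueError("cannot retire the active signing key")
        self.keys.pop(kid, None)


def sign_jwt(ring, claims):
    header = {"alg": "HS256", "typ": "JWT", "kid": ring.active_kid}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    sig = hmac.new(ring.keys[ring.active_kid], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def check_token(ring, token, scopes=(), now=None):
    """/check_token-style check: verify, reject expired, then require every scope.

    Returns (claims, None) on success or (None, error_code) on failure.
    """
    now = time.time() if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:
        return None, "invalid_token"
    # Accept only the algorithm this service expects; never let the token choose.
    if header.get("alg") != "HS256":
        return None, "invalid_token"
    key = ring.keys.get(header.get("kid"))
    if key is None:
        return None, "invalid_token"          # unknown or retired kid
    expected = hmac.new(key, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "invalid_token"
    if now >= claims.get("exp", 0):
        return None, "invalid_token"          # expired (or no exp claim)
    # Authorization step: every requested scope must be present on the token.
    missing = set(scopes) - set(claims.get("scope", []))
    if missing:
        return None, "insufficient_scope"
    return claims, None
```

The ordering matters: signature and expiry are checked before scopes, so an attacker cannot learn which scopes a forged token would have needed. Rotation is two steps, add-and-activate followed later by retire, and the gap between them must cover the lifetime of tokens signed with the old key.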

Support for User Account Verification
The Create a User API now supports an additional attribute called verified. By default, verified is set to True, which means that when you create a user, the user is authenticated by UAA and no additional verification is required for the user to obtain a token from UAA. When the attribute is set to Null, it defaults to True. If your application requires user verification, you can set this attribute to False. When the attribute is set to False, your application must authenticate the user and then use the Verify User Links API to update the user's verification status in UAA. To verify the user, the application must define its own authentication process.
Note: Any users that were created prior to this release are authenticated by default, even if the verified attribute was set to False.