Safewhere Identify 5.11 Release Notes

This document summarizes all new features and bug fixes in version 5.11, as well as breaking changes to expect when upgrading from previous versions.

New features and improvements

New encryption algorithms

We have added support for the following new Block Encryption algorithms:

  1. http://www.w3.org/2009/xmlenc11#aes128-gcm
  2. http://www.w3.org/2009/xmlenc11#aes192-gcm
  3. http://www.w3.org/2009/xmlenc11#aes256-gcm

and a new Key Transport algorithm which is http://www.w3.org/2009/xmlenc11#rsa-oaep.

The RSA-OAEP and AES-GCM algorithms are state-of-the-art algorithms and are recommended by specifications such as XML Encryption Syntax and Processing Version 1.1 and OIOSAML 3.0.
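As an added illustration that is not part of the original release notes or the Identify code base, the check below reads the block-encryption and key-transport algorithm URIs out of a SAML EncryptedAssertion and reports anything that is not one of the four xmlenc11 algorithms listed above. The sample assertions are constructed skeletons with placeholder ciphertext; the legacy aes128-cbc and rsa-1_5 URIs are the older xmlenc 1.0 identifiers they replace.

```python
import xml.etree.ElementTree as ET

XENC = "{http://www.w3.org/2001/04/xmlenc#}"
XENC11 = "http://www.w3.org/2009/xmlenc11#"

# The block-encryption and key-transport algorithms this release adds, all from xmlenc11.
RECOMMENDED_BLOCK = {XENC11 + s for s in ("aes128-gcm", "aes192-gcm", "aes256-gcm")}
RECOMMENDED_TRANSPORT = {XENC11 + "rsa-oaep"}


def encryption_methods(encrypted_assertion_xml):
    """Return (block_alg, key_transport_alg) from a saml:EncryptedAssertion element.

    Works whether xenc:EncryptedKey sits inside ds:KeyInfo or beside xenc:EncryptedData."""
    root = ET.fromstring(encrypted_assertion_xml)
    block = root.find(f".//{XENC}EncryptedData/{XENC}EncryptionMethod")
    transport = root.find(f".//{XENC}EncryptedKey/{XENC}EncryptionMethod")
    return (block.get("Algorithm") if block is not None else None,
            transport.get("Algorithm") if transport is not None else None)


def check_algorithms(encrypted_assertion_xml):
    """List policy findings; an empty list means only the recommended algorithms are used."""
    block, transport = encryption_methods(encrypted_assertion_xml)
    findings = []
    if block not in RECOMMENDED_BLOCK:
        findings.append(f"block encryption {block} is not one of the xmlenc11 AES-GCM algorithms")
    if transport not in RECOMMENDED_TRANSPORT:
        findings.append(f"key transport {transport} is not xmlenc11 RSA-OAEP")
    return findings


def sample(block_alg, transport_alg):
    """Build a constructed, minimal EncryptedAssertion skeleton (placeholder ciphertext only)."""
    return f"""<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm="{block_alg}"/>
    <ds:KeyInfo><xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="{transport_alg}"/>
      <xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey></ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
</saml:EncryptedAssertion>"""


MODERN = sample(XENC11 + "aes256-gcm", XENC11 + "rsa-oaep")
LEGACY = sample("http://www.w3.org/2001/04/xmlenc#aes128-cbc", "http://www.w3.org/2001/04/xmlenc#rsa-1_5")

if __name__ == "__main__":
    print(check_algorithms(MODERN))  # []
    print(check_algorithms(LEGACY))  # two findings
```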

SAML GCM Encryption settings

NemLog-in3 integration

Identify is now able to integrate with the NemLog-in3 identity provider. In particular, Identify can handle NemLog-in3 tokens that are encrypted using the RSA-OAEP and AES-GCM encryption algorithms.

Logging

Application Insights log store

In previous versions, even though you could configure Identify to log to Application Insights, the configuration process required modifying web.config files which was inconvenient. From version 5.11, you can ask Identify to log to Application Insights using the Logging page on the Admin portal.

Multiple log stores support

Another new logging feature is that you can now configure Identify to log to multiple log stores at the same time, for example, to text files and the SQL database. This feature can be convenient when it comes to troubleshooting. Normally, you can set Identify up to log to text files for cost and performance purposes. However, when you need to collect logs of some activities, you can temporarily enable logging to the SQL database, perform those activities, use the Admin portal to view and download logs, and finally turn the SQL option off again.

New MFA features

Device authentication (Trusted browser)

Device authentication is a new MFA method that allows users to register their devices’ browsers as "trusted" browsers. Trusted devices can be exempted from doing second factor authentication. Device authentication provides the perfect balance between security (only trusted devices can skip second factor authentication) and usability (users need to do second factor authentication less often).

Because the device authentication feature uses cookies to mark devices as trusted, we sometimes call it cookie-based authentication.

Skip doing MFA for N days

We have added a new setting called The number of days that users can skip the second factor authentication to the One time password Identity Provider connection. If the setting is set to a positive number, when your users need to do second factor authentication, they are offered an option to skip it for N days.

You can read more about both Device authentication and this feature here.

Wizards for MFA registration

MFA registration, especially when users need to install an app or use a hardware token, can be a daunting task for non-tech-savvy users. To improve usability, we have implemented a wizard for the registration flow that guides users through all necessary steps. These steps can be grouped into 3 categories:

  • A starting step
  • Client-side steps that show users how to do something. These steps never make any requests to the server side.
  • Several last steps that need to make requests to the server side, for example to enter an OTP code, or go next after saving a recovery code.

More importantly, the wizard is designed for customization. You can customize:

  • Content of each step.
  • Look and feel of each step.
  • Add/remove some steps, especially for the client side steps.

As usual, you can customize them using either the Razor views or Hosted forms. You can find the full guideline here.

Reset MFA method using recovery code

This new feature allows users to reset their MFA method (either TOTP Authenticator or WebAuthn) using recovery codes that they have saved during registration of the MFA method. You can find the new setting to enable this feature on the OTP connector page.


Conditional access

The conditional access feature aims to improve the security of MFA registration. Without conditional access, if a user has not registered an MFA method and an attacker is able to get hold of the user's first factor credentials, the attacker can freely register an MFA method themselves. With conditional access, you can set up a policy that only allows registrations from specific IPs, for example from the Intranet.

OIDC: allow logout without id_token_hint

When an OpenId Connect application, such as the new Admin portal, sends a logout request to Identify, the request must contain an id_token_hint. If id_token_hint is missing, Identify will show an error about the missing id_token_hint. Even though this behavior is good for security purposes, it can cause a scenario where an application may not be able to send an id_token_hint to Identify after a session has expired.

To deal with this edge case, we have added a new setting called Allow logout without ID Token hint to the OpenId Connect application connector. The setting is disabled by default.


When the Allow logout without ID Token hint setting is enabled, the OpenID Connect logout redirect URL setting must be set correctly. This is because Identify needs to match the incoming request to an OIDC application connector in its database, and without an id_token_hint, Identify has to use the redirect URL as the matching key.
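To make the matching rule concrete, here is an added example (not Identify's own code) of how an RP-initiated logout request can be resolved to an application connector: with an id_token_hint the token's aud is matched to a client_id, without one only a connector that has the setting enabled and an exactly matching logout redirect URL is accepted. The connector class, the constructed unsigned id_token_hint and the example URLs are assumptions for illustration; in a real runtime the token's signature is verified before its aud is trusted.

```python
import base64
import json
from dataclasses import dataclass


class LogoutError(Exception):
    """Raised when the logout request cannot be tied to exactly one application."""


@dataclass
class OidcConnector:
    """Hypothetical model of an OpenID Connect application connector's logout-related settings."""
    client_id: str
    logout_redirect_url: str               # "OpenID Connect logout redirect URL" setting
    allow_logout_without_id_token_hint: bool = False   # disabled by default, as in the release notes


def jwt_payload(token):
    """Decode the payload segment of a JWT (signature verification is assumed to happen before this)."""
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))


def make_unsigned_hint(aud):
    """Constructed id_token_hint for the sample: header.payload.'sig' with no real signature."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc({'aud': aud, 'iss': 'https://idp.example.test'})}.sig"


def resolve_logout_connector(params, connectors):
    """Pick the connector an RP-initiated logout request belongs to, or raise LogoutError."""
    hint = params.get("id_token_hint")
    if hint:
        aud = jwt_payload(hint).get("aud")
        for c in connectors:
            if c.client_id == aud:
                return c
        raise LogoutError("id_token_hint audience does not match any application")
    # No hint: fall back to the redirect URL, but only for connectors that opted in,
    # and require an exact match so a look-alike URL cannot trigger someone else's logout.
    redirect = params.get("post_logout_redirect_uri")
    candidates = [c for c in connectors
                  if c.allow_logout_without_id_token_hint and c.logout_redirect_url == redirect]
    if len(candidates) != 1:
        raise LogoutError("missing id_token_hint and no unique connector matches the redirect URL")
    return candidates[0]


CONNECTORS = [  # constructed sample connectors
    OidcConnector("admin-portal", "https://admin.example.test/signout-callback", True),
    OidcConnector("legacy-app", "https://legacy.example.test/logout", False),
]
```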

OpenId Connect Discovery Endpoint: Add the none option to request_object_signing_alg_values_supported

We have added the none option to the request_object_signing_alg_values_supported list of the well-known configuration at OpenId Connect Discovery Endpoint (/runtime/oauth2/.well-known/openid-configuration).

Identify Configurator

Encrypting credentials using keys in Azure Key Vault

Identify Configurator stores tenant configurations in the IdentityTenant database, which may contain credentials that are used when upgrading or replicating tenants. In addition to other database encryption methods, we provide another option that uses Azure Key Vault encryption keys to encrypt all credential information. You can select one or more methods to apply to your Identify deployment. The advantage of this option is that, because only credentials are encrypted, you can, for example, attach configuration data to support tickets without leaking credentials.

Learn how to use this feature here.

More certificate information when hovering mouse

In the Certificates dialog, when hovering your mouse over a certificate, a tool tip appears that shows the certificate's subject, thumbprint, and expiration date.


Set Safewhere Admin's Idle Time-out (minutes) when doing mass upgrade

When mass upgrading Identify instances, you can use the new Idle Time-out (minutes) setting to specify the idle time-out value for all Admin instances.


Safewhere Admin

One Time Password identity provider

The OTP connector has some new settings:

  • New Conditional access tab to let you add the conditional access policy script.
  • New checkbox to let you allow or prevent your users from resetting MFA using a recovery code.

Logging

Settings

The logging menu has new settings that you can use to configure Application Insights as a new log target as well as to log to multiple stores.

Audit log viewers

The Audit logs tab has some new Audit log viewers:

  • Audit issued claims
  • Audit admin site authentication

We have also changed the date filter to support hours and minutes. This change is especially important for the System log viewer feature.


System logs

The new System logs tab can display log entries whose types are SYS (Error, Warning), SEC, REV, etc. It only works for log data stored in the SQL Server database, MongoDB, or CosmosDB (aka query-able log stores).


Bug fixes

  • Fixed: #69990 [Safewhere Admin] Duplicate Create buttons occasionally showing on a resource list
  • Fixed: #75194 [Safewhere Admin] Newly uploaded certificate cannot be found when selecting Choose existing on the certificate control of the connection page
  • Fixed: #75198 [Safewhere Admin] The fields Azure tenant ID, Application client Id, and Application client secret are filled automatically by saved login credential when using Chrome browser
  • Fixed: #75413 [Safewhere Admin] Invalid SCIM filter error displays on the user list occasionally
  • Fixed: #75416 [Safewhere Admin] The user list whose owner organization is All is empty after creating a new user and close its user page
  • Fixed: #75419 [Safewhere Admin] The user list shows those who do not belong to the selected organization after pressing (x) on All locked user option
  • Fixed: #75451 [Safewhere Admin] Templates list - A template with an invalid language code is saved successfully
  • Fixed: #78837 [Safewhere Admin] Saving setting page is successful although there are duplicate values on the Email claim
  • Fixed: #76049 [Safewhere Admin] User page - Update the text resource when resetting MFA methods
  • Fixed: #75457 [Safewhere Admin] Attribute list - User can create the attribute service although the Identify license does not enable SAML attribute service feature
  • Fixed: #77332 [Safewhere Admin] Update Set the audience field of tokens which are issued for the application of the applications when updating "Entity id" in Settings
  • Fixed: #78362 [REST API] SQL error is logged when using REST API to create a connection with metadata information
  • Fixed: #79525 [REST API][PUT] Because the BouncyCastle.Crypto library version is incorrect, a wrong error is returned when importing metadata with "AcceptUntrustedCertificate": false and the certificate does not exist in Identify's DB
  • Fixed: #79519 [REST API][POST] Because the BouncyCastle.Crypto library version is incorrect, no error is returned when importing metadata with "AcceptUntrustedCertificate": false and the certificate does not exist in Identify's DB
  • Fixed: #75630 [Identify configurator] Instance replication - The default SSL certificate *.safewhere.local is selected when replicating an Identify instance using non-wildcard SSL certificate
  • Fixed: #75738 [Identify configurator] Instance creation - Shallow values appear on new tenant creation when not finishing instance replication
  • Fixed: #76938 [Identify configurator] Instance replication - Different tenantID issue occurs after finishing flow Delete/Create/Replicate instance with the same name
  • Fixed: #78257 [Identify configurator] An error "The public certificate is expired or not within its validity period." is returned when applying the key mode with a newly issued certificate from NemLog-in3 to an Identify instance
  • Fixed: #78829 [Identify configurator] An error 500.30 about missing permission occurs when accessing Safewhere Admin portal
  • Fixed: #78910 [Identify configurator] Instance Reconfiguration - A redundant tenant fails to update its signing certificate from the Azure Key Vault store to the local store
  • Fixed: #78983 [Identify configurator] Instance data import - Only first organizations are imported after finishing a data import
  • Fixed: #76994 [CLI] ICC.exe.config does not contain the right value for SafewhereRootPath key
  • Fixed: #79060 [Step-up] The LoA returned to the SP after a successful step-up is incorrect
  • Fixed: #75471 [STS] A relative URI error returns on RequestSecurityTokenResponse when an existing WS-Trust application contains a non-URI value as its Entity Id
  • Fixed: #74921 [WCF] Identify WCF service error occurs when its Identify instance uses Azure Managed HSM
  • Fixed: #79334 [Translation] Incorrect text resource for OTP error message when user contact information is not available

Breaking changes

When upgrading an Identify instance from a previous version, you may experience the following changes in behavior:

Changes in Razor views and Hosted forms

Please refer to this link for more detail about the changes. If you are using these forms, you should back them up, then click the RESET TO DEFAULT button to view the new templates. The list below summarizes the changes:

  • The Enable Authenticator and Enable WebAuthn templates (both hosted forms and Razor views - this applies to all other templates below) have been changed to support wizards for MFA registration. If you prefer the old one-page registration instead of a wizard, you can visit this link. More importantly, if you want to reuse the custom TOTP Authenticator view that your current instance is using, you also need to check that link out. Reusing it as-is can result in QR codes not displaying.
  • The OS2faktor Login, Login With Authenticator, Login With WebAuthn and Otp Authentication templates have a new checkbox for skipping MFA methods.
  • The OS2faktor User Rejected, OS2faktor No Device, OS2faktor Device Registration, Otp Authentication Server Error, WebAuthn Error, Enable Authenticator and Enable WebAuthn templates have been changed to better display exact error messages.
  • The Recovery code template has a new button for resetting an MFA method.
  • The Onboarding Succeeded, Otp Malformed Request Error, Site Layout and Policy Script Error templates (hosted forms only) are updated due to bug fixes.