Safewhere Identify 5.12 Release Notes

This document summarizes all new features and bug fixes for version 5.12 as well as breaking changes when being upgraded from previous versions.

New features and improvements

Refactoring session state management

Safewhere Identify, as an intermediate Identity Provider, is a stateful web application that needs to manage states of logins. In the previous Identify versions, you sometimes encountered contextId or other state-related errors. Even though eliminating session state-related issues totally is not possible, we have refactored the Identify code as well as added support for storing some data in cookies. As a result, you can use the new options to tweak where different types of data are stored as to best fit your deployment.

You can read more about the topic at Session management

New scripting extensible points and scripting library

Safewhere Identify has many scripting extensible points where you can add custom business logics to Identify runtime pipeline using C# scripts. Problems arise when you have many resources, e.g. multiple connections, and you need to configure the same script for all of them. After that, if you want to make a small change to your script, you will need to update all connections.

Scripting library is the new way to manage your scripts. You can define your scripts on the Scripting library page. To use them, you can insert only the name of a script to a scripting setting. You will notice that the new scripting library feature is very similar to how Scripting claims transformation is working.

Please note that not all scripting features have script library supported. For ones that do not have yet, we will add support for them in future versions.

You can read more about the topic at Script library

SAML extensible points

We added a bunch of new extensible points to customize processing of SAML's requests and responses. The new extensible points require advanced knowledge about Identify's internal data structure and usually requires support from the Identify's development team.

Scripting Home Realm Discovery

Our customers usually have the need to add custom Home Realm Discovery (HRD) logics. One such example is to show an error page or to pick up a default Identity Provider when all previous HRD rules cannot determine a single Identity Provider. The new scripting HRD feature can help you do that.

Scripting OTP method

Safewhere Identify supports many MFA methods. Even though they are currently assigned the same level of assurance, in reality they can have different levels. Out of those methods, OTP via SMS and Email is the weakest form while using biometrics or a hardware key are the strongest ones. In light of NSIS 2.0 and OIOSAML 3.0, there is a need to issue different assurance levels based on what second factor method is used. For example, the TOTP Authenticator option can have the Substantial assurance level, and the WebAuthn’s biometric option can have the High level. Because what the levels are and what method can have what level vary from standard to standard, scripting is the most flexible option. For the previous example, when a request asks for the Substantial level, your script can allow users to use both the TOTP and the WebAuthn methods. Meanwhile, when a request asks for the High level, your script can allow only the WebAuthn method. Refer to our guideine for how to set up OTP script.

Customize SAML metadata

The new System setup's SAML metadata custom configuration setting allows you to customize the content of Identify's SAML metadata. This feature is useful when you need to connect Identify to systems such as NemLog-in.

You can read more about this feature at How to customize SAML metadata

Skip connection dependencies

Connection dependencies is a way for Identify to know what identity providers (aka authentication connections) that users can use to log in to what service providers (aka protocol connections). When this setting is ticked, Identify ignores all the connection dependencies both when you create a new connection as well as when users log in. In other words, users can use all identity providers to log in to every service provider.

Reset password email expiry

You can now specify two separate expiry times for reset password emails that are sent out to newly created users who need to set up their passwords and to existing users who need to reset their passwords. More details are available at the System setup page.

Certificate validations

We have added a new way of doing certificate validation as well as the ability to disable revocation checks for the whole instance.

Regarding the OCES environment list, we updated its options to reflect recent changes from DanID.

Before 5.12:

From 5.12:

Database-based certificate validation

With database-based certificate validation, Identify has a background job that can validate if certificates are valid (including revocation checks) and store validation results in the database. By doing this, Identify can avoid doing online checks when validating requests/responses and can just read certificate status from the database. You can enable the Use database certificate revocation checks setting to use this feature. You also can find other settings to control the certificate validation background job at the System setup page.

Ability to turn off revocation check

Two ways to disable revocation checks for a running Identify instance:

1. Turn on the Suppress all certificate revocation checks setting in the System setup.
2. Add an environment variable named SuppressCertificateRevocationCheck and set its value to "true". When the environment variable exists and is "true", Identify suppresses all certificate revocation checks even if the Suppress all certificate revocation checks setting in the System setup is false. This setting is useful when you have a backup environment that has the database of the main environment restored but you want it to have a different certificate revocation checks behavior.

A tool to generate CSR for keys in Azure Managed HSM

Azure Managed HSM doesn't support certificates, thus CSR generation from its keys isn't available. We offer a standalone tool for this purpose. Contact support for further assistance.

Remember my selection HRD

Remember my selection is a new HRD rule that allows users to specify whether Identify needs to remember their choice of an identity provider.

Logging

We've made significant improvements to Identify's log data, making it easier to work with. You can read more about the new changes at Changes in logging feature.

Identify configurator

You can now use the Identify Configurator to customize security settings such as HTTP Security Headers, request filtering, and many other IIS' security settings.

Safewhere Admin

Audit log viewers

The Audit logs tab has some new Audit log viewers:

• Audit Admin Site Authentication
• Audit Identity Provider Configuration
• Audit OAuth Access Tokens
• Audit Claim Sets
• Audit Ldap Attribute Definition
• Audit Deleted Resource
• Audit Mass Update User Claim Value
• Audit Group
• Audit Protocol Connection
• Audit Authentication Connection

More importantly, there is a new System logs viewer for non-Audit logs. A great application of this new feature is that you can easily collect logs for troubleshooting purposes without having to RDP to the servers.

Reduce size of Safewhere icon and use caching for static files

We did some optimizations to improve loading time for Identify Runtime's pages:

• Reduce the size of the "safewhere.ico" file from 371KB to 4KB
• Enable caching for static files (CSS, JavaScript, images etc.) that are hosted in the following folders:

Guidelines

IP Address and Domain Restrictions is one of the great built-in features of IIS. You can use it to selectively permit or deny access to an Identify instance and its resources (folders, files, or some endpoints) which will make your Identify instance more secure. Specifically, we recommend that you should:

• Restrict access to Admin sites to specific IPs, for example intranet IPs or a VPN IP.
• Restrict access to the REST API to specific IPs, for example intranet IPs or IPs of the servers that have REST API consumer applications installed.
• Throttle requests to Identify runtime to mitigate brute-force attacks.

You can read more about how to do them at Protecting Safewhere Identify using IP and Domain Restrictions.

Breaking changes

When upgrading an Identify instance from a previous version, you may experience some unexpected issues or changes:

Changes in Hosted forms

We updated all hosted forms to fix potential XSS vulnerabilities (we also released patches for previous versions as well). Please refer this pull request for more details about the change. If you are using these forms, you should back them up, then click RESET TO DEFAULT button to view the new templates.

New change on Safewhere.External.dll

We added some new model classes to the Safewhere.External.dll to support metadata customization, so we pumped up its version to 5.12.0.0. This means that if you have custom components that have a reference to Safewhere.External.dll, you will need to recompile them against the new 5.12.0.0 version.

The following documents have been updated:

• Access Safewhere Identify data from external code
• Interceptors
• How to implement an interceptor

You can check out old documents used for Identify 5.11 and before at:

• Access Safewhere Identify data from external code - 5.11
• Interceptors - 5.11
• How to implement an interceptor - 5.11

Known issues

• If you use Application Insights for logging and encounter an error related to cryptographic performance counters, you can either just ignore them or manually update the ApplicationInsights.config to get rid of the error.

• Updating the Oces environment setting on the System setup page requires restarting the instance's website or application pool.

• An external image does not display when you link to it from a hosted form and preview the form on the new Admin (Adminv2). To have it displayed, you need to add the domain of the image to the CSP header setting. You can do that by:

  • Option 1: If you are using an Identify version prior to 5.12, you can edit the web.config file of your Adminv2 instance.
  • Option 2: If you are using an Identify version from 5.12 or newer, you can use the Reconfigure feature Change security settings to modify Adminv2's security settings

Bug fixes

• Fixed: #84755 Attribute Services page shows an incorrect error message about organization
• Fixed: #84866 [HostedForm] Cannot preview content of the 'HRD No Idp Determined' view
• Fixed: #80512 [RESTAPI][Connections][POST][PUT] Cannot import metadata if its certificates are not imported to the Identify's database in advance.
• Fixed: #84712 [LogEventFiltering] Log filtering does not work
• Fixed: #84947 [IdentityProvidersList] Change "Social media" type to "Social media/ OIDC" in "Identity Provider type" combo-box
• Fixed: #85023 [Runtime] Exception was thrown after changing a password and clicking on the Continue login button
• Fixed: #84906 [SafewareAdmin] Update text description for the isPresentLoginSelector setting
• Fixed: #84848 [Runtime] System claim is included on assertions when the "Use Multi-valued attribute" setting is enabled
• Fixed: #84817 [OIDC] PostLogout returns an error about invalid id_token when using Whr parameter and there exists a login session
• Fixed: #84573 The 'Owner organization' does not work with Attribute services
• Fixed: #84446 The 'Invalid SCIM filter' error happens when selecting to show Users belonging to the 'Root' organization only
• Fixed: #84390 Logging - Some events are still logged even when the log level is OFF
• Fixed: #82240 [CLI] Cannot create a new Identify instance on a fresh database server
• Fixed: #82009 [Swagger] Some issues with the sortBy parameter and User endpoints
• Fixed: #81385 [Swagger] Update models on API filter on Swagger page
• Fixed: #80821 [API][Filter] user's attribute: Emails uses case-sensitive check
• Fixed: #80708 [Runtime][Localization] Getting an text resource in "en-US" locale from GlobalTextResources returns empty even though a text resource does exist in "en" locale
• Fixed: #80229 [SafewareAdmin] Cannot import certificates to Identify's local database store
• Fixed: #80110 [SafewareAdmin] Unable to update a newly created SAML connection using a metadata URL
• Fixed: #83514 [SafewareAdmin][WStrust application] the Identify signing certificate is set as an Encryption certificate when creating a new WSTrust application
• Fixed: #83329 [SafewareAdmin][SAML20SP] Error throws when importing the SAML2 metadata without certificate to SAML20 Application
• Fixed: #83209 [SafewareAdmin] The log preset combo box is reset to LogFilterDefaultPreset when selecting LogFilterSilentPreset
• Fixed: #82595 [IC] Import data - error about index when clicking the data import list
• Fixed: #82546 XSS attacks in all hosted forms
• Fixed: #79877 [SafewareAdmin] Missing title header block on some hosted forms
• Fixed: #79691 [OTP] Correct text resource: OtpAuthenticationView_YouCanRequestAnotherOtpIn and OtpAuthenticationView_YouCanRequestAnotherOtpInSeconds
• Fixed: #79385 [SLO] Error happens because system claims are removed unexpectedly by claim transformations when they are used in protocol connection
• Fixed: #79236 [REST API][Connection][POST] No error returns when posting a connection with invalid metadataReference
• Fixed: #75933 [WCF] Error page throws when accessing WCF service of Identify instance using HSM key vault
• Fixed: #85033 [CLI] we have incorrect data log when executing CLI to reconfigure the Identify instance
• Fixed: #84821 [Runtime] Saml2MalformedRequestError returns when there exists a login session and user tries to use WHR params and the "Present the login selection page if no prior RP specific selection" is used
• Fixed: #84461 [Logging] No data for History/Device logon history SQL Audit in 5.12
• Fixed: #79240 [RESTAPI][Connection][PUT] When updating a connection with metadataReference, other settings are not updated