Here we address changes that may cause previously working configurations to stop working after the update, if they are not adjusted to handle the changes below.
This release
OIDC
New parameter: use_generic_error_page (default: false)
A new configuration parameter, use_generic_error_page, has been introduced. It applies to authentication errors that cannot be mapped to a configured failed_redirect and where fail_location is not set.
• false (default): The authenticator propagates the error to the underlying framework, allowing OIDC/SAML to handle the error according to their default behavior.
• true: Restores the previous behavior, where a generic error page is displayed by the authenticator.
This change makes error handling more explicit and aligns the default behavior with the surrounding authentication framework.
3.3.0
OIDC keystore
A single password is now used for both the key and the store. Only PKCS#12 (.p12) format is supported, and the store must contain exactly one alias. The .p12 file is selected from known resources; global stores are not recommended.
3.2.2
The LDAP search valve has been updated to better handle single vs. multi-value attributes. In previous versions, all returned values were treated as multi-value attributes, even when only a single value was present, which made configuration unnecessarily complex. With this update, attributes containing a single value are now returned as a simple value ("") instead of an array ([""]).
As of 3.1.0, the default encryption has been changed. This only affects systems where encryption is enabled.
To keep the previous implementation, set the following environment variable:
FORTIFIED_SECRETS_IMPL = local
3.0.0
SAML NameID format update
The process for selecting the NameID format of outgoing SAML assertions has been updated. If a NameID format is configured, it supersedes anything else. If none is configured, the requested format value from the AuthNRequest is used.
If none of the above is true, default fallback is:
Any format values in SAML metadata are ignored.
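The precedence described above, as an added example (not product code): a Python helper that reads the requested Format from an AuthnRequest's NameIDPolicy and reports which rule decides the outgoing NameID format. The function names, the sample AuthnRequest and the fallback placeholder are assumptions; the actual default fallback is not stated in these notes.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Placeholder only: the default fallback value is not given in these notes.
FALLBACK_PLACEHOLDER = "<product-default-fallback>"

# Constructed sample AuthnRequest (not captured from a real service provider).
SAMPLE_AUTHN_REQUEST = """\
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <samlp:NameIDPolicy
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      AllowCreate="true"/>
</samlp:AuthnRequest>
"""


def requested_nameid_format(authn_request_xml):
    """Return NameIDPolicy/@Format from an AuthnRequest, or None if absent."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find(f"{{{SAMLP_NS}}}NameIDPolicy")
    if policy is None:
        return None
    fmt = (policy.get("Format") or "").strip()
    return fmt or None


def select_nameid_format(configured, authn_request_xml,
                         fallback=FALLBACK_PLACEHOLDER):
    """Apply the 3.0.0 precedence: configured > requested > fallback.

    Returns (format, source). SAML metadata is deliberately not an input,
    because its format values are ignored.
    """
    if configured:
        return configured, "configured"
    requested = requested_nameid_format(authn_request_xml)
    if requested:
        return requested, "authn_request"
    return fallback, "fallback"


if __name__ == "__main__":
    # No configured format: the value requested by the SP decides.
    print(select_nameid_format(None, SAMPLE_AUTHN_REQUEST))
```

A service provider that sends no NameIDPolicy and previously relied on the format listed in its metadata ends up in the "fallback" branch, which is the case to check before upgrading.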
New way of configuring logo overrides
The default property names for logos, and the way they are overridden, have changed.
All logos are now configured in a "logos" property in the ui_config and ui_config_overrides.json.
All Integrity Access UIs now use the logos defined in access_header and access_footer. All apps with a top header bar (Password Reset, Portal, etc.) use app_logo.
This allows for better separation of logos and for using the same configuration and/or same configuration file for multiple ui apps.