Safewhere*Identify 3.4. Release Notes

Transcription

1 Safewhere*Identify 3.4 Release Notes

2 Safewhere*identify is a new kind of user identification and administration service providing for externalized and seamless authentication and authorization across organizations. Safewhere*identify allows an organization to handle user identification and administration centrally and external to all web applications and web services. Safewhere*identify allows the support of basically any kind of authentication. Apart from built-in mechanism of authenticating like username and password, it also supports popular social authentication methods like Facebook, Google, Twitter, or LinkedIn, as well as all modern federation solutions via the SAML 2.0, and WS-Federation protocols. This new version enhances the system s ability in supporting complex user scenarios, guarantees full flexibility in regards to localization and message customization, ads additional authentication options, and ensures support for different browsers and browser versions. This release note gives an introduction to all the new features of version 3.4. Localization Identify*runtime has been rewritten to provide full control over look and feel of all pages as well as provide a robust framework for localization to any language and support of different browsers and browser versions. This includes default support for Danish and English, option to introduce new languages, override existing text resources, and even add new text resources. This feature allows users to localize pages, since we know from experience that such customized pages can help provide an even better user experience. Important features of the new localization system are: Fallback support; if a text is not found in a specific language, it will instead use the text resource of a configurable default language. Administrators can override existing default text resources with their own custom texts. Text resources can be edited by administrators during runtime. Adding support for a new language is as simple as copying a file. The system supports standard.net resource files, making it possible to reuse existing tooling support. Supports localized custom text resources, i.e. an administrator can add new pages not included in the standard product, as well as customize existing pages and have all text be localized in the user s chosen language.

3 Authentication and Protocol Connections Version 3.4 greatly improves the existing support for social network authentication connections. With version 3.3 we already added support for Facebook, Google, Twitter, LinkedIn, and OpenId. We now add login via LiveId to this list. On top of this we have ensured that 2-factor authentication and Single Logout (SLO) are fully supported with all of these connection methods. During this version we have also tested and ensured that Identify works with SharePoint In this way companies and organizations can now support Single Sign-On to SharePoint 2013 via Identify. Another type of second factor, similar to the existing SMS and One Time Password (OTP) support, was also added in the latest version. This new type is called a Mobile Login connection, since it utilizes a mobile device for delivering the second factor without the user needing to take any additional action, which is a very attractive solution both in regards to usability as well as financially. The idea behind this authentication method is that the user initially logs in to a personal profile page via regular 2-factor authentication, where a code for use on the mobile device is created. The first time the user initiates authentication via the mobile device, he will be asked to supply this code, which will then be used to create a unique cookie on the device. The next time the user then authenticates via this mobile device, he will just be exposed to the primary authentication requirements (typically username and password ), since the secondary authentication factor is handled by Identify simply checking that the code in the cookie is valid. Another feature that has been added to manage the increasing number of mobile users is one that controls the types of authentication methods that are offered on mobile devices. For each authentication connection type it has been made possible to specify if it should be offered for mobile use making it possible to e.g. exclude logins requiring Java. It can also be used to ensure that users are forced to use certain authentication methods from mobile devices. The One-Time Password authentication page has also been improved so that it provides users information on whether his OTP was sent via or SMS, as well as additional information on what he is supposed to do next. Another minor improvement concerns the page that users end up on after Single Logout. Where users were earlier redirected to the Identity Provider login page after logging out, we have now changed it so that the user is sent to a customizable information page.

4 Claim Transformation The claims transformation pipeline has seen a significant upgrade, with the addition of two new and very flexible claim transformation rules. The first one is the SQL Transformation rule, which supports the execution of queries on an SQL database when selected conditions in a user s token have been met. Values from the token can be used as parameters in the SQL query, making it possible to e.g. transfer values from the token into external user storages. With this new rule an additional option was also added to the condition regex syntax called ExistOrg(claim type). It makes it possible to check if the value for a claim type in a user s token, exists as an organization name in Identify. This can be e.g. be used to check whether a new organization needs to be created on the fly using the SQL Transformation rule. The other new rule is for External Claim Transformation, which among other things, allows data from external systems to be included in the users token, complex business processes to be included in the claim transformation pipeline, or simply just do advanced transformations of existing data in the pipeline. Even though the existing transformation rules in Identify covers a wide range of needs, there will still be scenarios where regular rules will not suffice. Using the External Claim Transformation rule a customer can code their own steps and plug them into Safewhere*identify s pipeline. A minor extension in regards to the pipeline, was the addition of an exclude from pipeline setting on all claim types. If there is a claim type that we never want issued to a token, excluding it using this setting is a lot easier than having to add an exclusion transformation step for all pipelines. Logging Logging has been further improved to include more information in the audit log reports, including more detailed user information and information on executed mass user updates and objects that were deleted. But the most important improvement has been in the way that errors are shown and logged. The error handling architecture has been completely rewritten so that all error messages from runtime now include a traceable event ID. This event ID is also attached to the errors when they are logged which makes it possible to extract reports from the system that quantifies the types of errors that have occurred. Administration

5 The following capabilities have been introduced, that will make the system more user friendly for administrators: It is possible to specify per user whether he or she should be forced to change password during the next login. The default state for whether new users should change password on the first login has been supplied as a setting on organization. The configurator has been improved to better handle unique situations as well as show clearly if the installation is still ongoing. An administrative page has been added in which it is possible to edit the regex expressions and error messages used for validation rules on fields like passwords, usernames and s. The pages for Audit Log and Server Settings have been moved to the System Settings tab, so access to these pages now requires the SystemSetupAdmin role. Usability improvements The user interface in version 3.4 has added full support for Internet Explorer 10, support for NemId applet on Windows 8 browsers, and improved rendering of Safari. Other improvements include: Default for Restrict elevation setting on claims has been changed to false, since this has turned out to be the most used setup. An error message is now shown if mass update of users was done without having highlighting any records. It was earlier necessary to write /admin/ in the URL to connect to the Identify*admin site. Now it is also possible to only write /admin.