Release Notes
Support Sponsor Variable In Access Expiry Notification
In order to get the profile information of the sponsor, the product has introduced the sponsor variable in the custom access expiry notification. For example, to include the first name of the sponsor in the message, use the variable %SPONSOR_Person-Firstname%.
Moodle 2 Connector Enhancements
Moodle 2 connector has been enhanced to support the below features.
Sub-Item Modify Handling
Previously, all sub-item operations in the connector depended entirely on the modify type, and a replace was performed as a full delete followed by an add. These sub-item operations now use delta processing: the connector fetches the current sub-items and then applies only the required changes.
Unenroll User from Course
User and Course data formats have been enhanced to support unenroll of user from course. This is a function introduced in Moodle version 3.0. So, to use this feature, you'll need a Moodle server of version 3.0 or above.
User Data Format - New Filter Options
Introduced two new filter options for the user data format: search by user fields starts with and search by user fields ends with. Both options work in the same way except for the condition generated. First Name, Last Name and Email are supported as user fields. Any number of values can be configured in the values setting, and the API is invoked once for each configured value. Two special values, Alphabet and Number, are also supported. When Alphabet is configured, the API is invoked for each letter of the alphabet and fetches the users whose field starts with that letter. The Moodle APIs don't support paging, so this option is useful for systems that have too many users to fetch in a single call.
Course Data Format - New Filter Options
Introduced two new filter options for course data format.
The Search by course field option can be used to fetch courses by Short Name, IdNumber or Category.
The Search course option can be used to search for courses containing a pattern in the course name, module or tag.
MaxResults Configuration
Introduced a MaxResults configuration in export for all data formats so that the number of entries to be fetched can be limited.
Attribute Changes
Some of the connector multi-level attributes have been redesigned to support name attributes and group them based on Moodle data structure. The following tables show new attributes and old attributes.
User Data Format Attributes
The courses multi-level attributes have been redesigned for user data format. All workflows using the bold attributes should be adjusted immediately after applying the patch since old names are not supported in new version.
New Attribute | Old Attribute | Comments |
courses->courseId | courses->courseId | |
courses->fullName | | New attribute introduced to identify the enrollment course name. |
courses->shortName | | New attribute introduced to identify the enrollment course short name. |
courses->courseRoles->name | | New attribute introduced to identify the enrollment role name. |
courses->courseRoles->roleId | courses->courseRoles | The old attribute courses->courseRoles is made a sub record to accommodate role naming attributes. |
courses->courseRoles->shortName | | New attribute introduced to identify the enrollment role short name. |
courses->courseSuspend | courses->courseSuspend | |
courses->courseTimeEnd | courses->courseTimeEnd | |
courses->courseTimeStart | courses->courseTimeStart | |
courses->groups->description | | New attribute introduced to identify the enrollment group description. |
courses->groups->id | groups->groupId | These groups-> are for course groups. So these attributes are moved under course-> node so that the attribute grouping is easy. |
courses->groups->name | | New attribute introduced to identify the enrollment group name. |
| groups->attachedCourseId | Once the groups attribute are moved under course node, this linking attribute is not required. |
Course Data Format Attributes
The users multi-level attributes have been redesigned for course data format. All workflows using the bold attributes should be adjusted immediately after applying the patch since old names are not supported in new version.
New Attribute | Old Attribute | Comments |
users->email | | New attribute introduced to identify email of the enrolled user. |
users->fullName | | New attribute introduced to identify full name of the enrolled user. |
users->userId | | New attribute introduced to identify Id of the enrolled user. |
users->userName | | New attribute introduced to identify name of the enrolled user. |
users->userSuspend | users->userSuspend | |
users->userTimeEnd | users->userTimeEnd | |
users->userTimeStart | users->userTimeStart | |
users->userRoles->name | | New attribute introduced to identify the enrollment role name. |
users->userRoles->roleId | users->userRoles | The old attribute users->userRoles is made a sub record to accommodate role naming attributes. |
users->userRoles->shortName | | New attribute introduced to identify the enrollment role short name. |
Ascentis Connector Enhancements
The Ascentis connector export and lookup have been enhanced to support OR conditions in filters. The Ascentis API supports only AND conditions, so OR conditions are handled specially at the connector level: the OR conditions in the filter are split, a separate filter is created for each condition, and the API is invoked once for each sub filter. Because multiple API calls are made, the same entry can be returned by more than one call, so a duplicate handler based on the key attribute has been introduced to skip duplicates.
Sample Filter and Split Filters
Filter | Split Filter |
(|(employeeID=10044)(employeeID=10052)(employeeID=10055)) | (employeeID=10044) |
| (employeeID=10052) |
| (employeeID=10055) |
(&(|(employeeID=10044)(employeeID=10052)(employeeID=10055))(&(firstName=John*)(lastName=Smith*)(issupervisor=true))) | (&(employeeID=10044)(firstName=John*)(lastName=Smith*)(issupervisor=true)) |
| (&(employeeID=10052)(firstName=John*)(lastName=Smith*)(issupervisor=true)) |
| (&(employeeID=10055)(firstName=John*)(lastName=Smith*)(issupervisor=true)) |
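The split and the key-based duplicate handling described above can be sketched as follows. This is an added example, not the connector's own code: it handles only & and | groups, and `to_dnf`, `split_or_filter`, `export`, `fake_search` and the sample records are hypothetical names and constructed data.

```python
from itertools import product

def to_dnf(f, i=0):
    """Parse the filter at f[i]; return (list of AND-only condition lists, next index)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    if f[i + 1] not in "&|":                      # simple condition: attr=value
        end = f.index(")", i)
        return [[f[i + 1:end]]], end + 1
    op, parts, i = f[i + 1], [], i + 2
    while f[i] == "(":
        part, i = to_dnf(f, i)
        parts.append(part)
    if f[i] != ")" or not parts:
        raise ValueError(f"malformed group at offset {i}")
    if op == "|":                                 # OR: union of the alternatives
        return [c for part in parts for c in part], i + 1
    return [sum(combo, []) for combo in product(*parts)], i + 1  # AND: cross product

def split_or_filter(f):
    """Return the AND-only sub filters that together are equivalent to f."""
    conjs, end = to_dnf(f + " ")      # sentinel: truncated input raises ValueError
    if end != len(f):
        raise ValueError("trailing characters after filter")
    subs = []
    for conj in conjs:
        conds = list(dict.fromkeys(conj))         # drop repeated conditions
        text = "".join(f"({c})" for c in conds)
        subs.append(text if len(conds) == 1 else f"(&{text})")
    return list(dict.fromkeys(subs))              # drop repeated sub filters

def export(f, search, key="employeeID"):
    """Call search() once per sub filter; keep the first entry per key value."""
    seen = {}
    for sub in split_or_filter(f):
        for entry in search(sub):
            seen.setdefault(entry[key], entry)
    return list(seen.values())

EMPLOYEES = [  # constructed sample records
    {"employeeID": "10044", "firstName": "John", "issupervisor": "true"},
    {"employeeID": "10052", "firstName": "Johnny", "issupervisor": "false"},
    {"employeeID": "10055", "firstName": "Mary", "issupervisor": "true"},
]

def fake_search(sub):
    """Hypothetical AND-only search API over EMPLOYEES; a trailing * is a prefix match."""
    conds = [c.split("=", 1) for c in sub.strip("(&)").split(")(")]
    return [e for e in EMPLOYEES if all(
        e.get(a, "").startswith(v[:-1]) if v.endswith("*") else e.get(a) == v
        for a, v in conds)]
```

The number of sub filters, and therefore of API calls, is the product of the widths of the OR groups combined under an AND, so a filter with several wide OR groups fans out quickly.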
Google Apps Multi Domain Connector: Data Transfer Data Format
The Google Apps Multi Domain connector has been enhanced to support a new data format, Data Transfer. This is an export and lookup data format that fetches the status and details of data transfers, both processed and processing. This data format supports paging and filters.
The following attributes are supported in filters; only equals conditions are supported.
Filter Attribute | Comments |
newOwnerUserId | The profile id of the destination user for whom the data transfer operation is initiated. The user must exist in Google to use this filter attribute. If the user is deleted after the transfer, this filter condition may result in failure. |
oldOwnerUserId | The profile id of the source user for whom the data transfer operation is initiated. This filter attribute supports deleted users too. |
overallTransferStatusCode | completed and inProgress are the values supported for this attribute. The values are case sensitive. |
Following are the attributes supported for this data format.
Name | Type | Description |
Application->applicationId | String | The application's ID. |
Application->applicationName | String | The application's name. |
Application->applicationTransferStatus | String | Current status of transfer for this application. |
Application->DataTransferParams->key | String | The key of data transfer parameters |
Application->DataTransferParams->value | String | The value of data transfer parameters. |
etag | String | ETag of the resource. |
id | String | The transfer's ID. |
kind | String | Identifies the resource as a DataTransfer request. |
newOwnerUserId | String | ID of the user to whom the data is being transferred. |
oldOwnerUserId | String | ID of the user whose data is being transferred. |
overallTransferStatusCode | String | Overall transfer status. |
requestTime | Date | The time at which the data transfer was requested. |
Microsoft Office 365 Enhancements
Microsoft Office 365 connector has been enhanced to support Room-Mailbox. Microsoft Office 365 Identity connector has been enhanced to revoke user sessions when the account is disabled.
Room Mailbox
The Microsoft Office 365 connector user data format has been enhanced to support Room Mailbox. The attributes below were introduced to control this. The PowerShell cmdlets that process these attributes are New-Mailbox and Set-Mailbox. If login is to be disallowed for the room mailbox account, configure the attribute BlockCredential with the value true.
Name | Comments |
EnableRoomMailboxAccount | Specifies whether to enable or disable user account that's associated with this room mailbox. Valid values are: |
RoomMailboxPassword | Parameter to configure the password for the account that's associated with the room mailbox when that account is enabled. |
Revoke Session
The Microsoft Office 365 Identity connector has been enhanced to revoke user sessions when the user account is disabled from the admin UI or self-service. If the disable call fails, the revoke sessions call is not attempted. Any failure of the revoke sessions call is logged but not propagated to the levels above.
The Microsoft Office 365 Provisioning connector has been enhanced to support revoking user sessions when a user is disabled using a workflow. Revoking sessions is controlled by an attribute (RevokeSignInSessions) added to the connector. A user is disabled when the BlockCredential attribute is true. To revoke user sessions, BlockCredential should be true and RevokeSignInSessions should be true.
Sessions are revoked by the cmdlet Revoke-AzureADUserAllRefreshToken. This is a cmdlet in the Azure Active Directory PowerShell module, so the AzureAD module should be installed on the Identity/Idm GIG machine. The module can be installed with the command Install-Module AzureAD after starting PowerShell as administrator.
Extra Connection Parameters
Microsoft Office 365 connector has been enhanced to support Extra Connection Parameters. A new connected system parameter is introduced to configure this. When a value is configured for this parameter, it is included with the Connect-ExchangeOnline cmdlet.
Azure Active Directory and Microsoft Office 365 REST Connectors Revoke Session
Azure Active Directory and Microsoft Office 365 REST Identity connectors have been enhanced to revoke user sessions when the user account is disabled from the admin UI or self-service. If the disable call fails, the revoke sessions call is not attempted. Any failure of the revoke sessions call is logged and ignored. The revoke sessions call failure is ignored because the main call is disable and there can be permission-related issues in existing solutions.
Azure Active Directory and Microsoft Office 365 REST Provisioning connectors have been enhanced to support revoke user sessions when a user is disabled using workflow. Revoke sessions is controlled by an attribute (revokeSignInSessions) added to both connectors. A user is disabled when accountEnabled attribute is false. To revoke user sessions accountEnabled should be false and revokeSignInSessions should be true.
Following are the permissions required for this API call.
Permission Type | Permission |
Application | User.ReadWrite.All |
Application | Directory.ReadWrite.All |
Note: After calling revoke sessions API, there might be a small delay of a few minutes before tokens are revoked. This API doesn't revoke sign-in sessions for external users, because external users sign in through their home tenant.
SAP NetWeaver Connector Enhancements
SAP NetWeaver connector user data format has been enhanced to support additional LOGONDATA attributes during import. The following are the new attributes supported.
Name |
LOGONDATA.BCODE |
LOGONDATA.CODVN |
LOGONDATA.LTIME |
LOGONDATA.PASSCODE |
LOGONDATA.PWDSALTEDHASH |
Fixed Defects
This list contains defects reported by customers or implementation; it does not contain defects raised internally.
- Fixed issue of setting modified user as SYSTEM for scheduled/compliance workflows. Workflow engine was setting modified user as SYSTEM when a scheduled/compliance workflow is started or stopped.
  Feature Affected: Scheduled/Compliance Workflow
- Fixed issue of compliance timeout hanging the certification process. Job instance statistics calculation was causing the timeout process to hang. The statistics recalculation now runs in a separate thread, which allows the original timeout process to complete.
  Feature Affected: Compliance Certification
- Fixed issue with user match processing when the post match workflow is configured. Fixed query error when post-match workflow passed in empty employee-enddate attribute.
  Feature Affected: User Match
- Fixed issue with access expiry notification processing when the attribute configured for address has multiple email addresses. Corrected the email validation to support multiple addresses.
  Feature Affected: Access Expiry Notification
- Fixed issue with Google Apps lookup when there are no attributes configured. There are a few lookups in existing solutions which check user existence by count. Removed the extra validations to fix this issue.
  Feature Affected: Google Apps Multi Domain Connector
Downloads
The download links below are applicable to Fischer on-premise customers that host the Fischer IdM software in their environment. If you are a Fischer IaaS (Cloud) customer, all updates are delivered by Fischer on a scheduled basis.
To download the latest update, you will need a login to the Fischer Release portal. If you are a Fischer on-premise customer and would like to request an account to the Fischer Release portal, please submit a request through the Fischer ticketing system.
Identity Linux 7.7.19 Installer
Identity Windows 7.7.19 Installer
DataForum Linux 7.7.19 Installer
DataForum Windows 7.7.19 Installer
Gateway Linux 7.7.19 Installer