Release notes

Display Password Strength

A progressive display of password strength has been introduced in various UIs in both our administrative and our self-service portal.

The password strength is computed using the Shannon's entropy algorithm, as depicted below.

4 classifications have been established for password strength. During reset of the password, one of those classifications will be used to show the strength of the password which is currently being set:

• Weak
• Fair
• Good
• Strong

The areas where password strength will be progressively calculated and displayed are listed below.

Admin UI

• Add profile page
• Password view page, under "Modify Profile" > Password View
• Generate password functionality, under "Modify Profile" > Password (Modify Profile -> Password View)

A sample UI of the password strength display in admin UI is shown below.

Self service UI

• My Accounts
• OBO (Users tab)
• Self Registration
• Kiosk
• Forgot password
• Claim account
• SMS Reset

A sample UI of the password strength display in self service UI is shown below.

EventPro Connector

EventPro connector mainly supports Accounts, Company, Contact, Event, Event Location, Invoice and Payment APIs

Account/Company/Contact Attributes:

Event Attributes:

Event Location Attributes:

Invoice Attributes:

Payment Attributes:

MaxResults setting for connector export

We have started supporting global variables for setting the value of the MaxResults setting for connector exports.

OracleHCM Connector

The supported APIs for OracleHCM connector are Employee, Job, JobFamily, Location,Organization and Position. Apart from the Employee API all the others are export only APIs.

Employee Attributes:

Job Attributes:

JobFamily Attributes:

Location Attributes:

Organization Attributes:

Position Attributes:

Azure AD Connector

The supported APIs for Azure AD connector are User, Group and Role. Role APIs are export only. The supported entitlement types are Group and Role. Only static entitlements are supported.

User Attributes:

Group Attributes:

Role Attributes:

Workday Connector

Workday connector has been enhanced to support dynamic date range for effective  and updated dates. This is supported only in WorkerFromTransactionLogs data format. 

Password Policy Changes

Prior to this release, the maximum passwords to remember upper limit was 32. The upper limit has been increased to 999.

Provisioning Policy and Resources

The naming columns relating to provisioning policy and resources had a limitation of 64 in character limit prior to this release which has been extended to 255.

The tables and columns affected with the changes are :

PRODUCT_RESOURCE --> RESOURCE_NAME

PRODUCT_RESOURCE_LOCALE --> RESOURCE_DISPLAY_NAME

POLICY --> POLICY_NAME

POLICY_LOCALE --> POLICY_DISPLAY_NAME

Table and View Cleanup

The following tables have been dropped as they are not used:

• MOBILE_AUTH_QRCODE
• SHIB_RP_MD_FILTER_OPT

The following views have been dropped as they are not used:

• APPROVAL_DELEGATE_USER_APPR_V
• AUDIT_PASSWORD_RESET_SUM_V
• BULK_SPONSOR_EVENT_DETAIL_V
• COMP_ASSESS_USERS_V
• COMP_DASH_GRP_EXEC_V
• COMP_DASH_GRP_POL_EXEC_V
• COMP_DASH_GRP_POL_RES_EXEC_V
• COMP_DASH_GRP_RES_EXEC_V
• COMP_DASH_OVERALL_COMP_DETL_V
• COMP_DASH_POL_EXEC_V
• COMP_DASH_POL_RES_EXEC_V
• COMP_DASH_RES_EXEC_V
• COMP_JOB_INST_ASSMNT_POLICY_V
• COMP_JOB_INST_ASSMNT_RES_GRP_V
• COMP_JOB_INST_ASSMNT_RES_V
• COMP_JOB_INST_ASSMNT_SYSTEM_V
• COMP_POL_RES_ALL_V
• COMP_RC_SYSTEM_LIST_V
• COMP_RECERT_GRP_EXP_CNT_V
• COMP_RECERT_HISTORY_V
• COMP_SOA_UNKNOWN_PROFILES_V
• PRODUCT_DBCOL_MAPPED_ATTR_V
• PRODUCT_JOB_SCHEDULE_V
• PSA_OBJECT_TABLE_CATEGORY_V
• PSA_POLICY_FEATURE_TAB_OPT_V
• PSA_POLICY_FEATURE_TAB_V
• PSA_POLICY_FEATURE_V
• PSA_POLICY_INDEX_CONDITION_V
• PSA_POLICY_INDEX_REL_V
• PSA_POLICY_OBJECT_CATEGORY_V
• PSA_POLICY_RESOURCE_TYPE_V
• PSA_POLICY_RULE_CONDITION_V
• PSA_POLICY_SET_V
• PSA_POLICY_USER_GROUP_V
• PSA_POL_OBJ_CAT_AL_V
• PSA_POL_OBJ_CAT_AM_V
• PSA_POL_OBJ_CAT_ARA_V
• PSA_POL_OBJ_CAT_ARE_V
• PSA_POL_OBJ_CAT_PCAT_V
• PSA_POL_OBJ_CAT_PC_V
• PSA_POL_OBJ_CAT_PR_V
• PSA_POL_OBJ_CAT_PS_V
• PSA_POL_OBJ_CAT_PT_V
• PSA_POL_RES_PER_CAT_V
• PSA_TYPE_V
• REPORT_CERT_USER_ACCESS_SUPP_V
• SHIB_ATTR_DEF_ORG_V
• SHIB_ATTR_ENC_PARAM_V
• SHIB_CONF_ATTR_ORG_V
• SHIB_DATA_CONN_ATTR_DEF_V
• SHIB_METADATA_ORG_V
• SHIB_RP_ORG_V
• SYNC_ACCNT_ENTL_V
• USSP_CONFIG_V

Solution changes

Workflow Chainer

There were a few differences in behavior between bulk mode and non bulk mode when handling empty data. This has been corrected to have consistent behavior in both modes. The below table show the new behavior.

Shibboleth upgrade to 3.4.3

• There have been some configuration changes in Shibboleth. For each solution it has to be verified that none of the changes listed here since 3.3.3 will have any impact:
  
• An additional behavioral change is that the idp-metadata on install will now always be enddated to the time of the install:
   <EntityDescriptor  xmlns="urn:oasis:names:tc:SAML:2.0:metadata":tc:SAML:metadata:ui" validUntil="..."
   Because of this the metadata will have to be modified before the IdP can be operational.
• JQuery has been upgraded from 2.1.4 to 3.3.1.
• Shibboleth moved the webapp folder to dist/webapp

ReCaptcha Span

Prior to this release the column span DUI property for captchas was limited to a minimum of 2 columns when the DUI screen was configured to have multiple columns. This limitation has now been removed so that administrators may place captchas on the exact column they would like.

Patch Installer

The patch installer is no longer supported in 7.2.  Patches will be provided via an updated 7.2 installer.

Linux Install Change

InstallationType must be set to "Upgrade" in the corresponding *_install.cfg file when you want to upgrade an instance or perform an over install.

Silent install

The -silent option is now supported by the various installers (Identity, Provisioning, and GIG).  If the -silent option is specified, all input parameters will be pulled from the corresponding install.cfg file:

• identity_install.cfg
• dataforum_install.cfg
• studio_install.cfg
• gig_install.cfg

The -silent option is also available for the uninstall, and like the install, will require access to an install.cfg file.

identity_install.cfg changes

The following properties have been added for -silent install:

• DataBaseAdminName - The name of Database Store Admin account (DBA).
• DataBaseAdminPassword - The password of Database Store Admin account
• ServiceAcctUsername - The service Account Username, usually <prefix>ADMIN
• ServiceAcctPwd - The service Account Password
• IdMPwd - IDM Schema password
• AUDPwd - AUD Schema password
• Password - password for the LDAP Admin DN
• AlwaysApplyDatabaseUpdates - set to true to force the installer to reapply database updates if the database is already at the same level as the installer.  If set to false, only the instance version will be updated if the database is at the same level.  If the database is not at the same level as the installer, this flag is ignored.

If a different database is being used for the dashboard:

• DashboardDataBaseAdminName - The name of Dashboard Store Admin
• DashboardDataBaseAdminPassword - The password of Dashboard Store Admin
• DashboardServiceAcctUsername - The dashboard Service Account Username, usually <prefix>MONADMIN
• DashboardServiceAcctPwd - The dashboard Service Account Password
• DashboardPwd - The dashboard Schema password

The following properties have been added for -silent uninstall:

• DataBaseAdminName - The name of Database Store Admin account (DBA).
• DataBaseAdminPassword - The password of Database Store Admin account
• cleanUpDB - Set to true to remove the database schemas on the last instance install

dataforum_install.cfg changes

The following properties have been added for -silent install:

• Prefix - The prefix specified in the Identity install
• ServiceAcctUsername - The service Account Username, usually <prefix>ADMIN
• ServiceAcctPwd - The service Account Password
• StartMenuFolderName - The menu folder name to create if installing on Windows
• oldStartMenuFolderName - old Windows start folder name.  Used only when upgrading and you want to rename the start folder

The following properties have been added for -silent uninstall:

• DataBaseAdminName - The name of Database Store Admin account (DBA).  Can be <prefix>ADMIN
• DataBaseAdminPassword - The password of Database Store Admin account
• RetainWorkflows - Set to true to keep all workflows.  Set to false to delete the workflows.

gig_install.cfg changes

There are no changes to the gig_install.cfg file.

Identity Claim

The 'Claim My Account' feature has been renamed to 'Identity Claim'.  All  'Claim My Account' related configurations have been moved from Configuration->Self-Service to the Self-Service->Identity Claim configuration. The new menu option 'Identity Claim'  under the self-service tab will list the Identity Claim Configuration. The product now supports configuring different screens and panels based on the user type just like Self-Registration

The Default Identity Claim configuration will have one default user type. Upgrade will copy the current Claim My Account related configuration values from Configuration->Self-Service to the default identity claim configuration.

Enabled: Indicates whether or not Identity Claim is enabled for the org

User Type Attribute: The display name of the attribute will be used as the label on the first panel in self-service if the  URL didn't have any any type=<value> attribute to determine the user type. If a valid user type name is used as type=<value> in the URL, then the User Type selection panel will not be displayed and the configurations of the specified user type will be used to render the panels.

User Type : Name of the User Type

DisplayType : Display name of the User Type

Claim Screen : The screen to be used for Identity Claim

The Claim Screen, Profile Update Configurations, Notification and Reset Action can be configured for each User Type.

When more than one Identity Claim user type is defined and there is no type=<value> attribute on the URL, the Identity Claim page will look like the following:

After the user has been identified, all the steps the user needs to complete to claim their Identity will be listed.  Previously, only the active step was listed last.

Duo Connector Changes

The Duo connector enhancement is primarily due to the mandatory paging which is going to be enforced by March 2019 as per Duo's documentation.

The changes consist of:

• The introduction of a "Results per page" attribute in the configuration, which enables the user to set the number of records exported per page. This is for internal purpose ONLY which means the full export will still get you entire records, honoring the "Max Results" attribute.
• Earlier the "Max Results" attribute was available as configurable only for Administrator data format. In this release we have extended it for other 2 data formats as well, namely, User and Group. If "Max Results" is set as 0, then all the records will be exported.

User Management Configuration

User Management Configuration now supports configuring different profile update screen, contact and profile verification configurations based on the beneficiary.

The obo rules for requester and beneficiaries can be configured by editing the user management configurations from  Admin UI  -->Self-Service-->User Management.

With the above configuration, the obo 'Requestor 1' can manage profiles of users in 'Marketing' department and users whom he manages. If the selected beneficiary's manager is 'Requestor 1', then  'Bene Screen' will be used as the profile update screen, if the selected beneficiary's job department is 'Marketing', then 'Profile Magmt -Profile Information' screen will be used. If the selected beneficiary falls into both the categories, then the screen of the highest priority will be used. 

If required, each beneficiary type can have screen, contact and profile verification configurations configured at the granular level. The 'View' button under 'User Type Based Configuration' column will bring up the screen below (this is for the second rule with Priority 1).

The above UI adds granular configuration for beneficiaries having 'Requestor 1' as manager. If the beneficiary belongs to 'Sales' department, then the  'Sales Screen' will be used, if the beneficiary is Contractor then 'Contractor Screen' will be used. If the beneficiary is both a Contractor and belongs to Sales department, then Contractor Screen will be used since it has the highest priority. If the beneficiary is neither Contractor nor belongs to Sales department then the 'Bene Screen' from the parent rule will be used. The Contact and Profile Verification also can be configured at the granular level, if the qualified granular level configuration doesn't have any contact/profile verification configuration, then the configuration from parent rule will be used.

Sales Screen

Contractor Screen

Bene Screen

Showing 'Sales Screen' when the Selected Beneficiary belong to Sales Department

Showing 'Contractor Screen' when the Selected Beneficiary is a Contractor

Showing 'Bene Screen' when the Selected Beneficiary is neither a Contractor nor belongs to Sales Department

Compatibility

Java

OpenJDK 8

Database

Operating System

Browser

Fixed defects

List of defects reported by customers or implementation, does not contain defects raised internally.

• Changed the REST API search operation to use straight equals
• Fixed submit button disappearing when using IE11 and making a change on My Profile
• Fixed approval list exception behavior not working as designed when there is no approver found from the dynamic condition
• Fixed LDAP JNDI ChangeType deleteTree not working
• Fixed approval request showing as pending in Self-Service, even after the resource approval request got cancelled
• Fixed performance issue of the configuration hub when creating policies
• Fixed user export performance when using Kerberos connector
• Fixed provisioning events listing listing performance
• Fixed approver not able to approve the self-service resource request under certain circumstances
• Fixed failing chained workflow when chainer workflow passes no data
• Fixed failing process due to tix expiring when performing export of users in Kerberos
• Fixed sponsor search filter performance issues
• Fixed multiple modify workflows being triggered when user modify provisioning events comes in
• Fixed cache issue causing attributes, values and operators to not be recorded in the logs under certain conditions
• Fixed sponsor search filter performance issues
• Fixed workflow instance cleanup janitor process not finishing when process interrupted by a server restart
• Fixed self-service configuration being duplicated after hitting about button
• Fixed Duo connector not handling apostrophes in payloads
• Fixed deletion of workflow instances using a specific date, with an Oracle back-end
• Fixed Active Directory group export with high number of memberships
• Fixed issue with comment not being cleared out in Users tab if one of the modified profile fields requires data verification
• Fixed instructional icon misalignment in dynamic screens
• Fixed Duo connector's behavior so that existing values are retained during a modify operation
• Fixed user match filters not working in the Admin UI
• Fixed Google reCaptcha responsiveness issue
• Fixed password instructional text icon placement
• Fixed login title misaligment
• Fixed ability to clear out preferred suffix
• Fixed date format in dynamic screens not following format configured in locales configuration
• Fixed date format for user coming in through user match feature
• Fixed authentication issue in standalone password reset page when authentication system is configure to be the Identity System
• Fixed dynamic screen sections misalignments
• Fixed value of error code returned when looking up an invalid group using GoogleMD connector
• Fixed issue causing administrator to be logged out when download and uploading workflow .DAT files
• Fixed issue in identity claim process which would skip profile management step
• Fixed clearance of date fields managed through iHub
• Fixed rendering of confirm fields in kiosk dynamic screen
• Fixed label fields misalignments
• Fixed issues occurring during selection of profile verification attributes
• Fixed issue when adding profile verification configuration with same name as contact verification
• Fixed issue with Done button becoming enabled before all mandatory fields are filled out during the Create New User process
• Fixed mislocated 'include self' checkbox on change access page
• Fixed upgrade issue which caused attribute types to not be updated
• Fixed message bundle issue in attribute verification screen
• Fixed issue with flat file connector only supporting one name space
• Fixed exception which occurs when workflow is restarted with no RT_JOB_QUEUE entry
• Fixed issue with duplicate provisioning requests under certain circumstances
• Fixed issue where flat file would not work with nil in the attribute definition
• Fixed issue causing success task not being configurable on flat file configured with XML
• Fixed audit error occurring when changing workflow suspend date
• Fixed blank spaces causing misalignments in profile management UI
• Removed Retry button from confirmation popup after successful password reset
• Fixed GIGs communication issues
• Fixed global variables not being usable as initial values in dynamic screen fields
• Fixed fields missing in SAP connector lookup dialog
• Fixed Report edit in HA environment
• Fixed 'Done' button not enabled when creating new user screen
• Fixed Access Expiry Notifications not being sent under certain conditions
• Fixed Box connector not returning full error message
• Fixed issue when adding Office 365 entitlements
• Fixed 500 server error when setting a password which does not meet password policy through REST API

Latest Identity 7.2.10 Release Notes