Release notes
Connectors
Ethos
Fischer Identity introduces the first version of its Ethos connector. In this initial version, the connector supports the following dataformats for both import and export: Person, Organization, Employee, Student, and Course.
A large number of export-only sub-dataformats have also been introduced.
Cherwell
Fischer Identity introduces its Cherwell connector, with support for user, teams, task, customer, and incident dataformats.
Webex Teams
This connector supports import and export functionalities for both User and Team dataformats. Export of both Roles and Organizations is also supported.
UltiPro
The Fischer Identity UltiPro connector supports both the Employee and Report dataformats.
The Employee dataformat supports export, lookup and import of Person data and user-defined fields.
The Report dataformat supports export and lookup using report services.
Oracle HCM
External identifier
Support for External Identifier import has been added to our Oracle HCM connector.
Worker data format
The Oracle HCM connector has been enhanced to support the Worker data format. The Worker dataformat is supported for export, lookup and import. Worker dataformat import is supported for the sub-objects Addresses, Emails, Legislative-Info, Names, Phones and WorkRelationships. Another export-only data format named HR Combined has been added to fetch Worker and Employee data together from a single data format.
Workday - Additional worker attributes
Support has been added for both Hire_Rescinded and Job Profile ID attributes.
Help Desk - Accounts actions
The "Enable/Disable Accounts" functionality that is available to Help Desk users has been split into two distinct actions. This will provide more flexibility and control to administrators, and will allow different groups of Help Desk users to either enable accounts, disable accounts, or both.
User ID Recovery process
The Forgot User ID feature has been enhanced so that the end-user can be redirected either to a custom URL or to the origin page, depending on where the end-user initiated the process: the login page or the kiosk page.
Duo authentication
Landline management
End users can now use landlines to authenticate via Duo when they log in, use the kiosk, or claim an account. End-users may also select landline when activating Duo as an optional second factor on the My Profiles Manage Security page.
Support for Help-Desk users to manage end-users' landline numbers has also been added as part of this enhancement.
Emergency codes
End users can now define their own emergency bypass codes, which they may use in case they forget their Duo authentication device (phone or hardware token). Configuration of end-user bypass code usage is defined on the Authentication configuration page in the Admin UI. When Duo Security is selected as the authentication type, a 'View' or 'View for Duo' button will appear in the 'Additional Properties' column. Clicking the 'View' button brings up the following screen, where the end user's bypass configuration can be defined:
Help Desk users can also create a one-time-use emergency bypass code for a Duo user. This feature is controlled by a new setting on the User Management detail page in the Admin UI. Listed below the 'Manage Security' feature is 'Manage Duo Bypass Codes'. If this feature is selected, Help Desk users will see the 'Manage Security' option. Please note that if a Help Desk user creates an emergency code, it will erase all emergency codes that the user has defined.
The duration of an OBO-created bypass code and the number of times it may be used are controlled by two new configuration properties located in the Duo Security Authentication section of the Configuration menu in the Admin UI:
- OBO Bypass Code Duration - Defines the number of minutes the code is valid.
- OBO Bypass Code Reuse Count - Defines the number of times the code may be used.
Hardware tokens and U2F tokens via Duo
Fischer Identity has introduced support for hardware tokens, both HOTP and U2F. End-users will now be able to enroll their hardware tokens during the enrollment process via the Claim Identity page. They will also be able to configure and manage their hardware token(s) via the "Manage Security" tab in our Self-Service portal.
Additionally, we have added the ability for Help-Desk users to manage hardware tokens for their user population. This includes the re-sync capability, which covers cases where an end-user's hardware token has gone out of sync.
SOAP Call compression
SOAP call compression support has been added. This is particularly useful for large payloads, such as full export workflows or large imports. Compression uses GZip. If the client signals support through an HTTP header, the server sends back its payload compressed. This ensures the change is non-breaking: older Gateways will not compress, and will still be able to communicate with Identity / DataForum without compression.
Observed size reductions on large payloads are about 90% on average.
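The negotiation described above, as an added example (not Identity/DataForum code): the server compresses only when the client's Accept-Encoding header offers gzip, so an older Gateway that sends no such header gets the unchanged payload. Header names and the sample envelope are assumptions; the standard Accept-Encoding/Content-Encoding pair is used for the signal.

```python
from __future__ import annotations
import gzip

# Constructed sample: a repetitive SOAP export payload of the kind a full
# export workflow returns (not a real Identity/DataForum message).
SAMPLE_ENVELOPE = (
    b'<?xml version="1.0"?>'
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b"<soap:Body><ExportResponse>"
    + b"".join(
        b"<Person><Id>%05d</Id><Status>ACTIVE</Status><Org>Main Campus</Org></Person>" % i
        for i in range(400)
    )
    + b"</ExportResponse></soap:Body></soap:Envelope>"
)


def accepts_gzip(request_headers: dict) -> bool:
    """Parse Accept-Encoding ("gzip, deflate;q=0.5") and report whether gzip is acceptable.

    A q=0 parameter means the client explicitly refuses that encoding."""
    raw = request_headers.get("Accept-Encoding", "")
    for token in raw.split(","):
        name, _, params = token.partition(";")
        if name.strip().lower() != "gzip":
            continue
        q = params.strip().lower()
        if q.startswith("q="):
            try:
                return float(q[2:]) > 0
            except ValueError:
                return False
        return True
    return False


def build_response(request_headers: dict, payload: bytes) -> tuple[dict, bytes]:
    """Server side: compress only when the client asked for it, otherwise send as-is."""
    if accepts_gzip(request_headers):
        return {"Content-Type": "text/xml", "Content-Encoding": "gzip"}, gzip.compress(payload)
    # Older gateway: no Accept-Encoding, so the exchange is byte-for-byte unchanged.
    return {"Content-Type": "text/xml"}, payload


def read_response(response_headers: dict, body: bytes) -> bytes:
    """Client side: undo the encoding the server declared; refuse encodings we do not know."""
    encoding = response_headers.get("Content-Encoding", "identity").lower()
    if encoding == "gzip":
        return gzip.decompress(body)
    if encoding == "identity":
        return body
    raise ValueError(f"unsupported Content-Encoding: {encoding}")


def size_reduction(payload: bytes) -> float:
    """Fraction of bytes saved by gzip for this payload (0.9 means 90% smaller)."""
    return 1.0 - len(gzip.compress(payload)) / len(payload)
```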
Hostname Installation Parameter
The DataForum and Identity installations now take the hostname as an optional parameter. For the silent install the parameter is 'WebServerHost'.
On install, it verifies that the combination of hostname and port is not already used by an existing server.
The IdP installation already took the hostname as an argument. It now also verifies that the hostname is unique. For the IdP the port is not configurable.
Shibboleth IDP 3.4.5
Shibboleth has been upgraded to version 3.4.5. A security advisory was issued for version 3.4.4 and below.
Logging changes
Renamed the Infinispan Cache log file from TreeCacheLog.log to HaCacheLog.log.
Infinispan Cache log level is now configurable in the Admin UI.
Third Party Library Logging Configuration
Third-party library loggers are now configurable. Two configuration properties have been added in the Admin UI to enable/disable, and set the log level of, the loggers of (certain hand-picked*) third-party libraries we use in the product. Once enabled, the logs of the configured level are written to the main server log file. Two different sets of properties exist for Identity and Provisioning.
* At the moment, only "org.springframework" and "org.reflections" are included.
Latin American Spanish
Self-Service can now be configured to display in Latin American Spanish. "Spanish (Latin American)" will now be listed as an available locale in the Admin UI's Configuration -> Configuration -> Locales section.
End users must configure their browser to prefer Latin American Spanish (es_419) as their language if they want the login/kiosk/identity claim/sms reset pages to default to this language.
Additional datamapper rule validation
The source and target attributes used in datamapper rules are validated, and if any attribute is invalid (such as the use of attributes not selected as source/target), the UI shows a popup warning. The warning lists the invalid data mapper rule with its line number, and it is also logged to designer.log. This is only a warning and does not prevent workflow deployment. The validation is triggered on deploying the workflow and on run-test.
Sample warning message:
Log corresponding to the warning:
2020-01-10 16:05:53,172 [AWT-EventQueue-0] - [DataMapper]:Target attribute [PersonalData->Names->LegalName.MiddleName] not valid in [Concat Value] rule for mapper [Data Mapper] on row : 2
2020-01-10 16:05:53,172 [AWT-EventQueue-0] - [DataMapper]:Source attribute(s) [PersonalData->Names] not valid in [Equals] rule for mapper [Data Mapper] on row : 4
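A parser for the designer.log warning lines shown above, added here as an example (not part of the product): it pulls each warning into a record and groups them per mapper row, which is handy when auditing a large designer.log after a deployment. The sample log is constructed from the two lines on this page plus an unrelated line.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Format of the [DataMapper] validation warning as written to designer.log.
WARNING_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] - \[DataMapper\]:"
    r"(?P<side>Source|Target) attribute(?:\(s\))? \[(?P<attribute>[^\]]+)\] "
    r"not valid in \[(?P<rule>[^\]]+)\] rule for mapper \[(?P<mapper>[^\]]+)\] "
    r"on row : (?P<row>\d+)$"
)

# Constructed sample: the two warnings from this page and one unrelated line.
SAMPLE_LOG = """\
2020-01-10 16:05:53,172 [AWT-EventQueue-0] - [DataMapper]:Target attribute [PersonalData->Names->LegalName.MiddleName] not valid in [Concat Value] rule for mapper [Data Mapper] on row : 2
2020-01-10 16:05:53,172 [AWT-EventQueue-0] - [DataMapper]:Source attribute(s) [PersonalData->Names] not valid in [Equals] rule for mapper [Data Mapper] on row : 4
2020-01-10 16:05:54,001 [AWT-EventQueue-0] - Workflow deployed successfully
"""


@dataclass(frozen=True)
class MapperWarning:
    timestamp: str
    side: str        # "Source" or "Target"
    attribute: str   # attribute path as printed, e.g. PersonalData->Names
    rule: str        # rule type, e.g. Equals or Concat Value
    mapper: str
    row: int


def parse_mapper_warnings(log_text: str) -> list:
    """Return every [DataMapper] validation warning found in the log text, in order."""
    found = []
    for line in log_text.splitlines():
        m = WARNING_RE.match(line.strip())
        if m:
            found.append(MapperWarning(m["timestamp"], m["side"], m["attribute"],
                                       m["rule"], m["mapper"], int(m["row"])))
    return found


def group_by_row(warnings: list) -> dict:
    """Map (mapper, row) -> list of 'Side: attribute' strings, so one rule shows all its bad attributes."""
    grouped = defaultdict(list)
    for w in warnings:
        grouped[(w.mapper, w.row)].append(f"{w.side}: {w.attribute}")
    return dict(grouped)
```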
Compliance
The re-certification process for unassigned accounts has been enhanced. Fischer Identity's re-certification feature now provides different options for viewing the certification data, and more control over the re-certification process for unassigned system certification.
Granular re-certification of unassigned entitlements
Previously, re-certification of unassigned accounts was done at the account level, and any action on the account was reflected on the entitlements tied to that account. More granularity is now offered by allowing remediation action to be taken individually on each entitlement the account possesses. The accounts view with options to take remediation actions is shown in the screenshot below. Entitlement certification also has its own certification history, as account certification had in previous versions.
New view of accounts and entitlements
The re-certification view used to follow an account-first approach, where the entitlements of each account were listed as an expandable section under each account. We have enhanced the end user view to support an alternate view where Entitlements are the top level and all accounts having that entitlement are listed beneath.
Support for entitlement only re-certification job for unassigned Systems
We have enhanced the feature with the ability to certify entitlements only, by introducing a job-level configuration that marks the campaign as an entitlement-only certification campaign. This option is selectable only when configuring an unassigned system certification job. A user can check the Certify Entitlement Only checkbox in the Unassigned Chain of Trust selection area to make the job perform entitlement-only certification.
In this case there is no Accounts view; the Entitlements view is shown by default, which is why the drop-down used to toggle between the views is not displayed.
Support for configuring resource owners as certifiers
The certifier configuration area has been enhanced to support configuring resource owners as certifiers. We have introduced a new radio button option for the Resource Owner type certifier, as shown in the UI below.
This type of certifier can be picked only in unassigned Chain of Trust creation, which means it can be used in Unassigned Systems re-certification campaigns only.
The system selection mechanism has an additional facility to select resources of interest, or select all resources, whose resource owners will be considered as the certifiers. The certifier creation screens are listed below. The pick resource button takes you to the resources listing page, where the user can select from all resources of the expanded system.
Solution changes
URL Redirects Disabled for SOAP calls
For increased security, our SOAP calls will no longer follow HTTP redirects. Reference: CVE-2019-0227
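What "not following redirects" looks like in a SOAP client, as an added example that is not the product's code: the client treats any 3xx answer as an error rather than a hop, so the Location target is never contacted. The stub endpoint, its paths and the envelope are constructed for the demonstration.

```python
import http.server
import threading
import urllib.request


class RedirectRefused(Exception):
    """Raised instead of following a 3xx Location."""


class RefuseRedirects(urllib.request.HTTPRedirectHandler):
    # urllib calls this to build the follow-up request; raising here means the
    # client never issues a request to the Location target at all.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise RedirectRefused(f"{req.full_url} answered {code}; not following to {newurl}")


def soap_post(url: str, envelope: bytes) -> bytes:
    """POST a SOAP envelope; a redirect is an error, not a hop."""
    opener = urllib.request.build_opener(RefuseRedirects)  # replaces the default redirect handler
    req = urllib.request.Request(url, data=envelope, method="POST",
                                 headers={"Content-Type": "text/xml; charset=utf-8"})
    with opener.open(req, timeout=5) as resp:
        return resp.read()


def redirect_is_refused() -> bool:
    """Offline check: the handler raises instead of producing a follow-up request."""
    req = urllib.request.Request("http://127.0.0.1/soap", data=b"<x/>", method="POST")
    try:
        RefuseRedirects().redirect_request(req, None, 302, "Found", {}, "http://internal.example/other")
    except RedirectRefused:
        return True
    return False


class _StubSoapEndpoint(http.server.BaseHTTPRequestHandler):
    """Constructed endpoint: /soap answers normally, /redirect tries to send the client elsewhere."""
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path == "/redirect":
            self.send_response(302)
            self.send_header("Location", "http://internal.example/other")
            self.end_headers()
            return
        body = b"<soap:Envelope/>"
        self.send_response(200)
        self.send_header("Content-Type", "text/xml")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):  # keep the demonstration quiet
        pass


def demo() -> tuple:
    """Run the stub on loopback; return (normal answer, whether the redirect was refused)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _StubSoapEndpoint)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        answer = soap_post(f"{base}/soap", b"<soap:Envelope/>")
        try:
            soap_post(f"{base}/redirect", b"<soap:Envelope/>")
            refused = False
        except RedirectRefused:
            refused = True
    finally:
        server.shutdown()
        server.server_close()
    return answer, refused
```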
Install/Upgrade Changes
A dedicated folder now holds all non-distributable jars. The folder is named 'ext' and is located under <install_location> at the same level as the jars folder (under the IdM/Provisioning/gig folder, depending on the install type). If any non-distributable jars are currently in use, then prior to upgrading to 7.4.0 this 'ext' folder must be created manually and all non-distributable jars (such as ojdbc.jar, PeopleSoft jars, etc.) copied into it.
The upgrade deletes all files from the 'jars' and wars/<install_type>/WEB-INF/lib folders and copies ONLY the jars packaged with the installer.
For fresh 7.4.0 installs, there is an empty 'ext' folder in the installer binaries. Any non-distributable jars required by the installer (ojdbc.jar for an Oracle install) should be placed in this 'ext' folder before starting the installer. The installer copies all jars from that ext folder to the designated 'ext' folder described above: <install_location>/ext
In short, <install_location>/ext is the only location in which to keep the non-distributable jars.
There is no need to copy the non-distributable jars to the 'jars' and WEB-INF/lib folders; all jars in the <install_location>/ext folder are included when building the war. So, if a non-distributable jar needs to be updated, just place it in the <install_location>/ext folder and rebuild the war.
Connectors
We removed old connected system types from our database: JIRA, IBM AS400, TAO, MSSQL2005, RACF, Moodle, Moodle2OKTech, and LiveAtEDU. As a result, connected systems of the types mentioned above will need to be removed from the Admin UI prior to upgrading.
MySQL Connector Driver
The MySQL connector has been updated with a new version of the JDBC driver class. Upon upgrade, the MySQL JDBC driver needs to be updated to version 8.0 or higher. The MySQL driver is not shipped as part of the product due to license restrictions.
Fixed defects
This list covers defects reported by customers or implementation teams; it does not include defects raised internally.
- Fixed notes section not displaying notes in Users tab.
- Fixed issue with policies which were requested and pending approval having their inherited policies canceled if a Policy Evaluation occurs before approval.
- Fixed incorrect time for workflow failure notifications.
- Fixed issue where requesting multiple resources during a self-service request resulted in the Enter key defaulting to the first 'remove resource' button.
- Fixed issue with workflow instance page showing multiple active directory instances, in the Admin UI.
- Fixed data validation error message not displaying if the field is not editable.
- Fixed issue with user being sent back to PIN code step when declining acceptable use message in Kiosk when reaching it through Login Tile.
- Fixed issue with password expiry notifications being sent twice.
- Removed Workday old jar files.
- Fixed issue where mailboxes cannot be removed using Office365 connector.
- Fixed issue with workflow debug files showing different data than the deployed mapper logic.
- Fixed issue with delete pending policies getting cancelled when the policy evaluation is skipped.
- Fixed issue with delete type approvals in pending state being cancelled when a policy evaluation occurs.
- Fixed issue with import process not bringing over the Contact Verification notifications.
- Fixed inability to delegate approval.
- Fixed entitlements of type GroupOfName and PosixGroup were not corrected on rename.
- Fixed issue with user being unable to login to self-service if the user doesn't qualify for any self-profile update rules.
- Fixed date picker calculating max end date incorrectly.
- Fixed Office 365 connector not removing forwarding.
- Fixed username change not modifying OpenLDAP group memberships.
- Fixed date picker calculating max date incorrectly.
- Fixed inability to delegate approver.
- Fixed AD-V2 connector not working if sAMAccountName is set as the key attribute.
- Fixed access expiry notifications going out duplicated.
- Fixed workflows failing periodically when set up as asynchronous.
- Fixed notifications sent via workflow not going out.
- Included custom view for Acceptable Use Policy.
- Supported grace period during password expiry check at login.
- Fixed search type that had changed from "starts with" to "contains" while searching for resources in Self-Service.
- Corrected owner ID for account enable/disable happening internally.
- Included missing account management audit events from resource workflows.
- Included view to fetch users who haven't claimed their identity.
- Fixed issue with changes to password policy not being reflected in database
- Fixed issue with user deprovisioning not removing policy relationships.
- Fixed error generated in logs by Active Directory connector.
- Fixed issue with workflow not honoring TransactionProcessEntry set to 2.
- Fixed issue with duplicate workflow instances launched in policy load mode.
- Fixed issue with overwrite option not being honored during user load resulting in duplicate FUE_REL entries.
- Fixed issue with warning popup being displayed under user profile when switching user even if no changes were made.
- Fixed issue with expired password when logging in to Studio.
- Fixed format issue with calendar widget.
- Introduced new view to include both resource_name and policy_name available for reporting around user access details.
- Fixed issue with policy load mode execution creating duplicate FUA association for account workflows.
- Fixed issue with workflow being built with version 7.2 and deployed with version 7.3.
- Fixed issue with idp key synchronization.
- Fixed cache of dependent resources not being updated resulting in resource dependencies not working.
- Added support for date change tokens as the value of AsOfEffectiveDate parameter in Workday connector.
- Fixed conditional rules evaluated to true for empty String value.
- Fixed workflow queue hung due to suspended workflows.
- Fixed Azure AD export filter losing configurations.
- Fixed issue with Compliance Assessment of type Resource failing.
- Fixed issue with key store provider throwing exception when applying license.
- Fixed org import creating duplicate config reports when import is set to "overwrite" mode.
- Fixed issue in Google MD connector when adding custom attributes under a certain category to a user who doesn't have any attribute under that category.
- Fixed issue in Google MD connector when adding a multi-valued custom attribute.
- Fixed policy workflow being set to approval pending on restart if the event was cancelled. Fixed the policy workflow status not being updated if the task process object is not available. Set the event and workflow status if the requestor job could not be found. Fixed the pending identity delete being cancelled because of a delete dependency on other policies waiting in a grace period. Fixed rename handler throwing an exception when getting the account_id if there are multiple accounts for the system.
- Fixed issues when trying to change manager from "Users" tab.
- Fixed issues occurring when saving a compliance job.
- Fixed duplicate issues match records.
- Fixed removal approval which was launched for policies even though the add approval was cancelled.
- Fixed issue occurring when different rules used in an advanced expression have different logical relations.
- Added support for JobProfileID in Workday connector.
- Fixed UI issue where individual checkboxes of connected systems are disabled during the password reset process by a Help Desk user.
- Fixed issue with UI Management screen not displaying properly in the Admin UI when using Internet Explorer.
- Introduced new property InterGIGCommUseSSL to specify whether the inter gig communication should use SSL.
- Removed obsolete resource dependency code which was leading delete events to remove policy while ignoring resources within policy.
- Fixed issue with quick search not returning users having a space in their first or last name.
- Fixed policy evaluation which was not accounting for records with null value when using advanced expressions.
- Fixed password rules disappearing in "My Accounts" page after a successful reset.
- Fixed JDBC workflow not updating failure count.
- Fixed Self-Service request janitor process to account for future dated events.
- Fixed the request type combo to allow for search against Enable access requests.
- Fixed installer issue which wrongfully led certain UI files to be reported as customized.
- Fixed password sync to systems in the PEC that have a reset status of failed or a null password change date, regardless of whether the system is visible in the PEC.
- Fixed auto-select behavior in password sync feature if only one system is available.
- Fixed the self-service event status not updated to cancelled if the pending requested policies were cancelled by the provisioning engine when an evaluation qualifies for those policies.
- Fixed workflow path value being truncated.
- Fixed lookup resulting in incorrect return code in Omnilert connector.
- Fixed escaping issue with user load filter.
- Fixed workflow search from Studio failing when the search criteria match one or more trigger names.
- Fixed executing stored procedure not escaping strings.
- Fixed Studio failing to refresh the systems view when changing orgs.
- Added support for making an elevated call to fix AD home folder move failures caused by Windows files.
- Fixed data mapper 'Clear Target' not working.
- Fixed workflow queue hanging when lots of workflows are queued.
- Fixed issue with dissociating entitlement of type Role.
- Fixed issue with delta process returning all records as modified under a specific scenario.
- Fixed pressing the enter key not doing a search of user's resources.
- Fixed scenario where scheduled workflow goes to running state but does not create tasks.
- Fixed issue with unlocking operation with AD V2 connector.
- Fixed SMTP connection issues when communication occurs through the GIG.
- Fixed access expiry notification import/export issues.
- Fixed issue when attempting to test connect a system that is configured to have communications go through the GIG, after modifying the system's parameters.
- Fixed issue with Key Status being frozen in 'Rotating' state when a key status with 'Rotation Failed' is rotated and then fails again.
- Fixed PSA user group evaluation being case sensitive for equals operator.
- Fixed user life cycle report performance issues.
- Fixed workflow deployment sometimes resulting in share not being updated.
- Fixed Self-Service calendar date picker "CANCEL" button not working in IE.
- Fixed minimum password age not getting refreshed when help desk with no email resets the password of a user.
- Fixed performance issue in request access.
- Fixed Workday connector to support Worker attribute JobData->Worker.HireRescinded in export and lookup.
- Fixed OOM issues due to too many PowerShell sessions being opened.
- Fixed issue with CrashPlan connector trying to make a connection in disconnected mode, resulting in a connection attempt in ProvServer/GIG even if there is a GIG association.
- Fixed AD home folder move failing on certain Windows files, causing manual interaction.
- Fixed issue with HR-Combined export when personal data is missing for a person. Enhanced SAP connector lookup to support HR data formats.
- Fixed issue with unlocking operation with AD 2008 / Exchange 2010 Referral connector.
- Fixed SQLServer trust certificate issue.
- Fixed issue with character normalization “Ł” and “ł”.
- Fixed workflow redeployment not updating the share.