Release notes
User Profile
Added 38 more columns to the FUP table: Other_61-Other_88 and Other_Date_11-Other_Date_20. Also added the Student-Email1 and Student-Email2 attributes.
Risk Score
A risk score has been introduced at the Resource level. The Risk Score attribute is now supported in the Configuration Info mapper rule.
Access
A new resource owner property for USSP groups and resources has been introduced. When this property is set for a tree node, requestable resources are listed for that node only if owned.
Acceptable Use
We have changed the behaviors of the Acceptable Use messages so that they are displayed immediately after identification in SMS Reset, Kiosk, and Identity Claim processes.
Duo
Help Desk
Help-Desk users now have the ability to re-sync hardware tokens, to send Duo activation codes, and to add mobile and tablet devices for end users.
Identity Claim
Introduced the ability for end-users who qualify for Duo as optional to enroll or skip enrollment during the Identity Claim process.
Manage Security
The user experience of our Manage Security tab, in Self-Service, has been revisited.
Moved status link that would popup dialog with re-activation QR code to an icon.
Added icon with alt text to bring attention to devices that are not linked.
Removed activate / deactivate buttons from manage security if factor is Duo authentication.
Added blank instructional paragraphs for device lists that can be customized through message bundles.
Ability to print bypass codes
End-users now have the ability to print their bypass codes upon generation.
Post process workflow upon enrollment in Duo
Administrators now have the ability to configure a post process workflow which will be triggered upon adding or removing a device in Duo.
This post-process workflow will be triggered upon association of a phone, landline, tablet, or hardware token device. The workflow will also be triggered upon disassociation of those devices and U2F tokens.
Ability for the administrator to configure which devices end-users can register with Duo
Administrators now have the ability to configure which device types end-users can link when registering into Duo and when managing their devices under Manage Security.
The checkboxes are designed to replicate the options that the Duo server provides to its admins.
The following devices are added to the list of available devices for end users if any of the following options are selected:
- Mobile Phone : "Duo Push", "Duo Mobile Passcodes", "Phone Callback", or "SMS Passcodes" are selected.
- Tablet : "Duo Push", or "Duo Mobile Passcodes" is selected.
- Landline : "Phone Callback" is selected.
- Security Key : "Security Key" is selected.
- Hardware Token: "Hardware Token" is selected.
On upgrade, all options will be enabled by default, since all options were available before the upgrade. Client administrators can filter out options after upgrading by navigating to "Configuration" -> "Authentication" and selecting "Additional Options" on a Duo Authentication rule.
Please note that configurations at the authentication rule level should be the same as configuration in the Duo server.
Ability for help-desk users to add a new device for an end-user
Help-desk users now have the ability to resend an activation code and a Duo app link to an existing device on the end-user profile, so that in cases where an end-user has a new device, the activation of Duo can be accomplished through Fischer Identity by help desk users.
The help desk user will be able to choose the type of device to add for the end-user.
An activation link will be sent to the end-user by e-mail, using the profile attribute configured in "Activation code notification e-mail attribute".
Added hardware token re-sync for help-desk users.
Added mobile and tablet device types to the list of available devices for help desk users.
Help Desk users are now able to send Duo activation codes to end-users they can manage.
CKEditor
The CKEditor has been updated. The new version does not cause a loss of HTML code on opening the page. It also provides a variety of extra plugins for the RichText editor that allow insertion of images, div containers, additional styling options, as well as a source code view.
Connectors
Workday
Changes to support additional worker attributes during worker export. Those attributes are related to WorkerData->EmploymentData, WorkerData->EmployeeContractsData, WorkerData->PersonalData, as well as WorkerData->RoleData.
Box Connector
Box will no longer provide support for products and services that rely on the Transport Layer Security (TLS) 1.1 encryption protocol as of March 31, 2020. We have updated the Box SDK to version 2.44.1 in anticipation of this change.
Drupal connector
Our Drupal connector has been decommissioned.
Oracle HCM connector
Added effective date support for Oracle HCM export and lookup.
Webex Teams connector
Changes to support user rename using WebEx connector.
Canvas LMS connector
Introduced new data format to manage enrollment terms. Introduced new lookup option to fetch entry using SIS ID. All attributes supported by the API are included for user and course data formats.
We have extended the abstract REST connector: the filter is enhanced to support more API options, and MaxResults and ResultsPerPage are now configurable.
Added the support below to avoid backward compatibility issues with old workflows:
1. Change a login by providing original_uniqueId.
2. Support Multiple values for communicationEmailAddresses.
3. Avoid duplicate entries when usersByCourseId or coursesByUserId option is used.
4. Merge the user data if same user is under multiple accounts.
Blackboard connector
Changes to use Blackboard server version to decide the API version to be used.
Changes to support additional filter options for Blackboard REST connector.
SAP Connector Productive Password Via Workflow
Introduced an option to set Productive Password via workflow. Introduced a new password attribute (PASSWORD.PRODPWD) to provide productive password. If this attribute and initial password attribute are provided, productive password is set for the user.
SAP HR Date Specifications
SAP HR combined data format is enhanced to support Date Specifications (0041) Info.
Paylocity connector
We have introduced a connector for Paylocity, an HR and Payroll software. This new connector offers support for Employee Export, Lookup and Import.
Ascentis HR connector
We have introduced a connector for Ascentis HR, a Human Resource software. This new connector supports Employee export, lookup and import.
Oracle HCM connector
Introduced a new data format in Oracle HCM Connector to fetch changes using the Atom Feeds available with HCM API.
Changes to support export and lookup of Organization Extra Information.
Blackboard REST connector
This new connector supports export as well as creation, modification and deletion of users and courses. It also supports the export of InstitutionRole, SystemRole, and CourseRole objects.
Access Expiry Configurations
The access expiry configurations have been moved from the configuration drop down in the Admin UI, to its own function menu under the Configuration tab.
The feature now allows certain accesses to be excluded from the access expiry notification.
The excluded accesses can be configured in the Access Filter for each user type.
The above access expiry settings have no exclusion for the On-Behalf-Of Users user type. For the Approval Administrator user group, there are some excluded accesses.
Clicking the View button in the 'Access Filter' column will bring up the below UI, where the exclusions are configured.
Change Access Configurations
The self-service configuration detail screen is modified to specify different on behalf of rules for request and change access. The previous transfer access on behalf of rules has been merged to the new Change Access on behalf of rules.
The feature now supports configuring granular change access options for each requestor type. Each requestor type in the self-service configuration(s) should have the change access options configured in the UI below. The feature is enhanced to include the resources available for change access. Previously, this was configured through the 'Change Access Display Options' property under Configuration->Self-service. This property is now retired, and the resources can be configured for each requestor type.
The resources available for each requestor type can be configured from the below UI by clicking the View button of the 'Available Resource' column.
Allow edit of new user
Added support to allow request access users to go back and edit/change the attributes of a new user that they are requesting before clicking the submit button. After clicking the create new user button and filling out the dialog, if they click the person icon next to the user in the list, then the create new user dialog will be re-displayed with the previously entered information. This allows users to correct any mistakes on the new user information before submitting the request.
Implementation change in configuring report duration
Report duration configuration had the following issues:
- User didn't have any visibility on which report column the duration is based on.
- If multiple date columns are present in a report, user did not have the option to select the column to be used for report duration criteria.
- If no date columns were selected in a report, entire records since inception were shown.
To handle the above scenarios, we have introduced:
- A date column selection mechanism which can be used for selecting the column to be used for report duration criteria.
- UI change to not show duration configuration element if no date field is present.
- Added date range and duration column information in the generated report.
The report configuration UI is modified to add a new section (Report period Criteria) as follows to handle the report duration field configuration.
The report instance is also modified to have a description of the date range of duration of report and the field on which the duration filter/condition is applied.
Manage Provisioning events option for client administrators
The provisioning events listing page is enhanced with the facility to manage the events. Users can now Start/Stop/Delete events based on each event's current status.
The provisioning events section of Client administrator configuration is provided with an additional checkbox to enable managing of provisioning events:
The users/groups who have the checkbox checked will be able to see the start, stop, and restart buttons in the "Provisioning" tab in Self-Service.
My availability Changes
The My Availability feature in My Profile is enhanced with the following changes:
- Populate the end date field as well when setting the start date. If the end date is already a date after the new start date, it won't be changed.
- Remove the start immediate option, as the same can be attained by setting the current date for the start date and null for the end date. Validations will be adjusted.
- When a future date was set as the unavailability window start date, the button was incorrectly showing as 'make me available'. This is fixed as part of this enhancement.
- Make the dates always visible so that users have an idea of what dates they have set.
- Provision to edit already set dates.
JDBC API Data Format - Set Null on Empty
If any attribute value is empty/NULL or unassigned, null can be set for this API parameter when executing an import task with the JDBC API data format. This is also applicable to ‘Execute Stored Procedure’ mapper rule execution.
We have added a ‘Set Null on Empty’ checkbox in the “Add/Modify API Variable” dialog, which determines whether null is set in the API variable for the import task or stored procedure. By default the checkbox is unchecked.
Configuration hub - Policy re-evaluation
Added option to re-evaluate policies when imported through configuration hub. Re-evaluation is scheduled for the next Resource Change Processing Time when the plug-in property is set to true.
Get Identity Info Mapper rule
Added two check boxes to handle when attribute/variable value is null.
- Fail the rule when attribute/variable value used in a condition is null.
- Exclude null valued attribute/variable(s) while building condition.
Multiple Managers
Added support for multiple managers. The manager selection pages from the admin and self-service UIs have been updated to allow picking more than one manager and to set one of the managers as the primary. This enhancement also changed where the manager information is stored.
Sections below will provide more details of this enhancement.
Manager Repository
Managers are now stored in a separate table, so the MANAGER_PROFILE_ID and MANAGER_SYSTEM_ID columns from the FISC and SYNC tables have been removed.
Profile Table | Manager Table | Comments |
FISC_USER_PROFILE | FUP_MANAGERS | Profile is linked to FUP using pbwuserid, manager's profile is linked to FUP using manager_pbwuserid. |
FISC_USER_PROFILE | FUP_MANAGERS_TMP | Profile is linked to FUP using pbwuserid, manager_profile_id and org_id are used to identify the manager in FUP. This is a TMP table to store the manager info for the workflow driven/initial load scenario when the manager has not yet been provisioned. Whenever the manager is provisioned in Fischer, records from this table will get converted to FUP_MANAGERS. Any manager(s) in the TMP table will not be shown in the UIs since the manager(s) don't exist in Fischer. |
FISC_USER_PROFILE_NEW | FUP_MANAGERS_NEW | Profile is linked to FUP_NEW using pbwuserid, manager's profile is linked to FUP using manager_pbwuserid. |
SYNC_USER_PROFILE | SUP_MANAGERS | Profile is linked to SUP using syncuid, manager_profile_id and org_id are used to identify the manager in SUP. |
Manager Pay Load and Product Attributes
Job-Manager: Primary Manager's source profile_id
Job-Managers: All managers in multi-level as given below.
To support old workflows, the Job-Manager attribute is expected to have the profile_id of the primary manager.
Multiple managers can be passed in the pay load as:
<Job-Managers>
<Job-Manager><changetype>modify</changetype><pbwuserid>-103292774935247709744033967819792038049</pbwuserid><primary>false</primary></Job-Manager>
<Job-Manager><changetype>add</changetype><pbwuserid>133323543693807658467703566600449481679</pbwuserid><primary>true</primary></Job-Manager>
<Job-Manager><changetype>add</changetype><pbwuserid>902591644087899877486069162938635467</pbwuserid><primary>false</primary></Job-Manager>
</Job-Managers>
The payload to the resource workflows will have the primary manager's spid as Job-Manager and all managers as Job-Managers in the format above (the changetype of each manager will be none, since all current managers will be included).
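The following is an added example, not code from Fischer or from the product: a Python check that an integrator could run on a Job-Managers payload in the format above before handing it to a workflow. The function names are hypothetical, the "exactly one primary when any manager is listed" rule is an assumption that mirrors the Manager Search dialog behaviour described under Dynamic UI, and refusing a DOCTYPE is a choice made by this example.

```python
import xml.etree.ElementTree as ET

# Sample copied from the Job-Managers payload shown in these release notes.
SAMPLE = (
    "<Job-Managers>"
    "<Job-Manager><changetype>modify</changetype>"
    "<pbwuserid>-103292774935247709744033967819792038049</pbwuserid>"
    "<primary>false</primary></Job-Manager>"
    "<Job-Manager><changetype>add</changetype>"
    "<pbwuserid>133323543693807658467703566600449481679</pbwuserid>"
    "<primary>true</primary></Job-Manager>"
    "<Job-Manager><changetype>add</changetype>"
    "<pbwuserid>902591644087899877486069162938635467</pbwuserid>"
    "<primary>false</primary></Job-Manager>"
    "</Job-Managers>"
)

# Only the changetype values that appear in the release notes; anything else
# is reported for review rather than guessed at.
KNOWN_CHANGETYPES = {"add", "modify", "none"}
REQUIRED_FIELDS = ("changetype", "pbwuserid", "primary")


class PayloadError(ValueError):
    """Raised when the document is not a well-formed Job-Managers payload."""


def parse_job_managers(xml_text):
    """Parse a Job-Managers document into a list of manager dicts."""
    # The format needs no DTD, so refuse one instead of letting the parser
    # process entity definitions supplied by the sender.
    if "<!DOCTYPE" in xml_text:
        raise PayloadError("DOCTYPE declarations are not accepted")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise PayloadError(f"not well-formed XML: {exc}") from exc
    if root.tag != "Job-Managers":
        raise PayloadError(f"unexpected root element {root.tag!r}")

    managers = []
    for node in root:
        if node.tag != "Job-Manager":
            raise PayloadError(f"unexpected element {node.tag!r}")
        fields = {child.tag: (child.text or "").strip() for child in node}
        missing = [name for name in REQUIRED_FIELDS if name not in fields]
        if missing:
            raise PayloadError(f"Job-Manager is missing {missing}")
        try:
            # Python ints are arbitrary precision. The sample ids are signed
            # values far outside the 64-bit range, so never narrow them.
            user_id = int(fields["pbwuserid"])
        except ValueError as exc:
            raise PayloadError("pbwuserid is not an integer") from exc
        if fields["primary"] not in ("true", "false"):
            raise PayloadError("primary must be 'true' or 'false'")
        managers.append({
            "changetype": fields["changetype"],
            "pbwuserid": user_id,
            "primary": fields["primary"] == "true",
        })
    return managers


def check_managers(managers):
    """Return a list of problems found; an empty list means none."""
    problems = []
    primaries = [m for m in managers if m["primary"]]
    # Assumption: same rule as the Manager Search dialog, which accepts
    # either no managers at all or a list that has a primary manager.
    if managers and len(primaries) != 1:
        problems.append(f"expected exactly one primary, found {len(primaries)}")
    seen = set()
    for m in managers:
        if m["pbwuserid"] in seen:
            problems.append(f"duplicate pbwuserid {m['pbwuserid']}")
        seen.add(m["pbwuserid"])
        if m["changetype"] not in KNOWN_CHANGETYPES:
            problems.append(f"changetype {m['changetype']!r} needs review")
    return problems


def primary_entry(managers):
    """Return the single primary entry, or None if there is not exactly one.

    Resolving it to the source profile_id carried by Job-Manager is a
    lookup in the product and is outside this example.
    """
    primaries = [m for m in managers if m["primary"]]
    return primaries[0] if len(primaries) == 1 else None


if __name__ == "__main__":
    parsed = parse_job_managers(SAMPLE)
    print(check_managers(parsed), primary_entry(parsed))
```
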
Sync Import workflows
The manager_profile_id column from SUP has been removed. The default Sync Import workflows have been updated to use Job-Managers to update the new SUP_MANAGERS table. Since SYNC workflows don't have the pbwuserid of the manager, the manager's profile_id is mapped to Job-Managers->Job-Manager->pbwuserid, and this value goes to SUP_MANAGERS.MANAGER_PROFILE_ID. After the upgrade, any customized sync import workflows have to be updated based on the default sync import workflows to update the manager information in SYNC tables.
Dynamic Filters
All dynamic filters support matching for primary manager and multi-manager. The Job-Manager attribute matches the primary manager and the Job-Managers attribute matches multi-manager. Old filters may be matching Job-Manager with Person-SoureProfileId; new filters are expected to match Job-Manager with Idenity-PBWUSERID instead. The upgrade will not update the filters, but at run time the filter evaluation will switch to use Idenity-PBWUSERID if Job-Manager is matched with Person-SoureProfileId.
Operators supported for Job-Manager
a) Equals
b) Not Equals
c) Present
d) Not Present
Operators supported for Job-Managers
a) Contains
b) Not Contains
c) Present
d) Not Present
Notifications
Any notification which can be configured to be sent to the manager (for example self-service post process, access expiry, etc.) will be sent to all the managers.
User Load
User Load populate will load managers from SUP_MANAGERS into FUP_MANAGERS. If the manager doesn't exist in FUP, then managers will be temporarily kept in the FUP_MANAGERS_TMP table and later converted to FUP_MANAGERS when the manager's profile is loaded.
User Match
The matched profile's manager(s) will be used for provisioning and for resource workflows; however, user match doesn't support matching against the manager(s).
Identity Hub
Identity Hub load mode supports manager attributes. The Job-Manager attribute can have either the profile_id or the DN of the primary manager. Multiple managers can be passed in the new format specified in section
Dynamic UI
Detail and information screens will still use the Job-Manager attribute in the UI Management configuration (DUI). If a user has multiple managers, the primary manager will be shown on the screen. When the Job-Manager attribute is read only and the user has multiple managers, an info icon will appear after the primary manager's name.
Clicking on the info icon will display a popup dialog that shows all of the managers of the user. The dialog will use the "Manager Search" DUI List definition to show the manager details.
If the Job-Manager field is editable, then when the user clicks on either manager link, or add manager button, the Manager Search dialog will appear. The dialog has been modified to list the user's current managers at the top, with the normal user selection list below. Users can remove managers by clicking on the x icon next to an existing manager. To change the primary manager, change the selected Primary radio button. To add managers, select users from the "Search Available Managers" table, and then click the Add button. The Done button will not become enabled until either no managers are listed in the Current Managers table, or there is a primary manager listed.
If the Job-Manager attribute is configured in the DUI to require approval, then view requests will list the managers in the detail with a circle check next to the primary manager.
The approver will see a similar view when viewing the approval request details. If the approver has edit capabilities, then when they click Edit, the detail will appear like the one below. Clicking on the Manager link will bring up the manager selection dialog where the approver can change the managers on the request.
Identity Info Mapper rule
Following changes are made to the Identity Info mapper rule.
Identity Info: Added a new multi-level attribute Job-Managers to fetch information of managers. The Job-Manager attribute now returns the profile ID of the primary manager.
Manager Info: Introduced a new type to fetch attributes of managers for one or more users. This type returns user attributes in product attribute names and manager attributes as multi-level attributes with the Manager-> prefix.
Encryption-key-distribution call proxying
Identity and Provisioning instances exchange encryption keys with each other as part of our distributed key storage implementation. This used to be done using direct webservice calls between the instances of the two server types. The IDP server used to call the key distribution (synchronization) webservices of the Identity server directly.
However, in an environment where an Identity instance can communicate with a Provisioning instance only through a load balancer (and vice-versa), this will cause the encryption key distribution to fail, consequently failing other encryption-related operations. The same applies to IDP to Identity instance communication.
To fix this, we modified all key distribution calls to be made through the load balancer and proxied calls from instances. An Identity/Provisioning server will now redirect the call to the correct server if it is not the intended recipient of the call. However, please note that this is an optional feature and you can revert to the earlier behaviour by disabling the feature.
This feature can be enabled/disabled by setting the system property "com.fii.crypto.keysync.use-lb-proxy" to "true"/"false" respectively. If unset, it defaults to "true".
Since it's a system property, it must be separately set for each JVM instance and hence for each of the Identity, Provisioning or IDP instance to override the default behaviour.
Third-Party libraries vulnerability upgrade and mitigation
- Jersey - Upgraded to 2.31.
- Jackson 1.9 - Removed and replaced with Jackson 2.10.1.
- jQuery - Mitigated CVEs by patching.
- Richfaces - Mitigated CVEs by patching and by adding a safe list filter.
- Spring, Spring Security - Upgraded to 5.2.6.RELEASE.
- XML-RPC - Removed library usage.
AES encryption
Added AES symmetric encryption for token connected system parameter in Moodle 2, Ellucian Ethos, and Cherwell connected systems.
Upgrade
The 7.5.0 upgrade will perform the following steps:
a) Populate FUP_MANAGERS, FUP_MANAGERS_NEW and SUP_MANAGERS tables for manager information kept in FUP, FUP_NEW and SUP.
b) Remove MANAGER_PROFILE_ID and MANAGER_SYSTEM_ID columns from FUP, FUP_NEW, SUP.
c) Remove the profile column mapping of Job-Manager attribute
d) Convert dynamic filters using the NameSpace(Attribute) format (example approval delegation, reassign filters) to the NameSpace.Attribute format.
Solution changes
Multiple managers
1. As part of the multi managers support, the profile column mapping of product attribute Job-ManagerSystemId is removed. Any references to this attribute in policy or security conditions, DUI references, etc. may not work correctly after the upgrade.
2. FUP no longer has MANAGER_PROFILE_ID and MANAGER_SYSTEM_ID columns. Any mapper logic matching source_profile_id to MANAGER_PROFILE_ID to get the manager profile has to be changed. Please see the section "Identity Info Mapper rule" above.
Due to database changes in releases post 7.5.x, workflows will need editing to remove certain attributes that no longer exist in the database. The attributes are:
Fisc_User_Profile.Manager_Profile_Id
Fisc_User_Profile.Manager_System_Id
Sync_User_Profile.Manager_Profile_Id
Sync_User_Profile.Manager_System_Id
Managers are now stored in separate table so the MANAGER_PROFILE_ID and MANAGER_SYSTEM_ID columns from FISC and SYNC tables have been removed.
Any workflow EXPORTING these attributes from the FUP or SYNC tables will need editing to remove these attributes from the initial export, and logic will need changing in the mapper as follows:
Remove the attributes from the Selected Fields export link:
After doing this, you will also need to remove these attributes from any mapper assignments you have them set to:
Instead, what you will need to do is use the “Get Identity Info” Mapper rule, and pull the attribute for Job-Manager:
We typically use Source Profile ID of the user in question for this filter, as seen above. Once the Condition is configured, you can choose the attributes you want to pull back, in this case Job-Manager:
If Manager_System_Id is required for any logic, there is a new configuration within the “Get Identity Info” mapper rule where you can get this information, shown below. In the drop down, choose Manager Info, and set up your filter the same way, then choose Manager->Account-SystemID from the list of Attributes:
Then, you re-map the attributes in question with the new “Get Identity Info” attributes:
So when you are done, it should look like this:
**NOTE – Since Job-ManagerSystemID is obsolete, the value can be used in logic, but cannot be mapped outbound to any attribute, since there is nowhere for it to go.
Reassigning these attributes in this way will place the same values in the variables as was there before, so there would be no need to edit any further logic that uses them.
The same applies to any use in lookups within the mapper. If you are using the temp variables in the lookup SELECT or WHERE clause, at this point you should be fine, but if you are using the actual attributes, you should replace them with the variables as shown above.
If you have any workflows that are directly writing TO these attributes, whether it is the Fisc User Profile table or the Sync User Profile table, these will also need to be edited. For Fisc User Profile, you will need to create a success task off the workflow that ends in an Identity Hub, so that this attribute can be passed into Job-Manager.
**NOTE: Again, Job-ManagerSystemID cannot be mapped back into the product, as it is obsolete.
Set up a success task as shown in the image below. Once this is done, you can right click on the import task and choose Edit <to_IdMDatabase> Properties
Choose the Success Processing tab, and configure your attribute match. Set the success task as the provisioning hub at the top of your success task, and the data pipe would be the matching provisioning hub in the original workflow.
The mapper for the success task would simply send the Job-Manager attribute into the Identity Hub attribute of the same name.
If you are importing into Sync_User_Profile, we have changed the sync-Import workflows to handle this already, and these can be replaced in your environment easily: simply undeploy the existing one and replace it with the supplied one for your database type.
If you run across any more complicated logic that relates to these attributes, and cannot determine a way to change it so that it works for you, we at Fischer are always available to review these items with you and help make the transition smoother, so just let us know if you run into any issues.
Drupal connector removal
The Drupal connector has been removed. As a result, references to this connected system will need to be removed from the Admin UI prior to the upgrade.
Fixed defects
List of defects reported by customers or implementation; it does not contain defects raised internally.
- Fix to gracefully handle one off failures during the property manager initialization on server startup.
- Fixed issue with rule or condition names used in advanced expressions when containing & or characters.
- Fix to consider end_date grace policies on SoD evaluation, so that if the higher priority policy is in its grace period, or is going to be in its grace period due to disqualification, the lower priority policy will not be granted. If the user newly qualifies for the higher priority policy, the lower priority policy will be de-provisioned without any grace days.
- Fixed issue with the identity system's entitlements not being revoked when the user dis-qualified from the entitlement policy and the modify ended up on rename.
- Made a change so that end-user's full name does not appear in Kiosk's top banner until end-user is fully authenticated.
- Fixed FK Violation while processing iFly Removal.
- Fixed issue where end-user would be logged-out of Self-Service if the DUI screen he is viewing has a non-editable drop down attribute using SQL to fetch values.
- Fixed issue with HTML content displayed in notification in the Admin UI.
- Fixed issue with password expires set to a date in the future while having a 128 status.
- Removed the validation for conditions in data mapper rules IF, While, Else-IF, For-Each
- Fixed Powershell escape method to escape all quotation characters.
- Fixed workflow schedule lost on activate and start
- Fixed inter server alert to clear the cache not being processed by the receiving IPM server.
- Fixed installer failing to connect to Active Directory via SSL.
- Fixed provisioning install upgrade failing with unable to connect error if the database is not configured on the default port.
- Fixed issue occurring when submitting a report when using an MSSQL database.
- Fixed MySQL Connector in table format export returning a different table name than selected.
- Fixed inability to log into Admin UI if both primary and secondary login attributes have same value.
- Fixed inability for administrator to configure bypass codes in federation authentication rules.
- Fixed logout issue occurring when end-user clicks a workflow initiator button from the profile page.
- Fix to exclude psjoa jar in idmgig and provgig war.
- Fixed issue where user has an inactive device set up and the add device button is disabled or non existent and the activate factor button is enabled.
- Fixed inability to provide a device name when registering a device the first time upon logging in, or through account claim. Fixed inability to rename a device. Fixed issue where the old device name is used when adding back a previously used device.
- Fixed the request_id hyper link in the consolidated notification which was displayed as plain html instead of as a link. Fixed to skip replacing html tags of %REQUEST_ID% token since the value is an html hyper link.
- Fixed issue with read only screen showing attribute value instead of attribute display value when attribute uses a static list.
- Fixed display name definition of user match conditions showing incorrectly
- Increased size of name column from 64 to 255 for the provisioning config objects.
- Fix to not change the account enabled, locked, suspended status on scramble password reset.
- Removed empty line validation check from conditional mapper rules If, Else-If, While, For-Each and Dynamic Output Record.
- Fixed issue with global variable "where used" feature not showing the next page button.
- Fixed issue where hardware tokens and bypass codes cannot be managed by user or obo if the user qualifies for both Kiosk Duo primary authentication rule and Duo secondary authentication rule.
- Fixed issue of SMTP connected system getting deleted during upgrade.
- Fixed issue with Get Identity Info Out of Memory if Variable Empty
- Fixed issue with Information Text on DUI Doesn't Show if Field is Not Editable
- Fixed a formatting issue with Duo phone numbers that was preventing international numbers from being associated to the user. Added the missing "+" to the beginning of the phone number parameter that seems to have been ignored for domestic numbers only. Moved country code value into drop down.
- Added ability to stop provisioning events from the Client Admin tab in Self-Service to take care of user matches that result from a bad process.
- Fixed UI issue with display of all attributes under User Match Events
- Fixed issue with loading of old version Projects having StoredProcedure data source due to wrong class mapping in migration map.
- Fixed issue with lookup rule execution in HA after GIG upgrade from 7.3.x to 7.4.x.
- Fixed issue of building wrong parent data file path for import task due to the status check while loading dependent task. Fixed issue of post import process happening with empty data. Changes to restart at failed task instance even if there is previously executed next level task for the task. This is potential case when task retry is configured to start at a top level task.
- Execute Manager Filter on Requester before setting it as default manager in create new user screen.
- Fixed issue when executing Oracle Stored Procedure where NULL would not be allowed for Date fields.
- Fixed issue with Duo enrollment not being displayed during the Identity Claim process.
- Fixed issue preventing a landline to be registered twice with Duo.
- Fix to update the configurable minimum and maximum values for the duration and reuse count of Duo bypass codes generated by a help desk user. The maximum duration was supposed to be 31 days, which has been corrected. The maximum reuse count has been upgraded to 31 times, but it can be set for unlimited use by entering zero.
- Fixed additional line break in login alerts
- Fixed unassigned system assessment failing for identity system due to ORG_ID condition to FUE.
- Webex lookup changes to return a status code 0 and not to fail lookup when the search doesn't return any entry for the given search criteria.
- Fixed issue with Webex lookups generating an exception when being executed.
- Fixed issue with Webex Team People import when multi-valued attributes are available in import data.
- Fix to prevent the user match evaluation query from matching profiles from multiple orgs when rules have conditions with OR match.
- Fixed issue with Submit button becoming enabled when disabled field is selected in forms.
- Fixed PowerShell cmdlets logging issues in ADV2 connector.
- Fix to perform case insensitive match for PSA External LDAP Group memberships.
- Fixed MySQL connector driver selection causing connection to fail.
- Fixed report duration issue in Reports under Self-Service.
- Fixed the previous pending future dated provisioning events not getting cancelled on a new request. This issue occurs when the request gets in another server or the server is restarted.
- Changes to avoid logging secure data on REST connector call failures.
- Fixed search filter issues in Self-Service Events in the Admin UI.
- Fixed issue with user being logged out from users tab in Self-Service when DB has an invalid read only screen_id value for the profile management configuration.
- Fixed duplicate entry in recertification UI when same entitlement is used in two resources with same set of owners and both are given for certification.
- Fixed my availability issues when selecting dates by changing the behavior of the feature. The dates will always be visible so that the end-user can see what dates are currently set.
- Fixed SoD evaluation being triggered before the required fields are set.
- Fixed issue of showing wrong attribute list for write data change type and modify type configurations.
- Fixed issue occurring when attempting to add multiple e-mail addresses in the notification configuration under the workflow auto-suspend section.
- Fixed an issue that would present the import YubiKey step to the end user even if the token has already been associated with the user.
- Fixed user getting logged out when clicking on the self-service admin tab when the user only qualifies for the user match sub tab of the admin tab.
- Fixed issue with workflows failing with "too many files open" error.
- Fixed policy evaluation count showing in the incorrect format in the Admin UI.
- Fixed issue with user load when users are already loaded in sync tables with the same syncuid/sourceprofileid.
- Fixed issue occurring in Office365 when the data contains an invalid license.
- Fixed issue with DUI initial values not re-initialized when error occurs.
- Fixed SQL errors in logs occurring when searching for beneficiary fields for change events not having any beneficiary set.
- Fixed issue with whitespaces being collapsed into a single whitespace, resulting in the Admin UI Policy Summary View showing a different value for the Condition than the actual condition.
- Fixed an issue where MFA authentication would fail with "Operation Failed" message when master administrator is administrator for client organization only but does not have an identity in that client org.
- Fix to update gig properties like server address without gig restart.
- Fix issue with Spanish strings being displayed in lieu of English in policy history in Self-Service.
- Fixed issue with status handling for LDAP connector modify calls.
- AD Referral and V2: Fixed issue with diff with target while trying to clear an attribute which is not configured for differencing.
- Fix for creating password reset audit entry if the workflows sends in the password change date to update the existing FUAs. Fix applicable for both resource workflows updating FUA through post import process and for Identity Hub.
- Changes to have a higher connection timeout value for Google connector as default 20 seconds is not enough to handle high loads.
- Fixed queue distributor starting before setting the status of items running in the leaving instance as 'pending'.
- Fixed issue with the Infinispan cache entry change listeners which was being invoked in the same thread as the listener. This could cause thread starvation if the listener handler methods were not short and taking too long to return.
- Fixed slowness issues occurring as a result of key store being too large.
- Fixed REST token removal query.
- Fixed issue occurring when communication between identity and provisioning instances is only allowed through the load balancer. The issue would result in encryption key related operations failing since the feature communicates with instances directly instead of using the load balancer.
Compatibility
Java
OpenJDK 8
Database
Database | Minimal Version |
---|---|
Microsoft SQL Server | Microsoft SQL Server 2012 Service Pack 4 |
Oracle | 11.2 |
PostgreSQL | 9.5 |
Operating System
Operating System | Minimal Version |
---|---|
Windows Server | Windows Server 2008 Service Pack 2 |
Linux | No restriction |
Browser
Browser | Minimal Version |
---|---|
Internet Explorer | 11 |
Edge | Latest |
Chrome | Latest |
Firefox | Latest |